> Has anyone worked with CF and the file encryption in Windows 2000?
EFS in Windows 2000 isn't especially useful within the context of CF
applications. The purpose of EFS is to prevent someone from booting up
another operating system and reading files from an NTFS 5 partition.
> We tried to set up a user account and set the ColdFusion
> Services to run as the new user. I then logged in as the
> user and encrypted the files in Windows 2000. However,
> when I tried to run the application, ColdFusion was not
> able to get access to the files. Anyone know how this
> should be done?
I did this once, when Win2K RC2 came out, just for kicks. As I recall, you
have to make sure that the CF user account has execute permission, and that
the web server account (in IIS, usually IUSR_MACHINENAME) has read
attributes permission.
To do it without having to log into the console as the CF user, you can use
runas to run a command prompt within the user's context. So, that's what I
did.
1. I created a user, cfuser. I added that user to the local Administrators
group so that I wouldn't have to muck around too much with permissions. I
set the CF service to run as that user.
2. I ran a runas session as that user:
runas /profile /user:mymachine\cfuser cmd.exe
Steps 3 and 4 were done from that command prompt.
3. I created a directory in my web root, "encrypted", and ran cipher.exe to
instruct that any files placed within that directory were to be encrypted.
4. I copied two files, enctest.html and enctest.cfm, into the directory.
5. From the first command prompt, running within the security context of my
local admin account, I navigated to the new directory and attempted to open
the files with Notepad. I received "access denied" errors - demonstrating
that I couldn't get to the files, even though I was running as a local
administrator at the time. So EFS was working.
6. When I requested the HTML file through my web server, I was prompted to
authenticate. Once I did so with the cfuser account, I could view the file.
When I requested the CFM file, it was executed without a request for
authentication.
> Here's our goal: We need to provide our application on a
> laptop for a partner to test. We would like to be able to
> run the application without allowing the laptop user to
> open any ColdFusion files to protect intellectual property.
> Other than through Windows 2000 encryption (which we haven't
> been able to get working), does anyone know of another way
> to accomplish this goal?
The problem here is that, practically speaking, you can't really prevent
someone from looking at files on a machine if they have rights to log on to
that machine's console. There are lots of known exploits to allow an
interactive user to gain administrative status. Once that happens, that
local administrator, as "keeper of the keys", will be able to read the file,
even with EFS. Or, failing that, it would be trivial to write a CF script
which simply copies the contents of each file and writes them out to disk
somewhere else, or writes the code to the browser.
On the other hand, if your partner isn't all that savvy, you don't even need
EFS. Simply apply the appropriate ACLs to the file system, and you're done.
Just keep in mind, though, that if you hand someone a disk full of source
code, they'll be able to read it no matter what you do, if they're
determined enough.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
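The procedure in steps 1 to 5 above, as an added example that is not part of Dave's post: a PowerShell script for a current Windows host (PowerShell 5.1 on Windows 10 / Server 2016 or later, run from an elevated prompt), since runas and cipher.exe still work the same way. The service name, the IIS anonymous account and the staging directory are placeholders I assumed, not values from the thread; one deliberate departure from the post is that the service account is not added to Administrators and gets a scoped ACL instead.

```powershell
<#
  Added example (not from the original post): the post's steps 1-5 reconstructed
  for a current Windows host (PowerShell 5.1, Windows 10 / Server 2016 or later),
  run from an elevated prompt. Placeholders that are assumptions, not facts from
  the post: the service name, the IIS anonymous account, the staging directory.
#>
param(
    [string]$CfUser      = 'cfuser',
    [string]$ServiceName = 'ColdFusion 2021 Application Server',  # assumed; check Get-Service
    [string]$WebRoot     = 'C:\inetpub\wwwroot',
    [string]$SourceDir   = 'C:\staging\app',      # assumed: where the .cfm files are staged; cfuser needs Read here
    [string]$IisAnonUser = 'NT AUTHORITY\IUSR',   # IUSR_<MACHINENAME> on IIS 5
    [string]$EncDirName  = 'encrypted'
)
$ErrorActionPreference = 'Stop'
$EncDir = Join-Path $WebRoot $EncDirName

# Step 1: the service account. Unlike the post, it is not made a local admin;
# the ACL in step 2 gives it only what it needs. Note that sc.exe does NOT grant
# the "Log on as a service" right (SeServiceLogonRight); add it in secpol.msc or
# the service will refuse to start.
$cred = Get-Credential -UserName ".\$CfUser" -Message 'Password for the ColdFusion service account'
if (-not (Get-LocalUser -Name $CfUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $CfUser -Password $cred.Password -PasswordNeverExpires | Out-Null
}
# 'obj=' and 'password=' must keep the space after '='; sc.exe wants the plaintext.
& sc.exe config "$ServiceName" obj= ".\$CfUser" password= $cred.GetNetworkCredential().Password | Out-Null

# Step 2: the directory and its ACL. cfuser gets Modify (EncryptFile needs write
# access; tighten to ReadAndExecute once the files are in place), the IIS
# anonymous account gets only ReadAttributes (what the post found IUSR needs),
# and Administrators keep FullControl, which lets them manage the files but,
# without an EFS key, not read their plaintext.
New-Item -ItemType Directory -Path $EncDir -Force | Out-Null
$acl = Get-Acl -Path $EncDir
$acl.SetAccessRuleProtection($true, $false)        # stop inheriting from the web root
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
foreach ($r in @(@("$env:COMPUTERNAME\$CfUser", 'Modify'),
                 @('BUILTIN\Administrators',     'FullControl'),
                 @($IisAnonUser,                 'ReadAttributes'))) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $r[0], $r[1], $inherit, 'None', 'Allow'))
}
Set-Acl -Path $EncDir -AclObject $acl

# Steps 3-4: mark the directory encrypted and copy the files in, both AS cfuser.
# A file written into an EFS directory is encrypted with the writer's key, so
# files copied by the admin would be unreadable to the service. -LoadUserProfile
# is the equivalent of the post's 'runas /profile': the EFS key pair is created
# in the user's profile.
$inner = "cipher.exe /E /S:`"$EncDir`" && copy /Y `"$SourceDir\*.*`" `"$EncDir\`""
Start-Process -FilePath cmd.exe -ArgumentList '/c', "`"$inner`"" `
    -Credential $cred -LoadUserProfile -Wait -WindowStyle Hidden

# Step 5: verify from this (admin) session. The Encrypted attribute must be set
# and a read must be denied even though we hold FullControl on the ACL; that is
# the same "access denied in Notepad" check the post describes.
function Test-EfsProtected {
    param([string]$Path)
    $isEnc  = ((Get-Item -Path $Path -Force).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
    $denied = $false
    try   { [void][IO.File]::ReadAllBytes($Path) }
    catch { $denied = $_.Exception.GetBaseException() -is [System.UnauthorizedAccessException] }
    [pscustomobject]@{ Path = $Path; Encrypted = $isEnc; ReadDeniedToAdmin = $denied }
}
Get-ChildItem -Path $EncDir -File | ForEach-Object { Test-EfsProtected -Path $_.FullName }
```

The step 5 check only shows that an account holding no EFS key for the files is refused; it says nothing about the "keeper of the keys" point in the post. On a standalone Windows 2000 machine the built-in Administrator account is the default EFS recovery agent, so a local administrator of that machine (or anyone who becomes one) can decrypt the files through the recovery certificate without ever knowing cfuser's password, which is exactly why file encryption does not protect source code from the person who owns the laptop.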
Archives: http://www.mail-archive.com/[email protected]/