I would appreciate advice from anyone who has experience with this topic in a production shared host environment.
I've read through the docs on installing CF and noted that the only things they've encouraged are disabling RDS and JSP for shared hosting. I've also disabled cfobject, cfschedule, cfldap, cfregistry, cfthread, cfexecute and all the cfexchange tags.

Now I am a little confused as to how I prevent users from accessing other users' DSNs and also how to prevent them from accessing other websites' files using cffile/cfdirectory, or even maliciously destroying/modifying Verity collections created by other users. If I am right, I should also be disabling createObject for .NET, COM, CORBA and Java, but are there any other functions I should disable?

Ideally I think each site should have its own sandbox, but I think doing this programmatically as each site is generated by the control panel software would be tedious. If you have any suggestions here they would be much appreciated. Any other suggestions or advice you have to help me ensure the server is secure would be very much appreciated.

Also note that this is on Windows 2008 with IIS7.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:320571

