On Tue, Mar 17, 2009 at 4:30 PM, TJ Downes wrote:
> I've read through the docs on installing CF and noted that the only things
> they've encouraged are disabling RDS and JSP for shared hosting. I've also
> disabled cfobject, cfschedule, cfldap, cfregistry, cfthread, cfexecute and all
> the cfexchange tags.

Why would you disable cfldap, cfthread and cfexchange? Also note that disabling cfobject breaks cfdump, since that uses cfobject internally, so you should replace your dump.cfm template with one that doesn't depend on cfobject.

> Now I am a little confused as to how I prevent users from accessing other
> users' DSNs and also how to prevent them from accessing other websites' files
> using cffile/cfdirectory, or even maliciously destroying/modifying Verity
> collections created by other users.

Sandboxes are the only way, and they have limitations, i.e. you cannot prevent a user from seeing the application variables of another user.

> If I am right, I should also be disabling createObject for .NET, COM, CORBA
> and Java, but are there any other functions I should disable?

That should do it if you are just after security.

> Ideally I think each site should have its own sandbox, but I think doing
> this programmatically as each site is generated by the control panel software
> would be tedious.

As James says, script it through the Admin API.

> Also to note that this is on Windows 2008 with IIS7.

Make sure CF does not run as local administrator, so that in the event a user breaks out of his sandbox the potential damage is limited.

Jochem

--
Jochem van Dieten
http://jochem.vandieten.net/

