Thanks for the comments Dave. We'll investigate the permissions. Any recommendations for a good info source?
We have enough trouble keeping basic things running after somebody goes around "hardening" things. I'm all for security, but when their idea of security is an un-networked server in a locked room, it won't go over well with the users.

Regards,
Chris

On Wed, Sep 19, 2012 at 11:52 PM, Dave Watts <[email protected]> wrote:
>
>> > Yes, CF runs under Local System. So CF has full system access. That's
>> > the danger from the applications on the server. What about an external
>> > attack -- what could be done, specifically?
>>
>> That really depends on what the applications do, and how well they're
>> written. An attacker can run those applications, and potentially
>> manipulate the inputs to those applications in a way that makes them
>> behave differently than you want them to.
>
> Oh, and also: why don't you run CF with a less-privileged user account
> or security context? CF doesn't need to be SYSTEM to run, and can do
> well in most cases with significantly limited permissions and
> privileges.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352689

