In general, just create a new user for the CF service and only give it access to your wwwroot, ColdFusion, and system temp folders. There is a lockdown guide somewhere, but I find that a bit overkill.
Regards,
Russ Michaels

On Sep 20, 2012 11:31 PM, "Chris" <[email protected]> wrote:
>
> Thanks for the comments Dave.
>
> We'll investigate the permissions. Any recommendations for a good info
> source?
>
> We have enough trouble keeping basic things running after somebody
> goes around "hardening" things. I'm all for security, but when their
> idea of security is an un-networked server in a locked room, it won't
> go over well with the users.
>
> Regards,
> Chris
>
>
> On Wed, Sep 19, 2012 at 11:52 PM, Dave Watts <[email protected]> wrote:
> >
> >> > Yes, CF runs under Local System. So CF has full system access. That's
> >> > the danger from the applications on the server. What about an external
> >> > attack -- what could be done, specifically?
> >>
> >> That really depends on what the applications do, and how well they're
> >> written. An attacker can run those applications, and potentially
> >> manipulate the inputs to those applications in a way that makes them
> >> behave differently than you want them to.
> >
> > Oh, and also: why don't you run CF with a less-privileged user account
> > or security context? CF doesn't need to be SYSTEM to run, and can do
> > well in most cases with significantly limited permissions and
> > privileges.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
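Russ's advice above, as a worked example added here (not code from the thread): create a dedicated local account, grant it Modify on only the three folders, and repoint the service. The service name, install path and web root are assumptions; check them with Get-Service and your own layout. The LocalAccounts cmdlets need Windows 10 / Server 2016 or later.

```powershell
# Added example: run the ColdFusion service as a limited local user.
# Assumed values below; adjust for your server.
$User        = 'cfservice'
$ServiceName = 'ColdFusion 10 Application Server'   # assumption: service (key) name from Get-Service
$Folders     = @('C:\inetpub\wwwroot', 'C:\ColdFusion10', "$env:SystemRoot\Temp")  # assumed paths

# Prompt for the password instead of embedding it in the script.
$Cred = Get-Credential -UserName ".\$User" -Message 'Password for the CF service account'

# 1. Create a plain local user; it is NOT added to Administrators.
if (-not (Get-LocalUser -Name $User -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $User -Password $Cred.Password -PasswordNeverExpires `
        -Description 'ColdFusion service account' | Out-Null
}

# 2. Grant Modify (read/write/create/delete, not Full Control) on each folder,
#    inherited by subfolders and files. No other path on the system is granted.
foreach ($dir in $Folders) {
    $acl  = Get-Acl -Path $dir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:COMPUTERNAME\$User", 'Modify',
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl
}

# 3. Point the service at the new account. sc.exe takes the plain-text password
#    (note the required space after "obj=" and "password="). The account also
#    needs the "Log on as a service" right; the Services MMC grants it
#    automatically when you change the account there, sc.exe does not.
$plain = $Cred.GetNetworkCredential().Password
sc.exe config "$ServiceName" obj= ".\$User" password= "$plain"

# 4. Verify the service no longer starts as LocalSystem, then restart it.
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName
Restart-Service -Name $ServiceName
```

After the restart, check the CF application log and a page that writes to wwwroot or temp; any "access denied" there points at a folder CF needs that the list above missed.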

