> CF should install locked down out of the box, there really should be no
> need to follow a complex lockdown guide to make it secure.

That sounds great in theory, but I don't think it would work well in reality.

Whenever you install server software, you are responsible for
understanding how it works, and for making tradeoffs between security
and functionality. Adobe doesn't know how exactly you're going to use
CF, and what tradeoffs you're willing to accept. Those are going to be
radically different between various developers and administrators, and
even radically different from one project to the next. There's no
substitute for basic knowledge here - it's just that simple.

If you really think Adobe is responsible for your server's security,
and that CF should be installed "locked down out of the box", you must
have a different idea of what locked down means than I do.

Adobe is responsible for vulnerabilities in the CF Administrator, but
you are responsible for ensuring that the CF Administrator isn't
exposed to untrusted networks. It's a web application, just like any
other.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358107