On 26 March 2014 13:57, Dave Watts <dwa...@figleaf.com> wrote:
>
> > CF should install locked down out of the box, there really should be no
> > need to follow a complex lockdown guide to make it secure.
>
> [...]
>
> If you really think Adobe is responsible for your server's security,
> and should be installed "locked down out of the box", you must have a
> different idea of what locked down means than I do.
>
> Adobe is responsible for vulnerabilities in the CF Administrator, but
> you are responsible for ensuring that the CF Administrator isn't
> exposed to untrusted networks. It's a web application, just like any
> other.
>
From a system security perspective, the approach is generally the default is *no access*, and then access has to be specifically granted. Adobe has taken the opposite approach simply to make life easy, which has proven to be a foolhardy decision. Repeatedly. For years.

You (and Adobe both) are labouring under some "perfect world" scenario in which admins actually *do* know what they're doing by default. This simply isn't true. Adobe need to accept reality and deal with it, rather than going "well in the perfect world then [this]". But we actually know it's not a perfect world, so why start the position from there?

-- 
Adam

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358113