I think it is that simple. CF can be installed securely or not securely regardless of someone's understanding of the server or how it works.
That is no different than saying it is impossible for Windows or Linux to be installed securely by default; of course they can be, and are. Some of the most basic problems have nothing at all to do with systems admin, but with the way CF itself works. You only need to read the lockdown guide to see this. Making something insecure by default is simply lazy, not to mention that this attitude has given CF a very bad reputation as a result. Making an app secure by default also forces admins to then learn about how it works if they want to loosen or customize that security; this is a good thing.

Bare minimum:

- CF should be installed using a custom user account and not SYSTEM, and that user should only be given permissions on the folders CF requires to work. During the install it could easily ask you to specify your doc root where your websites are stored and give permissions on that.
- The CFIDE should be secure by default, so it doesn't contain the CFADMIN and is not mapped to every site by the web config tool. CFADMIN should only ever be accessible via a single point.
- Each context should be restricted to accessing its own webroot by default.
- The most dangerous tags/functions (cfregistry, cfexecute) should be disabled by default.

Sorry, but this has always seemed like basic common sense stuff to me since day 1, even before there was a lockdown guide or CF got hacked.

On Wed, Mar 26, 2014 at 1:57 PM, Dave Watts <[email protected]> wrote:

> > CF should install locked down out of the box, there really should be no
> > need to follow a complex lockdown guide to make it secure.
>
> That sounds great in theory, but I don't think it would work well in
> reality.
>
> Whenever you install server software, you are responsible for
> understanding how it works, and for making tradeoffs between security
> and functionality. Adobe doesn't know how exactly you're going to use
> CF, and what tradeoffs you're willing to accept. Those are going to be
> radically different between various developers and administrators, and
> even radically different from one project to the next. There's no
> substitute for basic knowledge here - it's just that simple.
>
> If you really think Adobe is responsible for your server's security,
> and should be installed "locked down out of the box", you must have a
> different idea of what locked down means than I do.
>
> Adobe is responsible for vulnerabilities in the CF Administrator, but
> you are responsible for ensuring that the CF Administrator isn't
> exposed to untrusted networks. It's a web application, just like any
> other.
>
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
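As an added example, not part of this thread and not ColdFusion's own tooling: a small Python audit that checks a deployment against the "bare minimum" points made above. It reads a plain dict describing the deployment (the dict keys, the list of privileged account names and the `administrator` subdirectory name are this example's own assumptions) and walks the real filesystem to flag a privileged service account, any `CFIDE` directory reachable under a site webroot, world-writable directories in the install tree, and the two tags named in the post if they are still enabled. The fixture it builds in a temporary directory is constructed for the demo.

```python
"""Added example: an install-time audit for the defaults argued for above.

The deployment is described by a plain dict (this example's own schema, not
ColdFusion's configuration format) plus the real filesystem. It checks that
the service account is not a privileged one, that no site webroot carries a
CFIDE directory (so the Administrator is not reachable from every site), that
no directory in the install tree is world-writable, and that the tags named
in the post stay disabled.
"""
import os
import stat
import tempfile

PRIVILEGED_ACCOUNTS = {"root", "system", "localsystem", "administrator"}
DANGEROUS_TAGS = {"cfregistry", "cfexecute"}   # named in the post
ADMIN_DIR = "CFIDE"                            # named in the post
ADMIN_SUBDIR = "administrator"                 # assumed: Administrator lives in CFIDE/administrator


def admin_exposure(webroots):
    """Yield (severity, path) for every CFIDE directory found under a site root."""
    for root in webroots:
        for dirpath, dirnames, _ in os.walk(root):
            for name in dirnames:
                if name.lower() != ADMIN_DIR.lower():
                    continue
                path = os.path.join(dirpath, name)
                # A CFIDE with the Administrator inside it is the worst case.
                has_admin = os.path.isdir(os.path.join(path, ADMIN_SUBDIR))
                yield ("critical" if has_admin else "high", path)


def world_writable_dirs(install_root):
    """Directories under the install tree that any local user may write into."""
    for dirpath, dirnames, _ in os.walk(install_root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                yield path


def audit(deployment):
    """Return findings as (severity, category, detail) tuples."""
    findings = []
    user = deployment["service_user"]
    if user.lower() in PRIVILEGED_ACCOUNTS:
        findings.append(("critical", "service_user", user))
    for severity, path in admin_exposure(deployment["webroots"]):
        findings.append((severity, "admin_exposed", path))
    for path in world_writable_dirs(deployment["install_root"]):
        findings.append(("high", "world_writable", path))
    enabled = {t.lower() for t in deployment["enabled_tags"]}
    for tag in sorted(DANGEROUS_TAGS & enabled):
        findings.append(("high", "tag_enabled", tag))
    return findings


def build_fixture(base):
    """Constructed layout: a clean site, a site with a CFIDE/administrator copy,
    and an install tree with one world-writable directory. Returns the
    deployment description for audit()."""
    clean = os.path.join(base, "sites", "shop")
    os.makedirs(os.path.join(clean, "images"))
    exposed = os.path.join(base, "sites", "intranet")
    os.makedirs(os.path.join(exposed, ADMIN_DIR, ADMIN_SUBDIR))
    install = os.path.join(base, "cfusion")
    os.makedirs(os.path.join(install, "lib"))
    os.chmod(os.path.join(install, "lib"), 0o750)
    os.makedirs(os.path.join(install, "logs"))
    os.chmod(os.path.join(install, "logs"), 0o777)
    return {
        "service_user": "SYSTEM",          # the default the post objects to
        "install_root": install,
        "webroots": [clean, exposed],
        "enabled_tags": ["cfquery", "cfexecute"],
    }


def run_demo():
    """Build the fixture in a temp dir, audit it, and return the findings with
    paths made relative and POSIX-style so they are stable across platforms."""
    with tempfile.TemporaryDirectory() as base:
        results = []
        for severity, category, detail in audit(build_fixture(base)):
            if category in ("admin_exposed", "world_writable"):
                detail = os.path.relpath(detail, base).replace(os.sep, "/")
            results.append((severity, category, detail))
        return results


if __name__ == "__main__":
    for finding in run_demo():
        print("%-8s %-15s %s" % finding)
```

On the constructed fixture the audit reports the SYSTEM service account, the `CFIDE` copy under the intranet site (critical because it carries the Administrator), the world-writable `logs` directory and the enabled `cfexecute` tag, while the clean site and the properly permissioned `lib` directory produce nothing. Pointing `webroots` and `install_root` at a real server gives the same checks against that host.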

