> I am working on setting up a new server which is running 
> Win2K Server, CF Server 5 Pro, and SQL Server 2K. I have 
> ordered the O'Reilly book on securing Win 2K for the 
> internet.

Good. I highly recommend that book.

> I have found a few docs on securing SQL as well, but any 
> suggestions would be helpful. What I really am interested 
> in are docs on best security practices for CF Server. I 
> have heard that the real security risk for CF is locking 
> down SQL server when the two are being used in conjunction.  
> I had heard mention of a checklist someone had come up with 
> for CF server installs, but I have not been able to find it 
> nor do I know who wrote it. Any help would be greatly 
> appreciated. I have about a week and a half to get everything 
> set.

Fortunately, from a security perspective, there's very little that's
specific to CF, as opposed to any other CGI environment. You want to do the
following:

1. Limit the rights of your CF applications to the database. You can do this
by creating specific logins, and limiting the rights of those logins as much
as possible. You can further this goal by using stored procedures
exclusively - then you can limit the rights of the logins to those required
to run the stored procedures. There are plenty of resources on this topic.

2. Filter all input from the browser, to ensure that you don't execute
anything that you shouldn't. You can do this input filtering within your CF
code, or you can do it at the web server level with IIS, or both. I'll
actually be presenting on this specific topic at CFNORTH
(http://www.cfnorth.com/) next week, if anyone's interested.

3. Limit the rights of the CF server, if possible. This entails running the
CF Application Server service as a specific user, rather than as SYSTEM,
which is the default. There's a good description of this process here:
http://www.defusion.com/articles/index.cfm?ArticleID=89

Although the description is specific to CF 4.5.x, it'll work the same way
with CF 5, basically.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
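As an added illustration of point 1 above (this is example code, not part of the original message and not taken from the O'Reilly book or the defusion article), here is what a least-privilege SQL Server 2000 setup for a ColdFusion data source looks like in T-SQL. The database name `WebShop`, the login `cf_app_login`, the user `cf_app_user`, the table `dbo.Orders` and the procedure `dbo.usp_GetOrderById` are all placeholders chosen for this example. The idea is that the CF data source never uses `sa`, and the application login can only execute the procedures, never touch tables directly; on the CF side the procedure is called with `<cfstoredproc>` and typed `<cfprocparam>` values rather than with string-built SQL, which is what ties this to point 2.

```sql
-- Added example (not from the original post): least-privilege
-- SQL Server 2000 setup for a ColdFusion data source.
-- All names below are placeholders chosen for illustration.

USE WebShop
GO

-- 1. A dedicated login for the CF data source, with its own password.
--    The CF Administrator data source should use this login, not 'sa'.
EXEC sp_addlogin
    @loginame = 'cf_app_login',
    @passwd   = 'REPLACE_WITH_STRONG_PASSWORD',
    @defdb    = 'WebShop'
GO

-- 2. Map the login to a user in the application database only.
--    It gets no access to master, msdb or any other database.
EXEC sp_grantdbaccess
    @loginame   = 'cf_app_login',
    @name_in_db = 'cf_app_user'
GO

-- 3. Wrap each data access path in a stored procedure. The procedure
--    owns the SQL text; the caller supplies only typed parameters, so
--    a request value can never change the shape of the statement.
CREATE PROCEDURE dbo.usp_GetOrderById
    @OrderId INT
AS
    SET NOCOUNT ON
    SELECT OrderId, CustomerId, OrderDate, Total
    FROM dbo.Orders
    WHERE OrderId = @OrderId
GO

-- 4. Grant EXECUTE on the procedure only. Because dbo owns both the
--    procedure and the table, ownership chaining lets the procedure read
--    Orders even though cf_app_user has no rights on the table itself.
GRANT EXECUTE ON dbo.usp_GetOrderById TO cf_app_user
GO

-- 5. Make the lack of direct table rights explicit. DENY wins over any
--    GRANT a later admin might add (for example via db_datareader), but it
--    is not evaluated inside the procedure because of the ownership chain.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO cf_app_user
GO

-- Check, connected as cf_app_login: the first statement must fail with a
-- permission error, the second must return the row.
--   SELECT * FROM dbo.Orders
--   EXEC dbo.usp_GetOrderById @OrderId = 42
```

Repeat steps 3 and 4 for every query the application runs; if a procedure has to write data, the same pattern applies and the login still needs no INSERT or UPDATE rights on the table. Keep the SQL login's password in the CF data source definition only, and rotate it when staff with access to the CF Administrator change.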

______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
