> I'm curious to know how any CF admins out there have set up a
> multi-server configuration. I've recently been tasked to
> look at/improve our security setup here at work. Currently
> we have a web/cf server (IIS 5.0 and CF 5.0) running on W2K
> server. On another server we have NT4 with SQL Server 7.0.
>
> All of our queries are written to use ODBC and trusted
> connections. To get this to work, we have altered the Cold
> Fusion Application Service setup so that it runs as a local
> user with Administrative privileges. That same user was then
> added as an (NT) administrator on the SQL box so that
> essentially CF is authenticating as dbo. That isn't a huge
> problem for us as we are small and all the developers who
> have access to the sql server are admins. Another consideration
> is that CF needs the ability to write files to a file server
> (which also has this same "cold fusion" user replicated on
> it).
>
> Obviously this setup is less than secure and I'd like to
> improve it however possible. What I'm looking for are some
> "best practices" or advice from anyone out there with similar
> configurations. I'm looking at creating a domain for these
> machines so at the very least the passwords can be easily
> changed more often. Any other suggestions or direction is
> welcome.
Well, there's more to this than is conveniently summarized in an email, I think. So, I'll address some of the individual points.

First, rather than running the CF Service as an administrative user to use trusted connections, I'd recommend that you create native SQL Server accounts, give those accounts the minimum permissions necessary for the individual databases, and use those accounts from CF.

Second, if you can avoid running CF as an administrative user or SYSTEM at all, that would be good. This is a little complicated to set up, as you'll need to create a user account that has the necessary rights. There's a good article that covers this here:

http://www.defusion.com/articles/index.cfm?ArticleID=89

While the article doesn't cover CF 5 specifically, the basic concepts are the same and will work with CF 5.

Note that application and server security are very complex topics, and the more you learn, the better. If you're interested, Fig Leaf Software offers a one-day lecture called "Securing ColdFusion Servers on Windows", which covers securing the Windows OS, IIS, the CF server itself, your CF application code, and your database. More information is available here:

http://training.figleaf.com/

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
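The first recommendation above (a native SQL Server login with only the permissions each database needs, instead of an NT administrator connecting as dbo) looks like this in T-SQL. This is an added example for this page, not code from the original thread or from Fig Leaf; the database OrdersDB, the tables dbo.Customers and dbo.Orders, the procedure dbo.usp_PlaceOrder, the login cf_orders and the role cf_app are all hypothetical names. It uses the SQL Server 7.0/2000 system procedures because that is the version in the question; on SQL Server 2005 and later the equivalents are CREATE LOGIN, CREATE USER and CREATE ROLE.

```sql
-- Added example, not from the original thread. All object, login and role
-- names below are hypothetical. SQL Server 7.0/2000 syntax (system procs);
-- on SQL Server 2005+ use CREATE LOGIN / CREATE USER / CREATE ROLE instead.

-- 0. See why an NT administrator on the SQL box ends up as dbo: the local
--    Administrators group is a sysadmin member by default.
EXEC sp_helpsrvrolemember 'sysadmin';

-- 1. A native SQL Server login for the ColdFusion datasource. The instance
--    must be in mixed-mode (SQL Server and Windows) authentication for this
--    login to be usable.
EXEC sp_addlogin
    @loginame = 'cf_orders',
    @passwd   = 'Use-a-long-random-password-here',
    @defdb    = 'OrdersDB';

USE OrdersDB;

-- 2. Map the login into the one database it needs, and hang the grants on a
--    database role so the login itself owns nothing and can be replaced
--    (or rotated) without touching the permissions.
EXEC sp_grantdbaccess @loginame = 'cf_orders', @name_in_db = 'cf_orders';
EXEC sp_addrole       @rolename = 'cf_app';
EXEC sp_addrolemember @rolename = 'cf_app', @membername = 'cf_orders';

-- 3. Least privilege: only the statements the CF code actually issues, only
--    on the objects it touches. No db_owner, no DDL, no other databases.
--    Contrast with the current setup, where the CF account is dbo and could
--    read, alter or drop anything on the server.
GRANT SELECT          ON dbo.Customers     TO cf_app;
GRANT SELECT, INSERT  ON dbo.Orders        TO cf_app;
GRANT EXECUTE         ON dbo.usp_PlaceOrder TO cf_app;

-- 4. Verify: list what the role can do, and confirm the new login is not a
--    member of any fixed server role (cf_orders must not appear here).
EXEC sp_helprotect @username = 'cf_app';
EXEC sp_helpsrvrolemember;
```

Once this is in place, the ColdFusion datasource is pointed at the cf_orders login with SQL Server authentication rather than a trusted connection, which removes the reason for the CF service account to be an administrator on the SQL box at all. Check the output of step 4 after every schema change: a permission granted to dbo "just to get it working" during development is exactly how a least-privilege account drifts back toward db_owner.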

