On nix systems it's a little more straightforward to turn off services for a production environment like RDS, Charting or anything else if you don't use... Other than that I'm certainly no pro on the subject but would be curious to hear more info...

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 22, 2002 3:39 PM
To: CF-Talk
Subject: RE: CFMX JrunScripts folder

> I'm trying to figure out why it is necessary to
> have the JRunScripts virtual folder under each
> WebSite on my IIS server. MM documentation doesn't
> explain much about it except that you must have it
> (not why). As a pure CF developer I can only guess
> that this is kind of JRun heritage since CFMX runs
> over a "light" JRun. Can somebody explain to me what
> this folder is for? Is it really necessary to give it
> "scripts and execute" permission? Can I protect it
> from anonymous access (default)?

I'm not sure exactly what operations require this virtual directory. Most CFML pages that I've tried under CF MX don't need it. I suspect that it might be needed for CFCHART, but this is just a guess, really. It points to the same physical directory in which the ISAPI extension used by CF MX is stored - the JRun ISAPI connector. Note that it doesn't have read permissions in IIS, just script and execute.

Currently, I'm testing CF MX to find out which of these sorts of things I can turn off, and what happens if I do so. That'll take a while, though.

> I'm a little bit worried about security and CFMX. For
> previous CF versions there's a huge amount of information regarding
> it (TechNotes, Forum threads, articles, etc, etc) and it's
> quite easy for regular developers like me to put a
> Win2k box+CF5 running smooth and secure. But for CFMX I
> found only a few things, none of them very clear. Does CFMX
> under IIS differ from CF5 in terms of security tuning?
> What are the main differences and cares?

Yes, you should probably be a bit worried. I'm sure there are some things about CF MX that aren't generally known, that may cause security problems when they're discovered.

There are some obvious differences worth pointing out, though. Registry security can be significantly tighter, since CF MX doesn't use the Registry. So far, it appears to be significantly easier to configure CF MX to run as a user with fewer rights than the SYSTEM security context, and there doesn't appear to be any loss of functionality when this is done. Finally, you might look to JRun documentation and resources for security, since from a server configuration and management perspective, JRun and CF MX are very similar.

I'm currently working to revise our security course, "Securing ColdFusion on Windows Servers", to cover CF MX, but this will take a bit of time. In the meantime, I'd advise security-conscious server administrators to play around with CF MX, see what's going on when you run it, and see what happens when you make various changes.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

