this is what I've been able to work out so far. CFMX is a complete service that stands alone. When it is used together with IIS, an ISAPI filter is installed in IIS that forwards requests to the CFMX service. It then runs under LocalSystem as seen in the Services Control Panel.
but if I wanted to restrict LAN access to, say, the owner of the files and admins I would set up the accounts as IUSR_MACHINENAME - annon web requests - R+Script (W for any data input: db or <CFFILE>) DOMAIN_ONE\OWNER - owner of the files - R+W+modify DOMAIN_TWO\ADMINS - admin group - full control And since LocalSystem by default has full control so that should work. any direct CF settings (CFAdministrator, sandboxing, etc) run at the application level (web request) and has nothing to do with NTFS LAN permissions. The file has to be first available (thanx to IUSR_MACHINENAME) and then CFMX checks for its' level of permissions. for default settings for CFMX on IIS it is really no different to running, say, ASP from IIS. I've read that for security reasons it is recommended to run CFMX under its own account, not under the LocalSystem account. Then grant that account Modify over the webserver root and its own directory tree, as well as the right to log on as a service. I'm not 100% sure what the issues are (ie: why - also, see the link below from webforums.macromedia.com) so anyone else chiming in at this point would be most welcome... <g> to get CFMX to obey NTFS permissions when serving restricted content (remember, these apply to web requests only, not LAN permissions) http://www.macromedia.com/support/coldfusion/ts/documents/nt_auth_iis.htm ColdFusion MX: Implementing NT authentication for ColdFusion templates with IIS Web Server http://www.macromedia.com/support/coldfusion/ts/documents/tn17029.htm Securing ColdFusion pages through IIS although this issue (follow the link) alarmed me a little (any comments?) http://webforums.macromedia.com/coldfusion/messageview.cfm?catid=12&threadid =599906 cheers barry.b ============================================ Hi Brian, What do you need to know? CF runs as the system user, and IIS can be configured to 'integrated NT authentication from MMC - Relevant site - right click/properties/security tab - I think down the bottom of the menu. -----Original Message----- From: Knott, Brian [mailto:[EMAIL PROTECTED] Sent: Friday, 30 May 2003 2:25 PM To: CFAussie Mailing List Subject: [cfaussie] Cold Fusion and IIS Is there any good resources on how to get IIS, Cold fusion and NTFS permissions working correctly. We are trying to set up a system that uses NT logins to access web sites as well as the CF administrator. Brian Knott QANTM Studio Senior Database Developer Ph (07) 30174331 Mob 0407572127 --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MX Downunder AsiaPac DevCon - http://mxdu.com/
