And don't forget that beyond that, the Resource/Sandbox security features in the CFMX Admin do allow you to create further limits on what CF is allowed to do (directories accessible, and more). In the Std edition, you get Resource Security to control what ALL CF templates in all apps on that CF server can do. In Enterprise, you get Sandbox Security, which lets you create either a global sandbox and/or ones per app.

I wrote about this in the CFMX 6 timeframe (and it's not changed, really) at two DevCenter articles:

ColdFusion Security, Part One: Understanding Sandbox/Resource Security
http://www.adobe.com/devnet/security/articles/sandbox_01.html

Security, Part Two: Setting Up Sandbox/Resource Security
http://www.adobe.com/devnet/security/articles/sandbox_02.html

/charlie
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Wednesday, August 01, 2007 12:25 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] CF Service Account

CF should never be run as a high-privileged account. Create a low-privilege account and run CF under that account. Only allow CF permissions on the filesystem where they are absolutely required. Ensure CF does not have any administrative privileges if they are not used (like using <cfregistry> to edit the registry). For other server shares, ensure that the account you created has rights on those shares.

This is commonly called implementing the principle of least privilege.

-dhs

Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not that they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964

On Aug 1, 2007, at 12:21 PM, Rob Saxon wrote:

By default the CF service runs as a System account. What is the best practice to allow this service to access all areas of the web server and other server shares? Here are some ideas I considered:

Scenario 1: Creating a domain account for the service that belongs to the local Admin group for the host server.

Scenario 2: Creating a local account on the host and shared servers with the same name, making that account a member of the web server's admin group, and giving that local account access to the share on the remote server.

Is either of these possibilities recommended? If not, are there any suggestions?
Take care,
Rob
---------------------------------------------------------------------------
Rob Saxon
Director Web Management
Mercer University
478-301-5550
-------------------------------------------------------------
Annual Sponsor - Figleaf Software <http://www.figleaf.com>
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink <http://www.fusionlink.com>
-------------------------------------------------------------
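The least-privilege setup Dean describes above (a dedicated low-privilege account, filesystem rights only where CF needs them, no Administrators membership), written out as a PowerShell script for the CF host. This is an added example and is not code from the thread, from Adobe, or from either poster. It assumes a ColdFusion 8 install under C:\ColdFusion8 whose Windows service name is "ColdFusion 8 Application Server", a webroot of C:\inetpub\wwwroot, a new local account named cfservice, and that the directories CF writes to are logs and tmpCache under the install root; adjust all of those for your server. Run it from an elevated prompt.

```powershell
# Added example (not from the original thread). Assumed names/paths below.
$Account     = 'cfservice'                          # assumed account name
$ServiceName = 'ColdFusion 8 Application Server'    # assumed service name (sc.exe needs the short name; check "sc query")
$CfHome      = 'C:\ColdFusion8'                     # assumed install path
$WebRoot     = 'C:\inetpub\wwwroot'                 # assumed webroot
$WriteDirs   = @("$CfHome\logs", "$CfHome\tmpCache") # assumed: the only trees CF must write to

# Prompt for the password so it is never stored in the script or shell history.
$Cred = Get-Credential -UserName ".\$Account" -Message 'Password for the CF service account'
$Plain = $Cred.GetNetworkCredential().Password

# 1. Create a plain local user. It is deliberately NOT added to Administrators.
net user $Account $Plain /add /passwordchg:no /expires:never | Out-Null
wmic useraccount where "name='$Account'" set PasswordExpires=false | Out-Null

# 2. Grant only the "Log on as a service" right (SeServiceLogonRight) via secedit.
#    services.msc grants this automatically; sc.exe config does not, so do it explicitly.
$sid = (New-Object Security.Principal.NTAccount($Account)).Translate([Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'cf-rights.inf'
$db  = Join-Path $env:TEMP 'cf-rights.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$cfg = [IO.File]::ReadAllText($inf)
if ($cfg -match '(?m)^SeServiceLogonRight\s*=') {
    # Append our SID to the existing list; keep every principal already granted the right.
    $cfg = $cfg -replace '(?m)^(SeServiceLogonRight\s*=[^\r\n]*)', "`$1,*$sid"
} else {
    $cfg = $cfg -replace '(?m)^\[Privilege Rights\][^\r\n]*', "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
}
[IO.File]::WriteAllText($inf, $cfg, [Text.Encoding]::Unicode)
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
Remove-Item $inf, $db -ErrorAction SilentlyContinue

# 3. Filesystem: read/execute on the CF install and the webroot, modify only where CF writes.
#    (OI)(CI) makes the ACE inherit to files and subfolders.
icacls $CfHome  /grant "${Account}:(OI)(CI)RX" | Out-Null
icacls $WebRoot /grant "${Account}:(OI)(CI)RX" | Out-Null
foreach ($d in $WriteDirs) {
    if (Test-Path $d) { icacls $d /grant "${Account}:(OI)(CI)M" | Out-Null }
}
# If templates upload files, grant M on that one upload folder only, not the whole webroot.

# 4. Point the service at the new account and restart it.
sc.exe config "$ServiceName" obj= ".\$Account" password= "$Plain" | Out-Null
$Plain = $null
Restart-Service -Name $ServiceName

# 5. Verify: not an administrator, and the service really runs as the new account.
$admins = net localgroup Administrators
if ($admins -match "^\s*$Account\s*$") { Write-Warning "$Account is in Administrators; remove it." }
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
"Service '$ServiceName' runs as: $($svc.StartName)"

# Remote shares: a purely local account is only recognised on another box if that box
# has an account with the same name and password (Rob's scenario 2). For a domain,
# create the account in AD instead and grant it share + NTFS rights on the file server;
# it still never needs local Administrators membership on the CF host.
```

The one place this script touches security policy is step 2; it edits only the SeServiceLogonRight line and re-imports just the USER_RIGHTS area, so the rest of local policy is untouched. If CF later fails to write somewhere (a cache, a mail spool, an upload directory), add a modify ACE for that single directory rather than widening the account's rights.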