Security by obscurity is not a good mechanism... let everyone see.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"What is objectionable, what is dangerous about extremists is not
that they are extreme, but that they are intolerant."
-- Robert F. Kennedy, 1964
On Aug 1, 2007, at 3:24 PM, John Mason wrote:
Dean, I'll need to email you off list after the meeting. I
naturally don't like sharing that stuff in the open for everyone to
see.
For everyone out there - needless to say, don't just depend on the
CF level of security. Security should always include multiple
layers. Otherwise it won't hold up very well.
John Mason
[EMAIL PROTECTED]
770.337.8363
www.FusionLink.com - ColdFusion and Flex hosting
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H.
Saxe
Sent: Wednesday, August 01, 2007 3:17 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] CF Service Account
Sandbox security is fine when it is backed up by OS-level security.
What hack do you refer to? That's a new one on me.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"[U]nconstitutional behavior by the authorities is constrained only
by the peoples' willingness to contest them"
--John Perry Barlow
On Aug 1, 2007, at 3:12 PM, John Mason wrote:
There's some, but there's a known remote Java class hack to get
around it. I'm testing CF8 for this issue. BlueDragon doesn't have
this issue, by the way. For a lot of things sandboxing is certainly
good if people would just use it ;)
But if you have COM objects on and CF is running under the local
service account, which a lot of people do for some reason, you can
pretty much do anything you want to a server. Taking CF off local
service account achieves a lot of known security issues outright
and it's easy to implement. That's why I jump on that whenever
possible.
John Mason
[EMAIL PROTECTED]
770.337.8363
www.FusionLink.com - ColdFusion and Flex hosting
Now offering ColdFusion 8 Enterprise hosting
FREE Subversion hosting
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Charlie Arehart
Sent: Wednesday, August 01, 2007 2:59 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] CF Service Account
No value in the resource/sandbox security? :-)
/charlie
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Saxon
Sent: Wednesday, August 01, 2007 2:05 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] CF Service Account
Thank you John and Dean for your feedback. The CF script needs to
write the contents of a web form to a folder on another server so
that an application on that server can read in the form results.
-------------------------------------------------------------
Annual Sponsor - Figleaf Software
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------