I would have the CF application directories be read only. You don't
want a vulnerability in your application to allow the arbitrary
modification or overwriting of any CFML files, since that could lead
to system compromise.
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
On Jul 10, 2008, at 2:11 PM, John Mason wrote:
Yes, you're correct...only if you need to modify the code would you need to
up the permissions
John Mason
[EMAIL PROTECTED]
770.337.8363
www.FusionLink.com - ColdFusion and Flex hosting
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Thursday, July 10, 2008 2:06 PM
To: [email protected]
Subject: Re: [ACFUG Discuss] Minimum required permissions
Why would CF need to modify (or have write privileges at all) on the
directories containing CFML sites/code? Shouldn't read-only privileges
there be sufficient?
-dhs
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
On Jul 10, 2008, at 1:58 PM, John Mason wrote:
Here's the basic rundown.
Create a new account called 'coldfusion'
Go into Local Security Policy -> Local Policies -> User Rights Assignment
Add the 'coldfusion' account to..
- Deny log on locally
- Deny log on through Terminal Services
- Log on as a service
Next go to regedt32
Give the 'coldfusion' account permissions to modify the
following (if you have ODBC datasources only)
HKLM/SOFTWARE/Microsoft/ODBC
Now go into File Explorer
Give Modify permissions to the following directories
- .../CFIDE
- .../ColdFusion8 or .../JRUN4 (also, if you are using a
  different JVM, the account needs permissions there as well)
- Then any directories that contain the cfml sites and code
Next go into Services
Change into the CF service properties and click the 'Log On' tab
Switch the user from 'Local System' to the 'coldfusion'
account and enter the password
Click apply and then restart services - it should properly
restart under the new account
John Mason
[EMAIL PROTECTED]
770.337.8363
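The file and registry permissions from the rundown above, scripted with the read-only change for the code directories that the later replies agree on, followed by a check that the result holds. This is an added example, not part of any message in the thread: every path and the service name are placeholders to replace, and the registry rights chosen to stand in for "modify" are an assumption. The account creation, user-rights assignment and service log-on change stay manual as described above.

```powershell
# Added example, not from the thread. Paths and service name are placeholders.
$Account  = 'coldfusion'                           # account name from the thread
$Runtime  = 'D:\PLACEHOLDER\CFIDE', 'D:\PLACEHOLDER\ColdFusion8'  # get Modify
$CodeDirs = @('D:\PLACEHOLDER\sites')              # CFML sites/code: read-only
$Service  = 'PLACEHOLDER-SERVICE-NAME'             # look it up with Get-Service

# File system: Modify on the runtime directories, read/execute on the code.
# /grant:r replaces any earlier explicit grant for the account.
foreach ($d in $Runtime)  { icacls $d /grant:r "${Account}:(OI)(CI)M"  /T /Q }
foreach ($d in $CodeDirs) { icacls $d /grant:r "${Account}:(OI)(CI)RX" /T /Q }

# Registry (only needed for ODBC datasources). The rights below are an
# assumed equivalent of "permissions to modify" on the key and its subkeys.
$key  = 'HKLM:\SOFTWARE\Microsoft\ODBC'
$acl  = Get-Acl -Path $key
$rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
    $Account, 'ReadKey, WriteKey, Delete', 'ContainerInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $key -AclObject $acl

# Check 1: report any ACE that still lets the account write under the code dirs.
# Only ACEs naming the account itself are examined, not its group memberships.
$write = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
foreach ($d in $CodeDirs) {
    @(Get-Item $d) + @(Get-ChildItem $d -Recurse -Force) | ForEach-Object {
        $path = $_.FullName
        (Get-Acl -LiteralPath $path).Access | Where-Object {
            $_.IdentityReference.Value -like "*\$Account" -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $write)
        } | ForEach-Object { "WRITABLE by ${Account}: $path ($($_.FileSystemRights))" }
    }
}

# Check 2: confirm the service was switched away from Local System.
$svc = Get-CimInstance Win32_Service -Filter "Name='$Service'"
if ($svc.StartName -notlike "*\$Account") { "Service still runs as $($svc.StartName)" }
```

No output from the two checks means the account has no direct write ACE on the code directories and the service runs under it; write access inherited through groups such as Users or Everyone needs a separate review.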
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shawn gorrell
Sent: Thursday, July 10, 2008 9:12 AM
To: [email protected]
Subject: [ACFUG Discuss] Minimum required permissions
Hoping that maybe Dave Watts is paying attention to the list today...
I've been looking for a list of directories and permissions necessary
for using a domain account to run CF on Windows (as opposed to Local
System), and having little luck. There is an article about CF on IIS
on the Adobe site, but it is for CF7 and is incomplete. Dave did a
presentation on a similar topic and referred to an article on defusion
that looked like it should have the info, but defusion is dead.
Haven't been able to dig up anything else useful on Google.
Does anyone have a list like that? I can kind of guess and test my way
through it, but a list would save a ton of time.
Thanks
-------------------------------------------------------------
To unsubscribe from this list, manage your profile @
http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists Archive @
http://www.mail-archive.com/discussion%40acfug.org/
List hosted by FusionLink
-------------------------------------------------------------