Securing ColdFusion pages through IIS

Using NT/IIS security to authenticate ColdFusion Pages can be a bit
confusing, but it does have logic to it that works. It may simply take
some time to figure out the logic for specific NT environments.

On a basic level, there are three authentication schemes available for
ColdFusion pages: the non-restricted scheme, which does not require user
login; broad authentication on a directory basis, which requires a user
logon once when requesting any CF page from that directory; and
specific authentication on a file-by-file basis, which requires a user
login for a specific page but not for other unrestricted pages.

Authentication schemes are created by using the web server
authentication settings in conjunction with directory and file
permissions. On the web server side, the open authentication scheme is
handled by using the anonymous logon option. Directory and file
authentication schemes are handled by using the Basic Clear Text and
NT Challenge/Response options. More information on these is below.

Once authentication options are set in the web server, certain NT
accounts must be granted access to ColdFusion page directories and/or
specific ColdFusion application files. The NT user accounts of
importance are:

   * System account - the system account should be added to file
permissions to give the web server access to the directory. It should
be given read and execute permissions.
   * ColdFusion account - The account under which ColdFusion is
running. It should be given read and execute permissions. By default
it is the system account. To check this account go to the Services
Control Panel, highlight the ColdFusion service and click startup.
   * The Anonymous user account (IUSR_machinename) - This account
needs to be added to all files or directories to which anonymous logon
is desired. It should be given read and execute permissions.
   * Any user or group which should have access to a ColdFusion page
directory or file.
   * In addition to ColdFusion page directories the
/cfusion/bin/iscf.dll must also have proper permissions placed on it.
Since all users must have access to the iscf.dll to process a
ColdFusion page, it is generally easiest to assign the everyone group
to the iscf.dll.

Below are standard configurations that should work for basic
ColdFusion page security:

Anonymous Logon:

  1. In WWW service properties, make sure the anonymous logon option
is checked. The anonymous logon will not work if the password entered
in the web server does not match the password for the anonymous iusr
account under NT. By default these passwords will match unless the
user has gone in and changed them. Be sure to stop and start the web
server after changing authentication options.
  2. Apply appropriate accounts to directory permissions.
         * /cfusion/bin/iscf.dll file
           Everyone account
         * ColdFusion application pages directories
           System account
           Anonymous (IUSR) account
           ColdFusion account

Basic Clear Text/NT Challenge Response:

  1. In WWW service properties, check the Basic Clear Text or NT
Challenge/Response (it is easier to troubleshoot if only the Basic
option is checked).
  2. Apply appropriate accounts to directory permissions.
         * /cfusion/bin/iscf.dll file
           Everyone account
         * ColdFusion application pages directory
           System account
           Any user or group account that should have permissions
           ColdFusion account

Note:

   * If NT Challenge/Response is checked on the web server
authentication settings, Internet Explorer, because of its hooks into
NT, will automatically authenticate users that have proper
permissions.
   * If any secured pages have other pages included within them by
the cfinclude tag, make sure that the included pages have proper
permissions set on them.
   * If an Application.cfm* page is used for a secured application be
sure that it has the same permissions as the rest of the application.

     *In reality, the Application.cfm page can be used to handle
security for an entire application. Since it is included at the top of
every page of the application, permissions need only be set on the
Application.cfm file. Permissions on other ColdFusion pages of that
application can be left open to everyone.


On 9/8/06, Christopher Jordan <[EMAIL PROTECTED]> wrote:

 Does anyone have thoughts on this?


 Christopher Jordan wrote:
 Hi folks,

 The IT director at the client I'm working for right now is trying to
tighten down security, and he wants to change the privileges on the account
that the CF services currently use. However, a long while back when my
company first got this client and they didn't know ColdFusion from a hole in
the ground, there were problems using an account with limited privileges.
The IT director at the time couldn't figure it out and his solution was to
make the account a domain admin.

 Are domain admin privileges overkill? Can anybody tell me what the minimum
access privileges are for the account that the ColdFusion services use?

 Many thanks,
 Chris


_______________________________________________
Reply to DFWCFUG:
  [email protected]
Subscribe/Unsubscribe:
  http://lists1.safesecureweb.com/mailman/listinfo/list
List Archives:
    http://www.mail-archive.com/list%40list.dfwcfug.org/
  http://www.mail-archive.com/list%40dfwcfug.org/
DFWCFUG Sponsors:
  www.HostMySite.com
  www.teksystems.com/
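The permission layout in the pasted article above (Read & Execute for SYSTEM, IUSR_machinename and the ColdFusion service account on the page directories, Everyone on iscf.dll), checked with an added PowerShell audit that is not part of the original thread. The service name, drive letter and application directory are assumptions; the script also reports where the service account holds more than Read & Execute on page directories, which is the least-privilege point behind the domain-admin question.

```powershell
# Added example; not from the original post or from the ColdFusion vendor.
# Audits the NTFS rights the article calls for and flags excess rights held
# by the ColdFusion service account. Service name, drive and page directory
# are assumptions; change them to match the server.
param(
    [string]   $CfServiceName = 'Cold Fusion Application Server',  # assumed service name
    [string[]] $PageDirs      = @('C:\inetpub\wwwroot\cfapp'),      # assumed app directory
    [string]   $IscfDll       = 'C:\cfusion\bin\iscf.dll'           # path from article, drive assumed
)

$rx        = [System.Security.AccessControl.FileSystemRights]
$ReadExec  = [int]$rx::ReadAndExecute
$WriteBits = [int]$rx::Write -bor [int]$rx::Delete -bor [int]$rx::ChangePermissions -bor [int]$rx::TakeOwnership

# Account the ColdFusion service logs on as (what the article has you read from
# the Services control panel "Startup" dialog). The article says it is System by default.
$svc       = Get-CimInstance Win32_Service -Filter "Name='$CfServiceName'"
$CfAccount = if ($svc -and $svc.StartName -ne 'LocalSystem') { $svc.StartName } else { 'NT AUTHORITY\SYSTEM' }
$Anonymous = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # IUSR_machinename naming from the article

# Combined Allow rights mask that $Identity holds on $Path (0 if no Allow ACE).
function Get-AllowMask([string]$Path, [string]$Identity) {
    $mask = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -ieq $Identity) {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }
    return $mask
}

# True when every bit of Read & Execute is granted (Modify and Full Control also qualify).
function Test-ReadExecute([string]$Path, [string]$Identity) {
    return ((Get-AllowMask $Path $Identity) -band $ReadExec) -eq $ReadExec
}

$checks = @(@{ Path = $IscfDll; Identity = 'Everyone' })
foreach ($d in $PageDirs) {
    foreach ($id in @('NT AUTHORITY\SYSTEM', $Anonymous, $CfAccount)) {
        $checks += @{ Path = $d; Identity = $id }
    }
}
foreach ($c in $checks) {
    $state = if (Test-ReadExecute $c.Path $c.Identity) { 'OK' } else { 'MISSING' }
    '{0,-8}{1,-40} {2}' -f $state, $c.Identity, $c.Path
    # Least privilege: the article asks only for Read & Execute on page directories.
    if ($c.Identity -ieq $CfAccount -and ((Get-AllowMask $c.Path $c.Identity) -band $WriteBits)) {
        '{0,-8}{1,-40} {2}  (write/delete/permission rights beyond Read & Execute)' -f 'EXCESS', $c.Identity, $c.Path
    }
}
```

Run it from an elevated PowerShell on the IIS host; a MISSING line is a directory that will fail with an access error for that account, and an EXCESS line shows where the service account can be trimmed without breaking the setup the article describes.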