RE: [DFW CFUG] Re: CF Security Question

Fri, 08 Sep 2006 10:12:38 -0700

The most important thing Tom said was , “not as a domain admin”. This would be worse than leaving it as the default and using the system user. If you need CF to be able to access network shares, then I guess you could run it as a domain user. I always run it with a user account, the permissions of which have been significantly limited.

 

Thanks,

 

Ken Ferguson

214.636.6126

 

 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Jordan
Sent: Friday, September 08, 2006 11:45 AM
To: Dallas/Fort Worth ColdFusion User Group Mailing List
Subject: Re: [DFW CFUG] Re: CF Security Question

 

Thanks for responding, Tom. I appreciate knowing how others are running their CF servers. I may just suggest a domain user instead of admin. Does anyone know if what Tom is doing here is pretty much standard or does anyone else set theirs up differently?

Chris

Tom Woestman wrote:

Chris,

 

We run CF as a domain user to ensure it has the ability to access network shares but definitely not as a domain admin.  The domain user is only needed if you are accessing resources outside the system itself (other than databases).  I would recommend moving access back to a domain user rather than admin if you are confident that user will have access to all resources needed.

 

If you don’t need to access outside resources then the standard system user is a good choice as that reduces the risk of a compromised system attacking other systems.

 

Tom Woestman

 

p.s.  I am not an expert in this area so please take this with the corresponding chunk of salt

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christopher Jordan
Sent: Friday, September 08, 2006 8:29 AM
To: Dallas/Fort Worth ColdFusion User Group Mailing List
Subject: [DFW CFUG] Re: CF Security Question

 

Does anyone have thoughts on this?

Christopher Jordan wrote:

Hi folks,

The IT director at the client I'm working for right now, is trying to tighten down security, and he wants to change the privileges on the account that the CF services currently use. However, a long while back when my company first got this client and they didn't know ColdFusion from a hole in the ground, there were problems using an account with limited privileges. The IT director at the time, couldn't figure it out and his solution was to make the account a domain admin.

Are domain admin privilages overkill? Can anybody tell me what the minimum access privileges are for the account that the ColdFusion services use?

Many thanks,
Chris

 





 
_______________________________________________
Reply to DFWCFUG: 
  [email protected]
Subscribe/Unsubscribe: 
  http://lists1.safesecureweb.com/mailman/listinfo/list
List Archives: 
    http://www.mail-archive.com/list%40list.dfwcfug.org/             
  http://www.mail-archive.com/list%40dfwcfug.org/
DFWCFUG Sponsors: 
  www.HostMySite.com 
  www.teksystems.com/
  
_______________________________________________
Reply to DFWCFUG: 
  [email protected]
Subscribe/Unsubscribe: 
  http://lists1.safesecureweb.com/mailman/listinfo/list
List Archives: 
    http://www.mail-archive.com/list%40list.dfwcfug.org/             
  http://www.mail-archive.com/list%40dfwcfug.org/
DFWCFUG Sponsors: 
  www.HostMySite.com 
  www.teksystems.com/

Reply via email to