How to lock down CFIDE in IIS


Leaving your CFIDE folder naked and hanging in the breeze is an oft-overlooked security hazard on servers running ColdFusion. I ran into an issue with our CFIDE folder at work today that took a while to debug. We are transitioning to a new data center, and our Flash forms were giving the "RSL load failed!" message on the new machines. I had locked down CFIDE, but forgotten to allow access to /CFIDE/scripts/.

How to lock down your CFIDE folder in IIS 5 and IIS 6

  • Open IIS, expand each site that has a virtual mapping to CFIDE.
  • Right click CFIDE and click Properties.
  • Go to the Directory Security Tab.
  • Click the Edit button inside the "IP Address and domain name restrictions" section.
  • Click the radio for "Denied access except for the following"
  • Add your machine's internal IP, and add 127.0.0.1

Click OK, OK, Apply, OK, OK, Apply, Up, Up, Down, Down, Left, Right, Left, Right, B, A, etc.

Now you need to allow access to /CFIDE/scripts/, or your cfforms won't work.

  • Right click /CFIDE/scripts/ and click Properties.
  • Go to the Directory Security Tab.
  • Click the Edit button inside the "IP Address and domain name restrictions" section.
  • Click the radio for "Granted Access"

Click OK, OK, etc.

Go to the command prompt and issue the iisreset command.

Make sure you can still get to your CFAdmin while logged onto your box directly. Make sure you can't from the outside world.
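The check above can be scripted so it gets run on every new machine. This is an added example, not part of the original post: the two paths (the Administrator login page and cfform.js) and the script name are assumptions, so adjust them to your install. Run it once on the box itself with `inside` and once from a machine that is not on the allow list with `outside`.

```python
"""Added example: check that the CFIDE IP restrictions behave as intended."""
import sys
import urllib.error
import urllib.request

# Assumed paths (not from the post): the usual ColdFusion Administrator login
# page and one of the cfform script files. Adjust to match your install.
ADMIN_PATH = "/CFIDE/administrator/index.cfm"
SCRIPTS_PATH = "/CFIDE/scripts/cfform.js"


def probe(base_url, path, timeout=10):
    """Return the HTTP status for base_url + path, or None if unreachable."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # a 403 or 404 is still an answer from the server
    except (urllib.error.URLError, OSError):
        return None


def evaluate(vantage, admin_status, scripts_status):
    """List what is wrong, given the statuses seen from one vantage point.

    vantage is "inside" (the server itself or an allowed IP) or "outside"
    (any address that is not on the allow list).
    """
    problems = []
    if vantage == "outside" and admin_status != 403:
        # IIS rejects a denied client IP with HTTP 403 (sub-status 403.6).
        problems.append(f"Administrator did not return 403 from outside (got {admin_status})")
    if vantage == "inside" and admin_status != 200:
        problems.append(f"Administrator not reachable from an allowed IP (got {admin_status})")
    if scripts_status != 200:
        # This is the mistake that produces "RSL load failed!" in Flash forms.
        problems.append(f"/CFIDE/scripts/ not reachable (got {scripts_status})")
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[2] not in ("inside", "outside"):
        sys.exit("usage: check_cfide.py http://your-site inside|outside")
    base, vantage = sys.argv[1], sys.argv[2]
    found = evaluate(vantage, probe(base, ADMIN_PATH), probe(base, SCRIPTS_PATH))
    for line in found:
        print("FAIL:", line)
    sys.exit(1 if found else 0)
```

An exit code of 0 from both vantage points means the Administrator is blocked from outside, reachable from an allowed IP, and /CFIDE/scripts/ is still served to everyone.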

Now go do it!
There are many many many of you who have naked administration login pages!
You know who you are!
