Locking Down CF Servers
0 likes694 views
This document discusses how to lock down ColdFusion servers through securing the installation, post-installation configuration, and settings in the ColdFusion Administrator. It recommends following principles of least privilege, defense in depth, and reducing the attack surface. Specific steps include installing only necessary components, disabling unneeded servlets, restricting file permissions, updating to the latest JVM, securing sessions, and locking down the ColdFusion Administrator interface. The overall goal is to grant only the minimum permissions required to operate ColdFusion securely.
Ad
More Related Content
What's hot (20)
Similar to Locking Down CF Servers (20)
Ad
More from ColdFusionConference (20)
Ad
Recently uploaded (20)
Locking Down CF Servers
- 1. Locking Down CF Servers Pete Freitag, Foundeo Inc. foundeo.com | hackmycf.com | fuseguard.com
- 2. About Pete Freitag ✤ Owner of Foundeo Inc. ✤ HackMyCF - Remote ColdFusion Security Scanner ✤ FuseGuard - Web App Firewall for CFML ✤ Consulting - Install, Configure, Review, CFML Dev ✤ 17+ Years working with CF ✤ Author of CF9-11 Lockdown Guides, CFMX Cookbook (SAMs) ✤ blog: petefreitag.com twitter: @pfreitag slack: @foundeo
- 3. Our FocusToday ✤ Securing your ColdFusion Server Install ✤ Not covering: ✤ Hardening Your Operating System ✤ Database Security ✤ Securing your Application Source Code
- 4. Agenda ✤ Guiding Principals ✤ Installation ✤ Post Installation Lockdown ✤ ColdFusion Administrator Configuration ✤ Tomcat Configuration
- 5. Heavily Based on: ✤ Adobe ColdFusion 11 Lockdown Guide: http://bit.ly/cf11lockdown ✤ Adobe ColdFusion 10 Lockdown Guide: http://bit.ly/cf10lockdown ✤ Adobe ColdFusion 9 Lockdown Guide: http://bit.ly/cf9lockdown ✤ This talk assumes CF11, but is mostly the same for CF10 as well ✤ CF9 and below are no longer supported (no more security patches)
- 6. Why Do I need to Lockdown my install? Can't the installer do everything for me? What is secure? What tradeoffs are acceptable? (cc) http://www.flickr.com/photos/toddler/4169974226/
- 7. Principal of Least Privilege Grant only the minimum permission required to accomplish a task. (cc) http://www.flickr.com/photos/dvanzuijlekom/8279837896/in/photostream/
- 8. Defense in Depth Multiple Layers of Redundant Security. (cc) http://www.flickr.com/photos/flygraphix/4791988161/
- 10. ColdFusion ASP.NET PHP DNS FTP Web Server ColdFusion Web Server vs. Reduce Attack Surface
- 11. Avoid Defaults Avoid using defaults for configurable options such as paths, usernames, etc.
- 12. Services I Like: ✤ Duo Security: Two Factor Authentication ✤ (RDP, SSH) ✤ Dome9: Cloud Firewall ✤ Easily grant temporary access to administrative ports.
- 13. Pre-Installation ✤ Lockdown and Patch OS ✤ OS Vendors have Lockdown Guides as well. ✤ https://access.redhat.com/documentation/en-US/ Red_Hat_Enterprise_Linux/6/html/Security_Guide/ ✤ Windows Security Compliance Toolkit: http:// technet.microsoft.com/en-us/library/cc677002.aspx ✤ Ensure network firewall in place. ✤ Remove all unnecessary software.
- 14. Pre-Installation ✤ Windows: Create multiple partitions OS, CF, Web Root. ✤ Limits impact of a path traversal vulnerability. ✤ Create a user account for CF to run as.
- 15. Installation
- 16. Installation Install only necessary subcomponents
- 18. Installation
- 19. Installation
- 20. Installation
- 21. Installation
- 22. Installation
- 23. Post-Install ✤ Install any/all CF security hotfixes and updates. ✤ Install / Update Web Server connectors ✤ Configure administrator settings.
- 24. Accessing CF Administrator ✤ Setup webserver (IIS / Apache) ✤ IP Restrictions, SSL, Additional User Auth ✤ or Use Builtin Web Server
- 25. Using BuiltinWeb Server ✤ Pro: Easy /CFIDE block ✤ Con: Harder to configure SSL, Virtual Directories, IP Restrictions ✤ Works well if using RDP to access from localhost, or setting up ssh tunneling on unix ✤ If you need to access from public network, create a dedicated site, use SSL, IP restrictions, etc.
- 26. Block /CFIDE ✤ If possible block all CFIDE ✤ If partially required block everything else. ✤ Block server wide, not by virtual host ✤ Always Restrict: ✤ /CFIDE/administrator ✤ /CFIDE/adminapi ✤ CF11 no longer has /CFIDE/GraphData.cfm
- 27. X Red = Should be blocked Orange = Block if possible Yellow = Low risk but can be blocked
- 28. Apache ✤ RedirectMatch 404 (?i).*/CFIDE.* ✤ <LocationMatch "(?i).*/CFIDE">
- 29. IIS Request Filtering ✤ Block or whitelist URIs ✤ Block or whitelist by file extension ✤ Block or whitelist HTTP verbs ✤ Request Limits ✤ Content Length ✤ URL Length ✤ Query String Length
- 32. Block unused servlet mappings ✤ /cfform-gateway ✤ /cfform-internal ✤ /rest ✤ /CFIDE/main/rds.cfm ✤ /CFIDE/GraphData.cfm (cfchart on CF10) ✤ /WSRPProducer ✤ /CFFileServlet ✤ /CFFormGateway ✤ /flashservices/gateway ✤ /flex2gateway ✤ See web.xml
- 33. Restrict File Extensions ✤ By Folder (user upload directories): ✤ Eg: Restrict folder to serve only jpg, png, gif files. ✤ Can be done globally or on site specific as well ✤ The /jakarta virtual directory needs dll extension
- 34. Dedicated User Account ✤ Windows: Change Service Log On identity. Otherwise CF runs with full permission to everything. ✤ Unix: The installer allows you to specify a user to run CF as. ✤ The default nobody user is probably not the best choice as other services might share this account.
- 35. File System Permissions Path CF User Permissions Web Server User Permissions Web Root Read Only Additional as needed Read Only CF Root Full Can be restricted further /CFIDE CF Connector Read Read Write (Logs)
- 36. File System Permissions ✤ /CFIDE and other directories under CF root can be restricted read only permission by the cf user to prevent runtime change. ✤ Run CF10/CF11 hotfix installer from command line as administrator. ✤ java -jar {coldfusion-home}cfusionhf-updateshotfix_XXX.jar
- 37. Update JVM ✤ Update to latest supported JVM (1.8 currently for CF10-11) ✤ Java 1.6 & 1.7 (as of 4/15) no longer supported by Oracle! ✤ Adobe recommends you run the latest supported JVM (eg 1.8. {highest number}) instead of specific version numbers.
- 38. Sandbox Security ✤ Disable Unnecessary Risks, eg: cfexecute, cfregistry ✤ More flexible on Enterprise but still works on standard.
- 39. Session Mechanism Feature J2EE CF Configure in Application.cfc No Yes Token size configurable Yes No Configure in web.xml Yes No Interoperates with J2EE applications Yes No SessionRotate No Yes SessionInvalidate No Yes CF10-11/tomcat
- 41. Tomcat ✤ Shutdown port / password ✤ Changing port on windows causes CF service stop to fail. ✤ Connector settings: ✤ connector secret (have to redo when updating connector) ✤ Tomcat 7 Security Configuration Guide: http://tomcat.apache.org/ tomcat-7.0-doc/security-howto.html
- 43. ColdFusion Administrator ✤ Default ScriptSrc Directory ✤ Setup an alias so /CFIDE/scripts/ -> /some-folder/ ✤ Allows you to block /CFIDE ✤ If you don’t use cfform, cfajaxproxy, etc you can skip. ✤ If you use the builtin web server you need to configure an alias
- 44. ColdFusion Administrator ✤ Allowed file extensions for CFInclude tag ✤ Mitigates directory traversal / path injection that leads to code execution attack. ✤ Comma separated list of file extensions that execute, typically can be set to just cfm
- 46. AdditionalTools ✤ HackMyCF ✤ FuseGuard ✤ CF Unofficial Updater (CF9 and below)
- 47. Questions? foundeo.com | hackmycf.com | fuseguard.com