Web application security is a difficult topic and can’t be covered completely in a single blog post. After the break I discuss one quick way to block ColdFusion Administrator requests in Apache. I also list other resources that will help you understand ColdFusion security and how to apply practical security constructs on your ColdFusion servers.
As a ColdFusion developer or administrator you should always protect your server by locking out requests to the ColdFusion Administrator. Having a Web-based admin panel for ColdFusion is fantastic, but if an unauthorized user were to gain access to it they could cause serious harm to your application, your customers, and your business. Restricting access to the ColdFusion Administrator should be high on your priority list.
One way to do this is to not allow access to your ColdFusion Administrator through your external Web server, such as Internet Information Services (IIS) or Apache. This means that in order to log into your ColdFusion Administrator you must use a URL that corresponds to the built-in Web server that ships with ColdFusion. This Web server runs on non-standard ports, with a separate port for each instance of ColdFusion running on your server (in a multi-instance installation). The Apache Location directive below denies any request whose URL path contains /CFIDE/administrator. Two things to keep in mind: the ~ form of Location is a regular expression match and is case-sensitive by default, so on a server whose filesystem is case-insensitive (Windows) a request for /cfide/Administrator/ would still reach ColdFusion unless you use a case-insensitive pattern such as "(?i)/CFIDE/administrator"; and Order/Deny/Allow is Apache 2.2 syntax, which Apache 2.4 only honors when mod_access_compat is loaded (2.4 uses Require all denied instead).
<Location ~ "/CFIDE/administrator">
    Order Deny,Allow
    Deny from All
</Location>
How does this provide additional security?
The additional security comes from not allowing anyone to append the path /CFIDE/administrator to your public URL. Anyone who knows a bit about ColdFusion knows this is the URL path to the Administrator. A nefarious Internet user could append this path to your domain and, if you haven't locked it down, they now know you are running ColdFusion (and, from the login page, roughly which version). They can then brute force the Administrator login form. Even if they never guess your super awesome password, ColdFusion will still process every one of their login attempts, using up valuable resources on your server. With the Location block in place Apache answers those requests with a 403 itself and the request never reaches ColdFusion at all.
Is blocking ColdFusion Administrator from an external Web server enough?
Of course not, but it's a start. An attacker could still learn the IP address of your server and attempt to guess (or simply port scan for) the built-in ColdFusion Web server ports you are using. If they find one they can brute force the ColdFusion Administrator login there instead, so the built-in server's port should also be blocked at the firewall from anything but trusted addresses. To resolve this I also recommend locking down your ColdFusion Administrator by IP address. You can set your server to only allow ColdFusion Administrator login from a specific IP address (such as your office) or, even better, only allow login via VPN from an internal address in a private range such as 10.x.x.x or 192.168.x.x. This last suggestion is one of my favorites because it provides the most versatile access to your server. You can be anywhere in the world and still reach your ColdFusion Administrator, but you must first connect to your VPN, and only then will a 10.x.x.x or 192.168.x.x address connect you to your server and ultimately your ColdFusion Administrator.
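The following Apache fragment is an added example, not configuration from the original post, Adobe, or the lockdown guide. It restates the Location directive from the post in both Apache 2.2 and 2.4 syntax with a case-insensitive pattern, and then shows the IP-restricted variant discussed above as an alternative to an outright deny. The address ranges are assumed placeholders, and the extra CFIDE paths in the last block go beyond the post's /CFIDE/administrator: /CFIDE/adminapi exposes the same administrative functions as CFCs, so it is usually blocked alongside the Administrator.

```apache
# Apache 2.2 syntax: the post's directive, made case-insensitive with (?i) so
# /cfide/Administrator/ is caught too. Left unanchored, as in the original, so
# the path is matched anywhere in the URL.
<LocationMatch "(?i)/CFIDE/administrator">
    Order Deny,Allow
    Deny from all
</LocationMatch>

# Apache 2.4 syntax for the same rule. Order/Deny/Allow only work in 2.4 when
# mod_access_compat is loaded; Require is the native form.
<LocationMatch "(?i)/CFIDE/administrator">
    Require all denied
</LocationMatch>

# Alternative (Apache 2.4): instead of denying everyone, allow the Administrator
# only from an office or VPN range. 10.0.0.0/8 and 192.168.0.0/16 are assumed
# placeholders; substitute the range your VPN actually hands out. Everything
# not listed is denied.
<LocationMatch "(?i)/CFIDE/administrator">
    Require ip 10.0.0.0/8 192.168.0.0/16
</LocationMatch>

# Going beyond the post: the Administrator API under /CFIDE/adminapi offers
# the same administrative functions programmatically, so lock it down with
# the same rule.
<LocationMatch "(?i)/CFIDE/(administrator|adminapi)">
    Require ip 10.0.0.0/8 192.168.0.0/16
</LocationMatch>
```

After reloading Apache, verify the block from an outside address with a few variants (e.g. /CFIDE/administrator/, /cfide/administrator/index.cfm, /CFIDE/Administrator/) and confirm each returns 403 from Apache rather than the ColdFusion login page. Only use one of the blocks per path at a time; the deny-all and allow-by-IP forms are alternatives, not layers.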
Where to go from here
There’s much more to Web and ColdFusion security than the little bit of information I’ve provided here. If you want to learn more ways to lock down your ColdFusion Administrator I recommend reading Steven Erat’s blog post from 2005. Yes it’s old, but what Steven suggests still applies today. I also recommend you use Pete Freitag’s HackMyCF site. It’s a free Web-based application that will scan your ColdFusion servers and e-mail you a nice report of vulnerabilities with information on how to fix them. Pete also provides a low cost subscription service to HackMyCF that will scan your servers automatically based on the schedule you provide. Finally, Pete wrote a ColdFusion 9 lockdown guide (PDF link) that includes all kinds of information on securing your ColdFusion servers on Windows and Linux. Page 12 of the guide includes information on Apache and ColdFusion security considerations on Linux.