Securing the Coldfusion/Railo Administrator in IIS

Print Email
Author: Steven Neiland
Published:

Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

With the recent security hole found in ColdFusions CFIDE adminapi (see here, here and here), I thought it a good time to dust off this blog post that I've had sitting around in my drafts folder for the better part of a year.

To prevent the previously mentioned attack as well as being good practice anyway it is a good idea to limit who can access your ColdFusion/Railo administrator. One technique is to limit access by IP address (for example 127.0.0.1). This can be achieved using IIS as follows.

Limit Access to Localhost Users Only

Lets limit access to the /CFIDE/adminapi and /CFIDE/administrator folders on our server to localhost users only. The instructions for doing this vary depending on if you are using IIS6 or IIS7.

IIS 6

  1. Open the IIS Manager Console
  2. Navigate to a particular domain
  3. Right click on the /CFIDE/administrator/ directory
  4. Select Properties
  5. Select the Directory Security Tab
  6. Under "IP Address and domain Name Restrictions" click Edit
  7. In the screen that opens select the "Denied Access" option.
  8. Click the "Add" Button to open the grant access screen.
  9. In the grant access screen set the type to single computer and add the ipaddress 127.0.0.1
  10. Click ok to each screen to save and close
  11. Now repeat for the /CFIDE/adminapi/ directory.

IIS 7+

  1. Open the IIS Manager
  2. Navigate to a particular domain
  3. Select the /CFIDE/administrator directory
  4. Open the IP Address and Domain Restrictions module
  5. Click "Edit Feature Settings" in the actions sidebar
  6. Select "Deny" and click ok.
  7. Click the "Add Allow Entry" option in the actions sidebar
  8. Enter 127.0.0.1 for specific ipv4 address and click ok
  9. Now repeat for the /CFIDE/adminapi/ directory.

Repeat these steps for every domain on the server.

Railo

To accomplish this for railo just replace "/CFIDE/administrator" in the above instructions with "/railo-context".

Alternate Method Request Filtering

Pete Freitag has a very good article on using Request Filtering to achieve the same results. It looks like this technique allows for the rule to be applied globally to that server.

Note: If you use the request filtering method be aware that there is a bug in IIS7.5 where you need to filter for /folder and /folder/.

Require HTTPS For Admin Console

If you do need to access the administrator for a machine other than localhost it is a good idea to at least require ssl for that connection if you have an ssl cert for your site. Here is how you do this.

IIS 6

  1. Open the IIS Manager Console
  2. Right click on the CFIDE/administrator/ directory
  3. Select Properties
  4. Select the Directory Security Tab
  5. Under Secure Communications click Edit
  6. Check "Require secure channel (SSL)"
  7. Click ok to each screen to save and close
  8. Now repeat for the /CFIDE/adminapi/ directory.

IIS 7+

  1. Open the IIS Manager Console
  2. Select the CFIDE/administrator/ directory
  3. Open the "SSL Settings" feature
  4. Tick the "Require SSL" checkbox
  5. Save and close
  6. Now repeat for the /CFIDE/adminapi/ directory.

Related Blog Postings

Reader Comments

Lee's Gravatar
Lee
Tuesday, January 8, 2013 at 9:43:33 AM Coordinated Universal Time

Nice post. This is exactly what we needed to do. It may be a level deeper, but you may want to add how to get "IP Address and domain Name Restrictions" set up in IIS if it is not already (we needed to add this - it was not part of the initial set up done by another group at our org).

Steven Neiland's Gravatar
Website
@sneiland
Steven Neiland
Tuesday, January 8, 2013 at 10:00:37 AM Coordinated Universal Time

Thanks Lee. If I get time I'll try get around to adding that.

James Moberg's Gravatar
@gamesover
James Moberg
Tuesday, January 8, 2013 at 11:23:45 AM Coordinated Universal Time

We preferred using "URL Rewrite" instead of "IP Address and domain Name Restrictions".

We added our local network IP class to the exclusion list so that we could access the CFIDE directories from our workstations. Any other attempted access from other IPs results in a regular "404 Not Found" error.

NOTE: We don't use any ColdFusion features that require the use of a publicly accessible CFIDE sub-directory.

  • Please keep comments on-topic.
  • Please do not post unrelated questions or large chunks of code.
  • Please do not engage in flaming/abusive behaviour.
  • Comments that contain advertisments or appear to be created for the purpose of link building, will not be published.

Archives Blog Listing

Tag Listing