With the recent security hole found in ColdFusion's CFIDE adminapi (see here, here and here), I thought it a good time to dust off this blog post that I've had sitting around in my drafts folder for the better part of a year.
Preventing the attack mentioned above is one reason, and plain good practice is another, to limit who can access your ColdFusion/Railo administrator. One technique is to restrict access by IP address (for example, to 127.0.0.1 only). This can be done in IIS as follows.
Limit Access to Localhost Users Only
Let's limit access to the /CFIDE/adminapi and /CFIDE/administrator folders on our server to localhost users only. The instructions for doing this vary depending on whether you are using IIS 6 or IIS 7.
IIS 6
- Open the IIS Manager Console
- Navigate to a particular domain
- Right click on the /CFIDE/administrator/ directory
- Select Properties
- Select the Directory Security Tab
- Under "IP Address and Domain Name Restrictions" click Edit
- In the screen that opens select the "Denied Access" option.
- Click the "Add" Button to open the grant access screen.
- In the grant access screen set the type to "Single computer" and add the IP address 127.0.0.1
- Click OK on each screen to save and close
- Now repeat for the /CFIDE/adminapi/ directory.
IIS 7+
- Open the IIS Manager
- Navigate to a particular domain
- Select the /CFIDE/administrator directory
- Open the IP Address and Domain Restrictions module
- Click "Edit Feature Settings" in the actions sidebar
- Select "Deny" and click OK.
- Click the "Add Allow Entry" option in the actions sidebar
- Enter 127.0.0.1 as the specific IPv4 address and click OK
- Now repeat for the /CFIDE/adminapi/ directory.
Repeat these steps for every domain on the server.
Railo
To accomplish this for Railo, just replace "/CFIDE/administrator" in the above instructions with "/railo-context".
Alternate Method: Request Filtering
Pete Freitag has a very good article on using Request Filtering to achieve the same results. It looks like this technique allows the rule to be applied globally across the server rather than per domain.
Note: if you use the Request Filtering method, be aware that there is a bug in IIS 7.5 that requires you to filter for both /folder and /folder/.
Require HTTPS For Admin Console
If you do need to access the administrator from a machine other than localhost, it is a good idea to at least require SSL for that connection, assuming you have an SSL certificate for your site. Here is how you do this.
IIS 6
- Open the IIS Manager Console
- Right click on the /CFIDE/administrator/ directory
- Select Properties
- Select the Directory Security Tab
- Under Secure Communications click Edit
- Check "Require secure channel (SSL)"
- Click OK on each screen to save and close
- Now repeat for the /CFIDE/adminapi/ directory.
IIS 7+
- Open the IIS Manager Console
- Select the /CFIDE/administrator/ directory
- Open the "SSL Settings" feature
- Tick the "Require SSL" checkbox
- Save and close
- Now repeat for the /CFIDE/adminapi/ directory.
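The IIS 7+ steps above (deny all but 127.0.0.1, then Require SSL) have to be clicked through for every admin folder on every domain, so here is an added example, not from the original post, that does the same thing with appcmd.exe for both folders on every site. It assumes the "IP and Domain Restrictions" role service is installed (without it the settings are accepted but not enforced), that the script runs from an elevated prompt, that the WebAdministration module is available for site enumeration, and that the IPv6 loopback ::1 should be allowed alongside 127.0.0.1.

```powershell
# Applies the IIS 7+ "IP Address and Domain Restrictions" and "SSL Settings" steps
# to the ColdFusion admin folders on every site. Settings are committed to
# applicationHost.config (/commit:apphost); the ipSecurity and access sections
# are locked for web.config by default, so writing them there would fail.
Import-Module WebAdministration

$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$paths  = @('CFIDE/administrator', 'CFIDE/adminapi')   # for Railo, use 'railo-context' instead
$allowedIps = @('127.0.0.1', '::1')                    # assumption: both loopback addresses wanted

foreach ($site in Get-Website) {
    foreach ($p in $paths) {
        $target = "$($site.Name)/$p"

        # "Edit Feature Settings" -> Deny: anything not explicitly allowed is refused
        & $appcmd set config $target -section:system.webServer/security/ipSecurity `
            /allowUnlisted:"False" /commit:apphost

        # "Add Allow Entry" for each loopback address
        foreach ($ip in $allowedIps) {
            $entry = "/+[ipAddress='$ip',allowed='True']"
            & $appcmd set config $target -section:system.webServer/security/ipSecurity `
                $entry /commit:apphost
        }

        # "SSL Settings" -> Require SSL, for the case where remote admin access must stay open
        & $appcmd set config $target -section:system.webServer/security/access `
            /sslFlags:"Ssl" /commit:apphost
    }
}

# Check the result for one path: expect allowUnlisted="false" and the allowed entries listed
& $appcmd list config "Default Web Site/CFIDE/administrator" -section:system.webServer/security/ipSecurity
```

A request from any other address should now get HTTP 403 for these paths; confirm from a non-loopback machine after running it.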