Securing ColdFusion pages through IIS
Using NT/IIS security to authenticate ColdFusion pages can be confusing, but the underlying logic is consistent and works; it may simply take some time to work it out for a specific NT environment.
On a basic level, there are three authentication schemes available for ColdFusion pages: an open scheme that requires no user login; directory-level authentication, which requires a user to log on once when requesting any ColdFusion page from that directory; and file-level authentication, which requires a login for a specific page but not for other, unrestricted pages.
Authentication schemes are created by using the web server authentication settings in conjunction with directory and file permissions. On the web server side, the open authentication scheme is handled by using the anonymous logon option. Directory and file authentication schemes are handled by using the Basic Clear Text and NT Challenge/Response options. More information on these is below.
Once authentication options are set in the web server, certain NT accounts must be granted access to ColdFusion page directories and/or specific ColdFusion application files. The NT user accounts of importance are:
- System account - the system account should be added to file permissions to give the web server access to the directory. It should be given read and execute permissions.
- ColdFusion account - The account under which ColdFusion is running. It should be given read and execute permissions. By default it is the System account. To check this account, go to the Services Control Panel, highlight the ColdFusion service and click Startup.
- The Anonymous user account (IUSR_machinename) - This account needs to be added to all files or directories to which anonymous logon is desired. It should be given read and execute permissions.
- Any user or group which should have access to a ColdFusion page directory or file.
- In addition to ColdFusion page directories, the /cfusion/bin/iscf.dll must also have proper permissions placed on it. Since all users must have access to iscf.dll to process a ColdFusion page, it is generally easiest to assign the Everyone group to iscf.dll.
Below are standard configurations that should work for basic ColdFusion page security:
Anonymous Logon:
- In WWW service properties, make sure the anonymous logon option is checked. Anonymous logon will not work if the password entered in the web server does not match the password of the anonymous IUSR account in NT. By default these passwords match unless the user has changed them. Be sure to stop and start the web server after changing authentication options.
- Apply the appropriate accounts to directory permissions:
  - /cfusion/bin/iscf.dll file: Everyone account
  - ColdFusion application pages directories: System account, Anonymous (IUSR) account, ColdFusion account
Basic Clear Text/NT Challenge Response:
- In WWW service properties, check the Basic (Clear Text) or NT Challenge/Response option (it is easier to troubleshoot if only the Basic option is checked).
- Apply the appropriate accounts to directory permissions:
  - /cfusion/bin/iscf.dll file: Everyone account
  - ColdFusion application pages directory: System account, any user or group account that should have permissions, ColdFusion account
Note:
- If NT Challenge/Response is checked on the web server authentication settings, Internet Explorer, because of its hooks into NT, will automatically authenticate users that have proper permissions.
- If any secured pages have other pages included within them by the cfinclude tag, make sure that the included pages have proper permissions set on them.
- If an Application.cfm* page is used for a secured application, be sure that it has the same permissions as the rest of the application.
*In reality, the Application.cfm page can be used to handle security for an entire application. Since it is included at the top of every page of the application, permissions need only be set on the Application.cfm file. Permissions on the other ColdFusion pages of that application can be left open to Everyone.
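The following script is an added example, not part of the original TechNote, that audits the NTFS permissions described above: it checks that each required account holds Read & Execute on iscf.dll and on the application directory (or on Application.cfm alone, if that is where security is enforced), and flags an Everyone entry on iscf.dll that grants more than read and execute. The paths, the machine name and the ColdFusion service account are assumed placeholders; adjust them to the server being checked.

```powershell
# Added example (not from the original TechNote): audit NTFS ACLs against the
# account list above. Paths and the ColdFusion service account are assumptions.
$machine   = $env:COMPUTERNAME
$cfAccount = 'NT AUTHORITY\SYSTEM'   # default: ColdFusion runs as System (Services > Startup)
$rx        = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$write     = [System.Security.AccessControl.FileSystemRights]::Write

# Required Allow entries per object, following the TechNote's configuration.
$required = @{
    'C:\cfusion\bin\iscf.dll'        = @('Everyone')
    'C:\inetpub\wwwroot\secureapp'   = @('NT AUTHORITY\SYSTEM', "$machine\IUSR_$machine", $cfAccount)
}

function Test-CfAcl {
    param([string]$Path, [string[]]$Accounts)
    $acl = Get-Acl -Path $Path
    foreach ($account in ($Accounts | Select-Object -Unique)) {
        # An ACE satisfies the requirement if it allows at least Read & Execute.
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $account -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $rx) -eq $rx)
        }
        if ($ok) { "OK      $Path : $account has Read & Execute" }
        else     { "MISSING $Path : $account lacks Read & Execute" }
    }
    # Everyone should never be able to modify the DLL that processes every page.
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $write) -ne 0)
    } | ForEach-Object { "WARN    $Path : Everyone has write access" }
}

foreach ($entry in $required.GetEnumerator()) {
    Test-CfAcl -Path $entry.Key -Accounts $entry.Value
}
```

Run it as an administrator after applying permissions and again after any change to the web server authentication options, since the NT account names used by IIS depend on the machine name.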