Security Best Practice: Securing the ColdFusion Administrator

ColdFusion provides both Basic and Advanced Security facilities to secure the ColdFusion Administrator against unauthorized use. However, Macromedia strongly recommends that site administrators secure access to the ColdFusion Administrator at the file level as well by either:

  • Securing the ColdFusion Administrator directory (/CFIDE/Administrator) using standard Web Server and operating system file system security, or
  • Removing the /CFIDE/Administrator directory from the web server when the ColdFusion Administrator is not in use.

Refer to the Developer Center article Configuring ColdFusion MX 7 Server Security for additional recommendations and best practices for securing ColdFusion MX 7 running on IIS 6.0 servers.

Note that access to the remaining directories under the /CFIDE directory tree should generally be permitted. It is required if any ColdFusion templates on the server make use of cfform tags, client-side validation, client-side Java controls, etc.:

/CFIDE/Classes

/CFIDE/Main

/CFIDE/Scripts

These directories contain Java and JavaScript support files used by the various tags in ColdFusion.
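An added example, not part of the original technote or any Macromedia tooling: a small audit that checks a web root against the two recommendations above and confirms the support directories are still in place. It assumes a POSIX host where file mode bits stand in for "operating system file system security" (the "other" permission class is treated as the exposure), matches directory names case-insensitively because the on-disk casing may differ from the URL path, and uses a constructed temporary directory as sample input.

```python
import os
import stat
import tempfile

SUPPORT_DIRS = ("Classes", "Main", "Scripts")  # must stay reachable per the note


def _find_ci(parent, name):
    """Return the sub-directory `name` of `parent`, matched case-insensitively."""
    if not parent or not os.path.isdir(parent):
        return None
    for entry in os.listdir(parent):
        path = os.path.join(parent, entry)
        if entry.lower() == name.lower() and os.path.isdir(path):
            return path
    return None


def audit_cfide(webroot):
    """Classify /CFIDE/Administrator and the support directories under webroot."""
    report = {}
    cfide = _find_ci(webroot, "CFIDE")
    admin = _find_ci(cfide, "Administrator")
    if admin is None:
        report["Administrator"] = "removed"
    elif stat.S_IMODE(os.stat(admin).st_mode) & stat.S_IRWXO:
        # Assumption: any "other" permission bit means the directory is not locked down.
        report["Administrator"] = "present, open to all local accounts"
    else:
        report["Administrator"] = "present, restricted by file mode"
    for name in SUPPORT_DIRS:
        path = _find_ci(cfide, name)
        readable = bool(path) and os.access(path, os.R_OK | os.X_OK)
        report[name] = "ok" if readable else "missing or unreadable"
    return report


def demo():
    """Constructed web root: lower-case admin directory, Scripts directory missing."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("administrator", "Classes", "Main"):
            os.makedirs(os.path.join(root, "CFIDE", sub))
        admin = os.path.join(root, "CFIDE", "administrator")
        os.chmod(admin, 0o755)          # world-readable: flagged
        before = audit_cfide(root)
        os.chmod(admin, 0o750)          # owner/group only: accepted
        after = audit_cfide(root)
    return before, after


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A "restricted by file mode" result only covers the file-system half of the recommendation; web server access rules for the directory still have to be reviewed separately.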

Macromedia is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with a Macromedia product, please send an email to secure@macromedia.com. We will work to appropriately address and communicate the issue.

For additional information on security issues at Macromedia, please visit: www.macromedia.com/security.

Doc ID: tn_17254

Last updated: 2007-06-05