This article describes how to configure the ColdFusion Application Server services to run under a specific non-administrator user account on Windows and Unix and also includes what permissions are needed on what files/directories for a standard install of ColdFusion on Windows. This may be important for implementing ColdFusion Advanced Security (version 5 or earlier only) or giving ColdFusion Server execute privileges on a specific directory. This TechNote applies to Windows NT/2000/XP/2003 and Unix-based environments and assumes that you have chosen the default ColdFusion installation directory.

Note: On Windows NT/2000/XP/2003, using Sandbox security in versions 5 and earlier requires that the ColdFusion Application Service must be running under the System account. The steps in this TechNote cannot be used if Sandbox security is implemented.

To change the account ColdFusion Server runs under, use the following instructions.

Windows NT:

  1. In User Manager for Domains, create a local user for the ColdFusion services to log in as.
  2. Select the Start menu > Settings > Control Panel > Services.
  3. Highlight the ColdFusion Application Server service and click Startup.
  4. Choose the "This account" radio button and browse for the user account you created.

    Enter the password for the account you created. ColdFusion Server will only function with the correct password in the "password" list box.
  5. Add the user account that ColdFusion is running under. This account should have "Full Control" permissions for the following items:

    • WebDocument Directory
    • c:\cfusion or c:\cfusionmx (and all subdirectories)
    • c:\winnt
    • c:\winnt\system32
  6. Click Start on your Windows NT menu, click Run, and type Regedt32. Click Enter.
  7. Navigate to the following key:

    /HKEY_LOCAL_MACHINE/SOFTWARE/
  8. Click Security in the menu, and select Permissions.
  9. Add the newly created ColdFusion user and give that user full control of the registry key. Click the checkbox to replace the permission on existing subkeys.



    Important note for ColdFusion 5 and earlier: If you are using Advanced Security, repeat step 3 for the ODBC and Netegrity keys (and existing subkeys). The ODBC and Netegrity keys are also found under the following hive:



    /HKEY_LOCAL_MACHINE/SOFTWARE/.



    Warning: Please keep in mind that that the user granted permissions to this particular registry key now has full access permissions to all registry entries below this key. This can be a security concern. Consult your IT department guidelines to decide on the best security practice.
  10. Reboot.

Windows 2000/XP/2003:

  1. In User Manager for Domains, create a local user for the ColdFusion service to log in as.
  2. Select the Start menu > Settings > Control Panel > Administrative Tasks > Services.
  3. Highlight the ColdFusion Application Server service, right click on it and select Properties.
  4. Under the Log On tab, choose the "This Account" radio button and browse for the user account you created.



    Enter the password for the account you created. ColdFusion will only function with the correct password in the "password" list box.
  5. Add the user account that ColdFusion Server is running under. This account should have "Full Control" permissions for the following items:

    • WebDocument Directory
    • c:\cfusion or c:\cfusionmx (and all subdirectories)
    • c:\winnt or c:\windows
    • c:\winnt\system32 or c:\windows\system32
  6. Click Start on your Windows NT menu, click Run, and type Regedt32. Click Enter.
  7. Navigate to the following key:



    /HKEY_LOCAL_MACHINE/SOFTWARE/
  8. Click Security in the menu, and select Permissions.
  9. Add the newly created ColdFusion user and give that user full control of the registry key. Click the checkbox to replace the permission on existing subkeys.



    Important note for ColdFusion 5 and earlier: If you are using Advanced Security, repeat step 3 for the ODBC and Netegrity keys (and existing subkeys). The ODBC and Netegrity keys are also found under the following hive:



    /HKEY_LOCAL_MACHINE/SOFTWARE/.



    Warning: Please keep in mind that that the user granted permissions to this particular registry key now has full access permissions to all registry entries below this key. This can be a security concern. Consult your IT department guidelines to decide on the best security practice.
  10. Reboot.

In general, if you are having a permissions issue on a server, check the details below for what ColdFusion permissions are needed and where. If permissions are changed, restart the ColdFusion Application Server service and web server service (typically World Wide Web Publishing for IIS) in the Services panel. If the issue is not resolved and you can not access a certain page, reboot the whole server to ensure that any files that may be cached in memory with the old permissions are recycled.

Windows Permissions Summary:

  • System Account - The system account should be added to file permissions to give the web server access to the directory for the web root of the web site(s) as well as the CFusionmx\cfusion install directory. It should be given read and execute permissions.
  • ColdFusion Account - The account under which ColdFusion is running should be added to file permissions to give the web server access to the directory for the web root of the web site(s) as well as the CFusionmx\cfusion install directory. It should be given read and execute permissions. By default it is the system account. To check this account go to the Services Control Panel, highlight the ColdFusion service and click Startup.
  • The Anonymous User Account (IUSR_machinename) - The anonymous user account is used for anonymous access on the IIS web server. This user needs to be added to all files or directories to which anonymous logon is desired. It should be given read and execute permissions.
  • Any user or group which should have access to a ColdFusion template directory or file. It should be given read and execute permissions.
  • In addition to ColdFusion template directories, thecf_root\runtime\lib\wsconfig\1\jrun.dll (ColdFusion MX 6.1) or cf_root\bin\iscf.dll (ColdFusion 5 and earlier, with IIS) must also have proper permissions placed on it. Note: the "1" in the directory path above may differ depending on how many times you have run the connector or if you have ColdFusion configured with more than one web server. Since all users must have access to jrun.dll or iscf.dll to process a ColdFusion page, it is generally easiest to assign the Everyone group to jrun.dll or iscf.dll.

Unix-based Systems (Solaris, Linux and HP-UX):

  1. Stop the ColdFusion Server processes.
  2. Rerun the installer, entering your preferred new account during the reinstall (the account must be created prior to rerunning the installer).



    This will adjust permissions on the ColdFusion program files as necessary, and allow the new user to run with the appropriate permissions. All other settings in your original installation are left intact.
  3. Restart the ColdFusion processes.



    Typically, if you have stopped the ColdFusion Server processes, the system will restart the processes.

Additional Information

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy