Server Auto-Lockdown helps administrators secure their ColdFusion server installations. Use Server Auto-Lockdown to secure your servers against vulnerabilities.

Until now, the steps needed to lock down a ColdFusion server have been manual. This document describes how to install Server Auto-Lockdown, which automates those steps.

When locking down a server manually, the steps involved are:

  • Install IIS
  • Configure IIS
  • Create user accounts
  • Set up webroot folder structure
  • Set up webroot permissions
  • Run ColdFusion installer
  • Install ColdFusion updates
  • Run webserver configuration tool (wsconfig.exe)
  • Set up file system permissions
  • Configure cf_scripts alias (Linux)
  • Change registry permissions (Windows)
  • Specify logon user for ColdFusion services
  • Configure uniworkermap.properties (Windows)
  • Lock down the /jakarta virtual directory (Windows)
  • Change ColdFusion Administrator settings

Instead, the Server Auto-Lockdown installer:

  • Performs all steps automatically
  • Provides settings summary
  • Rolls back to original configuration if the installer fails
  • Installs silently
  • Is available for all platforms (Windows and Linux)
  • Takes far less time than performing the steps manually

Before locking down a server, make sure that (among other prerequisites):

  • ColdFusion is installed and running with the Production or Production + Secure Profile
  • The web server is installed and running
  • ColdFusion Administrator has been accessed after installation

We also recommend the following:

  • Firewall is enabled
  • ColdFusion, webserver, and the webroot are present in separate directories
  • ColdFusion has the latest update installed
  • Filesystem is NTFS

Windows - IIS

Follow the steps below to install Server Auto-Lockdown.

  1. To launch the installer, double-click the setup file. To proceed, click Next and accept the license agreement.

    Introduction
  2. Verify and review the installation pre-requisites.

    Pre-requisites
  3. The installer asks for the ColdFusion installation directory. Specify the location and click Next.

    ColdFusion installation directory
  4. From the on-screen options, choose whether you wish to update ColdFusion to its latest version. Choose this option only if there is an internet connection so that you can download the latest update. If you do not have an active internet connection, specify the location of the update jar file.

    We recommend that ColdFusion be on the latest update before you start the Server Auto-Lockdown process.

    ColdFusion latest updates
  5. From the drop-down list, choose the ColdFusion instance that needs to be locked down. Run the Server Auto-Lockdown installer separately for each instance.

    The instances that have already been locked down are displayed below the Available Instances drop-down list.

    ColdFusion instance
  6. Choose the web server and click Next.

    Web server configuration - IIS
  7. For IIS, choose the website(s) to be configured with a connector to the selected instance. These websites are locked down along with the selected ColdFusion instance.

    To select multiple websites, hold Shift/Alt/Ctrl and click each website.

    Websites whose connector is already configured with the instance selected in Step 5 are pre-selected.

    Websites in IIS
  8. Verify that the Application Pool details for the selected websites are correct.

    The application pool user will be used to give appropriate permissions to your IIS webroot and connector folder in [CF_Home]\config\wsconfig\[connector number]. Make sure that the name is correct. If not, your ColdFusion applications will be inaccessible. Select a path to map to your application pool.

    To proceed, click Next.

    Application pool details
  9. Verify that the web server webroot(s) for the selected websites are correct.

    This folder must contain the webroot files, and these will be served using the connector port.

    Webroot details
  10. Enter the ColdFusion Administrator credentials. The installer uses them to make the changes to ColdFusion Administrator settings that are recommended in the Lockdown Guide.

    The port is the internal ColdFusion port, not the connector port; for example, 8500.

    The installer neither changes nor stores the password; it is used only as an input. Make sure that the port is open and that the ColdFusion instance being locked down is served on this port.

    ColdFusion Administrator credentials
  11. Provide the details of an OS administrator account. The installer needs it to make changes in the file system. This account must be an administrator on the system where the installer is running; on Windows, for example, it may be Administrator.

    The domain is either the domain in which the administrator account exists or the machine name if it is a local account.

    The installer neither changes nor stores this password. It is needed to roll back changes made to the registry and services if an error occurs during installation.

    OS Administrator account details
  12. If a user for running the ColdFusion services already exists, select Yes and enter that user's details. If not, select No and enter the details of the user to create, with the machine name as the domain name. The installer creates this local user and runs the ColdFusion services under it.

    When specifying the password, follow your organization's password policy.

    ColdFusion Runtime user
  13. Enter the shutdown port. To proceed, click Next.

    Note:

    Change the shutdown port only if the ColdFusion server being locked down is on an intranet where someone else on the network might use the shutdown port. If the machine is isolated, there is no need to change it.

    ColdFusion shutdown port
  14. Review the pre-installation summary and click Install to start the Server Auto-Lockdown.

    Pre-installation summary

Note:

After lockdown, check the installation logs in the <CF_HOME>/lockdown/<INSTANCE_TO_LOCKDOWN>/logs/ folder. The log file lists each action taken and its status.

Windows - Apache

The following installation screens are specific to Apache. The first few screens are common to both IIS and Apache.

  1. In the web server configuration step, choose Apache. Click Install.

    Choose Apache
  2. Enter the ColdFusion Administrator credentials. The installer uses them to make the changes to ColdFusion Administrator settings that are recommended in the Lockdown Guide.

    The port is the internal ColdFusion port, not the connector port; for example, 8500.

    The installer neither changes nor stores the password; it is used only as an input. Make sure that the port is open and that the ColdFusion instance being locked down is served on this port.

    ColdFusion Administrator credentials
  3. Provide the details of an OS administrator account. The installer needs it to make changes in the file system. This account must be an administrator on the system where the installer is running; on Windows, for example, it may be Administrator.

    The domain is either the domain in which the administrator account exists or the machine name if it is a local account.

    The installer neither changes nor stores this password. It is needed to roll back changes made to the registry and services if an error occurs during installation.

    OS Administrator account details
  4. If a user for running the ColdFusion services already exists, select Yes and enter that user's details. If not, select No and enter the details of the user to create, with the machine name as the domain name. The installer creates this local user and runs the ColdFusion services under it.

    When specifying the password, follow your organization's password policy.

    ColdFusion runtime user
  5. If a user for running the web server already exists, select Yes and enter that user's details. If not, select No and enter the details of the user to create, with the machine name as the domain name. The installer creates this local user and runs the Apache services under it.

    We recommend using different users for the ColdFusion and Apache services.

    Web server runtime user
  6. Specify the path to the conf directory of Apache.

    Web server conf folder
  7. Specify the path of the binary file of Apache.

    Web server binary file path
  8. Specify the path to the webroot of Apache.

    Webroot path
  9. If you want to upload files to your website, select Yes and specify the folder where these files are to be uploaded.

    By default, the option No is selected.

    File upload
  10. Enter an alias for /cf_scripts/scripts to block all calls to /cf_scripts/scripts.

    Alias for cf_scripts
  11. Enter the shutdown port. To proceed, click Next.

    Shutdown port

Linux

  1. To launch the Server Auto-Lockdown installer, double-click the setup file.

    Introduction
  2. Verify and review the pre-requisites for installation.

    Pre-requisites
  3. The installer asks for the ColdFusion installation directory. Specify the location and click Next.

    ColdFusion installation directory
  4. From the on-screen options, choose whether you wish to update ColdFusion to its latest version. Choose this option only if there is an internet connection so that you can download the latest update. If you do not have an active internet connection, specify the location of the update jar file.

    We recommend that ColdFusion be on the latest update before you start the Server Auto-Lockdown process.

    ColdFusion updates
  5. From the drop-down list, choose the ColdFusion instance that needs to be locked down. Run the Server Auto-Lockdown installer separately for each instance.

    The instances that have already been locked down are displayed below the Available Instances drop-down list.

    ColdFusion configuration
  6. Choose the web server, which in this case is Apache.

    Web server configuration
  7. Enter the ColdFusion Administrator credentials. The installer uses them to make the changes to ColdFusion Administrator settings that are recommended in the Lockdown Guide.

    The port is the internal ColdFusion port, not the connector port; for example, 8500.

    The installer neither changes nor stores the password; it is used only as an input. Make sure that the port is open and that the ColdFusion instance being locked down is served on this port.

    ColdFusion Administrator credentials
  8. Provide the details of an OS administrator account. The installer needs it to make changes in the file system. This account must be an administrator on the system where the installer is running; on Windows, for example, it may be Administrator.

    The domain is either the domain in which the administrator account exists or the machine name if it is a local account.

    The installer neither changes nor stores this password. It is needed to roll back changes made to the registry and services if an error occurs during installation.

    The password is optional in Linux.

    OS Administrator account details
  9. If a user for running the ColdFusion services already exists, select Yes and enter that user's details. If not, select No and enter the details of the user to create, with the machine name as the domain name. The installer creates this local user and runs the ColdFusion services under it.

    When specifying the password, follow your organization's password policy.

    The password is optional in Linux.

    ColdFusion runtime user
  10. If a user for running the web server already exists, select Yes and enter that user's details. If not, select No and enter the details of the user to create, with the machine name as the domain name. The installer creates this local user and runs the web server under it.

    When specifying the password, follow your organization's password policy.

    The password is optional in Linux.

    Web server runtime user
  11. Specify the path to the conf directory of Apache.

    Web server conf directory
  12. Specify the path of the binary file of Apache.

    Web server binary file path
  13. Specify the path to the Apache webroot.

    Web server webroot path
  14. If you want to upload files to your website, select Yes and specify the folder where these files are to be uploaded.

    File upload
  15. To restrict calls to /cf_scripts/scripts, enter an alias for the location.

    Alias for cf_scripts
  16. Enter the shutdown port. To proceed, click Next.

    Shutdown port

Silent installation of Server Auto-Lockdown

Linux - Apache

# Silent Properties file for Adobe ColdFusion Server Auto-Lockdown Installer
# Web Server : Apache
# Platform : Linux

INSTALLER_UI=SILENT

#Enter the directory where ColdFusion is installed. Ex: /opt/coldfusion2018.
SILENT_CF_SERVER_LOCATION=

#The Web Server Apache is selected for configuring the connector in ColdFusion.
#Apache will also be locked down along with ColdFusion.
SERVER_APACHE=1
SERVER_IIS=0

#ColdFusion Server instance intended for Lockdown Ex:cfusion
APP_SERVER_INSTANCE=

#Update ColdFusion to the latest update. Allowed : 1, if you want to update ColdFusion, 0 if not.
UPDATE_CF_TRUE=1

#Allowed : 1 for Automatic Update, 0 for Manually updating ColdFusion
AUTO_UPDATE_CF_TRUE=1

#If auto-update is false, provide the path where hotfix.jar is present. Give full path.
HF_UPDATE_JAR_PATH=

#Apache Windows

#ColdFusion Configuration
#Enter the ColdFusion Administrator credentials and the built-in Web Server port.
CF_ADMIN_USERNAME=
CF_ADMIN_PASSWORD=
CF_ADMIN_PORT=

#OS Administrator Account Details.
#Enter the user account details of the OS administrator. 
SYSTEM_ADMIN_USER=
SYSTEM_ADMIN_PWD=
SYSTEM_ADMIN_DOMAIN=

# Allowed: 1 if you have a user already created for running CF Services, 0 otherwise.
USER_CF_SERVICE_TRUE=

# Details for User for configuring ColdFusion services and file system permissions. If not existing, a user will be created
CF_USER_UNAME=
CF_USER_PWD=
CF_USER_GRP=

# Enter the user account to run Web Server with, post lockdown.
#The user account will be granted file system permissions to the ColdFusion connector directories and the Web Server webroot(s)/document root.
# 1 if you have a user created for running Apache Services, 0 otherwise.
APACHE_DEFAULT_USER_TRUE=
APACHE_DEFAULT_USERNAME=apache
APACHE_DEFAULT_GROUP=
APACHE_DEFAULT_PASSWORD=

#Enter the conf directory path of the Web Server.
#This folder must contain the httpd.conf or apache2.conf file. Ex: /etc/apache2
WEBSERVER_CONF_DIR=


#Enter the binary file path of the Web Server. Ex: /usr/sbin/apache2
APACHE_BIN_FILE_PATH=

#Enter the webroot path of the Web Server. 
#The required file system permissions will be granted to this folder. Ex: /var/www/html
WEBROOT_PATH=

#If you want to upload files to your website, specify the path of the folder where these files are to be placed. 
#This folder will also be granted write permissions.
#Allowed: 1 if you want files to be uploaded through your website, 0 otherwise
USER_FILE_UPLOAD_TRUE=
USER_FILE_UPLOAD_PATH=

#Enter an alias for /cf_scripts/scripts to block all calls to /cf_scripts/scripts.
CF_SCRIPTS_ALIAS=

#Allowed: 1 if you want to change the shutdown port, 0 otherwise
CHANGE_SHUTDOWN_PORT_TRUE=1

# New shutdown port number
SHUTDOWN_PORT_NEW=

Windows - Apache

# Silent Properties file for Adobe ColdFusion Server Auto-Lockdown Installer
# Web Server : Apache
# Platform : Windows(All)

INSTALLER_UI=SILENT

#Enter the directory where ColdFusion is installed. Ex: C:\\ColdFusion2018.
SILENT_CF_SERVER_LOCATION=C:\\ColdFusion2018

#The Web Server Apache is selected for configuring the connector in ColdFusion.
#Apache will also be locked down along with ColdFusion.
SERVER_APACHE=1
SERVER_IIS=0

#ColdFusion Server instance intended for Lockdown Ex:cfusion
APP_SERVER_INSTANCE=

#Update ColdFusion to the latest update. Allowed : 1, if you want to update ColdFusion, 0 if not.
UPDATE_CF_TRUE=1

#Allowed : 1 for Automatic Update, 0 for Manually updating ColdFusion
AUTO_UPDATE_CF_TRUE=1

#If auto-update is false, provide the path where hotfix.jar is present. Give full path.
HF_UPDATE_JAR_PATH=

#Apache Windows

#ColdFusion Configuration
#Enter the ColdFusion Administrator credentials and the built-in Web Server port.
CF_ADMIN_USERNAME=
CF_ADMIN_PASSWORD=
CF_ADMIN_PORT=

#OS Administrator Account Details.
#Enter the user account details of the OS administrator. 
SYSTEM_ADMIN_USER=
SYSTEM_ADMIN_PWD=
SYSTEM_ADMIN_DOMAIN=

# Allowed: 1 if you have a user already created for running CF Services, 0 otherwise.
USER_CF_SERVICE_TRUE=

# Details for User for configuring ColdFusion services and file system permissions. If not existing, a user will be created
CF_USER_UNAME=
CF_USER_PWD=
CF_USER_GRP=

# Enter the user account to run Web Server with, post lockdown.
#The user account will be granted file system permissions to the ColdFusion connector directories and the Web Server webroot(s)/document root.
# 1 if you have a user created for running Apache Services, 0 otherwise.
APACHE_DEFAULT_USER_TRUE=
APACHE_DEFAULT_USERNAME=apache
APACHE_DEFAULT_GROUP=
APACHE_DEFAULT_PASSWORD=

#Enter the conf directory path of the Web Server.
#This folder must contain the httpd.conf or apache2.conf file. Ex: C:\Apache24\conf
WEBSERVER_CONF_DIR=


#Enter the binary file path of the Web Server. Ex: C:\Apache24\bin\httpd.exe
APACHE_BIN_FILE_PATH=

#Enter the webroot path of the Web Server. 
#The required file system permissions will be granted to this folder. Ex: C:\Apache24\htdocs
WEBROOT_PATH=

#If you want to upload files to your website, specify the path of the folder where these files are to be placed. 
#This folder will also be granted write permissions.
#Allowed: 1 if you want files to be uploaded through your website, 0 otherwise
USER_FILE_UPLOAD_TRUE=
USER_FILE_UPLOAD_PATH=

#Enter an alias for /cf_scripts/scripts to block all calls to /cf_scripts/scripts.
CF_SCRIPTS_ALIAS=

#Allowed: 1 if you want to change the shutdown port, 0 otherwise
CHANGE_SHUTDOWN_PORT_TRUE=1

# New shutdown port number
SHUTDOWN_PORT_NEW=

Windows - IIS

# Silent Properties file for Adobe ColdFusion Server Auto-Lockdown Installer
# Web Server : IIS
# Platform : Windows(All)

INSTALLER_UI=SILENT

#Enter the directory where ColdFusion is installed. Ex: C:\\ColdFusion2018.
SILENT_CF_SERVER_LOCATION=

#The Web Server IIS is selected for configuring the connector in ColdFusion.
#The IIS website(s) will also be locked down along with ColdFusion.
SERVER_IIS=1
SERVER_APACHE=0

#ColdFusion Server instance intended for Lockdown Ex:cfusion
APP_SERVER_INSTANCE=

#Enter the IIS Website(s) you are planning to Lockdown(comma separated). Ex: site1,site2
SILENT_WEBSITES_TO_LOCKDOWN=

#Application Pool(s) for chosen website(s) (comma separated). Ex: site1AppPool,site2AppPool
SILENT_APP_POOL_IIS_WEBSITES=

#Webroot(s) folder for chosen website in IIS (comma separated) Ex: C:\inetpub\site1,C:\inetpub\site2
SILENT_WEBROOT_IIS_WEBSITES=

#Update ColdFusion to the latest update. Allowed : 1, if you want to update ColdFusion, 0 if not.
UPDATE_CF_TRUE=1

#Allowed : 1 for Automatic Update, 0 for Manually updating ColdFusion
AUTO_UPDATE_CF_TRUE=1

#If auto-update is false, provide the path where hotfix.jar is present. Give full path.
HF_UPDATE_JAR_PATH=

#ColdFusion Configuration
#Enter the ColdFusion Administrator credentials and the built-in Web Server port.
CF_ADMIN_USERNAME=
CF_ADMIN_PASSWORD=
CF_ADMIN_PORT=

#OS Administrator Account Details.
#Enter the user account details of the OS administrator. 
SYSTEM_ADMIN_USER=
SYSTEM_ADMIN_PWD=
SYSTEM_ADMIN_DOMAIN=

# Allowed: 1 if you have a user already created for running CF Services, 0 otherwise.
USER_CF_SERVICE_TRUE=1

#Enter the user account to run ColdFusion with, post lockdown. 
#The user account will be granted file system permissions to ColdFusion and the Web Server webroot(s)/document root.
CF_USER_UNAME=
CF_USER_DOMAIN=
CF_USER_PWD=

# Allowed: 1 if you want to change the shutdown port, 0 otherwise
CHANGE_SHUTDOWN_PORT_TRUE=1

# New shutdown port number
SHUTDOWN_PORT_NEW=
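The three install properties files above (Linux - Apache, Windows - Apache, Windows - IIS) share one key=value format, and a wrong or inconsistent value is otherwise only discovered when the unattended installer runs or rolls back. The following Python script is an added example, not part of Adobe's installer: it parses such a file and reports the inconsistencies worth catching before the run (empty mandatory values, flags that are not 0/1, both or neither web server selected, a manual update with no hotfix jar path, IIS website/app-pool/webroot lists of unequal length, and a missing cf_scripts alias for Apache). The key names are those shown on this page; the sample file, its host name and its passwords are constructed.

```python
"""Pre-flight check for a Server Auto-Lockdown silent properties file. Added example, not
part of Adobe's installer; it only understands the key=value format shown on this page."""

REQUIRED = ("INSTALLER_UI", "SILENT_CF_SERVER_LOCATION", "APP_SERVER_INSTANCE",
            "CF_ADMIN_USERNAME", "CF_ADMIN_PASSWORD", "CF_ADMIN_PORT",
            "SYSTEM_ADMIN_USER", "SYSTEM_ADMIN_DOMAIN", "CF_USER_UNAME")
FLAGS = ("SERVER_APACHE", "SERVER_IIS", "UPDATE_CF_TRUE", "AUTO_UPDATE_CF_TRUE",
         "USER_CF_SERVICE_TRUE", "CHANGE_SHUTDOWN_PORT_TRUE")
IIS_LISTS = ("SILENT_WEBSITES_TO_LOCKDOWN", "SILENT_APP_POOL_IIS_WEBSITES",
             "SILENT_WEBROOT_IIS_WEBSITES")

def parse_properties(text):
    """Parse key=value lines; '#' comments and blank lines are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def check_properties(props):
    """Return a list of findings; an empty list means the file is internally consistent."""
    findings = []
    if props.get("INSTALLER_UI") != "SILENT":
        findings.append("INSTALLER_UI must be SILENT for an unattended run")
    findings += [f"{k} is empty" for k in REQUIRED if not props.get(k)]
    findings += [f"{k} must be 0 or 1" for k in FLAGS if props.get(k, "0") not in ("0", "1")]
    apache, iis = props.get("SERVER_APACHE") == "1", props.get("SERVER_IIS") == "1"
    if apache == iis:
        findings.append("exactly one of SERVER_APACHE / SERVER_IIS must be 1")
    if (props.get("UPDATE_CF_TRUE") == "1" and props.get("AUTO_UPDATE_CF_TRUE") == "0"
            and not props.get("HF_UPDATE_JAR_PATH")):
        findings.append("manual update chosen but HF_UPDATE_JAR_PATH is empty")
    if iis:
        # Website, application pool and webroot lists are matched by position,
        # so they must be non-empty and of equal length.
        counts = [len([x for x in props.get(k, "").split(",") if x.strip()]) for k in IIS_LISTS]
        if counts[0] == 0 or len(set(counts)) != 1:
            findings.append("IIS website, app pool and webroot lists must be equal in length")
    if apache and not props.get("CF_SCRIPTS_ALIAS"):
        findings.append("CF_SCRIPTS_ALIAS is empty, so calls to /cf_scripts/scripts are not blocked")
    return findings

# Constructed sample (Windows / IIS) with two deliberate mistakes; passwords are dummies.
SAMPLE = r"""INSTALLER_UI=SILENT
SILENT_CF_SERVER_LOCATION=C:\\ColdFusion2018
SERVER_IIS=1
SERVER_APACHE=0
APP_SERVER_INSTANCE=cfusion
SILENT_WEBSITES_TO_LOCKDOWN=site1,site2
SILENT_APP_POOL_IIS_WEBSITES=site1AppPool
SILENT_WEBROOT_IIS_WEBSITES=C:\inetpub\site1,C:\inetpub\site2
UPDATE_CF_TRUE=1
AUTO_UPDATE_CF_TRUE=0
HF_UPDATE_JAR_PATH=
CF_ADMIN_USERNAME=admin
CF_ADMIN_PASSWORD=dummy-admin-password
CF_ADMIN_PORT=8500
SYSTEM_ADMIN_USER=Administrator
SYSTEM_ADMIN_DOMAIN=CFHOST
USER_CF_SERVICE_TRUE=0
CF_USER_UNAME=cfrun
CHANGE_SHUTDOWN_PORT_TRUE=0
"""

if __name__ == "__main__":
    print("\n".join(check_properties(parse_properties(SAMPLE))) or "no findings")
```

Run against a real file with `check_properties(parse_properties(open(path).read()))`; for the Apache files the same checks apply, and the alias check only fires when SERVER_APACHE=1.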

Windows - IIS - Uninstall properties

# Silent Properties file for Adobe ColdFusion Server Auto-Lockdown Installer
# Web Server : IIS
# Platform : Windows(All)

INSTALLER_UI=SILENT

# Enter the details for the user account that was used to configure ColdFusion during lockdown. 
# In case the user was created during the server lockdown, the user account will be deleted.
CF_USER_UNAME_OLD=
CF_USER_PWD_OLD=
CF_USER_DOMAIN_OLD=

# Enter the user account to run ColdFusion with post uninstallation of lockdown. 
# The given user must already exist in the system.
CF_USER_UNAME=
CF_USER_PWD=
CF_USER_DOMAIN=

# Enter the username, password and internal webserver port for the ColdFusion Administrator. 
# Any changes made to ColdFusion during lockdown will be reverted using these credentials.
CF_ADMIN_USERNAME=
CF_ADMIN_PASSWORD=
CF_ADMIN_PORT=

Apache - Uninstall properties

# Silent Properties file for Adobe ColdFusion Server Auto-Lockdown Installer
# Web Server : Apache
# Platform : Windows, Solaris, Linux

INSTALLER_UI=SILENT

# Enter the details for the user account that was used to configure ColdFusion during auto-lockdown. 
# In case the user was created during the server auto-lockdown, the user account will be deleted.
CF_USER_UNAME_OLD=
CF_USER_PWD_OLD=
CF_USER_DOMAIN_OLD=

# Enter the OS user account to run ColdFusion with post uninstallation of auto-lockdown. 
# The given user must already exist in the system.
CF_USER_UNAME=
CF_USER_PWD=
CF_USER_DOMAIN=

# Enter the username, password, and internal webserver port for the ColdFusion Administrator. 
# Any changes made to ColdFusion during lockdown will be reverted using these credentials.
CF_ADMIN_USERNAME=
CF_ADMIN_PASSWORD=
CF_ADMIN_PORT=

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
