May 21, 2013
Applying Updates on a Locked down ColdFusion 10 Server

Note: This is valid from Hotfix 9 onwards.

Depending on the user account you used to lock down your server, you may need the few additional steps below to grant the permissions required to apply updates from the ColdFusion Administrator.

A hotfix needs two things in order to be installed properly from the ColdFusion Administrator.

The user configured for the ColdFusion service must be permitted to start and stop the service. How to set this up is explained below.

Setting up the ColdFusion Service user:

Download and install the Windows tool SubInACL.exe (the installer is named SubInACL.msi), which is used to grant service start/stop permissions, from

http://www.microsoft.com/en-us/download/confirmation.aspx?id=23510

Once you install it, the tool subinacl.exe is placed under

C:\Program Files (x86)\Windows Resource Kits\Tools

Then run the tool from a command prompt as follows, replacing <MachineName> and <username> with your machine name and username.

a) For a local user of the machine

C:\Program Files (x86)\Windows Resource Kits\Tools>subinacl.exe /service "\\<MachineName>\ColdFusion 10 Application Server" /grant=<username>=TO

b) If the user is a domain user, replace <Domainname> as well as <MachineName> and <username> in the following command.

C:\Program Files (x86)\Windows Resource Kits\Tools>subinacl.exe /service "\\<MachineName>\ColdFusion 10 Application Server" /grant=<Domainname>\<username>=TO

More details on this are explained in the resource below.

http://support.microsoft.com/default.aspx?scid=kb;en-us;288129

This is a one-time setup that you have to do.

Once this is done, restart the ColdFusion service, open the ColdFusion Administrator and choose Apply Update. You should now be able to apply the hotfix successfully.
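The same grant step, scripted and verified, as an added example that is not code from the original post or from Adobe: it assumes PowerShell on the ColdFusion server, the subinacl.exe path given above, and a service account named cfservice (an assumed name; substitute your own). After running SubInACL it reads the service's security descriptor back with sc.exe sdshow and checks that the account's ACE carries start (RP) and stop (WP) rights, so a failed or misdirected grant is caught before you try the update.

```powershell
# Added example (not from the original post): grant the ColdFusion service
# account start/stop rights with SubInACL, then verify the result by reading the
# service security descriptor with sc.exe sdshow. Account name is an assumption.
param(
    [string]$DisplayName = 'ColdFusion 10 Application Server',
    [string]$Account     = "$env:COMPUTERNAME\cfservice",   # assumed service account
    [string]$SubInAcl    = 'C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe'
)

$svc = Get-Service -DisplayName $DisplayName -ErrorAction Stop   # key name for sc.exe
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Returns the rights string of the account's allow ACE in the service's SDDL,
# or $null if the account has no allow ACE at all.
function Get-ServiceAceRights([string]$Name, [string]$Sid) {
    $sddl = (& sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
    if ($sddl -match "\(A;[^;]*;([^;]*);[^;]*;[^;]*;$Sid\)") { return $Matches[1] }
    return $null
}

Write-Host "Before: $(Get-ServiceAceRights $svc.Name $sid)"

# TO = sTart + stOp: the rights the Administrator's update page needs, because
# applying a hotfix stops and restarts the service.
& $SubInAcl /service "\\$env:COMPUTERNAME\$($svc.Name)" "/grant=$Account=TO"
if ($LASTEXITCODE -ne 0) { throw "subinacl failed with exit code $LASTEXITCODE" }

# In service SDDL, RP = SERVICE_START and WP = SERVICE_STOP.
$rights = Get-ServiceAceRights $svc.Name $sid
if ($rights -and $rights.Contains('RP') -and $rights.Contains('WP')) {
    Write-Host "OK: $Account may start/stop '$DisplayName' (ACE rights: $rights)"
} else {
    throw "Start/stop rights not found for $Account (ACE rights: $rights)"
}

# The post's next step: restart the service before applying the update.
Restart-Service -Name $svc.Name
```

Run it from an elevated prompt; the "Before" line shows whether the account already had an ACE, and the final check fails loudly if SubInACL granted rights to a different principal than intended.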


9 Comments
2016-05-11 20:51:30

ColdFusion 11’s Hotfix 8 and ColdFusion 2016’s Hotfix 1 contains the fix to take care of directory permissions even when lockdown is applied.
While the hotfix is applied, permissions would be changed by the hotfix installer and are restored back after the hotfix installation which were set as per the lockdown guide.
Service account permissions, you still have to take care as it can be set only by the admin account.

2015-05-15 06:08:09

Another disappointment… A user posted a question on StackOverflow as to why he could not update his ColdFusion installation after performing the lock down steps. He found out that the ColdFusion administrator’s update page relies on the /CFIDE/scripts directory to function (a-la the cfform tag). Since the lock down guide suggests denying any requests to that URI the update page was failing. He had to allow access in order to use the update feature. Here is a link to the post: http://stackoverflow.com/q/30205018/1636917

This is not good! The update feature should not require exposing that URI. This should be changed. The user was on ColdFusion 11.

2014-10-16 04:42:34

@Krishna please make sure that this information is included in the Adobe ColdFusion lock down guides. I am referring to the current ones, not only future ones. They need to be updated.

2014-05-26 01:58:24

Hi Krishna,

This blog post has been helpful – thanks!

Note to others: don’t do these steps on Windows:

1) install CF per Lockdown Guide
2) install latest CF update per Lockdown Guide
3) change CF service user per Lockdown Guide
4) uninstall latest CF update via CF Admin
5) See CF won’t start anymore =P (maybe CF should handle this scenario more gracefully..)

Note: I intentionally did step #4, before running SubInACL.exe, just to see what would happen.

Suggestion: Maybe the Lockdown Guide should mention SubInACL.exe?

@Debbie Folks-Huber, FWIW I’ve verified SubInACL.exe is necessary/works on Windows Server 2012 R2

Thanks!,
-Aaron

2014-03-03 15:05:54

I have applied the above directions, but SubInACL.exe applies to Windows Server 2003 and earlier. What about Windows Server 2008 R2? I have not been able to get the updates to apply.

2013-05-24 03:18:58

Thanks much for the feedback Henry.
Security lock down guide mentions about the “detailed permission structure for the ColdFusion installation directory” for be able to apply Hot fixes. And here in this blog we are trying to tell you those particulars. Secondly, the permissions mentioned are only for the service account user.
I believe this is not negation of lock down guide but it is elaboration.

Many of these things depend on the end-user’s environment.
However, as you suggested, where ever possible we will improve to have them
in-built possibly in the installer.

Thanks,
Krishna

2013-05-23 04:54:14

I have to say, this just isn’t a very good solution is it?! Yet again I’m left disappointed…

There are very frequent security updates, I’m not sure if that’s a good or bad thing. I’d like there to be no patches needed because it was solid first time eh.

But to then have a lockdown guide that if you follow it, breaks your ability to upload future security patches – isn’t really so secure. I just wish it was a bit better.

You talk about roadmaps and new features and things, and honestly I can’t think of anything needed. There’s been a lot of talk about this already, but we don’t need anything new – we need what we have to be inherently secure out the box, and for vulnerabilities to be banished. Then CF would be great – right now it doesn’t inspire confidence.

2013-05-22 07:17:28

Thank you for posting this .. always had to set back to regular computer account every time I wanted to apply a patch.
