July 12, 2018
Server Auto-Lockdown

Introduction

With the 2018 release of ColdFusion, we have introduced support for Server Auto-Lockdown.

Before going into the details, let's understand what Server Auto-Lockdown is.

What is Server Auto-Lockdown?

Server Auto-Lockdown is based on the Lockdown Guide prepared by Pete Freitag to help server administrators secure ColdFusion installations.

The installer guides you through changing permissions and settings on the system so that the ColdFusion installation is hardened. The changes fall into four groups:

  1. Set OS-level file system permissions
  2. Change registry permissions (Windows)
  3. Configure the web server
  4. Change a few ColdFusion Administrator settings

Why Server Auto-Lockdown?

With the number of intrusions seen every day across organizations of every size, from startups to federal agencies and even nuclear installations, it is obvious why a secure infrastructure is of paramount importance to any organization.

The lockdown guide was written to keep a compromise of a ColdFusion application from turning into a takeover of the entire server.

While the lockdown guide does its job as expected, applying it is manual and time-consuming. The entire process:

  1. Involves more than 50 steps
  2. Takes 4-5 hours for one successful lockdown of a server
  3. Is error-prone, since each step must be performed with utmost precision
  4. Has no fallback. If anything goes wrong anywhere, it is advised to start over so as not to leave behind a partially applied, and therefore still vulnerable, configuration
  5. Must be repeated for every server. If there are multiple ColdFusion servers in the organization, all 50 steps need to be performed on each of them separately, with all the pitfalls mentioned above

This motivated us to develop Server Auto-Lockdown. Server Auto-Lockdown:

  1. Performs all 50 steps automatically
  2. Provides a settings summary
  3. Rolls back to the original configuration if the installer fails
  4. Can be installed silently
  5. Is being made available for all supported platforms (see the availability note below)
  6. Takes 4-5 minutes instead of the 4-5 hours needed to perform the steps manually
  7. Provides an uninstaller to revert all settings to their initial state
  8. Provides logs that show each change made to the system during installation

How does Server Auto-Lockdown work?

We have prepared a separate installer for lockdown. It takes a set of inputs that are required to lock down your ColdFusion server.

The installer must be run with administrative privileges (as Administrator on Windows) after ColdFusion has been installed successfully.

The inputs to the installer are used to change the permissions and configurations described in the Lockdown Guide.

Server Auto-Lockdown installers are currently available for Windows with IIS, Windows with Apache and Linux with Apache. Installers for Mac and Solaris will follow in a couple of months.

Installation Steps

The installation steps are described in the Server Auto-Lockdown documentation at:

https://helpx.adobe.com/coldfusion/using/server-lockdown.html

Review each step carefully before proceeding with the installation. A wrong input can render your ColdFusion installation unusable, so try the installer on a test server that mirrors production before running it on production systems.

How to check if the installation was successful

There are a few things you can check to see whether the auto-lockdown of your server was successful:

  1. Check the installer logs. They must not show any errors.
  2. Check the custom logs created in the same folder as the installer log. The bottom of the log must show either:
    1. Successfully locked down ColdFusion
    2. Successfully locked down Apache server
  3. Check the file system permissions on the website roots, the ColdFusion instance directory and the connector's magic folders. They must have changed to the user-defined permissions given as input to the lockdown installer.
  4. Check that the ColdFusion services/processes are running as the user given as input to the lockdown installer.
  5. Check that the /cf_scripts/scripts path has changed in the virtual directory configuration for IIS/Apache and in the ColdFusion Administrator.

My installation has rolled back

If you see any of the lines shown below in the custom log created by the installer, the lockdown failed and its changes were rolled back:

  1. Rolling back any changes made during lockdown!
  2. Rolling back the changes because of Lockdown failure
  3. A non-fatal exception at the bottom of the custom log

In this case, identify the step at which the lockdown failed. The step is recorded in the log, just above the lines mentioned. Fix whatever that step reports and run the lockdown again. If the issue persists, contact ColdFusion support for help.
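The success checks listed above and the rollback triage in this section can be scripted. The following is an added example for a Linux/Apache host; it is not part of Adobe's tool or of this post. It assumes the custom log carries the marker strings quoted above, that the connector exposes the scripts path through an Apache Alias directive, and that a generic "exception" match is an acceptable stand-in for the third rollback indicator. The log lines, paths and config snippets in demo_fixture() are constructed for illustration, not taken from a real installation.

```shell
#!/usr/bin/env bash
# Post-lockdown verification helpers for a Linux/Apache ColdFusion host.
# Added example for this post, not Adobe's installer or its logs.
# The success and rollback marker strings are the ones quoted in the post;
# the "exception" match, the Alias directive and everything in demo_fixture()
# (paths, user names, log lines) are constructed assumptions for illustration.

# Classify a lockdown custom log by its final lines.
# Prints success | rolled_back | unknown and exits 0 | 1 | 2 respectively.
# Rollback markers are checked first so a log that rolled back is never
# reported as a success because of an earlier success line.
classify_lockdown_log() {
  local log="$1" tail_text
  tail_text=$(tail -n 20 "$log")
  if printf '%s\n' "$tail_text" | grep -qE 'Rolling back any changes made during lockdown!|Rolling back the changes because of Lockdown failure' \
     || printf '%s\n' "$tail_text" | grep -qi 'exception'; then
    echo rolled_back; return 1
  fi
  if printf '%s\n' "$tail_text" | grep -qE 'Successfully locked down (ColdFusion|Apache server)'; then
    echo success; return 0
  fi
  echo unknown; return 2
}

# Print the log line immediately above the first rollback marker,
# which the post says identifies the step that failed.
failing_step() {
  grep -m1 -B1 -E 'Rolling back' "$1" | head -n 1
}

# List every path under $1 whose owner is not $2 (name or numeric uid);
# exit 1 if any are found. stat is used instead of "find ! -user" because
# find treats an unknown user name as an error, which would look like
# "no offenders" to a caller.
check_owner() {
  local dir="$1" user="$2" offenders
  offenders=$(find "$dir" -exec stat -c '%U %u %n' {} + \
              | awk -v u="$user" '$1 != u && $2 != u { sub(/^[^ ]+ [^ ]+ /, ""); print }')
  [ -z "$offenders" ] || { printf '%s\n' "$offenders"; return 1; }
}

# Exit 0 when the default /cf_scripts/scripts path no longer appears in an
# Apache config file. Assumption: the scripts path is exposed via an Alias.
scripts_path_renamed() {
  ! grep -qF '/cf_scripts/scripts' "$1"
}

# Exit 0 when at least one process matching the ColdFusion launcher runs as $1.
# Needs a live host, so it is not exercised by the fixture below.
check_process_user() {
  pgrep -u "$1" -f 'coldfusion' >/dev/null 2>&1
}

# Constructed fixture: two lockdown logs and two Apache snippets in a temp dir.
demo_fixture() {
  local d
  d=$(mktemp -d)
  printf '%s\n' 'Changing permissions of instance directory' \
                'Updating Apache configuration' \
                'Successfully locked down ColdFusion' > "$d/lockdown-ok.log"
  printf '%s\n' 'Changing permissions of instance directory' \
                'Changing owner of webroot /var/www/html' \
                'Rolling back the changes because of Lockdown failure' > "$d/lockdown-failed.log"
  printf '%s\n' 'Alias /cf_scripts "/opt/coldfusion2018/cfusion/wwwroot/cf_scripts/scripts"' > "$d/httpd-before.conf"
  printf '%s\n' 'Alias /cf_scripts "/opt/coldfusion2018/cfusion/wwwroot/cf_scripts/x9q2m7"' > "$d/httpd-after.conf"
  echo "$d"
}

# Walk the fixture the way an operator would walk a real host.
run_demo() {
  local d f status
  d=$(demo_fixture)
  for f in "$d"/lockdown-*.log; do
    status=$(classify_lockdown_log "$f" || true)
    printf '%s: %s\n' "$(basename "$f")" "$status"
    [ "$status" != rolled_back ] || printf '  failed at: %s\n' "$(failing_step "$f")"
  done
  check_owner "$d" "$(id -u)" && echo "fixture owned by uid $(id -u)"
  scripts_path_renamed "$d/httpd-after.conf" && echo "httpd-after.conf: scripts path renamed"
  scripts_path_renamed "$d/httpd-before.conf" || echo "httpd-before.conf: default scripts path still present"
  rm -rf "$d"
}

run_demo
```

On a real host, point classify_lockdown_log and failing_step at the custom log next to the installer log, check_owner at each website root, the instance directory and the connector magic folder with the user you gave the installer, scripts_path_renamed at the connector's Apache configuration, and check_process_user at that same user.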

I want to uninstall Server Auto-Lockdown

We also provide an uninstaller for Server Auto-Lockdown.

It reverts all the changes made during the lockdown process, returning your system to its initial state. Launch it by double-clicking the uninstaller and supplying the few details it asks for. These details are required because we do not store any passwords during installation.

The uninstaller can be found at: [CF Home]\lockdown\[Instance locked down]\Uninstall

I want to install lockdown on multiple servers (silent installers)

We also provide silent installers for lockdown. The required properties are listed in the Server Auto-Lockdown documentation linked above.

The installers can then be automated to run on any system with minimal changes to the properties file.

Download the latest Server Auto-Lockdown installers from here

13 Comments
Jun 30, 2021

Hi,

Does anyone know whether, if we want to change the service account that CF runs under AFTER running the lockdown tool, that is OK, or whether we need to uninstall the lockdown tool and start all over?

Thanks,

Gabe

Mar 25, 2020

How long does this install take? I have IIS with 4 sites and it has been at "Change permissions of IIS Website 100%" for half an hour. Task Manager shows no CPU activity.

Jul 24, 2019

Folks finding this post in mid-2019 and beyond should note that in the technotes for CF2018 update 4 (from June 2019) there is indication that the Lockdown tool installer was “refreshed” (a new one was made available). See https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-4.html.

As for getting the new installer, see the CF downloads page, specifically this anchor:

https://www.adobe.com/support/coldfusion/downloads.html#cf2018ldg

Note that there are now Lockdown installers for Windows, Linux, and Mac. The Mac version was added in CF2018 Update 2. The checksums for the current versions are offered on that page.

I will add for those on Windows that you can confirm the version you have by looking at the properties of the file (in Windows), and its “details” page, where the new one (from update 4) reports 2018.0.2, while the original reports 2018.0.0. (The UI for the tool does NOT report its version that I have seen.)

Finally, I have not found any documentation on what changed with the tool as of CF2018 update 4, but I have just asked Adobe and am awaiting a reply. If I don’t think to add here what I hear back, I should see eventually if someone adds a comment asking me about it.

Anyway, the main point I wanted to make was that the tool was indeed updated in June 2019, so perhaps some of the warts and challenges people have had have been addressed. It would certainly seem wise for anyone preparing to use it to make sure they DO have the latest. So many people often re-use files downloaded a year or more ago, not realizing there was indeed an update.
