Server Auto-Lockdown

July 12, 2018

Introduction

With the 2018 release of ColdFusion, we have introduced support for Server Auto-Lockdown.

Before going into the details, let’s understand what Server Auto-Lockdown is.

What is Server Auto-Lockdown?

Server Auto-Lockdown is based on the Lockdown Guide prepared by Pete Freitag to help server administrators secure ColdFusion installations.

The installer guides the users to change some permissions in their system to secure their ColdFusion installation. A few settings that need to be changed are:

  1. Set some OS-level file system permissions
  2. Change registry permissions
  3. Configure the web server
  4. Change a few ColdFusion Administrator settings

Why Server Auto-Lockdown?

With the number of intrusions seen every day across organizations small and big, from startups to federal agencies and even nuclear installations, it’s obvious why a secure infrastructure is of paramount importance to any organization.

The lockdown guide was prepared to prevent hacks in which the entire server/system is taken hostage by hackers.

While the lockdown guide did its job as expected, following it is manual and time-consuming. The entire process:

  1. Involves more than 50 steps
  2. Takes 4-5 hours for one successful lockdown of a server
  3. Is error prone since each step must be performed with utmost precision
  4. Has no fallback. If anything goes wrong anywhere, it’s advised to start over so as not to leave behind traces of any vulnerability
  5. Involves identical steps for multiple setups. If there are multiple ColdFusion servers present in the organization, all 50 steps need to be performed on each of them separately, with all the pitfalls mentioned above

This motivated us to develop Server Auto-Lockdown. The Server Auto-Lockdown:

  1. Performs all 50 steps automatically
  2. Provides settings summary
  3. Rolls back to the original configuration if the installer fails
  4. Installs silently
  5. Is available for all platforms
  6. Takes 4-5 minutes compared to manually performing the steps
  7. Provides an uninstaller to revert all your settings to their initial state
  8. Provides logs to show each change made to the system during the installation

How does Server Auto-Lockdown work?

We have prepared a separate installer for lockdown. It takes in a set of inputs required for us to lock down your ColdFusion server.

The installer needs to be run as Administrator after ColdFusion has been installed successfully.

The inputs to the installer are used to change/edit the permissions/configurations as mentioned in the Lockdown guide.

Server Auto-Lockdown installers are currently available for Windows IIS, Windows Apache and Linux Apache systems. We will be releasing the same for Mac and Solaris in a couple of months.

Installation Steps

The installation steps are written in our documentation for Server Auto-Lockdown at:

https://helpx.adobe.com/coldfusion/using/server-lockdown.html

Review each step carefully before proceeding with the installation. This prevents wrong input being given, which would render your ColdFusion installation unusable.

How to check if the installation was successful?

There are a few things you can do to check whether auto-lockdown of your server was successful:

  1. Check the installer logs. The logs must not display any errors.
  2. Check the custom logs that are created in the same folder where the installer log was created. The bottom of the log must display either:
    1. Successfully locked down ColdFusion
    2. Successfully locked down Apache server
  3. Check the file system permissions for the websites/ColdFusion instance/Magic folders for connectors. They must have changed to the user-defined permissions given as input during the ColdFusion installation
  4. Check that the services/processes are running as the user given as input during the ColdFusion installation step
  5. Check that the value for /cf_scripts/scripts has changed in VDIR for IIS/Apache, and in ColdFusion Administrator

My installation has rolled back

If you see any of the lines shown below, your installation was unsuccessful due to some issues. The log to check is the custom log created by the installer.

  1. Rolling back any changes made during lockdown!
  2. Rolling back the changes because of Lockdown failure
  3. A non-fatal exception at the bottom of the custom log we created

In this case, you need to identify the step where the lockdown failed. The step can be seen in the log, just above the lines mentioned. You need to fix whatever is mentioned there and try the lockdown again. If the issue persists, you can contact ColdFusion support for help.
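The log checks from the two sections above can be scripted. The following is an added example, not part of the original post or of Adobe's tooling: it scans the text of the custom lockdown log for the success and rollback messages quoted above and reports the failure line logged just before the rollback. The sample log lines are constructed, and the wording matched for failing steps and for the non-fatal exception is an assumption.

```python
import re

# Markers quoted in the article, matched loosely and case-insensitively because
# real logs vary slightly (e.g. "because of the Lockdown failure").
SUCCESS = re.compile(r"successfully locked down (coldfusion|apache server)", re.I)
ROLLBACK = re.compile(r"rolling back (any|the) changes|non-fatal exception", re.I)
# Assumption: a failing step's line contains "fail", "failed", "failure" or "error".
FAILURE = re.compile(r"\b(fail(ed|ure)?|error)\b", re.I)

def check_lockdown_log(text, tail=3):
    """Classify a custom lockdown log; on rollback, find the step that caused it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    hit = next((i for i, ln in enumerate(lines) if ROLLBACK.search(ln)), None)
    if hit is not None:
        # The failing step is logged just above the rollback lines, so take
        # the failure line nearest to the first rollback marker.
        failures = [ln for ln in lines[:hit] if FAILURE.search(ln)]
        return {"status": "rolled_back",
                "failing_step": failures[-1] if failures else None,
                "failures": failures}
    # The success message must appear at the bottom of the log.
    if any(SUCCESS.search(ln) for ln in lines[-tail:]):
        return {"status": "locked_down", "failing_step": None, "failures": []}
    return {"status": "unknown", "failing_step": None,
            "failures": [ln for ln in lines if FAILURE.search(ln)]}

# Constructed sample: a lockdown that rolled back after a service step failed.
SAMPLE_ROLLED_BACK = """\
2019-03-28 12:22:25 INFO - Changing for: ColdFusion 2018 ODBC Server
2019-03-28 12:22:26 INFO - [SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
2019-03-28 12:22:26 INFO - Failed to change the logon users for ColdFusion services!
2019-03-28 12:22:26 INFO - Rolling back the changes because of the Lockdown failure
2019-03-28 12:22:26 INFO - Reverting back the registry permissions changed during Lockdown
"""

# Constructed sample: a lockdown that completed.
SAMPLE_OK = """\
2018-07-12 10:00:01 INFO - Changing logon users for ColdFusion services
2018-07-12 10:00:02 INFO - [SC] ChangeServiceConfig SUCCESS
2018-07-12 10:00:09 INFO - Successfully locked down ColdFusion
"""

if __name__ == "__main__":
    for name, log in (("rolled back", SAMPLE_ROLLED_BACK), ("ok", SAMPLE_OK)):
        print(name, "->", check_lockdown_log(log))
```

A result of `unknown` means neither marker was found, for example in a truncated log; treat it as not verified rather than as success.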

I want to uninstall Server Auto-Lockdown

We also provide an uninstaller for the Server Auto-Lockdown installer.

It reverts all the changes made during the lockdown process, returning your system to its initial state. Launch the uninstaller by double-clicking it and entering the few details it asks for. These details are required because we do not store any passwords during the installation.

The uninstaller can be found at: [CF Home]\lockdown\[Instance locked down]\Uninstall

I want to install lockdown on multiple servers (Silent installers)

We also provide silent installers for lockdown. The properties required are shared in the documentation of Auto-Lockdown present here

The installers can be automated to install in any system with minimal changes required to the properties file.

Download the latest Server Auto-Lockdown installers from here

Comments (11)
2019-07-24 21:38:19

Folks finding this post in mid-2019 and beyond should note that in the technotes for CF2018 update 4 (from June 2019) there is indication that the Lockdown tool installer was “refreshed” (a new one was made available). See https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-4.html.

As for getting the new installer, see the CF downloads page, specifically this anchor:

https://www.adobe.com/support/coldfusion/downloads.html#cf2018ldg

Note that there are now Lockdown installers for Windows, Linux, and Mac. The Mac version was added in CF2018 Update 2. The checksums for the current versions are offered on that page.

I will add for those on Windows that you can confirm the version you have by looking at the properties of the file (in Windows), and its “details” page, where the new one (from update 4) reports 2018.0.2, while the original reports 2018.0.0. (The UI for the tool does NOT report its version that I have seen.)

Finally, I have not found any documentation on what changed with the tool as of CF2018 update 4, but I have just asked Adobe and am awaiting a reply. If I don’t think to add here what I hear back, I should see eventually if someone adds a comment asking me about it.

Anyway, the main point I wanted to make was that the tool was indeed updated in June 2019, so perhaps some of the warts and challenges people have had have been addressed. It would certainly seem wise for anyone preparing to use it to make sure they DO have the latest. So many people often re-use files downloaded a year or more ago, not realizing there was indeed an update.

2019-04-08 19:21:20

Just an FYI to anyone wanting to use this. If you plan to add a site on a locked down instance you will need to uninstall as your new site will not be accessible. Going thru the motions now ….

2019-03-29 11:45:32

I have a brand new Windows server and after installing ColdFusion successfully, I ran the auto lock down tool. It seems to have failed attempting to change the logon user for the Windows CF services that I did not install. They are optional services, why does it fail?

Excerpt from the log file:
2019-03-28 12:22:24 INFO  – Changing logon users for ColdFusion services
2019-03-28 12:22:24 INFO  – Trying to change logon user for ColdFusion
2019-03-28 12:22:25 INFO  – Changing for: ColdFusion2018Add-onServices
2019-03-28 12:22:25 INFO  – [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:25 INFO  – Changing for: ColdFusion 2018 Application Server
2019-03-28 12:22:26 INFO  – [SC] ChangeServiceConfig SUCCESS
2019-03-28 12:22:26 INFO  – Changing for: ColdFusion 2018 ODBC Agent
2019-03-28 12:22:26 INFO  – [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:26 INFO  – Changing for: ColdFusion 2018 ODBC Server
2019-03-28 12:22:26 INFO  – [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:26 INFO  – Failed to change the logon users for ColdFusion services!
2019-03-28 12:22:26 INFO  – Rolling back the changes because of the Lockdown failure
2019-03-28 12:22:26 INFO  – Reverting back the registry permissions changed during Lockdown

2019-04-25 18:13:59, in reply to Miguel Fernandez's comment

Hi Miguel,

I am experiencing the same issue. The lockdown is bailing out after it finds that I did not install the optional services. My log is identical to yours. Very frustrating!

2018-09-10 23:55:55

How does this work when you are running multiple instances using the Enterprise Edition? Do you need to run the lock-down tool for each instance/site?

2018-07-16 13:52:02

Good question, Carl. I don’t find it (currently) offered on the page shown upon downloading CF (as was the case with the pmt), nor is it linked to from the docs page above, nor on the “downloads” page (https://www.adobe.com/support/coldfusion/downloads.html).

2018-07-19 05:25:25, in reply to Charlie Arehart's comment

2018-07-19 13:13:27, in reply to SauravGhosh's comment

Thanks.

2018-07-16 03:05:33

Hello, Where do I download CF2018 Server Auto-Lockdown installer to be able to run that?
Thanks in advance, Carl.

2018-07-16 17:34:03, in reply to Carl Meyer's comment

We are aware of this.
It will be available soon.

2018-07-19 05:25:50, in reply to Carl Meyer's comment