With the 2018 release of ColdFusion, we have introduced support for Server Auto-Lockdown.
Before going into the details, let's understand what Server Auto-Lockdown is.
What is Server Auto-Lockdown?
Server Auto-Lockdown is based on the Lockdown Guide prepared by Pete Freitag to help server administrators secure ColdFusion installations.
The installer guides users through the permission and configuration changes needed to secure their ColdFusion installation. The settings that need to be changed include:
- Setting OS-level file system permissions
- Changing registry permissions
- Configuring the web server
- Changing a few ColdFusion Administrator settings
Why Server Auto-Lockdown?
With intrusions seen every day across organizations of every size, from startups to federal agencies and even nuclear installations, it is obvious why a secure infrastructure is of paramount importance to any organization.
The lockdown guide was prepared to prevent compromises in which an attacker takes control of the entire server.
While the lockdown guide does its job as expected, following it is manual and time-consuming. The entire process:
- Involves more than 50 steps
- Takes 4-5 hours for one successful lockdown of a server
- Is error-prone, since each step must be performed precisely
- Has no fallback. If anything goes wrong at any point, it is advised to start over so that no trace of a vulnerability is left behind
- Must be repeated for every server. If an organization has several ColdFusion servers, all 50 steps must be performed on each of them separately, with all the pitfalls above each time
This motivated us to develop Server Auto-Lockdown, which:
- Performs all 50 steps automatically
- Provides a settings summary
- Rolls back to the original configuration if the installer fails
- Installs silently
- Is being made available for all supported platforms (see availability below)
- Takes 4-5 minutes instead of the 4-5 hours needed to perform the steps manually
- Provides an uninstaller to revert all settings to their initial state
- Provides logs showing each change made to the system during installation
How does Server Auto-Lockdown work?
We have prepared a separate installer for lockdown. It takes a set of inputs that we need in order to lock down your ColdFusion server.
The installer must be run with administrative privileges (as Administrator on Windows) after ColdFusion has been installed successfully.
The inputs to the installer are used to change the permissions and configurations described in the Lockdown guide.
Server Auto-Lockdown installers are currently available for Windows IIS, Windows Apache and Linux Apache systems. We will be releasing the same for Mac and Solaris in a couple of months.
The installation steps are written in our documentation for Server Auto-Lockdown at:
Review each step carefully before proceeding with the installation: a wrong input can render your ColdFusion installation unusable.
How to check if the installation was successful?
There are a few things you can check to see whether the auto-lockdown of your server succeeded:
- Check the installer log. It must not display any errors.
- Check the custom log created in the same folder as the installer log. The bottom of the log must display either:
- Successfully locked down ColdFusion
- Successfully locked down Apache server
- Check the file system permissions on the website folders, the ColdFusion instance and the connector magic folders. They must have changed to the permissions you supplied as input during installation.
- Check that the ColdFusion services/processes are running as the user you supplied as input during installation.
- Check that the value for /cf_scripts/scripts has changed in the virtual directory (VDIR) configuration for IIS/Apache and in the ColdFusion Administrator.
My installation has rolled back
If you see any of the lines below, the lockdown failed and its changes were rolled back. The log to check is the custom log created by the installer.
- Rolling back any changes made during lockdown!
- Rolling back the changes because of Lockdown failure
- A non-fatal exception at the bottom of the custom log
In this case, identify the step at which lockdown failed. The step is recorded in the log, just above the lines mentioned. Fix the problem it reports and run lockdown again. If the issue persists, contact ColdFusion support for help.
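The post-lockdown checks above and the rollback indicators in this section can be scripted for a Linux/Apache host. The following is an added example written for this post, not Adobe's own code: the log paths and the run-as user are passed in by the caller, the sample log text in the comments is constructed, and the 20-line tail window, the match on the word "Exception" for the non-fatal-exception case, and the "coldfusion" process-name match are assumptions.

```shell
#!/bin/sh
# Added example, not Adobe's code: post-lockdown checks for a Linux/Apache
# ColdFusion host, based on the log lines and checks the post lists.

# Classify the custom lockdown log from its final lines.
# Prints "success", "rollback" or "unknown"; exit status 0 only for success.
lockdown_log_status() {
    log="$1"
    [ -r "$log" ] || { echo "unknown"; return 1; }
    # The verdict is written at the bottom of the log, so inspect only the
    # tail (20 lines is an assumption).
    tail_text=$(tail -n 20 "$log")
    case "$tail_text" in
        *"Rolling back any changes made during lockdown!"* | \
        *"Rolling back the changes because of Lockdown failure"* | \
        *Exception*)
            # A non-fatal exception at the bottom also means rollback
            # (assumption: its text contains "Exception").
            echo "rollback"; return 1 ;;
    esac
    case "$tail_text" in
        *"Successfully locked down ColdFusion"* | \
        *"Successfully locked down Apache server"*)
            echo "success"; return 0 ;;
    esac
    echo "unknown"; return 1
}

# Print the log line just above the first rollback marker; the post says
# that line names the step at which lockdown failed.
lockdown_failed_step() {
    awk '/Rolling back/ { print prev; exit } { prev = $0 }' "$1"
}

# Count lines in the installer log that mention an error (the installer log
# must not display any errors). Prints the count; exit status 0 when it is 0.
installer_log_errors() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    count=$(grep -ci 'error' "$1" || true)
    echo "$count"
    [ "$count" -eq 0 ]
}

# Verify that a directory (website root, ColdFusion instance, connector
# magic folder) is owned by the run-as user supplied to the lockdown
# installer and is not world-writable.
dir_owned_by_user_not_world_writable() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -maxdepth 0 -user "$user" -print)" ] || return 1
    [ -z "$(find "$dir" -maxdepth 0 -perm -002 -print)" ]
}

# List ColdFusion processes (assumption: their command line contains
# "coldfusion") that are NOT running as the run-as user, as "user pid".
# The bracket in the regex keeps awk's own command line from matching.
coldfusion_processes_not_running_as() {
    user="$1"
    ps -eo user=,pid=,args= |
        awk -v u="$user" 'tolower($0) ~ /coldfusi[o]n/ && $1 != u { print $1, $2 }'
}

# Usage, as root after running the lockdown installer:
#   sh check-lockdown.sh --check CUSTOM_LOG INSTALLER_LOG RUNAS_USER DIR...
if [ "${1:-}" = "--check" ]; then
    custom_log="$2"; installer_log="$3"; runas="$4"; shift 4
    status=$(lockdown_log_status "$custom_log")
    echo "custom log: $status"
    [ "$status" = "rollback" ] && echo "failed step: $(lockdown_failed_step "$custom_log")"
    echo "installer log error lines: $(installer_log_errors "$installer_log")"
    for d in "$@"; do
        if dir_owned_by_user_not_world_writable "$d" "$runas"; then echo "ok  $d"; else echo "BAD $d"; fi
    done
    bad=$(coldfusion_processes_not_running_as "$runas")
    if [ -z "$bad" ]; then echo "all ColdFusion processes run as $runas"; else echo "not running as $runas: $bad"; fi
fi
```

The rollback markers are checked before the success lines so that a log that records a success for one component and a rollback further down is still reported as a rollback; the exact permissions you chose are not known to the script, so it only confirms ownership and the absence of world-write, which is the failure mode a lockdown is meant to close.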
I want to uninstall Server Auto-Lockdown
We also provide an uninstaller for Server Auto-Lockdown.
It reverts all the changes made during the lockdown process, returning your system to its initial state. Launch it by double-clicking the uninstaller and entering the few details it asks for; these details are required because we do not store any passwords during installation.
The uninstaller can be found at: [CF Home]\lockdown\[Instance locked down]\Uninstall
I want to install lockdown on multiple servers (silent installers)
We also provide silent installers for lockdown. The required properties are listed in the Auto-Lockdown documentation present here
The installer can be automated on any system with minimal changes to the properties file.