The Server Auto-Lockdown installer does not let you apply lock-down to a site created after it was run without re-installing the lock-down tool from the beginning. The procedure below locks down a new site manually instead, reproducing what the installer does for a site, without re-running the installer.
Assumptions
ColdFusion is configured with one site, cfsite1, and the runtime user name of ColdFusion after lock-down is cfuser. In addition, you have already locked down the instance cfusion (located at C:\ColdFusion2018\cfusion). The magic folder (connector folder) for the site is C:\ColdFusion2018\config\wsconfig\1.
You have a second site called cfsite2, which you want to lock down without running the Server Auto-Lockdown installer.
For the site cfsite2,
- The webroot is located at C:\inetpub\cfsite2
- The app pool name is cfsite2
- The website name is cfsite2
Procedure
- Create a connector (wsconfig) for the website cfsite2. The connector gets its own magic folder, for example C:\ColdFusion2018\config\wsconfig\2. The number is assigned by the connector tool, not chosen by you, so check which folder was created for the new site (it is the physical path of the jakarta virtual directory that the connector adds to the site in IIS) and use that path wherever the steps below refer to the magic folder for cfsite2.
- Right-click the magic folder and click Security > Advanced.
- Click Disable inheritance and choose Remove all inherited permissions from this object. The permission list is now empty.
- Perform the set of steps below:
- Set 1
- Click Add.
- Click Select a principal.
- Under Locations, select the domain of the machine.
- Enter <Administrator user name> in Enter the object name to select.
- Click OK.
- Select Full control for Basic Permissions.
- To save the changes, click OK.
- Set 2
- Click Add.
- Click Select a principal.
- Under Locations, select the domain of the machine.
- Enter Administrators in Enter the object name to select.
- Click OK.
- Select Full control for Basic Permissions.
- To save the changes, click OK.
- Set 3
- Click Add.
- Click Select a principal.
- Under Locations, select the domain of the machine.
- In the Enter the object name to select field, enter cfuser.
- Click OK.
- Select Read & Execute, List folder contents, and Write for Basic Permissions.
- To save the changes, click OK.
- Set 4
- Click Add.
- Click Select a principal.
- Under Locations, select the domain of the machine.
- In the Enter the object name to select field, enter IIS AppPool\cfsite2.
- Click OK.
- Select Read & Execute, List folder contents, and Write for Basic Permissions.
- To save the changes, click OK.
- Select Replace all child object permission entries with inheritable permission entries from this object. Click Apply.
- Navigate to the webroot (C:\inetpub\cfsite2), right-click it and click Security > Advanced. Click Disable inheritance and choose Remove all inherited permissions from this object. Follow the set of steps below:
- Set 1
- Click Add.
- Click Select a principal.
- Under Locations, select the domain of the machine.
- In the Enter the object name to select field, enter IIS AppPool\cfsite2.
- Click OK.
- Select Read & Execute, List folder contents, and Write for Basic Permissions.
- To save the changes, click OK.
- Set 2
- Click Add.
- Click Select a principal.
- Under Locations, select the domain of the machine.
- In the Enter the object name to select field, enter IUSR.
- Click OK.
- Select Read & Execute, List folder contents, and Write for Basic Permissions.
- To save the changes, click OK.
- Set 3
- Click Add.
- Click Select a principal.
- Under Locations, select the domain of the machine.
- In the Enter the object name to select field, enter IIS_IUSRS.
- Click OK.
- Select Read & Execute, List folder contents, and Write for Basic Permissions.
- To save the changes, click OK.
- Set 4
- Click Add.
- Click Select a principal.
- Under Locations, select the domain of the machine.
- Enter <Administrator user name> in Enter the object name to select.
- Click OK.
- Select Full control for Basic Permissions.
- To save the changes, click OK.
- Set 5
- Click Add.
- Click Select a principal.
- Under Locations, select the domain of the machine.
- Enter Administrators in Enter the object name to select.
- Click OK.
- Select Full control for Basic Permissions.
- To save the changes, click OK.
- Set 6
- Click Add.
- Click Select a principal.
- Under Locations, select the domain of the machine.
- In the Enter the object name to select field, enter cfuser.
- Click OK.
- Select Read & Execute, List folder contents, and Write for Basic Permissions.
- To save the changes, click OK.
- Select Replace all child object permission entries with inheritable permission entries from this object. Click Apply.
- Navigate to C:\ColdFusion2018\cfusion\wwwroot, right-click cf_scripts and click Security > Advanced. This folder already carries the lock-down permissions from the installer, so leave the existing entries in place and add one entry for the new app pool:
- Click Add.
- Click Select a principal.
- Under Locations, select the domain of the machine.
- In the Enter the object name to select field, enter IIS AppPool\cfsite2.
- Click OK.
- Select Read & Execute, List folder contents, and Write for Basic Permissions.
- To save the changes, click OK.
- Navigate to the magic folder for cfsite1 (C:\ColdFusion2018\config\wsconfig\1) and open the file worker.properties. Copy the value of the key worker.cfusion.secret. Then open worker.properties in the magic folder for cfsite2 (C:\ColdFusion2018\config\wsconfig\2 in this example) and add the line worker.cfusion.secret=<value copied above>. Both connectors talk to the same cfusion instance, so they must present the same shared secret.
- Launch IIS Manager (inetmgr) and copy the Request Filtering settings from cfsite1 to cfsite2 (select cfsite1 > Request Filtering > URL and recreate the same entries on cfsite2).
- In IIS Manager, select the website cfsite2 and remove the X-Powered-By header under HTTP Response Headers.
- Restart the ColdFusion instance.
- Restart the IIS website.
NOTE: After uninstalling Lockdown, you must revert these settings manually.
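The whole procedure above as one PowerShell script, run elevated on the server after the connector for cfsite2 has been created. This is an added example written for this page, not Adobe's tooling or documentation. It assumes the site, path, account and instance names used on this page; that the connector created a jakarta virtual directory for cfsite2 whose physical path is the new magic folder (the script reads that path instead of assuming folder 2); that the account running the script is the <Administrator user name> the page refers to; and the display name of the ColdFusion 2018 service. Set-LockedDownAcl and Reset-ChildAcl are helper functions defined here, not ColdFusion or IIS commands.

```powershell
#Requires -RunAsAdministrator
# Added example, not Adobe's tooling: scripts the manual lock-down above for a second site.
# Assumed: page's paths/names, a "jakarta" vdir on the site, the CF service display name below.
Import-Module WebAdministration
$Site      = 'cfsite2'
$WebRoot   = 'C:\inetpub\cfsite2'
$OldMagic  = 'C:\ColdFusion2018\config\wsconfig\1'          # already locked-down connector
$CfScripts = 'C:\ColdFusion2018\cfusion\wwwroot\cf_scripts'
$CfUserId  = "$env:COMPUTERNAME\cfuser"                      # ColdFusion runtime user after lock-down
$AppPoolId = "IIS AppPool\$Site"                             # app pool virtual account
$AdminUser = "$env:USERDOMAIN\$env:USERNAME"                 # assumed: the admin running this script
$CfService = 'ColdFusion 2018 Application Server'            # assumed display name; check Get-Service

# The connector tool assigns the magic folder number, so read it from the site's jakarta vdir.
$NewMagic = (Get-WebVirtualDirectory -Site $Site -Name 'jakarta').physicalPath
if (-not $NewMagic -or -not (Test-Path -LiteralPath $NewMagic)) { throw "No jakarta vdir for $Site; create the connector first." }

# "Read & Execute, List folder contents, Write" as one rights mask; Full control for admins.
$RX_W = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$FULL = [System.Security.AccessControl.FileSystemRights]::FullControl

function Set-LockedDownAcl {
    # Disable inheritance, drop every existing entry and grant exactly $Grants (principal -> rights),
    # inheritable by subfolders and files. -KeepExisting only adds the grants (the cf_scripts step).
    param([string]$Path, [hashtable]$Grants, [switch]$KeepExisting)
    $acl = Get-Acl -LiteralPath $Path
    if (-not $KeepExisting) {
        $acl.SetAccessRuleProtection($true, $false)   # Disable inheritance + remove inherited entries
        foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    }
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($principal in $Grants.Keys) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, $Grants[$principal], $flags,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Reset-ChildAcl {
    # "Replace all child object permissions": children keep only what they inherit from $Path.
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        $acl.SetAccessRuleProtection($false, $false)   # re-enable inheritance from the parent
        foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($rule) }
        Set-Acl -LiteralPath $_.FullName -AclObject $acl
    }
}

# 1. Magic folder of the new connector
Set-LockedDownAcl -Path $NewMagic -Grants @{
    $AdminUser = $FULL; 'BUILTIN\Administrators' = $FULL; $CfUserId = $RX_W; $AppPoolId = $RX_W }
Reset-ChildAcl -Path $NewMagic

# 2. Webroot (Write for IUSR/IIS_IUSRS is what the page specifies; drop it if the app does not need it)
Set-LockedDownAcl -Path $WebRoot -Grants @{
    $AppPoolId = $RX_W; 'NT AUTHORITY\IUSR' = $RX_W; 'BUILTIN\IIS_IUSRS' = $RX_W
    $AdminUser = $FULL; 'BUILTIN\Administrators' = $FULL; $CfUserId = $RX_W }
Reset-ChildAcl -Path $WebRoot

# 3. cf_scripts: add the new app pool, keep the existing lock-down entries
Set-LockedDownAcl -Path $CfScripts -Grants @{ $AppPoolId = $RX_W } -KeepExisting

# 4. Copy worker.cfusion.secret from the locked-down connector to the new one
$key  = 'worker.cfusion.secret'
$line = Get-Content -LiteralPath (Join-Path $OldMagic 'worker.properties') |
        Where-Object { $_ -match "^\s*$([regex]::Escape($key))\s*=" } | Select-Object -First 1
if (-not $line) { throw "$key not found in $OldMagic\worker.properties; lock down cfsite1 first." }
$secret = ($line -split '=', 2)[1].Trim()
$dst    = Join-Path $NewMagic 'worker.properties'
$kept   = @(Get-Content -LiteralPath $dst | Where-Object { $_ -notmatch "^\s*$([regex]::Escape($key))\s*=" })
Set-Content -LiteralPath $dst -Value ($kept + "$key=$secret") -Encoding ASCII

# 5. Request Filtering > URL: copy cfsite1's allowed URLs and deny sequences, skipping duplicates
$rf = 'system.webServer/security/requestFiltering'
foreach ($c in @(@{ f = "$rf/alwaysAllowedUrls"; a = 'url' }, @{ f = "$rf/denyUrlSequences"; a = 'sequence' })) {
    $attr = $c.a
    $have = @(Get-WebConfiguration -Filter "$($c.f)/add" -PSPath "IIS:\Sites\$Site" | ForEach-Object { $_.$attr })
    foreach ($e in Get-WebConfiguration -Filter "$($c.f)/add" -PSPath 'IIS:\Sites\cfsite1') {
        if ($have -notcontains $e.$attr) {
            Add-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $c.f -Name '.' -Value @{ $attr = $e.$attr }
        }
    }
}

# 6. Remove the X-Powered-By response header for the site
$hdr = 'system.webServer/httpProtocol/customHeaders'
if (Get-WebConfiguration -Filter "$hdr/add[@name='X-Powered-By']" -PSPath "IIS:\Sites\$Site") {
    Remove-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $hdr -Name '.' -AtElement @{ name = 'X-Powered-By' }
}

# 7. Restart ColdFusion and the site, then print the resulting ACLs for a final check
Restart-Service -DisplayName $CfService
Stop-Website -Name $Site; Start-Website -Name $Site
foreach ($p in $NewMagic, $WebRoot) { "== $p"; (Get-Acl -LiteralPath $p).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize }
```

Set-LockedDownAcl does what the Advanced Security dialog does: it disables inheritance, removes every inherited entry and then grants only the listed principals, so an entry added by hand earlier is dropped as well. Compare the two tables printed at the end with the sets above before putting the site back in service; an unexpected entry there, or a Write grant the application does not need, is the thing to fix before going live.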
There seems to be a slight mistake that could confuse readers.
In your reference to the new connector "magic folder" for the new "site 2", you refer to it as folder 3 in the first reference, but folder 2 in the second:
Create a connector for the website cfsite2, which has a magic folder, for example, C:\ColdFusion2018\config\wsconfig\3.
But later:
Navigate to the magic folder for cfsite2 (C:\ColdFusion2018\config\wsconfig\2) and open the file worker.properties.
Also, the first one reads as if the user SHOULD set it to 3, but of course we have no control of that. Really, it should tell the reader to look to see what number the folder is for their new site and new connector.
That can be seen in the Jakarta virtual directory or alias created in the web server for that site.
You may also want to point readers to Adobe resources with more details on how the wsconfig files all connect.
I’ll add that those who may need assistance with this sort of stuff can get directed remote help (for a fee) from Adobe support or folks like myself. I list such troubleshooting consultants at cf411.com/cftrouble. Sometimes it would take only minutes for an experienced person to sort out a confusing, misconfigured setup. It is indeed unfortunate that this stuff can be so complex.