System information
Adobe documentation - Confidential 
Introduction 
The ColdFusion 11 Server Lockdown Guide is written to help server administrators secure their 
ColdFusion 11 installations. In this document, you will find several tips and suggestions intended to 
improve the security of your ColdFusion server. The reader is strongly encouraged to test all 
recommendations on an isolated test environment before deploying into production. 
Default File Paths and Usernames 
This guide provides example file system paths for installation. You should not use the same example 
installation paths provided in this guide. 
Operating Systems and Web Servers 
This guide focuses on Windows 2012 / IIS 8, and Red Hat Enterprise Linux (RHEL) 6.5 / Apache 2.2. Many 
of the suggestions presented in this document can be extrapolated to apply to similar Operating 
Systems and Web Servers. 
ColdFusion Version 
This guide was written for ColdFusion 11 Enterprise Edition.  
Scope of Document 
This document does not detail security settings for the Operating System, the Web Server, or Network 
Firewalls. It is focused on security settings for the ColdFusion server only. 
All suggestions in this document should be tested and validated on a non-production environment 
before deploying to production.  
Applying to Existing Installations 
This guide is written from the perspective of a fresh installation. When possible, consider performing a 
fresh installation of the operating system, web server and the ColdFusion server. If an attacker has 
compromised the existing server in any way, you should start with a fresh operating system installation 
on new hardware. 
Naming Conventions 
In this guide we refer to the ColdFusion installation root directory as {cf.root}; it corresponds to the 
directory that you select when installing ColdFusion. The ColdFusion instance root is referred to as 
{cf.instance.root} in this guide. Enterprise installations may have multiple instances, but the default 
instance is {cf.root}/cfusion/. 