ColdFusion Talk (CF-Talk)
Questions about security
Eric Creese, 06/30/03 12:37 PM

I have some questions about CFMX security, loopholes, pitfalls and configuration. I have two Win2k clustered servers that will contain membership data that will be stored in a SQL Server DB on a third server. I need to ensure that I will not be hacked. Is there any particular configuration that is recommended, or issues?

webguy, 06/30/03 12:56 PM

Secure Windows - get the O'Reilly book
http://www.oreilly.com/catalog/securwinserv/
http://www.microsoft.com/security/

Secure IIS - http://www.iisfaq.com/default.aspx?view=P142

Secure SQL Server - http://www.sqlsecurity.com/DesktopDefault.aspx
Use database roles etc.

Secure CFMX - http://www.macromedia.com/devnet/security/security_zone/

Secure your application, e.g. http://secinf.net/websecurity/
CF specific - http://www.macromedia.com/support/coldfusion/technotes.html

[short list]

Possibly encrypt your data, or build a write-only database table. For example, you will probably never need to show a credit card number on a website (maybe some of it - the last 5 digits), but will need to use it on a back end. Use a different database role to read it.

WG
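The write-only table and split-role idea in webguy's reply, worked through as an added example (not code from the thread). It is T-SQL for SQL Server; every table, role and login name is constructed, and the two logins are assumed to already exist at the server level.

```sql
-- Added example, not from the thread: a write-only card table with separate
-- database roles. Names are constructed; syntax is SQL Server 2005+ (on the
-- SQL Server 2000 of the thread's era use sp_addrole / sp_grantdbaccess).
CREATE TABLE dbo.MemberCard (
    MemberID    INT            NOT NULL PRIMARY KEY,
    CardTail    CHAR(4)        NOT NULL,   -- the only digits the website ever shows
    CardNumber  VARBINARY(128) NOT NULL,   -- ciphertext; the decryption key lives on the back end only
    CreatedAt   DATETIME       NOT NULL DEFAULT GETDATE()
);
GO

-- Role for the CFMX datasource login: it may add rows but never read them back.
CREATE ROLE web_writer;
GRANT INSERT ON dbo.MemberCard TO web_writer;
DENY SELECT, UPDATE, DELETE ON dbo.MemberCard TO web_writer;
GO

-- What the website is allowed to display: a masked view owned by dbo.
-- View and table share an owner, so ownership chaining lets web_writer read
-- the view even though SELECT on the table itself is denied.
CREATE VIEW dbo.MemberCardMasked AS
SELECT MemberID, '************' + CardTail AS CardDisplay
FROM dbo.MemberCard;
GO
GRANT SELECT ON dbo.MemberCardMasked TO web_writer;

-- Separate role for the back-end process that actually needs the full column.
CREATE ROLE backend_reader;
GRANT SELECT ON dbo.MemberCard TO backend_reader;

-- Map each login (assumed to exist) to exactly one role; the CF datasource
-- is configured with cf_web, so the web tier holds no read path to the card.
CREATE USER cf_web FOR LOGIN cf_web;
EXEC sp_addrolemember 'web_writer', 'cf_web';
CREATE USER billing_job FOR LOGIN billing_job;
EXEC sp_addrolemember 'backend_reader', 'billing_job';
GO

-- Check from the web login: the masked view is readable, the table is not.
EXECUTE AS USER = 'cf_web';
SELECT CardDisplay FROM dbo.MemberCardMasked;   -- permitted via the ownership chain
SELECT CardNumber FROM dbo.MemberCard;          -- raises a SELECT permission error
REVERT;
```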
webguy, 06/30/03 01:12 PM

Oh yeah, I left out: a decent firewall, and a properly configured DMZ / zones / network, and maybe an IDS (www.Snort.org is cool), and decent passwords.....

Looking at the CFMX server alone (i.e. without your code...):
Disable / remove RDS.
Run it under a user account which only has the needed permissions.
Apply all patches.

Also think of CFMX as a Java application, it is. I've been meaning to check out the J2EE/Java version of "Hacking Exposed" - anyone read it?
http://www.amazon.co.uk/exec/obidos/ASIN/0072225653/ref=sr_aps_books_1_1/026-9749361-5814842

Also CFMX contains versions of the following: AXIS, Verity, J-Integra, log4j etc. etc., and of course JRun (or whatever Java container) + a JDK. So any issues that apply to these may apply to CFMX.

regards
WG

Eric Creese, 06/30/03 01:01 PM

Thanks. My main concern is from the CF side of things. The network admins can look at the rest. I am introducing CF here at my new employer and I will need to provide this type of info for them if they choose to go with CF.

Dave Watts, 06/30/03 02:12 PM

----- Excess quoted text cut - see Original Post for more -----

As "webguy" indicates, there are lots of things you'll need to do. In addition, unfortunately, you really can't ensure that your data won't be compromised if it's online. I would strongly recommend that, if security is suddenly such a serious concern, you spend quite a bit of time learning about all aspects of host-based security (and network security to the extent that you're responsible for it), or that you outsource what you're not prepared to deal with yourself.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444