ColdFusion Talk (CF-Talk)
Questions about security
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:25174#126626
----- Excess quoted text cut - see Original Post for more -----
As "webguy" indicates, there are lots of things you'll need to do. In
addition, unfortunately, you really can't ensure that your data won't be
compromised, if it's online. I would strongly recommend that, if security is
suddenly such a serious concern, you spend quite a bit of time learning
about all aspects of host-based security (and network security to the extent
that you're responsible for it), or that you outsource what you're not
prepared to deal with yourself.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Author: webguy
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:25174#126607
Oh yeah, I left out: a decent firewall, a properly configured DMZ /
zones / network, and maybe an IDS (www.Snort.org is cool) and decent
passwords...
Looking at the CFMX server alone then (i.e. without your code...):
Disable / remove RDS.
Run it under a user account which only has the needed permissions.
Apply all patches.
Also think of CFMX as a Java application; it is. I've been meaning to check
out the J2EE/Java version of "Hacking Exposed"; anyone read it?
http://www.amazon.co.uk/exec/obidos/ASIN/0072225653/ref=sr_aps_books_1_1/026-9749361-5814842
Also, CFMX contains versions of the following:
AXIS
Verity
J-Integra
log4j
etc. etc.
and of course JRun (or whatever Java container) + JDK issues.
So any issues that apply to these may apply to CFMX.
regards
WG
Author: Eric Creese
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:25174#126606
Thanks. My main concern is from the CF side of things. The network admins can
look at the rest. I am introducing CF here at my new employer and I will need to
provide this type of info for them if they choose to go with CF.
Author: webguy
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:25174#126605
Secure Windows - get the O'Reilly book
http://www.oreilly.com/catalog/securwinserv/
http://www.microsoft.com/security/
Secure IIS - http://www.iisfaq.com/default.aspx?view=P142
Secure SQL Server - http://www.sqlsecurity.com/DesktopDefault.aspx
Use database roles etc.
Secure CFMX - http://www.macromedia.com/devnet/security/security_zone/
Secure your application. e.g. http://secinf.net/websecurity/
CF specific - http://www.macromedia.com/support/coldfusion/technotes.html
[short list]
Possibly encrypt your data, or build a write-only database table. For
example, you will probably never need to show a credit card number on a
website (maybe some of it - the last 5 digits), but will need to use it on a
back end. Use a different database role to read it.
WG
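An added illustration of the write-only table and separate read role suggested above (example schema, not code from the thread; the table, view and role names are made up, and the syntax is SQL Server 2005+, where older versions would use sp_addrole instead of CREATE ROLE):

```sql
-- Constructed example: a card table the website can only write to,
-- a masked view it can read, and a separate role for the back end.
CREATE TABLE dbo.MemberCards (
    CardID      INT IDENTITY PRIMARY KEY,
    MemberID    INT NOT NULL,
    -- full number stored as ciphertext; the application encrypts
    -- before INSERT (no plain-text card numbers in the table)
    CardNumber  VARBINARY(256) NOT NULL,
    -- the only part the website ever needs to display
    LastDigits  CHAR(5) NOT NULL,
    CreatedAt   DATETIME NOT NULL DEFAULT GETDATE()
);
GO

-- Masked view for the website: never exposes CardNumber
CREATE VIEW dbo.MemberCardsMasked AS
SELECT CardID, MemberID, LastDigits, CreatedAt
FROM dbo.MemberCards;
GO

CREATE ROLE web_writer;      -- role the CFMX datasource login belongs to
CREATE ROLE backend_reader;  -- role for the internal billing process
GO

-- Website: INSERT on the table, SELECT only through the masked view.
-- The view is readable via ownership chaining (both objects owned by
-- dbo), so the explicit DENY on the base table does not break it.
GRANT INSERT ON dbo.MemberCards TO web_writer;
GRANT SELECT ON dbo.MemberCardsMasked TO web_writer;
DENY  SELECT, UPDATE, DELETE ON dbo.MemberCards TO web_writer;

-- Back end: may read the full (encrypted) column, but never writes
GRANT SELECT ON dbo.MemberCards TO backend_reader;
DENY  INSERT, UPDATE, DELETE ON dbo.MemberCards TO backend_reader;
GO
```

With this split, a SQL injection or a compromised web datasource login can add rows but cannot SELECT CardNumber, which is the property the post is after.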
Author: Eric Creese
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:25174#126604
I have some questions about CFMX security: loopholes, pitfalls and
configuration.
I have two Win2k clustered servers that will contain membership data that will be
stored in a SQL Server DB on a third server. I need to ensure that I will not be
hacked. Is there any particular configuration that is recommended, or issues?
May 24, 2012