Security Profile Admin Extension for ColdFusion 10

The Adobe engineers are hard at work fixing bugs and preparing ColdFusion 10 for its final release. One of the interesting features that landed after the initial public release is a "Secure Profile" option during installation. (Edit: Shilpi Khariwal just added a blog post on this new feature!) While installing ColdFusion, users can choose to enable a Secure Profile that modifies around 20 default settings to help lock down the server. To be clear, this is not meant to be a one-size-fits-all solution, nor does it mean you never have to worry about security again. Instead, it is simply meant to guide people toward a more secure production server.

This new feature is only available during installation. I thought it might be interesting to create a one-page report tool covering the security options that the Secure Profile sets up during installation. I wasn't able to get every single one (a few options are not available yet via the Admin API), but my report covers 17 settings. For each one it tells you your current setting and the recommended setting. Good values are marked in green, bad values in red (or a red variant - I had design help from Rachel Lehman). Here's a screen shot:

Click the shot to embiggen (it's a word - AICN says so) and I apologize for not having a fancy jQuery-based lightbox setup.

Some of the features checked are:

  • Robust exceptions
  • Allowed SQL operations in DSNs
  • RDS being enabled
  • and more!
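
As an added illustration (not code from the extension itself), here is how one of those checks, the allowed SQL operations per DSN, can be written against the Admin API: a pure function compares each data source against a policy and marks it good or bad, and the page renders the result. It assumes the Admin API components `cfide.adminapi.administrator` (`login()`) and `cfide.adminapi.datasource` (`getDatasources()`) and that each DSN struct carries boolean keys named after the allowed SQL operations (select, insert, update, delete, create, drop, alter, grant, revoke, storedproc); the set of operations to flag is an example policy, not the Secure Profile's exact list.

```cfml
<cfscript>
// Added example, not code from the original extension.
// Assumptions: cfide.adminapi.administrator.login() and
// cfide.adminapi.datasource.getDatasources() behave as in the CF Admin API,
// and each DSN struct has boolean keys named after the allowed SQL operations.

// Pure check: given a struct of DSN structs (keyed by DSN name), report which
// DSNs still allow operations that the policy says a production DSN should not.
function auditDatasources(required struct dsns, required array restrictedOps) {
    var report = [];
    for (var name in dsns) {
        var dsn = dsns[name];
        var stillAllowed = [];
        for (var op in restrictedOps) {
            // A missing key is treated as allowed (the unsafe default) so it gets flagged.
            if (!structKeyExists(dsn, op) || (isBoolean(dsn[op]) && dsn[op])) {
                arrayAppend(stillAllowed, op);
            }
        }
        arrayAppend(report, {
            "dsn": name,
            "status": arrayLen(stillAllowed) ? "bad" : "good",
            "allowed": stillAllowed,
            "recommended": "disable " & arrayToList(restrictedOps, ", ")
        });
    }
    return report;
}

// Example policy: DDL and DCL statements off for application DSNs.
restrictedOps = ["create", "drop", "alter", "grant", "revoke"];

// Live use against the local server (Admin API requires Enterprise or Developer edition).
adminObj = createObject("component", "cfide.adminapi.administrator");
adminObj.login("ADMIN_PASSWORD_PLACEHOLDER"); // placeholder; read from a secured source
dsnObj   = createObject("component", "cfide.adminapi.datasource");
results  = auditDatasources(dsnObj.getDatasources(), restrictedOps);
</cfscript>

<cfoutput>
<table>
<tr><th>DSN</th><th>Status</th><th>Still allowed</th><th>Recommended</th></tr>
<cfloop array="#results#" index="r">
<tr style="color:#r.status eq 'good' ? 'green' : 'red'#">
<td>#r.dsn#</td><td>#r.status#</td><td>#arrayToList(r.allowed, ", ")#</td><td>#r.recommended#</td>
</tr>
</cfloop>
</table>
</cfoutput>
```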

To install, read my guide on CF Admin extensions and - of course - use ColdFusion 10. This could easily be modified to work in ColdFusion 9 with a few IF checks here and there. The bits may be found at the Github repo (I'll add it to RIAForge once ColdFusion 10 is officially released).

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA

Archived Comments

Comment 1 by Jim posted on 4/11/2012 at 6:20 PM

Does this apply for Standard or just the Enterprise version of CF?

Comment 2 by Raymond Camden posted on 4/11/2012 at 6:22 PM

It uses the Admin API which is Ent only. In theory - you can just remove the license and run it - but that's a lot of work for something so simple. If I had both a STD and ENT license, I'd enter the ENT one, run it, then quickly go back to STD to be legal. Personally I see no reason why the Admin API should be ENT only.

Of course - another option is for the code to check the current version. It could still report on the recommendations and, with the links, you could check them manually.

Comment 3 by Rich Hughes posted on 4/11/2012 at 6:44 PM

Looks great! Any chance it can work on CF9?

Comment 4 by Raymond Camden posted on 4/11/2012 at 6:45 PM

Rich: Yes - there are checks in here that are CF10 specific - but those could be IFed out. It's up on Github - give it a shot. :)