ColdFusion 9 Wish list - Server Installation

May 16, 2008

Currently ColdFusion offers three basic installation choices: self-contained, J2EE with JRun, or J2EE EAR/WAR. The installer also asks a couple of questions, such as whether you want the RDS service enabled.

Now, when you install ColdFusion, it is not really set up for production purposes, that is, hosting 'live' applications securely. Most services are on and not locked down. Properly locking down ColdFusion for a production environment takes a good deal of time. Adobe has a good article on this subject at: http://www.adobe.com/devnet/coldfusion/articles/cf7_security.html

This, of course, could be far easier if ColdFusion had an additional option in the setup to determine the purpose of the installation: development (low security) or production (high security). This would solve two particular issues that I see. First, it would greatly reduce the setup time for a production-level ColdFusion server. Second, it would further remind people that the default (low security) installation is not designed for hosting 'live' applications.

Below are some of the items I think a production installation of ColdFusion should address. Of course, these items are tied directly to the ColdFusion installation process; there are other items dealing with the operating system and the web server specifically that this feature could not address.

- Have only the HEAD, GET and POST HTTP verbs (methods) turned on for IIS or Apache. .NET does this; why not CF?
- Disable the RDS service.
- Turn off the CF ODBC services. Production applications should be using SQL Server, Oracle or perhaps MySQL, none of which require the CF ODBC services.
- Have ColdFusion run under its own account rather than, as on Windows, under the Local System account. Once again, .NET does this and it is a fairly simple thing to do.
- Turn on UUIDs for CFTOKEN values.
- Do not install the documentation or sample applications.
- Turn off debugging.
- Have sandbox security turned on by default.
- Disable access to internal ColdFusion Java components.
- Default client variable storage to cookie instead of the registry (in fact, remove the registry option entirely).

There are other items I would address, such as the maximum session timeout, but those have more to do with my particular style. The list above hits several of the bigger items.
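As an added example (not part of the original post), the following Python script checks captured HTTP responses against several items on the list above: the verbs the web server advertises, whether the Administrator, RDS, AdminAPI, cfcexplorer and documentation paths answer to a non-localhost client, whether CFTOKEN is still the default numeric value, and whether debug output is appended to pages. The CFIDE paths, the 'Debugging Information' marker and the token shapes are assumptions about a default ColdFusion 7/8 layout, and the sample responses are constructed so the script runs offline.

```python
import re

# Only these verbs should be answered by the web server in production.
ALLOWED_METHODS = {"HEAD", "GET", "POST"}

# Assumed default CFIDE layout; adjust if the mapping has been moved.
SENSITIVE_PATHS = {
    "/CFIDE/administrator/index.cfm": "ColdFusion Administrator reachable from outside localhost",
    "/CFIDE/main/ide.cfm": "RDS service enabled",
    "/CFIDE/adminapi/": "AdminAPI CFCs reachable",
    "/CFIDE/componentutils/cfcexplorer.cfc": "cfcexplorer reachable",
    "/cfdocs/": "documentation installed",
}


def parse_response(raw):
    """Split raw HTTP response text into (status code, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def extra_methods(options_response):
    """Verbs advertised in the Allow header beyond HEAD/GET/POST, sorted."""
    _, headers, _ = parse_response(options_response)
    advertised = set()
    for value in headers.get("allow", []):
        advertised.update(m.strip().upper() for m in value.split(",") if m.strip())
    return sorted(advertised - ALLOWED_METHODS)


def cftoken_is_numeric(response):
    """True when Set-Cookie carries the default all-digit CFTOKEN rather than a UUID-style one."""
    _, headers, _ = parse_response(response)
    for cookie in headers.get("set-cookie", []):
        m = re.match(r"CFTOKEN=([^;]+)", cookie, re.I)
        if m:
            return re.fullmatch(r"\d+", m.group(1)) is not None
    return False


def debug_output_present(response):
    """Assumption: classic debug output appends a 'Debugging Information' section."""
    _, _, body = parse_response(response)
    return "Debugging Information" in body


def audit(evidence):
    """evidence maps a probe ('OPTIONS /' or a path) to the raw response seen by a
    NON-localhost client; returns a list of human-readable findings."""
    findings = []
    if "OPTIONS /" in evidence:
        extra = extra_methods(evidence["OPTIONS /"])
        if extra:
            findings.append("extra HTTP verbs allowed: " + ", ".join(extra))
    for path, label in SENSITIVE_PATHS.items():
        raw = evidence.get(path)
        if raw is not None and parse_response(raw)[0] == 200:
            findings.append(label)
    page = evidence.get("/")
    if page is not None:
        if cftoken_is_numeric(page):
            findings.append("CFTOKEN is numeric, not UUID")
        if debug_output_present(page):
            findings.append("debug output enabled")
    return findings


def _resp(status, headers=(), body=""):
    """Build a constructed raw HTTP response for the samples below."""
    lines = ["HTTP/1.1 %d %s" % (status, "OK" if status == 200 else "Forbidden")]
    lines += ["%s: %s" % h for h in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed evidence: a default (development-style) install probed remotely.
DEFAULT_INSTALL = {
    "OPTIONS /": _resp(200, [("Allow", "OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE")]),
    "/": _resp(200, [("Set-Cookie", "CFTOKEN=12345678; path=/")],
               "<html><body>app<h2>Debugging Information</h2></body></html>"),
    "/CFIDE/administrator/index.cfm": _resp(200),
    "/CFIDE/main/ide.cfm": _resp(200),
    "/CFIDE/adminapi/": _resp(200),
    "/CFIDE/componentutils/cfcexplorer.cfc": _resp(200),
    "/cfdocs/": _resp(200),
}

# Constructed evidence: the same probes against a locked-down production install
# (the UUID-style token value is illustrative, not ColdFusion's exact format).
PRODUCTION_INSTALL = {
    "OPTIONS /": _resp(200, [("Allow", "GET, HEAD, POST")]),
    "/": _resp(200, [("Set-Cookie", "CFTOKEN=1a2b3c4d5e6f-ABCDEF12-3456-7890-ABCDEF1234567890; path=/")],
               "<html><body>app</body></html>"),
    "/CFIDE/administrator/index.cfm": _resp(403),
    "/CFIDE/main/ide.cfm": _resp(403),
    "/CFIDE/adminapi/": _resp(403),
    "/CFIDE/componentutils/cfcexplorer.cfc": _resp(403),
    "/cfdocs/": _resp(403),
}

if __name__ == "__main__":
    for name, evidence in (("default", DEFAULT_INSTALL), ("production", PRODUCTION_INSTALL)):
        print(name, "->", audit(evidence) or "no findings")
```

To use it against a real host, replace the constructed dictionaries with responses captured from a machine other than the server itself, since the Administrator and RDS checks only mean something when the client is not localhost.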

Another issue is the location of the ColdFusion Administrator and, for that matter, the cfcexplorer and AdminAPI CFCs. The CFIDE mapping should really be split into two separate mappings. The CF Administrator, cfcexplorer and the AdminAPI CFCs should be in one mapping called CFADMIN. In the production-mode setup, this mapping should be locked down to localhost. The scripts folder, which holds all the libraries that run the Flash Forms and AJAX features, should be in a second mapping called CFEXT, for ColdFusion extensions. Or we could call it CFLIB, for ColdFusion library. You get the idea. The scripts, classes, images and maybe the debug folder should be included in this second mapping as well.
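Until such a split exists, the same effect can be had in the web server. The fragment below is an added example, not from the post, written for Apache 2.2 (the syntax of the day): it restricts the administrative parts of /CFIDE to localhost, keeps /CFIDE/scripts open for the Flash Forms and AJAX libraries, and rejects every verb other than HEAD, GET and POST. The paths assume the standard ColdFusion 7/8 CFIDE layout; adjust them to your install.

```apache
# Added example: lock the administrative half of CFIDE to localhost.
# Assumed paths: administrator, adminapi, componentutils (cfcexplorer), main (RDS).
<LocationMatch "^/CFIDE/(administrator|adminapi|componentutils|main)">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</LocationMatch>

# The client-side libraries must stay reachable or Flash Forms and AJAX break.
<Location /CFIDE/scripts>
    Order allow,deny
    Allow from all
</Location>

# Answer only HEAD, GET and POST; everything else (PUT, DELETE, TRACE, ...) is refused.
<Location />
    <LimitExcept GET POST HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>
TraceEnable off
```

On IIS the equivalent is an IP restriction on the CFIDE/administrator, adminapi, componentutils and main virtual directories plus a request filter on verbs; the principle is the same, only the administrative paths are reachable from the box itself.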

Comments

Flüge Australien wrote on 08/26/08 6:42 AM

I find the idea of a wish list marvelous! I wonder why there are so few contributors commenting here. In my eyes your wish list is great; the question is only what the developers will adopt.
Airline Bewerten wrote on 10/21/08 9:33 PM

I guess I have just always found a solution for those situations and never really thought about it. With all of the list and array methods, I am wondering where this would come in handy? Good start though, thanks for your thoughts!
Garten wrote on 02/19/09 12:37 PM

I would really like to find out what developers are looking for in the next version of ColdFusion. I am trying to put together a wish list to pass on to the engineering team (I know I am behind on this, sorry guys) and I am drawing a blank. I have a list of about 5 things right now so I could really use some feedback.
John Mason wrote on 02/19/09 2:17 PM

Garten,

The next CF edition is already in Alpha. It would be too late to incorporate any new features at this point. I would wait and see what this next release has and then compile your wish list after that. I would suspect the beta should be out fairly soon.
Girokonto wrote on 07/19/09 1:50 PM

A wish list would be great, but I think it's not possible to realize everything.
XTC-Templates wrote on 08/23/09 1:21 PM

When will the first beta be released?
Mike wrote on 10/08/09 2:27 PM

I would wait and see what this next release has and then compile your wish list after that.
