Running CF under a Domain Account

Jul 11, 2008

There was a question on our local user group list yesterday that I provided an answer for. The question was..

"I've been looking for a list of directories and permissions necessary for using a domain account to run CF on Windows (as opposed to Local System), and having little luck. There is an article about CF on IIS on the Adobe site, but it is for CF7 and is incomplete."

A little background first on this. By default, ColdFusion on a Windows environment runs under a special account called "Local System". This has full Administrator permissions on a local server which naturally creates security concerns. Ideally, CF should have only enough permissions to properly run and that's it. In this particular question, they want to use a domain account which would provide the ability for CF to read/write to other servers on the local network. Naturally, the "Local System" account wouldn't work in this situation since it doesn't have access to resources on the local network domain. So for a variety of reasons it is a good idea to switch this out, but as noted above the Adobe instructions on this procedure are incomplete.

Here is the complete set of instructions to properly do this:

1. Create a new account called 'coldfusion', either a domain account or a local user depending on your needs.

2. Go into Local Security Policy -< Local Policies -> User Rights Assignment
    Add the 'coldfusion' account to..
        - Deny log on locally
        - Deny log on through Terminal Services
        - Log on as a service
3. Next go to regedt32 and give the 'coldfusion' account permissions to modify to following (needed only if you have ODBC datasources)
4. Now go into File Explorer
        Give Modify permissions to the following directories
        .../ColdFusion8 or .../JRUN4 (also if you are using a different JVM, the account needs permissions there as well)
        Then any directories that contain the cfml sites and code
5. Next go into Services
        Change into the CF service properties and click the 'Log On' tab
        Switch the user from 'Local System' to the 'coldfusion' account and enter the password
        Click apply and then restart services - it should properly restart under the new account

A special note on step 4. To make things easier, I just said apply Modify permissions to these directories, but you could go a step further on the security of this. If your Coldfusion sites aren't changing files or uploading new files, you could do just Read/Execute permissions for those areas. Read/Execute only can also be applied to the CFIDE area. The ColdFusion8 (or JRun4) directories gets a little tricky. Some areas need to be Modify level to allow for creation of class files and logs but others could be just Read/Execute.



teaguem wrote on 11/18/0812:47 PM

You mentioned that the some of the jrun directories require modify while others require read/execute. How can I determine which need which? Does the inability to log on an indicator that some right is not high enough?
John Mason

John Mason wrote on 11/18/081:30 PM

Right so to write logs, the CF account would need modify rights. That would be needed for the areas that have the runtime logs and the normal cf logs.

Write your comment

(it will not be displayed)