Home » Adobe Manuals » Computer Software » Adobe 38043740 » Manual Viewer

Adobe 38043740 Lockdown Guide - Page 3

Installation Prerequisites, 2.1 Prerequisites for all ColdFusion installations - download

UPC - 883919135168

Add to My Manuals
Save this manual to your list of manuals

Page 3 highlights

Section 2: Installation Prerequisites Before running the ColdFusion 10 installer follow the steps in this section to prepare your Web Server for installation. 2.1 Prerequisites for all ColdFusion installations Create a separate partition / drive for ColdFusion Installation and website assets. This mitigates the successfulness of path traversal attacks. Install the latest security patches for your Operating System Install the latest security patches for your Web Server Software Configure your Firewall to block all non-administrative traffic to the server during installation. Download ColdFusion 10 from Adobe.com Verify that the MD5 checksum of the downloaded file matches the MD5 specified on the Adobe.com download page. On Mac OSX: To obtain the MD5 checksum of a file on Mac OSX launch Terminal.app and type: md5 filename On Linux: To obtain the MD5 checksum of a file on RedHat Enterprise Linux open a shell and type: md5sum filename On Windows: Windows installations do not include a MD5 checksum verifier by default. Microsoft provides a free MD5 checksum verifier called sigcheck.exe as part of SysInternals toolkit. Download the utility, open the command prompt and type sigcheck -h filename. The sigcheck utility not only generates a MD5 sum, it also verifies the signature of the ColdFusion installation executable (you should see Verified: Signed in the program output). 2.2 Prerequisites for a Windows 2008 Server Installation Read the Microsoft Windows Security Compliance Management Toolkit (see Appendix A.1) Run Windows Update to ensure all software is up to date 3

Section	Page
Adobe® ColdFusion® 10 Server Lockdown Guide	1
Section 1: Introduction	1
1.1 Default File Paths and Usernames	1
1.2 Operating Systems and Web Servers	1
1.3 ColdFusion Version	2
1.4 Scope of Document	2
Section 2: Installation Prerequisites	3
2.1 Prerequisites for all ColdFusion installations	3
2.2 Prerequisites for a Windows 2008 Server Installation	3
Table 2.2.3.1 Web Root Content Security Permissions	9
2.2.7 Anonymous Access Identity	17
2.2.8 Setup Request Filtering	17
Table 2.2.8.1 : CFIDE URIs	22
Additional URI Sequences to consider blocking:	22
2.2.9 Create a Website For ColdFusion Administrator	23
Remove Request Filtering Rule for ColdFusion Administrator Site	25
2.3 Prerequisites for a RedHat Enterprise Linux 6.3 Installation	27
Section 3 - Installing ColdFusion	32
3.1 Run ColdFusion Installer	32
4.1 Windows 2008 Post ColdFusion Installation	41
4.1.1 Install ColdFusion Hotfixes	41
4.1.10 Optionally Remove ASP.NET	48
4.2 Red Hat Enterprise Linux Post Installation	49
4.2.1 Install ColdFusion Hotfixes / Updates	49
4.2.3: Specify permissions for ColdFusion Directories	50
4.2.4: Install Apache Connector	50
4.2.7 Setup Auditing	53
4.2.8 Add umask to startup script	54
4.3 Post Configuration Settings for Windows and Linux	54
4.3.4 Tomcat Shutdown Port	55
4.3.5 Add a connector shared secret	56
4.3.6 Additional Tomcat Security Considerations	56
4.3.7 Additional File Security Considerations	56
5.1 Server Settings > Settings	57
5.2 Server Settings > Request Tuning	63
5.3 Server Settings > Client Variables	65
5.4 Server Settings > Memory Variables	65
5.5 Server Settings > Mail	67
5.6 Data & Services > Data Sources	67
5.7 Data & Services > Flex Integration	68
5.8 Debugging & Logging > Debug Output Settings	69
5.9 Debugging & Logging > Debugger Settings	69
5.10 Debugging & Logging > Logging Settings	70
5.11 Event Gateways > Settings	71
5.12 Security > Administrator	71
5.13 Security > RDS	72
5.14 Security > Sandbox Security	72
5.15 Security > Allowed IP Addresses	73
6.1 Servlets and Servlet Mappings in web.xml	75
6.2 Disabling RDS if Already Installed	76
6.3 Disabling support for JWS files	76
6.4 Disabling the GraphServlet	77
6.5 Disabling Flash Remoting Servlet Mappings	77
6.6 Disabling Flash Form Servlet Mappings	78
6.7 Disabling the CFReport Servlet Mapping	78
6.8 Remove WSRP Servlet Mapping	79
6.9 Disabling the CFFileServlet Mapping	79
6.10 Disabling Remote CFC Invocation	80
6.11 Adding ClickJacking Protection	82
6.12 Security Constraints in web.xml	82
Section 7: Patch Management Procedures	83
Meaning	85

Match case Limit results 1 per page

Section 2: Installation Prerequisites

Before running the ColdFusion 10 installer follow the steps in this section to prepare your Web Server for

installation.

2.1 Prerequisites for all ColdFusion installations

Create a separate partition / drive for ColdFusion Installation and website assets. This mitigates the

successfulness of path traversal attacks.

Install the latest security patches for your Operating System

Install the latest security patches for your Web Server Software

Configure your Firewall to block all non-administrative traffic to the server during installation.

Download ColdFusion 10 from Adobe.com

Verify that the MD5 checksum of the downloaded file matches the MD5 specified on the Adobe.com download page.

On Mac OSX:

To obtain the MD5 checksum of a file on Mac OSX launch Terminal.app and type:

md5

filename

On Linux:

To obtain the MD5 checksum of a file on RedHat Enterprise Linux open a shell and type:

md5sum

filename

On Windows:

Windows installations do not include a MD5 checksum verifier by default. Microsoft provides a free MD5 checksum verifier called

sigcheck.exe

as part of SysInternals toolkit. Download the utility, open the command prompt and type

sigcheck -h

filename

. The

sigcheck

utility not only generates a MD5 sum, it also verifies the signature of the ColdFusion installation

executable (you should see Verified: Signed in the program output).

2.2 Prerequisites for a Windows 2008 Server Installation

Read the Microsoft Windows Security Compliance Management Toolkit (see Appendix A.1)

Run Windows Update to ensure all software is up to date