Securing the ColdFusion Administrator

[This information is intended to supplement the printed version of Administering ColdFusion Server, Chapter 9, "Configuring Advanced Security."]

In addition to securing a wide range of ColdFusion resources, you can also secure the ColdFusion Administrator itself. You do this by first enabling Advanced Security in the Administrator and then enabling ColdFusion Administration Authentication. Because securing the Administrator requires authenticating every user who tries to access an Administrator page, Advanced Security must be enabled first. If you haven't already defined a user directory against which to authenticate users, you need to do some Advanced Security configuration before securing Administrator pages.

See Configuring Advanced Security for more information about any configuration tasks you may need to do before enabling Administrator security.

Note

This feature is only supported on Windows NT.

Implementation overview

To configure Administrator Security, the following steps are necessary:

  1. First, make sure you've enabled Advanced Security and defined a valid User Directory for authenticating users.
  2. Open the ColdFusion Administrator/Advanced Security page.
  3. With Advanced Security enabled, click to enable ColdFusion Administration Authentication. If Advanced Security is not enabled, the page simply reloads and the ColdFusion Administration Authentication checkbox remains unchecked.
  4. Enter the Administrator user name you want to use and the user directory against which the user name is authenticated. This Administrator user name must be a valid account in the user directory you select. For more information about creating user directories, see Configuring Advanced Security.

Tip

Performance in the Administrator is greatly improved when the Security Server Cache is enabled on the Administrator Advanced Security page.

Once you enable Administrator security, you may want to add other users as ColdFusion Administrators. ColdFusion lets you assign each user one of three Administrator security levels, depending on the access you want the user to have to Advanced Security settings and the ColdFusion environment.

Three levels of Administrator security

Users with Administrator rights have full access to ColdFusion Administrator pages. In addition to the Administrator login you create when enabling Administrator security, you can define additional users at any of three levels of access to the Administrator: Administrator (full) access, Privileged access, and Restricted access.

About Administrator Security

When you enable Administrator Security, ColdFusion creates a security context, called ColdFusion Admin, used exclusively for Administrator Security. If you view the security context properties, you'll see that ColdFusion Admin secures only the Collection, DataSource, and UserObject resource types. Do not change the resource types secured by the ColdFusion Admin security context; doing so disables Administrator Security and produces unexpected results.

Administrator security resource rules

ColdFusion also creates three resource rules in the ColdFusion Admin security context. ColdFusion uses these rules to authorize users for the different levels of access to Administrator pages. The rules, CF Administrator Access, CF Privileged Access, and CF Restricted Access, correspond to the three levels of access to the Administrator that you can configure.

Levels of access to Administrator pages

The three levels of access you can define for Administrators are used by ColdFusion to hide Administrator pages based on the level of access defined for the user login. For example, with full Administrator access, all Administrator pages are available to the user. The login with full Administrator access

Privileged Administrator access

With Privileged access, users see all Administrator menu items except for Basic Security and Advanced Security pages.

You might want to create a class of privileged Administrators who manage all aspects of the ColdFusion environment except Basic Security and Advanced Security.

Data sources and Verity collections created by users with Privileged security access to the Administrator are not visible to other users unless a user with full Administrator rights explicitly adds the resource to the user policy.

This level of access allows privileged Administrators to configure any area of the Administrator except security.

Restricted Administrator access

With Restricted access, users see only the Datasources Administrator menu items and one menu item from the Miscellaneous menu. This level of access allows restricted Administrators to add and configure data sources but prevents them from altering the ColdFusion environment in any significant way.

As with privileged access, data sources and collections created by a restricted access Administrator are not visible to other Administrators unless an Administrator with access to Advanced Security explicitly adds the resource to the user policy.

Defining Additional Administrators

To define additional users as ColdFusion Administrators, you add users to one of the three available Advanced Security resource policies, depending on the level of access you want for the user login. You must log in to the Administrator as a user with administrative authority in order to update settings in the ColdFusion Admin security context. When you enable Administrator security, ColdFusion automatically creates these three resource policies, which correspond to the three available levels of access to Administrator pages.

To define a ColdFusion Administrator:

  1. Open the Administrator/Advanced Security page and click the Security Contexts button.
  2. On the Registered Contexts page, click the ColdFusion Admin security context.
  3. On the Edit Security Context page, click the Policies button to bring up the Resource Policies page for the ColdFusion Admin security context.
  4. Click the policy you want to open the Edit Security Policy page.
  5. Click the Users button to open the Users page for the selected policy. Then click the Add/Remove button.
  6. On the Add/Remove Users page, enter a user name in the Enter User text box, or click a user name in the Available Users box and click the left arrow button to move the user name into the Current Users box.

Configuring ColdFusion RDS

[This information is intended to supplement the printed version of Administering ColdFusion Server, Chapter 9, "Configuring Advanced Security."]

ColdFusion RDS provides user authentication and authorization services to secure resources for ColdFusion Studio users. To fully implement ColdFusion RDS so that ColdFusion Server resources are fully secured, you need to perform some configuration tasks in the ColdFusion Administrator Advanced Security pages.

If you have enabled ColdFusion Administrator security, you need Administrator (full) access rights to reach the Advanced Security pages.

Note

This feature is only supported on Windows NT.

Setting up a ColdFusion RDS Server

Developers using ColdFusion Studio can access directories and data sources on a ColdFusion RDS Server. However, security for these resources is only enforced when the ColdFusion Server is configured to use either Basic security or Advanced security.

This section is only concerned with setting up Advanced security to allow full use of ColdFusion RDS Server security features. Information about configuring an RDS Server for Basic security can be found in Administering ColdFusion Server.

Overview

In order to secure ColdFusion Server resources using RDS, you must first enable security on the ColdFusion server. ColdFusion Server Advanced security is required to authenticate users accessing resources through an RDS Server with both a user name and a password. Once authenticated, access to individual resources and resource types must be authorized based on the Advanced security rules and policies defined in the Administrator.

Configuring RDS on the server

RDS on the server requires some setup work in order to fully enable security for ColdFusion resources accessed from ColdFusion Studio.

To enable ColdFusion Studio security:

  1. With Advanced Security enabled, open the ColdFusion Administrator, Advanced Security page.
  2. Click the Use ColdFusion Studio Authentication checkbox. You need to select an existing security context from the drop-down list box to fully implement RDS, so if you haven't created a security context, do that now by clicking the Security Contexts button. Once you've defined the context, return to the Advanced Security page so you can select it for ColdFusion Studio security.

    For more information on configuring advanced security, including creating security contexts, see Administering ColdFusion Server.

About securing resources

In the security context you create for the RDS server, you can select any of the resource types available, but RDS only enforces security on directories and data sources. If you do enable Studio security but do not specify any resource types for the security context used for RDS, Studio users will not be able to access any resources on the RDS server. So make sure that, unless you want to lock all RDS server resources, you specify the resources you want to control.

Once the resource types are defined in the security context, you need to create at least one rule for authenticating Studio users.

About creating a rule for Studio security

To fully enable RDS Server security, you need to create a rule for the security context that will enforce security for Studio users. This rule is used internally by ColdFusion to authenticate users accessing ColdFusion resources (directories and data sources) from ColdFusion Studio. If ColdFusion Studio security is enabled, but the rule is undefined, users are authenticated when trying to access resources, but no access to resources is allowed.

Before creating this rule, make sure you have defined a security context to use for RDS security. Ordinarily, you'll want to define a security context specifically for this purpose.

To create the rule for ColdFusion Studio security :

  1. In the Advanced Security page of the Administrator, click the Security Contexts button. Select the security context name you want to use for RDS.
  2. In the Security context page, click the Rules button to open the Rules page. Enter a name for the new rule, such as BaseStudioUser, and select User Object from the list box. Click the Add button.
  3. In the edit page for your new rule, enter the name of the user object to secure as "CFStudioUser." The CFStudioUser user object is used internally by ColdFusion for RDS.
  4. Enter the action as "execute."
  5. Click the Apply button.
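The following CFML template is an added example, not part of the original page or of the ColdFusion product documentation. It checks, from a server-side page, that the RDS security context, the BaseStudioUser rule, and a policy attached to it are wired together the way the steps above describe, before Studio users depend on them. The context name "StudioRDS", the test account "jdoe"/"secret", and the data source name "cfsnippets" are assumptions; substitute your own.

```cfml
<!--- Added example (not from the original page): verify RDS security wiring.
      Assumptions: the security context selected for ColdFusion Studio
      Authentication is named "StudioRDS"; "jdoe" / "secret" is a test account in
      that context's user directory and has been added to a policy attached to
      the BaseStudioUser rule; "cfsnippets" is a data source secured in the
      same context. --->
<CFTRY>
    <!--- Authenticate against the RDS context (not ColdFusion Admin).
          SETCOOKIE="No" keeps this a one-request check instead of a session. --->
    <CFAUTHENTICATE SECURITYCONTEXT="StudioRDS"
                    USERNAME="jdoe"
                    PASSWORD="secret"
                    SETCOOKIE="No"
                    THROWONFAILURE="Yes">

    <!--- This evaluates exactly the rule created in the steps above:
          resource type UserObject, resource name CFStudioUser, action execute. --->
    <CFSET studioOK = IsAuthorized("UserObject", "CFStudioUser", "execute")>

    <!--- A data source rule in the same context is checked the same way;
          the data source name and the "select" action are assumed here. --->
    <CFSET dsnOK = IsAuthorized("DataSource", "cfsnippets", "select")>

    <CFOUTPUT>
        Authenticated as #AuthenticatedUser()#
        in context #AuthenticatedContext()#<BR>
        CFStudioUser / execute: #YesNoFormat(studioOK)#<BR>
        cfsnippets / select: #YesNoFormat(dsnOK)#<BR>
    </CFOUTPUT>

    <CFCATCH TYPE="Security">
        <!--- Unknown user, wrong password, or the context is not registered. --->
        <CFOUTPUT>Authentication failed: #CFCATCH.Message#</CFOUTPUT>
    </CFCATCH>
</CFTRY>
```

The two outcomes to look for match the behaviour described above: if CFAUTHENTICATE succeeds but the CFStudioUser check returns No, the user is authenticated but the BaseStudioUser rule is missing or no policy grants the user that rule, which is the state in which Studio users can log in but reach no resources. If CFAUTHENTICATE itself throws, the problem is in the user directory or the context selection rather than in the rules and policies.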