[This information is intended to supplement the printed version of Administering ColdFusion Server, Chapter 9, "Configuring Advanced Security."]
In addition to securing a wide range of ColdFusion resources, you can also secure the ColdFusion Administrator. You do this by first enabling Advanced Security in the Administrator and then enabling ColdFusion Administration Authentication. Because securing the Administrator requires authenticating users who try to access Administrator pages, your first step must be to enable Advanced Security. If you haven't already defined a user directory against which to authenticate users, you will probably need to do some Advanced Security configuration before securing Administrator pages.
See Configuring Advanced Security for more information about any configuration tasks you may need to do before enabling Administrator security.
This feature is only supported on Windows NT.
To configure Administrator Security, the following steps are necessary:
Performance in the Administrator is greatly improved when the Security Server Cache is enabled on the Administrator Advanced Security page.
Once you enable Administrator security, you may want to add other users as ColdFusion Administrators. ColdFusion allows you to add users to one of three possible Administrator security levels, depending on the access you want a user to have to Advanced Security settings and the ColdFusion environment.
Users with Administrator rights have full access to ColdFusion Administrator pages. However, in addition to the Administrator login you create when enabling Administrator security, you can define additional users for any of three levels of access to the Administrator: Administrator or full access, Privileged access, and Restricted access:
When you enable Administrator Security, ColdFusion creates a security context, called ColdFusion Admin, used exclusively for Administrator Security. If you view the security context properties, you'll see that the ColdFusion Admin context secures only the Collection, DataSource, and UserObject resource types. Do not change the resource types secured by the ColdFusion Admin security context; doing so will disable Admin Security and produce unexpected results.
ColdFusion also creates three resource rules in the ColdFusion Admin security context. These rules are used by ColdFusion to authenticate users for different levels of security access to Administrator pages. The rules, CF Administrator Access, CF Privileged Access, CF Restricted Access, correspond with the three levels of access to the Administrator that you can configure:
To associate users with a specific Administrator Security access level, you add users to one of the three resource policies that ColdFusion creates in the ColdFusion Admin security context: Administrator, Privileged, or Restricted.
The three levels of access you can define for Administrators are used by ColdFusion to hide Administrator pages based on the level of access defined for the user login. For example, with full Administrator access, all Administrator pages are available to the user. The login with full Administrator access
With Privileged access, users see all Administrator menu items except for Basic Security and Advanced Security pages.
You might want to create a class of privileged Administrators who manage all aspects of the ColdFusion environment except Basic Security and Advanced Security.
Data sources and Verity collections created by users with Privileged security access to the Administrator are not visible to other users unless a user with full Administrator rights explicitly adds the resource to the user policy.
This level of access allows Privileged Administrators to configure any area of the Administrator except security.
With Restricted access, users see only the Datasources Administrator menu items and one menu item from the Miscellaneous menu. This level of access allows Restricted Administrators to add and configure data sources but prevents them from altering the ColdFusion environment in any significant way.
As with Privileged access, data sources and collections created by a Restricted access Administrator are not visible to other Administrators unless an Administrator with access to Advanced Security explicitly adds the resource to the user policy.
To define additional users as ColdFusion Administrators, you add users to one of three available Advanced Security resource policies, depending on the level of access you want for the user login. You must log in to the Administrator as a user with administrative authority in order to update settings in the ColdFusion Admin security context. When you enable Administrator security, ColdFusion automatically creates these three resource policies, which correspond to the three available levels of access to Administrator pages:
ColdFusion RDS provides user authentication and authorization services to secure resources for ColdFusion Studio users. To fully implement ColdFusion RDS so that ColdFusion Server resources are fully secured, you need to perform some configuration tasks in the ColdFusion Administrator Advanced Security pages.
If you have enabled ColdFusion Administrator security, you need Administrator (full access) rights to reach the Advanced Security pages.
This feature is only supported on Windows NT.
Developers using ColdFusion Studio can access directories and data sources on a ColdFusion RDS Server. However, security for these resources is only enforced when the ColdFusion Server is configured to use either Basic security or Advanced security.
This section is only concerned with setting up Advanced security to allow full use of ColdFusion RDS Server security features. Information about configuring an RDS Server for Basic security can be found in Administering ColdFusion Server.
In order to secure ColdFusion Server resources using RDS, you must first enable security on the ColdFusion server. ColdFusion Server Advanced security is required to authenticate users accessing resources through an RDS Server with both a user name and a password. Once authenticated, access to individual resources and resource types must be authorized based on the Advanced security rules and policies defined in the Administrator.
RDS on the server requires some setup work in order to fully enable security for ColdFusion resources accessed from ColdFusion Studio. You have to:
For more information on configuring advanced security, including creating security contexts, see Administering ColdFusion Server.
In the security context you create for the RDS server, you can select any of the available resource types, but RDS only enforces security on directories and data sources. If you enable Studio security but do not specify any resource types for the security context used for RDS, Studio users will not be able to access any resources on the RDS server. So, unless you intend to lock all RDS server resources, make sure you specify the resource types you want to control.
Once the resource types are defined in the security context, you need to create at least one rule for authenticating Studio users.
To fully enable RDS Server security, you need to create a rule for the security context that will enforce security for Studio users. This rule is used internally by ColdFusion to authenticate users accessing ColdFusion resources (directories and data sources) from ColdFusion Studio. If ColdFusion Studio security is enabled, but the rule is undefined, users are authenticated when trying to access resources, but no access to resources is allowed.
Before creating this rule, make sure you have defined a security context to use for RDS security. Ordinarily, you'll want to define a security context specifically for this purpose.
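The following is an added example, written for this page and not ColdFusion's own code, that models the authorization behaviour described above as a small deny-by-default evaluator: a security context secures a set of resource types, rules are grouped into policies, and users are attached to policies. It walks through the RDS failure modes (a context with no resource types locks everything; a defined context with no rule authenticates users but grants no access) and the Administrator visibility rule (a data source created by a Privileged administrator is not visible to another user until a full Administrator adds it to that user's policy). The class names, the per-user grant store, the "deny unless a rule matches" assumption, and all user names, passwords and resource names are assumptions or constructed sample data, not values from the product.

```python
"""Simplified model of ColdFusion Advanced Security authorization (added example).

Not ColdFusion's implementation: class names, the per-user grant store and the
deny-by-default rule are assumptions; users, passwords and resource names are
constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """A resource rule: which resource of which type a policy grants access to."""
    resource_type: str   # e.g. "DataSource", "Directory", "Collection"
    resource: str        # resource name; "*" matches any resource of the type
    action: str = "*"    # action; "*" matches any action


@dataclass
class Policy:
    """A resource policy: a named bundle of rules plus the users it applies to."""
    name: str
    rules: set = field(default_factory=set)
    users: set = field(default_factory=set)


@dataclass
class SecurityContext:
    """A security context: the resource types it secures, its policies and users."""
    name: str
    resource_types: set
    policies: list = field(default_factory=list)
    credentials: dict = field(default_factory=dict)   # constructed user -> password store
    user_grants: dict = field(default_factory=dict)   # per-user grants (modelling assumption)

    def authenticate(self, user, password):
        return self.credentials.get(user) == password

    def grant(self, user, resource_type, resource):
        """Record a per-user grant, e.g. for a resource the user created themselves."""
        self.user_grants.setdefault(user, set()).add((resource_type, resource))

    def authorize(self, user, resource_type, resource, action="read"):
        # Deny by default (assumption): access succeeds only if the context secures the
        # resource type AND the user holds a grant or a matching rule in one of their
        # policies. A context with no resource types therefore locks everything out.
        if resource_type not in self.resource_types:
            return False
        if (resource_type, resource) in self.user_grants.get(user, set()):
            return True
        for policy in self.policies:
            if user not in policy.users:
                continue
            for rule in policy.rules:
                if (rule.resource_type == resource_type
                        and rule.resource in ("*", resource)
                        and rule.action in ("*", action)):
                    return True
        return False


def rds_scenarios():
    """Walk through the RDS setup states the text describes; returns a dict of results."""
    results = {}
    # 1. Studio security on, but the RDS context secures no resource types:
    #    the developer authenticates yet can reach nothing.
    empty = SecurityContext("RDS", resource_types=set(), credentials={"dev": "s3cret"})
    results["empty_ctx_auth"] = empty.authenticate("dev", "s3cret")
    results["empty_ctx_dir"] = empty.authorize("dev", "Directory", "/wwwroot")
    # 2. Resource types set, but the Studio rule is still undefined: authenticated, no access.
    ctx = SecurityContext("RDS", {"Directory", "DataSource"}, credentials={"dev": "s3cret"})
    results["no_rule_auth"] = ctx.authenticate("dev", "s3cret")
    results["no_rule_dir"] = ctx.authorize("dev", "Directory", "/wwwroot")
    # 3. A rule for Studio users, placed in a policy that includes the developer.
    studio = Policy("Studio Users", rules={Rule("Directory", "/wwwroot")}, users={"dev"})
    ctx.policies.append(studio)
    results["rule_dir"] = ctx.authorize("dev", "Directory", "/wwwroot")
    results["rule_other_dir"] = ctx.authorize("dev", "Directory", "/private")  # not granted
    results["rule_dsn"] = ctx.authorize("dev", "DataSource", "hr")            # no rule for it
    return results


def admin_visibility_scenario():
    """Model the Administrator visibility rule for a data source created by a
    Privileged administrator; returns the authorization results before and after
    a full Administrator adds the resource to another user's policy."""
    admin = SecurityContext("ColdFusion Admin", {"Collection", "DataSource", "UserObject"})
    full = Policy("CF Administrator Access", rules={Rule("DataSource", "*")}, users={"alice"})
    privileged = Policy("CF Privileged Access", users={"bob", "carol"})
    admin.policies.extend([full, privileged])
    # bob (Privileged) creates the "sales" data source; the model records it as his grant.
    admin.grant("bob", "DataSource", "sales")
    users = ("alice", "bob", "carol")
    before = {u: admin.authorize(u, "DataSource", "sales") for u in users}
    # alice (full Administrator) explicitly adds the resource to carol's user policy.
    admin.grant("carol", "DataSource", "sales")
    after = {u: admin.authorize(u, "DataSource", "sales") for u in users}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(rds_scenarios())
    print(admin_visibility_scenario())
```

The two scenario functions return plain dictionaries so the outcomes can be inspected or asserted on; the point to take from them is that authentication succeeding says nothing about access until the context secures the right resource types and a rule in the user's policy matches.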