Securing the ColdFusion Administrator

In addition to securing a wide range of ColdFusion resources, you can also secure the ColdFusion Administrator. You do this by first enabling Advanced Security in the Administrator and then enabling ColdFusion Administration Authentication. Because securing the Administrator requires authenticating users who try to access Administrator pages, your first step must be to enable Advanced Security. If you haven't already defined a user directory against which to authenticate users, you probably need to do some Advanced Security configuration before securing Administrator pages.

See Configuring Advanced Security for more information about any configuration tasks you may need to do before enabling Administrator security.

Note: This feature is only supported on Windows NT.

Implementation overview

To configure Administrator Security, the following steps are necessary:

  1. First, make sure you've enabled Advanced Security and defined a valid User Directory for authenticating users.
  2. Open the ColdFusion Administrator/Advanced Security page.
  3. With Advanced Security enabled, click to enable ColdFusion Administration Authentication. If Advanced Security is not enabled, the page will simply reload and the ColdFusion Administration Authentication checkbox will be unchecked.
  4. Enter the user name you want to use as the Administrator. This Administrator user name must be a valid account in the user directory you select.
  5. Enter the user directory you want to use to authenticate users as they attempt to access Administrator pages. You must select a user directory you've already defined using ColdFusion Advanced Security.
  6. Click Apply. You may need to stop and restart the Cold Fusion Application Server service if you have elected to cache ColdFusion database connections.

Configuring Administrator Security

When you enable Administrator Security, ColdFusion creates a Security Context, called ColdFusion Admin, that is used exclusively for Administrator Security. If you view the Security Context properties, you'll see that ColdFusion Admin secures only the Collection, DataSource, and UserObject resource types. Do not change the resource types secured by the ColdFusion Admin Security Context; doing so disables Administrator Security and produces unexpected results.

Admin Security Resource Rules

When you enable Administrator Security, ColdFusion creates three Resource Rules in the ColdFusion Admin Security Context. ColdFusion reserves these rules for authenticating users at different levels of security access to Administrator pages. The rules, CF Administrator Access, CF Privileged Access, and CF Restricted Access, correspond to the three levels of access to the Administrator that you can configure:

To associate users with a specific Administrator Security access level, you add users to one of the three Resource Policies that ColdFusion creates in the ColdFusion Admin Security Context: Administrator, privileged, or restricted.

Defining additional Administrator users

To define users as ColdFusion Administrators with full access to Administrator pages, you add users to the CF Administrator Resource Policy, which is part of the ColdFusion Admin Security Context.

  1. Open the Administrator/Advanced Security page and click the Security Contexts button.
  2. On the Registered Contexts page, click the ColdFusion Admin security context.
  3. On the Edit Security Context page, click the Policies button to bring up the Resource Policies page for the ColdFusion Admin security context.
  4. Click on the CFAdministrator policy to open the Edit Security Policy page.
  5. Click the Users button to open the Users page for the CFAdministrator policy. Now, click the Add/Remove button.
  6. On the Add/Remove Users page, enter a user name in the Enter User text box, or click a user name in the Available Users box and click the left arrow button to move the user name into the Current Users box.