As we all know, it is a best practice to minimize the privileges of any application or account to reduce the attack surface. ColdFusion is no exception to this rule and should really be run under a dedicated user account with minimal permissions. And while on some systems, such as my laptop, I am too lazy to follow that best practice, I do my best on other systems. The basic instructions for running ColdFusion under a specific user account are in Technote 17279. One of the things that bugs me about this technote is that it says ColdFusion needs Full Control permissions on the following filesystem directories to run:

  • WebDocument Directory
  • c:\cfusion or c:\cfusionmx (and all subdirectories)
  • c:\winnt
  • c:\winnt\system32

These filesystem permissions are really much more than I like them to be. As a rule I never give anything Full Control or even Change on the Windows install folder. In fact, I have been running ColdFusion servers since version 4.5 with just Read/Execute and Add on the Windows install folder (the good old NT4 days where we had Add permissions instead of FILE_APPEND_DATA and FILE_WRITE_DATA). And currently I run ColdFusion 8 multiserver JRun instances with much more restrictive permissions as well, using the following recipe:

  1. Remove all permissions of the Users group on the \JRun4\servers\ folder.
  2. Create a new Local account in the Local Users group (or add the Domain Account to the Local Users group).
  3. Using the JRun console, create a new server instance. (Do not start the instance to test.)
  4. On the filesystem, give the user you created in step 2 Change permission on the \JRun4\servers\<instance> directory.
  5. Create a Windows Service for the new instance using jrunsvc.exe. (Do not start the service to test.)
  6. Switch the new instance to the user you created in step 2 and start it. (If you started it before, several files will have the wrong owner and the service will not start.)
  7. Drop in a ColdFusion EAR file to replace the DEFAULT-EAR and you have a new, low-privilege ColdFusion instance ready to use through the built-in web server. If you want to use ColdFusion with another web server, you need to give the ColdFusion user account permissions on the webroot, and the web server should be given Change on \JRun4\lib\wsconfig\.
  8. If you want to use ColdFusion to read/write to other directories on the file system you obviously need to make sure it has the right permissions.
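
Steps 1, 2, 4, 5 and 6 of the recipe as a PowerShell script; this is an added example, not the author's own script. The install root, the instance, service and account names, the \JRun4\bin location and the `-install` syntax of jrunsvc.exe are assumptions, and steps 3, 7 and 8 stay manual.

```powershell
# Added example, not the author's script. Run elevated, after creating the
# instance in the JRun console (step 3) and before it has ever been started.
# Hypothetical values: install root, instance, service and account names.
$ErrorActionPreference = 'Stop'
$JRunRoot = 'C:\JRun4'
$Instance = 'cf-lowpriv'
$Service  = 'JRun-cf-lowpriv'
$Account  = 'svc-cf-lowpriv'
$UsersSid = 'S-1-5-32-545'   # BUILTIN\Users (well-known SID, locale independent)

function Invoke-Icacls {
    # Run icacls and stop on failure so a half-applied ACL is never ignored.
    param([string[]]$Arguments)
    & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "icacls $($Arguments -join ' ') failed" }
}

# Step 1: on a default install the Users ACEs are inherited, so turn inherited
# ACEs into explicit ones first, then remove every ACE for the Users group.
Invoke-Icacls "$JRunRoot\servers", '/inheritance:d'
Invoke-Icacls "$JRunRoot\servers", '/remove', "*$UsersSid"

# Step 2: local account, member of the local Users group.
$Password = Read-Host -AsSecureString "Password for $Account"
New-LocalUser -Name $Account -Password $Password | Out-Null
Add-LocalGroupMember -SID $UsersSid -Member $Account

# Step 4: Change (Modify) on the instance directory only, inherited by children.
Invoke-Icacls "$JRunRoot\servers\$Instance", '/grant', "${Account}:(OI)(CI)M"

# Step 5: register the service without starting it (path and syntax assumed).
& "$JRunRoot\bin\jrunsvc.exe" -install $Instance $Service

# Step 6: switch the service account through WMI rather than "sc.exe config",
# which would put the password on a process command line.
$Plain = [System.Net.NetworkCredential]::new('', $Password).Password
$Svc   = Get-CimInstance Win32_Service -Filter "Name='$Service'"
$Res   = Invoke-CimMethod -InputObject $Svc -MethodName Change -Arguments @{
    StartName = ".\$Account"; StartPassword = $Plain }
if ($Res.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($Res.ReturnValue)" }
# The account also needs the "Log on as a service" right. The Services console
# grants it when the account is set there; this call does not, so grant it first.
Start-Service -Name $Service

# Review the result: Users should be gone from \servers, and the account
# should hold (M), not (F), on the instance directory.
"$JRunRoot\servers", "$JRunRoot\servers\$Instance" | ForEach-Object { & icacls.exe $_ }
```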

This recipe depends on the default permissions of a Windows installation. If you have tightened those and run into problems with your ColdFusion install, check the permissions on the \JRun4\ folder and the \windows\ folder. They should grant Read, Execute (and Add for pre-MX versions of CF to accommodate temp file creation) to the user you added in step 2. Obviously this does not take into account the ODBC bridge, the Verity Services or the .NET Service.

4 Comments

  1. Laura says:

    If things are going wrong, what should I be looking for in the *-out logs?

  2. Jochem says:

    When I change a ColdFusion server configuration in a way that requires a restart I usually shut down ColdFusion, archive the logfiles elsewhere and restart ColdFusion. That way all the logfiles will be created from scratch for the new configuration. If you have any problem with the new configuration, look for the first error message in the log, fix it and try again.

  3. Laura says:

    Is the ColdFusion EAR file you talk about in step 7 a default one that is installed with CF? We’ve never dealt with these files, we’ve always used CAR files. Do I need to create an EAR file for our instance before starting this process?

  4. Jochem says:

    The ColdFusion installer gives you three options when you install CF: single-server, multi-server and J2EE-archive. Take the last one and generate an EAR file with the context-root “/”. That gives you a clean, new CF EAR file that you can deploy on JRun.