I recently set up my new VPS with the excellent Railo 3.1 on Windows Server 2003, and I soon started thinking about the security of the admin URL. With Adobe ColdFusion it is good practice either to move the administrator so that it only runs on a non-standard port with IP filtering, or to protect it with a username and password via web server security.
I decided to secure the Railo admin path via IIS directory security; however, I soon realised that in Railo the admin URL is not a physical path, i.e. it exists neither as a virtual directory nor as a real directory within the webroot of each website hosted on the server.
The Railo admin URL is the '/railo-context/admin' path beneath each site's root.
The way this URL is processed is that the ISAPI filter Railo uses watches for any request to railo-context and forwards it to the correct place within the Railo system. The request is handled by the Railo connector rather than by IIS's own mapping of URLs to directories, so there is no folder in IIS to attach security to.
So how do we protect the URL?
The answer is actually pretty simple, although you will have to do it on every virtual site set up on the server.
All we have to do is create two physical folders within the webroot of the website we want to protect, matching the admin path: a 'railo-context' folder, with an 'admin' folder inside it.
Once these are created we can go into the IIS 6 manager, locate the 'admin' folder, right click and select 'Properties'. Within 'Directory Security' it is then possible either to restrict access by IP address or to require authentication and access control. This works because IIS now has a real folder for that path and enforces the folder's directory security on any request to it.
If using username and password security, open the 'Authentication Methods' panel, untick 'Enable anonymous access' and leave 'Integrated Windows authentication' ticked.
Now, whenever you access the Railo admin URL, you can log in via an account on the server (e.g. Administrator). It's recommended that you create a dedicated Windows account that is used only for admin access. You could then give that user permission to access only '/railo-context/admin', though this would need to be done on each folder in each webroot. In a hosted scenario this is a good idea anyway, as each customer should really have their own web user account to ensure they can only access their own resources on the system.
Note: if you do decide simply to log in using the server's administrator account, I recommend you do this over SSL only. If you do it over http://, a user on the same network (e.g. a shared wifi access point) could sniff your HTTP traffic and recover your admin credentials, which is not good.
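Since the folders and the authentication setting have to be repeated for every site on the server, here is the same procedure as a script. This is an added example, not code from the original post or from Railo; it assumes it is run locally on the IIS 6 box as an administrator, that PowerShell can reach the IIS metabase through ADSI (IIS://localhost/W3SVC), and that each site's Root virtual directory 'Path' property is the webroot in which the two folders belong. The AuthFlags value 4 is the metabase bit for Integrated Windows authentication; leaving out the anonymous bit (1) is the scripted equivalent of unticking 'Enable anonymous access'.

```powershell
# Added example (not from the original post): protect /railo-context/admin on every
# IIS 6 web site using IIS directory security, as the post does by hand in IIS Manager.
# Assumptions: run on the IIS 6 server as an administrator, with ADSI access to the
# metabase via IIS://localhost/W3SVC; each site's Root 'Path' is its webroot.

$authNtlm = 4   # Metabase AuthFlags bit: Integrated Windows authentication.
                # AuthAnonymous (1) is deliberately not set, i.e. anonymous access is off.

function Protect-RailoAdmin {
    param([string]$SiteId)

    $root    = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
    $webRoot = [string]$root.Path          # metabase 'Path' = physical webroot

    # 1. The two physical folders that give IIS a real directory to secure.
    $adminFolder = Join-Path $webRoot "railo-context\admin"
    if (-not (Test-Path $adminFolder)) {
        New-Item -ItemType Directory -Path $adminFolder -Force | Out-Null
    }

    # 2. Matching metabase nodes: IIS only stores per-folder settings on a node,
    #    and a plain physical subfolder has none until one is created.
    $node = $root
    foreach ($name in @("railo-context", "admin")) {
        $childPath = "$($node.psbase.Path)/$name"   # psbase.Path is the ADsPath
        if ([System.DirectoryServices.DirectoryEntry]::Exists($childPath)) {
            $node = [ADSI]$childPath
        } else {
            $node = $node.Create("IIsWebDirectory", $name)
            $node.SetInfo()
        }
    }

    # 3. Directory Security -> Authentication Methods: Integrated Windows only.
    $node.Put("AuthFlags", $authNtlm)
    $node.SetInfo()
    return $adminFolder
}

# Apply to every web site on the server, since this has to be done per site.
$w3svc = [ADSI]"IIS://localhost/W3SVC"
foreach ($child in $w3svc.psbase.Children) {
    if ($child.psbase.SchemaClassName -eq "IIsWebServer") {
        $id     = $child.psbase.Name                 # numeric site identifier
        $folder = Protect-RailoAdmin -SiteId $id
        Write-Host "Site $id ($($child.ServerComment)): protected $folder"
    }
}
```

After running it, confirm the result the same way you would after clicking through IIS Manager: browsing to /railo-context/admin on any site should now prompt for Windows credentials instead of loading the admin page anonymously. IP restrictions from the 'Directory Security' tab are not covered by the script and would still be set per folder in IIS Manager.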