<?xml version="1.0" encoding="utf-8"?>
			
			<rss version="2.0">
			<channel>
			<title>James Allen&apos;s Coldfusion and Internet Technology Blog - Railo</title>
			<link>http://jamesallen.name/index.cfm</link>
			<description>Adventures in Coldfusion and Internet development.</description>
			<language>en-us</language>
			<pubDate>Wed, 08 Sep 2010 17:56:05 +0100</pubDate>
			<lastBuildDate>Sat, 01 Aug 2009 12:53:00 +0100</lastBuildDate>
			<generator>BlogCFC</generator>
			<docs>http://blogs.law.harvard.edu/tech/rss</docs>
			<managingEditor>slingshotuk@googlemail.com</managingEditor>
			<webMaster>slingshotuk@googlemail.com</webMaster>
			
			
			
			
			
			<item>
				<title>How to Secure Railo 3.1 Admin in IIS 6</title>
				<link>http://jamesallen.name/index.cfm/2009/8/1/How-to-Secure-Railo-31-Admin-in-IIS-6</link>
				<description>
				
&lt;p&gt;I recently set up my new VPS with the awesome Railo 3.1 on Server 2003, and I soon started thinking about the security of the admin URL. With Adobe Coldfusion it&apos;s good practice either to move the administrator so it only runs on a non-standard port with IP filtering, or to protect it with a username and password via web server security.&lt;/p&gt;
&lt;p&gt;I decided that I would go the route of securing the Railo admin path via IIS directory security; however, I soon realised that in Railo the admin URL is not a physical path, i.e. it is not created as either a virtual directory or a real directory within the webroot of each website hosted on the server.&lt;/p&gt;
&lt;p&gt;The Railo admin URL is as follows:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;http://www.mysite.com/railo-context/admin/index.cfm&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The way this URL is processed is that the ISAPI filter which Railo uses looks out for any call to railo-context and forwards it to the correct place within the Railo system. This is all done outside of IIS.&lt;/p&gt;
&lt;p&gt;So how do we protect the URL?&lt;/p&gt;
&lt;p&gt;The answer is actually pretty simple, although you will have to do it on &lt;strong&gt;every&lt;/strong&gt; virtual site set up on the server.&lt;/p&gt;
&lt;p&gt;All we have to do is create two nested physical folders within the webroot of the website we want to protect, as follows:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;railo-context/admin&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Once these are created we can go into the IIS 6 manager, locate the &apos;&lt;strong&gt;admin&lt;/strong&gt;&apos; folder, right click and select &apos;&lt;strong&gt;Properties&lt;/strong&gt;&apos;. Within &apos;&lt;strong&gt;Directory Security&lt;/strong&gt;&apos; it is then possible to restrict access either by IP address or via authentication and access control.&lt;/p&gt;
&lt;p&gt;If using username and password security, go into the &apos;&lt;strong&gt;Authentication Methods&lt;/strong&gt;&apos; panel, uncheck &apos;&lt;strong&gt;Enable anonymous access&lt;/strong&gt;&apos; and leave &apos;&lt;strong&gt;Integrated Windows authentication&lt;/strong&gt;&apos; ticked.&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;images/posts/IIS6_Permissions.png&quot; alt=&quot;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Now, whenever you access the Railo admin URL you can log in via an account on the server (e.g. administrator). It&apos;s recommended that you create a special Windows account that will only be used for admin access. You could then give that user permissions to access only the &apos;&lt;strong&gt;/railo-context/admin&lt;/strong&gt;&apos; folder, though this would need to be done on each folder in each web root. In a hosted scenario this would be a good idea anyway, as each customer should really have their own web user account to ensure they can only access their own resources on the system.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Note: &lt;/strong&gt;If you do decide to just log in using the administrator account on the server, I recommend you do this over SSL &lt;strong&gt;ONLY&lt;/strong&gt;. If you do it over http:// it would be possible for a user on the same network (e.g. a wifi access point) to sniff your http packets and determine your admin password - not good.&lt;/p&gt;
				
				</description>
						
				
				<category>Railo</category>				
				
				<pubDate>Sat, 01 Aug 2009 12:53:00 +0100</pubDate>
				<guid>http://jamesallen.name/index.cfm/2009/8/1/How-to-Secure-Railo-31-Admin-in-IIS-6</guid>
				
			</item>
			
		 	
			</channel></rss>