Coldfusion Application Security
What basic security steps should I take to make sure a ColdFusion server is secure?
The only way to prevent being hacked it to secure your site. There are a few rules here:
Remove all example applications from live machines.
Review all security docs from phrack, l0pht, HoF and Allaire (the last two assuming your using CF).
Use a hacking script to see if there are any obvious holes.
If your really worried, have a security expert come in to review your setup.
As long as you have removed all of the CFDOCS (or password protected them), checked your DB permissions (SQL not running as SA), upgraded to MDAC 2.1 (if using access), and have not left any of your programs open (like uploaders and such) then CF is rather secure. The only times people have walked into a server through CF is when they were using one of these exploits.
How does the ColdFusion service interact with IIS in terms of security?
CF runs as a separate service, but it also integrates with IIS using an ISAPI extension. The ISAPI extension runs in-process with IIS, just like the ASP engine, and when a request is received that is mapped to the file extension associated with the ISAPI extension (typically .cfm and .dbm, although those can be changed in the IIS management console), the request is forwarded to the CF service for processing.
IIS and NT security are used to determine whether the user can request the file in the first place. This happens before the request is forwarded to the CF service. So, you'll generally follow the same procedure for securing CF applications with ACLs that you would with an ASP application.
CF, by default, runs as a service using SYSTEM privileges
How can I check for the existence of files on a server that could be used maliciously by a hacker?
When you install ColdFusion Server, you are given the option of installing the online documentation and sample applications. If you choose to install them, they will be installed on the server in the CFDOCS directory just below the web root.
Installing the sample application is never a good idea as they could be exploited maliciously.
MunchkinLAN is a ColdFusion based security viewer. It allows you to enter a domain name and test if certain vulnerable files exist on that domain.