
Securing ColdFusion Pages through IIS

On a basic level, there are three authentication schemes available for ColdFusion pages: the non-restricted scheme, which does not require a user login; broad authentication on a directory basis, which requires the user to log on once when requesting any CF page from that directory; and specific authentication on a file-by-file basis, which requires a user login for a specific page but not for other, unrestricted pages.

Authentication schemes are created by using the web server authentication settings in conjunction with directory and file permissions. On the web server side, the non-restricted (open) scheme is handled by using the anonymous logon option. Directory and file authentication schemes are handled by using the Basic (Clear Text) and NT Challenge/Response options. More information on these is below.

Once authentication options are set in the web server, certain NT accounts must be granted access to ColdFusion page directories and/or specific ColdFusion application files. The NT user accounts of importance are:

·         System account - the System account should be added to the file permissions to give the web server access to the directory. It should be given read and execute permissions.

·         ColdFusion account - the account under which ColdFusion is running. It should be given read and execute permissions. By default it is the System account. To check this account, go to the Services Control Panel, highlight the ColdFusion service and click Startup.

·         The Anonymous user account (IUSR_machinename) - this account needs to be added to all files or directories for which anonymous logon is desired. It should be given read and execute permissions.

·         In addition to the ColdFusion page directories, /cfusion/bin/iscf.dll must also have proper permissions placed on it. Since all users must have access to iscf.dll to process a ColdFusion page, it is generally easiest to assign the Everyone group to iscf.dll.

Below are standard configurations that should work for basic ColdFusion page security:

Anonymous Logon:

   1. In WWW service properties, make sure the anonymous logon option is checked. Anonymous logon will not work if the password entered in the web server does not match the password of the anonymous IUSR account under NT. By default these passwords match unless someone has changed them. Be sure to stop and start the web server after changing authentication options.

   2. Apply appropriate accounts to directory permissions.

          * /cfusion/bin/iscf.dll file
            Everyone account

          * ColdFusion application pages directories
            System account
            Anonymous (IUSR) account
            ColdFusion account

Basic Clear Text/NT Challenge Response:

   1. In WWW service properties, check the Basic (Clear Text) or NT Challenge/Response option (it is easier to troubleshoot if only the Basic option is checked).

   2. Apply appropriate accounts to directory permissions.

          * /cfusion/bin/iscf.dll file
            Everyone account

          * ColdFusion application pages directory
            System account
            Any user or group account that should have permissions
            ColdFusion account
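As an added example (not part of the original article), the following PowerShell script audits the permissions both configurations above call for: it confirms that each required account holds Read & Execute on the path and lists every account that can write to it. The install root, the page directories, the IUSR_machinename form and the CFUsers group are assumptions.

```powershell
# Added example, not from the original article: audit the NTFS permissions the
# article calls for. Reports required accounts lacking Read & Execute and any
# account that can write. Paths, install root and the CFUsers group are assumptions.
function Test-CfPermissions {
    param([string]$Path, [string[]]$Required)
    $rights = [System.Security.AccessControl.FileSystemRights]
    $allow  = (Get-Acl -Path $Path).Access |
              Where-Object { $_.AccessControlType -eq 'Allow' }

    # Required accounts must hold at least Read & Execute (matched on account name,
    # so 'SYSTEM' matches 'NT AUTHORITY\SYSTEM' and IUSR matches 'HOST\IUSR_HOST')
    $missing = foreach ($acct in $Required) {
        $ok = $allow | Where-Object {
            $_.IdentityReference.Value -like "*$acct" -and
            ($_.FileSystemRights -band $rights::ReadAndExecute) -eq $rights::ReadAndExecute
        }
        if (-not $ok) { $acct }
    }

    # Any ACE carrying Write bits (Modify and FullControl include them) can alter
    # page source or iscf.dll; everything listed here should be reviewed
    $writable = $allow |
        Where-Object { ($_.FileSystemRights -band $rights::Write) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{ Path = $Path; MissingReadExecute = @($missing); CanWrite = @($writable) }
}

$iusr   = "IUSR_$env:COMPUTERNAME"        # anonymous account named in the article
$checks = @(
    # iscf.dll: every user must be able to execute it (article: Everyone group)
    @{ Path = 'C:\cfusion\bin\iscf.dll';      Required = @('Everyone') },
    # anonymous-logon directory: System, ColdFusion (System by default) and IUSR
    @{ Path = 'C:\inetpub\wwwroot\cfpublic';  Required = @('SYSTEM', $iusr) },
    # Basic / NT Challenge-Response directory: System plus the permitted group
    @{ Path = 'C:\inetpub\wwwroot\cfprivate'; Required = @('SYSTEM', 'CFUsers') }
)
foreach ($c in $checks) { Test-CfPermissions @c | Format-List }
```

Any account in CanWrite other than administrators is worth a second look, since write access to the page directories or to iscf.dll bypasses the authentication scheme entirely.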
