# adobe
d
I'm looking for thoughts on the limitations of Adobe's Auto Lockdown tool.
• Did you have to undo or modify any of its actions for your apps to work correctly? Like what?
• Are there security related things it didn't do that you chose to do manually?
• If you chose not to use it at all, why? What did you do instead?
As you can tell from that list, I'm not talking about securing or assessing your custom code, just about hardening the configuration of your CF servers against hostile actors.
m
sounds like a @foundeo question
j
I'd imagine, like anything security related, they are 'guidelines' and your security depends on a lot of factors that you have to evaluate... And I'd agree with @Mark Takata (Adobe) - hopefully @foundeo will chime in 🙂 He's a security ninja 🥷
f
The auto lockdown tool I think works fine for most people, there are cases where people choose to do it manually and for that reason I try to list out what it does in the Lockdown Guide in section 2.6.0. There are certainly other things you can do to improve security beyond just running the tool, there is an entire section 5 Additional Lockdown Measures in the Lockdown Guide that lists out some ideas. At the end of the day the most secure setup will differ from environment to environment due to what features you use in your apps, your best bet is to turn off, or block all the features that you don't use as much as possible. Great example of this is if you don't have any remote CFC functions on your server, do you really need to allow a .cfc request through to ColdFusion? If you had blocked .cfc on your web server then you would possibly be protected from some of the recent vulnerabilities (Section 5.7 of the lockdown guide).
d
Thanks Pete et al. How about this piece: Did you have to undo or modify any of its actions for your apps to work correctly? Like what?
b
I’ve seen some cases where enabling the “Server Settings > Disable Access to Internal ColdFusion Java components” setting has caused some code or third-party components to break. This setting disables the ability for CFML code to access and create Java objects that are part of the internal ColdFusion implementation. But it sounds like code that relies on this should be avoided because it’s undocumented/not official supported functionality. The lockdown tool / secure profile will enable this option (so Java access is disabled), although I think it became something that was enabled by default in a CF2021 update. (This is definitely a setting you want enabled!) There’s also a lot of overlap (maybe complete overlap) with the Lockdown guides, but the Coldfusion STIG also has some good information to consider when locking down CF environments. Though it hasn’t been updated since CF11 and may be too restrictive for some environments— https://www.stigviewer.com/stig/adobe_coldfusion_11/2015-11-02/ and https://ncp.nist.gov/checklist/707
d
@Brian Reilly Thank you sir, exactly the sorts of info I'm looking for. There's a version of the STIG viewer for CommandBox, courtesy of the esteemed @bdw429s, not sure how much more up to date it is than that CF11 version.
j
d
@Jim Priest That's what I was referring to in the post above.