Let me try this again in its own thread. Would anyone care to share their experience with the auto lockdown tool? If you had unexpected results, what went wrong? How did you fix it? Thanks.

I've had issues running it after upgrading from a previous version of CF (where I had done the old manual lockdown guide steps). It threw some errors, but I think it still did what needed to be done.

@cfvonner Thanks Carl. So the lockdown tool itself threw some errors, but the end result was ok? Your site(s) worked as expected, and were locked down well?

As far as I can tell, yes.

Thanks. Anyone else have experiences to share, smooth or not?

My suggestion is to verify the results after it is done. I've had a client who ran it, had no errors, but some of the items weren't complete and they were still exposed.

Thanks @quetwo. What sorts of items didn't get done, if you know?

I think removing the /CFIDE/ from outside access, if I remember right

Interesting. We block those URLs at the firewall, they're only available inside.

Still, my suggestion is that you double check ALL the settings. It's an automated script and things can go wrong.

I've got a dev box that has multiple versions of coldfusion installed side-by-side, with separate sites set up, pointing to the same files for the webroot. And when I run the lockdown tool for CF2023, say, it sets the permissions right for the CF2023 user, but at the same time removes the permissions for the CF2018 and CF2021 users....

Pfft. One person's edge case is someone else's daily life.

(CF2023) Mine went to 100% and stopped and froze there ... apparently writing permissions to IIS. Spent 4 hours with support and tried 4 more times. No luck. My Windows IT said my account was a local admin, so I had complete permissions. Eventually I had to restore my VM server from a previous day's image. Did not try running the tool again. Instead, I addressed the issues HackMyCF reported. Is my CF server not secure now?