# cfml-general
d
CF 2021 security question (I may have more!). The docs say this:
```
To enhance security for the ColdFusion server on Windows, restrict access to the following files to selected ColdFusion users:
/cfusion/lib/seed.properties
/cfusion/lib/password.properties
/cfusion/lib/license.properties
/cfusion/bin/passwordreset.bat
/cfusion/bin/cf-passwordreset.jar
```
My understanding is that in general, the user CF runs under needs full access to the files in the ColdFusion install.
• Is that right?
• But these files are an exception?
• I ignorantly assume CF needs to read them at least, yes?
• So are they saying CF should have read permissions only, to those files, only, but full access to the rest of the CF directory?
@Jim Partin Probably, but what is "selected ColdFusion users"?
j
meaning, your cf service, and any user that needs to maintain cf, like if you have a group of cf power users
or a group of cfadmins
presuming those cfadmins are not already administrators for the box. You may want cfadmins that only have admin rights over CF, not the whole Windows machine
d
OK, guess that makes sense. Those are the only people who can get on the box in the first place.
a
The usual sort of thing is that the administrators of the servers are separate from the developers of the software running on the server. SysAdmins will have access to everything. Devs won't. Obvs the account that the CF server runs as will need min read access to a bunch of stuff, and write to other stuff, but what it can write to should be very limited (and should only be able to read from the application source code dir). I presume all this is clearly detailed in the lockdown guide, so don't base any server securing activity on shit that ppl on a forum tell you (incl. me).
d
All I found in the lockdown guide about this specific set of files is this:
```
Pay careful attention to the file permissions of sensitive configuration files located in {cf.instance.root}/lib/ such as
password.properties, seed.properties and all neo-*.xml files. In addition the files located in
{cf.instance.root}/runtime/conf/ contain important configuration files utilized by the Tomcat container.
```
It's not clear to me exactly what permissions that means the cf service user should have.