Solved

How to lock down a directory in IIS

Posted on 2013-02-05
5
798 Views
Last Modified: 2013-02-06
Hi,
If I have a site like this:
www.mysite.com/admin/stuff
and I want to stop anyone except a certain IP address from gaining access to that particular URL/path in IIS 7, how would I do that?
Specifically I'm trying to lock down the ColdFusion Administrator URL, which is in the form
www.mysite.com/CFIDE/administrator/
Thanks!
Nacht
0
Question by:nachtmsk
5 Comments
 
LVL 36

Accepted Solution

by:
SidFishes earned 500 total points
ID: 38856538
Even if you block access to that, it can still be an issue, as CF can serve cfadmin files from its install dir even if you have blocked the one in inetpub or wherever your virtual directory points.

http://www.petefreitag.com/item/750.cfm

What I do is copy the entire cfide folder above the webroot (which makes it completely inaccessible), and then when I need to access the administrator I run a batch file with this line:

xcopy c:\inetpub\administrator\*.* c:\inetpub\wwwroot\cfide\administrator\ /s

I can then load my cfadmin login page, do my maintenance, and when done

I run another batch file:

rd c:\inetpub\wwwroot\cfide\administrator\ /s /q

You must remember to run this. You could always add it to a scheduled task to run at midnight, so if you do forget, the time it's available is short.

There's no good reason to have cfadmin always available on a production machine and it's just another potential vulnerability.

My version of CF wasn't vulnerable to this latest cfadmin authentication exploit, but had it been, it wouldn't have mattered (and I could have patched at my leisure) as cfadmin was not available to be exploited.
0
 
LVL 52

Expert Comment

by:_agx_
ID: 38856565
There's no good reason to have cfadmin always available on a production machine and it's just another potential vulnerability.

+100
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 38857207
Are you using IIS 7.5? If so, it is very easy to block these folders. This option might even be in IIS 7.0.
You can have these folders blocked via Request Filtering:
CFIDE.../
administrator
componentutils
adminapi

Then have one web site that has no internet access and leave those open on that web site only.

Now if your server itself gets compromised this method goes down the tubes, but then again if your server is compromised you have more to worry about than your website getting hacked.
0
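An added example of the two IIS settings discussed in this thread (this is editor-supplied sample configuration, not something any poster supplied): Request Filtering to deny the CFIDE admin paths on the public site, and a path-scoped IP restriction for a site that must stay reachable from one management address. The address 203.0.113.10 is a documentation placeholder; the ipSecurity section assumes the IP and Domain Restrictions role service is installed and the section has been unlocked at server level.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config for a ColdFusion site on IIS 7.x.
     Not from any poster; 203.0.113.10 is a documentation placeholder. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Public site: Request Filtering rejects any request whose URL contains
           one of these sequences, for every client (IIS answers 404.5).
           The match is on the request URL, so it still applies when ColdFusion
           would otherwise serve CFIDE files from its own install directory. -->
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/CFIDE/administrator" />
          <add sequence="/CFIDE/componentutils" />
          <add sequence="/CFIDE/adminapi" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Admin-only site (omit the denyUrlSequences above there, or they will block
       the admin address too): IP and Domain Restrictions scoped to the path.
       allowUnlisted="false" denies every client not listed below.
       Requires the "IP and Domain Restrictions" role service, and the
       ipSecurity section must be unlocked in applicationHost.config
       (it is locked at server level by default). -->
  <location path="CFIDE/administrator">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="203.0.113.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

To unlock the ipSecurity section so the location block is honoured, run `appcmd unlock config -section:system.webServer/security/ipSecurity` from %windir%\system32\inetsrv. Verify afterwards by requesting /CFIDE/administrator/ from an unlisted address and confirming the 404.5 (Request Filtering) or 403.6 (IP restriction) response in the IIS logs.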
 
LVL 14

Expert Comment

by:RickEpnet
ID: 38857215
Sorry, forgot to say: agreed, best practice is to just not have those folders on the server.
0
 

Author Closing Comment

by:nachtmsk
ID: 38859366
Thanks everyone. I went with moving the directory out of the webroot. I'll probably just create a virtual directory (alias) whenever I need to modify anything. Seems the quickest route.
0