Solved

How to lock down a directory in IIS

Posted on 2013-02-05
812 Views
Last Modified: 2013-02-06
Hi,
If I have a site like this:
www.mysite.com/admin/stuff
and I want to stop anyone except a certain IP address from gaining access to that particular URL/path in IIS 7, how would I do that?
Specifically, I'm trying to lock down the ColdFusion Administrator URL, which is in the form
www.mysite.com/CFIDE/administrator/
Thanks!
Nacht
Question by:nachtmsk
5 Comments
 
LVL 36

Accepted Solution

by:
SidFishes earned 500 total points
ID: 38856538
Even if you block access to that, it can still be an issue, as CF can serve cfadmin files from its install dir even if you have blocked the one in inetpub or where your virtual directory points.

http://www.petefreitag.com/item/750.cfm

What I do is copy the entire cfide folder above the webroot (which makes it completely inaccessible), and then when I need to access the administrator I run a batch file with this line:

rem copy the offline CF Administrator back under the webroot (/s = include subfolders)
xcopy c:\inetpub\administrator\*.* c:\inetpub\wwwroot\cfide\administrator\ /s

I can then load my cfadmin login page, do my maintenance, and when done,

I run another batch file:

rem remove the live copy again (/s = whole tree, /q = no confirmation prompt)
rd c:\inetpub\wwwroot\cfide\administrator\ /s /q

You must remember to run this. You could always add it to a scheduled task to run at midnight, so if you do forget, the time it's available is short.

There's no good reason to have cfadmin always available on a production machine and it's just another potential vulnerability.

My version of CF wasn't vulnerable to this latest cfadmin authentication exploit, but had it been, it wouldn't have mattered (and I could have patched at my leisure) as cfadmin was not available to be exploited.
 
LVL 52

Expert Comment

by:_agx_
ID: 38856565
There's no good reason to have cfadmin always available on a production machine and it's just another potential vulnerability.

+100
 
LVL 14

Expert Comment

by:RickEpnet
ID: 38857207
Are you using IIS 7.5? If so, it is very easy to block these folders. This option might even be in IIS 7.0.
You can have these folders blocked via Request Filtering:
CFIDE.../
administrator
componentutils
adminapi

Then have one web site that has no internet access and leave those open on that web site only.

Now, if your server itself gets compromised, this method goes down the tubes, but then again, if your server is compromised you have more to worry about than your website getting hacked.
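One way to apply the Request Filtering idea above from the command line, as an added example that is not RickEpnet's own configuration: the script adds a denyUrlSequences entry for each of the three CFIDE folders on the public site with appcmd, skips entries that already exist so it can be re-run, and then probes the admin URL to confirm IIS answers 404. The site name "Default Web Site", the inetsrv location of appcmd and the localhost probe URL are assumptions, not from the thread.

```powershell
# Added example (not RickEpnet's configuration): deny the ColdFusion admin
# paths on the public site with IIS Request Filtering, then probe the result.
# Assumptions not in the thread: site name "Default Web Site", appcmd in the
# default inetsrv location, and a probe URL on localhost. Run elevated.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$Site    = 'Default Web Site'
$Section = 'system.webServer/security/requestFiltering'
# The three CFIDE folders named in the comment. A denied sequence matches
# anywhere in the URL, so a /CFIDE virtual directory that ColdFusion maps in
# from its own install directory is covered as well.
$Denied  = @('/CFIDE/administrator', '/CFIDE/componentutils', '/CFIDE/adminapi')

# Read what is already configured so the script can be re-run safely
# (appcmd refuses to add a duplicate collection entry).
$current = (& $appcmd list config $Site "/section:$Section") -join "`n"
foreach ($seq in $Denied) {
    if ($current -match ('sequence="' + [regex]::Escape($seq) + '"')) {
        Write-Host "already denied: $seq"
        continue
    }
    & $appcmd set config $Site "/section:$Section" "/+denyUrlSequences.[sequence='$seq']" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "appcmd could not add a deny rule for $seq" }
    Write-Host "denied: $seq"
}

# Verify from the box itself. Request Filtering answers a blocked URL with
# HTTP 404 (substatus 404.5) before any ColdFusion handler sees the request.
$probe = 'http://localhost/CFIDE/administrator/index.cfm'
try {
    $resp = [System.Net.WebRequest]::Create($probe).GetResponse()
    Write-Warning "$probe answered HTTP $([int]$resp.StatusCode); the deny rule is not in effect"
    $resp.Close()
} catch [System.Net.WebException] {
    if ($null -eq $_.Exception.Response) {
        Write-Warning "no HTTP response from $probe ($($_.Exception.Message))"
    } elseif ([int]$_.Exception.Response.StatusCode -eq 404) {
        Write-Host "OK: $probe is blocked (HTTP 404)"
    } else {
        Write-Warning "$probe answered HTTP $([int]$_.Exception.Response.StatusCode), expected 404"
    }
}
```

appcmd writes each rule into the site's web.config as `<add sequence="/CFIDE/administrator" />` under `<system.webServer><security><requestFiltering><denyUrlSequences>`. Set it on the public site only, not at the server level in applicationHost.config, or the separate internal site the comment suggests for admin access would inherit the block too. The match is case-insensitive and runs on the decoded URL, so `/cfide/Administrator/` is caught as well.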
 
LVL 14

Expert Comment

by:RickEpnet
ID: 38857215
Sorry, forgot to say: agreed, best practice is just to not have those folders on the server.
 

Author Closing Comment

by:nachtmsk
ID: 38859366
Thanks everyone. I went with moving the directory out of the webroot. I'll probably just create a virtual directory (alias) whenever I need to modify anything. Seems the quickest route.
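A scripted version of both toggles discussed in the thread, as an added example that is not the posters' own batch files: `-Mode Copy` does the accepted answer's xcopy / rd pair, `-Mode Vdir` does the virtual-directory alias the asker settled on, and `-Action ScheduleCleanup` registers the midnight cleanup task the accepted answer recommends. The site name "Default Web Site", PowerShell 3.0 or later, a script path without spaces and an elevated session are assumptions, not from the thread; the folder paths are the ones the accepted answer uses.

```powershell
# Added example, not the posters' batch files: one script that implements both
# ways of exposing CF Administrator only during maintenance.
#   -Mode Copy : copy the offline folder under the web root and delete it
#                afterwards (the accepted answer's xcopy / rd pair)
#   -Mode Vdir : map the offline folder in as an IIS virtual directory and
#                remove the mapping afterwards, so nothing is ever copied under
#                wwwroot (the alias approach the asker chose)
# Assumptions not in the thread: site "Default Web Site", PowerShell 3.0+
# ($PSCommandPath), a script path without spaces, and an elevated session.
param(
    [Parameter(Mandatory)][ValidateSet('Enable', 'Disable', 'ScheduleCleanup')][string]$Action,
    [ValidateSet('Copy', 'Vdir')][string]$Mode = 'Copy',
    [string]$Site = 'Default Web Site'
)

$Offline  = 'C:\inetpub\administrator'                 # safe copy, outside the web root
$Live     = 'C:\inetpub\wwwroot\CFIDE\administrator'   # exists only while enabled (Copy mode)
$VdirPath = '/CFIDE/administrator'                     # URL path it answers on
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

function Test-CfAdminExposed {
    # True if /CFIDE/administrator is currently reachable in the selected mode.
    if ($Mode -eq 'Copy') { return (Test-Path -LiteralPath $Live) }
    return [bool](& $appcmd list vdir "$Site$VdirPath" 2>$null)
}

function Enable-CfAdmin {
    if (-not (Test-Path -LiteralPath $Offline -PathType Container)) {
        throw "Offline copy not found at $Offline; nothing to enable."
    }
    if (Test-CfAdminExposed) { Write-Host 'Already enabled.'; return }
    if ($Mode -eq 'Copy') {
        New-Item -ItemType Directory -Path $Live -Force | Out-Null
        # -Recurse covers subfolders (xcopy /s); -Force overwrites leftovers.
        Copy-Item -Path (Join-Path $Offline '*') -Destination $Live -Recurse -Force
    } else {
        # Virtual directory under the site's root application; the files stay where they are.
        & $appcmd add vdir "/app.name:$Site/" "/path:$VdirPath" "/physicalPath:$Offline" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'appcmd could not create the virtual directory.' }
    }
    Write-Host "CF Administrator is reachable at $VdirPath/ until you run -Action Disable."
}

function Disable-CfAdmin {
    if ($Mode -eq 'Copy') {
        if (Test-Path -LiteralPath $Live) { Remove-Item -LiteralPath $Live -Recurse -Force }  # rd /s /q
    } elseif (Test-CfAdminExposed) {
        & $appcmd delete vdir "$Site$VdirPath" | Out-Null
    }
    # A delete that silently failed would leave cfadmin exposed, so check and fail loudly.
    if (Test-CfAdminExposed) { throw "CF Administrator is still reachable at $VdirPath" }
    Write-Host 'CF Administrator is no longer reachable from the web.'
}

function Register-CfAdminCleanup {
    # The midnight safety net from the accepted answer: if you forget -Action Disable,
    # the exposure window closes at 00:00. Runs this same script as SYSTEM.
    $task = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath -Action Disable -Mode $Mode"
    schtasks.exe /Create /F /TN 'Remove CF Administrator' /SC DAILY /ST 00:00 /RU SYSTEM /TR $task | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'schtasks failed; the cleanup task was not created.' }
    Write-Host 'Nightly cleanup task registered.'
}

switch ($Action) {
    'Enable'          { Enable-CfAdmin }
    'Disable'         { Disable-CfAdmin }
    'ScheduleCleanup' { Register-CfAdminCleanup }
}
```

Run it as `.\cfadmin.ps1 -Action Enable -Mode Vdir` before maintenance and `-Action Disable -Mode Vdir` afterwards; `-Action ScheduleCleanup` once, with the same `-Mode`, registers the nightly task. In either mode the offline folder must sit outside every IIS physical path, or it is reachable regardless of this script, and, as the accepted answer warns, the copy in ColdFusion's own install directory is a separate exposure that this toggle does nothing about.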
