Solved

How to lock down a directory in IIS

Posted on 2013-02-05
5
791 Views
Last Modified: 2013-02-06
Hi,
If I have a site like this:
www.mysite.com/admin/stuff
and I want to stop anyone except a certain IP address from gaining access to that particular URL/path in IIS 7, how would I do that?
Specifically I'm trying to lock down ColdFusion Administrator url which is in the form
www.mysite.com/CFIDE/administrator/
Thanks!
Nacht
Question by:nachtmsk
5 Comments
 
LVL 36

Accepted Solution

by:
SidFishes earned 500 total points
ID: 38856538
Even if you block access to that, it can still be an issue as CF can serve cfadmin files from its install dir even if you have blocked the one in inetpub or wherever your virtual directory points.

http://www.petefreitag.com/item/750.cfm

What I do is copy the entire CFIDE folder above the webroot (which makes it completely inaccessible) and then, when I need to access the administrator, I run a batch file with this line

xcopy c:\inetpub\administrator\*.* c:\inetpub\wwwroot\cfide\administrator\ /s

I can then load my cfadmin login page, do my maintenance and, when done,

I run another batch file

rd c:\inetpub\wwwroot\cfide\administrator\ /s /q

You must remember to run this. You could always add it to a scheduled task to run at midnight so if you do forget, the time it's available is short.

There's no good reason to have cfadmin always available on a production machine and it's just another potential vulnerability.

My version of CF wasn't vulnerable to this latest cfadmin authentication exploit, but had it been, it wouldn't have mattered (and I could have patched at my leisure) as cfadmin was not available to be exploited.
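The publish/remove routine from the accepted answer, written up as a single PowerShell script with the midnight cleanup task the answer suggests as a safety net. This is an added example, not SidFishes' batch files or anything shipped with ColdFusion; the stash path, the web-root path and the task name are assumptions, and the script is assumed to live at a path without spaces so the scheduled task's command line needs no extra quoting.

```powershell
# Added example: make the ColdFusion administrator reachable only while it is needed.
#   .\cfadmin-toggle.ps1              -> copy the stashed tree into the web root, schedule removal
#   .\cfadmin-toggle.ps1 -Unpublish   -> remove it from the web root now, drop the task
param([switch]$Unpublish)

$Stash    = 'C:\inetpub\administrator'                  # assumption: copy kept above the web root
$WebRoot  = 'C:\inetpub\wwwroot\CFIDE\administrator'    # assumption: where CF expects it when in use
$TaskName = 'Remove-CFAdmin'                            # assumption: scheduled task name
$Script   = $MyInvocation.MyCommand.Path                # this script, for the task to call back

function Publish-CFAdmin {
    # Copy the stashed tree into the web root; -Recurse brings subfolders along.
    if (-not (Test-Path $Stash)) { throw "Stash folder '$Stash' not found" }
    New-Item -ItemType Directory -Path $WebRoot -Force | Out-Null
    Copy-Item -Path "$Stash\*" -Destination $WebRoot -Recurse -Force

    # Safety net: a daily task at midnight that runs this script with -Unpublish,
    # so a forgotten cleanup leaves the admin UI exposed for hours, not weeks.
    $tr = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Script -Unpublish"
    schtasks.exe /Create /F /SC DAILY /ST 00:00 /RU SYSTEM /TN $TaskName /TR $tr | Out-Null
    Write-Host "cfadmin published to $WebRoot; task '$TaskName' removes it at midnight."
}

function Unpublish-CFAdmin {
    # Remove the published copy (the stash above the web root is untouched) and the task.
    if (Test-Path $WebRoot) {
        Remove-Item -Path $WebRoot -Recurse -Force
    }
    schtasks.exe /Delete /F /TN $TaskName 2>$null | Out-Null
    Write-Host "cfadmin removed from $WebRoot."
}

if ($Unpublish) { Unpublish-CFAdmin } else { Publish-CFAdmin }
```

Run it from an elevated prompt on the server. Keeping the stash outside the web root is what makes the "off" state safe: nothing under `C:\inetpub\wwwroot\CFIDE\administrator` exists for IIS to serve until you deliberately put it back.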
 
LVL 52

Expert Comment

by:_agx_
ID: 38856565
There's no good reason to have cfadmin always available on a production machine and it's just another potential vulnerability.

+100
 
LVL 14

Expert Comment

by:RickEpnet
ID: 38857207
Are you using IIS 7.5? If so it is very easy to block these folders. This option might even be in IIS 7.0.
You can have these folders blocked via Request Filtering:
CFIDE.../
administrator
componentutils
adminapi

Then have one web site that has no internet access and leave those open on that web site only.

Now, if your server itself gets compromised this method goes down the tubes, but then again if your server is compromised you have more to worry about than your website getting hacked.
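How the Request Filtering approach above looks when scripted, plus the per-IP allow list the original question asked for. This is an added example, not RickEpnet's configuration or anything from ColdFusion; it uses the IIS 7.x WebAdministration module, and the IP rule needs the "IP and Domain Restrictions" role service installed. The site name, the allowed address and the choice of which paths to deny outright versus IP-restrict are assumptions.

```powershell
# Added example: lock down the ColdFusion admin URLs on a public IIS 7.x site.
#  - componentutils and adminapi: denied outright with Request Filtering (HTTP 404.5)
#  - administrator: reachable from one source IP only (IP and Domain Restrictions)
# Denying all three, as the comment above suggests, is the stricter option.
Import-Module WebAdministration

$Site    = 'Default Web Site'     # assumption: the public site to lock down
$AdminIp = '203.0.113.10'         # assumption: the single address allowed to reach cfadmin
$Deny    = '/CFIDE/componentutils', '/CFIDE/adminapi'
$AppHost = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config <location> tags,
                                       # which works even where the section is locked

function Deny-AdminUrls {
    # Request Filtering denyUrlSequences: any URL containing one of these strings is rejected
    # before it reaches a handler. Idempotent: skips sequences that are already present.
    $filter = 'system.webServer/security/requestFiltering/denyUrlSequences'
    foreach ($seq in $Deny) {
        $present = Get-WebConfiguration -PSPath $AppHost -Location $Site -Filter "$filter/add[@sequence='$seq']"
        if (-not $present) {
            Add-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter $filter `
                -Name '.' -Value @{ sequence = $seq }
        }
    }
}

function Restrict-AdminToIp {
    # IP and Domain Restrictions scoped to the administrator path only:
    # deny every unlisted client, then list the one allowed address.
    $loc = "$Site/CFIDE/administrator"
    $sec = 'system.webServer/security/ipSecurity'
    Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $sec `
        -Name 'allowUnlisted' -Value $false
    $present = Get-WebConfiguration -PSPath $AppHost -Location $loc -Filter "$sec/add[@ipAddress='$AdminIp']"
    if (-not $present) {
        Add-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $sec `
            -Name '.' -Value @{ ipAddress = $AdminIp; allowed = $true }
    }
}

Deny-AdminUrls
Restrict-AdminToIp
```

Two things to check after running it: browse to each path from a non-allowed address and confirm you get 404 (denied sequence) or 403 (IP restriction), and remember that `ipSecurity` matches the source address of the TCP connection, so behind a load balancer or reverse proxy it will see the proxy's address rather than the client's. The same settings can be written by hand into applicationHost.config as `<requestFiltering><denyUrlSequences>` and `<ipSecurity>` elements.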
 
LVL 14

Expert Comment

by:RickEpnet
ID: 38857215
Sorry, forgot to say: agreed, best practice is to just not have those folders on the server.
 

Author Closing Comment

by:nachtmsk
ID: 38859366
Thanks everyone. I went with moving the directory out of the webroot. I'll probably just create a virtual directory (alias) whenever I need to modify anything. Seems the quickest route.