Security - Administrator
Configure administrator passwords, RDS access, and authentication security
Overview
The Security - Administrator page controls access to the ColdFusion Administrator interface and RDS (Remote Development Services). These settings are critical for protecting your server from unauthorized access and potential security breaches. Proper configuration of administrator passwords, session timeouts, and access restrictions is essential for maintaining server security.
Administrator Password Settings
Configure secure passwords for ColdFusion Administrator and RDS access.
Administrator Password
PurposeMaster password for accessing ColdFusion Administrator
DefaultSet during installation (cannot be blank)
RecommendationUse strong, unique password (16+ characters)
StoragePassword is hashed and stored in jvm.config or similar
Password Requirements:
- Minimum 8 characters (recommend 16+)
- Mix of uppercase, lowercase, numbers, and special characters
- Avoid dictionary words and common patterns
- Never reuse passwords from other systems
- Rotate password quarterly or after personnel changes
Confirm Password
PurposeVerification field to prevent typos when setting password
RequirementMust match Administrator Password exactly
Enable Password Protection for RDS
PurposeRequire authentication for Remote Development Services
DefaultEnabled (strongly recommended)
RecommendationAlways enable, disable RDS entirely in production
ImpactPrevents unauthorized remote access to server resources
RDS CapabilitiesFile browsing, database access, debugging
RDS Password
PurposeSeparate password for RDS access (if enabled)
DefaultSame as admin password
RecommendationUse different password from administrator
ProductionDisable RDS entirely, or use very strong password with IP restrictions
Security Warning: RDS provides significant access to server resources. Never enable in production without strict IP restrictions and monitoring.
Session and Timeout Settings
Control administrator session timeouts and login behavior.
Administrator Session Timeout (minutes)
PurposeAuto-logout after period of inactivity
Default20 minutes
RecommendationProduction: 10-15 minutes
Development: 30-60 minutes for convenience
Development: 30-60 minutes for convenience
Security ImpactShorter timeout reduces risk of unauthorized access via unattended session
Trade-offMore frequent re-authentication vs. security
Enable Login Timeout
PurposeLimit time window for completing login process
DefaultEnabled
RecommendationAlways enable
Timeout DurationTypically 60 seconds
Security ImpactPrevents certain authentication bypass attempts
Access Control Settings
Configure IP restrictions and access auditing for enhanced security.
Allowed IP Addresses
PurposeWhitelist IP addresses allowed to access administrator
DefaultEmpty (all IPs allowed)
RecommendationConfigure for production environments
FormatSingle IP:
CIDR range:
Multiple: Comma-separated list
192.168.1.100CIDR range:
192.168.1.0/24Multiple: Comma-separated list
Best Practices:
- Limit to VPN IPs, office networks, or bastion hosts
- Test configuration before deploying to production
- Keep backup access method in case of lockout
Warning: Incorrect configuration can lock you out of the administrator. Always test IP restrictions carefully.
Blocked IP Addresses
PurposeBlacklist specific IP addresses
DefaultEmpty
Use CaseBlock known malicious IPs
PrecedenceBlocked list takes priority over allowed list
Enable Administrator Access Audit
PurposeLog all administrator login attempts and actions
DefaultDisabled
RecommendationEnable for production security monitoring
Log Location
cf_root/logs/admin-access.logLogged InformationIP address, username, timestamp, action
Compliance: Required for many security standards including PCI-DSS, HIPAA, and SOC 2. Review logs regularly for suspicious activity.
RDS (Remote Development Services)
Remote Development Services provides remote access to ColdFusion server resources. Used by development tools like ColdFusion Builder and Dreamweaver for file browsing, database access, and debugging capabilities.
Enable RDS
PurposeEnable/disable Remote Development Services
DefaultDisabled (production), Enabled (development)
RecommendationProduction: Always disable
Development: Enable only if using compatible IDE
Development: Enable only if using compatible IDE
Security Risk: RDS can expose sensitive data and allow file manipulation. Significant security risk if not properly secured.
RDS Configuration Options
Separate PasswordUse different credentials than administrator
IP RestrictionsLimit RDS access to specific IPs
SSL/TLSUse encrypted connections for RDS
Audit LoggingEnable logging of RDS access
Best Practices:
- Never enable RDS in production environments
- Use strong, separate password for RDS
- Restrict RDS access to specific developer IPs
- Always use HTTPS/SSL for RDS connections
- Monitor RDS access logs for unauthorized attempts
Password Security Best Practices
Strong Password Requirements
- Length
- Minimum 16 characters (20+ recommended)
- Complexity
- Mix of uppercase, lowercase, numbers, symbols
- Avoid
- Dictionary words, personal information, patterns
- Unique
- Different from other system passwords
Use a password manager to generate and store complex passwords securely.
Password Management
- Rotation
- Change passwords quarterly or after security events
- Sharing
- Never share passwords between team members
- Storage
- Store in encrypted password manager
- Documentation
- Keep secure backup of credentials in safe location
Change passwords immediately when admins leave the organization.
Password Reset Procedure
- Lost Password
- Can be reset via command line utility
- Command
- cf_root/cfusion/bin/cfsetadminpassword.sh (Unix) or .bat (Windows)
- Process
- Requires server restart after password reset
Document reset procedure for emergencies and test in development.
Best Practices
Production Environment
- Use strong, unique administrator password (16+ characters)
- Set session timeout to 10-15 minutes
- Configure allowed IP addresses to limit access
- Disable RDS entirely
- Enable administrator access audit logging
- Rotate passwords quarterly
- Monitor admin-access.log for unauthorized attempts
- Use VPN or bastion host for administrator access
- Implement two-factor authentication if available
- Restrict administrator access to minimal necessary personnel
Development Environment
- Use strong password even in development
- Enable RDS only if actively using compatible IDE
- Set separate RDS password from administrator password
- Longer session timeout acceptable (30-60 minutes)
- Still implement IP restrictions if possible
- Test security configurations before production deployment
Security Hardening
- Hide Administrator URL
- Change default /CFIDE/administrator path
- Web Server Restrictions
- Use web server rules to limit access
- SSL/TLS
- Always access administrator over HTTPS
- Network Segmentation
- Place admin interface on separate network
- Jump Box
- Require access through bastion host
- Monitoring
- Alert on failed login attempts
- Rate Limiting
- Implement login rate limiting
Compliance Considerations
- PCI-DSS
- Requires strong passwords, access logging, IP restrictions
- HIPAA
- Audit trail of administrative access required
- SOC 2
- Password complexity, rotation, and access controls
- GDPR
- Limit access to personal data via administrator
Common Issues and Solutions
Forgotten Administrator Password
Symptom: Cannot log into ColdFusion Administrator
Solutions:
- Use cfsetadminpassword utility located at
cf_root/cfusion/bin/cfsetadminpassword.shor.bat - Run command:
./cfsetadminpassword.sh newpassword - Restart server after password reset
- Store password securely in password manager to prevent recurrence
Locked Out by IP Restrictions
Symptom: Cannot access administrator from current IP address
Solutions:
- Edit
cf_root/lib/neo-security.xmlto modify IP restrictions - Remove IP restrictions temporarily, restart server, reconfigure properly
- Ensure IP not in blocked list or missing from allowed list
- Prevention: Always add new IP before removing old access
Session Timing Out Too Quickly
Symptom: Frequent re-authentication required
Solutions:
- Increase session timeout (balance security vs convenience)
- Development: 30-60 minutes acceptable
- Production: Keep at 10-15 minutes for security
- Configure in Security - Administrator page
RDS Connection Failures
Symptom: IDE cannot connect via RDS
Solutions:
- Verify RDS is enabled in administrator
- Check RDS password is correct
- Ensure firewall rules allow RDS port (typically 80/443 or separate port)
- Verify SSL certificate if using HTTPS
- Check IP restrictions aren't blocking your IP
Multiple Failed Login Attempts
Symptom: Login failures logged in admin-access.log
Solutions:
- Investigate source IP address in logs
- Legitimate causes: User forgotten password, typing errors
- Malicious causes: Brute force attack attempt
- Implement IP blocking for suspicious addresses
- Prevention: Use IP restrictions, strong passwords, rate limiting
Monitoring and Auditing
Access Log Monitoring
- Log File
- cf_root/logs/admin-access.log
- Contents
- All administrator login attempts and actions
- Review
- Daily review of access logs
- Alerts
- Configure alerts for suspicious activity
- Retention
- Keep logs for compliance period (typically 90+ days)
Suspicious Activity Indicators
- Multiple failed login attempts from same IP
- Login attempts from unexpected geographic locations
- Login attempts outside business hours
- Access from unknown IP addresses
- RDS access in production environment
- Configuration changes by unauthorized users
Security Monitoring Tools
- Log Aggregation
- Splunk, ELK Stack, CloudWatch Logs
- SIEM
- Security Information and Event Management systems
- Alerting
- PagerDuty, OpsGenie for critical events
- Intrusion Detection
- Fail2ban, OSSEC for brute force protection
Advanced Security Configuration
Changing Administrator URL
- Purpose
- Obscure default administrator path
- Default
- /CFIDE/administrator
- Method
- Configure web server alias or use URL rewrite
- Example
- Map /secretadmin to /CFIDE/administrator
- Security
- Reduces automated attacks targeting default path
Security through obscurity - not a substitute for strong password and access controls.
Web Server Access Controls
- Apache
- Use Directory or Location directives with IP restrictions
- IIS
- Configure IP Address and Domain Restrictions
- Nginx
- Use allow/deny directives
Blocks access before reaching ColdFusion for better performance and security.
SSL/TLS Configuration
- Requirement
- Always use HTTPS for administrator access
- Certificate
- Valid SSL certificate (not self-signed in production)
- Protocol
- TLS 1.2 or higher
- HSTS
- Enable HTTP Strict Transport Security
- Redirect
- Automatically redirect HTTP to HTTPS