Security - RDS (Remote Development Services)

Configure remote development access and security settings

Overview

Remote Development Services (RDS) is a ColdFusion feature that allows IDE tools like Adobe Dreamweaver, CFBuilder, and CFEclipse to connect remotely to your ColdFusion server for file browsing, database queries, and debugging. While useful for development, RDS provides significant server access and must be carefully controlled in production environments.

Critical Security Warning: RDS provides direct file system and database access to your server. It should be DISABLED on production servers and only enabled on development/staging environments with proper authentication and network restrictions.

RDS Configuration Settings

Control whether RDS is enabled and configure authentication requirements.

Enable RDS

Purpose: Enable or disable Remote Development Services functionality
Default: Disabled (recommended for production)
Recommendation:
  Production: Disabled (always)
  Staging: Disabled or restricted by IP
  Development: Enabled with strong password
Impact: When enabled, remote IDEs can browse files, query databases, and execute code
Security Risk: Enabling RDS on production servers exposes your file system, database connections, and server resources to potential unauthorized access. Only enable on isolated development environments.

RDS Password

Purpose: Authentication password required for RDS connections
Default: Set during ColdFusion installation
Recommendation: Always use a strong, unique password (16+ characters, mixed case, numbers, symbols)
Security: A single password protects all RDS access; compromise grants full server access
Best Practices:
  • Use password manager to generate and store complex password
  • Never use the same password as the ColdFusion Administrator
  • Rotate password regularly (every 90 days minimum)
  • Never share RDS passwords via email or chat
  • Change immediately if compromise suspected

Enable Separate Password for RDS and Admin

Purpose: Use different passwords for RDS and Administrator access
Default: Enabled (recommended)
Recommendation: Always enable; separate credentials limit the blast radius
Security: Prevents an RDS password compromise from granting admin access
Defense in Depth: Separate passwords ensure that if one credential is compromised, the attacker doesn't automatically gain access to both RDS and Administrator interfaces.
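The per-environment recommendation and the password rules above, turned into a small audit function for a deployment checklist. This is an added example in Python, not code from the original page or from ColdFusion's own tooling; the environment names, severity labels and the `allowed_ips` parameter are assumptions, while the thresholds (16+ characters, mixed case, digits, symbols, never the Administrator password) are the page's.

```python
import hmac
import string
from typing import List, Optional

MIN_LENGTH = 16  # page recommendation: 16+ characters, mixed case, digits, symbols


def password_weaknesses(pw: str) -> List[str]:
    """Return which parts of the page's RDS password recommendation a value misses."""
    checks = [
        (len(pw) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.islower() for c in pw), "has no lowercase letter"),
        (any(c.isupper() for c in pw), "has no uppercase letter"),
        (any(c.isdigit() for c in pw), "has no digit"),
        (any(c in string.punctuation for c in pw), "has no symbol"),
    ]
    return [msg for ok, msg in checks if not ok]


def audit_rds(environment: str, rds_enabled: bool, separate_password: bool,
              rds_password: str, admin_password: str,
              allowed_ips: Optional[List[str]] = None) -> List[str]:
    """Evaluate RDS settings against this page's per-environment recommendation.

    environment is "production", "staging" or "development" (assumed labels).
    Returns a list of findings; an empty list means the settings comply.
    """
    findings = []
    env = environment.lower()
    if env == "production" and rds_enabled:
        findings.append("CRITICAL: RDS enabled in production (must always be disabled)")
    elif env == "staging" and rds_enabled and not allowed_ips:
        findings.append("HIGH: RDS enabled in staging without IP restriction")
    if not rds_enabled:
        return findings  # password rules only matter while RDS is reachable
    if not separate_password:
        findings.append("HIGH: separate RDS/Administrator password setting is off")
    # Constant-time comparison so the check itself does not leak the admin password
    if hmac.compare_digest(rds_password.encode(), admin_password.encode()):
        findings.append("HIGH: RDS password is identical to the Administrator password")
    for weak in password_weaknesses(rds_password):
        findings.append(f"MEDIUM: RDS password {weak}")
    return findings
```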

What RDS Provides Access To

Understanding the scope of access granted when RDS is enabled.

File System Access

Capabilities: Browse, read, edit, create, delete files
Scope: Full server file system (subject to OS permissions)
Risk Level: Critical

Allows complete file system manipulation including CFM templates, configuration files, and data.

Database Access

Capabilities: Query all configured datasources
Scope: Full database read/write access
Risk Level: Critical

Direct SQL execution against all configured databases with datasource privileges.

Code Execution

Capabilities: Execute CFML code on server
Scope: Run arbitrary code with server privileges
Risk Level: Critical

Can execute CFML code snippets directly on the server for testing.

Debugging Access

Capabilities: Remote debugging sessions
Scope: Inspect variables, step through code
Risk Level: High

View application variables, session data, and execution flow in real-time.

Server Information

Capabilities: View server configuration details
Scope: Settings, mappings, datasources
Risk Level: High

Exposes server configuration that aids in reconnaissance for attacks.

Configuring RDS in Development Tools

Adobe ColdFusion Builder / CFEclipse

Connecting to ColdFusion server via RDS:

RDS Connection Setup
RDS Server Configuration in CFBuilder:

1. Open RDS Configuration:
   Window → Preferences → ColdFusion → RDS Configuration

2. Add New Server:
   - Server Name: Development Server
   - Host Name: dev.example.com (or localhost)
   - Port Number: 8500 (default) or custom port
   - Context Root: /CFIDE (default)
   - RDS Password: [your RDS password]

3. Test Connection:
   Click "Test Connection" to verify settings

4. Advanced Options:
   - Use HTTPS: Enable for remote servers
   - Timeout: 30 seconds (default)
   - Use Proxy: If behind corporate proxy

Security Note: Always use HTTPS for RDS over internet connections to prevent password interception.

Adobe Dreamweaver

Setting up RDS for file browsing and database connectivity:

Dreamweaver RDS Setup
Dreamweaver RDS Configuration:

1. Site Setup → Servers → Add New Server

2. Basic Settings:
   - Server Name: CF Dev Server
   - Connect Using: FTP or Local/Network

3. Advanced Settings:
   - Server Model: ColdFusion
   - Access: RDS

4. RDS Connection:
   - Host: dev.example.com
   - Port: 8500
   - Security: Use Secure Connection (HTTPS)
   - Password: [RDS password]
   - Context Root: /CFIDE

5. Test Connection

Features Enabled:
✓ Browse server files via RDS tab
✓ Execute database queries
✓ View datasources
✓ Live data preview in design view

Security Best Practices

Production Environment

Mandatory Security Requirements:
  • Disable RDS completely - No exceptions for production
  • Verify RDS is disabled in administrator before deployment
  • Block RDS ports (default 8500) at firewall level
  • Remove or restrict /CFIDE directory web access
  • Include RDS disabled check in deployment checklist
  • Monitor logs for any RDS connection attempts
Compliance: Most security frameworks (PCI-DSS, SOC 2, ISO 27001) require RDS to be disabled on production systems due to the extensive access it provides.
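The "monitor logs for any RDS connection attempts" item above, as an added example in Python (not code from the original page): it scans web server access log lines for requests to the RDS endpoint /CFIDE/main/ide.cfm and to any other /CFIDE/ path, and rates requests from outside a trusted address set as findings. The combined log format, the trusted address and the sample lines are constructed assumptions.

```python
import re
from typing import Dict, FrozenSet, Iterable, List

# Apache/IIS-style "combined" access log line (assumption about the log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

RDS_ENDPOINT = "/cfide/main/ide.cfm"   # RDS servlet path under the /CFIDE context root
CFIDE_PREFIX = "/cfide/"               # everything else under /CFIDE should be restricted too


def classify_path(path: str) -> str:
    """Return 'rds', 'cfide' or '' for a request path (query string ignored, case-insensitive)."""
    p = path.split("?", 1)[0].lower()
    if p == RDS_ENDPOINT:
        return "rds"
    if p.startswith(CFIDE_PREFIX):
        return "cfide"
    return ""


def scan_access_log(lines: Iterable[str], trusted_ips: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Flag RDS and /CFIDE requests; untrusted sources are 'critical' (RDS) or 'warning' (/CFIDE)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line; skip it
        kind = classify_path(m["path"])
        if not kind:
            continue
        ip = m["ip"]
        if ip in trusted_ips:
            severity = "info"
        else:
            severity = "critical" if kind == "rds" else "warning"
        findings.append({"ip": ip, "time": m["ts"], "path": m["path"],
                         "status": int(m["status"]), "kind": kind, "severity": severity})
    return findings


# Constructed sample log lines (not real traffic); 192.168.1.100 plays the trusted dev workstation
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "POST /CFIDE/main/ide.cfm HTTP/1.1" 200 512 "-" "Jakarta Commons-HttpClient/3.1"
192.168.1.100 - - [10/Mar/2024:14:03:01 +0000] "POST /CFIDE/main/ide.cfm HTTP/1.1" 200 512 "-" "ColdFusion Builder"
198.51.100.9 - - [10/Mar/2024:14:04:20 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 221 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:14:05:00 +0000] "GET /index.cfm HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
""".splitlines()
```

Run `scan_access_log(SAMPLE_LOG, trusted_ips=frozenset({"192.168.1.100"}))` to get one critical, one info and one warning finding; on a production server, where RDS must be off, any "rds" finding at all is the alert.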

Development Environment

Secure RDS Usage Guidelines:
  • Enable RDS only on local development machines
  • Use strong, unique passwords (16+ characters)
  • Enable separate RDS and admin passwords
  • Never expose RDS ports to the internet
  • Use VPN for remote RDS access if absolutely required
  • Restrict access by IP address when possible
  • Disable RDS when not actively developing
  • Use HTTPS for all RDS connections
  • Rotate RDS passwords quarterly

Alternatives to RDS

File Access: Use SFTP, SCP, or file sync tools (rsync, WinSCP). More secure, with granular access control.
Database Access: Use dedicated database clients (DataGrip, DBeaver, MySQL Workbench). Direct database connection with better security.
Debugging: Use FusionReactor or ColdFusion debugging output; a CommandBox server for local development.
Modern Development Workflow: Most developers have moved away from RDS in favor of Git-based version control, SFTP deployment, and dedicated database tools. Consider adopting these more secure alternatives.

RDS Port and Network Configuration

Default RDS Ports

HTTP Port: 8500 (default for standalone ColdFusion)
HTTPS Port: 8501 (if SSL configured)
J2EE Deployment: Uses the web server port (80/443) with the /CFIDE path
Firewall Rules: Block RDS ports from external networks. Only allow from trusted development workstations or VPN ranges.
Firewall Configuration Example (Linux iptables)
# Block RDS ports from external networks
# Allow only from specific IP (replace with your IP)
# Note: -A appends the DROP rule to the end of the INPUT chain, while -I inserts
# the ACCEPT rules at the top, so the allows are evaluated before the drop.

# Block RDS HTTP port from all
iptables -A INPUT -p tcp --dport 8500 -j DROP

# Allow RDS from trusted IP only
iptables -I INPUT -p tcp -s 192.168.1.100 --dport 8500 -j ACCEPT

# Block RDS HTTPS port from all
iptables -A INPUT -p tcp --dport 8501 -j DROP

# Allow RDS HTTPS from trusted IP only
iptables -I INPUT -p tcp -s 192.168.1.100 --dport 8501 -j ACCEPT

# Allow from local network (adjust subnet as needed)
iptables -I INPUT -p tcp -s 192.168.1.0/24 --dport 8500 -j ACCEPT
iptables -I INPUT -p tcp -s 192.168.1.0/24 --dport 8501 -j ACCEPT

# Save rules (RHEL/CentOS with the iptables-services package; other
# distributions use iptables-save or netfilter-persistent instead)
service iptables save

Firewall Configuration Example (Windows Firewall, PowerShell)
# PowerShell commands for Windows Firewall
# Note: in Windows Firewall an explicit Block rule overrides any Allow rule,
# so a broad "Block port 8500" rule would also block the trusted IP. Keep the
# profile's default inbound action at Block and add scoped Allow rules only.

# Make sure unmatched inbound traffic (including RDS ports) is blocked by default
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Allow RDS HTTP from the trusted dev workstation only
New-NetFirewallRule -DisplayName "Allow RDS HTTP from Dev IP" `
  -Direction Inbound -LocalPort 8500 -Protocol TCP `
  -Action Allow -RemoteAddress 192.168.1.100

# Allow RDS HTTPS from the trusted dev workstation only
New-NetFirewallRule -DisplayName "Allow RDS HTTPS from Dev IP" `
  -Direction Inbound -LocalPort 8501 -Protocol TCP `
  -Action Allow -RemoteAddress 192.168.1.100

# Optional: allow both RDS ports from the local network (adjust subnet as needed)
New-NetFirewallRule -DisplayName "Allow RDS from Dev Subnet" `
  -Direction Inbound -LocalPort 8500,8501 -Protocol TCP `
  -Action Allow -RemoteAddress 192.168.1.0/24

Common Issues & Solutions

Cannot Connect to RDS

Symptom: IDE shows "Cannot connect to RDS server" or timeout errors
Solutions:
  • Verify RDS is enabled in ColdFusion Administrator
  • Check ColdFusion service is running
  • Confirm correct port number (8500 default)
  • Verify firewall allows RDS port from your IP
  • Test connectivity: telnet server.com 8500
  • Check RDS password is correct
  • Review ColdFusion logs for authentication failures

RDS Authentication Failed

Symptom: "Authentication failed" or "Invalid password" errors
Solutions:
  • Verify RDS password in CF Administrator (Security → RDS)
  • Ensure "Use a separate password for RDS" is configured correctly
  • Check for special characters that may need escaping
  • Reset RDS password in administrator and retry
  • Clear IDE's saved RDS credentials and re-enter
  • Check for account lockout after multiple failed attempts

RDS Security Audit Failed

Symptom: Security audit or penetration test identifies RDS as vulnerability
Immediate Actions:
  • Disable RDS immediately on production servers
  • Verify RDS disabled: check Security → RDS in administrator
  • Block ports 8500/8501 at firewall level
  • Restrict /CFIDE directory access in web server config
  • Review access logs for unauthorized RDS usage
  • Document remediation for audit report
  • Add RDS check to deployment verification checklist

Verifying RDS Status

Programmatic RDS Status Check
/**
 * Check whether RDS is enabled on the server via the ColdFusion Admin API.
 * Useful for deployment verification scripts. The Administrator password is
 * passed in (e.g. from an environment variable or a secrets store) rather
 * than hardcoded in the script.
 */
function isRDSEnabled(required string adminPassword) {
    try {
        // Log in to the Admin API (cfide.adminapi.administrator)
        local.adminAPI = createObject("component", "cfide.adminapi.administrator");
        local.adminAPI.login(arguments.adminPassword);

        // The security component (cfide.adminapi.security) exposes the RDS enabled flag
        local.securityAPI = createObject("component", "cfide.adminapi.security");
        return local.securityAPI.isRdsEnabled();
    } catch (any e) {
        // Log and rethrow: an unknown RDS state must fail the check,
        // not silently report "disabled"
        writeLog(file="rds-check", type="error",
                 text="Failed to check RDS status: #e.message#");
        rethrow;
    }
}

// Usage in deployment script: read the admin password from an environment variable
adminPassword = createObject("java", "java.lang.System").getenv("CF_ADMIN_PASSWORD");
if (isRDSEnabled(adminPassword)) {
    writeLog(file="deployment", type="error",
             text="SECURITY ALERT: RDS is enabled on production!");
    // Fail deployment or send alert
    throw(type="DeploymentCheckFailed", message="RDS is enabled on production");
}

Related Resources