Security - Secure Profile

Pre-configured security hardening profiles for ColdFusion

Overview

ColdFusion Secure Profile is a comprehensive security hardening feature that applies multiple security settings simultaneously to lock down your server. Rather than manually configuring dozens of security options, Secure Profile provides pre-configured profiles optimized for different environments (production, development) and use cases.

Applying a Secure Profile modifies settings across multiple administrator sections including file access restrictions, disabled functions and tags, sandboxing, and more. This provides a quick way to implement security best practices and meet compliance requirements.

Important: Secure Profile settings are restrictive and may break existing applications. Always test in a non-production environment before applying to production servers.

Available Secure Profiles

ColdFusion provides built-in profiles for common deployment scenarios.

Production Secure Profile (High Security)

Purpose: Maximum security for production internet-facing applications
Use Case: Production servers, public-facing applications, compliance requirements
Key Restrictions:
  • RDS disabled
  • Robust exception information disabled
  • Administrative API access restricted
  • File/directory operations limited
  • Potentially dangerous tags/functions disabled
  • Sandbox security enabled
Recommendation: Always use for production deployments

What Gets Disabled:
  • <cfexecute> - Prevent command execution
  • <cfregistry> - Block Windows registry access
  • <cfobject type="java"> - Restrict Java object creation
  • File upload to certain directories
  • Access to ColdFusion administrator API
  • Debug output and error details
  • RDS (Remote Development Services)

Development Profile (Moderate Security)

Purpose: Balanced security for development environments
Use Case: Local development, internal staging servers, testing environments
Key Features:
  • RDS optionally enabled
  • Debugging and error details available
  • More permissive file operations
  • Development tools accessible
  • Less restrictive sandboxing
Recommendation: Use for isolated development environments only

Development Allowances:
  • Detailed error messages and stack traces
  • Debug output enabled
  • Less restrictive file system access
  • Access to development/debugging tags
  • Administrative API may be accessible

Warning: Never use the Development Profile on production or publicly accessible servers. The reduced security restrictions create vulnerabilities.

Custom Secure Profile

Purpose: Customize security settings based on specific application needs
Use Case: Applications with specific security or functionality requirements
Approach: Start with the Production Profile, then selectively enable required features

Best Practice: Always start with the most restrictive profile (Production) and only relax the specific restrictions that your application absolutely requires. Document why each exception is needed.

Applying a Secure Profile

Application Steps

Step 1: Navigate to Security → Secure Profile in CF Administrator
Step 2: Review current security settings and profile status
Step 3: Select the desired profile (Production, Development, or None)
Step 4: Review the list of settings that will be changed
Step 5: Click Apply to implement the profile
Step 6: Test the application thoroughly to verify functionality

Critical: Applying a Secure Profile immediately changes security settings. Test thoroughly before applying to production. Some settings may require a server restart.

Deployment Checklist for Production Secure Profile

PRE-DEPLOYMENT:
□ Backup current configuration (neo-security.xml and other config files)
□ Document current security settings
□ Apply Production Secure Profile to staging/test environment
□ Run full application test suite
□ Test all critical user workflows
□ Verify file upload/download functionality
□ Test any admin or privileged operations
□ Review application logs for permission errors
□ Document any required exceptions/modifications

DEPLOYMENT:
□ Schedule during maintenance window
□ Notify stakeholders of deployment
□ Apply Production Secure Profile in administrator
□ Restart ColdFusion service (if required)
□ Verify profile applied successfully
□ Test critical application functions immediately

POST-DEPLOYMENT:
□ Monitor application logs for errors
□ Test core functionality
□ Verify no unexpected permission errors
□ Document applied profile and date
□ Update security documentation
□ Schedule regular security reviews

ROLLBACK PLAN:
□ Have configuration backup ready
□ Document rollback procedure
□ Test rollback in staging first
□ Keep previous config for quick restore

Security Settings Modified by Profiles

Detailed breakdown of settings changed when applying Production Secure Profile.

RDS Settings

Production Profile: RDS disabled completely
Development Profile: RDS optionally enabled
Impact: Prevents remote IDE access
  Critical for production security - RDS provides extensive server access

Robust Exception

Production Profile: Disabled
Development Profile: Enabled
Impact: Hides error details from users
  Prevents exposure of paths, SQL queries, and code structure

AJAX Debug Logging

Production Profile: Disabled
Development Profile: Enabled
Impact: Prevents debug info exposure
  Stops debug information from being sent to client browsers

WebSocket Logging

Production Profile: Disabled
Development Profile: Enabled
Impact: Reduces log verbosity
  Prevents excessive WebSocket logging in production

Admin API Security

Production Profile: Restricted or disabled
Development Profile: Available
Impact: Blocks programmatic admin access
  Prevents applications from modifying server configuration

Sandbox Security

Production Profile: Enabled with restrictions
Development Profile: Less restrictive
Impact: Limits file/resource access
  Creates security boundaries for application file system access

Disabled Tags and Functions

Tags and functions typically disabled by Production Secure Profile.

High-Risk Tags

Tags Disabled for Security:
  • <cfexecute> - Execute system commands
    Risk: Remote code execution, command injection
  • <cfregistry> - Access Windows registry
    Risk: System configuration changes, privilege escalation
  • <cfobject type="java"> - Create Java objects
    Risk: Unrestricted Java class access, security bypass
  • <cfobject type="com"> - Create COM objects
    Risk: Windows system manipulation, security bypass

Restricted File Operations

File/Directory Restrictions:
  • File uploads to system directories blocked
    Protected: /CFIDE, /WEB-INF, system paths
  • Read/write access to sensitive directories restricted
    Protected: Configuration directories, admin areas
  • Directory browsing/listing may be restricted
    Prevents reconnaissance and file discovery

Testing for Disabled Tags

/**
 * Test whether specific tags/functions are disabled by Secure Profile.
 * Run this on a staging server after applying the profile to verify the
 * production security settings; every check should report "disabled".
 */

// Test cfexecute
try {
    cfexecute(name="whoami", variable="result", timeout=1);
    writeOutput("⚠️ WARNING: cfexecute is ENABLED<br>");
} catch (any e) {
    writeOutput("✓ cfexecute is disabled (expected)<br>");
}

// Test cfregistry (Windows only). "getAll" is a valid cfregistry action
// (get, getAll, set, delete); an invalid action throws even when the tag is
// enabled and would report a false "disabled".
try {
    cfregistry(action="getAll", branch="HKEY_LOCAL_MACHINE\SOFTWARE", type="key", name="regTest");
    writeOutput("⚠️ WARNING: cfregistry is ENABLED<br>");
} catch (any e) {
    writeOutput("✓ cfregistry is disabled (expected)<br>");
}

// Test Java object creation
try {
    javaObj = createObject("java", "java.lang.System");
    writeOutput("⚠️ WARNING: Java object creation is ENABLED<br>");
} catch (any e) {
    writeOutput("✓ Java object creation is restricted (expected)<br>");
}

// Test Admin API access. Instantiating the CFC without calling login() only
// shows that the component is reachable from application code, which is
// still something the Production profile is expected to block.
try {
    adminAPI = createObject("component", "cfide.adminapi.administrator");
    writeOutput("⚠️ WARNING: Admin API is accessible<br>");
} catch (any e) {
    writeOutput("✓ Admin API is restricted (expected)<br>");
}

writeOutput("<br><strong>Note:</strong> All restricted items should show as disabled in production.");

Custom Security Configurations

Selective Exception Enabling

Scenario: Application requires a feature disabled by the Production Profile
Approach:
  1. Apply Production Secure Profile
  2. Document the specific feature needed
  3. Enable only that specific feature
  4. Use Sandbox Security to limit scope
  5. Document the exception and business justification

Example Use Cases:
  • PDF Generation: May require Java object access - enable for a specific sandbox only
  • Report Generation: May need cfexecute for external tools - restrict to a specific directory
  • System Integration: May need COM objects - limit to a specific application

Security Review Required: Every exception to the Production Secure Profile should be reviewed by the security team, documented, and periodically re-evaluated for necessity.

Documenting Security Exceptions

SECURITY EXCEPTION DOCUMENTATION

Exception ID: SEC-EXC-001
Date Requested: 2025-10-27
Requested By: Development Team

SECURE PROFILE EXCEPTION REQUEST
=================================

Affected Setting:
  cfexecute tag - Currently disabled by Production Secure Profile

Business Justification:
  Report generation system requires cfexecute to call external
  PDF processing tool (wkhtmltopdf) for invoice generation.
  Approximately 10,000 invoices generated monthly.
  No viable alternative found.

Security Impact Assessment:
  RISK LEVEL: Medium-High
  - Command injection possible if user input not sanitized
  - Limited to specific directory via sandbox
  - Only specific executable allowed

Mitigation Measures:
  ✓ Sandbox security restricts cfexecute to /reports directory only
  ✓ Only whitelisted executable allowed: /usr/local/bin/wkhtmltopdf
  ✓ All user input validated/sanitized before execution
  ✓ Command arguments built using parameterization
  ✓ Execution logging enabled
  ✓ Monitoring alerts for unusual execution patterns

Implementation:
  1. Enable cfexecute in Administrator
  2. Configure sandbox for /reports directory
  3. Whitelist only required executable
  4. Enable audit logging
  5. Deploy monitoring alerts

Approved By: Security Team (Jane Doe)
Date Approved: 2025-10-27
Review Date: 2026-01-27 (quarterly review)

QUARTERLY REVIEW CHECKLIST:
□ Is this exception still required?
□ Have alternative solutions become available?
□ Have there been any security incidents?
□ Are mitigation measures still effective?
□ Update review date for next quarter
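
The mitigation measures listed in the exception above, carried into code as an added example (not part of the original page or of any ColdFusion product code): one allow-listed cfexecute call, a strictly validated invoice id, an output path confined to /reports, and a log line per invocation. The component and function names, the internal invoice host, the log file name and the sandbox granting /reports are assumptions.

```cfml
// Added example; assumed names: renderInvoicePdf, invoices.internal.example,
// the "report-exec" log. The sandbox must allow cfexecute and /reports only.
component {

    // Only this executable is ever run; the name never comes from input.
    variables.ALLOWED_EXECUTABLE = "/usr/local/bin/wkhtmltopdf";
    // Output is confined to the directory the sandbox also permits.
    variables.REPORTS_DIR = "/reports";

    public string function renderInvoicePdf(required string invoiceId,
                                            required string sourceUrl) {
        // Strict allow-list on the id: no spaces, quotes, dashes or slashes,
        // so it cannot add command-line options or escape /reports.
        if (!reFind("^[A-Za-z0-9]{1,32}$", arguments.invoiceId)) {
            throw(type="InvalidInput", message="Invoice id failed validation");
        }
        // Only HTTPS URLs on the (assumed) internal invoice host are rendered.
        if (!reFindNoCase("^https://invoices\.internal\.example/[A-Za-z0-9/_.-]*$",
                          arguments.sourceUrl)) {
            throw(type="InvalidInput", message="Source URL not permitted");
        }

        // Defence in depth: the resolved output path must still be under /reports.
        var outputFile = getCanonicalPath(variables.REPORTS_DIR & "/" & arguments.invoiceId & ".pdf");
        if (left(outputFile, len(variables.REPORTS_DIR) + 1) != (variables.REPORTS_DIR & "/")) {
            throw(type="InvalidInput", message="Output path left the reports directory");
        }

        // Arguments are assembled only from values that passed the allow-lists above.
        var argList = "--quiet " & arguments.sourceUrl & " " & outputFile;
        var execOut = "";
        var execErr = "";

        // Audit trail for every invocation (mitigation: execution logging).
        writeLog(file="report-exec", type="information",
                 text="wkhtmltopdf invoice=#arguments.invoiceId# out=#outputFile#");

        cfexecute(name=variables.ALLOWED_EXECUTABLE, arguments=argList,
                  variable="execOut", errorVariable="execErr", timeout=30);

        if (!fileExists(outputFile)) {
            writeLog(file="report-exec", type="error",
                     text="wkhtmltopdf failed invoice=#arguments.invoiceId# stderr=#execErr#");
            throw(type="ReportError", message="PDF was not produced");
        }
        return outputFile;
    }
}
```

The "report-exec" log is what the exception's monitoring alerts would watch; a burst of error entries or an unexpected invoice id pattern is the signal to investigate.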

Common Issues & Solutions

Application Breaks After Applying Profile

Symptom: Features stop working after applying Production Secure Profile
Solutions:
  • Review ColdFusion exception logs for permission/security errors
  • Identify which tags/functions are being blocked
  • Test in staging environment before production
  • Create sandbox exceptions for required functionality
  • Enable specific features if business-critical (with security review)
  • Refactor code to use safer alternatives where possible
  • Document all exceptions and mitigation measures

File Upload Failures

Symptom: File uploads fail with permission errors after applying Secure Profile
Solutions:
  • Verify upload directory is outside restricted paths
  • Never upload to /CFIDE, /WEB-INF, or system directories
  • Configure sandbox security to allow uploads to specific directory
  • Ensure upload directory has proper OS permissions
  • Use dedicated uploads directory outside web root when possible
  • Implement file type validation and virus scanning
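
An upload handler that applies the fixes just listed, as an added example (not code from the original page or from ColdFusion itself): a destination outside the web root and outside /CFIDE and /WEB-INF, a unique server-side name, and an extension plus content-based type check on the stored file. The upload directory, allowed types and log file name are assumptions.

```cfml
// Added example; assumed upload directory /var/cfdata/uploads and "uploads" log.
component {

    // Outside the web root and the restricted paths; the sandbox for this
    // application must grant read/write on exactly this directory.
    variables.UPLOAD_DIR = "/var/cfdata/uploads";
    // Extension -> MIME type the stored bytes must actually match.
    variables.ALLOWED = { "pdf": "application/pdf", "png": "image/png", "jpg": "image/jpeg" };

    public string function saveUpload(required string formField) {
        // Store under a unique server-generated name. The accept list only
        // filters on the client-supplied MIME type, so it is re-checked below.
        var up = fileUpload(variables.UPLOAD_DIR, arguments.formField,
                            "application/pdf,image/png,image/jpeg", "makeUnique");
        var stored = up.serverDirectory & "/" & up.serverFile;
        var ext = lCase(up.serverFileExt);

        // Extension allow-list plus content inspection (strict=true reads the bytes).
        if (!structKeyExists(variables.ALLOWED, ext)
            || fileGetMimeType(stored, true) != variables.ALLOWED[ext]) {
            fileDelete(stored);
            writeLog(file="uploads", type="warning",
                     text="Rejected upload #up.clientFile# (ext=#ext#)");
            throw(type="InvalidUpload", message="File type not allowed");
        }

        // Virus scanning hook belongs here, before the file is handed to the application.
        writeLog(file="uploads", type="information", text="Stored #up.clientFile# as #stored#");
        return stored;
    }
}
```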

Cannot Access Admin API

Symptom: Application code using Admin API fails after Secure Profile applied
Solutions:
  • Production Secure Profile restricts Admin API access (by design)
  • Evaluate if Admin API is truly necessary in production
  • Move admin tasks to separate maintenance scripts
  • Use scheduler for admin tasks instead of real-time API calls
  • If required, enable Admin API with sandbox restrictions
  • Limit Admin API access to specific IP addresses only
  • Implement additional authentication for Admin API operations

Compliance and Security Frameworks

Security Standards Alignment: Production Secure Profile helps meet requirements for:
  • PCI-DSS: Requirement 2.2 - Develop configuration standards for all system components
  • PCI-DSS: Requirement 6.5 - Address common coding vulnerabilities
  • OWASP Top 10: Mitigates several categories including A05:2021 Security Misconfiguration
  • NIST Cybersecurity Framework: PR.AC-3 Remote access is managed
  • ISO 27001: A.12.6.1 Management of technical vulnerabilities
  • SOC 2: CC6.6 Logical and physical access controls
  • CIS Benchmarks: Application server hardening guidelines

Audit Evidence: Document when the Secure Profile was applied, which profile was used, and any exceptions granted. This documentation is often required during security audits and compliance assessments.
