Configuring Administrator Security

ColdFusion Express Server offers one level of security: Basic security. Basic security allows you to secure the ColdFusion Administrator with a password.

To access Basic security settings in the ColdFusion Administrator, open the Server, Basic Security page.

If you upgrade to ColdFusion Professional or Enterprise edition, ColdFusion also offers Advanced security. Advanced security allows you to exercise a high degree of control over a wide range of ColdFusion resources, including CFML tags (as well as individual tag ACTION types), specific SQL operations, as well as other ColdFusion resources.

Installation defaults

The ColdFusion Administrator installs with secure access enabled. The password you enter as part of the setup is saved as the default, so that when you open the Administrator for the first time, you are prompted to enter the password. We recommend that you continue to use Administrator security until you complete the ColdFusion server configuration.

Disabling Administrator security

You can disable Basic security for the ColdFusion Administrator on the Server, Basic Security page. Once you've disabled this option, anyone can open the Administrator pages and make changes to ColdFusion Server settings.

Securing data sources

You can take the following measures to secure the data sources that you intend to use with ColdFusion Express:

Use a database system that supports security and create a user account that has access to only selected tables and operations (such as, SELECT, INSERT). You can then configure ColdFusion to use that account when interacting with the data source.
Select the ColdFusion Settings button from the ColdFusion ODBC page to allow only certain SQL operations (such as SELECT and INSERT) in interactions with the data source.

Basic Security limitations

ColdFusion Basic security hinges on the protection of a single password per server. As long as the password is kept secret, unauthorized access to the Administrator and databases on the server is impossible. It's important to understand that this security model has two liabilities:

Password vulnerability. The password can be lost, stolen, or hacked.
Access control is generalized, that is, remote developers have access either to all data sources, or none. With Basic security, you can't protect individual directories and/or databases as you can with ColdFusion Enterprise and ColdFusion Professional.