Better security for JRUN in a J2EE or multi server installation of Coldfusion
The default installation of CFMX/JRun is not especially secure. For example, the JMC (JRun Management Console) password is stored as plain text, so if you do not have security sandboxes enabled and cffile is enabled, any user on the server could easily read this password out of the file.
So first we need to secure the JRUN Admin.
- Login to the JRUN management console.
- From left menu select the ADMIN server.
- Now select Services and security
- In the right panel, click “Edit Users”
- Check the box “Encrypt Passwords”
- Now add a new user called “administrator”, with roles “admin” and “jcmadmin”, and assign the current default password that you are using for the JRUN Admin Console and/or coldfusion administrator.
- Now delete the “admin” user that you are currently logged in with.
- Close the browser window, and now run the JRUN Admin console again and login as “administrator” to test that it works.
NOTE: Some passwords appear to not work, so try to avoid using special characters. Just use upper/lower case letters and numbers.
If for any reason you find you are unable to login to the JRUN Management Console, you can reset the password as follows.
Open the following file in notepad.
<install path>:\JRun4\servers\admin\SERVER-INF\jrun-users.xml
Change this line
<encryption>true</encryption>
To
<encryption>false</encryption>
Then edit the following
<user>
  <user-name>administrator</user-name>
  <password>encrypted password here</password>
  <description />
</user>
Because encryption is now set to false, type the new password in plain text between the <password></password> tags.
Now perform the previous steps again.
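The two procedures above (turning on “Encrypt Passwords” and the manual reset in jrun-users.xml) both come down to the state of one file, so a small audit script is a useful way to confirm the result and to catch a server that has drifted back to plain text. The following is an added example and is not code from the original post or from JRun: it reads the <encryption> flag and the <user>/<user-name>/<password> elements shown on this page. The <jrun-users> root element in the constructed samples, and the placeholder encrypted value, are assumptions; a real file may carry other surrounding elements.

```python
"""Audit a JRun jrun-users.xml for the weaknesses the procedure above fixes.

Added example, not code from the original post or from JRun. Only the
<encryption> flag and the <user>/<user-name>/<password>/<description>
elements are taken from the page; the <jrun-users> root element and the
placeholder encrypted value in the samples are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a default-style file before "Encrypt Passwords" is enabled.
SAMPLE_PLAINTEXT = """<?xml version="1.0" encoding="UTF-8"?>
<jrun-users>
  <encryption>false</encryption>
  <user>
    <user-name>admin</user-name>
    <password>Summer2007</password>
    <description />
  </user>
</jrun-users>
"""

# Constructed sample after the fix: encryption on, default user replaced.
# The password value is a placeholder, not JRun's real encrypted format.
SAMPLE_ENCRYPTED = """<?xml version="1.0" encoding="UTF-8"?>
<jrun-users>
  <encryption>true</encryption>
  <user>
    <user-name>administrator</user-name>
    <password>ENCRYPTED-VALUE-PLACEHOLDER</password>
    <description />
  </user>
</jrun-users>
"""

DEFAULT_USER = "admin"  # the account the post replaces with "administrator"


def audit_jrun_users(xml_text):
    """Return a list of findings; an empty list means nothing to report."""
    root = ET.fromstring(xml_text)  # raises ParseError if the edit broke the XML
    findings = []

    encrypted = (root.findtext("encryption") or "").strip().lower() == "true"
    if not encrypted:
        findings.append("<encryption> is not true: every <password> is the literal credential")

    users = root.findall("user")
    if not users:
        findings.append("no <user> entries found")

    for user in users:
        name = (user.findtext("user-name") or "").strip()
        password = (user.findtext("password") or "").strip()
        if name == DEFAULT_USER:
            findings.append(f"default user '{DEFAULT_USER}' still exists")
        if not password:
            findings.append(f"user '{name}' has an empty password")
        elif not encrypted:
            findings.append(f"user '{name}': {len(password)}-character password readable in file")
    return findings


def audit_file(path):
    """Run the audit on a real file, e.g. JRun4\\servers\\admin\\SERVER-INF\\jrun-users.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_jrun_users(fh.read())


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_PLAINTEXT), ("after", SAMPLE_ENCRYPTED)):
        print(f"{label}: {audit_jrun_users(sample) or ['no findings']}")
```

Run it against the admin server's jrun-users.xml after completing the steps; it should report nothing. Because the parser rejects malformed XML, the same call also tells you whether a hand edit during the reset procedure left the file in a state JRun could not load.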
For added security on a shared server you may also want to totally disable the CFEXECUTE and REGISTRY tags.
Edit the following file.
<install path>:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cftags\META-INF\taglib.cftld
Find the following two sections and comment them out like this. The first <name> entry under each <tag> identifies the tag (execute and registry).
<!--
<tag>
  <name>execute</name>
  <tagclass>coldfusion.tagext.lang.ExecuteTag</tagclass>
  <bodycontent>JSP</bodycontent>
  <info>Executes a command in a separate process on the server.</info>
  <attribute>
    <name>name</name>
    <required>true</required>
    <rtexprvalue>true</rtexprvalue>
  </attribute>
  <attribute>
    <name>arguments</name>
    <required>false</required>
    <rtexprvalue>true</rtexprvalue>
  </attribute>
  <attribute>
    <name>outputfile</name>
    <required>false</required>
    <rtexprvalue>true</rtexprvalue>
  </attribute>
  <attribute>
    <name>timeout</name>
    <required>false</required>
    <rtexprvalue>true</rtexprvalue>
  </attribute>
  <attribute>
    <name>variable</name>
    <required>false</required>
    <rtexprvalue>true</rtexprvalue>
  </attribute>
</tag>
-->
<!--
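Commenting a <tag> out of taglib.cftld removes it from the descriptor as far as any XML parser is concerned, which gives a simple way to verify the change on each instance: parse the file and list the tag names that survive. The script below is an added example, not code from the original post or from ColdFusion. The <taglib> root element follows the JSP tag-library-descriptor convention, and the registry and output entries in the constructed sample use placeholder class names; only the execute entry is taken from the page.

```python
"""Report which tags a ColdFusion taglib.cftld still exposes.

Added example, not code from the original post or from ColdFusion. An XML
parser drops comments, so a <tag> that has been commented out simply vanishes
from the parsed tree; the check is whether the tags you meant to disable are
still visible. The <taglib> root element is assumed (JSP TLD convention) and
the non-execute entries in the sample carry placeholder class names.
"""
import xml.etree.ElementTree as ET

# Tags the post recommends disabling on a shared server.
SHARED_HOST_DISABLE = {"execute", "registry"}

# Constructed sample: execute has been commented out, registry has not.
SAMPLE_TLD = """<?xml version="1.0" encoding="UTF-8"?>
<taglib>
  <!--
  <tag>
    <name>execute</name>
    <tagclass>coldfusion.tagext.lang.ExecuteTag</tagclass>
    <bodycontent>JSP</bodycontent>
    <info>Executes a command in a separate process on the server.</info>
  </tag>
  -->
  <tag>
    <name>registry</name>
    <tagclass>PLACEHOLDER.RegistryTagClass</tagclass>
    <bodycontent>JSP</bodycontent>
  </tag>
  <tag>
    <name>output</name>
    <tagclass>PLACEHOLDER.OutputTagClass</tagclass>
    <bodycontent>JSP</bodycontent>
  </tag>
</taglib>
"""


def active_tags(tld_text):
    """Names of all <tag> entries the parser can still see (comments excluded)."""
    root = ET.fromstring(tld_text)  # raises ParseError if the edit broke the file
    names = []
    for tag in root.findall("tag"):
        name = (tag.findtext("name") or "").strip()
        if name:
            names.append(name)
    return sorted(names)


def still_enabled(tld_text, wanted_off=SHARED_HOST_DISABLE):
    """Subset of wanted_off that is still active, i.e. not yet commented out."""
    return sorted(set(active_tags(tld_text)) & set(wanted_off))


def check_file(path):
    """Run the check on a real descriptor, e.g. ...\\WEB-INF\\cftags\\META-INF\\taglib.cftld."""
    with open(path, encoding="utf-8") as fh:
        return still_enabled(fh.read())


if __name__ == "__main__":
    print("active:", active_tags(SAMPLE_TLD))
    print("still enabled but should be disabled:", still_enabled(SAMPLE_TLD))
```

Run check_file against the taglib.cftld of every instance, not just [cfusion], since instances created before the edit keep their own copy. An empty list means both tags are gone; a ParseError means the comment markers were placed badly and the instance would likely fail to load the descriptor.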
If you now want to be clever and replace these tags with something else, put the replacements in the following directory.
<install path>:\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cftags
Create two files, execute.cfm and registry.cfm.
These files can contain anything you like, such as throwing a custom ColdFusion error to tell users that the tags are disabled.
Whenever you create a new instance, the default “cfusion” instance's files are copied, including the ones you have now modified, so these tags should now be disabled in all instances. A restart may be required.
NB: The above examples presume you are working on the default [cfusion] instance.
For other instances, the paths are slightly different.
E.G.
<install path>:\JRun4\servers\[instance name]\cfusion.ear\cfusion.war\WEB-INF\cftags
It is also important to note that any changes you make to the default [cfusion] instance will be replicated to any new instance you create from the ColdFusion Enterprise Manager, as it simply copies the [cfusion] instance. So any DSNs, mappings etc. will be duplicated.
If you do not want this to happen, then never make any changes to the default instance via the ColdFusion Administrator. Keep it as a base template and stop the service when you are not using it. When you want to create a new instance, start the [cfusion] instance and log in to the CFADMIN.
Jan 26, 2007 at 7:48 PM Thanks for info on JRUN passwords.