I'm an Information Security Analyst, and currently I'm trying to strengthen our ColdFusion hardening standards. I have an issue that I need to understand.
I'm referencing two separate Adobe documents:
First document:
ColdFusion 9 Lockdown Guide
Recommends:
Page 16 of 35. Do not enable RDS. Click next...
Next document:
Security Advisory for ColdFusion
Release date: January 4, 2013
Last updated: January 16, 2013
Vulnerability identifier: APSA13-01
Recommends:
- Setting the password for Remote Development Services (even if RDS is disabled)
- Enabling password protection for RDS
- Setting the Admin password and enabling password protection for Administrator
So, Adobe first recommends not enabling RDS at all, but then recommends as a "mitigation" enabling RDS (post-installation) to set up a username and password, while the ColdFusion 9 Lockdown Guide says "Do not enable RDS."
Maybe as a "Remediation", Adobe should just remove RDS, since a) they recommend keeping it disabled and b) it's such a vulnerability? Also, I would suggest that the recommendations from the Security Advisories be incorporated into an updated ColdFusion 9 Lockdown Guide.
I'm sure this cannot be the first time they've heard this.
Don