Adobe ColdFusion STIG Checklist

Hard 19 items · 3 hours
testuser Published 1 month ago

A practical checklist to implement the Adobe ColdFusion STIG (Ver 1, Rel 1) for Windows Server deployments. Ideal for system administrators, security engineers, and IT teams who need a step-by-step guide to harden ColdFusion, Tomcat, JVM, and integrate centralized logging and authentication.

Source: https://ncp.nist.gov/checklist/1319

  1. Download latest Adobe ColdFusion STIG — Obtain Ver 1, Rel 1 from DoD Cyber Exchange or public.cyber.mil.
  2. Inventory ColdFusion components and versions — List ColdFusion, Tomcat, JVM, OS, and installed modules.
  3. Apply ColdFusion product patches and hotfixes — Install vendor patches and security hotfixes per release notes.
  4. Update Java Virtual Machine and configure secure startup arguments — Use a supported, patched JVM and document startup flags.
  5. Set JVM memory management startup arguments — Tune Xms/Xmx and GC settings to match workload and stability needs.
  6. Configure JVM cryptographic and secure settings — Enable secure crypto providers and restrict insecure algorithms.
  7. Harden Apache Tomcat configuration — Remove default apps, restrict manager/host-manager, and secure connectors.
  8. Enforce TLS 1.2+ and strong cipher suites — Disable SSLv3/TLS1.0/1.1 and prefer strong ciphers and secure protocols.
  9. Disable or restrict ColdFusion Administrator access — Limit Admin to allowed IPs, use strong auth, and audit admin logins.
  10. Integrate ColdFusion logging with SIEM and centralize logs — Forward application, system, and audit logs to your SIEM for alerts.
  11. Configure LDAP/IdP authentication and enforce least-privilege roles — Map ColdFusion roles to LDAP groups and enforce role-based access.
  12. Set secure file and directory permissions for ColdFusion — Restrict write/execute access to service accounts only.
  13. Disable unused ColdFusion services and connectors — Turn off features and connectors not required by your deployment.
  14. Enable session timeout and secure cookie flags — Set reasonable session lifetimes and mark cookies Secure and HttpOnly.
  15. Enable request validation and XSS/CSRF protections — Activate built-in input validation and anti-CSRF measures for apps.
  16. Backup ColdFusion configuration and application files — Create and secure backups of cfconfig, webapps, and data before changes.
  17. Perform a vulnerability scan and remediate findings — Run authenticated scans and fix high/critical issues promptly.
  18. Restart ColdFusion service and verify application functionality — Gracefully restart and run smoke tests to confirm uptime and features.
  19. Document changes and schedule periodic STIG reviews — Record configurations, rationales, and set review cadence per policy.
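
Items 8 and 14 are the easiest steps to verify mechanically after the restart in item 18. The PowerShell script below is an added example written for this page, not part of the checklist, the STIG or Adobe's tooling: it parses the bundled Tomcat server.xml and web.xml of a ColdFusion instance and reports TLS connectors that still allow pre-TLS 1.2 protocols or carry no explicit cipher list, plus session settings that lack a timeout or the Secure and HttpOnly cookie flags. The install path and the 30-minute timeout threshold are assumptions; point them at your instance and your policy.

```powershell
# Added example: audits a ColdFusion instance's bundled Tomcat configuration for
# checklist items 8 (TLS 1.2+, explicit ciphers) and 14 (session timeout, Secure
# and HttpOnly cookie flags). Not part of the checklist or the STIG.
param(
    [string]$ConfDir = 'C:\ColdFusion2023\cfusion\runtime\conf',  # assumed install path
    [int]$MaxSessionMinutes = 30                                   # assumed policy threshold
)

$findings = New-Object 'System.Collections.Generic.List[string]'

# ---- Item 8: TLS connectors -------------------------------------------------
[xml]$server = Get-Content -Path (Join-Path $ConfDir 'server.xml') -Raw

# Protocol names Tomcat accepts that a TLS 1.2+ requirement rules out.
$weakProtocols = @('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.0', 'TLSv1.1')

foreach ($c in $server.SelectNodes('//Connector')) {
    $port = $c.GetAttribute('port')
    if ($c.GetAttribute('SSLEnabled') -ne 'true') {
        # Plaintext HTTP/AJP connectors are listed so the reviewer can confirm each
        # one is still required (item 13) rather than an installer default.
        $findings.Add("port ${port}: connector is not TLS-enabled (protocol='$($c.GetAttribute('protocol'))')")
        continue
    }

    # Tomcat 8.5+ usually nests TLS settings in <SSLHostConfig>; older layouts put
    # sslEnabledProtocols/ciphers directly on the <Connector>. Check both.
    $hostCfg   = $c.SelectSingleNode('SSLHostConfig')
    $protocols = if ($hostCfg) { $hostCfg.GetAttribute('protocols') } else { $c.GetAttribute('sslEnabledProtocols') }
    $ciphers   = if ($hostCfg) { $hostCfg.GetAttribute('ciphers') }   else { $c.GetAttribute('ciphers') }

    if ([string]::IsNullOrWhiteSpace($protocols) -or $protocols -eq 'all') {
        $findings.Add("port ${port}: TLS protocols not explicitly restricted (value='$protocols'); set TLSv1.2,TLSv1.3")
    } else {
        foreach ($tok in ($protocols -split ',')) {
            $tok = $tok.Trim()
            if ($tok.StartsWith('-')) { continue }   # '-TLSv1' syntax explicitly removes a protocol
            if ($weakProtocols -contains $tok.TrimStart('+')) {
                $findings.Add("port ${port}: weak protocol '$tok' is enabled")
            }
        }
    }
    if ([string]::IsNullOrWhiteSpace($ciphers)) {
        $findings.Add("port ${port}: no explicit cipher list; Tomcat/JVM defaults will be used")
    }
}

# ---- Item 14: J2EE session timeout and cookie flags -------------------------
[xml]$web = Get-Content -Path (Join-Path $ConfDir 'web.xml') -Raw
# Dot navigation ignores the javaee namespace, so no namespace manager is needed.
$sessionCfg = $web.'web-app'.'session-config'

if (-not $sessionCfg) {
    $findings.Add('web.xml: no <session-config>; timeout and cookie flags fall back to defaults')
} else {
    $timeout = 0
    if (-not [int]::TryParse($sessionCfg.'session-timeout', [ref]$timeout) -or $timeout -le 0) {
        # Servlet spec: a missing, zero or negative value means sessions never expire
        $findings.Add("web.xml: session-timeout '$($sessionCfg.'session-timeout')' is missing or unlimited")
    } elseif ($timeout -gt $MaxSessionMinutes) {
        $findings.Add("web.xml: session-timeout is $timeout minutes, above the $MaxSessionMinutes-minute threshold")
    }
    $cookieCfg = $sessionCfg.'cookie-config'
    if ($cookieCfg.'http-only' -ne 'true') { $findings.Add('web.xml: cookie-config/http-only is not true') }
    if ($cookieCfg.secure      -ne 'true') { $findings.Add('web.xml: cookie-config/secure is not true') }
}

# ---- Report -----------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'PASS: no findings for items 8 and 14'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1   # non-zero so the check can gate a change window or pipeline
}
```

Run it from an elevated prompt on the ColdFusion host after item 18 and keep the output with the item 19 documentation. Note its scope: web.xml governs the J2EE session cookie (JSESSIONID); the ColdFusion session cookies CFID and CFTOKEN take their Secure and HttpOnly flags from the session cookie settings in the ColdFusion Administrator, which this script does not read, so check those by hand.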