← Back to ColdFusion Administrator Reference

Security - Administrator

Configure administrator passwords, RDS access, and authentication security

Last updated: October 27, 20256 min read

Overview

The Security - Administrator page controls access to the ColdFusion Administrator interface and RDS (Remote Development Services). These settings are critical for protecting your server from unauthorized access and potential security breaches. Proper configuration of administrator passwords, session timeouts, and access restrictions is essential for maintaining server security.

Administrator Password Settings

Configure secure passwords for ColdFusion Administrator and RDS access.

Administrator Password

PurposeMaster password for accessing ColdFusion Administrator
DefaultSet during installation (cannot be blank)
RecommendationUse strong, unique password (16+ characters)
StoragePassword is hashed and stored in jvm.config or similar
Password Requirements:
  • Minimum 8 characters (recommend 16+)
  • Mix of uppercase, lowercase, numbers, and special characters
  • Avoid dictionary words and common patterns
  • Never reuse passwords from other systems
  • Rotate password quarterly or after personnel changes

Confirm Password

PurposeVerification field to prevent typos when setting password
RequirementMust match Administrator Password exactly

Enable Password Protection for RDS

PurposeRequire authentication for Remote Development Services
DefaultEnabled (strongly recommended)
RecommendationAlways enable, disable RDS entirely in production
ImpactPrevents unauthorized remote access to server resources
RDS CapabilitiesFile browsing, database access, debugging

RDS Password

PurposeSeparate password for RDS access (if enabled)
DefaultSame as admin password
RecommendationUse different password from administrator
ProductionDisable RDS entirely, or use very strong password with IP restrictions
Security Warning: RDS provides significant access to server resources. Never enable in production without strict IP restrictions and monitoring.

Session and Timeout Settings

Control administrator session timeouts and login behavior.

Administrator Session Timeout (minutes)

PurposeAuto-logout after period of inactivity
Default20 minutes
RecommendationProduction: 10-15 minutes
Development: 30-60 minutes for convenience
Security ImpactShorter timeout reduces risk of unauthorized access via unattended session
Trade-offMore frequent re-authentication vs. security

Enable Login Timeout

PurposeLimit time window for completing login process
DefaultEnabled
RecommendationAlways enable
Timeout DurationTypically 60 seconds
Security ImpactPrevents certain authentication bypass attempts

Access Control Settings

Configure IP restrictions and access auditing for enhanced security.

Allowed IP Addresses

PurposeWhitelist IP addresses allowed to access administrator
DefaultEmpty (all IPs allowed)
RecommendationConfigure for production environments
FormatSingle IP: 192.168.1.100
CIDR range: 192.168.1.0/24
Multiple: Comma-separated list
Best Practices:
  • Limit to VPN IPs, office networks, or bastion hosts
  • Test configuration before deploying to production
  • Keep backup access method in case of lockout
Warning: Incorrect configuration can lock you out of the administrator. Always test IP restrictions carefully.

Blocked IP Addresses

PurposeBlacklist specific IP addresses
DefaultEmpty
Use CaseBlock known malicious IPs
PrecedenceBlocked list takes priority over allowed list

Enable Administrator Access Audit

PurposeLog all administrator login attempts and actions
DefaultDisabled
RecommendationEnable for production security monitoring
Log Locationcf_root/logs/admin-access.log
Logged InformationIP address, username, timestamp, action
Compliance: Required for many security standards including PCI-DSS, HIPAA, and SOC 2. Review logs regularly for suspicious activity.

RDS (Remote Development Services)

Remote Development Services provides remote access to ColdFusion server resources. Used by development tools like ColdFusion Builder and Dreamweaver for file browsing, database access, and debugging capabilities.

Enable RDS

PurposeEnable/disable Remote Development Services
DefaultDisabled (production), Enabled (development)
RecommendationProduction: Always disable
Development: Enable only if using compatible IDE
Security Risk: RDS can expose sensitive data and allow file manipulation. Significant security risk if not properly secured.

RDS Configuration Options

Separate PasswordUse different credentials than administrator
IP RestrictionsLimit RDS access to specific IPs
SSL/TLSUse encrypted connections for RDS
Audit LoggingEnable logging of RDS access
Best Practices:
  • Never enable RDS in production environments
  • Use strong, separate password for RDS
  • Restrict RDS access to specific developer IPs
  • Always use HTTPS/SSL for RDS connections
  • Monitor RDS access logs for unauthorized attempts

Password Security Best Practices

Strong Password Requirements

Length
Minimum 16 characters (20+ recommended)
Complexity
Mix of uppercase, lowercase, numbers, symbols
Avoid
Dictionary words, personal information, patterns
Unique
Different from other system passwords

Use a password manager to generate and store complex passwords securely.

Password Management

Rotation
Change passwords quarterly or after security events
Sharing
Never share passwords between team members
Storage
Store in encrypted password manager
Documentation
Keep secure backup of credentials in safe location

Change passwords immediately when admins leave the organization.

Password Reset Procedure

Lost Password
Can be reset via command line utility
Command
cf_root/cfusion/bin/cfsetadminpassword.sh (Unix) or .bat (Windows)
Process
Requires server restart after password reset

Document reset procedure for emergencies and test in development.

Best Practices

Production Environment

  • Use strong, unique administrator password (16+ characters)
  • Set session timeout to 10-15 minutes
  • Configure allowed IP addresses to limit access
  • Disable RDS entirely
  • Enable administrator access audit logging
  • Rotate passwords quarterly
  • Monitor admin-access.log for unauthorized attempts
  • Use VPN or bastion host for administrator access
  • Implement two-factor authentication if available
  • Restrict administrator access to minimal necessary personnel

Development Environment

  • Use strong password even in development
  • Enable RDS only if actively using compatible IDE
  • Set separate RDS password from administrator password
  • Longer session timeout acceptable (30-60 minutes)
  • Still implement IP restrictions if possible
  • Test security configurations before production deployment

Security Hardening

Hide Administrator URL
Change default /CFIDE/administrator path
Web Server Restrictions
Use web server rules to limit access
SSL/TLS
Always access administrator over HTTPS
Network Segmentation
Place admin interface on separate network
Jump Box
Require access through bastion host
Monitoring
Alert on failed login attempts
Rate Limiting
Implement login rate limiting

Compliance Considerations

PCI-DSS
Requires strong passwords, access logging, IP restrictions
HIPAA
Audit trail of administrative access required
SOC 2
Password complexity, rotation, and access controls
GDPR
Limit access to personal data via administrator

Common Issues and Solutions

Forgotten Administrator Password

Symptom: Cannot log into ColdFusion Administrator
Solutions:
  • Use cfsetadminpassword utility located at cf_root/cfusion/bin/cfsetadminpassword.sh or .bat
  • Run command: ./cfsetadminpassword.sh newpassword
  • Restart server after password reset
  • Store password securely in password manager to prevent recurrence

Locked Out by IP Restrictions

Symptom: Cannot access administrator from current IP address
Solutions:
  • Edit cf_root/lib/neo-security.xml to modify IP restrictions
  • Remove IP restrictions temporarily, restart server, reconfigure properly
  • Ensure IP not in blocked list or missing from allowed list
  • Prevention: Always add new IP before removing old access

Session Timing Out Too Quickly

Symptom: Frequent re-authentication required
Solutions:
  • Increase session timeout (balance security vs convenience)
  • Development: 30-60 minutes acceptable
  • Production: Keep at 10-15 minutes for security
  • Configure in Security - Administrator page

RDS Connection Failures

Symptom: IDE cannot connect via RDS
Solutions:
  • Verify RDS is enabled in administrator
  • Check RDS password is correct
  • Ensure firewall rules allow RDS port (typically 80/443 or separate port)
  • Verify SSL certificate if using HTTPS
  • Check IP restrictions aren't blocking your IP

Multiple Failed Login Attempts

Symptom: Login failures logged in admin-access.log
Solutions:
  • Investigate source IP address in logs
  • Legitimate causes: User forgotten password, typing errors
  • Malicious causes: Brute force attack attempt
  • Implement IP blocking for suspicious addresses
  • Prevention: Use IP restrictions, strong passwords, rate limiting

Monitoring and Auditing

Access Log Monitoring

Log File
cf_root/logs/admin-access.log
Contents
All administrator login attempts and actions
Review
Daily review of access logs
Alerts
Configure alerts for suspicious activity
Retention
Keep logs for compliance period (typically 90+ days)

Suspicious Activity Indicators

  • Multiple failed login attempts from same IP
  • Login attempts from unexpected geographic locations
  • Login attempts outside business hours
  • Access from unknown IP addresses
  • RDS access in production environment
  • Configuration changes by unauthorized users

Security Monitoring Tools

Log Aggregation
Splunk, ELK Stack, CloudWatch Logs
SIEM
Security Information and Event Management systems
Alerting
PagerDuty, OpsGenie for critical events
Intrusion Detection
Fail2ban, OSSEC for brute force protection

Advanced Security Configuration

Changing Administrator URL

Purpose
Obscure default administrator path
Default
/CFIDE/administrator
Method
Configure web server alias or use URL rewrite
Example
Map /secretadmin to /CFIDE/administrator
Security
Reduces automated attacks targeting default path

Security through obscurity - not a substitute for strong password and access controls.

Web Server Access Controls

Apache
Use Directory or Location directives with IP restrictions
IIS
Configure IP Address and Domain Restrictions
Nginx
Use allow/deny directives

Blocks access before reaching ColdFusion for better performance and security.

SSL/TLS Configuration

Requirement
Always use HTTPS for administrator access
Certificate
Valid SSL certificate (not self-signed in production)
Protocol
TLS 1.2 or higher
HSTS
Enable HTTP Strict Transport Security
Redirect
Automatically redirect HTTP to HTTPS

Related Resources

Security - Sandbox SecurityApplication-level security restrictions and sandboxingColdFusion Lockdown GuideComprehensive security hardening proceduresColdFusion Administrator ReferenceComplete administrator guide and settings reference