ColdFusion 11 Lockdown Guide Pete Freitag
Adobe documentation - Confidential

Contents

Introduction
Default File Paths and Usernames
Operating Systems and Web Servers
ColdFusion Version
Run the ColdFusion Web Server Configuration Tool
Run the ColdFusion WebSocket Proxy Configuration Tool
Remove Unused Handler Mappings
Create alias for /CFIDE/scripts
Server Settings > Mappings
Server Settings > Mail
Server Settings > WebSocket
Optionally Remove ASP.NET
Change the Tomcat Shutdown Port
Add a connector shared secret
Disable Unused Servlet Mappings

Introduction

The ColdFusion 11 Server Lockdown Guide is written to help server administrators secure their ColdFusion 11 installations. In this document, you will find several tips and suggestions intended to improve the security of your ColdFusion server. The reader is strongly encouraged to test all recommendations in an isolated test environment before deploying into production.

ColdFusion on Windows

This section covers the installation and configuration of ColdFusion 11 on a Windows 2012 server. If you are running Linux you may skip to section 3. In this section we will perform the following:

• Installation Prerequisites
• Install ColdFusion
• Check for, and install any ColdFusion hotfixes.
• Create dedicated user account(s) for ColdFusion to run as.
• Create dedicated user account(s) for IIS Application Pool Identities.
Run the installer exe. On the Installer Configuration view select Server configuration unless you are deploying to an external JEE server (such as JBoss, Weblogic or Websphere).
Select Production Profile + Secure Profile, and specify IP addresses which may access ColdFusion Administrator. The Secure Profile option provides a more secure foundation of default settings. You can review the settings it toggles here: https://wikidocs.adobe.
Next select only the Sub-components which are required for your application(s). Check each servlet that is not needed to disable it. See Section 5 for more info. If you installed the PDFG or Solr service you can optionally specify which IP addresses can access these services. Keeping the Access Add-on Services Remotely checkbox unchecked will run the services so they are accessible from localhost only.
Select the Built-in web server; we will run the web server configuration utility later in this guide to connect ColdFusion to IIS. When the built-in web server is selected you will be prompted for a port to run it on; select a port number different from the default 8500.
For Administrator Credentials, select a unique username (not admin) and a strong password.

Install ColdFusion Hotfixes and Updates

Log in to the ColdFusion administrator via the built-in web server. For example: http://127.0.0.1:8500/CFIDE/administrator/ (replace 8500 with the port you selected during installation). Click on Server Updates > Updates. If any hotfixes are available, select the latest hotfix and click Download. Verify the integrity of the download by running FCIV -md5 on the hotfix_XXX.

Create User Accounts

Create a Windows user account (in Computer Management) for ColdFusion to run as. In this guide, we use cfuser, but you should select a unique user name.
Next create a user for the IIS Application pool identity. For each user created in this section right click and select Properties. In the Remote Desktop Services Profile tab check the box that says Deny this user permission to log on to Remote Desktop Session Host server. If the new users were added to any default groups (such as Users) remove them from that group.

Setup Permissions for ColdFusion User

Grant the user you created for ColdFusion to run as (cfuser in our example) and the Administrators group full control over the ColdFusion installation directory. Remove all other user and group permission from this directory. Right click on your {cf.root} directory in Windows Explorer and select Properties. Click on the Security tab then click Advanced.
For maximum security you should consider a more detailed permission structure for the ColdFusion installation directory to prevent runtime changes to certain resources or configuration. Restrictive permissions may however break features like security hotfix installation from within ColdFusion administrator. If you run the ColdFusion Hotfix installer as described in section 2.

Folder: {cf.root}/config/wsconfig/
Principal: IUSR, iisuser
Permission: Read & execute; List folder contents; Read

Folder: {cf.root}/config/wsconfig/n/isapi_redirect.log
Principal: iisuser
Permission: Read; Write

Folder: {cf.root}/config/wsproxy/
Principal: IUSR, iisuser
Permission: Read & execute; List folder contents; Read

Folder: {cf.instance.root}/wwwroot/CFIDE
Principal: IUSR, iisuser
Permission: Read & execute; List folder contents; Read

The ColdFusion IIS connector writes logs to a file called isapi_redirect.
ColdFusion service, for example ColdFusion 11 Application Server. Right click on each key and select Permissions and grant the ColdFusion user account read permission. If your application makes use of Client variables and uses the registry the ColdFusion user will need Full Permission to the HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\ColdFusion\CurrentVersion\Clients key (this key will not exist until client variables have been used).

Specify Log On User for ColdFusion Services

Open the Services Manager and change the user the service runs as to be the user you created (cfuser in the guide example). The installation creates a service named ColdFusion 11 Application Server which runs the initial ColdFusion instance. Right click the service, click Properties and select the Log On tab to specify the username and password for the account you created. Restart the ColdFusion 11 Services.

Setup Web Root Permissions

Right click on the web site partition folder (e.g. d:\web-sites\), and select Properties. Select the Security tab and click the Advanced button. In the Permissions tab click the Disable inheritance button, then select Remove all inherited permissions from this object. Click Add, then click Select a principal and use table 2.8.1 to select the appropriate permissions for each Principal listed. Table 2.8.

Principal (User / Group): IUSR (the anonymous authentication account)
Permissions: Read & execute; List folder contents; Read

Principal (User / Group): cfuser (Your ColdFusion Service Identity)
Permissions: Read & execute; List folder contents; Read (Add additional permissions as needed, for example if CFFILE is used to write image files in an images folder under the webroot, grant write permission to the images folder).

Check Replace all child object permission entries with inheritable permission entries from this object and click OK.

Add Required IIS Roles & Role Services

Open the Windows Server Manager application, under the Manage menu select Add Roles and Features. If IIS is not already installed check Web Server (IIS).
• Application Development: ISAPI Filters
• Management Tools: IIS Management Console

If you use WebSockets you should also install Application Development: WebSocket Protocol.

Configure IIS

Open IIS, expand Sites and remove any sites that you do not need, for example the Default Web Site.

Configure Request Filtering

Open the Internet Information Services (IIS) Manager application and click on the root node above Sites. Click on Request Filtering and then select the URL tab. Click on Deny Sequence and enter /CFIDE/administrator to block access to it. Consult table 2.10.1 and 2.10.2 and block all URIs that are not needed.

Table 2.10.1 : CFIDE URIs

URI: /CFIDE/administrator
Purpose: ColdFusion Administrator
Safe to Block: Yes, we will create a dedicated web site for ColdFusion administrator access.

URI: /CFIDE/adminapi
Purpose: Admin API
Safe to Block: Yes, if the admin API is called from internal CFML code it will still work when the URI is blocked. If the admin API is accessed through a remote cfc function call then use another method to protect this URI (e.g. IP restriction).

URI: /CFIDE/multiservermonitoraccess-policy.xml
Purpose: Used to set a policy for allowing viewing the server monitor from multiple domains.

URI: /CFIDE/orm
Purpose: Contains interfaces used with ORM. These interfaces do not need to be accessible through the web server.
Safe to Block: Yes

URI: /CFIDE/portlets
Purpose: Contains API for building portlets with JSR-286, JSR168 or WSRP. The API does not need to be accessible through the web server.
Safe to Block: Yes

URI: /CFIDE/probe.

URI: /CFIDE/services
Purpose: Contains CFCs that can act as a service layer to Flex, or other client side applications. The client application must have a username / password and also an allowed IP. Enabling this feature can open up a large amount of security risk to the application server.
Safe to Block: Yes

URI: /CFIDE/websocket
Purpose: API for web socket listener CFCs. Does not need to be open via the web server if used.

URI: /flex2gateway
Purpose: Flex Remoting
Safe to Block: Only if Flex Remoting is not used.

URI: /cfform-internal
Purpose: Used for
Safe to Block: Only if Flash Forms are not used.

URI: /flex-internal
Purpose: Flex Remoting
Safe to Block: Only if Flex Remoting is not used.

URI: /cffileservlet
Purpose: Serves dynamically generated assets. It supports the cfreport, cfpresentation, cfchart, and cfimage
Safe to Block: Only if cfreport, cfpresentation, cfchart and cfimage are not used.

Configure Application Pool Defaults

Click on Application Pools, remove any unused or unnecessary Application Pools that may exist. Click on Set Application Pool Defaults. Change .NET Framework Version to No Managed Code. Under Process Model, change the default Identity. Select Custom account and specify the user name you created in Section 2.4.

Remove X-Powered-By Response Header

Double click on HTTP Response Headers under the root IIS node.

Create ColdFusion Administrator Web Site

In this section we will create an IIS site which will be used exclusively for accessing the ColdFusion administrator. An alternate approach is to access the ColdFusion administrator from the built-in web server instead. Please read Section 5.1 for additional consideration.
Click the Test Settings… button to verify that permissions are set up correctly. Consider disabling anonymous access to this site and requiring web server authentication for an additional layer of protection and auditing. Next, require SSL for this website by double clicking on the SSL Settings icon for the cfadmin site and checking the Require SSL checkbox. Visit https://127.0.0.1/ and ensure that it requires SSL and authentication.
If you blocked /CFIDE globally in section 2.10, add request filtering rules to block all the /CFIDE URIs except /CFIDE/administrator (see table 2.10.1).

Add Sites to IIS

This is a good time to add your website(s) to IIS so they can be configured by the web server configuration tool in the next step. Important: It is important to note that because ColdFusion has not been connected to IIS yet, requests to cfm, cfc, etc.

Run the ColdFusion Web Server Configuration Tool

Right click on wsconfig.exe, located in {cf.instance.root}/runtime/bin/ and select Run as Administrator. Click the Add... button. Under Web Server make sure Internet Information Server (IIS) is selected. For IIS Web Site, you can either install the connector for All sites on IIS or select only certain sites.
Sites that use the ColdFusion WebSocket proxy must change the .NET Framework Version in Application Pool Settings from No Managed Code to a version of .NET that supports WebSockets (v4+).

Remove Unused Handler Mappings

In IIS under the root/global configuration node double click Handler Mappings. You will see several handler mappings defined by both ASP.NET and the ColdFusion Web Server Configuration Tool.

Add IP Restrictions to /CFIDE

In IIS expand the ColdFusion Administrator site you created and select the CFIDE folder. Click on Edit Feature Settings… and specify Access for unspecified clients: Deny, and Deny Action Type: Not Found. Click Add Allow Entry… and enter the IP addresses that are allowed to access /CFIDE, for example 127.0.0.1. Next, if you use any of the tags listed in section 2.
Before editing, create a backup of the jvm.config file located in the {cf.instance.root}/bin/ directory. Open the file with a text editor to locate the line beginning with java.home= for example:

    java.home=C:\\CF11\\jre

Change that line to the path of the new JRE, for example:

    java.home=C:/java/jdk1.7.0_XX/jre

Note: The path must use forward slashes / or escaped backslashes \\ otherwise ColdFusion will not start. Restart ColdFusion.

ColdFusion on Linux

This section covers installation of ColdFusion on Linux with Apache; Windows/IIS readers may skip to Section 4. To install ColdFusion 11 on Linux we will perform the following steps:

• Perform installation prerequisites
• Create a Dedicated User Account for ColdFusion to run as.
• Install ColdFusion
• Check for, and install any ColdFusion hotfixes.
• Configure Apache
• Configure file system permissions.

    # adduser -g webusers -s /sbin/nologin -M -c ColdFusion cfuser

Specify a strong password for the new user:

    # passwd cfuser

If you are running multiple instances of ColdFusion consider creating a dedicated user account for each instance to run as.

ColdFusion Installation

• Run the installer as root or using sudo.
• Installer Configuration: Choose #1 - Server configuration
• If you are deploying ColdFusion to a JEE server such as WebSphere, WebLogic, JBoss, etc.
Click on Server Updates > Updates and then select the latest hotfix, and click Download. Verify the integrity of the download by performing an md5sum on the hotfix_XXX.jar file, and check that it matches the value found in the Adobe ColdFusion update feed: https://www.adobe.com/go/coldfusionupdates

If the md5 checksum matches, install the hotfix:

    /opt/cf11/jre/bin/java -jar /opt/cf11/cfusion/hfupdates/hotfix_XXX.jar

Replace hotfix_XXX.
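
The checksum comparison above can be turned into a gate that refuses to start the installer on a mismatch. This is an added example, not part of the original guide: verify_hotfix and install_hotfix are hypothetical helper names, the expected digest is whatever the Adobe update feed lists for your hotfix, and the Java path is the one used in the guide.

```shell
#!/bin/sh
# Added example, not from the guide: refuse to install a hotfix whose MD5
# does not match the value published in the Adobe update feed.

# verify_hotfix FILE EXPECTED_MD5 -> 0 match, 1 mismatch, 2 unusable input
verify_hotfix() (
    file=$1
    # Published values may be upper-case or carry stray whitespace; normalise.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "not a file: $file" >&2; return 2; }
    # An MD5 digest is exactly 32 hex digits. Anything else is a copy/paste
    # error and must not be treated as "nothing to compare".
    case $expected in
        ''|*[!0-9a-f]*) echo "expected value is not an MD5 digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "expected value is not 32 hex digits" >&2; return 2; }

    actual=$(md5sum "$file" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MD5 mismatch for $file: got $actual, expected $expected" >&2
    return 1
)

# install_hotfix JAR EXPECTED_MD5
# Runs the installer only after the digest check passes. CF_JAVA defaults to
# the JRE path used in the guide; override it if ColdFusion lives elsewhere.
install_hotfix() {
    verify_hotfix "$1" "$2" || return $?
    "${CF_JAVA:-/opt/cf11/jre/bin/java}" -jar "$1"
}

# Constructed demo: an empty stand-in file, checked against the MD5 of empty
# input (d41d8cd98f00b204e9800998ecf8427e) written in upper case.
demo_jar=$(mktemp)
verify_hotfix "$demo_jar" D41D8CD98F00B204E9800998ECF8427E && echo "digest verified"
rm -f "$demo_jar"
```
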

    # fgrep LoadModule /etc/httpd/conf/httpd.conf

Some modules that you may be able to remove (or comment out by placing a # at the beginning of the line) include: mod_imap, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

Add apache user to webusers group

The Apache web server runs as user apache by default (consider changing this username to a non default username) on Red Hat Enterprise Linux. Add the apache user to the webusers group we created in section 3.
SELinux requires permissions to allow apache to read the web root; we will copy the permissions from /var/www (the default apache web root on RHEL 6, using the --reference flag) and apply them to /www (our web site partition).

    # chcon -R --reference=/var/www /www

Note: When you add new files to the web root be sure that the permissions are correct.

Configure Default Site

Edit httpd.
Next you must specify the URI alias you used in the ColdFusion administrator under the Default ScriptSrc Directory on the Server Settings > Settings Page.

Lock Down CFIDE and other URIs

First let's tell apache to deny all requests to /CFIDE except those from 127.0.0.

    RedirectMatch 404 (?i).*/WSRPProducer.*

Restart apache and test URIs that should be blocked.

Specify permissions for ColdFusion Directories

Next we will make cfuser the owner and root the group of the installation directory recursively.

    chown -R cfuser:root /opt/cf11/
    chmod -R 750 /opt/cf11/

You should consider a more restrictive file permission structure which removes any unnecessary write permissions.

    /opt/coldfusion10/config/wsconfig/1/mod_jk.so: failed to map segment from shared object: Permission denied

If you are not running SELinux you can skip any commands that begin with chcon or setsebool. First create an empty log file:

    touch /opt/cf11/config/wsconfig/1/mod_jk.
Next we will use the semanage utility (you may need to run yum install policycoreutils-python) to add port 8014 to the list of ports httpd can connect to.

    semanage port -a -t http_port_t -p tcp 8014

Restart apache and test accessing a cfm file.

Setup ColdFusion Administrator Web Site

In this section we will create an Apache virtual host which will be used exclusively for accessing the ColdFusion administrator.

    # /usr/bin/htdigest -c /etc/httpd/cfadmin.digest.pwd cfadmins petefreitag

The above command will create or overwrite the password file in the specified location, and create a user named petefreitag in group cfadmins. To add more users omit the -c flag. Next let's specify permissions such that only root can write to this file, and apache can only read it:

    # chown root:apache /etc/httpd/cfadmin.digest.pwd
    # chmod 640 /etc/httpd/cfadmin.digest.
To update using ColdFusion Administrator: click on Server Settings > Java and JVM and then add /usr/java/latest/ to the Java Virtual Machine Path text box.

To update via shell: Edit jvm.config in a text editor to locate the line beginning with java.home= for example:

    java.home=/opt/cf11/jre

Change that line to:

    java.home=/usr/java/latest

Restart ColdFusion for the new JVM to take effect.
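
The shell edit described above can be scripted so that jvm.config is backed up first and is never pointed at a directory that has no JVM. This is an added example, not part of the original guide: set_java_home and current_java_home are hypothetical helper names, and the demo runs against a constructed scratch directory rather than a real ColdFusion install.

```shell
#!/bin/sh
# Added example, not from the guide: switch jvm.config to a new JRE safely.

# current_java_home JVM_CONFIG -> prints the value of the java.home= line
current_java_home() {
    sed -n 's/^java\.home=//p' "$1"
}

# set_java_home JVM_CONFIG NEW_HOME -> 0 on success, non-zero on failure
set_java_home() (
    conf=$1
    new_home=${2%/}     # tolerate a trailing slash such as /usr/java/latest/
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    # ColdFusion will not start if java.home points at a directory without a
    # JVM, so check before touching the file.
    [ -x "$new_home/bin/java" ] || { echo "no executable $new_home/bin/java" >&2; return 2; }
    grep -q '^java\.home=' "$conf" || { echo "no java.home= line in $conf" >&2; return 2; }

    # Keep the previous file next to the original for rollback.
    cp -p "$conf" "$conf.bak" || return 2
    # Rewrite only the java.home line; every other line passes through.
    # Writing through ">" keeps the original file's owner and mode, and
    # ENVIRON avoids the escape processing awk applies to -v values.
    NEW_HOME=$new_home awk '
        /^java\.home=/ { print "java.home=" ENVIRON["NEW_HOME"]; next }
        { print }
    ' "$conf.bak" > "$conf" || { cp -p "$conf.bak" "$conf"; return 2; }

    # Confirm the file now says what we intended.
    [ "$(current_java_home "$conf")" = "$new_home" ]
)

# Constructed demo in a scratch directory (stand-in paths, not a real install).
demo=$(mktemp -d)
mkdir -p "$demo/jdk/bin"
printf '#!/bin/sh\n' > "$demo/jdk/bin/java"
chmod +x "$demo/jdk/bin/java"
printf 'java.home=/opt/cf11/jre\njava.args=-server\n' > "$demo/jvm.config"
set_java_home "$demo/jvm.config" "$demo/jdk/" && current_java_home "$demo/jvm.config"
rm -rf "$demo"
```

If ColdFusion fails to start after the change, copy jvm.config.bak back over jvm.config and restart.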

ColdFusion Administrator Settings

In this section several recommendations are made for ColdFusion server settings. It is important to understand that changes to some of these settings may affect how your website functions and performs. Be sure to understand the implications of all settings before making any changes.

Server Settings > Settings

Setting: Timeout Requests after
Default: Checked / 60 Sec.
Recommendation: Checked / 5 Sec.

Setting: Prefix serialized JSON with
Default: Unchecked: //
Recommendation: Checked: //
Description: This setting helps prevent JSON hijacking, and should be turned on. ColdFusion AJAX tags and functions automatically remove the prefix. If developers have written CFC functions with returnformat="json" or use the SerializeJSON function, the prefix will be applied, and should be removed in the client code before processing.

Setting: Watch configuration files for changes (check every N seconds)
Default: Unchecked
Recommendation: Unchecked
Description: If your configuration requires this setting to be enabled (if using WebSphere ND vertical cluster for example), increase the time to be as large as possible. If an attacker is able to modify the configuration of your ColdFusion server, their changes can become active within a short period of time when this setting is enabled.

Setting: Default ScriptSrc Directory
Default: /CFIDE/scripts/
Recommendation: /somewhere-else/
Description: See section 2.16 (Windows) or 3.4 (Linux). Because the scripts directory also contains CFML source code (such as FCKeditor), you should move this directory to a non-default location.

Allowed file extensions for CFInclude tag Empty Missing Template Handler Blank or Specified /CFIDE/administrator/templates/missing_template_error.

Setting: Maximum number of POST request parameters
Default: 100
Recommendation: 50 or as low as your application allows.
Description: Set this to the maximum number of form fields you have on any given page. Allowing too many form fields may allow for a DOS attack known as HashDOS. See http://www.petefreitag.com/item/808.

Server Settings > Request Tuning

The Request Tuning settings can help mitigate the ability to perform a successful Denial of Service (DOS) attack on your server.

Setting: Maximum number of simultaneous Template requests
Default: 25
Recommendation: Tuned based on hardware capabilities, and application characteristics.
Description: When this setting is too high or too low the ability to perform a denial of service attack increases.

Setting: Maximum number of simultaneous CFC function requests
Default: 15
Recommendation: 1 if not using Remote CFC function requests, otherwise tuned.
Description: This setting applies only to CFC functions that have access=remote specified, when they are invoked via a HTTP request, for example: /example.cfc?method=MethodName. The ColdFusion AJAX proxy uses this method to invoke CFCs. If your applications do not make use of this feature set to 1.

Setting: Default Storage Mechanism for Client Sessions
Default: Cookie
Recommendation: None / Cookie
Description: If applications have client management enabled a large amount of data can accumulate on the server. This can lead to a storage failure if disks become full. Because the registry is typically located on the system partition it is not recommended to use the Registry.

Setting: Cookie Timeout
Default: 1440 Minutes
Recommendation: -1
Description: By setting to -1 ColdFusion will set the session cookie as a browser session cookie, which is valid as long as the user's browser window is open.

Setting: HTTPOnly
Default: Checked
Recommendation: Checked
Description: Session cookies should always be marked as HTTPOnly to prevent JavaScript or other client side technologies from accessing their values (on supported clients).

Setting: Secure
Default: Unchecked
Recommendation: Checked if all sites require SSL.

Setting: Enable WebSocket Service
Default: Unchecked
Recommendation: Unchecked if not needed.
Description: Disable the WebSocket Service if not required by your applications.

Data & Services > Data Sources

Remove the example data sources, cfartgallery, cfbookclub, cfcodeexplorer, cfdocexamples.

Setting: Login Timeout (sec)
Default: 30 Seconds
Recommendation: 5 Seconds
Description: Decrease this value to be less than the Timeout Requests after setting.

Data & Services > PDF Service

If the PDF Service is used to generate PDFs containing sensitive data ensure that HTTPS is enabled.

Debugging & Logging > Debug Output Settings

Setting: Enable Robust Exception Information
Default: Unchecked
Recommendation: Unchecked
Description: When robust exception information is enabled sensitive information may be disclosed when exceptions occur.

Setting: Maximum number of archives
Default: 10
Recommendation: Larger
Description: When a log file reaches the Maximum File Size (5000KB by default), it is archived. When the maximum number of archives is reached for a particular log file, the oldest log file is deleted. Some security compliance regulations require that log files are kept for a minimum period of time. Ensure that this value is high enough to retain log files for the required duration.

Security > Administrator

Setting: ColdFusion Administration Authentication
Default: Separate user name and password authentication
Recommendation: Separate user name and password authentication
Description: Using separate usernames and passwords allows you to specify which parts of the ColdFusion administrator each user may use.

Password Seed

Security > Allowed IP Addresses

Setting Default Recommendation Description
Allowed IP Addresses for Exposed Services
None
Any IP address in this list may execute remote services that expose server functionality via web services. To invoke these web services the client must be on the allowed IP list, and have a username and password. It is recommended that you do not use this feature in environments requiring maximum security.

Setting: Check for Updates every N days
Default: Unchecked
Recommendation: Checked
Description: Set up email alerts to be notified when a server update is available.

Setting: Site URL
Default: http://www.adobe.com/go/coldfusion-updates
Recommendation: HTTPS version of url - or specify an internal URL
Description: Change the default URL to https to avoid a spoofed update.

Additional Lockdown Measures

The steps outlined in this section can provide additional security but may require special care or attention to configure and maintain.

Configure or Disable the Builtin Web Server

When you installed ColdFusion it set up the Tomcat web server running on a port selected at installation (8500 is the default).

To Configure the Builtin Web Server to listen on a single IP Address

By default the connector will listen on all IP addresses. To configure the builtin web server to only listen on a single address (for example 127.0.0.1) locate the in {cf.instance.root}/runtime/conf/server.xml with a port attribute matching the port your builtin web server is running on, add an address attribute. For example:
Consider adding additional URIs to this file (see table 2.10.1 and 2.10.2); also consider restricting all of /CFIDE to a set of IP addresses:

    */CFIDE/*=127.0.0.1,::1

Repeat this section for each connector.

Lockdown File Extensions

ColdFusion provides a number of capabilities that are not commonly used and can be blocked. A good example of this is JSP file execution.

Blocking by File Extension on IIS

Click on the root node of IIS and then double click Request Filtering. Click on the File Name Extensions tab, and then click Deny File Name Extension in the Actions menu on the right. Add a file name extension including the dot and click ok.

File Extension Whitelisting

A more robust solution is to specify a whitelist of allowed file extensions, and block the rest. For example allow only .cfm .css .js .png and block anything else.
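
Before switching a site to a whitelist it helps to know which files the rule would stop serving. The following dry run is an added example, not part of the original guide: files_outside_allowlist and unlisted_extensions are hypothetical helper names, extensions are compared case-insensitively as an assumption about how the web server matches them, and the demo web root is constructed.

```shell
#!/bin/sh
# Added example, not from the guide: dry-run an extension whitelist.

# files_outside_allowlist WEBROOT "ext ext ..."
# Prints "extension<TAB>path" for every file the whitelist would block.
# The list may be written with or without dots (".cfm .css" or "cfm css").
# Files with no extension are reported as "(none)".
files_outside_allowlist() (
    root=$1
    allow=" $(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d '.') "
    find "$root" -type f | while IFS= read -r path; do
        name=${path##*/}
        case $name in
            *.*) ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
            *)   ext="" ;;
        esac
        # "README" and "file." both count as having no extension.
        [ -n "$ext" ] || ext="(none)"
        case $allow in
            *" $ext "*) ;;                          # allowed, say nothing
            *) printf '%s\t%s\n' "$ext" "$path" ;;  # would be blocked
        esac
    done
)

# unlisted_extensions WEBROOT "ext ext ..." -> sorted, unique extensions
unlisted_extensions() {
    files_outside_allowlist "$1" "$2" | cut -f 1 | LC_ALL=C sort -u
}

# Constructed demo web root: four files the guide's example list allows,
# plus a JSP, an editor backup and an extensionless file.
demo=$(mktemp -d)
mkdir -p "$demo/img" "$demo/admin"
: > "$demo/index.cfm"; : > "$demo/site.CSS"; : > "$demo/app.js"
: > "$demo/img/logo.png"; : > "$demo/admin/shell.jsp"
: > "$demo/index.cfm.bak"; : > "$demo/README"
unlisted_extensions "$demo" ".cfm .css .js .png"
rm -rf "$demo"
```

Every extension the summary prints is either a file type the application needs, and so belongs on the list, or a file that should not be under the web root.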
Change 8007 to -1 to disable this feature, or to a random port number. Tomcat should only listen on 127.0.0.1 for this port, however you should also ensure that your firewall does not allow external connections to this port. Also consider changing the shutdown command, that is the value of the shutdown attribute of the Server tag. This string is essentially a password used to shut down the server locally when the port is enabled.
All JEE web applications have a file in the WEB-INF directory called web.xml; this file defines the servlets and servlet mappings for the JEE web application. A servlet mapping defines a URI pattern that a particular servlet responds to. For example the servlet that handles requests for .cfm files is called the CfmServlet; the servlet mapping for that looks like this: CfmServlet *.

Servlet Mapping: *.cfml
Servlet: CfmServlet
Purpose: Handles execution of CFML contained in files with the .cfml file extension. These servlet mappings can be commented out if you do not have any files with a .cfml file extension in your code base.

Servlet: CFCServlet
Purpose: Handles execution of remote function calls in cfc files.

Servlet Mapping: /rest/*
Servlet: CFRestServlet
Purpose: Used for rest web services

Servlet Mapping: *.hbmxml
Servlet: CFForbiddenServlet
Purpose: Used to prevent serving Hibernate mapping files. This should not be removed.

Servlet Mapping: /cfform-internal/*
Servlet: CFInternalServlet
Purpose: Required for flash forms, can be commented out if not needed.

Servlet Mapping: *.cfswf
Servlet: CFSwfServlet
Purpose: Dynamically generated swf files from flash forms, can be commented out if flash forms are not needed.

Servlet Mapping: *.
the files located in {cf.instance.home}/runtime/conf/ contain important configuration files utilized by the Tomcat container.

Adding ClickJacking Protection

ColdFusion 10 introduced two Servlet Filters, CFClickJackFilterDeny and CFClickJackFilterSameOrigin. When a URL is mapped to one of these filters the X-Frame-Options HTTP header will be returned with a value of DENY or SAMEORIGIN. You can add a filter-mapping in web.
POST ONLY SSL /post/* POST CONFIDENTIAL POST ONLY BLOCK NOT POST /post/* GET

Patch Management Procedures

Staying up to date with patches is essential to maintaining security on the server. The system administrator should monitor the vendors' security pages for all software in use. Most vendors have a security mailing list that will notify you by email when vulnerabilities are discovered. Sign up for the Adobe Security Notification Service: http://www.adobe.com/cfusion/entitlement/index.

© 2014 Adobe Systems Incorporated. All rights reserved. Adobe documentation. This guide is licensed for use under the Creative Commons Attribution Non-Commercial 3.0 License. This License allows users to copy, distribute, and transmit the guide for noncommercial purposes only so long as (1) proper attribution to Adobe is given as the owner of the guide; and (2) any reuse or distribution of the guide contains a notice that use of the guide is governed by these terms.