ColdFusion must separate the hosted application from the web server.

Severity: medium
Group ID: V-279066
Group Title: SRG-APP-000211-AS-000146
Version: APAS-CF-000430
Rule ID: SV-279066r1171607_rule
Date: 2025-12-19
STIG Version: 1
Description
Separating hosted ColdFusion applications from the web server is critical for enforcing strong access control and minimizing the risk of unauthorized access to sensitive server components. When hosted applications and the web server operate within the same execution context or process space, vulnerabilities in one can directly compromise the other. Separating the hosted application logic from the core web server components limits the application's access to only the resources it requires. This containment ensures that application-level vulnerabilities cannot be easily escalated to affect the broader server environment. It also allows for more granular security controls, input validation, and auditing. This separation supports defense-in-depth by establishing clear trust boundaries between application and server functions. It enforces the principle of least privilege and protects critical infrastructure from exploitation.
ℹ️ Check
If a separate web server is used for hosted applications, this requirement is Not Applicable.

1. From the Admin Console Landing Screen, navigate to Enterprise Manager >> Instance Manager.

If all of the hosted applications have their own instance(s) under "Available Servers", this is not a finding.

If neither web servers nor separate instances are being used, this is a finding.
✔️ Fix
If a separate web server is used for hosted applications, this requirement is Not Applicable.

1. Set up the web server.
   For Linux: Execute the Web Server Configuration tool. In the ColdFusion install folder, find:
   <ColdFusion_Installation_Directory>/cfusion/runtime/bin/wsconfig
   For Windows: In the ColdFusion install folder, find:
   <ColdFusion_Installation_Directory>\cfusion\runtime\bin\wsconfig.exe
2. In the tool, click "Add".
3. Provide the application server host, instance, and cluster.
4. Enter the appropriate Web Server Properties.
5. Select "OK".
6. Set up separate instances.
   a. From the Admin Console Landing Screen, navigate to Enterprise Manager >> Instance Manager.
   b. Select "Add New Instance".
   c. Enter a server name.
   d. Choose a directory.
   e. Select "Submit".