ColdFusion must execute as a nonprivileged user.

Severity: medium
Group ID: V-279103
Group Title: SRG-APP-000516-AS-000237
Version: APAS-CF-001010
Rule ID: SV-279103r1171485_rule
Date: 2025-12-19
STIG Version: 1
Description
Privileged user accounts are accounts that have access to all the system resources. These accounts are reserved for administrative users and applications that have a need for such unfettered access. Because ColdFusion does not need to run with access to all the system resources, the ColdFusion services must be set up to execute as unprivileged users. This protects server resources, OS hosted applications, and organization resources should the ColdFusion application server become compromised.
ℹ️ Check
1. For ColdFusion running on Windows, run the snap-in services.msc.
   a. Locate the ColdFusion section of services.
   b. Right-click on each ColdFusion service and select "Properties".
   c. Select the "Log On" tab.
   If any service has "Local System account" selected, this is a finding.
2. For each user account of the services that is a local account, run the snap-in compmgmt.msc.
   a. Expand "Local Users and Groups" in the left pane under "System Tools" to view the "Users" and "Groups" folders.
   b. Select the "Users" folder; the users will be listed in the right pane.
   c. Right-click a user that runs a ColdFusion service.
   d. Select "Properties" on the menu.
   e. Select the "Member Of" tab.
   If any groups are listed, this is a finding.
3. Click on the "Remote Desktop Services Profile" tab.
   If "Deny this user permissions to log on to Remote Desktop Session Host server" is not checked, this is a finding.
4. For each user account of the services that is a domain account, review the groups for each user account on the domain controller.
   If any groups are listed, this is a finding.
5. For ColdFusion running on Linux:
   a. Change to the bin directory in the ColdFusion instance directory.
   b. Execute the command: grep -i -m 1 runtime_user sysinit
   c. The user being used to execute ColdFusion will be listed.
   d. View the user within the /etc/passwd file.
   e. Make note of the user id and group id. For example, if the line in the passwd file is cfuser:x:500:501:ColdFusion:/home/cfuser:/sbin/nologin, the user id is 500 and the group id is 501.
   If the user id or the group id is set to 0, this is a finding.
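The Linux portion of the check (steps 5a through 5e) scripted as an added example; this is not part of the STIG and not Adobe's code. It assumes the instance's bin/sysinit carries a RUNTIME_USER= assignment and uses constructed sysinit and passwd files so it runs offline; point it at a real bin/sysinit and /etc/passwd to audit a host.

```shell
# Audit a ColdFusion instance's Linux runtime user the way the Check step does:
# read RUNTIME_USER from bin/sysinit, look the name up in a passwd file, and
# report a finding when the uid or gid is 0. $2 defaults to /etc/passwd.
cf_runtime_user_check() {
    sysinit="$1"
    passwd="${2:-/etc/passwd}"
    # First RUNTIME_USER= line, case-insensitive like the STIG grep, but anchored
    # to the assignment so comments mentioning the name are ignored; strip quotes.
    user=$(grep -i -m 1 '^[[:space:]]*runtime_user=' "$sysinit" | head -n 1 \
           | cut -d= -f2- | tr -d "\"'[:space:]")
    if [ -z "$user" ]; then
        echo "FINDING: no RUNTIME_USER set in $sysinit"
        return 1
    fi
    # passwd format: name:x:uid:gid:gecos:home:shell
    entry=$(grep "^${user}:" "$passwd" | head -n 1)
    if [ -z "$entry" ]; then
        echo "FINDING: runtime user '$user' not found in $passwd"
        return 1
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "FINDING: $user runs ColdFusion with uid=$uid gid=$gid"
        return 1
    fi
    echo "OK: $user uid=$uid gid=$gid"
    return 0
}

# Constructed sample files (not taken from a real host) so the check runs offline.
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\ncfuser:x:500:501:ColdFusion:/home/cfuser:/sbin/nologin\n' \
    > "$demo_dir/passwd"
printf '# constructed ColdFusion bin/sysinit fragment\nRUNTIME_USER=cfuser\n' > "$demo_dir/sysinit.ok"
printf 'RUNTIME_USER=root\n' > "$demo_dir/sysinit.bad"

cf_runtime_user_check "$demo_dir/sysinit.ok"  "$demo_dir/passwd" || true  # prints "OK: cfuser uid=500 gid=501"
cf_runtime_user_check "$demo_dir/sysinit.bad" "$demo_dir/passwd" || true  # prints "FINDING: root runs ColdFusion with uid=0 gid=0"
```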
✔️ Fix
For ColdFusion running on Windows:
1. Create a user for the ColdFusion services locally by running the snap-in compmgmt.msc, or on the domain controller.
2. Follow any organization-specific policies in place and the Windows STIGs for password complexity, usernames, etc. Remove all groups and ensure the user account does not have permission to connect via Remote Desktop.
3. Run the snap-in services.msc.
4. Locate the ColdFusion services.
5. Right-click on a ColdFusion service and select "Properties".
6. Select the "Log On" tab.
7. Click on the "This account:" radio button.
8. Enter the username and password for the user account that was just created.
9. Select "Ok" to save the changes.
10. Repeat steps 3 through 9 for each ColdFusion service.

For ColdFusion running on Linux:
1. Create a group for the user account that will run the ColdFusion service by executing the command groupadd. For example, if the group being created is webusers, the command would be "groupadd webusers".
2. Create the user account for the service by executing the command useradd. For example, if the user being created is cfuser without creating a home directory, the command would be "useradd -M cfuser".
3. Lock the user account so that it cannot be used to log in by executing the command usermod. For example, to lock user cfuser, the command would be "usermod -L cfuser".
4. Add the user account to the group by executing the command usermod. For example, to add cfuser to the group webusers, the command would be "usermod -G webusers cfuser".
5. Change to the bin directory in the ColdFusion instance directory.
6. Edit the sysinit file.
7. Locate the text "RUNTIME_USER=" within sysinit.
8. Update the user account being used to run the ColdFusion service.