The ColdFusion Root Administrator account must have a unique username.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279104 | SRG-APP-000516-AS-000237 | APAS-CF-001015 | SV-279104r1171486_rule | 2025-12-19 | 1 |
| Description |
|---|
| The ColdFusion Root Administrator account is an administrative account set up during the installation process. It can view, update and delete every setting in the ColdFusion Administrator Console. The account is intended for configuring ColdFusion immediately after installation; once individual administrator user accounts have been created, it should be reserved for emergencies. It is comparable to the Administrator account on Windows or the root account on Linux. To protect the account, its username must not be "admin" or "administrator": with a default username, an attacker already holds half of the credential pair and only has to guess or brute-force the password. A unique username that is not easily guessed must be used to hinder discovery of the account credentials. |
| ℹ️ Check |
|---|

Verify that the ColdFusion Root Administrator username is not set to a default or easily guessable value such as "admin" or "administrator" (in any case variation).

1. Locate the neo-security.xml file. The file is typically located in the "lib" folder under the ColdFusion instance directory.
2. For ColdFusion on Windows:
   a. Open neo-security.xml in Notepad: right-click the file and choose "Open With" >> Notepad. Tip: enable Word Wrap under the "Format" menu for easier reading.
   b. Navigate to Edit >> Find and search for: `'admin.userid.root'>`
   c. Locate the `<string>` element immediately following this tag, for example: `<var name='admin.userid.root'><string>Administrator</string></var>`
3. For ColdFusion on Linux:
   a. Navigate to the directory containing neo-security.xml.
   b. Run the following command to extract the relevant tag: `grep -ohE "'admin.userid.root'><string>[^<]*</string>" neo-security.xml`
   c. Note the username displayed between `<string>` and `</string>`.

If the Root Administrator username is any uppercase or lowercase variation of "admin" or "administrator" (examples: admin, Admin, ADmIN, admInistrAtor, Administrator, ADMINISTRATOR), this is a finding.
| ✔️ Fix |
|---|

Change the Root Administrator username to a unique value that is not a variation of "admin" or "administrator".

1. Locate the neo-security.xml file. The file is typically located in the "lib" folder under the ColdFusion instance directory.
2. Make a backup copy of the file before making any modifications.
3. For ColdFusion running on Windows:
   a. Open neo-security.xml in Notepad: right-click the file and choose "Open With" >> Notepad. Tip: enable Word Wrap under the "Format" menu for easier reading.
   b. Navigate to Edit >> Find and search for: `'admin.userid.root'>`
   c. Locate the `<string>` element that contains the Root Administrator username: `<var name='admin.userid.root'><string>Administrator</string></var>`
   d. Replace the existing username with a unique name that is not any case variation of "admin" or "administrator".
   e. Save the file.
   f. Restart ColdFusion for the changes to take effect.
4. For ColdFusion running on Linux:
   a. Navigate to the directory containing neo-security.xml.
   b. Open neo-security.xml in a preferred text editor (e.g., nano, vim).
   c. Locate the `<var name='admin.userid.root'>` tag. The username appears between the `<string>` and `</string>` tags, for example: `<var name='admin.userid.root'><string>Administrator</string></var>`
   d. Replace the existing username with a unique name that is not any case variation of "admin" or "administrator".
   e. Save the file.
   f. Restart ColdFusion to apply the changes.
5. Validate that the new username is in use (log in to the ColdFusion Administrator with it) and that the system is operating properly.
6. Once validated, securely delete the backup neo-security.xml file created earlier.

Caveat for practitioners (not part of the STIG text): ColdFusion may rewrite its neo-*.xml configuration files when it shuts down, so an edit made while the server is running can be overwritten by the restart in step 3f or 4f. The safe sequence is to stop ColdFusion, edit the file, then start ColdFusion and re-run the Check to confirm the new username persisted.