This is an extremely technical process. All steps must be completed as outlined. Any misconfiguration or missed steps could lead to your site being completely inaccessible. Be extremely cautious.
There are many reasons to consider externalizing your intranet, including allowing mobile access, access from home or outside the office, or access for end users who are not full-time employees. The first thing to do is consider your reason and evaluate your options. Many customers will simply use VPN client technology to grant access outside their LAN. Alternatively, you can make your intranet available over the internet.
This article focuses on the steps you need to perform to ensure your server is locked down and your data is secure if you choose to externalize the intranet.
The steps will differ slightly depending on your CFML engine: Lucee (13.5), Railo (12.5 or 13.0) or ColdFusion (<13.0). You can find this setting on your Intranet admin page, after CFML Engine (bottom-right corner).
A. Harden Your Server
Hardening your server includes applying the latest security updates available for your Windows server and ensuring Windows Updates are regularly downloaded and installed. As well, it's recommended to turn off any services that are not essential on the server. Microsoft provides a Security Configuration Wizard (Server Manager > Tools > Security Configuration Wizard) to help you assess what services are running and apply the correct policies on your server.
Install anti-virus software. If it performs real-time scanning, exclude the drive location(s) that hold your web files, or the scanning may affect the performance of the intranet.
IIS Security Best Practices - There are many considerations when looking at securing IIS 8. We will run through a number of these in the following steps but it's best to read through these to understand best practices.
SQL Server, Lucee/Railo/ColdFusion - Make sure you have the latest updates installed, particularly ones that address security vulnerabilities.
Use Microsoft's Baseline Server Hardening Guide to ensure the operating system is as secure as possible.
B. Decide on a Consistent Web Location and Configure Public DNS
By default, your intranet is accessible internally using machine name, IP, or a local DNS name. To have a consistent URL you should configure your DNS & IIS so your users can use the same URL when accessing the site outside your network as inside (a fully qualified DNS entry). The standard is to use a subdomain of your company domain with the name you have given your intranet (e.g. sqintranet.sqbox.com, our company intranet).
- Decide on a URL you can use inside and outside your network
- Configure a public DNS record to point to a public IP your intranet server can answer on (this can take some time to propagate to the internet)
- Verify your server responds to this DNS name and that traffic is allowed through your firewall
C. Isolate Web Applications, Change Drive Paths, Bindings & Web Location
In most cases, customers have Intranet Connections deployed by default under the "Default Web Site" as a subfolder called "Intranet". As well, it's common that this site is in the default location of C:\inetpub\wwwroot. Under this scenario you can browse the site as http://localhost/Intranet on the web server. It's best practice to have the intranet run as its own website under its own application pool, to use non-default drive locations and restrict access to the "Default Web Site".
- Stop Lucee/Railo/ColdFusion and IIS services
- Create a different drive location for your Intranet site. If you have a drive separate from your OS drive, it's recommended to use it. A suggested format is C:\home\domain\subdomain
- Move the "Intranet", "coldbox" and "elasticsearch" folders from C:\inetpub\wwwroot to this new folder (Versions prior to 13.0 only have the Intranet folder)
- Create a new web site in IIS for your Intranet pointed at the new "Intranet" folder location. This new site will isolate your intranet to its own app pool. In the Bindings, configure it to answer to your public URL you chose in the last section.
- Start IIS and Lucee/Railo/ColdFusion services
- (Lucee/Railo only) Browse to the Railo Web Administrator (Eg. http://sqintranet.sqbox.com/railo-context/admin/web.cfm) or Lucee Web Administrator (Eg. http://sqintranet.sqbox.com/lucee/admin/web.cfm), login (default password is 'connections'), click on Mappings. You will need to check the /Intranet mapping and delete it and create a new one like this (Railo screen shown. Lucee is similar):
- Browse to your new intranet web location and confirm it's working (e.g. http://sqintranet.sqbox.com)
- Go to Admin > Setup and click update locations to change any absolute URLs in your data from the old web location to the new one you've just configured
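The site and application-pool steps above, as an added PowerShell example (this is not code from the article or from Intranet Connections). It uses the WebAdministration module that ships with IIS 8; the site name, host name and folder paths are the article's placeholders, and it assumes the folders have already been moved and that the .cfm handler mapping is defined at the server level.

```powershell
# Added example: create an isolated IIS site and application pool for the intranet.
Import-Module WebAdministration

$siteName = 'Intranet'
$hostName = 'sqintranet.sqbox.com'          # public URL chosen in section B (placeholder)
$root     = 'C:\home\sqbox.com\sqintranet'  # non-default drive location (placeholder)
$webRoot  = Join-Path $root 'Intranet'

if (-not (Test-Path $webRoot)) { throw "Web root $webRoot does not exist; move the folders first" }

# Dedicated application pool: the intranet no longer shares a worker process with
# anything left under Default Web Site.
if (-not (Test-Path "IIS:\AppPools\$siteName")) {
    New-WebAppPool -Name $siteName | Out-Null
}
# Run the pool under its own virtual identity (4 = ApplicationPoolIdentity)
# instead of a shared account.
Set-ItemProperty "IIS:\AppPools\$siteName" -Name processModel.identityType -Value 4

# New site bound only to the chosen host header, so requests for the bare IP or
# machine name still land on Default Web Site (which section E locks down).
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -PhysicalPath $webRoot -ApplicationPool $siteName `
                -Port 80 -HostHeader $hostName | Out-Null
}

# Check: the site is started, points at the new root, and has only the intended binding.
Get-Website -Name $siteName | Select-Object Name, State, PhysicalPath, ApplicationPool
Get-WebBinding -Name $siteName | Select-Object protocol, bindingInformation
```

Run it in an elevated PowerShell session on the web server after stopping the services as the first step says; restart them afterwards and then continue with the mapping and "update locations" steps.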
D. Secure Lucee/Railo/ColdFusion Services
This section involves altering the application server to run under a more restricted local user account and limiting access to the web administrators and the Default Web Site to local server access only.
- Create a new local user account named "Lucee" or "Railo"
- Alter the "Lucee" or "Railo Server" service to run as this account
- Grant this account "Full Control" over the drive location set up in the last section (C:\home) and C:\lucee or C:\railo (or C:\coldfusionX) and C:\inetpub
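The three steps of this section as an added PowerShell example (not code from the article or the product). It assumes Windows Server 2012 R2 or later (for New-LocalUser), a Lucee install whose Windows service is named 'Lucee', and the paths the article uses; adjust the names for Railo or ColdFusion. The file-system rights are exactly the Full Control the article specifies.

```powershell
# Added example: dedicated local service account for the CFML engine.
$account = 'Lucee'
$service = 'Lucee'   # confirm with: Get-Service | Where-Object DisplayName -like '*Lucee*'
$password = Read-Host -Prompt "Password for the $account service account" -AsSecureString

# Plain local user, deliberately NOT a member of Administrators.
if (-not (Get-LocalUser -Name $account -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $account -Password $password -PasswordNeverExpires `
                  -UserMayNotChangePassword -Description 'CFML engine service account' | Out-Null
}

# Point the service at the new account. sc.exe needs the plain-text password and a
# space after each '='. If the service later fails with a logon failure, grant the
# account the "Log on as a service" right in Local Security Policy (secpol.msc).
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
& sc.exe config $service "obj=" ".\$account" "password=" $plain | Out-Null
$plain = $null

# File-system rights as the article specifies: Full Control, inherited by
# subfolders (CI) and files (OI), applied recursively (/T).
foreach ($path in 'C:\home', 'C:\lucee', 'C:\inetpub') {
    if (Test-Path $path) {
        & icacls.exe $path /grant "${account}:(OI)(CI)F" /T | Out-Null
    }
}

Restart-Service -Name $service

# Check: the service now runs under the new identity and is running.
Get-CimInstance Win32_Service -Filter "Name='$service'" | Select-Object Name, StartName, State
```

The StartName column of the final check should read .\Lucee; if the service shows Stopped, look at the System event log for the logon error before changing anything else.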
E. Secure Lucee/Railo Administrator
Now we need to limit access to the Lucee/Railo Server Admin and Web Admin (or ColdFusion Admin) and create more secure passwords. We’re going to place a general block on access to Lucee/Railo and then open access specifically for this server only.
- Install "IP and Domain Restrictions" role service if not already in IIS
- Using “Request Filtering”, block the Lucee/Railo Admin at the server level: create a deny sequence for lucee/admin/server.cfm or railo-context/admin/server.cfm. For ColdFusion this would be cfide/administrator/index.cfm
- Using "Request Filtering", remove the block of the Lucee/Railo Server admin in the Default Web Site. Click on Request Filtering in the Default Web Site. You should see the deny sequence that has been delegated down from the server level. Remove this sequence setting to allow access to the page from the web server itself using ‘localhost’.
- Block all access to the "Default Web Site" other than localhost. Click on Default Web Site, choose IP Address and Domain Restrictions, click Edit Feature Settings and change access to Deny for unspecified clients. Now add an Allow entry for 127.0.0.1. This will prevent all access to the Lucee/Railo Server Admin and Default Web Site other than locally.
- Block access to the Lucee/Railo Web Admin. Create an empty folder named "lucee" or "railo-context" under your "Intranet" folder. Click on your "Intranet" web site and select this folder in IIS. Choose IP Address and Domain Restrictions, click Edit Feature Settings and change access to Deny for unspecified clients. Now add an Allow entry for the IP of the machine (e.g. "192.168.1.61"). This will prevent all access to the Lucee/Railo Web Admin other than locally. This assumes your "Intranet" site has a binding for this local IP.
- Make sure you can login to your Lucee/Railo (or ColdFusion) admin screens locally but you cannot from any other machine.
- Now change the Lucee/Railo Server Admin password to something more secure. The default password is "connections" or whatever you selected when you installed ColdFusion. For your intranet site, you should also alter the Lucee/Railo Web Admin password to something other than the default of "connections".
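The IIS part of this section (Request Filtering deny sequence, the exception on Default Web Site, and the two IP restrictions) as an added PowerShell example. This is not code from the article; it assumes the site is named 'Intranet', the engine is Lucee, the server's LAN address is the article's 192.168.1.61, the Intranet web root is C:\home\sqbox.com\sqintranet\Intranet, and the "IP and Domain Restrictions" role service is installed. Password changes are done in the admin screens as the last step says.

```powershell
# Added example: section E IIS lockdown written to applicationHost.config.
Import-Module WebAdministration
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$lanIP    = '192.168.1.61'                     # article's example LAN address
$adminUrl = 'lucee/admin/server.cfm'           # railo-context/admin/server.cfm or cfide/administrator/index.cfm
$webAdminFolder = 'C:\home\sqbox.com\sqintranet\Intranet\lucee'   # 'railo-context' for Railo
$rf = 'system.webServer/security/requestFiltering/denyUrlSequences'
$ip = 'system.webServer/security/ipSecurity'

# 1. Server level: any URL containing the admin path is refused on every site (IIS answers 404).
if (-not (Get-WebConfiguration -PSPath $appHost -Filter "$rf/add[@sequence='$adminUrl']")) {
    Add-WebConfigurationProperty -PSPath $appHost -Filter $rf -Name '.' -Value @{ sequence = $adminUrl }
}

# 2. Default Web Site only: remove the inherited deny sequence so the server admin
#    can still be opened there via http://localhost/...
Remove-WebConfigurationProperty -PSPath $appHost -Location 'Default Web Site' `
    -Filter $rf -Name '.' -AtElement @{ sequence = $adminUrl }

# 3. Default Web Site: deny every client except the loopback address.
Set-WebConfigurationProperty -PSPath $appHost -Location 'Default Web Site' `
    -Filter $ip -Name 'allowUnlisted' -Value $false
Add-WebConfigurationProperty -PSPath $appHost -Location 'Default Web Site' `
    -Filter $ip -Name '.' -Value @{ ipAddress = '127.0.0.1'; allowed = $true }

# 4. Web Admin folder inside the Intranet site: deny every client except the server's own LAN IP.
New-Item -ItemType Directory -Path $webAdminFolder -Force | Out-Null
Set-WebConfigurationProperty -PSPath $appHost -Location 'Intranet/lucee' `
    -Filter $ip -Name 'allowUnlisted' -Value $false
Add-WebConfigurationProperty -PSPath $appHost -Location 'Intranet/lucee' `
    -Filter $ip -Name '.' -Value @{ ipAddress = $lanIP; allowed = $true }

# Review what was actually written before testing from another machine.
foreach ($loc in 'Default Web Site', 'Intranet/lucee') {
    $unlisted = Get-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $ip -Name 'allowUnlisted'
    $entries  = Get-WebConfiguration -PSPath $appHost -Location $loc -Filter "$ip/add" |
                ForEach-Object { "$($_.ipAddress)=$($_.allowed)" }
    "{0,-18} allowUnlisted={1,-5} entries: {2}" -f $loc, $unlisted.Value, ($entries -join ', ')
}
```

Because these changes are written as location tags in applicationHost.config rather than into the site's web.config, they cannot be undone by anything deployed with the site's files.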
Secure Lucee/Railo Administrator - Tomcat
You must also restrict web access to the Tomcat administrator screens if accessing directly using port 8888 which bypasses IIS.
- Edit the Tomcat server file: C:\lucee\tomcat\conf\server.xml or C:\railo\tomcat\conf\server.xml
- Comment out the section which starts with <Connector port="8888" ... /> (comments start with <!-- and end with -->)
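A check script for this section and the previous one, added here as an example (not from the article). Run it on the web server after the IIS changes and after restarting the engine with the Tomcat connector commented out; it uses the article's placeholder host name, LAN IP and Lucee URLs. Request Filtering answers blocked URLs with 404 and the IP restriction with 403, so the script treats anything other than a 2xx/3xx as blocked.

```powershell
# Added example: verify the admin lockdown and the closed Tomcat port from the server itself.
$site  = 'sqintranet.sqbox.com'   # placeholder public name
$lanIP = '192.168.1.61'           # placeholder LAN address of this server

function Get-HttpStatus([string]$url) {
    # Returns the HTTP status code, or 0 when nothing answered at all.
    try {
        (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 -MaximumRedirection 0).StatusCode
    } catch {
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    }
}

$checks = @(
    # Server admin: only the loopback address on Default Web Site may reach it.
    @{ Url = 'http://localhost/lucee/admin/server.cfm'; Expect = 'allowed' }
    @{ Url = "http://$lanIP/lucee/admin/server.cfm";    Expect = 'blocked' }   # LAN IP is not in the allow list
    @{ Url = "http://$site/lucee/admin/server.cfm";     Expect = 'blocked' }   # server-level deny sequence
    # Web admin under the Intranet site: reachable only when the request's source
    # address is this server's LAN IP (the site needs a binding on that IP).
    @{ Url = "http://$site/lucee/admin/web.cfm";        Expect = 'allowed' }
)

$failed = 0
foreach ($c in $checks) {
    $code  = Get-HttpStatus $c.Url
    $state = if ($code -ge 200 -and $code -lt 400) { 'allowed' } else { 'blocked' }
    $ok    = ($state -eq $c.Expect)
    if (-not $ok) { $failed++ }
    '{0} {1,4} {2,-8} {3}' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $code, $state, $c.Url
}

# Tomcat's direct connector: nothing may be listening on 8888 once server.xml is
# edited and the service restarted, otherwise the IIS restrictions can be bypassed.
$listener = Get-NetTCPConnection -LocalPort 8888 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $failed++
    "FAIL port 8888 still listening (process id $($listener.OwningProcess))"
} else {
    'PASS port 8888 closed'
}

if ($failed) { Write-Warning "$failed check(s) failed" } else { 'All checks passed' }
```

Run the same script from another workstation as well: there every admin URL, including the localhost one, must come back as blocked, and the 8888 line must pass.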
F. Migrate Uploaded Files outside Web Root
To protect against insecure direct file access, you can migrate the location of your uploaded files from the default "Intranet" folder. Earlier, we walked through migrating the "Intranet" folder from the default location. This step runs you through the File Migration Utility to change your uploaded files location.
- Create a folder named "Files" under your subdomain location created earlier
- Copy the contents of the "Intranet" folder into the new "Files" folder
- Go to Admin > Security > File Migration Utility and click next
- Paste in the new upload location (Eg. C:\home\sqbox.com\sqintranet\Files) and click next
- Follow the prompts to complete the migration
G. Prevent Internet Search Engine Indexing
Stop your intranet site from being indexed by Google, Bing, and other search engines by deploying a robots.txt file in the root. Note that robots.txt is only a request that well-behaved crawlers honour, not an access control; the login settings and IP restrictions in the other sections are what actually keep content from being read.
- Download a sample robots.txt file (https://support.intranetconnections.com/attachments/token/wY0q0NcAyNe0zicnVSWPqDEBk/?name=robots.txt)
- Place this file in the "Intranet" folder (your intranet web site root)
H. Login Settings & IIS Authentication
Intranet Connections supports Windows Authentication and Form-based Authentication or a mixture of both. It also allows for anonymous access. You can configure the authentication mode in the product to "Windows" only. If you support Form-based logins, you should leverage some of the more advanced login settings offered in the product, such as strong passwords, password reset, session management and login CAPTCHA.
Steps to setup Windows Authentication only:
- Go to Admin > Security > Site Level Login and set this setting to "YES" to require end users to login
- Go to Admin > Security > Authentication Mode and set this setting to "Windows Authentication"
Steps to improve Form-based security:
- Go to Admin > Security and you will find many options
- Under Session Management you can control timeouts and session IP checking
- Under Password Options, you can enable lockout, password resets, strength checking and whichever options you like
- For added security you can require users to enter a CAPTCHA image when logging in
It may be possible to disable Anonymous access through IIS, but doing so can affect access to the site, so you may need to leave it enabled. Anonymous access is required on certain folders for our background processes to continue working as expected.
- In IIS, select your Intranet site, click on Authentication and disable "Anonymous Authentication"
- In IIS, select the subfolders "Scheduled" and "mfu" and enable "Anonymous Authentication"
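The two IIS authentication steps above as an added PowerShell example (not code from the article). It assumes the site is named 'Intranet' and that the Windows Authentication role service is installed; it also switches Windows Authentication on at the site root, since with Anonymous disabled IIS needs some provider left enabled.

```powershell
# Added example: section H IIS authentication settings, written to applicationHost.config.
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'
$site    = 'Intranet'
$authBase = 'system.webServer/security/authentication'

function Set-AuthProvider([string]$location, [string]$provider, [bool]$enabled) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $location `
        -Filter "$authBase/$provider" -Name 'enabled' -Value $enabled
}

# Site root: Windows Authentication on, Anonymous off, so unauthenticated
# requests never reach the application.
Set-AuthProvider $site 'windowsAuthentication'   $true
Set-AuthProvider $site 'anonymousAuthentication' $false

# The two folders the product's own background processes call without credentials.
foreach ($folder in 'Scheduled', 'mfu') {
    Set-AuthProvider "$site/$folder" 'anonymousAuthentication' $true
}

# Report the effective settings so the two exceptions are visible and deliberate.
foreach ($loc in $site, "$site/Scheduled", "$site/mfu") {
    $anon = Get-WebConfigurationProperty -PSPath $appHost -Location $loc `
                -Filter "$authBase/anonymousAuthentication" -Name 'enabled'
    $win  = Get-WebConfigurationProperty -PSPath $appHost -Location $loc `
                -Filter "$authBase/windowsAuthentication" -Name 'enabled'
    '{0,-20} anonymous={1,-5} windows={2}' -f $loc, $anon.Value, $win.Value
}
```

If the report shows anything other than anonymous=False at the root and anonymous=True on exactly the Scheduled and mfu folders, re-check the location names before testing logins.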
I. Install an SSL Certificate
Contact your server administrator to see if you have an SSL certificate already. If you are using Form-based logins or allow Anonymous access to your site, it is highly recommended that you configure a certificate to encrypt communication with the server.
- In IIS > Server Certificates, click Create Certificate Request. Your selected vendor will give instructions on how to fill out the details required
- Pass the certificate request info to the vendor who will issue you a certificate
- In IIS > Server Certificates, click Complete Certificate Request
- Once installed, you can now add a new Binding to your Intranet site for "https", the IP you want, port 443, and select your certificate
- You can then use a redirect rule to direct all http traffic over https
- Go to Admin > Setup and click on update locations to change absolute URLs in your data to use the https address
- You may need to add a certificate to the Railo/Lucee Server administration, to make sure that the scheduled task runs smoothly by following Step 2.
- Finally, you may need to open port 443 in your firewall and allow traffic to your web server
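The binding and redirect steps of this section as an added PowerShell example (not code from the article). It assumes the site is named 'Intranet', the completed certificate sits in the machine's Personal store with the public name in its subject, and the IIS URL Rewrite module is installed, which the http-to-https rule needs; opening port 443 on the firewall and the admin-screen steps are done as described above.

```powershell
# Added example: attach the issued certificate to an https binding and redirect http to https.
Import-Module WebAdministration
$site     = 'Intranet'
$hostName = 'sqintranet.sqbox.com'   # placeholder public name

# Pick the newest valid certificate issued for the public name; stop if there is none.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$hostName*" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate for $hostName in Cert:\LocalMachine\My" }

# https binding on 443 for the public name.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName
}
# Attach the certificate to port 443. Only create the SSL binding if none exists:
# replacing an existing one would affect any other https site on this server.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (-not (Test-Path $sslPath)) {
    New-Item $sslPath -Value $cert | Out-Null
} else {
    Write-Warning "Port 443 already has a certificate bound; review $sslPath before changing it"
}

# URL Rewrite rule in the site's web.config: plain-http requests get a 301 to the same path over https.
$sitePath = "IIS:\Sites\$site"
$rules    = 'system.webServer/rewrite/rules'
$ruleName = 'Redirect to HTTPS'
$rule     = "$rules/rule[@name='$ruleName']"
if (-not (Get-WebConfiguration -PSPath $sitePath -Filter $rule)) {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter $rules -Name '.' `
        -Value @{ name = $ruleName; stopProcessing = 'True' }
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/match" -Name 'url' -Value '(.*)'
    Add-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = 'off' }
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/action" -Name 'type' -Value 'Redirect'
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/action" -Name 'url' -Value 'https://{HTTP_HOST}/{R:1}'
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/action" -Name 'redirectType' -Value 'Permanent'
}

# Check: both bindings exist and the certificate on 443 is the one selected above.
Get-WebBinding -Name $site | Select-Object protocol, bindingInformation
Get-Item $sslPath | Select-Object Thumbprint
"Expected thumbprint: $($cert.Thumbprint)"
```

After running it, open http://sqintranet.sqbox.com from another machine and confirm the browser lands on the https address with no certificate warning; only then run the "update locations" step so stored URLs switch to https.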
J. Setup Restricted External User Access as Needed
Once you've externalized your intranet, if your intention is now to grant access to users who you do not want to see content that is globally visible (e.g. contractor, consultant, vendor), you should provision user accounts and make use of an additional feature in Intranet Connections.
On the user record you can enable a checkbox setting labelled Global permissions do not apply. If you turn this on, the user will only be able to view content you explicitly give them view permissions to at the site, application, or folder/category level.
K. Enable Generic Errors (Version 13.0.4 and up)
To make detailed errors visible only in the error logs, go to Admin > Errors & Logging and check Display enable generic error message only.