Build an Extranet (Lockdown Guide)

Hardening your server includes applying the latest security updates available for your Windows server and ensuring Windows Updates are regularly downloaded and installed.  As well, it's recommended to turn off any services that are not essential on the server.  Microsoft provides a Security Configuration Wizard (Server Manager > Tools > Security Configuration Wizard) to help you assess what services are running and apply the correct policies on your server.  

Install Anti-Virus software -  If you have real-time scanning, ensure that you exclude the drive location(s) where your web files are, or you may affect the performance of the intranet.

IIS Security Best Practices - There are many considerations when looking at securing IIS 8.  We'll run through a number of these in the following steps but it's best to read through these to understand best practices.

SQL Server, Lucee/Railo/ColdFusion - Make sure you have the latest updates installed, particularly ones that address security vulnerabilities.

Use Microsoft's Baseline Server Hardening Guide to ensure the operating system is as secure as possible.

By default, your intranet is accessible internally using machine name, IP, or a local DNS name.  To have a consistent URL you should configure your DNS & IIS so your users can use the same URL when accessing the site outside your network as inside (a fully qualified DNS entry).  The standard is to use a subdomain of your company domain with the name you have given your intranet (e.g. sqintranet.sqbox.com (our company intranet)).

1. Decide on a URL you can use inside and outside your network
2. Configure a public DNS record to point to a public IP your intranet server can answer on (this can take some time to propagate to the internet)
3. Verify your server responds to this DNS name and that traffic is allowed through your firewall

In most cases, customers have Intranet Connections deployed by default under the "Default Web Site" as a subfolder called "Intranet".  As well, it's common that this site is in the default location of C:\inetpub\wwwroot.  Under this scenario you can browse the site as http://localhost/Intranet on the web server.  It's best practice to have the intranet run as its own website under its own application pool, to use non-default drive locations and restrict access to the "Default Web Site".

Before making the changes below, go to the Lucee/Railo admin pages and take note of the current Datasource, Mappings, and mail settings.

1. Stop Lucee/Railo/ColdFusion and IIS (World Wide Web Publishing Service) services
2. Create a different drive location for your Intranet site.  If you have a separate drive from your OS one, it's recommended to move there.  A suggested format is C:\home\domain\subdomain
3. Move the Intranet files to the newly created folder. See the table below for a list of default folders that need to be moved for each version:

Note if you have /intranet within the URL you will have to also move "Web-INF"

4. If your site is on version 14.0 or above, please follow the below three sub-steps; otherwise skip to step 5.

• Adjust the schedule.json file in the TaskManager/Config file. Make sure the two "basepath" values accurately reflect the path to your Intranet.
• Adjust the value for "WorkDir" in the C:\SQBoxService\config accurately reflect the path to your TaskManager directory.
• If you have made any changes to the statistics components above, restart the SQBoxTaskManager service on the web server.

5. Create a new web site in IIS for your Intranet with the physical path pointed at the new "Intranet" folder location. Within the sites Bindings, configure the site to answer to the public URL you chose in the last section.

• Note If you have /intranet, point the IIS site physical path to the new webroot instead of the "Intranet" folder. If the site has already been created the physical path can be changed in the sites basic settings.

6. Start IIS and Lucee/Railo/ColdFusion services. For Lucee and Railo only browse to the Railo Web Administrator (e.g. http://sqintranet.sqbox.com/railo-context/admin/web.cfm) or Lucee Web Administrator (e.g. http://sqintranet.sqbox.com/lucee/admin/web.cfm), login (default password is 'connections'), click on Mappings.  You will need to check the / mapping (the mapping may be /intranet depending on your URL) and delete it and create a new one like this (Railo screen shown. Lucee is similar):

7. Browse to your new intranet web location and confirm it's working (e.g. http://sqintranet.sqbox.com)
8. Go to Admin > Setup and click update locations to change any absolute URLs in your data from the old web location to the new one you've just configured

Note if you log in and get redirected to the old path, type in your base URL and add this text to go directly to the admin setup page: admin/sitesettings/site_settings.cfm?tabidx=1 (e.g. http://sqintranet.sqbox.com/admin/sitesettings/site_settings.cfm?tabidx=1).

Now we need to limit access to the Lucee/Railo Server Admin and Web Admin (or ColdFusion Admin) and create more secure passwords.  We’re going to place a general block on access to Lucee/Railo and then open access specifically for this server only.

1. Install "IP and Domain Restrictions" role service in IIS if not already installed. For Windows 2012, this is found in the Add Roles and Features wizard (within the server manager) under Web Server > Web Server > Security.
2. Using “Request Filtering” block the Lucee/Railo Admin at the server level.  

Create a deny sequence for lucee/admin/server.cfm or railo-context/admin/server.cfm

For ColdFusion this would be cfide/administrator/index.cfm

3. Using "Request Filtering", remove the block of the Lucee/Railo Server admin in the Default Web Site.  Click on Request Filtering in the Default Web Site. You should see the deny sequence that has been delegated down from the server level. Remove this sequence setting to allow access to the page from the web server itself using ‘localhost’.
4. Block all access to the "Default Web Site" other than localhost.  Click on Default Web Site, choose IP Address and Domain Restrictions, click Edit Feature Settings and change access to Deny for unspecified clients.  Now add an Allow entry for 127.0.0.1.  This will prevent all access to the Lucee/Railo Server Admin and Default Web Site other than locally.
5. Block access to the Lucee/Railo Web Admin.  Create an empty folder named "lucee" or "railo-context" under your "Intranet" folder.  Click on your "Intranet" web site and select this folder in IIS.  Choose IP Address and Domain Restrictions, click Edit Feature Settings and change access to Deny for unspecified clients.  Now add an Allow entry for the IP of the machine (e.g. "192.168.1.61").  This will prevent all access to the Lucee/Railo Web Admin other than locally.  This assumes your "Intranet" site has a binding for this local IP.
6. Make sure you can login to your Lucee/Railo (or ColdFusion) admin screens locally but you cannot from any other machine.
7. Now change the Lucee/Railo Server Admin password to something more secure.  The default password is "connections" or whatever you selected when you installed ColdFusion.  For your intranet site, you should also alter the Lucee/Railo Web Admin password to something other than the default of "connections".

Stop your intranet site from being indexed by Google, Bing, Yahoo, and other search engines by deploying a robots.txt file in the root.

1. Download a sample robots.txt file (https://support.intranetconnections.com/attachments/token/wY0q0NcAyNe0zicnVSWPqDEBk/?name=robots.txt)
2. Place this file in the "Intranet" folder (your intranet web site root)

Intranet Connections supports Windows Authentication and Form-based Authentication or a mixture of both.  It also allows for anonymous access.  You can configure the authentication mode in the product to "Windows" only.  If you support Form-based logins, you should leverage some of the more advanced login settings offered in the product, such as strong passwords, password reset, session management and login CAPTCHA.

Steps to setup Windows Authentication only:

1. Go to Admin > Security > Site Level Login and set this setting to "YES" to require end users to login
2. Go to Admin > Security > Authentication Mode and set this setting to "Windows Authentication"

Steps to improve Form-based security:

1. Go to Admin > Security and you will find many options
2. Under Session Management you can control timeouts and session IP checking
3. Under Password Options, you can enable lockout, password resets, strength checking and whichever options you like
4. For added security you can require users to enter a CAPTCHA image when logging in

Contact your server administrator to see if you have a SSL certificate already.  If you are using Form-based logins or allow Anonymous access to your site, it is highly recommended that you configure a certificate to encrypt communication with the server.

1. In IIS > Server Certificates, click Create Certificate Request.  Your selected vendor will give instructions on how to fill out the details required
2. Pass the certificate request info to the vendor who will issue you a certificate
3. In IIS > Server Certificates, click Complete Certificate Request
4. Once installed, you can now add a new Binding to your Intranet site for "https", the IP you want, port 443, and select your certificate
5. You can then use a redirect rule to direct all http traffic over https
6. Go to Admin > Setup and click on update locations to change absolute URLs in your data to use the https address
   • If you log in and get redirected to the old path, type in your base URL and add this text to go directly to the admin setup page: admin/sitesettings/site_settings.cfm?tabidx=1 Example: http://sqintranet.sqbox.com/admin/sitesettings/site_settings.cfm?tabidx=1
7. You may need to add a certificate to the Railo/Lucee Server administration, to make sure that the scheduled task runs smoothly by following Step 2 in the 'Enable SSL' article.
8. Finally, you may need to open port 443 in your firewall and allow traffic to your web server

Once you've externalized your intranet, if your intention is now to grant access to users who you do not want to see content that is globally visible (e.g. contractor, consultant, vendor), you should provision user accounts and make use of an additional feature in Intranet Connections.  

On the user record you can enable a checkbox setting labelled Global permissions do not apply.  If you turn this on, the user will only be able to view content you explicitly give them view permissions to at the site, application, or folder/category level.

To make detailed errors visible only in the error logs, go to Admin > Errors & Logging and check Display enable generic error message only.