CFMX and IIS 6 Virtual Directories

Can anyone provide information on why ColdFusion creates virtual directories for the CFIDE and CFDOCS folders under each IIS website on the server?

Is removing the virtual directories through IIS a logical step to make?

Is there a major security risk having a CFIDE folder under each website? If the site uses CFFORM, isn't it necessary to include the CFIDE folder so that the javascript reference is available to perform the validation of the tag?

Sorry to throw out all of these questions in one post, but these all stem from an issue I am having with a client.

Thanks in advance - I appreciate any information provided.

On a production server you probably want to remove these (copy them out of the web root). Keep in mind that once they are gone you won't have access to the CF administrator until you move them back.

I do understand that the directories should not be in a production environment.

However, there are CFIDE folders that appear under each website that have cfform.js and wddx.js files in them. Is having this folder with those scripts under the website a major security risk?

Is it logical to remove the CFIDE virtual directory through IIS 6?

thanks

The javascripts are not a security risk, they are just there to let you serialize WDDX data into javascript arrays, and to provide form validation.

If you want to be thorough, you can delete them from IIS itself. Remember again though that once you do this, you won't have access to the administrator interface any more. You'll have to move the folders back and recreate the virtual directories again if you need to access the administrator.

Thanks for your reply. How do you delete them from IIS?

Deleting them caused javascript errors on our site because the CFFORM tag could not reference the cfform.js file. If there are no risks, then deleting the virtual directories via IIS is not necessary, correct?

Well yes, if you are using the form validation in cfform then you'll have to leave those virtual directories intact. I was under the impression that you wern't using them and wanted to get rid of them.

The only directories that you need to be concerned about are the cf administrator directories and the samples. The samples should definitely be deleted. The CF administrator can be deleted, or you can secure it using Windows permissions and then anyone who wants to get to that directory must log in with an authorized Windows user name and pw as well. It's up to you, depending on which is easier for you to deal with.

I apologize for not making clear the cfform validation is in use.

Would you be able to go into a little more detail about securing the CF Administrator using Windows permissions? I am not a server administrator (as you could probably tell and any additional information would be very helpful.

thanks

In Windows explorer, you can right click on the directory and choose properties, and then one of the tabs should be security. You can assign permissions through this interface. Just be careful about what groups/users you authorize. If you have access to the server and you don't think you'll need to change much in the cf administrator once it is set up, you may find that just copying that whole administrator directory out of the web root is an easier solution. You can just copy it back when you need to make changes.

You have provided very good information to me. All is very helpful.

Thanks for your time.