Vista Annoyance: File Encryption and Apache

I just downloaded the latest extJS 2.0.1 zip file and unzipped it into a web folder.

When I went to go look at the examples I got a "403 Forbidden" error from Apache. I figured it must have been some odd security setting on the files. So I compared the security settings on the files that got a 403 to other files on my laptop that Apache served just fine. Unfortunately the same Windows users had the same permissions.

I even went so far as to ask Nat what in the world was going on. He basically told me he wasn't smart enough to know the answer. Well not in so many words. I think he ended the conversation with something like "It has to be F#$!ing Vista. F%!@ Vista!" Or something like that.

Anyway I kept digging around. What it turned out to be was that for some reason the files were encrypted. If you right-click a file or folder and click Advanced, you'll see whether it's encrypted or not. Once I unencrypted the files they worked just fine. Here is a site to turn off file encryption completely.

-Steve Nelson
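The 403 is the expected symptom: an EFS-encrypted file can only be opened by an account holding the file's encryption key, so an Apache service running as LocalSystem or a dedicated service account gets access denied even though the NTFS ACL grants it read. An unzip into a folder that carries the Encrypted attribute encrypts every extracted file. The script below is an added example (not from the original post) that lists EFS-encrypted items under a web root and, with -Decrypt, decrypts them; the web root path and the Apache service name pattern are assumptions.

```powershell
# Added example, not part of the original post. Find EFS-encrypted files and
# folders under a web root (the cause of Apache 403s on otherwise readable files)
# and optionally decrypt them. Must run as the user who encrypted them, i.e. the
# user who did the unzip, because only that user's profile holds the EFS key.
param(
    [string]$WebRoot = 'C:\Apache2\htdocs\ext-2.0.1',   # assumed path; change to yours
    [switch]$Decrypt
)

function Get-EncryptedItem {
    param([string]$Path)
    # The Encrypted attribute marks EFS-protected items. A folder with the flag
    # causes everything created inside it (an unzip, for instance) to be encrypted.
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
}

# Show which account the web server runs as: that account needs to open the
# files, and it is not the account that owns the EFS key. Service name pattern is assumed.
Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Apache%'" |
    Select-Object Name, StartName | Format-Table -AutoSize

$hits = @(Get-EncryptedItem -Path $WebRoot)
if ($hits.Count -eq 0) {
    "No EFS-encrypted items under $WebRoot"
    return
}

foreach ($item in $hits) {
    $kind = if ($item.PSIsContainer) { 'DIR ' } else { 'FILE' }
    '{0} {1}' -f $kind, $item.FullName
}

if ($Decrypt) {
    # Folders first, so files decrypted afterwards do not get re-encrypted by
    # inheriting the folder attribute. Booleans sort False before True, and
    # -not PSIsContainer is False for folders.
    foreach ($item in ($hits | Sort-Object { -not $_.PSIsContainer })) {
        try {
            if ($item.PSIsContainer) {
                & cipher.exe /d $item.FullName | Out-Null   # clears the folder's Encrypted attribute
            } else {
                $item.Decrypt()                              # System.IO.FileInfo.Decrypt, NTFS + EFS key required
            }
        } catch {
            Write-Warning "Could not decrypt $($item.FullName): $($_.Exception.Message)"
        }
    }
}
```

Run it first without -Decrypt to see what is affected; if the list is empty but Apache still returns 403, the problem is a plain ACL or an Apache Directory directive rather than EFS.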

My First Vista Blue Screen! w00t!

I just bought a new laptop after working on a Dell m700 for 2 1/2 years. No real reason, I just figured it was time to upgrade. I bought another Dell, an XPS 1330. So far it's slick. The downside? It ONLY comes with Vista. Just like you, I've heard nothing but bad things about Vista.

After it arrived, I loaded up everything from my old laptop onto the new one. Like any normal geek, I started messing around with various settings in Vista. It was running fine, it's just a habit I guess. (No wonder Windows has such a bad name! haha) For kicks I decided to try and turn off "Data Execution Protection" (an edit to the boot.ini file). Why not, right? I figured my machine would run at *least* twice as fast if it's off. Well I reboot it, BIOS...then Windows logo...BOOM! blue screen. Aw crap! Now all the Webappers are going to make fun of me for using Vista! (Yes, you read that right, I'm not worried about not using my computer, I'm worried about being made fun of)

So I reboot it again and it gives me these options to try and repair the problem. Which is pretty cool on its own. I say yes and wait like 5 minutes while it does all these tests. It does something (I don't remember what, something about a boot sector virus), tells me to reboot; same thing happens. Now what? I try it a couple of times with no luck. I'm about to suck it up and pop in the Vista CD and sigh... reformat. It's going through the tests and I click "cancel" figuring it'll reboot again. W00t! It gives me another option to do 'advanced' edits. Kick ass! It gives me a bunch of options and exactly what I wanted, a sweet sweet command prompt.

To make a long story long, I typed this in:

bcdedit.exe /set {current} nx Optin

Rebooted. Held my breath and closed my eyes (literally). Now everything is back to normal. Take that you Mac lovers!

Ok, back to work for me. I've got a TON of new stuff to post, come back soon.

-Steve Nelson
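DEP (the NX bit) is an exploit mitigation, not a performance setting: with it off, a stack or heap buffer an attacker controls is executable in every process on the box. The bcdedit line above restores the Windows default. As an added example, not from the original post, the following script reports the effective DEP policy two ways (the running kernel's view via WMI and the boot configuration via bcdedit), warns when they disagree or when DEP is off, and wraps the same bcdedit repair with -WhatIf support. It needs an elevated prompt; nothing in it is specific to the author's machine.

```powershell
# Added example, not part of the original post. Check the DEP policy and put it
# back to the Windows default (OptIn) if someone has switched it off. Run elevated:
# bcdedit refuses to enumerate or set the BCD otherwise.

function Get-DepPolicy {
    # Win32_OperatingSystem exposes the policy the running kernel is using.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        HardwareDep = $os.DataExecutionPrevention_Available        # CPU supports NX
        Policy      = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Drivers     = $os.DataExecutionPrevention_Drivers          # DEP applied to drivers
    }
}

function Get-BcdNx {
    # The boot configuration is what the next reboot will use. bcdedit prints an
    # "nx <value>" line for the current entry only when it has been set explicitly.
    $out = & bcdedit.exe /enum '{current}' 2>&1
    foreach ($line in $out) {
        if ($line -match '^\s*nx\s+(\S+)') { return $Matches[1] }
    }
    return 'OptIn'   # not present in the BCD means the default, OptIn
}

function Restore-DepOptIn {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Same command as in the post; takes effect at the next reboot.
    if ($PSCmdlet.ShouldProcess('{current} boot entry', 'bcdedit /set nx OptIn')) {
        & bcdedit.exe /set '{current}' nx OptIn
    }
}

$policy = Get-DepPolicy
$bcd    = Get-BcdNx
$policy | Format-List
"BCD nx setting: $bcd"

if ($policy.Policy -ne $bcd) {
    Write-Warning "Running policy ($($policy.Policy)) differs from the BCD ($bcd): a reboot is pending or the change did not apply"
}
if ($bcd -eq 'AlwaysOff' -or $policy.Policy -eq 'AlwaysOff') {
    Write-Warning 'DEP is disabled for every process; run Restore-DepOptIn (or Restore-DepOptIn -WhatIf to preview)'
}
```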

How to change the JRun log files location

I recently set up a virtual server with hostmysite.com and we installed our own copy of ColdFusion Enterprise. In the process, I wanted to follow hms's guidelines about putting all log files on the E: drive as opposed to the default C: drive where ColdFusion gets installed. Now I'm not entirely certain why they're so adamant about the segregation (beyond the obvious availability concern: a log file that grows without bound on the system drive can fill it and take the OS down with it), but I am personally concerned about the lack of hard drive space on the VPS. There are only 2 GB allocated to the C: drive, and after loading it up with ColdFusion (two instances), MSSQL 2005, Subversion (repos on a different drive), and some other tidbits, I'm down to only 750 MB free. Another production server I manage has almost that much taken up in the JRun log files alone!

It's easy enough to use the ColdFusion administrator to move the ColdFusion log files (like application.log and server.log, etc), but I really need to move the JRun-specific log files, namely default-err.log, since that's the one that grows bit-by-bit whenever an error is thrown in CF (including those pesky "java.net.SocketException: Connection reset").

You can't use the CF Administrator to change the location of those log files, but you can do it in the registry. The values live under the Windows service's key in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Macromedia CFMX AS cfusion

(CurrentControlSet always resolves to the control set Windows actually booted from; ControlSet001 is usually the same thing, but that isn't guaranteed, so edit under CurrentControlSet.) If you have multiple CF instances, you'll have to make the change in each key, where "Macromedia CFMX AS cfusion" above is the Windows service name. For a single-instance, standalone ColdFusion installation, the key is

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ColdFusion MX 7 Application Server

Change the "SystemErr" and "SystemOut" values from

{jrun.rootdir}\logs\{jrun.server.name}-err.log

to

drive\path\{jrun.server.name}-err.log

and bounce the service. Voila! You don't need to move the existing log files by hand: when the service starts, new log files are created in the new location. Do this for both the -err and -out logs, and make sure the account the service runs as has write access to the new directory, or JRun won't be able to write them.

If you're on hostmysite's VPS plan that includes CF, you may want to make this change yourself. The default image for the CF VPS plans doesn't put these log files on the E: drive, which means you could run out of room on the C: drive in a relatively short amount of time, depending on traffic and your application's profile.
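The registry edit above is easy to get wrong across several instances, so here it is as an added example (not from the original post, and not hostmysite's or Adobe's own tooling): a script that finds every service key carrying SystemErr and SystemOut values, shows where they point today, and repoints them at a new log root, keeping the {jrun.server.name} placeholder so each instance still gets its own file. The E:\Logs\JRun target is an assumption; -WhatIf previews without touching anything.

```powershell
# Added example, not part of the original post. Repoint JRun-based ColdFusion
# services at a new log directory by editing the SystemErr/SystemOut service
# values described above, then restart each service so it opens the new files.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$NewLogRoot = 'E:\Logs\JRun'   # assumed target, following the E: drive layout in the post
)

# CurrentControlSet always resolves to the active control set.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-JRunLogService {
    # Any service key carrying both values is JRun-based: the multi-instance
    # "Macromedia CFMX AS <name>" services or the standalone CF server service.
    Get-ChildItem -Path $servicesKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.SystemErr -and $p.SystemOut) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Key       = $_.PSPath
                SystemErr = $p.SystemErr
                SystemOut = $p.SystemOut
            }
        }
    }
}

function Set-JRunLogLocation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)]$Svc, [Parameter(Mandatory)][string]$Root)

    if (-not (Test-Path -LiteralPath $Root)) {
        New-Item -ItemType Directory -Path $Root | Out-Null
    }
    # Keep the placeholder so each instance still logs to its own file.
    $err = Join-Path $Root '{jrun.server.name}-err.log'
    $out = Join-Path $Root '{jrun.server.name}-out.log'

    if ($PSCmdlet.ShouldProcess($Svc.Service, "SystemErr -> $err ; SystemOut -> $out")) {
        Set-ItemProperty -Path $Svc.Key -Name SystemErr -Value $err
        Set-ItemProperty -Path $Svc.Key -Name SystemOut -Value $out
    }
}

$targets = @(Get-JRunLogService)
if ($targets.Count -eq 0) { Write-Warning 'No service keys with SystemErr/SystemOut values found'; return }

foreach ($svc in $targets) {
    '{0}: currently {1}' -f $svc.Service, $svc.SystemErr
    Set-JRunLogLocation -Svc $svc -Root $NewLogRoot
    # The service account must be able to write to $NewLogRoot; check the ACL
    # on the directory before restarting if it was just created on a data drive.
    if ($PSCmdlet.ShouldProcess($svc.Service, 'Restart-Service')) {
        Restart-Service -Name $svc.Service
    }
}
```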

Windows Packet Filtering: The Very Least You Can Do For Security

We find people placing Windows servers "naked" on the Internet with frightening regularity. Without any sort of firewall or packet filtering, these machines make very easy targets for attackers. Even if you have a network firewall in front of the server, host-based packet filtering adds a further layer that still holds when the network firewall is misconfigured or bypassed, though in that case you'll have to decide for yourself whether the marginal gain is worth the hassle of the added access complexity.

At the bare minimum, you should enable packet filtering on every Windows box you have directly attached to the Internet. Both Windows 2000 and Windows XP/2003 have built-in functionality for basic filtering.

The goal is to only allow the public [I use the term "public" here to refer to anyone not physically at the machine] to connect to the services explicitly offered to them, and prevent connection to all other services. Examples of public services are your Web server, Mail server, and administrative remote access service, such as Terminal Services / Remote Desktop; things we want to protect include Windows File and Print sharing, RPC, and database servers. Note that (in almost all cases) the public does not directly connect to ColdFusion or database servers; the public connects to the Web server, which in turn connects to ColdFusion, which then connects to the database. Therefore, ports used by CF and your DBMS (TCP 1433 for a default SQL Server instance, for example) should be blocked from the Internet.


Windows 2000:

For Windows 2000, we'll use TCP/IP Filtering. Note that any changes to TCP/IP Filtering require a reboot; fortunately, you'll rarely need to make changes to TCP/IP Filtering once it's set up. Also note that it is a stateless inbound filter: it judges each incoming packet by destination port alone, with no memory of the outbound request it answers.

That statelessness is what breaks DNS. The resolver sends each query from a random UDP source port, and the reply comes back to that port, which is now blocked. The workaround is to install the Windows DNS Server service locally (using the "Add/Remove Programs" control panel, under "Add/Remove Windows Components"), point the machine's resolver at it, and (below) pin the server's outbound query port to 53, so the single permitted UDP port carries both directions.

  • Start->Control Panels->Network Connections
  • Choose your active NIC (usually "Local Area Connection")
  • Click "Properties"
  • In the list of protocols, click on TCP/IP, then click "Properties"
  • Set the "Preferred DNS Server" to "127.0.0.1".
  • Click "Advanced..."
  • Click on the "Options" tab
  • Click on "TCP/IP filtering" and click "Properties"
  • Check "Enable TCP/IP Filtering"
  • Select "Permit Only" for both TCP and UDP
  • Add the following ports under TCP:
    20 (ftp)
    21 (ftp)
    25 (smtp)
    53 (dns server)
    80 (http)
    110 (pop3)
    443 (https)
    3389 (remote desktop - important!)
    8999 (SeeFusion / SeeJava)
  • Add the following port under UDP:
    53 (dns client/server)

If you're running services other than those I listed, and the general public needs to connect to them directly, be sure to add their "listen ports" to that list.

The next problem to solve is DNS. The Windows DNS Server (and client) will, by default, choose a random UDP port from which to send outbound DNS queries. Since all but one of those ports are now firewalled off, in order for DNS to work we have to ask the DNS Server to always use port 53 to send DNS queries. This is done with a simple registry update; create a DWORD entry named "SendPort" under "HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ DNS\ Parameters\", and set the value to 35 hex (which is 53 decimal.) Or, create a .reg file with the following content, and "import" it into your registry. Be aware of the trade-off: a fixed source port removes the randomization that makes it hard for an attacker to spoof replies into the server's DNS cache, so if you can use a stateful firewall instead (the Windows Firewall on XP/2003, or a network firewall), do that and leave SendPort alone.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
"SendPort"=dword:00000035


Windows XP/2003:

For Windows XP/2003, we'll use the Windows Firewall, which allows configuration without rebooting, and is a bit easier to set up than TCP/IP Filtering.

  • Start->Control Panel->Windows Firewall
  • (A dialog will appear prompting you to start the Windows Firewall/ICS service.)
  • Click "Yes"
  • Click on the Exceptions tab
  • Make sure "Remote Desktop" is checked
    -- For added security, only enable Remote Desktop access from networks you want to access it from, by clicking "Edit...", "Change Scope", and selecting "Custom List", then add a comma-delimited list of IP addresses or subnets that are allowed remote access. Be very careful with this, as it's fairly easy to lock yourself out of the machine, requiring a trip to the data center to "unlock" access to your machine.
  • Make sure "File and Printer Sharing" is NOT checked
    -- If you /need/ File sharing to nearby machines, then enable it, click Edit, double click on each port in the list, and change the scope to "My network (subnet) only".

Next, we add exceptions for the programs, or just ports, that directly accept connections from the Internet. First, add the following ports, by clicking "Add Port...":

25 (smtp)
80 (http)
110 (pop3)
443 (https)
8999 (SeeFusion / SeeJava)

Next, use "Add Program..." for any other servers you're running, that the public directly connects to, such as your FTP server. The easiest way to do this is to go to the properties for the service (in the Services control panel), and copy the value of "Path to executable" on the service properties panel, then go back to the Windows Firewall exceptions list, click "Add Program...", "Browse", and paste. Repeat as necessary.

If the server you're configuring happens to be a database server that's only accessed by nearby application servers, be sure to change the scope for your database server program to "Custom List", then add the IP address(es) of the application server(s). [You can also use this technique to allow you to connect to the database server from the office, or from home.]

Once this is done, click back to the "General" tab, turn the firewall On, and click OK. (Do NOT check "Don't allow exceptions".)

You'll need to restart any service you added using "Add Program...", so Windows Firewall can detect and authorize their ports.
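The same policy can be applied from a script, which matters when you manage more than one box or want the configuration in source control. The block below is an added example (not from the original post) that drives the XP SP2 / 2003 SP1 firewall with the "netsh firewall" context, the command-line form of the Exceptions tab on those versions (Vista and later replaced it with "netsh advfirewall"). It opens the public ports listed above, scopes Remote Desktop to an admin network, disables File and Printer Sharing, and scopes a database program exception to the application servers; before touching anything it refuses to apply an RDP allow-list that does not cover the address you are connecting from, the lockout the post warns about. The addresses and the SQL Server path are assumptions.

```powershell
# Added example, not part of the original post. Windows XP SP2 / 2003 SP1 firewall
# policy from the post, expressed as "netsh firewall" commands. -WhatIf prints
# the commands without running them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Networks allowed to reach Remote Desktop. Must include where you are sitting now.
    [string[]]$RdpAllowed = @('203.0.113.0/24'),              # assumed admin network (TEST-NET-3)
    [string[]]$AppServers = @('192.0.2.10', '192.0.2.11'),    # assumed application servers
    [string]  $DbExe      = 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe',  # assumed
    [string]  $MyAddress  = ''                                 # your current source IP, for the lockout check
)

# Ports the public connects to directly, from the post.
$publicTcp = @{ 25 = 'SMTP'; 80 = 'HTTP'; 110 = 'POP3'; 443 = 'HTTPS'; 8999 = 'SeeFusion' }

function Invoke-Netsh {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$Arguments)
    if ($PSCmdlet.ShouldProcess('Windows Firewall', "netsh $($Arguments -join ' ')")) {
        & netsh.exe @Arguments
    }
}

function ConvertTo-IPv4Int {
    param([string]$Dotted)
    $b = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Test-AddressInScope {
    # True if $Address falls inside any "a.b.c.d" or "a.b.c.d/len" entry of $Scope.
    param([string]$Address, [string[]]$Scope)
    $ip = ConvertTo-IPv4Int $Address
    foreach ($entry in $Scope) {
        if ($entry -eq 'LocalSubnet') { continue }   # cannot be evaluated here; treated as no match
        $net, $len = $entry -split '/'
        if (-not $len) { $len = 32 }
        $mask = if ([int]$len -eq 0) { 0 } else { ([long]0xFFFFFFFF -shl (32 - [int]$len)) -band 0xFFFFFFFF }
        if (($ip -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)) { return $true }
    }
    return $false
}

# Lockout guard: scoping RDP to a list that excludes yourself means a trip to the data center.
if (-not $MyAddress) {
    Write-Warning 'No -MyAddress given; cannot verify that the RDP allow-list includes you'
} elseif (-not (Test-AddressInScope -Address $MyAddress -Scope $RdpAllowed)) {
    throw "RDP allow-list ($($RdpAllowed -join ',')) does not contain $MyAddress; refusing to apply"
}

# 1. Firewall on, exceptions allowed (never "Don't allow exceptions").
Invoke-Netsh firewall set opmode mode=ENABLE exceptions=ENABLE
# 2. Remote Desktop from the admin network only; File and Printer Sharing off.
Invoke-Netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM "addresses=$($RdpAllowed -join ',')"
Invoke-Netsh firewall set service type=FILEANDPRINT mode=DISABLE
# 3. Ports the public connects to directly.
foreach ($port in ($publicTcp.Keys | Sort-Object)) {
    Invoke-Netsh firewall add portopening protocol=TCP "port=$port" "name=$($publicTcp[$port])" mode=ENABLE scope=ALL
}
# 4. Database server reachable only from the application servers (program exception, custom scope).
if (Test-Path -LiteralPath $DbExe) {
    Invoke-Netsh firewall add allowedprogram "program=$DbExe" name=SQLServer mode=ENABLE scope=CUSTOM "addresses=$($AppServers -join ',')"
}
Invoke-Netsh firewall show config
```

As the post says, services added as program exceptions need a restart before the firewall picks up their listening ports.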


Now, people on the Internet can only connect to the ports you've explicitly authorized, the first important step in a secure system.

Be sure to test all of your public services, to ensure you didn't miss anything!
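Testing from the outside with a port scan is the real check, but an inside view is useful too: anything listening on all interfaces that is not on your allow-list is a port the firewall must be blocking, and it is worth knowing what those are. The script below is an added example (not from the original post) that parses "netstat -ano" output, ignores loopback-only binds, and flags listeners outside the allow-list. By default it runs against a constructed sample so it works offline; -Live reads the real netstat.

```powershell
# Added example, not part of the original post. Compare what is listening with
# the ports you intended to expose, and flag the rest.
param(
    [int[]]$AllowedTcp = @(25, 80, 110, 443, 3389, 8999),   # the post's XP/2003 list plus Remote Desktop
    [switch]$Live
)

# Constructed sample in "netstat -ano" layout; not captured from a real server.
$sampleText = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1588
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1972
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1096
  TCP    127.0.0.1:51010        0.0.0.0:0              LISTENING       2104
  TCP    0.0.0.0:8999           0.0.0.0:0              LISTENING       2104
  TCP    192.0.2.5:80           198.51.100.7:51722     ESTABLISHED     1588
  UDP    0.0.0.0:53             *:*                                    1240
'@
$sample = $sampleText -split "`r?`n"

function ConvertFrom-Netstat {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Proto, local addr:port, foreign, optional State (UDP rows have none), PID.
        if ($line -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(LISTENING)\s+)?(\d+)\s*$') {
            if ($Matches[1] -eq 'TCP' -and -not $Matches[4]) { continue }   # ESTABLISHED etc. are not listeners
            [pscustomobject]@{
                Proto   = $Matches[1]
                Address = $Matches[2]
                Port    = [int]$Matches[3]
                Pid     = [int]$Matches[5]
            }
        }
    }
}

function Find-UnexpectedListener {
    param([object[]]$Listeners, [int[]]$Allowed)
    $Listeners | Where-Object {
        # Loopback-only binds are unreachable from outside whatever the firewall does.
        $_.Address -notin @('127.0.0.1', '[::1]') -and
        -not ($_.Proto -eq 'TCP' -and $Allowed -contains $_.Port) -and
        -not ($_.Proto -eq 'UDP' -and $_.Port -eq 53)               # DNS, permitted in the post
    }
}

$lines = if ($Live) { & netstat.exe -ano } else { $sample }
$unexpected = @(Find-UnexpectedListener -Listeners @(ConvertFrom-Netstat -Lines $lines) -Allowed $AllowedTcp)

if ($unexpected.Count -eq 0) { 'Nothing listening outside the allow-list'; return }
foreach ($l in $unexpected) {
    $proc = if ($Live) { (Get-Process -Id $l.Pid -ErrorAction SilentlyContinue).ProcessName } else { 'n/a' }
    '{0} {1}:{2} pid={3} ({4}) is not in the allow-list; confirm the firewall blocks it' -f $l.Proto, $l.Address, $l.Port, $l.Pid, $proc
}
```

On the sample data this reports 135 (RPC), 445 (SMB) and 1433 (SQL Server): exactly the services the post says the public must not reach.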

XP login troubles

This morning, I made the mistake of installing Windows Media Player 11. The installer did its evil, and then lied to me, coaxing me to restart my machine to complete the installation process.

Well, restart I did, and up came the login prompt. Odd, I've set my desktop to automatically log in. But no matter... So I enter my username and password, hit enter and walk away. I come back, and I'm at the login prompt again. I swear I hit enter... So I log in again, and this time I notice that XP immediately logs me back out.

Uh oh.

Google wasn't helpful at first. Everyone was blaming the spyware "Search Assistant", but I knew that I didn't install it, and that Firefox wouldn't allow it to get silently installed. But, the problem was similar, and so was the solution.

I ended up adding two missing registry values to the key, by running regedit.exe on another machine on the network, and connecting to the problem machine by choosing "File > Connect Network Registry". Here's the key in question:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The string values were:

Shell = explorer.exe
Userinit = C:\WINDOWS\system32\userinit.exe

Hope that this information saves someone else a few hours!
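Those two Winlogon values are worth checking even when nothing is broken: Shell and Userinit run at every logon, so malware that appends its own executable to Userinit gets persistence, and a deleted or corrupted Userinit produces exactly the instant-logoff loop described here. The script below is an added example (not from the original post) that reads both values, locally or from another machine through the Remote Registry service as the post did, compares them entry by entry against the stock Windows values (Windows writes Userinit with a trailing comma, which the comparison tolerates), warns on anything extra or missing, and can restore the defaults on the local machine with -WhatIf / -Confirm support.

```powershell
# Added example, not part of the original post. Audit (and optionally repair)
# the Winlogon Shell and Userinit values. Requires admin rights for the repair.
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$ComputerName = '')   # empty = local machine; a name uses the Remote Registry service

$key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    # Windows writes Userinit with a trailing comma; anything appended after
    # userinit.exe also runs at logon, which is why malware targets this value.
    Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
}

function Get-WinlogonValue {
    param([string]$Computer, [string]$Name)
    if (-not $Computer) {
        return (Get-ItemProperty -Path "HKLM:\$key" -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $sub = $hive.OpenSubKey($key)
        if ($sub) { $sub.GetValue($Name) } else { $null }
    } finally { $hive.Close() }
}

function Test-WinlogonValue {
    param([string]$Actual, [string]$Expected)
    # Compare entry by entry (case-insensitive), ignoring the trailing comma, so
    # the stock value passes while an injected extra entry fails.
    $a = @($Actual   -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $e = @($Expected -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($a.Count -ne $e.Count) { return $false }
    for ($i = 0; $i -lt $e.Count; $i++) {
        if ($a[$i] -ne $e[$i]) { return $false }
    }
    return $true
}

foreach ($name in $expected.Keys) {
    $actual = Get-WinlogonValue -Computer $ComputerName -Name $name
    $ok = ($null -ne $actual) -and (Test-WinlogonValue -Actual $actual -Expected $expected[$name])
    if ($ok) { "$name OK: $actual"; continue }

    if ($null -eq $actual) {
        Write-Warning "$name is missing (a missing Userinit is what produces the immediate-logoff loop)"
    } else {
        Write-Warning "$name is '$actual', expected '$($expected[$name])': check for injected entries"
    }

    # Repair the local machine only, and only when the caller confirms.
    if (-not $ComputerName -and $PSCmdlet.ShouldProcess("HKLM:\$key\$name", "set to '$($expected[$name])'")) {
        Set-ItemProperty -Path "HKLM:\$key" -Name $name -Value $expected[$name]
    }
}
```

The comparison is deliberately strict about extra entries rather than about the exact casing of the path, because the extra entry is the thing an attacker adds; a genuine non-default Shell (a kiosk, for instance) will show up as a warning and should be whitelisted explicitly in $expected.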
