You are correct, the system usually has far more permissions than what should be allowed for a production site.

Sorry for the assumption, anything I see above H I typically use as a network drive.

First off, @pfreitag has some great tools and insight in locking down a CF box.

That being said, this is the general path we follow for Windows in production:
- Update everything - Web / OS / Apps
- Configure Windows Firewall to block everything
- Turn off RDP
- Disable and remove all vendor software not needed to run the app / server
- ACF / Lucee installed on its own partition or drive
- All static assets on their own partition or drive
- All other web app items on their own partition or drive
- USE NTFS for fine-grained file permissions
- Remove 8dot3 naming
- 1 user per application - KISS naming (Keep it simply short): CFLucee for Lucee, CfPython for Lucee python worker, python for python worker, so on and so forth
- Disable password changes
- Disable password expiration
For IIS / Apache:

- Create a service user for either / or both as needed
- Remove users from any pre-defined groups
- Disable inheritance for created users on newly defined folders
- For the LUCEE USER and others, change permissions from “Full control” to:
  - Read & Execute
  - List Folder Contents
  - Read
  - (Write) if needed
- For IUSR / Pool Users:
  - Read & Execute
  - List Folder Contents
  - Read
IIS:

- Host headers on
- Directory browsing off
- Application pool identity for all applications
- Unique application pools for all sites (if you can, 1 site per host)
- ‘Application pool identity’ is configured for anonymous
- Disable WebDAV
- ‘Global authorization rule’ is set to restrict access
- ‘maxAllowedContentLength’ is configured
- Ensure ‘maxURL request filter’ is configured
- Non-ASCII characters in URLs are not allowed
- ‘HTTP Trace Method’ is disabled
- Unlisted file extensions are not allowed
- Handler is not granted Write and Script/Execute
- ‘notListedIsapisAllowed’ is set to false
- ‘notListedCgisAllowed’ is set to false
- Default IIS web log location is moved (outside web and sysroot)
- Advanced IIS logging is enabled
- ‘Dynamic IP Address Restrictions’ is enabled
- ‘ETW Logging’ is enabled
Configure Request Filtering, block all of:

- /CFIDE
- /LUCEE/Administrator
- /Lucee/WebContext
- /CPANEL
- /WEB-INF
- /.git
- /.ht*
- /rest
- /lucee

There are many others here, go wild if you get bored, but as a base:
- Move the Lucee WEB-INF outside the root
- Remove any unused application pools
- Change .NET Framework to “No Managed Code”
- Remove ASP.NET ISAPI filters
- Remove any unused handler mappings
- Bind and restrict the Lucee administrator to 127.0.0.1 / localhost
- Update Java to the latest supported Java by Lucee and point the config to the Lucee path
- Whenever possible, use an external firewall for handling encryption

There are some other steps, but this should get you started.
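As an added example that is not from the original post or from the Lucee project, here is a site-level web.config that expresses the Request Filtering, directory-browsing and handler items from the list above; the size limits and the allowed-extension list are assumed sample values to adapt per site:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Site-level web.config: sample values, not taken from the original post. -->
<configuration>
  <system.webServer>
    <!-- directory browsing off -->
    <directoryBrowse enabled="false" />
    <!-- handlers get Read + Script only, never Write or Execute -->
    <handlers accessPolicy="Read, Script" />
    <security>
      <!-- allowHighBitCharacters="false": non-ASCII characters in URLs are rejected.
           allowDoubleEscaping="false": double-encoded paths cannot slip past the rules below. -->
      <requestFiltering allowHighBitCharacters="false" allowDoubleEscaping="false">
        <!-- maxAllowedContentLength is in bytes (10 MB here); maxUrl / maxQueryString cap URL length -->
        <requestLimits maxAllowedContentLength="10485760" maxUrl="4096" maxQueryString="2048" />
        <!-- HTTP TRACE method disabled -->
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false" />
        </verbs>
        <!-- Unlisted file extensions are not allowed: list only what the site really serves.
             fileExtension="." keeps extension-less URLs such as "/" working. -->
        <fileExtensions allowUnlisted="false">
          <add fileExtension="." allowed="true" />
          <add fileExtension=".cfm" allowed="true" />
          <add fileExtension=".cfc" allowed="true" />
          <add fileExtension=".html" allowed="true" />
          <add fileExtension=".css" allowed="true" />
          <add fileExtension=".js" allowed="true" />
          <add fileExtension=".png" allowed="true" />
        </fileExtensions>
        <!-- hiddenSegments match a whole path segment at any depth and answer 404 -->
        <hiddenSegments>
          <add segment="CFIDE" />
          <add segment="WEB-INF" />
          <add segment="CPANEL" />
          <add segment=".git" />
          <add segment="rest" />
          <add segment="lucee" />
        </hiddenSegments>
        <!-- denyUrlSequences are substring matches; "/.ht" covers the /.ht* item -->
        <denyUrlSequences>
          <add sequence="/.ht" />
          <add sequence="/lucee/admin" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Two caveats: a hidden segment blocks that name at any depth (a legitimate /assets/rest/ folder would 404 as well), and notListedIsapisAllowed / notListedCgisAllowed live in applicationHost.config at server level, so they cannot be set from this file.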