Server Admin available from the net?

Should the server admin page be available from the net?
Here are my steps:

  1. Launch AWS Win Server 2019 Base instance.
  2. Attach my extra volumes (1 containing Lucee installer).
  3. Use Windows Update to install updates (a single Windows Defender update).
  4. Use Server Manager to add Web Server Role.
    Accepted all defaults until Role Services, where I killed Directory Browsing and added IP and Domain Restrictions.
  5. Ran lucee-5.3.6.061-pl0-windows-installer.
    Accepted all defaults, except set max heap to 1024.
    Presented with nice looking Lucee Welcome screen
    (You are now successfully running Lucee 5.3.6.61 on your system!)
    So far, so good.
  6. Surf from the net to the machine’s IP address.
    500 Error.
  7. Gave Local Service full access to C:/inetpub/wwwroot/.
    Deleted everything in C:/inetpub/wwwroot/ except index.cfm.
  8. Surf from the net to the machine’s IP address.
    I get the Lucee Welcome screen, but w/o the CSS.
  9. Click on the “Server” link in the Secure Administrators section.
    I get the Lucee Server Admin login screen, and am able to log in.

It doesn’t seem like that should be available from outside.

Being a very small shop, I have no need, whatsoever, for web-based Admin, at all.
I’d be fine if I had to RDP to the server to do that.

Can I do that?

tx,
km

OS: Win Server 2019 Base
Java Version: 11.0.7 (AdoptOpenJDK) 64bit
Tomcat Version: Apache Tomcat/9.0.35
Lucee Version: Lucee 5.3.6.61

Hi @KludgeMaker,

very glad you are making progress.

Of course you should/must lock down the server/web admin. It is good practice to block it, although there are situations (for example hosters) where people like to have them accessible, or want to make them accessible to the outside world. Here is what you can/should do:

  1. Use the BonCode connector setting EnableRemoteAdmin=false in your C:\windows\BonCodeAJP13.settings. For more information see the setting in the BonCode docs.

  2. Don’t leave the IIS default website with the unassigned host name/IP active. This is a pool for unknown host names/all IP addresses. That may cause IIS to accept any incoming host name (even spoofed ones), and that may cause Tomcat to load from its default webroot C:\lucee\tomcat\webapps\ROOT. Better is to deactivate it and add your specific sites that match host names/IP addresses.

  3. Use IIS Request Filtering. See the Lucee Lockdown Guide.
    The video applies to Railo, but you only need to change the URL to match Lucee’s Admin URL.

That’s all for now. Hope that helps a little.

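Steps 1 and 3 from the reply above, applied and checked from an elevated PowerShell session on the IIS host, as an added example that is not part of the thread. It assumes the site is named 'Default Web Site', that the BonCode settings file is an XML document at the path named in the reply, and that the Lucee admin pages live under /lucee/admin (server.cfm and web.cfm) on that site.

```powershell
# Added example (not from the thread). Run elevated on the IIS host.
# Assumptions: site name, settings file path and Lucee admin URL prefix below.
Import-Module WebAdministration

$SiteName     = 'Default Web Site'                 # assumed: use your own site name
$SettingsFile = 'C:\windows\BonCodeAJP13.settings' # path given in the reply
$AdminPrefix  = '/lucee/admin'                     # Lucee web + server admin live here
$AppHost      = 'MACHINE/WEBROOT/APPHOST'
$Filter       = 'system.webServer/security/requestFiltering/denyUrlSequences'

# --- Step 1: BonCode connector setting EnableRemoteAdmin=false -----------------
[xml]$settings = Get-Content -Path $SettingsFile
$node = $settings.SelectSingleNode('//EnableRemoteAdmin')
if ($null -eq $node) {
    # element absent: add it so the intent is explicit in the file (assumed layout)
    $node = $settings.CreateElement('EnableRemoteAdmin')
    [void]$settings.DocumentElement.AppendChild($node)
}
if ($node.InnerText -ne 'False') {
    $node.InnerText = 'False'
    $settings.Save($SettingsFile)
    # the connector reads its settings when the worker process starts
    Restart-WebAppPool -Name (Get-Item "IIS:\Sites\$SiteName").applicationPool
}

# --- Step 3: IIS Request Filtering denies the admin URL before it reaches Tomcat --
$denied = Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter "$Filter/add" |
          ForEach-Object { $_.sequence }
if ($denied -notcontains $AdminPrefix) {
    Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter $Filter -Name '.' -Value @{ sequence = $AdminPrefix }
}

# --- Check: a denied URL sequence answers 404 (substatus 404.5), never 200 --------
# Repeat this request from a machine outside the network to confirm the public view.
$adminUrl = "http://$(hostname)$AdminPrefix/server.cfm"
try {
    $code = (Invoke-WebRequest -Uri $adminUrl -UseBasicParsing).StatusCode
} catch {
    $code = $_.Exception.Response.StatusCode.value__
}
if ($code -eq 200) { Write-Warning "$adminUrl is still reachable" }
else               { Write-Output  "$adminUrl -> HTTP $code (blocked)" }
```

Step 2 from the reply (retiring the unbound default site in favour of sites bound to explicit host names) is deliberately left out of the script, because on the setup described above the default site is the only site and stopping it would take the application offline.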

Again, thank you for your time.
You have become an invaluable resource already.
I did know to do part of that, but only 1 out of 3.
In the future I will try to read so you can possibly type less.

Now on to my next question … (after I at least TRY to look it up first)

tx,
km


It is always a pleasure to help. Typing is not a problem for me, because questions get documented here and will leave hints/help for others in the same situation as yours. We ALL have been there!!! We all have to learn to walk somehow. The first steps may be difficult, but with every single step you go further, the easier it gets. Again… Welcome to our community.

I’ve just added a video guide on how to block your admin pages from being accessed, if you still want to take a look into: