The previous sections focused on secure ColdFusion coding practices, but if the installation of ColdFusion is configured insecurely, all of that work is for nothing. Securing the ColdFusion Application Server requires making the OS, web server, and the ColdFusion configuration secure. Adobe has published Lockdown Guides for each version of ColdFusion:
ColdFusion has had security sandboxing for quite a long time, but is probably an under utilized option that can help secure ColdFusion because it is only really useful in Enterprise. Sandboxing allows you to restrict access to data sources, ColdFusion tags/functions, directories, and servers/ports on a subdirectory. If a piece of ColdFusion code tries to access a restricted resource in the sandbox, ColdFusion will throw an error. The best use of sandboxing is to restrict everything on the webroot of a server and then only allow what is needed per the subdirectory (web application).