
Lotus Domino 5 - Security Advice 1


JensenMax (IS-IT--Management), GB
Mar 14, 2007
Hi,

I am new to Domino and I have a few books and have searched the web et al. I was wondering if anyone could help me.

I am after the Top Ten Tips for Securing Lotus Domino, i.e. the most common areas where, if installed, there is a weakness or exploit.

Any help would be fantastic.

Max

 
Hi Max

Good question, you can always do with a little more security - I will get the list started - not in any real order... Some of these tips may be overkill if you're in a small company.

1. Ensure your users change their password after being set up. Teach them how to change it or, better still, sync with a directory such as AD and NDS.
2. Keep a copy of your Notes.id for every user with a default password, but ensure you have these files in a very secure location.
3. Keep your Cert.id and server.id secure as well.
4. Do not use a default password like "lotusnotes" for these IDs.
5. Only set your users' ACL to Editor (not Manager) on their database so they can change their own ACL and lock out you or the helpdesk.
6. Set up an agent (under Programs) to email you if any ACL is changed for any database - this is one of those secret ways you can monitor your users\helpdesk without them knowing. If they are mucking about with ACLs you will get an email and you can give them a call.
7. Teach your users to never give out their passwords for any reason.
8. Be sure the user's ID file is secured and backed up (not on the C: drive).
9. Always secure the Lotus Notes server - preferably in a locked cabinet inside a secure computer room that has cameras. This is because you can open any database from the Notes server - no password required and no logging of who accessed the database.
10. Have one person only responsible for HR and executive staff (all helpdesk calls), as it is not hard for a helpdesk guy to learn a password for a particular user and then use it to find out sensitive info, i.e. your public company's CIO has never changed his default password and the helpdesk guy helps himself to the company profit results prior to their release - with that information he can buy\sell stocks or call or put options and make large sums of money for himself\family and friends. With only a minimum number of people that can access these sensitive users it becomes easier to enforce security and leads to the helpdesk staff being responsible - if he is not responsible then he's gone.
11. If you're using your Domino as a web server and you are using SSL, ensure your SSL keys are secured and backed up.
12. If using SSL use only 128-bit SSL keys (no 40-bit encryption) if you want your data secure. I would also disable SSL 2.0 and below and only allow SSL 3.0, TLS 1.0 and above.
13. Keep the same security settings for any Domino servers in any location that you replicate databases to. Otherwise your security can be compromised.
14. Ensure all Windows security patches are deployed in a timely manner (critical vulnerabilities should be patched ASAP).
15. Keep your Domino release up to date and at the supported version. Old versions (R4 and R5) had some security holes as I recall.
16. Ensure you have a good company-wide anti-virus and not limited to just the desktop. You need anti-virus on your mail gateway, your server and all your desktops\notebooks.
17. Good firewall management in and out of your company goes without saying.
18. Good change management with good configuration management will help the audit team to track changes.
19. Do not assume hackers are only on the Internet; they may be anywhere in your company - these hackers have an advantage: they are already in the door and have a computer connected to your corporate network. Unauthorised access by users is very common; it is just not discussed by companies as they find it embarrassing: the employee is just dismissed and it is swept under the carpet. The admin and security or audit guy ends up with the most pain.

There are probably another 10 which I have not covered, but its a start.

Test any of your settings on a Testbed prior to putting into production.
If you need more info on how to do any of the above then just ask the question and I am sure the guys here will help you.


Regards

David
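Tip 6 above describes an agent that mails the administrator when any database ACL changes. The following scheduled LotusScript agent is an added example written for this thread, not code posted by David or shipped with Domino. It assumes: it runs on the server (Trigger "On schedule", "Run on" the server), under an ID that has at least Reader access to every database; it lives in a database where it may create profile documents; and `ADMIN_ADDRESS` and the profile name `ACLSnapshot` are placeholders to change. Each run serialises every ACL into "name=level" entries, compares them with the snapshot stored from the previous run, saves the new snapshot and sends one memo listing the differences.

```lotusscript
' Added example for this thread (not from the original post).
' Assumed: scheduled server agent, signer ID can read every database,
' ADMIN_ADDRESS and PROFILE_NAME are placeholders for your own values.
Option Public
Option Declare

Const ADMIN_ADDRESS = "notesadmin@example.com"   ' assumed recipient of alerts
Const PROFILE_NAME = "ACLSnapshot"               ' assumed profile document name

' Map a NotesACLEntry.Level constant to its display name.
Function LevelName(level As Integer) As String
    Select Case level
    Case ACLLEVEL_NOACCESS
        LevelName = "No Access"
    Case ACLLEVEL_DEPOSITOR
        LevelName = "Depositor"
    Case ACLLEVEL_READER
        LevelName = "Reader"
    Case ACLLEVEL_AUTHOR
        LevelName = "Author"
    Case ACLLEVEL_EDITOR
        LevelName = "Editor"
    Case ACLLEVEL_DESIGNER
        LevelName = "Designer"
    Case ACLLEVEL_MANAGER
        LevelName = "Manager"
    Case Else
        LevelName = "Unknown(" & CStr(level) & ")"
    End Select
End Function

' Serialise a database ACL as an array of "name=level" strings.
Function AclEntries(db As NotesDatabase) As Variant
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim list() As String
    Dim n As Integer
    ReDim list(0)
    list(0) = ""
    n = 0
    Set acl = db.ACL
    Set entry = acl.GetFirstEntry
    Do Until entry Is Nothing
        ReDim Preserve list(n)
        list(n) = entry.Name & "=" & LevelName(entry.Level)
        n = n + 1
        Set entry = acl.GetNextEntry(entry)
    Loop
    AclEntries = list
End Function

' Return every non-empty string in fromList that does not occur in inList,
' one per line, prefixed with label (used in both directions to build the diff).
Function EntriesNotIn(fromList As Variant, inList As Variant, label As String) As String
    Dim i As Integer, j As Integer, found As Integer
    Dim out As String
    For i = LBound(fromList) To UBound(fromList)
        found = False
        For j = LBound(inList) To UBound(inList)
            If fromList(i) = inList(j) Then found = True
        Next
        If (Not found) And fromList(i) <> "" Then
            out = out & "  " & label & ": " & fromList(i) & Chr(10)
        End If
    Next
    EntriesNotIn = out
End Function

' Mail the change report to the administrator from the agent's own database.
Sub SendAlert(agentDb As NotesDatabase, report As String)
    Dim memo As NotesDocument
    Dim body As NotesRichTextItem
    Set memo = agentDb.CreateDocument
    memo.Form = "Memo"
    memo.SendTo = ADMIN_ADDRESS
    memo.Subject = "ACL changes detected on " & agentDb.Server
    Set body = New NotesRichTextItem(memo, "Body")
    Call body.AppendText(report)
    Call memo.Send(False)
End Sub

Sub Initialize
    Dim session As New NotesSession
    Dim dir As New NotesDbDirectory("")      ' "" = the server the agent runs on
    Dim agentDb As NotesDatabase, db As NotesDatabase
    Dim snapshot As NotesDocument
    Dim current As Variant, previous As Variant
    Dim report As String, changes As String
    Set agentDb = session.CurrentDatabase
    Set db = dir.GetFirstDatabase(DATABASE)
    Do Until db Is Nothing
        On Error Resume Next                 ' skip databases the signer cannot open
        If Not db.IsOpen Then Call db.Open("", "")
        On Error GoTo 0
        If db.IsOpen Then
            current = AclEntries(db)
            ' one profile document per file path holds the last known ACL
            Set snapshot = agentDb.GetProfileDocument(PROFILE_NAME, db.FilePath)
            If snapshot.HasItem("Entries") Then
                previous = snapshot.GetItemValue("Entries")
                changes = EntriesNotIn(previous, current, "removed or changed") & _
                    EntriesNotIn(current, previous, "added or changed")
                If changes <> "" Then report = report & db.FilePath & Chr(10) & changes
            End If
            Call snapshot.ReplaceItemValue("Entries", current)
            Call snapshot.Save(True, False)
        End If
        Set db = dir.GetNextDatabase
    Loop
    If report <> "" Then Call SendAlert(agentDb, report)
End Sub
```

Two caveats for anyone deploying something like this: the diff only covers names and access levels, so role assignments and the per-entry flags (create/delete documents, replicate or copy, and so on) would need to be appended to each serialised entry to be watched too; and the agent only sees the state at each scheduled run, so an ACL changed and reverted between runs is missed. The database holding the agent and its snapshots must itself have a tight ACL, otherwise whoever is tampering with ACLs can simply edit the stored baseline.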
 
Thanks for this... I shall put it to good use! :)
 
Hi Max

Glad to help,

I have found all versions of Domino to be very good from the security perspective when compared to the opposition. I have also found this old saying to be true.
"10% of your users cause you 90% of the problems"
This is for security aspects on your LAN and\or Domino setup; our company has about 600 employees and we would have a small handful of people who always seem to be doing the wrong thing. Some are up to no good and some users are just plain dumb and write their password on their keyboard.

Regards


David
 