
Security issue with names.nsf

Status
Not open for further replies.

spi200

IS-IT--Management
Jun 9, 2002

Our security team ran a PEN test on our Domino Web server and found that the names.nsf could be read from the web. There was only read-only access to authenticated users, however there is a great deal of detail contained in there that you would not want to be shown to other web users.
Have any of you seen this:
http://servername/names.nsf
Once you authenticate you can browse away. A user with limited rights could attempt to hack other account names such as admins etc.
Does anyone know how this can be avoided, as my application will not work unless it has "Read" to the names.nsf database.
I have checked versions from R4.6 to R6.5 and they all appear to fail in my environment.

Any help would be appreciated.


Dave.

 
That's how it's designed - once you authenticate to the server you get to see the address book.

What do you mean by "other web users"? Do you mean Internet-based users or just other web users within your network?
 
Thanks m4ilm4n

We have external customers who connect via SSL to our Domino Web Server. It's a mission-critical financial application and we would prefer that these users did not see all the details of our names.nsf. Info in names.nsf includes email addresses, group names, test users, Admin names etc. etc.
I guess if that is the way it's designed then there is not much I can do about it.

Regards


Dave
 
You could try putting your more sensitive stuff into another address book and using a cascaded names.nsf config. We put all our administrative addresses (groups, customer notification lists, et al) in a cascaded names.nsf.
 
Hi

Not sure how to cascade the names.nsf, but have cleaned up all my users and groups and assigned stronger passwords to all users.
Not sure how to set a minimum password length for web users, so if anyone knows a way let me know.
I will post a specific question for this.


Thanks

Dave.

 
My bad - in older versions of Domino (think v5) it's called cascaded address books; since v6 it's called Directory Assistance. Search for it in the Domino Admin help - there's tons of info on it (hey, if I can set it up anyone can).

For password length, in Domino 7 admin, from the People & Groups tab go to Policies/Organizational Policies. Open your root organization doc and click on Organization Security Settings. The Password Management tab has what I think you're looking for.
 