In the past I have rolled my eyes at top 10 lists. Then, about a year ago I became enthralled with the “Hamilton” soundtrack. Composer Lin-Manuel Miranda conveys the concept of duels in “Ten Duel Commandments,” listing the 10 rules of engagement. Towards the end of the musical, the list is reprised in “The World Was Wide Enough,” as Alexander Hamilton and Aaron Burr duel in 1804. So, as homage to this Broadway phenomenon – here are 10 things you need to know about Domino security.
Number One – Domino Directory Access Control List
As any Domino administrator quickly learns, the foundation of a Domino infrastructure is the Domino Directory, aka names.nsf or the public address book. Securing the Domino environment begins with ensuring the directory’s access control list is properly configured.
• Default and Anonymous access should be No Access – no exceptions
• Manager and Designer level rights should be reserved for only a select few
• Assign a User type (Person, Server, Group, etc.) to every ACL entry so that an entry can only be used by the kind of object it was created for – a Person entry cannot then be matched by a server or group of the same name
♦Tip♦ The Advanced tab of the ACL dialog box has a button called “Look up User Types for Unspecified Users”
• Set an administration server
• Other than the administration server, avoid individual user and server names – use groups
• Assign roles to provide document access
» For example, assign the GroupCreator role to an ACL entry to allow group document creation
• Conversely, withhold roles to prevent document creation – roles only ever grant, so the way to deny is to leave the role unassigned.
» For example, an entry with Create documents rights that does not hold the PolicyCreator role cannot create policy and settings documents
Once the ACL has been configured, it should remain static. Create a Domino Events document to monitor changes to the Access Control List. In the event the ACL is modified you will get an email notifying you of the change. RPR Wyatt’s Essential Tools product has a feature called ACL Enforcer. Similar to event monitoring, the ACL Enforcer notifies you of an ACL change. Also, it can reset the ACL back to the values that you have previously configured, automatically nullifying unauthorized changes.
Number Two – Understanding Full Access Administrator
Full Access Administrator provides manager access to all databases and reader access to all documents, regardless of ACL and document reader field settings – both great get out of jail free cards when administering Domino databases. This right is configured on the Security Tab of the Server Document of the directory. Those listed in the Full Access administrators field have the ability to invoke this access as needed. In order to become a Full Access administrator in the IBM Domino Administrator client select Administration – Full Access Administration.
When an administrator enables full access administration, a line like the following is written to the server’s log.nsf. This allows use of full access administration to be audited. For example, you can use RPR Wyatt’s VitalSigns tool to monitor Domino log files and report when the access has been invoked.
09/28/2017 03:08:09 PM Heather Hottenstein/RPRWyatt was granted full administrator access.
Full access administrator rights will follow the admin to databases on other servers, meaning the menu option does not have to be selected again when accessing a database on a server that is different from the one that was in focus at the time of enablement. The enhanced access can be disabled by selecting the same menu choice that was used to activate it or by closing all Notes clients on the workstation.
Finally, an interesting trivia item regarding full access administrator. It trumps deny access. Several years ago I stumbled across this when I discovered on a particular server I was in a deny access group and a group listed in the full access administrator field. Even after restarting the Domino server and rebooting my workstation, I was still able to access the server and enable the enhanced access. Sure enough, this is working as designed. So, if you have an administrator that leaves but you need to retain their person document, you will want to both add them to deny access and remove them from the corresponding group for full access administration.
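Because the grant is written to log.nsf in a fixed form, it is easy to alert on. The script below is an added example (not part of this post and not a VitalSigns feature): it parses constructed log lines shaped like the one quoted above, extracts who enabled full access administration and when, and flags any name that is not on an assumed approved list (in practice, the membership of the group named in the Full Access administrators field).

```python
import re
from datetime import datetime

# Constructed sample of log.nsf lines (not real log data). The two "was granted
# full administrator access" lines mirror the form of the line quoted above.
SAMPLE_LOG = """\
09/28/2017 03:08:09 PM Heather Hottenstein/RPRWyatt was granted full administrator access.
09/28/2017 03:09:41 PM Router: Message 00A1B2C3 delivered to Jane Doe/RPRWyatt
09/28/2017 04:12:03 PM Contractor One/RPRWyatt was granted full administrator access.
09/28/2017 04:12:05 PM HTTP Server: Started
"""

# Assumed approved list for the example. Domino names are case-insensitive,
# so comparisons below are done in lower case.
APPROVED_FULL_ACCESS_ADMINS = {"Heather Hottenstein/RPRWyatt"}

GRANT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<name>.+?) was granted full administrator access\.$"
)

def parse_grants(log_text):
    """Return (timestamp, name) for every full access administration grant in the log."""
    grants = []
    for line in log_text.splitlines():
        m = GRANT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
            grants.append((ts, m.group("name")))
    return grants

def unexpected_grants(log_text, approved=APPROVED_FULL_ACCESS_ADMINS):
    """Grants by anyone not on the approved list: the lines worth paging someone about."""
    approved_lc = {a.lower() for a in approved}
    return [(ts, name) for ts, name in parse_grants(log_text)
            if name.lower() not in approved_lc]

if __name__ == "__main__":
    for ts, name in parse_grants(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  full access enabled by {name}")
    for ts, name in unexpected_grants(SAMPLE_LOG):
        print(f"ALERT: {name} is not an approved full access administrator ({ts:%H:%M:%S})")
```

Every grant is worth recording, but the second function is the one to wire to an alert: a grant by a name outside the approved group means either the server document’s Full Access administrators field has drifted or a deny-listed administrator is still inside a group that confers the right (see the trivia item above).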
Number Three – Best Practices for assigning server rights
The server document in the directory has a multitude of fields on the security tab for assigning server rights. Probably too many, just looking at it can be overwhelming. Whether you are configuring a new server or doing a security cleanup, use the following tips when deciding what values to add.
• Always use groups. Some of these values are cached at server startup. Groups allow membership changes to take effect without a Domino restart.
• Servers are not administrators. If you have servers in any of the fields or groups listed in the Administrators section, remove them.
• Less is more. If you are unsure of what level of access to provide, err with the one that provides the lower level of access. You can always increase rights if needed.
» For example, only a select few people should be full access administrators. Everyone else who needs rights should be an ordinary administrator.
• The fields on the security tab have pop up help. Place your cursor over the field title, press the left mouse button and help text will appear. The text tends to be verbose, meaning it is truly helpful in understanding the field’s purpose.
Number Four – Help! A terminated user was able to log in using a web browser
When a user leaves, a common practice is to initially place the account in a deny list to prevent further access. How many of you have then discovered that this person can still access their email via iNotes? A common workaround is to change the Internet password in the person document following a termination. However, you can avoid this step by configuring the HTTP engine to respect the server’s access list. I am unsure why IBM has protocols by default configured to ignore the deny access list. But, you can quickly change this by going to the server document’s Ports – Internet Ports – Web tab, set Enforce server access settings to Yes and restart HTTP. The same field exists on the other Internet Ports tabs, so set it there as well if other Internet protocols such as IMAP, POP3 or LDAP are enabled. Now, you can simply place accounts in deny access to lock them out.
Number Five – Locking down the Domino Web server
If your Domino server is used for iNotes or an application web server, then you will want to ensure measures are taken to properly secure this component.
• Set Anonymous access in system databases (log.nsf, catalog.nsf, statrep.nsf, etc), mail files, and any application database that is not purposely open to all to No Access. RPR Wyatt’s Essential Tools product’s ACL Enforcer can set and enforce this setting for your Notes databases.
• Configure HTTPS, force login on HTTPS, set HTTP to redirect to HTTPS
• Set Allow HTTP clients to browse databases to No
• Enable HTTP monitoring to track web access
• Configure idle session timeout to automatically disconnect inactive sessions
• Set Enforce Internet Password Lockout to Yes to prevent unlimited attempts at password guessing
• Read the next section on Internet password security
Number Six – Internet password security
A key piece of system security is the credential pair used in the authentication process. For allowed user names, reduce the number of possible options by setting the Internet authentication field to Fewer name variations with higher security. While Domino’s security settings document allows for controlling the complexity and expiration of the Notes ID’s password, there is not a native method for the Internet password. If you are fortunate enough to have all users on Lotus Notes, then you can take advantage of the security settings document’s advanced settings and configure the Internet password to change when the Notes ID password changes.
Additionally, enhance the security of Internet password storage. This is done by editing the Domino Directory Profile document and, for Use more secure Internet Passwords, selecting Yes – Password verification compatible with Notes/Domino release 8.0.1 or greater. Now, Internet passwords will be stored as a salted hash, so an attacker who obtains the stored values cannot use a precomputed lookup and must attack each password individually. Note – the setting only changes how new values are written; you will need to refresh the existing People documents to have the enhanced hash take effect, and it is worth verifying afterwards that no documents were missed.
Finally, you can force the user to change their Internet password by selecting Person documents – Actions – Set Password fields and set Force User to Change Internet Password on Next Login to Yes. Similarly, you can use this action anytime you may want to force password change or believe a password has been compromised.
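A quick way to confirm the refresh actually reached everyone is to check the format of each Person document’s stored HTTPPassword value. The script below is an added example, not something from this post or from IBM: it classifies a value by the prefix conventions the three storage formats use (bare 32-character hex for the unsalted format, a leading “(G” for the salted format compatible with 4.6 or greater, a leading “(H” for the more secure format compatible with 8.0.1 or greater) and lists who still needs upgrading. The Person records and hash strings are constructed for the example; only the prefix and the hex length are assumed, not the exact length of the salted forms.

```python
import re

# Storage formats Domino writes to the HTTPPassword item of a Person document.
# Only the prefix is relied on for the salted forms; the exact length is not.
LEGACY_UNSALTED = re.compile(r"^[0-9A-Fa-f]{32}$")   # Use more secure Internet Passwords = No
SALTED_46 = re.compile(r"^\(G[^()]+\)$")             # Yes - compatible with 4.6 or greater
SALTED_801 = re.compile(r"^\(H[^()]+\)$")            # Yes - compatible with 8.0.1 or greater

# Ordering used to decide whether a stored value is weaker than the required format.
STRENGTH = {"unknown": -1, "none": 0, "unsalted": 1, "salted-4.6": 2, "salted-8.0.1": 3}

def classify(http_password):
    """Name the storage format of one HTTPPassword value."""
    value = (http_password or "").strip()
    if not value:
        return "none"
    if LEGACY_UNSALTED.match(value):
        return "unsalted"
    if SALTED_46.match(value):
        return "salted-4.6"
    if SALTED_801.match(value):
        return "salted-8.0.1"
    return "unknown"

# Constructed Person-document extract. The hash strings are made up in the shape
# of each format and are not real credentials.
SAMPLE_PEOPLE = [
    {"FullName": "CN=Jane Doe/O=RPRWyatt", "HTTPPassword": "355E98E7C7B59BD810ED845AD0FD2FC4"},
    {"FullName": "CN=John Roe/O=RPRWyatt", "HTTPPassword": "(GaB3cD4eF5gH6iJ7kL8mN)"},
    {"FullName": "CN=Ann Poe/O=RPRWyatt",
     "HTTPPassword": "(HaB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV3wX4yZ5aB6cD7eF8)"},
    {"FullName": "CN=Svc Acct/O=RPRWyatt", "HTTPPassword": ""},
]

def needs_upgrade(people, required="salted-8.0.1"):
    """Return (FullName, format) for everyone whose stored hash is weaker than `required`
    or unrecognised. People with no Internet password are skipped: nothing to re-hash."""
    floor = STRENGTH[required]
    findings = []
    for person in people:
        fmt = classify(person.get("HTTPPassword"))
        if fmt != "none" and STRENGTH[fmt] < floor:
            findings.append((person["FullName"], fmt))
    return findings

if __name__ == "__main__":
    for name, fmt in needs_upgrade(SAMPLE_PEOPLE):
        print(f"{name}: stored as {fmt}, refresh the Person document")
```

Run it over an export of the People view (FullName and HTTPPassword are enough) after the refresh; any name it returns is a document that still holds the old format and is the first thing a dumped names.nsf would be cracked against.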
Number Seven – How to avoid SMTP pitfalls
Configure a Domino server to be an SMTP server without any security and more than likely it will quickly wind up on a black list for relaying spam. Prevent unauthorized SMTP usage, reduce spam, and prevent malware attacks by using the following settings in the server’s configuration document.
• Reduce the number of valid email addresses by setting the Address Lookup field to Fullname only
• On the Router/SMTP – Restrictions and Controls – SMTP Inbound Controls tab, use the fields in the Inbound Relay Controls and Inbound Relay Enforcement sections to prevent being an open relay. Specifically, as a best practice the Deny messages to be sent to the following external internet domains and Deny messages from the following internet hosts to be sent to external internet domains fields should be set to *, which means no systems are allowed to relay through the Domino server. Any internal system that legitimately must relay outbound mail (an application server, for instance) is then listed explicitly in the allow or exclusion fields of the same sections rather than by loosening the * entries.
• Use the Verify connecting hostname in DNS and Verify sender’s domain in DNS fields to ensure your server is only accepting emails from valid systems.
• Use the Verify that local domain recipients exist in the Domino Directory field to reject email that is not intended for one of your users.
• While effective, the Verify fields do cause overhead during SMTP chat sessions. Consider placing an SMTP inbound proxy in front of your Domino server that can perform these functions. Once a proxy is in place, configure it in the Allow connections only from the following SMTP internet hostnames/IP addresses field to deny connections from all other SMTP systems.
• While auto forwarding of emails via a user mail rule can be helpful in business continuity when a person is out of the office, it does allow for someone to auto forward emails to external email addresses. Set User rules mail forward to Disabled to prevent this from happening.
• Configure a server mail rule to prevent zip, exe and other potentially harmful files from reaching your users.
Number Eight – Securing Traveler connected devices
Bring your own device has been adopted by organizations as a way of allowing people to use technology they prefer. However, being that IT may never see these devices it is important to configure server side rules that control them.
• In the server document use the Access server field of the Lotus Traveler tab to define who can access the server via Traveler
• In the directory configure a Traveler settings document to control data synchronization, device logging, and device settings – at a minimum require device passwords
• In the IBM Traveler database (lotustraveler.nsf) use the action buttons available in the Device Security view to deny access and clear corporate data from devices that belong to terminated employees
Number Nine – Lurking third party products
If you have inherited a Domino environment, it is important to know what third party tools were previously installed on the servers. Add-in products can be very powerful – they run at the API level, they can potentially transfer data with an external system and they can circumvent security. In the directory, review the configured program documents to determine if any are running. Similarly, third party programs can be started via the ServerTasks line of the server’s notes.ini, or scheduled via the ServerTasksAt<hour> lines (ServerTasksAt1, ServerTasksAt2, and so on). If there are third party tools present, understand what they are doing and ensure they are still providing value.
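The notes.ini check is easy to automate across a server estate. The script below is an added example (not from this post or from IBM) that parses a constructed notes.ini, lists every task named on ServerTasks and the ServerTasksAt<hour> lines, and reports the ones that are not in an assumed list of tasks that ship with Domino. It goes one step beyond the text and also reads EXTMGR_ADDINS, the notes.ini variable that loads extension manager libraries into the server process at startup, since that is another way an add-in product hooks the server at the API level. The built-in task list is partial and should be extended to match the release in use; the third-party task and add-in names are invented.

```python
import re

# Tasks that ship with Domino. Assumed, partial list for the example: extend it
# to match the release you run before trusting the "unknown" report.
BUILTIN_TASKS = {
    "update", "replica", "router", "amgr", "adminp", "calconn", "sched", "http",
    "ldap", "rnrmgr", "maps", "event", "stats", "collect", "compact", "updall",
    "fixup", "catalog", "design", "statlog", "dircat", "daosmgr", "traveler",
    "imap", "pop3", "smtp", "cldbdir", "clrepl",
}

# Constructed sample notes.ini (not from a real server). "ThirdPartyMon",
# "ExtSync" and "acme_hook" are invented names standing in for add-in products.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=D:\\IBM\\Domino\\data
ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP,LDAP,ThirdPartyMon
ServerTasksAt1=Catalog,Design
ServerTasksAt2=UpdAll,Compact -b
ServerTasksAt5=Statlog,ExtSync -full
EXTMGR_ADDINS=acme_hook
"""

TASK_KEY_RE = re.compile(r"^servertasks(at\d{1,2})?$")

def parse_notes_ini(text):
    """Return {key: value} for every key=value line. notes.ini keys are case-insensitive,
    so they are stored in lower case; the [Notes] header and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def task_launch_points(text):
    """Return (notes.ini key, task name) for every task started at boot or on a schedule."""
    launches = []
    for key, value in parse_notes_ini(text).items():
        if TASK_KEY_RE.match(key):
            for entry in value.split(","):
                entry = entry.strip()
                if entry:
                    # "Compact -b": the task name is the first token, the rest are arguments
                    launches.append((key, entry.split()[0]))
    return launches

def unknown_tasks(text, builtin=BUILTIN_TASKS):
    """Tasks not in the built-in list, sorted by task name, with the line that starts them."""
    return sorted((task, key) for key, task in task_launch_points(text)
                  if task.lower() not in builtin)

def extension_manager_addins(text):
    """Libraries loaded via EXTMGR_ADDINS; each one hooks Domino API calls in-process."""
    value = parse_notes_ini(text).get("extmgr_addins", "")
    return [addin.strip() for addin in value.split(",") if addin.strip()]

if __name__ == "__main__":
    for task, key in unknown_tasks(SAMPLE_NOTES_INI):
        print(f"unrecognised task {task} started from {key}")
    for addin in extension_manager_addins(SAMPLE_NOTES_INI):
        print(f"extension manager add-in loaded at startup: {addin}")
```

Pair the output with the program documents reviewed in the directory: between the two you have the complete list of code the server starts on its own, and anything on it that nobody can name an owner for is a candidate for removal.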
Number Ten – Who is doing what in Domino?