Domino Server Security – There are 10 Things You Need to Know

In the past I have rolled my eyes at top 10 lists. Then, about a year ago, I became enthralled with the “Hamilton” soundtrack. Composer Lin-Manuel Miranda conveys the concept of duels in “Ten Duel Commandments,” listing the 10 rules of engagement. Towards the end of the musical, the list of 10 is reprised in “The World Was Wide Enough,” as Alexander Hamilton and Aaron Burr duel in 1804. So, as homage to this Broadway phenomenon – here are 10 things you need to know about Domino security.

Number One – Domino Directory Access Control List

As any Domino administrator quickly learns, the foundation of a Domino infrastructure is the Domino Directory, aka names.nsf or the public address book. Securing the Domino environment begins with ensuring the directory’s access control list is properly configured.

• Default and Anonymous access should be No Access – no exceptions
• Manager and Designer level rights should be reserved for only a select few
• Assign User type for ACL entries to prevent rogue access

♦Tip♦ The Advanced tab of the ACL dialog box has a button called “Look up User Types for Unspecified Users”

• Set an administration server
• Other than the administration server, avoid individual user and server names – use groups
• Assign roles to provide document access
          » For example, assign the GroupCreator role to an ACL entry to allow group document creation
• Conversely, do not assign roles to prevent document access.
          » For example, do not assign the PolicyCreator role to prevent an entry with Create documents rights from creating policy and settings documents

Once the ACL has been configured, it should remain static. Create a Domino Events document to monitor changes to the Access Control List. In the event the ACL is modified you will get an email notifying you of the change. RPR Wyatt’s Essential Tools product has a feature called ACL Enforcer. Similar to event monitoring, the ACL Enforcer notifies you of an ACL change. Also, it can reset the ACL back to the values that you have previously configured, automatically nullifying unauthorized changes.

Number Two – Understanding Full Access Administrator

Full Access Administrator provides manager access to all databases and reader access to all documents, regardless of ACL and document reader field settings – both great get out of jail free cards when administering Domino databases. This right is configured on the Security tab of the Server document in the directory. Those listed in the Full Access administrators field have the ability to invoke this access as needed. To become a Full Access administrator in the IBM Domino Administrator client, select Administration – Full Access Administration.

When an administrator enables full access administration, a line like the following is written to the server’s log.nsf. This allows the use of full access administration to be audited. For example, you can use RPR Wyatt’s VitalSigns tool to monitor Domino log files and report when the access has been invoked.

09/28/2017 03:08:09 PM Heather Hottenstein/RPRWyatt was granted full administrator access.

Full access administrator rights will follow the admin to databases on other servers, meaning the menu option does not have to be selected again when accessing a database on a server that is different from the one that was in focus at the time of enablement. The enhanced access can be disabled by selecting the same menu choice that was used to activate it or by closing all Notes clients on the workstation.

Finally, an interesting trivia item regarding full access administrator. It trumps deny access. Several years ago I stumbled across this when I discovered on a particular server I was in a deny access group and a group listed in the full access administrator field. Even after restarting the Domino server and rebooting my workstation, I was still able to access the server and enable the enhanced access. Sure enough, this is working as designed. So, if you have an administrator that leaves but you need to retain their person document, you will want to both add them to deny access and remove them from the corresponding group for full access administration.
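A sketch of the audit described above, as an added example (not RPR Wyatt's or IBM's code): it scans text exported from log.nsf for the "was granted full administrator access" line and flags grants to names outside an approved list, and separately grants to names on a deny list, since full access trumps deny access. The line format follows the entry quoted above; the names, both lists and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime

# Line format follows the log.nsf entry quoted in the article.
GRANT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<name>.+?) was granted full administrator access\.\s*$"
)

def canon(name):
    """Normalise a Notes name for comparison (case and spacing only)."""
    return "/".join(part.strip().lower() for part in name.split("/"))

def audit_full_access(lines, approved, denied):
    """Return (timestamp, name, reason) for each grant that needs review.

    approved: names expected to invoke full access (assumption: a list you
              maintain, mirroring the Full Access administrators group).
    denied:   names currently in a deny access group.
    """
    approved = {canon(n) for n in approved}
    denied = {canon(n) for n in denied}
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # unrelated log entry
        when = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        who = canon(m["name"])
        if who in denied:
            reason = "denied user invoked full access"
        elif who not in approved:
            reason = "not on approved list"
        else:
            continue  # expected administrator
        findings.append((when.isoformat(), m["name"], reason))
    return findings

# Constructed sample lines; names and organisation are hypothetical.
SAMPLE_LOG = [
    "10/02/2017 09:14:51 AM Alex Admin/ExampleOrg was granted full administrator access.",
    "10/02/2017 09:15:02 AM Router: No messages transferred to MAIL02/ExampleOrg",
    "10/03/2017 11:47:30 PM Former Admin/ExampleOrg was granted full administrator access.",
    "10/04/2017 02:05:13 PM Help Desk/ExampleOrg was granted full administrator access.",
]

if __name__ == "__main__":
    for f in audit_full_access(SAMPLE_LOG, ["Alex Admin/ExampleOrg"],
                               ["Former Admin/ExampleOrg"]):
        print(*f, sep=" | ")
```

A finding with the reason "denied user invoked full access" means the account is still in a full access administrators group and needs to be removed from it.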

Number Three – Best Practices for assigning server rights

The server document in the directory has a multitude of fields on the security tab for assigning server rights. Probably too many; just looking at it can be overwhelming. Whether you are configuring a new server or doing a security cleanup, use the following tips when deciding what values to add.

• Always use groups. Some of these values are cached at server start up. Groups allow changes to be made without a Domino reboot.
• Servers are not administrators. If you have servers in any of the fields or groups listed in the Administrators section, remove them.
• Less is more. If you are unsure of what level of access to provide, err with the one that provides the lower level of access. You can always increase rights if needed.
          » For example, only a few select people should be full access administrators. Others should be administrators.
• The fields on the security tab have pop up help. Place your cursor over the field title, press the left mouse button and help text will appear. The text tends to be verbose, meaning it is truly helpful in understanding the field’s purpose.

Number Four – Help! A terminated user was able to log in using a web browser

When a user leaves, a common practice is to initially place the account in a deny list to prevent further access. How many of you have then discovered that this person can still access their email via iNotes? A common workaround is to change the Internet password in the person document following a termination. However, you can avoid this step by configuring the HTTP engine to respect the server’s access list. I am unsure why IBM has protocols by default configured to ignore the deny access list. But you can quickly change this: go to the server document’s Ports – Internet Ports – Web tab, set Enforce server access settings to Yes, and restart HTTP. Now, you can simply place accounts in deny access to lock them out.

Number Five – Locking down the Domino Web server

If your Domino server is used for iNotes or an application web server, then you will want to ensure measures are taken to properly secure this component.

• Set Anonymous access to No Access in system databases (log.nsf, catalog.nsf, statrep.nsf, etc), mail files, and any application database that is not purposely open to all. RPR Wyatt’s Essential Tools product’s ACL Enforcer can set and enforce this setting for your Notes databases.
• Configure HTTPS, force login on HTTPS, set HTTP to redirect to HTTPS
• Set Allow HTTP clients to browse databases to No
• Enable HTTP monitoring to track web access
• Configure idle session timeout to automatically disconnect inactive sessions
• Set Enforce Internet Password Lockout to Yes to prevent unlimited attempts at password guessing
• Read the next section on Internet password security

Number Six – Internet password security

A key piece of system security is the credential pair used in the authentication process. For allowed user names, reduce the number of possible options by setting the Internet authentication field to Fewer name variations with higher security. While Domino’s security settings document allows for controlling the complexity and expiration of the Notes ID’s password, there is no native method for doing so for the Internet password. If you are fortunate to have all users on Lotus Notes, then you can take advantage of the security document’s advanced settings and configure the Internet password to change when the Notes ID password changes.

Additionally, enhance the security of Internet password storage. This is done by editing the Domino Directory Profile document and for Use more secure Internet Passwords select Yes – Password verification compatible with Notes/Domino release 8.01 or greater. Now, Internet passwords will be stored in a unique hashed value, preventing dictionary hacks against the stored password. Note – you will need to refresh the People documents to have the enhanced hash take effect.

Finally, you can force the user to change their Internet password by selecting Person documents – Actions – Set Password fields and setting Force User to Change Internet Password on Next Login to Yes. Similarly, you can use this action anytime you want to force a password change or believe a password has been compromised.

Number Seven – How to avoid SMTP pitfalls

Configure a Domino server to be an SMTP server without any security and more than likely it will quickly wind up on a black list for relaying spam. Prevent unauthorized SMTP usage, reduce spam, and prevent malware attacks by using the following settings in the server’s configuration document.

• Reduce the number of valid email addresses by setting the Address Lookup field to Fullname only
• On the Router/SMTP – Restrictions and Controls – SMTP Inbound Controls tab, use the fields in the Inbound Relay Controls and Inbound Relay Enforcement sections to prevent being an open relay. Specifically, as a best practice the “Deny messages to be sent to the following external internet domains” and “Deny messages from the following internet hosts to be sent to external internet domains” fields should be set to *, which means no systems are allowed to relay through the Domino server.
• Use the Verify connecting hostname in DNS and Verify sender’s domain in DNS fields to ensure your server is only accepting emails from valid systems.
• Use the Verify that local domain recipients exist in the Domino Directory field to reject email that is not intended for one of your users.
• While effective, the Verify fields do cause overhead during SMTP chat sessions. Consider placing an SMTP inbound proxy in front of your Domino server that can perform these functions. Once a proxy is in place, configure it in the Allow connections only from the following SMTP internet hostnames/IP addresses field to deny connections from all other SMTP systems.
• While auto forwarding of emails via a user mail rule can be helpful in business continuity when a person is out of the office, it does allow for someone to auto forward emails to external email addresses. Set User rules mail forward to Disabled to prevent this from happening.
• Configure a server mail rule to prevent zip, exe and other potentially harmful files from reaching your users.

 

Number Eight – Securing Traveler connected devices

Bring your own device has been adopted by organizations as a way of allowing people to use technology they prefer. However, because IT may never see these devices, it is important to configure server side rules that control them.

• In the server document use the Access server field of the Lotus Traveler tab to define who can access the server via Traveler
• In the directory configure a Traveler settings document to control data synchronization, device logging, and device settings – at a minimum require device passwords
• In the IBM Traveler database (lotustraveler.nsf) use the action buttons available in the Device Security view to deny access and clear corporate data from devices that belong to terminated employees

Number Nine – Lurking third party products

If you have inherited a Domino environment, it is important to know what third party tools were previously installed on the servers. Add-in products can be very powerful – they run at the API level, they can potentially exchange data with an external system, and they can circumvent security. In the directory, review the configured program documents to determine if any are running. Similarly, third party programs can be started via the ServerTasks or ServerTasksAtx lines of the server’s notes.ini. If there are third party tools present, understand what they are doing and ensure they are still providing value.
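One way to run the notes.ini part of that review, as an added example that is not from the original post: it reads the ServerTasks line and every ServerTasksAt line followed by one or two digits, and lists each task whose program name is not in a baseline you approve. The baseline set, the sample notes.ini excerpt and the task names "acmesync" and "xferagent" are constructed assumptions; program documents in the directory are not covered.

```python
import re

# Assumption: the tasks you expect on this server. The entries below are
# common Domino server tasks; replace them with your own approved list.
BASELINE = {"update", "replica", "router", "amgr", "adminp", "calconn",
            "sched", "http", "catalog", "design", "updall", "statlog",
            "object", "traveler"}

# Matches "ServerTasks=" and "ServerTasksAt<digits>=" (case-insensitive).
KEY_RE = re.compile(r"^(ServerTasks(?:At\d{1,2})?)\s*=\s*(.*)$", re.IGNORECASE)

def unexpected_tasks(ini_text, baseline=BASELINE):
    """Return (notes.ini key, task entry) pairs not covered by the baseline."""
    hits = []
    for raw in ini_text.splitlines():
        m = KEY_RE.match(raw.strip())
        if not m:
            continue  # some other notes.ini setting
        key, value = m.groups()
        for entry in value.split(","):
            entry = entry.strip()
            if not entry:
                continue
            program = entry.split()[0].lower()  # ignore task arguments
            if program not in baseline:
                hits.append((key, entry))
    return hits

# Constructed notes.ini excerpt; "acmesync" and "xferagent" are made-up names.
SAMPLE_INI = """\
[Notes]
Directory=/local/notesdata
ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP,acmesync
ServerTasksAt1=Catalog,Design
ServerTasksAt2=UpdAll,Object Collect mailobj.nsf
ServerTasksAt3=xferagent -push
ServerTasksAt5=Statlog
"""

if __name__ == "__main__":
    for key, entry in unexpected_tasks(SAMPLE_INI):
        print(f"{key}: review '{entry}'")
```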

Number Ten – Who is doing what in Domino?

While log file data in Domino is reactive administration, it does provide a method for discovering who has performed actions in the system. Natively, Domino servers write to the log.nsf database. The Usage by User and Usage by Database views allow you to see what activities have occurred. Similarly, when enabled, the domlog.nsf database records web browser connections, letting you know what IP addresses have connected, what users have authenticated and what resources were requested. If you have one Domino server that is moderately used, then manually reading the log files is doable. However, reading log files is boring, most of us are too busy, and on busy servers there is simply too much data. Use event monitoring, Domino Domain Monitoring or consider a third party tool like RPR Wyatt’s VitalSigns to automatically review the log files and send you notifications about the stuff that matters.

 


Sign up for my webinar on November 16th to get a first hand view of how to perform the configurations above and many more


2 thoughts on “Domino Server Security – There are 10 Things You Need to Know”

  1. Why does “Enforce server access settings” default to “No”? Here is my guess. Back in the days when Lotus released full periodic upgrades of Notes/Domino, major releases would include changes in the On-disk Structure of the NSF file to accommodate new features. Early on in the product’s history, the ODS of databases would be automatically updated at or soon after the installation of the new version of the product. Customers didn’t much like this because it introduced uncertainty – they feared that new features might disable existing apps in unpredictable ways. So at some point (version 5? 6?) Lotus responded by changing their new feature roll-out policy such that all new features (or perhaps only ones that had potentially far reaching or unpredictable results in customer environments) would be disabled at roll-out. Customers would have to decide if and when to enable the features. Thus was born the “create_rX_databases” notes.ini variable, among other things. And I’ve always assumed the default disablement of server access settings in HTTP resulted from the same policy.
