When I started working with Lotus Notes in 1994, there was only the Lotus Notes client in the client-server model. The majority of the workstations were located in the same geographical location, on the same LAN as the server, and remote users were also Lotus Notes clients that dialed in to the server via a modem. For the most part, security was a non-issue. Fast forward to the modern day and, oh boy, did things get complicated. The explosion of the Internet, globally dispersed organizations, and mobile technology has certainly expanded the concept of a Notes user and their points of entry.
First, of course, there is the old-fashioned Notes client. A good place to start is to understand where the workstations reside and what networks they are using to access the Domino system. Are there laptops that travel to various locations? Are the end users using public WiFi? Is a VPN solution available and used? Even a workstation that always resides in a secure office probably accesses the Internet and opens email attachments. So, even with a basic Notes client, you need to consider multiple security options. As a best practice, consider the following common-sense measures.
• Workstations should be configured to have the Notes password lock after a period of inactivity in order to prevent unauthorized access
• Encrypt local replicas of server based databases
♦ Note: Accomplish the above two with a Desktop settings document
• Encrypt the server’s TCP/IP port(s) to encrypt server-client traffic
• Strive for remote access to begin with a VPN connection to the network rather than opening port 1352 through the firewall
• Every workstation should have anti-virus software
• Consider using a third party tool to inventory and configure workstations
• Work with the PC team to secure the local OS
Moving past the Notes client, you need to understand the various other access points, including internet browsers (which can quite literally be any computer, tablet, or smartphone in the world), Traveler devices, IMAP, POP3, LDAP, and SMTP. Security concepts for each of these were introduced in the first blog article in my Domino Security Series. I cannot stress enough how important it is to cement these configurations and reduce risk. Implement logging to know who is doing what, and deny access lists to prevent lurking. Also, if you have a Domino system that has been around for a while, it is possible that some of these are no longer needed. Review the Domino servers to determine what services and protocols are configured, and then verify they are still being used. A very simple step in security is reducing access points. Just by removing IMAP and POP3 from the configuration, you can include on your weekly status report to your boss that you increased the security of your server.
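One way to run that review, as an added example that is not part of the original post: the script reads the `ServerTasks` line from a server's notes.ini and flags each enabled access point that has no observed sessions. The notes.ini sample, the session counts (assumed to come from your own logging), and the function names are all constructed for illustration.

```python
import re

# Domino task name (as written in ServerTasks) -> access point it exposes.
INTERNET_TASKS = {"http": "HTTP", "imap": "IMAP", "pop3": "POP3",
                  "ldap": "LDAP", "smtp": "SMTP", "traveler": "Traveler"}

# Constructed sample, not taken from a real server.
SAMPLE_NOTES_INI = """\
[Notes]
ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP,IMAP,POP3,LDAP,SMTP
ServerTasksAt2=Catalog,Design
"""
# Constructed 30-day session counts an administrator would pull from logging.
SAMPLE_SESSIONS = {"HTTP": 1840, "SMTP": 9312, "LDAP": 27}

def server_tasks(notes_ini_text):
    """Task names from ServerTasks= lines (scheduled ServerTasksAtN lines are skipped)."""
    tasks = []
    for line in notes_ini_text.splitlines():
        m = re.match(r"\s*ServerTasks\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            for entry in m.group(1).split(","):
                if entry.strip():
                    # Keep only the task name; drop any arguments after it.
                    tasks.append(entry.split()[0].lower())
    return tasks

def audit(notes_ini_text, sessions):
    """Return (protocol, session_count, verdict) for each enabled access point."""
    findings = []
    for task in server_tasks(notes_ini_text):
        proto = INTERNET_TASKS.get(task)
        if proto:
            count = sessions.get(proto, 0)
            verdict = "in use" if count else "no observed use, review for removal"
            findings.append((proto, count, verdict))
    return findings

def unused_protocols(notes_ini_text, sessions):
    return [p for p, count, _ in audit(notes_ini_text, sessions) if count == 0]

if __name__ == "__main__":
    # Caveat: tasks loaded from Program documents or the console are not
    # listed in ServerTasks, so check those separately.
    for proto, count, verdict in audit(SAMPLE_NOTES_INI, SAMPLE_SESSIONS):
        print(f"{proto:<8} {count:>6}  {verdict}")
```

With the constructed inputs, IMAP and POP3 are the two enabled access points with no sessions, which matches the removal candidates named above.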
When it comes to security, there is the ultimate secure system that was secured with an unlimited budget and dropped in the Mariana Trench. And then there is reality, where financial resources are limited and users actually do use the system. Security becomes a balancing act: what can be done, and what makes sense with the resources available. As we have discussed in this blog series, there are many Domino and Notes configuration settings that can be implemented at no cost to you. Taking the time to implement these can greatly improve the security and integrity of your Domino system. Good luck!
This is the final post in my Domino Security Series. Be sure to sign up for my webinar on November 16th for a deeper dive into Domino security configurations.