The Domino and Notes security model is rooted in its ID files, formidable keys that are unique to each Domino installation. The loss or compromise of any Notes ID results in a recovery process, especially time consuming if that ID happens to be an Organization or Organizational Unit certificate. Properly storing and maintaining your Notes certifier, user and server IDs will reduce the risk of having to go through a recovery process.
Don’t raise your hand, but how many of you have your Domino’s O or OU certifier on your C drive that you use to register new users? While this is convenient, it is far from a security best practice. These IDs are literally the keys to the kingdom and need to be protected. At a minimum begin using Domino’s Certificate Authority to register, re-certify and rename users. Now, the CA acts as a proxy to the certifiers and you can remove them from your computer’s disk. Be sure to keep back up copies of the certifiers in a secure location – ie on a USB flash drive in a safe. These back up copies should have multiple, complex passwords.
Like the certifier IDs, steps need to be taken to secure server and user ID files. If you are not already using the ID Vault, I cannot stress how important it is you start doing so today. The ID Vault is a living copy of the user’s ID file. I know many Domino administrators store a copy of the user ID on a secure network drive, and the ID either has a generic password or uses a known algorithm. Security issues aside, a problem with this approach is the IDs become outdated as renames and recertifications happen. With the ID Vault the ID is updated as these occur. And, they are stored in an encrypted format, enveloped with Domino security settings. Secure your IDs and free up your time spent bailing out users forgetting passwords or crashing hard drives by implementing an ID Vault. Also, be sure to follow IBMs best practices for ID Vault security.
Pssssst…. The Password is….
Another important piece regarding the security of an ID is the password. The Security Settings document as part of Policy architecture provides a multitude of ways to enforce password rules. First, you can configure password expiration, meaning that the password has to be changed on a regular basis. Note: this does require that password checking be configured on the user’s mail server via its server document For the Notes ID file you can set many requirements for the password by selecting the Use Custom Password Policy for Notes Clients. Once this box is checked a Custom Password Policy tab appears. Here, you can define rules for the password, i.e. the number of letters, numbers, special characters, etc. Just remember the reality of users being able to actually remember and type their passwords when selecting options.
The Security Settings document also contains a tab called Keys and Certificates. As Domino has matured as a product, so has the strength of the Notes ID. When a value is defined in the Minimum allowable key strength field, any user ID that has a weaker strength will be rolled over. And by using adminp, this becomes seamless to the user community. The native IBM Domino Administration help database provides the details for how to do the roll over in your environment.
Going back to the server document, the Security tab contains the Compare public keys field, which verifies public keys on ID files. For example, Jim Engle dropped his laptop in his swimming pool and nothing could be retrieved from the hard drive. Because there was no back up of his ID file, the admin created a new ID for him. However, the admin did not know that the public key in the ID file needed to be exported and copied to Jim’s person document. While this is a relatively harmless case of how public keys become mismatched, a malicious example would be if someone created an ID file of the HR director to review confidential information stored in Domino databases. Hence, blocking ID files with mismatched public keys is a way of preventing rogue IDs from accessing your Domino servers.
Don’t Forget About Server IDs….
And last, a public service announcement regarding Server IDs. As probably most of us have done, the Domino server ID has had its password cleared in order to allow for the Domino server to start automatically – because who really wants to log in at 2 AM and enter a password. Trust me – I completely get it and admit servers under my control do not have ID passwords. And while this is another necessary convenience, it does create a security hole. Consider using BCC’s DominoProtect product to allow auto reboots with a password protected server ID.
Want to be notified about upcoming blogs from the Domino Security Series? Enter you email below!
Sign up for my webinar on November 16th to get a first hand view of how to perform the configurations above and many more
RPR Wyatt Product Portfolio
|VitalSigns||Essential Tools||Essential Agent Master||Essential Frameworks|
|VitalSigns™ is a server monitoring tool for collaboration and messaging infrastructures, optimized for enterprise environments, that constantly checks the status of every server or service your email users depend on. When it detects a problem, it sends an alert to the appropriate person. While VitalSigns is running it also captures performance statistics that can be used to produce reports and graphs to share with colleagues.||
Essential Tools (ET) is an robust, Beacon award-winning server-based Domino Administration tool designed to assist Domino administrators perform their tasks significantly more efficiently and also allow them to fulfill certain tasks that the infrastructure did not allow them to do so before. The robustness of ET stems from the basic architectural fact that the Domino Infrastructure information is collected in a centralized single point.
|Essential Agent Master (EAM) is a Domino agent monitoring and management application. Designed to run on single or multiple Domino servers, Essential Agent Master collects detailed agent information on configuration settings and execution specifics, provides notification of key agent failures, and allows control of end-user created Domino agents.||The Essential Framework (EF) enables administrators to take over and complete tasks that normally require a developer or development. By leveraging one document and one agent, administrators have the ability to pull data from any source and manipulate it into eye pleasing charts and graphs. Reports are constructed through an iterative process in a web browser or in your preferred reporting mechanism.|