Security Basics mailing list archives
RE: Lotus Notes Security
From: "Ferino Mardo" <RMardo () ALJOMAIHBEV com>
Date: Mon, 2 Aug 2004 15:41:56 +0300
In addition, if I recall correctly one can prevent the administrator from looking at the user's files from the server by removing some default settings in Domino. But you have to be aware that restoring or resetting the password would be very difficult. Well at least that's how I remembered it in R4. 2cents.
-----Original Message-----
From: roger.smith () calyonfinancial com [mailto:roger.smith () calyonfinancial com]
Sent: Thursday, July 29, 2004 4:48 PM
Subject: Re: Lotus Notes Security

I preface this post by saying I am not a Notes Admin but having done numerous audits and forensic investigations on compromised Notes platforms I am comfortable with these statements. However, I don't mind being enlightened by more knowledgeable experts!

You have a big challenge. Subject areas of concern:

1) Managing ID files and passwords.
2) Encryption
3) iNotes remote access - (eventually everyone wants remote access)

Controlling the ID file and Password is rarely addressed properly. Regardless of roaming IDs or client held IDs the ID file is created and given a password ...normally by a Notes Admin - but I would strongly advise against having one person/group do both tasks of creating the ID and assigning the password.

The password is associated with the Notes ID file. Authentication is with the ID file - not a server. There can be more than one copy of the ID file for any person. Each copy can have a different password or they can all have the same password. If a user has multiple computers - Home, work, London, Paris the user can have an ID file on each PC each with a different password. If the user changes their password on one PC it won't synch to the other PCs and it won't affect the ability of the user to logon with another copy of the ID file. This is very important to note: Each copy is independent of the others.

The Notes Admin will know the password of the copy he created for you. He can, and often does, copy the ID file for himself ("safekeeping") and sends a copy to the end user informing him of the password he set. Actually, the Admin should have a copy of the ID file (but not know the password) in case the end user loses or corrupts his copy. The ID file is a key file that uniquely links the holder to their Notes files and databases. If the ID File is lost or corrupted the user can't access mail or anything.

Knowing all that...consider this typical administration scenario:

Admin has access to every ID and knows the password to every ID...after all he is the creator! The Admin keeps a copy and a log of every ID / password he creates for users (in case the end user forgets their password). At any time the admin has the full ability to BECOME THE USER and almost without detection. On a single diskette the Admin can walk the planet with hundreds or thousands of ID files. The admin can mass mail ID files with passwords all over the company and then all people will be compromised and everyone will then need a new ID file created - a VERY BIG BIG MESS! I don't know of a Disaster Recovery plan to handle this.

UNLIKE WINDOWS OR UNIX - to remedy a compromised password the user just changes their password and the hacker has to start all over again. In Notes - the user can't do anything short of having the old ID file replaced with a new ID file. That will cause the user's mail file to be inaccessible...causing the user to start over. Additionally - if your company is going to build hundreds of "mission critical" applications then you have to deal with Access Control for the user that just had his old ID file purged from the directory.

We have found admins using copied ID files to read the mail of executives and others almost without detection.

An ID Management Solution:

One solution of securely managing IDs is for two parties to be involved in the creation of the ID. Perhaps the Notes admin and a representative from HR. The Notes admin will generate the ID and HR will create (a unique password) and hold the password. HR can inform the user of the initial password and the Notes admin can deliver it. That way no one person or group has both the ID and password in their possession except the end user.

Occasionally the Notes Admin will argue they need the user's password to diagnose problems blah blah blah... I say BS to that. They can cooperate with the user to diagnose problems.....

Encryption:

If your users require encrypted content with people outside your Notes domain you will need to employ an S/MIME solution. That entails managing some keys that Notes does easily.....when you know how.....just find someone who knows how to do it well and you'll be fine. Don't let the inmates run your S/MIME asylum. You may have regulatory requirements to be able to monitor mail content. If you're not managing the encryption then you may find yourself unable to meet regulatory requirements.

iNotes:

Don't do it unless YOU can secure the remote PC or if you don't care about what is divulged. Temp files, attachments are left on the remote PC. VPN / SSL VPN products claim to clean up temp directories and they do an excellent job........in a normal disconnect. If the connection drops or the remote PC hangs the VPN won't help you clean up anything. From my research they do nothing to guard against spyware, key loggers and whatever else may be on hotel kiosks.

I would look at Blackberry for Domino for remote email users. It's about as secure from end to end as anything I've seen. You can control the end user device security to a large degree and it's relatively cheap.

Roger Smith

Grant.Orchard@aws .aust.com
07/27/2004 11:41 PM
To: security-basics () securityfocus com
cc:
Subject: Lotus Notes Security

Hi list,

I'm putting together a list of security recommendations for our company and need to know if there is anything I should be recommending regarding Lotus Notes and Domino, both 6.5.1. The server only services mail and does not hold any web content, it is not visible from the net. It has a few databases used by management but that is all apart from being a mail server. Clients are left pretty much as they are installed.
All users access their mail files locally, encrypted with the "medium" level encryption that Notes offers. Each location has a user ID to switch to.

Thanks for your help.

Grant Orchard
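Added example, not part of the original posts and not the actual Notes ID-file format: a toy model of the point in the quoted message that the password protects one copy of the ID file, so changing it on one copy leaves every other copy usable until a new ID is issued. The wrap/unwrap construction, the `directory` stand-in for what the server trusts, and the sample passwords are assumptions made for illustration.

```python
import hashlib, hmac, os

ITER = 50_000  # PBKDF2 rounds for this toy model (assumption)

def _derive(password, salt, n):
    out = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER, dklen=n + 32)
    return out[:n], out[n:]                    # keystream, MAC key

def wrap(secret, password):
    """Protect one copy of the key material under a password."""
    salt = os.urandom(16)
    stream, mac_key = _derive(password, salt, len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return {"salt": salt, "ct": ct, "tag": hmac.new(mac_key, ct, hashlib.sha256).digest()}

def unwrap(copy, password):
    """Return the key material, or None if the password is wrong for this copy."""
    stream, mac_key = _derive(password, copy["salt"], len(copy["ct"]))
    tag = hmac.new(mac_key, copy["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, copy["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(copy["ct"], stream))

def change_password(copy, old, new):
    """Re-wrap the same key under a new password; affects this copy only."""
    secret = unwrap(copy, old)
    if secret is None:
        raise ValueError("wrong password")
    return wrap(secret, new)

def scenario():
    key = os.urandom(32)                       # constructed stand-in for the key inside an ID
    fingerprint = lambda k: hashlib.sha256(k).hexdigest()
    directory = {"user": fingerprint(key)}     # what the server side trusts
    issued = wrap(key, "initial-pw")           # copy created at registration
    retained = dict(issued)                    # second copy kept elsewhere
    user_copy = change_password(issued, "initial-pw", "new-user-pw")
    old_pw_on_user_copy = unwrap(user_copy, "initial-pw")
    other = unwrap(retained, "initial-pw")     # old password still opens the other copy
    still_trusted = other is not None and fingerprint(other) == directory["user"]
    directory["user"] = fingerprint(os.urandom(32))   # remedy: issue a new ID (new key)
    trusted_after_reissue = fingerprint(other) == directory["user"]
    return {"old_pw_on_user_copy": old_pw_on_user_copy is not None,
            "retained_copy_still_trusted": still_trusted,
            "retained_copy_trusted_after_reissue": trusted_after_reissue}

if __name__ == "__main__":
    print(scenario())
```

The result shows why the two-party issuance described in the message matters: once a second copy exists under a known password, only replacing the ID removes its access.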