Security Basics mailing list archives
Re: Lotus Notes Security
From: roger.smith () calyonfinancial com
Date: Thu, 29 Jul 2004 08:47:36 -0500
I preface this post by saying I am not a Notes Admin but having done
numerous audits and forensic investigations on compromised Notes platforms
I am comfortable with these statements. However, I don't mind being
enlightened by more knowledgeable experts!

You have a big challenge.

Subject areas of concern:
1) Managing ID files and passwords.
2) Encryption
3) iNotes remote access - (eventually everyone wants remote access)

Controlling the ID file and Password is rarely addressed properly.
Regardless of roaming IDs or client held IDs the ID file is created and
given a password ...normally by a Notes Admin - but I would strongly
advise against having one person/group do both tasks of creating the ID
and assigning the password.
The password is associated with the Notes ID file. Authentication is
with the ID file - not a server.
There can be more than one copy of the ID file for any person. Each
copy can have a different password or they can all have the same
password.
If a user has multiple computers - Home, work, London, Paris the user
can have an ID file on each PC each with a different password.
If the user changes their password on one PC it won't synch to the other
PCs and it won't affect the ability of the user to logon with another
copy of the ID file.
This is very important to note: Each copy is independent of the others.
The Notes Admin will know the password of the copy he created for you.
He can, and often does, copy the ID file for himself ("safekeeping") and
sends a copy to the end user informing him of the password he set.
Actually, the Admin should have a copy of the ID file (but not know
the password) in case the end user loses or corrupts his copy. The
ID file is a key file that uniquely links the holder to their Notes
files and databases. If the ID File is lost or corrupted the user
can't access mail or anything.
Knowing all that...consider this typical administration scenario:
Admin has access to every ID and knows the password to every ID...after
all he is the creator!
The Admin keeps a copy and a log of every ID / password he creates for
users (in case the end user forgets their password).
At any time the admin has the full ability to BECOME THE USER and almost
without detection.
On a single diskette the Admin can walk the planet with hundreds or
thousands of ID files. The admin can mass mail ID files with passwords
all over the company and then all people will be compromised and
everyone will then need a new ID file created - a VERY BIG BIG MESS! I
don't know of a Disaster Recovery plan to handle this.
UNLIKE WINDOWS OR UNIX - to remedy a compromised password the user just
changes their password and the hacker has to start all over again.
In Notes - the user can't do anything short of having the old ID file
replaced with a new ID file. That will cause the user's mail file to be
inaccessible...causing the user to start over.
Additionally - if your company is going to build hundreds of "mission
critical" applications then you have to deal with Access Control for the
user that just had his old ID file purged from the directory.
We have found admins using copied ID files to read the mail of
executives and others almost without detection.

An ID Management Solution:
One solution of securely managing IDs is for two parties to be involved
in the creation of the ID. Perhaps the Notes admin and a representative
from HR.
The Notes admin will generate the ID and HR will create (a unique
password) and hold the password. HR can inform the user of the initial
password and the Notes admin can deliver it. That way no one person or
group has both the ID and password in their possession except the end
user. Occasionally the Notes Admin will argue they need the user's
password to diagnose problems blah blah blah... I say BS to that. They
can cooperate with the user to diagnose problems.....

Encryption:
If your users require encrypted content with people outside your Notes
domain you will need to employ an S/MIME solution. That entails
managing some keys that Notes does easily.....when you know how.....just
find someone who knows how to do it well and you'll be fine. Don't let
the inmates run your S/MIME asylum. You may have regulatory
requirements to be able to monitor mail content. If you're not managing
the encryption then you may find yourself unable to meet regulatory
requirements.

iNotes:
Don't do it unless YOU can secure the remote PC or if you don't care
about what is divulged. Temp files, attachments are left on the remote
PC. VPN / SSL VPN products claim to clean up temp directories and they
do an excellent job........in a normal disconnect. If the connection
drops or the remote PC hangs the VPN won't help you clean up anything.
From my research they do nothing to guard against spyware, key loggers
and whatever else may be on hotel kiosks.
I would look at Blackberry for Domino for remote email users. It's
about as secure from end to end as anything I've seen. You can control
the end user device security to a large degree and it's relatively
cheap.

Roger Smith

Grant.Orchard@aws.aust.com
07/27/2004 11:41 PM
To: security-basics () securityfocus com
cc:
Subject: Lotus Notes Security

Hi list,
I'm putting together a list of security recommendations for our company and
need to know if there is anything I should be recommending regarding Lotus
Notes and Domino, both 6.5.1. The server only services mail and does
not hold any web content, it is not visible from the net. It has a few
databases used by management but that is all apart from being a mail
server.
Clients are left pretty much as they are installed. All users access their
mail files locally, encrypted with the "medium" level encryption that Notes
offers. Each location has a user ID to switch to.
Thanks for your help.
Grant Orchard
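
Added example (not part of either message in this thread): a simplified Python model of the point in Roger Smith's reply that each copy of an ID file carries its own password, so a password change on one copy leaves a retained copy usable until the ID itself is replaced. This is not the Notes ID file format; the wrapping scheme, the directory dict and all names are assumptions made for illustration.

```python
import hashlib, hmac, os

def _keys(password, salt):
    # Password-derived wrapping keys: 32 bytes of pad + 32 bytes of MAC key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=64)

def wrap(secret, password):
    """One ID file copy: the 32-byte secret locked under this copy's password."""
    salt = os.urandom(16)
    k = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, k[:32]))
    return {"salt": salt, "ct": ct, "tag": hmac.new(k[32:], ct, hashlib.sha256).digest()}

def unlock(id_file, password):
    k = _keys(password, id_file["salt"])
    tag = hmac.new(k[32:], id_file["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, id_file["tag"]):
        return None  # wrong password for this particular copy
    return bytes(a ^ b for a, b in zip(id_file["ct"], k[:32]))

def change_password(id_file, old, new):
    secret = unlock(id_file, old)
    if secret is None:
        raise ValueError("wrong password")
    return wrap(secret, new)  # re-wraps this copy only; other copies are untouched

def authenticate(directory, user, id_file, password):
    # The directory (hypothetical stand-in) checks the secret inside the file,
    # never the password that protects a given copy.
    secret = unlock(id_file, password)
    return secret is not None and hmac.compare_digest(
        hashlib.sha256(secret).digest(), directory.get(user, b""))

def demo():
    secret = os.urandom(32)
    directory = {"alice": hashlib.sha256(secret).digest()}  # constructed sample user
    issued = wrap(secret, "initial-pw")
    retained = dict(issued)  # copy kept by whoever created the ID
    user_copy = change_password(issued, "initial-pw", "changed-pw")
    out = {"user_copy_new_pw": authenticate(directory, "alice", user_copy, "changed-pw"),
           "retained_copy_old_pw": authenticate(directory, "alice", retained, "initial-pw")}
    # Remediation described in the post: replace the ID (new secret, directory updated).
    new_secret = os.urandom(32)
    directory["alice"] = hashlib.sha256(new_secret).digest()
    out["retained_copy_after_reissue"] = authenticate(directory, "alice", retained, "initial-pw")
    out["new_id"] = authenticate(directory, "alice", wrap(new_secret, "changed-pw"), "changed-pw")
    return out

if __name__ == "__main__":
    print(demo())
```

For an audit, the useful property of the model is that nothing on the directory side changes when a copy's password changes, so only an ID replacement shows up there.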
