Firewall Wizards mailing list archives

Re: Lotus Domino as an access control to internal network


From: Rik Farrow <rik () spirit com>
Date: Thu, 5 Mar 1998 19:15:35 -0700 (MST)

Andreas Siegert <afx () ibm de> may have written:
You should be aware that any Domino server can act as a relay to all other
Domino Servers it is in contact with. Make sure this is turned off in the
server configuration.

Notes users will also have access to other Web servers in the
internal network.  While this may be okay for internal Notes users,
if an organization is using the Domino server to expose selected
information to non-employees, it becomes critical to prevent those
users from accessing other internal Web servers.

Aleph One <aleph1 () dfw net> may have written:
The password only unlocks your RSA key. The session key is used to
exchange a randomly generated session key. There is no need for one time
passwords.

True enough.  But when I last looked at Notes (about 8 months
ago), I learned that Notes permits password guessing, adding a 30
second delay with each failed attempt, but no lockout and no logging.
Guessing the password using a dictionary attempt doesn't get you
into Notes because RSA is also used.  However, users typically
maintain the same password everywhere they log in.  So using a Notes
server to guess a user's password might provide access to other
servers as well (for example, terminal servers with internal
network access, but lockouts on password guessing).

Regards,
Rik



