Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management

Transcription

1 Security Comparison Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management PistolStar, Inc. PO Box 1226 Amherst, NH USA Phone: Fax: Website: , PistolStar, Inc. All rights reserved.

2 Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management Lotus Notes 8.5 Issues 1. Notes Shared Login New Feature to Eliminate Notes Password Prompts With Notes Shared Login, users can start Lotus Notes 8.5 by logging into Microsoft Windows using their Windows password they do not also have to provide their Notes password. A random password is generated and set on the Notes ID as well as stored on the local hard drive using Microsoft s Data Protection API (DPAPI) to encrypt and save data tied to the Windows profile. Because Notes Shared Login integrates the Windows password, it is implied that there is true integration with Microsoft Active Directory when there is not. The Active Directory password and password policies (password expiration, password complexity) do not apply to Notes Client authentication and the Active Directory password policies are not enforced; the static Notes ID file s password expiration and complexity differ and are not linked to Active Directory, therefore its password policies are out of synch with Active Directory. Users are still required to manage the Notes ID password, therefore they still have two passwords to manage (Notes ID and Windows). Placing the user s Notes ID file password on their local hard drive poses a security risk, even with the DPAPI used. Notes Shared Login works only on the computer on which it is activated, as the Notes ID can only be stored on the user s local hard drive; Notes ID files on network shares are not supported. The credentials that are stored locally using DPAPI can only be used on the local computer. When a user tries to launch the Notes client using the Notes ID file password from another computer, they must first have exported the Notes ID from that machine using a new Notes-centric process, set a password on it, and provide that password again when launching Notes on the second computer. The DPAPI is vulnerable to attack whenever there is an open Windows session. If the user s Windows password expires while logged into Windows or if their account is disabled while logged in, Notes Shared Login will still allow them to gain access to Lotus Notes; thus, Notes Shared Login does not always reflect the status of their Active Directory account. Windows users using Windows mandatory profiles will not be able to use Notes Shared Login since no user-specific data persists across Windows logins. With Notes Shared Login, Lotus continues its practice of employing proprietary methods for password authentication. With Notes Shared Login activated, other Lotus Notes features (including the new roaming capabilities offered in 8.5) are disabled specifically, smart card integration, which has been available since Notes , PistolStar, Inc. All rights reserved. Page 2

3 With Notes Shared Login activated, support ceases for Citrix environments, Domino Password Checking, Domino HTTP Password synchronization and third-party applications (see #7 below). The Notes Shared Login functionality is only available with Lotus Notes 8.5, therefore phased upgrades to 8.5 would present a unique set of challenges, requiring a full client/ server upgrade. Organizations need to upgrade their entire environment at one time, not piecemeal, or incompatibility issues with previous versions will result. Password Power offers true and complete integration with Active Directory; users can achieve single sign-on to the Notes Client via authentication redirection using their Active Directory password. The Active Directory and Notes ID passwords are fully synchronized, allowing users to just remember, make changes to and manage their Active Directory password. Active Directory password policies are fully enforced and applied to Notes client authentication; the Notes ID file password expires when the Active Directory password policies require it to. Active Directory authentication is performed using the Kerberos authentication protocol, which adds a layer of security due to Kerberos practice of mutually authenticating the user and the server to which they are attempting access. Passwords are encrypted in volatile memory each time the user logs into Windows; they are not stored on the user s hard drive. If the user logs out of Windows or their computer shuts down or crashes, the encrypted password is lost. Single sign-on is available again the next time the user logs into Windows. Password Power saves any changes the user makes in the Windows mandatory profiles. Password Power s authentication functionality is not proprietary. Smart card integration is fully supported and without restrictions. Support for Citrix environments, Domino Password Checking, Domino HTTP password synchronization and third-party applications is fully included and without restrictions. Active Directory integration works with all recent versions of Notes (Notes 6, 7, 8, and 8.5). 2. Recovery of Forgotten Notes ID File Password With Notes 8.5, Lotus now offers automatic password recovery of the Notes ID File, allowing users to more easily recover damaged, lost and forgotten ID files. Copies of the Notes ID file are stored in a highly protected ID vault, providing administrators with the ability to more easily manage and reset individual's passwords. This feature is only available with the Notes 8.5 upgrade. The automatic Notes ID password recovery capability is only available with the Notes 8.5 upgrade and is limited to the user s computer. Restoring access to Lotus Notes using Notes Shared Login is limited to the user s computer on which Notes Shared Login is activated. 2009, PistolStar, Inc. All rights reserved. Page 3

4 Password recovery involving the ID vault is a manual process requiring the Help Desk. Self-service password recovery is not available (users must engage an IT administrator or the Help Desk). The Help Desk must change the password in two places: Windows/Active Directory and the ID vault. For Help Desk access, the user must be a Notes user and have access to the Notes Admin Client; otherwise, customized code must be written to programmatically integrate the ID vault with the organization s existing Help Desk application(s) and with a new API offered by Lotus. This action involves costs for initial training, development and subsequent associated maintenance. Notes ID file password recovery is automatic; self-service password reset is also enabled using challenge question and answer functionality. Recovery of the Notes ID file without single sign-on is fully automatic and supported on multiple computers. Stores encrypted recovery Notes ID file either locally or on a file server; as well as optionally in Active Directory or ADAM, where it can be replicated between domain controllers. Passwords only need to be changed in one location Active Directory. Automatic self-service Notes ID password recovery functionality works with all recent versions of Notes (Notes 6, 7, 8, and 8.5). 3. Notes ID File Password Storage - The ID Vault Only a single ID vault is supported in Notes 8.5. The single ID vault becomes a single point of failure if the server goes down (unless vault replicas are created on other servers). With the single ID vault, any ID vault replication delays can cause issues such as the Notes ID file password being out of synch during a password reset by the Help Desk. Collecting thousands of Notes ID files in an ID vault could create scalability issues, which will likely require multiple vaults. Possibility exists that populating and collecting Notes ID files in an ID vault will lead to performance issues, as settings must be configured correctly the first time or numerous pilots must be conducted since the functionality is prohibitively difficult to validate in test environments with more than a few test users. When launching Notes on a machine, the user s name must be in the drop-down in the Notes Login Dialog (they cannot type their name and see it come up in the drop-down). This means the ID vault can only be used on machines where the user has previously logged into the Notes client. When the Notes ID file gets updated in the ID vault (e.g. after a name change), uploading to the ID vault is unpredictable. Notes ID password changes must be done manually (are not automatic) when password expiration occurs in the Notes Client for the ID vault. 2009, PistolStar, Inc. All rights reserved. Page 4

5 Does not involve collecting/populating Notes ID files in an ID vault, therefore there is no potential for performance and scalability issues. IT does not have the concern of having the risk of failure if the server goes down. Administrators and users are not required to struggle with untested functionality IT does not have to deal with the possibility of having to employ multiple vaults There is no possibility of unpredictable uploading to an ID vault after a Notes ID file is updated. Provides Notes ID automatic password expiration and password change capabilities leveraging Active Directory password policies. The standard Notes Login Dialog is replaced with one that allows the user to type in their name; there is no login dialog at all with single sign-on. 4. Limited Roaming User Capabilities With Notes 8.5, users can be set up to log into any available Notes client and use all the Notes functionality. However, if the Notes Shared Login feature is activated, this functionality/capability does not work. With Notes Shared Login activated, if user only employs Notes on a single machine, the functionality works fine. With Notes Shared Login activated, if user employs multiple machines or uses a machine in more than one place, they will find some functionality is not available or working. With Notes Shared Login activated, Notes roaming does not work for users with Notes IDs stored in the Domino Directory; Notes Shared Login needs to be deactivated for Notes roaming support. The Notes ID cannot be moved to other machines; only the machine on which the Notes ID is initialized will know it. There is no support for single sign-on with roaming the user must know and enter their password each time the Notes client is launched. Users with Windows roaming profiles can only be logged into one computer at a time. The Roaming Profile document containing the Notes ID file is not supported in Notes 8.5 (roaming users had a special profile document with the Notes ID attached in their local names.nsf in previous versions of Notes). Roaming users obtain fully supported single sign-on and on more than one machine. Notes roaming users with Notes IDs stored in the Domino Directory are fully supported, as are users with ID files on network drives. The Notes ID can be used on machines other than one on which it was initialized. Users with Windows roaming profiles can be logged into more than one computer at a time. The Roaming Profile document containing the Notes ID file is supported by synchronizing its password with Active Directory, ensuring encrypted support via Blackberry and/or Domino Web Access is uninterrupted by password changes. 2009, PistolStar, Inc. All rights reserved. Page 5

6 5. Use of Functionality on Multiple Machines and in Multiple Locations Notes 8.5 does not support Kiosk logins with a guest account. Users can login with a Windows guest account and gain access, but there is no security because the DPAPI is effectively shared by all users of Lotus Notes on that machine. There is limited support for Kiosk logins using an Active Directory user account with single sign-on. With the initial setup, users must know the correct password; with ID vault storage, the Help Desk is required if the password is unknown. Support is provided for multiple computers automatically. Support is provided for access to kiosks with a guest account because Active Directory credentials can be entered when launching the Notes client; employing an Active Directory user account to login to their own Windows profile allows users to obtain full single sign-on. 6. Password Checking Not Working Rendered Inactive The Notes ID file password checking functionality does not work, particularly when using Notes Shared Login. Different passwords on different copies of the user s Notes ID files are not allowed when Password Checking is enabled. With Notes Shared Login, manual synchronization is not possible. Notes ID file password checking is fully functional and supported. All Notes ID file copies are brought into synch with the user s Active Directory password. 7. No Support for Citrix/Terminal Server Environments and Third-Party Applications Support for Citrix environments does not work with Notes 8.5. Notes native smart card support does not work when Notes Shared Login is activated, as Notes Shared Login does not allow the Notes ID file to be moved around to other machines. Smart card integration with a mutable key stored on the smart card is also not supported. Domino HTTP password synchronization is not supported, requiring an additional login to access Domino and limiting browser-based access to Domino (see Lotus Domino issues below). Support is not available for third-party applications requiring the Notes ID file password (e.g. Domino Web Access and Blackberry encrypted with the embedded Notes ID file in the mail file). Blackberry requires the Notes client to be running in order to synchronize. Support is not provided for the passwords for other enterprise systems, such as IBM 2009, PistolStar, Inc. All rights reserved. Page 6

7 WebSphere, IBM System i, SAP, Oracle and Web portals (e.g. (Microsoft SharePoint); single sign-on and password synchronization are not available for these systems. Smart card integration for all smart card vendors is fully supported. Built-in Domino HTTP password synchronization is fully supported. Third-party systems, particularly Citrix, are fully supported. Third-party applications such as Domino Web access and Blackberry encrypted with the embedded Notes ID file are fully supported by synchronizing the passwords with Active Directory. Single sign-on or password synchronization are provided for WebSphere, System i, SAP, Oracle and Web portals. Lotus Domino 8.5 Issues 1. Single Sign-On to Lotus Domino Not Available While Lotus Notes enables single sign-on to the Notes Client, it does not also enable single sign-on to Lotus Domino, which Notes users need to log into as well. Therefore, any benefit of reduced logons and password prompts does not really exist. Lotus users only to need to remember their Active Directory password and to login with it one time to achieve true single sign-on to all their Lotus applications (Domino, Sametime, Sametime Connect, Quickr). Password Power enables Lotus users to also have single sign-on to Domino using Active Directory with Kerberos. Users also gain the added security of the Kerberos authentication protocol, which mutually authenticates the user and the server to which they are attempting access. 2. Browser-based Users Accessing Domino Have Limited Usability and Lack Security Users working remotely and others who need to access Domino via a browser do not have the advantage of a full set of features enabling convenience and flexibility. Notes users accessing Domino via a browser also sacrifice security. Password Power/Web Set Password Benefits: With PistolStar s Web Set Password, browser-based users obtain access to Domino easily and with the benefit of comprehensive password authentication, management and security features if single sign-on is not desired. Web Set Password provides users with the option of logging in with either their Active Directory or Domino HTTP password to access all Domino domains. Users gain the ability to manage their own passwords and perform self-service password resets. Users can also self-register, creating their own user accounts without involving administrators (if optionally enabled in the configuration). 2009, PistolStar, Inc. All rights reserved. Page 7

8 Globally and remotely-based users achieve streamlined access to corporate-wide intranets and extranets. Web Set Password customizes the native domcfg.nsf Domino database to provide a powerful upgrade to Domino s authentication and password security functionality. IT administrators obtain capabilities and best practices for optimizing the security of the authentication process without increasing Help Desk calls. These added capabilities and best practices also enable IT administrators to meet the security requirements of government and industry regulations. 3. Domino Password Synchronization with the Notes and Active Directory Passwords is Not Available Domino HTTP access does not synchronize the Notes ID password or the Active Directory password with the Domino HTTP password, therefore users need to remember more than one password to access their Lotus applications and encounter multiple logins. Password Power/Web Set Password Benefits: Web Set Password allows users to synchronize their Domino HTTP password with their passwords for the Notes ID and Active Directory from a browser, reducing the number of logins. Password synchronization increases security because having only one password to commit to memory decreases the likelihood end-users will write it down and become a target for internal network intruders. Password Power Deployed to Millions of Users, Fully Supported By Its Developers Unlike Lotus Notes version 8.5, Password Power is a proven technology that has been deployed in over 400 enterprise environments. It is easy to use, predictable and reliable, providing powerful authentication, access control, and password management capabilities. Password Power optimizes the usability, security and compliance of Lotus applications by integrating Active Directory and the Kerberos authentication protocol. Organizations realize a dramatic reduction in Help Desk calls, decreased IT security costs and increased administrator and end-user productivity. Best of all, Password Power is delivered and supported by PistolStar s expert development and technical support team. ### 2009, PistolStar, Inc. All rights reserved. Page 8