Lotus Domino Security

Transcription

1 An X-Force White Paper Lotus Domino Security December Barfield Road Atlanta, GA Tel: Fax:

2 Introduction Lotus Domino is an Application server that provides groupware functionality and development tools to create messaging, collaboration, workflow, tracking, Internet, and intranet applications. Lotus Domino 6 currently supports Microsoft Windows NT 4.0, Microsoft Windows 2000, Sun Solaris SPARC, IBM AIX, IBM OS/400, and Red Hat Linux platforms. The Domino server stores information in Lotus Notes databases. All information, including POP3, HTTP, Web services, etc. resides in these Notes databases, which are the building blocks used by developers and administrators to create applications and services. Notes databases store information and the extra functionality required to develop applications on the Lotus Domino platform. Notes databases store data in documents rather than the more-common relational method utilized by SQL Server and Oracle databases. For example, user mail messages are stored in mail documents within a mail database. In addition to documents, design elements make up some of the structure of a database and allow the developer to specify how data is presented and inserted into the document. Databases are created using Domino templates, which have permission attributes associated with them. These permission attributes are called Access Control Lists (ACL), which define who can access their resources. Domino provides support for popular Internet services, including a Web server, mail, and newsgroup services (SMTP, POP3, IMAP, NNTP), LDAP, and DIIOP. These services integrate into the Lotus Domino framework. Although these features are very powerful, they create some security risks, especially if they are not configured correctly. Figure 1. Setting Up Lotus Domino Services An Internet Security Systems X-Force White Paper Page 1

3 Security Architecture Domino s security architecture is based on a hierarchical naming scheme and a domain structure. The hierarchical structure is based on the X.500 naming standard (see the Installing Domino Server document available from the Lotus Web page for more information on the hierarchical naming scheme): 12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/f4b82fbb75e942a ac0037f28 4/6982b92c21cd254a85256c1d ?OpenDocument Figure 2. Administrator Client Viewing Basic Setup Domino resources are members of a domain, which includes users, groups, and servers. All of these resources use the same Domino directory. Users and servers are placed under organizational units that define their position in the hierarchy. Every resource in a domain requires an ID for authentication. When Domino creates user and server IDs, it also attaches a certificate. This certificate is signed using the organizational unit certifier ID. This allows resources within the domain to communicate with each other. Domino manages most of the domain information in a data structure known as the Domino directory. Information on user accounts, servers, and configuration information about the server is stored in this directory. This information is made available to the other members of the domain. An Internet Security Systems X-Force White Paper Page 2

4 Figure 3. Lotus Domino Setup Server And Domain Names Web Service Options The Domino Web service provides support for clients to access Domino resources. This allows well-known Web development languages such as Java, JavaScript, XML, and LotusScript to enhance Web and Domino resource interaction. By default, when a Web client attempts to access a Domino resource, it uses simple password authentication. This in itself is a security issue, since simple password authentication passes the user name and passphrase information across the network in plain text, allowing them to be intercepted. This security issue can be remedied by using one of the stronger authentication methods made available by Domino, such as SSL. Alternatively, if this functionality is not required, it can be disabled. Firewall restrictions for access to port 80 can also be useful in limiting Web service requests to those originating from an intranet. When a Web request references a Domino database or template, Domino checks the access control list before granting access. Domino first determines if anonymous users are able to access the requested resource. Anonymous users do not require a login or password to access Web resources. This option is ideal for a database published on a Web site for public use without authentication. If No Access is specified in the access control list for the anonymous user entry, the Web server will send the client a simple authentication pop-up window. An Internet Security Systems X-Force White Paper Page 3

5 Figure 4. Lotus Domino Setup Prohibit Anonymous Access Misconfigurations of access control lists associated with Domino resources can create serious security problems. It is crucial that to properly configure access control lists to provide access only to required users and servers. This level of security is achieve by individually and explicitly adding users and servers to the access control list, or by adding groups. Domino resource access control lists provide fine-grained permissions that can be configured to suit individual needs. For each database ACL, administrators specify different permissions based on an access title to which users, servers, or groups can be assigned. Each access title provides a combination of any of the following permissions: Read public documents Write public documents Create LotusScript/Java agents Create shared folders/views Create personal folders/views Create private agents Create documents Delete documents An Internet Security Systems X-Force White Paper Page 4

6 Figure 5. Configuring ACLs Administrators also assign users to specific roles such as Admin, which set up the required permissions. The following is a list of some of the default databases that come with Lotus Domino Release Candidate 6. This list may provide valuable information to an attacker: Database Database File URL Location Monitoring Results statrep.nsf Domino LDAP Schema schema.nsf Reports For Server reports.nsf Domino Directory names.nsf Domino Log Server log.nsf Monitoring Configuration events4.nsf Offline Services doladmin.nsf Domino Directory Cache dbdirman.nsf Server Certificate Admin certsrv.nsf Certification Log certlog.nsf Administration Requests admin4.nsf Anonymous and restricted users should not be allowed to access these databases. Access can be enforced by using strict access control list permissions. Administrators need to check the default templates installed on Domino servers. An easy way to check for these resources is to use the Lotus Domino Administrator application and list all database and template files for a Domino domain. An Internet Security Systems X-Force White Paper Page 5

7 Domino resources accessed over the Web are rendered into HTML using object types that can represent database elements like form, view, or navigator. These object types provide actions that can be referenced in a Web URL request. Domino also utilizes Java applets to provide a Lotus Notes-style client interface for the resource at the Web browser. The following are common database object names used in Domino: $help $about $first $file $icon $defaultview $defaultform $defaultnav $searchform Objects have actions associated with them, which provide a way to manipulate the object. Some objects and associated actions can provide a great deal of information to an attacker. For example, the?opennavigator action opens a navigator to help view documents within the database. Use URL redirection mapping to restrict default object names and actions in Domino. However, it is necessary to account for each different reference to the same resource using a different URL. URLs can be referenced by using different case variants, hex characters, universal ID, or notes ID. LDAP Directory Implementation Domino provides an implementation of the Lightweight Directory Access Protocol (LDAP). LDAP provides functionality for accessing information stored within directories and offers a common method to access data for clients in a distributed environment. Clients can include applications and servers that need to share information within an infrastructure. Domino uses LDAP to provide Domino Directory information to clients. This becomes quite useful for applications that support LDAP lookups, since they can obtain information within the Domino Directory, such as mail programs that can look up and name addresses stored in the Domino Directory. Not only can LDAP be used to obtain information, but it can also be useful for updating information in the Domino Directory. This ability is useful for applications requiring a standard interface to Domino Directory data. LDAP can allow anonymous users to browse the directory and access public information. For example, the ldapsearch tool can remotely retrieve information from the Domino Directory about the current configuration. No authorization is required by default. For example, you can obtain some basic information about the server and organization of a Domino server using the following command: C:\Lotus\Domino>ldapsearch -h objectclass=dominoserver CN=ruxer,O=HT objectclass=dominoserver objectclass=top dominocertificate= EF5D128 06G0160F G The following example displays the results of a dominoperson object class query: C:\Lotus\Domino>ldapsearch -h objectclass=dominoperson CN=roger david,o=ht An Internet Security Systems X-Force White Paper Page 6

8 objectclass=dominoperson objectclass=inetorgperson objectclass=organizationalperson objectclass=person objectclass=top dominocertificate= A1900C45 06G01611 G givenname=roger sn=roger cn=roger david uid=rdavid maildomain=ht This query reveals useful information for a potential attack. An attacker can create a list of user names and attempt brute force attacks. If a strong password policy is not enforced, it is likely that some passwords will be easily guessed based on user name, common passwords, or information about the organization. Using the server document, the Ports - Internet Ports Directory tab displays configurable options for the directory service: Directory (LDAP) TCP/IP Port Number 389 TCP/IP Port Status Enabled Enforce Server Access Settings No Authentication Options Name & Password Yes Anonymous Yes SSL Port Number 636 SSL Port Status Disabled Authentication Options Client Certificate No Name & Password No Anonymous Yes Anonymous access to the directory service should be disabled if it is not required. Using a stronger authentication method is recommended, as communication occurs on the network in plaintext, including user name and password if the Name & password option is set. Using Secure Sockets Layer (SSL) is a much better option, since SSL encrypts all communication. An Internet Security Systems X-Force White Paper Page 7

9 Figure 6. SSL Configuration Options Administrators may require anonymous access to directory services by specifying which attributes an anonymous user can query and whether users can write to the Domino Directory via the directory service. These settings are available from the Configurations document in the Domino Directory. Leave the write feature disabled unless it is required. Because the directory service can be configured to offer simple or no authentication, it can provide intruders with an easy avenue of attack by remotely manipulating the Domino Directory and leveraging privileges. Using the directory assistance database, configure access control lists along with an extended access control list to define search access for a user query to the directory service. Configuration Options for Server Security Specific configuration options help harden Domino servers. Most of these options can be found in the Domino Directory. As a Domino administrator, it is valuable to become familiar with all of the security options and determine if these need to be changed. By default, some security options are not set by default during Domino installation. The Servers document Security tab allows for configuration of some options, including assigning administrator roles to users that grant control over different Domino server and database elements. There is also a configuration setting that sets programming restrictions. These restrictions assist in restricting the execution of code and access to resources. An Internet Security Systems X-Force White Paper Page 8

10 Figure 7. Domino Administrator s Security Tab Administrators enable password checking on notes IDs from the security settings a recommended action. With this option enabled, if a user s Notes ID file is stolen, the attacker will still have to obtain the password associated with the ID. Administrators will also have to enable password checking in the Person documents. Server Access specifies users that may obtain access to various resources or execute different actions. For example, it is possible to restrict access to the server, template creation and databases, or other trusted servers. Secure Communication through Encryption Options Domino provides many encryption options for securing communications. For limiting access to Internet services to certain users, administrators should use SSL connections. SSL helps prevent data eavesdropping attacks by providing an encrypted communications channel between the client and server. Using the server document in the Domino Directory, you can set up SSL functionality for Internet services. Under Ports Internet ports, there are the following settings: SSL settings SSL Key File Name SSL Protocol Version (For Use With All Protocols Except HTTP) Accept SSL Site Certificates Accept Expired SSL Certificates keyfile.kyr Negotiated No Yes Here is where to set up various aspects of the SSL protocol. The following are the Internet service specific options: An Internet Security Systems X-Force White Paper Page 9

11 Web (HTTP/HTTPS) TCP/IP Port Number 80 TCP/IP Port Status Enabled Enforce Server Access No Settings Authentication Options Name & Password Yes Anonymous Yes SSL Port Number 443 SSL Port Status Disabled Authentication Options Client Certificate No Name & Password Yes Anonymous Yes SSL port status should be enabled for any restricted Internet service. This setting regulates anonymous users access to these services either over SSL or plaintext communication. Other authentication methods are made available for Internet services. Administrators may choose to either use X.509 client certificate authentication or simple username/password authentication. The Lotus Notes client uses a protocol called Notes RPC to communicate with a Domino server. By default, communication between Notes and Domino is not encrypted. Use the Domino Administrator tool to enable encryption. 1. From the Domino Administrator tool, click the configuration tab 2. Choose Server Setup Ports from the Tools pane 3. Select the port that you want to encrypt (in most cases it will be TCP/IP) 4. Select Encrypt Network Data, and click OK For this change to take effect administrators need to use the Tools pane and select RestartPort. An Internet Security Systems X-Force White Paper Page 10

12 Figure 8. Port Setup And TCP/IP Options Underlying Operating System Security Operating system (OS) security is important to Domino, as the OS supports the environment Domino requires to operate. Anyone who can bypass the security of the operating system can most likely bypass Domino security. Users should not be able to access regions of the file system where the Lotus Domino files are stored. On the Windows platform, these files are generally in c:\lotus\domino. Of particular importance is the data directory where the Domino databases and templates are stored, including the Domino Directory database that stores user names and password hashes. If somebody was able to read this database from the file system, they could steal information and use it to log into the Domino server. The Domino server should run on an independent host computer running no other services. Access to the host s operating system should be restricted to Administrators and developers requiring access. Windows SMB shares, network file systems, and similar services should be disabled. Any service offering functionality to remote clients should be disabled if it is not required. Administrator management channels to the host should be encrypted. By using a firewall, administrators may provide even stricter remote access to the Domino server. Only allow access to ports that run required services. Typically, a Domino server requires these services and their corresponding ports: Service Port Web Service 80 Directory Service 389 SMTP Mail Service 25 POP Mail Service 110 An Internet Security Systems X-Force White Paper Page 11

13 IMAP Mail Service 143 Lotus Notes Service 1352 DIIOP CORBA Service Keeping up to date with new security issues is critical to ensure a secure system. Buffer overflows and other classes of bugs are constantly being discovered in services and applications that the operating system runs. Domino has a list of published vulnerabilities, with advisories for these issues listed on the Lotus security Web site at: Conclusion There are many services and options that are included with Lotus Domino. These features combine to create an application server that is powerful, extensible, and customizable for many different tasks. However, these features must be carefully configured to prevent security issues that may render these servers as gateways to an internal corporate network, or may inadvertently serve sensitive or restricted information to malicious users. It is critical to ensure that both the Domino server and the underlying operating system have current patches installed and are configured as securely as possible. This includes using encryption for communication, disabling unused services, and checking permissions to directories and files that contain sensitive information. About Internet Security Systems (ISS) Founded in 1994, Internet Security Systems (ISS) (NASDAQ: ISSX) is a pioneer and world leader in software and services that protect corporate and personal information from an ever-changing spectrum of online threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. For more information, visit the Internet Security Systems Web site at or call Copyright 2002, Internet Security Systems, Inc. All rights reserved worldwide. Internet Security Systems, the Internet Security Systems logo, Internet Scanner, System Scanner, Database Scanner, Wireless Scanner, and X-Press Update are trademarks and service marks, and RealSecure a registered trademark, of Internet Security Systems, Inc. Other marks and trade names mentioned are the property of their owners, as indicated. All marks are the property of their respective owners and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice. An Internet Security Systems X-Force White Paper Page 12