Lotus Domino Security



An X-Force White Paper
Lotus Domino Security
December 2002

6303 Barfield Road
Atlanta, GA 30328
Tel: 404.236.2600
Fax: 404.236.2626

Introduction

Lotus Domino is an application server that provides groupware functionality and development tools to create messaging, collaboration, workflow, tracking, Internet, and intranet applications. Lotus Domino 6 currently supports Microsoft Windows NT 4.0, Microsoft Windows 2000, Sun Solaris SPARC, IBM AIX, IBM OS/400, and Red Hat Linux platforms.

The Domino server stores information in Lotus Notes databases. All information, including POP3, HTTP, Web services, and so on, resides in these Notes databases, which are the building blocks used by developers and administrators to create applications and services. Notes databases store information and the extra functionality required to develop applications on the Lotus Domino platform. Notes databases store data in documents rather than in the more common relational form used by SQL Server and Oracle databases. For example, user mail messages are stored in mail documents within a mail database. In addition to documents, design elements make up some of the structure of a database and allow the developer to specify how data is presented and inserted into the document. Databases are created using Domino templates, which have permission attributes associated with them. These permission attributes are called Access Control Lists (ACLs), which define who can access their resources.

Domino provides support for popular Internet services, including a Web server, mail and newsgroup services (SMTP, POP3, IMAP, NNTP), LDAP, and DIIOP. These services integrate into the Lotus Domino framework. Although these features are very powerful, they create some security risks, especially if they are not configured correctly.

Figure 1. Setting Up Lotus Domino Services

An Internet Security Systems X-Force White Paper Page 1

Security Architecture

Domino's security architecture is based on a hierarchical naming scheme and a domain structure. The hierarchical structure is based on the X.500 naming standard (see the Installing Domino Server document available from the Lotus Web page for more information on the hierarchical naming scheme):

http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/f4b82fbb75e942a6852566ac0037f284/6982b92c21cd254a85256c1d00390457?OpenDocument

Figure 2. Administrator Client Viewing Basic Setup

Domino resources are members of a domain, which includes users, groups, and servers. All of these resources use the same Domino Directory. Users and servers are placed under organizational units that define their position in the hierarchy. Every resource in a domain requires an ID for authentication. When Domino creates user and server IDs, it also attaches a certificate. This certificate is signed using the organizational unit certifier ID, which allows resources within the domain to communicate with each other.

Domino manages most of the domain information in a data structure known as the Domino Directory. Information on user accounts, servers, and server configuration is stored in this directory and made available to the other members of the domain.

Figure 3. Lotus Domino Setup: Server And Domain Names

Web Service Options

The Domino Web service provides support for clients to access Domino resources. This allows well-known Web development languages such as Java, JavaScript, XML, and LotusScript to enhance Web and Domino resource interaction.

By default, when a Web client attempts to access a Domino resource, it uses simple password authentication. This in itself is a security issue, since simple password authentication passes the user name and passphrase across the network in plain text, allowing them to be intercepted. This security issue can be remedied by using one of the stronger authentication methods made available by Domino, such as SSL. Alternatively, if this functionality is not required, it can be disabled. Firewall restrictions on access to port 80 can also be useful in limiting Web service requests to those originating from an intranet.

When a Web request references a Domino database or template, Domino checks the access control list before granting access. Domino first determines whether anonymous users are able to access the requested resource. Anonymous users do not require a login or password to access Web resources. This option is ideal for a database published on a Web site for public use without authentication. If No Access is specified in the access control list for the Anonymous entry, the Web server sends the client a simple authentication pop-up window.

Figure 4. Lotus Domino Setup: Prohibit Anonymous Access

Misconfigured access control lists on Domino resources can create serious security problems. It is crucial to configure access control lists properly so that they grant access only to required users and servers. This level of security is achieved by individually and explicitly adding users and servers to the access control list, or by adding groups. Domino resource access control lists provide fine-grained permissions that can be configured to suit individual needs.

For each database ACL, administrators specify different permissions based on an access title to which users, servers, or groups can be assigned. Each access title provides a combination of any of the following permissions:

  - Read public documents
  - Write public documents
  - Create LotusScript/Java agents
  - Create shared folders/views
  - Create personal folders/views
  - Create private agents
  - Create documents
  - Delete documents

Figure 5. Configuring ACLs

Administrators also assign users to specific roles such as Admin, which set up the required permissions.

The following is a list of some of the default databases that come with Lotus Domino Release Candidate 6. This list may provide valuable information to an attacker:

  Database                     Database File    URL Location
  Monitoring Results           statrep.nsf      http://server/statrep.nsf
  Domino LDAP Schema           schema.nsf       http://server/schema.nsf
  Reports For Server           reports.nsf      http://server/reports.nsf
  Domino Directory             names.nsf        http://server/names.nsf
  Domino Log Server            log.nsf          http://server/log.nsf
  Monitoring Configuration     events4.nsf      http://server/events4.nsf
  Offline Services             doladmin.nsf     http://server/doladmin.nsf
  Domino Directory Cache       dbdirman.nsf     http://server/dbdirman.nsf
  Server Certificate Admin     certsrv.nsf      http://server/certsrv.nsf
  Certification Log            certlog.nsf      http://server/certlog.nsf
  Administration Requests      admin4.nsf       http://server/admin4.nsf

Anonymous and restricted users should not be allowed to access these databases. Access can be enforced by using strict access control list permissions. Administrators need to check the default templates installed on Domino servers. An easy way to check for these resources is to use the Lotus Domino Administrator application and list all database and template files for a Domino domain.

Domino resources accessed over the Web are rendered into HTML using object types that can represent database elements such as a form, view, or navigator. These object types provide actions that can be referenced in a Web URL request. Domino also uses Java applets to provide a Lotus Notes-style client interface for the resource in the Web browser. The following are common database object names used in Domino:

  $help
  $about
  $first
  $file
  $icon
  $defaultview
  $defaultform
  $defaultnav
  $searchform

Objects have actions associated with them, which provide a way to manipulate the object. Some objects and associated actions can provide a great deal of information to an attacker. For example, the ?OpenNavigator action opens a navigator to help view documents within the database. Use URL redirection mapping to restrict default object names and actions in Domino. However, it is necessary to account for every different reference to the same resource through a different URL: URLs can be referenced using different case variants, hex characters, universal ID, or notes ID.

LDAP Directory Implementation

Domino provides an implementation of the Lightweight Directory Access Protocol (LDAP). LDAP provides functionality for accessing information stored within directories and offers a common method for clients to access data in a distributed environment. Clients can include applications and servers that need to share information within an infrastructure. Domino uses LDAP to provide Domino Directory information to clients. This is quite useful for applications that support LDAP lookups, since they can obtain information from the Domino Directory; for example, mail programs can look up email addresses and names stored in the Domino Directory. Not only can LDAP be used to obtain information, but it can also be used to update information in the Domino Directory. This ability is useful for applications requiring a standard interface to Domino Directory data.
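The Web Service section above warns that a URL restriction rule must account for case variants and hex-encoded characters that reference the same object. The following added example (not from the paper) shows why a substring match on the raw URL fails and how canonicalising the request first (percent-decoding until stable, then case folding) closes that gap. The object names are the ones the paper lists; RESTRICTED_ACTIONS, the function names and the sample URLs are this example's own assumptions, and the sample requests are constructed rather than captured.

```python
"""Canonicalise a Domino-style Web URL before matching it against restricted
object names and actions (added example; not code from the X-Force paper)."""
from urllib.parse import unquote, urlsplit

# Object names the paper lists as common Domino database objects.
RESTRICTED_OBJECTS = {
    "$help", "$about", "$first", "$file", "$icon", "$defaultview",
    "$defaultform", "$defaultnav", "$searchform",
}
# Actions to restrict. The paper names ?OpenNavigator; the set itself is an
# assumption that a site would extend to match its own redirection policy.
RESTRICTED_ACTIONS = {"opennavigator"}


def full_unquote(text: str) -> str:
    """Percent-decode until the string stops changing (catches double encoding)."""
    while True:
        decoded = unquote(text)
        if decoded == text:
            return text
        text = decoded


def canonicalize(raw_url: str) -> tuple:
    """Return (path, action) with hex escapes decoded and case folded.

    Domino object names and ?actions are case-insensitive, so both are
    lower-cased. Only the first query token is the action; anything after an
    '&' is a parameter and is ignored for rule matching.
    """
    parts = urlsplit(raw_url)
    path = full_unquote(parts.path).lower()
    action = full_unquote(parts.query).lower().split("&", 1)[0]
    return path, action


def naive_match(raw_url: str) -> bool:
    """The check a hasty rule would do: substring match on the raw URL."""
    return any(obj in raw_url for obj in RESTRICTED_OBJECTS) or \
        any("?" + act in raw_url for act in RESTRICTED_ACTIONS)


def is_restricted(raw_url: str) -> bool:
    """Match on the canonical form so encoding and case variants cannot evade."""
    path, action = canonicalize(raw_url)
    last_segment = path.rsplit("/", 1)[-1]
    return last_segment in RESTRICTED_OBJECTS or action in RESTRICTED_ACTIONS


if __name__ == "__main__":
    # Constructed sample requests (not captured from a real server).
    samples = [
        "http://server/names.nsf/$defaultview?opennavigator",
        "http://server/names.nsf/%24DefaultView?OpenNavigator",
        "http://server/names.nsf/%2524defaultview",
        "http://server/public.nsf/byname?OpenView",
    ]
    for url in samples:
        print(f"{url}\n  naive={naive_match(url)}  canonical={is_restricted(url)}")
```

Name-based rules only cover references by object name; a document referenced by its universal ID or note ID carries no name to match, which is why the paper says each alternative reference to a resource must be accounted for separately.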
LDAP can allow anonymous users to browse the directory and access public information. For example, the ldapsearch tool can remotely retrieve information from the Domino Directory about the current configuration. No authorization is required by default. For example, you can obtain some basic information about the server and organization of a Domino server using the following command:

  C:\Lotus\Domino>ldapsearch -h 127.0.0.1 objectclass=dominoserver
  CN=ruxer,O=HT
  objectclass=dominoserver
  objectclass=top
  dominocertificate=03002402 7EF5D128 06G0160F G0025126

The following example displays the results of a dominoperson object class query:

  C:\Lotus\Domino>ldapsearch -h 127.0.0.1 objectclass=dominoperson
  CN=roger david,o=ht

  objectclass=dominoperson
  objectclass=inetorgperson
  objectclass=organizationalperson
  objectclass=person
  objectclass=top
  dominocertificate=03002602 A1900C45 06G01611 G0029992
  givenname=roger
  sn=roger
  cn=roger david
  uid=rdavid
  maildomain=ht

This query reveals useful information for a potential attack. An attacker can create a list of user names and attempt brute force attacks. If a strong password policy is not enforced, it is likely that some passwords will be easily guessed based on user name, common passwords, or information about the organization.

In the Server document, the Ports - Internet Ports - Directory tab displays the configurable options for the directory service:

  Directory (LDAP)
  TCP/IP Port Number               389
  TCP/IP Port Status               Enabled
  Enforce Server Access Settings   No
  Authentication Options
    Name & Password                Yes
    Anonymous                      Yes
  SSL Port Number                  636
  SSL Port Status                  Disabled
  Authentication Options
    Client Certificate             No
    Name & Password                No
    Anonymous                      Yes

Anonymous access to the directory service should be disabled if it is not required. Using a stronger authentication method is recommended, as communication occurs on the network in plaintext, including the user name and password if the Name & Password option is set. Using Secure Sockets Layer (SSL) is a much better option, since SSL encrypts all communication.
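After anonymous directory access has been switched off as recommended above, an administrator will want to confirm from the network that the change took effect. The following added example (not from the paper) does that with nothing but the Python standard library: it hand-encodes the LDAPv3 anonymous BindRequest (empty DN, empty simple password) in BER, sends it to the server's own LDAP port, and decodes the resultCode from the BindResponse. The host argument and default of 127.0.0.1 follow the paper's ldapsearch examples; the function names are this example's own, and the response bytes used to exercise the parser are constructed, not captured from a Domino server.

```python
"""Check whether a Domino LDAP service still accepts anonymous binds
(added example; not code from the X-Force paper)."""
import socket
import sys

# resultCode values from RFC 4511 that a bind commonly returns.
LDAP_RESULT_NAMES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
}


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def build_anonymous_bind(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }.

    An empty DN with an empty simple password is the anonymous bind of
    RFC 4513 section 5.1.1. message_id is assumed to fit in one byte.
    """
    bind_request = _tlv(0x60,                   # [APPLICATION 0] BindRequest
                        _tlv(0x02, b"\x03") +   # version INTEGER 3
                        _tlv(0x04, b"") +       # name LDAPDN ""
                        _tlv(0x80, b""))        # authentication: simple ""
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)


def _read_tlv(buf: bytes, pos: int, expect_tag: int):
    """Return (content, next_pos) for the TLV at pos, checking the tag."""
    if pos + 1 >= len(buf) or buf[pos] != expect_tag:
        raise ValueError("unexpected tag or truncated data at offset %d" % pos)
    length = buf[pos + 1]
    start = pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    if start + length > len(buf):
        raise ValueError("length runs past end of data")
    return buf[start:start + length], start + length


def parse_bind_response(data: bytes) -> int:
    """Return the resultCode of a BindResponse; ValueError if it is not one.

    Layout: SEQUENCE { INTEGER messageID, [APPLICATION 1] SEQUENCE {
    ENUMERATED resultCode, LDAPDN matchedDN, LDAPString diagnosticMessage } }.
    """
    seq, _ = _read_tlv(data, 0, 0x30)
    _message_id, pos = _read_tlv(seq, 0, 0x02)
    bind_resp, _ = _read_tlv(seq, pos, 0x61)    # [APPLICATION 1] BindResponse
    code, _ = _read_tlv(bind_resp, 0, 0x0A)     # ENUMERATED resultCode
    return int.from_bytes(code, "big")


def is_bind_response(data: bytes) -> bool:
    try:
        parse_bind_response(data)
        return True
    except ValueError:
        return False


def result_name(code: int) -> str:
    return LDAP_RESULT_NAMES.get(code, "resultCode %d" % code)


def anonymous_bind_allowed(host: str, port: int = 389, timeout: float = 5.0) -> bool:
    """Live check against your own server: True if the anonymous bind succeeds."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_anonymous_bind())
        return parse_bind_response(sock.recv(4096)) == 0


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict = "ALLOWED - disable it if not required" if anonymous_bind_allowed(host) else "refused"
    print("anonymous LDAP bind to %s:389 is %s" % (host, verdict))
```

A server with anonymous access disabled typically answers with resultCode 48 (inappropriateAuthentication) or 49 (invalidCredentials) rather than 0; either is the expected outcome after the change. Run the same check against port 636 only through an SSL-wrapped socket, since the plaintext request above is not valid TLS.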

Figure 6. SSL Configuration Options

Administrators may require anonymous access to directory services; in that case, specify which attributes an anonymous user can query and whether users can write to the Domino Directory via the directory service. These settings are available from the Configuration document in the Domino Directory. Leave the write feature disabled unless it is required. Because the directory service can be configured to offer simple or no authentication, it can provide intruders with an easy avenue of attack by remotely manipulating the Domino Directory and leveraging privileges. Using the directory assistance database, configure access control lists along with an extended access control list to define search access for a user query to the directory service.

Configuration Options for Server Security

Specific configuration options help harden Domino servers. Most of these options can be found in the Domino Directory. As a Domino administrator, it is valuable to become familiar with all of the security options and determine whether they need to be changed, since some security options are not set during Domino installation. The Server document's Security tab allows configuration of some options, including assigning administrator roles to users that grant control over different Domino server and database elements. There is also a configuration setting for programming restrictions. These restrictions limit the execution of code and access to resources.

Figure 7. Domino Administrator's Security Tab

Enabling password checking on Notes IDs from the security settings is a recommended action. With this option enabled, if a user's Notes ID file is stolen, the attacker will still have to obtain the password associated with the ID. Administrators will also have to enable password checking in the Person documents.

Server Access specifies the users that may obtain access to various resources or execute different actions. For example, it is possible to restrict access to the server, template creation, databases, or other trusted servers.

Secure Communication through Encryption Options

Domino provides many encryption options for securing communications. To limit access to Internet services to certain users, administrators should use SSL connections. SSL helps prevent eavesdropping attacks by providing an encrypted communications channel between the client and server. Using the Server document in the Domino Directory, you can set up SSL functionality for Internet services. Under Ports - Internet Ports, there are the following settings:

  SSL settings
  SSL Key File Name                                               keyfile.kyr
  SSL Protocol Version (For Use With All Protocols Except HTTP)   Negotiated
  Accept SSL Site Certificates                                    No
  Accept Expired SSL Certificates                                 Yes

This is where the various aspects of the SSL protocol are set up. The following are the Internet service-specific options:

  Web (HTTP/HTTPS)
  TCP/IP Port Number               80
  TCP/IP Port Status               Enabled
  Enforce Server Access Settings   No
  Authentication Options
    Name & Password                Yes
    Anonymous                      Yes
  SSL Port Number                  443
  SSL Port Status                  Disabled
  Authentication Options
    Client Certificate             No
    Name & Password                Yes
    Anonymous                      Yes

SSL port status should be enabled for any restricted Internet service. This setting regulates anonymous users' access to these services over either SSL or plaintext communication. Other authentication methods are made available for Internet services: administrators may choose either X.509 client certificate authentication or simple username/password authentication.

The Lotus Notes client uses a protocol called Notes RPC to communicate with a Domino server. By default, communication between Notes and Domino is not encrypted. Use the Domino Administrator tool to enable encryption:

  1. From the Domino Administrator tool, click the Configuration tab.
  2. Choose Server - Setup Ports from the Tools pane.
  3. Select the port that you want to encrypt (in most cases it will be TCP/IP).
  4. Select Encrypt Network Data, and click OK.

For this change to take effect, administrators need to use the Tools pane and select Restart Port.
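The Directory (LDAP) table earlier and the SSL settings and Web (HTTP/HTTPS) table above all show the same pattern the paper cautions against: plaintext port enabled with Name & Password accepted, SSL port disabled, anonymous access allowed, and expired certificates accepted. The following added example (not from the paper) encodes those recommendations as checks over a dictionary of Server document values, so the Internet port settings can be reviewed in bulk rather than tab by tab. The setting values reproduce the paper's two tables; the dictionary layout, the finding texts, the harden() function and its chosen target values are this example's own assumptions.

```python
"""Audit Domino Server document Internet port settings against the paper's
recommendations (added example; not code from the X-Force paper)."""

# Values as shown in the paper's Ports - Internet Ports tables; the flat
# key names are this example's own.
SERVICES_FROM_PAPER = {
    "Directory (LDAP)": {
        "TCP/IP Port Number": 389, "TCP/IP Port Status": "Enabled",
        "Enforce Server Access Settings": "No",
        "TCP/IP Name & Password": "Yes", "TCP/IP Anonymous": "Yes",
        "SSL Port Number": 636, "SSL Port Status": "Disabled",
        "SSL Client Certificate": "No",
        "SSL Name & Password": "No", "SSL Anonymous": "Yes",
    },
    "Web (HTTP/HTTPS)": {
        "TCP/IP Port Number": 80, "TCP/IP Port Status": "Enabled",
        "Enforce Server Access Settings": "No",
        "TCP/IP Name & Password": "Yes", "TCP/IP Anonymous": "Yes",
        "SSL Port Number": 443, "SSL Port Status": "Disabled",
        "SSL Client Certificate": "No",
        "SSL Name & Password": "Yes", "SSL Anonymous": "Yes",
    },
}
SSL_SETTINGS_FROM_PAPER = {
    "SSL Key File Name": "keyfile.kyr",
    "SSL Protocol Version": "Negotiated",
    "Accept SSL Site Certificates": "No",
    "Accept Expired SSL Certificates": "Yes",
}


def audit_service(name: str, s: dict) -> list:
    """Findings for one Internet service, following the paper's advice."""
    findings = []
    tcp_on = s["TCP/IP Port Status"] == "Enabled"
    ssl_on = s["SSL Port Status"] == "Enabled"
    if tcp_on and s["TCP/IP Name & Password"] == "Yes":
        findings.append(f"{name}: Name & Password accepted on plaintext port "
                        f"{s['TCP/IP Port Number']}; credentials cross the network unencrypted")
    if tcp_on and not ssl_on:
        findings.append(f"{name}: SSL port {s['SSL Port Number']} is disabled; enable it, "
                        "or disable the plaintext port if the service is not needed")
    for side in ("TCP/IP", "SSL"):
        if s[f"{side} Port Status"] == "Enabled" and s[f"{side} Anonymous"] == "Yes":
            findings.append(f"{name}: anonymous access allowed over {side}; "
                            "disable unless the resource is meant to be public")
    if s["Enforce Server Access Settings"] == "No":
        findings.append(f"{name}: server access settings are not enforced for this protocol")
    return findings


def audit_ssl_settings(s: dict) -> list:
    findings = []
    if s["Accept Expired SSL Certificates"] == "Yes":
        findings.append("SSL settings: expired certificates are accepted; set to No")
    return findings


def audit(services: dict, ssl_settings: dict) -> list:
    findings = []
    for name, s in services.items():
        findings.extend(audit_service(name, s))
    findings.extend(audit_ssl_settings(ssl_settings))
    return findings


def harden(s: dict) -> dict:
    """Copy of a service with one hardening choice applied: plaintext port
    off, SSL port on with Name & Password only, server access enforced."""
    return {**s, "TCP/IP Port Status": "Disabled", "SSL Port Status": "Enabled",
            "SSL Name & Password": "Yes", "SSL Anonymous": "No",
            "Enforce Server Access Settings": "Yes"}


if __name__ == "__main__":
    for line in audit(SERVICES_FROM_PAPER, SSL_SETTINGS_FROM_PAPER):
        print("-", line)
    hardened = {n: harden(s) for n, s in SERVICES_FROM_PAPER.items()}
    hardened_ssl = {**SSL_SETTINGS_FROM_PAPER, "Accept Expired SSL Certificates": "No"}
    print("findings after hardening:", len(audit(hardened, hardened_ssl)))
```

The checks deliberately look at port status before flagging anonymous access, so a disabled SSL port with Anonymous set to Yes is not reported until that port is enabled; a public Web database that is meant to be anonymous would be excluded by removing that service from the input rather than by weakening the rule.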

Figure 8. Port Setup And TCP/IP Options

Underlying Operating System Security

Operating system (OS) security is important to Domino, as the OS provides the environment Domino requires to operate. Anyone who can bypass the security of the operating system can most likely bypass Domino security. Users should not be able to access regions of the file system where the Lotus Domino files are stored. On the Windows platform, these files are generally in c:\lotus\domino. Of particular importance is the data directory where the Domino databases and templates are stored, including the Domino Directory database that stores user names and password hashes. If somebody were able to read this database from the file system, they could steal information and use it to log into the Domino server.

The Domino server should run on an independent host computer running no other services. Access to the host's operating system should be restricted to administrators and developers requiring access. Windows SMB shares, network file systems, and similar services should be disabled. Any service offering functionality to remote clients should be disabled if it is not required. Administrator management channels to the host should be encrypted.

By using a firewall, administrators may enforce even stricter remote access to the Domino server. Only allow access to ports that run required services. Typically, a Domino server requires these services and their corresponding ports:

  Service                 Port
  Web Service             80
  Directory Service       389
  SMTP Mail Service       25
  POP Mail Service        110

  IMAP Mail Service       143
  Lotus Notes Service     1352
  DIIOP CORBA Service     63148

Keeping up to date with new security issues is critical to ensure a secure system. Buffer overflows and other classes of bugs are constantly being discovered in services and applications that the operating system runs. Domino has a list of published vulnerabilities, with advisories for these issues listed on the Lotus security Web site at:

http://www.lotus.com/developers/itcentral.nsf/wdocs/securityzone

Conclusion

There are many services and options included with Lotus Domino. These features combine to create an application server that is powerful, extensible, and customizable for many different tasks. However, these features must be carefully configured to prevent security issues that may turn these servers into gateways to an internal corporate network, or may inadvertently serve sensitive or restricted information to malicious users. It is critical to ensure that both the Domino server and the underlying operating system have current patches installed and are configured as securely as possible. This includes using encryption for communication, disabling unused services, and checking permissions on directories and files that contain sensitive information.

About Internet Security Systems (ISS)

Founded in 1994, Internet Security Systems (ISS) (NASDAQ: ISSX) is a pioneer and world leader in software and services that protect corporate and personal information from an ever-changing spectrum of online threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East. For more information, visit the Internet Security Systems Web site at www.iss.net or call 888-901-7477.

Copyright 2002, Internet Security Systems, Inc. All rights reserved worldwide.
Internet Security Systems, the Internet Security Systems logo, Internet Scanner, System Scanner, Database Scanner, Wireless Scanner, and X-Press Update are trademarks and service marks, and RealSecure a registered trademark, of Internet Security Systems, Inc. Other marks and trade names mentioned are the property of their owners, as indicated. All marks are the property of their respective owners and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice.