Five pitfalls (and their remedies) in IBM Domino security you need to know!

Boost Your Domino Security with BCC DominoProtect

E-Mail: [email protected]

Web: www.bcc.biz

Tel.: +44 20 3290 9224

Fax: +44 20 7100 3714

Becket House, 36 Old Jewry

London EC2R 8DD

BCC Business Collaboration

Company Ltd

Webinar 30th Oct 2014

@BCC_Ltd #BCCWebinar

Boost Your Domino Security

with


Introduction

Arshad Khalid • Director of Technical Services

• Working with Notes/Domino since

1998

• Consultant, Project Manager

• IBM Lotus Top Achiever 2009

• IBM Champion 2014

• @arshad101


About BCC

Housekeeping

• Protect the server ID

Fort Knox without backdoors

• Protect the ID Vault

God mode trap

• Protect against misuse of Full Access Administration

Stealth mode trap

• Prevent & track unauthorised changes in real time

Who let the dogs out?

• Logging and rollback

Questions

Agenda



About BCC

Founded in 1996

IBM Business Partner

Locations: Frankfurt (HQ), Vienna and London

Implementation Partner: Maarga Systems, NJ, US

800+ customers


BCC Solutions


About BCC

Housekeeping




God mode trap


Stealth mode trap




Questions

Agenda



Why Protect the Server ID?

YES, it makes it easy to reboot the server!

But it IS a dangerous practice to not password protect the Server

ID

An unsecured Server ID is your WEAK SPOT!

But you don’t have to take our word for it…


IBM Says So…

“We understand that most Domino servers are not password-protected to make

unattended reboots simpler, but the vault server's ID file is a key element in the

security of your ID vault”

“..a sophisticated attacker with a vault database and one of the corresponding

server IDs...would have all of the cryptographic information needed to

masquerade as the vault server and decrypt all of the ID files stored in the vault”

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vault-server

















Paul Mooney Says So…

https://twitter.com/SandraCH/status/428268770793381888




BCC DominoProtect

Protect the Server ID with password(s)

• Assign a random password to the server ID

• Assign multiple passwords fulfilling the “two man rule”

• DominoProtect provides the password at startup

• Facilitates automatic server restart


Demo

Protect the server ID


About BCC

Housekeeping




God mode trap


Stealth mode trap




Questions

Agenda



ID Vault: Why secure the ACL?

Change ACL?

• Full Access Admins are able to do this

• Server based Script Agents

Preventing unwanted changes in ID Vault is mandatory!

Anyone with Role Auditor & AdminClient is able to download ID Files from ID Vault


BCC DominoProtect

Protect ACL

• Prevent ACL Change

• Track ACL Changes

• Change request via approval workflow


Demo

Protect the ID Vault


About BCC

Housekeeping




God mode trap


Stealth mode trap




Questions

Agenda



Full Access Administration

Can be used to bypass many IBM Domino restrictions

Directly update ACLs

Access sensitive data

Change configuration documents in the Domino Directory


BCC DominoProtect

Disable Full Access Administration

• Via the licence

Field level document security

• Protect specific fields in a document

• Manager, Designer or Editor is not allowed to change secured fields

Change Management

• Request workflows for controlled changes


About BCC

Housekeeping




God mode trap


Stealth mode trap




Questions

Agenda



Real time tracking & prevention

Domino logging out of the box is quite basic

Someone with malicious intent could

• Add their name to a group

• Access sensitive data

• Make changes to the data

• Remove themselves from the group


BCC DominoProtect

Protect against unauthorised changes

• Track access to document

• Track modification

• Prevent modification or deletion

• Trigger an email notification

• Start an approval workflow


Demo

Protect against misuse of Full Access Administration

Prevent & track unauthorised changes in real time


About BCC

Housekeeping




God mode trap


Stealth mode trap

• Protect against unauthorised changes in real time



Questions

Agenda



Logging and Rollback

Changes made by an interim admin

Changes made by mistake

Not easy to track

Reversing the changes a considerable drain on admin time and

resources

Systems need to be up and running quickly


BCC DominoProtect

Change Management

• Request workflows for controlled changes

• Automated change history and roll back

Detailed monitoring and logging

• Automatic audit proof documentation of all actions related to protected

elements


Demo

Logging and rollback


Demo: Log shows that a request has been received and forwarded to the approvers


Demo: Change request was accepted & the change made in the Domino Directory. It also records old and new values of the field

for audit purposes


In summary

An essential extra layer of security for IBM Domino

Prevent and track changes in real time

Protect server IDs with password and start servers unattended

Safeguard and secure ID Vault & Domino Directory

Prevent misuse of Full Access Admin

Facilitates implementing a “two man rule” via approval workflow

One click Rollback and recovery

Ensure compliance for corporate governance and legal regulations


Arshad Khalid

• [email protected]

• @arshad101

BCC

• www.bcc.biz

• @BCC_Ltd

It’s a wrap!

Thank You!

mailto:[email protected]

http://www.bcc.biz/


Register to watch the video:

http://www.bcc.biz/hp/bcc_hp.nsf/id

/EN_NotesCode_Webinar_10-2014

Webinar replay online

http://www.bcc.biz/hp/bcc_hp.nsf/id/EN_NotesCode_Webinar_10-2014





Software

Five pitfalls (and their remedies) in IBM Domino security you need to know!