Continuing from part one of this two-part series, Chuck Connell answers more ACL questions from SearchDomino.com...
SearchDomino.com member: I recently read an article about a hacker who was able to break into a Domino server. This was done as a demonstration to the company owners as an audit of their vulnerability to attacks. The hacker was able to open the names.nsf file and to see various IDs that I assume were stored in a directory folder. If the ACL of the names.nsf was set to enforce consistent ACL, how would a hacker be able to open it?
Connell: Easy. If the Default or Anonymous entries in the Access Control List are set to Read, anyone can see the IDs that are attached to the person documents. This highlights the fact that Domino/Notes is a very secure system IF IT IS SET UP CORRECTLY. Leaving names.nsf wide open for reader access is a known problem, and smart hackers know to look for it.
SearchDomino.com member: I would like to secure -- as much as is possible -- the NAB of my company domain, especially in checking "enforce consistent ACL." Could you tell me what the good and the bad aspects of this feature are?
Connell: Good question. This feature is so commonly misunderstood that I hope to write a column about it sometime. Until then, below is the section of the Domino R5 Admin Help that pertains to the feature. You can see this (and more information) by going to the Admin Help file and selecting Contents -> Security -> The database access control list -> Setting up a database ACL; then scroll down until you see the link for Enforce Consistent.
Note the important point that this feature does not disable the ability of users to modify the ACL of a local copy of a database. A local user can still change an ACL and see parts of the database that you don't want them to. The feature does disallow such a local replica from replicating back to the server. In essence, Domino says, "If you have modified the ACL of a local copy of the database, I don't trust that copy anymore."
So, to answer your question: This feature is a good security option and it definitely helps with overall Domino/Notes security. The drawback is that people often misunderstand the feature and think that it does more than it really does. It does NOT provide local security if a user can get a local copy of a database.
From Domino R5 Admin Help:
Enforcing a consistent access control list
You can ensure that an ACL remains identical on all database replicas on servers, as well as on all local replicas that users make on workstations or laptops.
Select the "Enforce a consistent Access Control List" setting on a replica whose server has Manager access to other replicas to keep the access control list the same across all server replicas of a database. If you select a replica whose server does not have Manager access to other replicas, replication will fail because the server has inadequate access to replicate the access control list.
Enforcing a consistent access control list does not provide additional security for local replicas. To keep data in local replicas secure, encrypt the database.
Note: If a user changes a local or remote server database replica's ACL when the enforce a consistent access control list option is selected, the database stops replicating. The log file records a message indicating that replication could not proceed because the program could not maintain a uniform access control list on replicas.