Setting the Execution Control List

In R5.0.2 Lotus did a complete about-face on the Execution Control List (ECL). Prior to R5.0.2, the ECL was set to allow you complete control and access to your workstation. In R5.0.2, Lotus decided to change that policy to only allow the user and Lotus Development full access.

What does this mean to you?

Well, you and any of your users with fresh installs of R5.0.2 or higher may start seeing a lot of pop-up boxes indicating "Execution Security Alerts." This won't affect incrementally upgraded versions of Notes, only new installations. The ECL stays wide open from the prior install.

The Execution Security Alert box will state that "Notes has been asked to execute the following action which does not fit within your security profile:"

The box shows you what the action is, who signed it, and what in that action is not allowed by the ECL. It is then up to the user to choose from the following buttons: Abort, Execute Once, Trust Signer, or Help.

If the signer is either one of your servers, you, or Lotus, it is wise to trust the signer. However, if it is not signed by a recognized source, proceed with caution. Someone may be trying to harm your system! Prior to R5.0.2, this would have occurred without your true consent. In R5.0.2x, it must be set up as a trusted signer to do anything.

As an administrator, you need to decide on an ECL policy. The ECL is often overlooked because it never presented itself as an issue before R5.0.2. It was set to allow access and it wasn't noticed unless you went digging for it. However, it is something that should be set in any release.

It is accessible via File/Preference/User Preferences. It is under the Security Options button on the Basics tab. In 4.6, it is in the same place, but User Preferences are under File/Tools/User Preferences. Your ECL policy is going to be unique to your organizational needs, but a good starting point is to trust your servers to do anything other than modify the ECL, and let the user do the same. Only items signed by a Notes administrator should be allowed to change the ECL. This way you can maintain control over the user's ECL without affecting their normal usage of Notes.

For more information on the ECL see the Domino Administration Help database.

Michael Lazar is a SearchDomino advisor

Rate this Tip To rate tips, you must be a member of SearchDomino.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Spam and Security Securely connect Lotus Domino servers on different domains Protect Lotus Notes from malicious code with the Domino ECL How to correct Lotus Notes public key mismatches in four easy steps A recipe for secure IM success Telecommuter security kit Spear phishing: Don't be a target FAQ: Lotus Notes Domino password issues Security awareness training: How to educate employees about spyware Seven tips to strengthen your Domino e-mail security Admin2005 preview: Tips, techniques, and a look at Notes/Domino Rel. 7 RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.