Enforce consistent ACL

You Can View User Feedback To This Tip

Perhaps the most misunderstood security feature in the whole Domino/Notes product line is the option "enforce a consistent access control list across all replicas of this database." The reason for the confusion is simple: This option does not enforce a consistent Access Control List across all replicas of a database.

The option (referred to as enforce consistent here) does not ensure that local copies of a database have the same ACL as server copies. It does not require that multiple server copies have the same ACL as one another. It does not prevent local users from looking at restricted views and forms that they are not authorized to see. And it does not prevent local users from seeing documents that exclude them with a Reader field.

So, what good is enforce consistent if it does not provide any of these controls? The option does two things, both of which are indeed useful, if we understand what they are:

The first feature stops users from upgrading their local access for a database, reading unauthorized documents (or making unauthorized changes) and then replicating with a server copy. The server notices that the user is up to no good (because the local ACL is different) and disallows the replication.

The second feature adds a partial additional layer of protection by locking local users out of a database that they have no right to enter. It is a weak form of local security. This feature should not be considered a real security control, however, because it has several weaknesses.

Some versions of Domino/Notes R4 contained a NOTE.INI variable to bypass the enforce co

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

Email Address:
Create Password:
Confirm Password:

By joining SearchDomino.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

To read more you must become a member of SearchDomino.com

As an existing member of the TechTarget network please provide your password to activate your account (Forgot your password?):

Password:

By joining SearchDomino.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Spam and Security Securely connect Lotus Domino servers on different domains Protect Lotus Notes from malicious code with the Domino ECL How to correct Lotus Notes public key mismatches in four easy steps A recipe for secure IM success Telecommuter security kit Spear phishing: Don't be a target FAQ: Lotus Notes Domino password issues Security awareness training: How to educate employees about spyware Seven tips to strengthen your Domino e-mail security Admin2005 preview: Tips, techniques, and a look at Notes/Domino Rel. 7

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

nsistent option (Disable_Local_Access_Control=1). While I have not conducted tests on this variable, my research says that the variable worked on both servers and workstations, on many early versions of 4.x. I understand that the variable was removed from later versions of 4.x and is not present in R5.

In R5, I strongly suspect that the enforce consistent option can be bypassed by a clever user. This is because a local user is free to create a Notes ID certifier with any name at all, then to use the certifier to create any kind of Notes ID with any name. So a local user can create ID files that match the names listed in a local database ACL. My brief attempt to do this on a test database was not successful, but I suspect it can be done.

In summary, the enforce consistent option is a valuable addition to the security administrators toolbox (and I use it myself). It is important to keep in mind, however, that the wording of the option is misleading and the option does not offer the strong level of protection that it appears to.

Credit: This article is based on my experience with this feature, information from Lotus documentation, research on several discussion groups, and a conversation with a Domino developer.

Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes, especially administration and security. CHC-3 helps companies to outsource their Domino administration needs via the Web site DominoAdministration.com and runs the popular security site DominoSecurity.org.

Code

USER FEEDBACK TO THIS TIP

Rate this Tip To rate tips, you must be a member of SearchDomino.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.