If you're like many people, you've probably found that there are few resources available for Domino security. Interestingly, if you need standards and secure practices for locking down SharePoint, IIS, and other mainstream applications, it's no problem. NIST, the Center for Internet Security and similar standards bodies have just what you need. However, these types of resources don't exist for Domino.
First, consider the question: What does a hardened Domino system mean? The reality is that everyone's definition of a hardened Domino system is different. What's considered locked down and secure in your business situation may not be enough for another business in a completely different industry. It all depends on the context, scope and type of information that is stored and processed within the system. Of course, regulations, politics and culture play a big part as well.
So where to start? First off, I suggest determining what you consider "secure enough." You can do this by assessing which information your business processes/stores, what is considered sensitive, where the sensitive information is located within your Domino environment, and which weaknesses are currently putting it at risk. You can do this by looking at the following areas:
- Network design and resistance to denial of service
- Operating system patches and passwords
- Email environment patches and passwords
- Web/application server cross-site scripting, SQL injection, login mechanisms and file permissions
- Database system patches and passwords
Once you've found the low-hanging fruit and shored up the big issues, you can move into more specific areas related to user permissions, audit logging and other best practices outlined in the NIST Guide to General Server Security.
Most Domino-related exploits and subsequent data breaches are the result of default configurations, easily guessed passwords and outdated software. Weak IT processes and lack of management support are the primary causes, so hardening Domino to fit your business' needs shouldn't be too complicated.
So, do the basics now and stop the bleeding. Each year, you can tweak your business procedures and culture further until you have a rock-solid Domino environment. It will take some time and effort to get things where they need to be, but no one ever said security was simple.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, author, and speaker with Atlanta-based Principle Logic, LLC. With over 20 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around compliance and minimizing information risks. He has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.
This was first published in January 2010