Getting started with hardening Domino

How locked-down is your Domino installation? Would you feel safe saying that it's resilient against brute-force hack attacks and insider manipulation? Even if your Domino environment has had a penetration test or vulnerability scan, is it truly hardened from the elements?

If you're like many people, you've probably found that there are few resources available for Domino security. Interestingly, if you need standards and secure practices for locking down SharePoint, IIS, and other mainstream applications, it's no problem. NIST, the Center for Internet Security and similar standards bodies have just what you need. However, these types of resources don't exist for Domino.

First, consider the question: What does a hardened Domino system mean? The reality is that everyone's definition of a hardened Domino system is different. What's considered locked down and secure in your business situation may not be enough for another business in a completely different industry. It all depends on the context, scope and type of information that is stored and processed within the system. Of course, regulations, politics and culture play a big part as well.

So where to start? First off, I suggest determining what you consider "secure enough." You can do this by assessing which information your business processes/stores, what is considered sensitive, where the sensitive information is located within your Domino environment, and which weaknesses are currently putting it at risk. You can do this by looking at the following areas:

  • Network design and resistance to denial of service
  • Operating system patches and passwords
  • Email environment patches and passwords
  • Web/application server cross-site scripting, SQL injection, login mechanisms and file permissions
  • Database system patches and passwords

Once you've found the low-hanging fruit and shored up the big issues, you can move into more specific areas related to user permissions, audit logging and other best practices outlined in the NIST Guide to General Server Security.

Most Domino-related exploits and subsequent data breaches are the result of default configurations, easily guessed passwords and outdated software. Weak IT processes and a lack of management support are the underlying causes, so hardening Domino to fit your business' needs shouldn't be too complicated.

So, do the basics now and stop the bleeding. Each year, you can tweak your business procedures and culture further until you have a rock-solid Domino environment. It will take some time and effort to get things where they need to be, but no one ever said security was simple.

Kevin Beaver
Kevin Beaver is an information security consultant, expert witness, author, and speaker with Atlanta-based Principle Logic, LLC. With over 20 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around compliance and minimizing information risks. He has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.

This was first published in January 2010
