Over the past month, the increased attention on computer security has been remarkable. Recently, both HP and IBM made major announcements about beefed up services in this area. Since most of us cannot afford to hire HP or IBM to conduct a security audit of our systems, however, many Domino administrators are forced to go it alone.
If you want to assess your Domino/Notes system's security status, what is the best way to go about it? Do you start trying random hacks, hoping to find vulnerabilities? No. A good security audit is a careful process that follows a standard sequence of operations to produce a reliable result. Here are the guidelines I use in my consulting business when I conduct a Domino/Notes security audit. This is certainly not the only way to proceed, but I have found it to work well.
1. Make a factual listing of current hardware, software, networks, applications, user accounts, and security practices. This document states what you HAVE now and what DOES happen with computer security.
2. Create a Security Policies and Procedures document. This is a joint exercise among managers, users, and technical personnel. The document states what SHOULD happen with all aspects of system security. It covers all the computer systems, applications, and user groups listed in Step #1.
3. Evaluate how well your current system is meeting your security goals. This involves both "paper analysis" based on the two documents above and live testing where necessary to determine if what DOES happen matches what SHOULD happen
4. Conduct additional penetration tests that attempt to exploit publicly known weaknesses in the Domino/Notes installation. The goal here is to make sure you have the proper release levels to close the holes or have configured your system to mitigate the problems.
5. Write a set of recommendations about how to improve your system to better meet your security goals or to close vulnerabilities. Prioritize the list based on your judgment of each item's importance.
6. Implement the changes in a careful manner, taking into account priorities and cost.
Be sure not to short change Step # 2. It can take some time to develop a good Policies and Procedures document, but the effort pays off many times over. Here are two examples that illustrate this:
- Suppose your organization has a practice of assigning everyone the same Notes ID password and that everyone knows about the practice. Is this a security problem? Normally, we would say "Yes." But what if your organization has a special need for users to switch IDs often? After careful consideration among all parties involved, you decide on a security policy which gives everyone the same password, in order to make switching IDs easy. So your judgment about this practice depends on the policies and procedures that you define.
- More realistically, should you configure your firewall so that users have remote Notes access from only fixed, known IP addresses or from any IP address? The former is more secure, but the latter is more convenient for traveling users. The answer depends on the desired remote access that you state in the Policies and Procedures document.
This was first published in December 2001