This month's security newsletter covers three brief topics: Information about another commercial security scanner; a warning about a security scanner I previously wrote about; and a useful (and free) Web checklist to help tighten up your Domino/Notes security configurations.
Another commercial scanner
Readers of this newsletter have consistently shown an interest in software tools that help find security vulnerabilities in Domino servers. Until recently, I had trouble finding any such tools, but now they seem to be coming out of the woodwork. My tip for November discussed DominoScan from Next Generation Security Software. Now, I have been contacted by some ex-Lotus employees at Rapid7 about their security tool named NeXpose. This product has the advantage of being a general-purpose security scanner, but is also Domino-aware and looks for vulnerabilities specific to Domino servers. NeXpose is a client/server system, where the client submits scan requests to the server-side software, the server executes the scans, and then reports the results back to the client in real time. NeXpose currently runs on Linux, Windows2000, and WindowsXP.
A warning on DomiLock
On several occasions, I have discussed the free Web-based security scanner named DomiLock. Reader RobE astutely pointed out to me that the format of this scanner puts the user at some risk. To use the scanner, you type the name of your Web site (to be scanned) into the DomiLock Web page. DomiLock produces a nice security report for you, for free. The only problem is that it is possible for DomiLock to be gathering information about scans that it does and be saving the names of vulnerable sites. I have absolutely no evidence that DomiLock is doing this or has any intention of doing so. Just be aware that you are safer to run security scanners on your own machine, rather than tell someone else the names of Web sites you are assessing.
Useful security checklist
Reader LawrenceZ contacted me about his Web site at http://www.rtdc.com. Of course, the Web site tries to sell his consulting services (just like mine does) but he also has some valuable checklists for Domino/Notes administrators and developers. One of the problems with Domino/Notes is that experts tend to have lots of valuable knowledge in their heads, but it is hard for beginners to find the same information. The checklists at Lawrence's site are a good place to start. Especially note the security list at http://www.rtdc.com/CKLS/NotesSec/notessec.htm.
This was first published in January 2002