Scanners, warnings and checklists

This month's security newsletter covers three brief topics: Information about another commercial security scanner; a warning about a security scanner I previously wrote about; and a useful (and free) Web checklist to help tighten up your Domino/Notes security configurations.

Another commercial scanner
Readers of this newsletter have consistently shown an interest in software tools that help find security vulnerabilities in Domino servers. Until recently, I had trouble finding any such tools, but now they seem to be coming out of the woodwork. My tip for November discussed DominoScan from Next Generation Security Software. Now, I have been contacted by some ex-Lotus employees at Rapid7 about their security tool named NeXpose. This product has the advantage of being a general-purpose security scanner, but is also Domino-aware and looks for vulnerabilities specific to Domino servers. NeXpose is a client/server system, where the client submits scan requests to the server-side software, the server executes the scans, and then reports the results back to the client in real time. NeXpose currently runs on Linux, Windows2000, and WindowsXP.

A warning on DomiLock
On several occasions, I have discussed the free Web-based security scanner named DomiLock. Reader RobE astutely pointed out to me that the format of this scanner puts the user at some risk. To use the scanner, you type the name of your Web site (to be scanned) into the DomiLock Web page. DomiLock produces a nice security report for you, for free. The only problem is that it is possible for DomiLock to be gathering information about scans that it does and be saving the names of vulnerable sites. I have absolutely no evidence that DomiLock is doing this or has any intention of doing so. Just be aware that you are safer to run security scanners on your own machine, rather than tell someone else the names of Web sites you are assessing.

Useful security checklist
Reader LawrenceZ contacted me about his Web site at http://www.rtdc.com. Of course, the Web site tries to sell his consulting services (just like mine does) but he also has some valuable checklists for Domino/Notes administrators and developers. One of the problems with Domino/Notes is that experts tend to have lots of valuable knowledge in their heads, but it is hard for beginners to find the same information. The checklists at Lawrence's site are a good place to start. Especially note the security list at http://www.rtdc.com/CKLS/NotesSec/notessec.htm.

Chuck Connell runs DominoAdministration.com, a service for outsourcing Domino and Notes administration; and DominoSecurity.org, a resource for Domino/Notes security information.

This was first published in January 2002

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.