(NOTE: This admin tip discusses security scanners, a topic I have addressed in the past. Please note the following warning, which I have emphasized in the past:
*** WARNING: Only use security scanners against your own Web sites or Web sites whose owners have asked you to test them. If the Web site is hosted by an ISP, first tell the ISP what you are doing. Breaking these rules is bad ethics and will get you kicked off of many Internet service providers. ***)
DominoScan is a Domino scanner that is a commercial product from Next Generation Security Software in the United Kingdom (www.nextgenss.com). In previous tips on searchDomino, I discussed the free Domino security scanner called DomiLock, located at http://domilockbeta.2y.net/. (You can view my previous tips on Domino scanners, see URLs below.) Many people have found DomiLock to be a useful tool to check the security of Domino Web sites. DomiLock has the unfortunate habit, however, of vanishing from the Internet at random times.
DominoScan provides system administrators with yet another scanner option when determining which scanner works best for them. Unlike DomiLock, which is a Web site, DominoScan is an actual piece of software that you download and install on your computer.
When I tested DominoScan, it provided a lot of information about vulnerabilities in the target Web site, including information that is not gathered by DomiLock. I liked the thoroughness of DominoScan and the large amount of information in its audit report. One drawback to the product is that the audit report almost has too much information. I'd like to see an "executive summary" at the top that quickly summarizes any problems found.
In this respect, DomiLock is easier (and faster) than DominoScan for a quick security check of a Web site. But DominoScan is more complete. DominoScan also comes with a separate document titled "Hack Proofing Lotus Domino Web Servers" that is well worth reading.
You can download a trial version (usable only against localhost) from Next Generation's Web site. If you want to buy it, there are three purchase options: Single (can audit one Web server), Enterprise (can audit any Web server in your organization), and Consultant (can audit any Web server). The prices are $695, $1395, and $5595, respectively.
Previous tips on Domino scanners:
Scanning Domino for Security Holes
Data encryption and more security scanners
Chuck Connell is president of CHC-3 consulting http://www.DominoAdministration.com, and a searchDomino.com security expert.