I recently received an advertisement for the book Notes/Domino Security, An Administrators Guide, published by the technical journal The View. The book lists at $195. My first thought on seeing the ad was: Why pay for information that is already available for free on the Internet? There are many well-known places to find articles about Notes/Domino security, including:
- Domino 6 Administration Guide
- Lotus security page
- DominoSecurity.org (my site)
- IBM Redbooks on this topic
- Lotus Technical Library
But I thought the book deserved a fair chance, so I reviewed a copy. The 200-page book contains nine articles, most of which originally appeared in issues of The View. Despite the plethora of free information on the Web, this book is a worthwhile purchase for Domino/Notes administrators and security professionals. The View prides itself on providing in-depth treatment of technical topics that go beyond what you can find for free. In this case, they have delivered.
The nine articles are:
- X.509 Certificates for SSL and S/MIME
- Securing Your SMTP Infrastructure in Domino
- Secure Remote Access to Your Domino Infrastructure
- An IT Security Policy: What Every Hacker Does Not Want You to Have
- A Security Audit for Your Notes/Domino Installation
- Agents in Notes/Domino 6: A Comprehensive Preview
- Secure Ways to Change the Apparent Sender in Agent-Generated Mail
- Configuring ECLs for Improved Security and Administration
- Domino Controller and Domino Console, Secure Remote Access
The lead piece about X.509, SSL and S/MIME covers some of the same ground as my own S/MIME article, which Lotus links to from its security home page. The article in The View (written by Andrew Wharton) goes beyond the e-mail topics I addressed and also covers SSL for server authentication, how to create a key ring, and setting up your own Certificate Authority. Wharton's treatment provides a broader treatment than my article. (I should point out that both articles are a few years old and need to be updated for R6.)
The article about agents is written by Julie Kadashevich. Readers of the Notes.net discussion boards recognize Julie as one of the principal developers of the Domino Agent Manager and, as such, she frequently answers posts on this topic. I suspect that everything Julie says in this article can be found elsewhere for free, but the article does a good job of pulling together many agent topics in one place.
The article on conducting a security audit also hit close to home, since I spend a good part of my consulting life delivering this service. This article is thorough and covers many of the areas I also look at when auditing an organization. But I disagree somewhat with the article's philosophy, since it keeps referring the reader back to the organization's security policy document. This sounds fine in theory, but the reality is that most organizations do not have any written security policy, much less a comprehensive one. So telling the reader to "determine whether Configuration document settings and controls are in compliance by checking your company's Corporate Messaging Policies document" is a bit circular. Domino sites want specific guidance about how to set up the complex Domino server configuration document, not a pointer to go read something they have not yet written. Despite this, the article does provide a good overview of the areas to address during a Domino/Notes security review.
In summary, I recommend this book for Domino administration professionals. If the book saves you just one hour of server configuration headache, it will pay for itself. Besides, anyone working in this field is probably spending company money on this type of resource, so ask your boss to pony up. I predict the book will help you enough to make it worth the price.
For more info on The View on Notes/Domino Security: An Administrator's Guide – eview.com
Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.