This is the second in a two-part series on security.If the mere mention of network and infrastructure security leaves you squirming, don't worry. Although the advent of wireless communications and a burgeoning remote workforce seemingly makes things more open to attack, the real place to start according to computer security experts is close to home.
Rob Axelrod, Lotus Practice director with United Messaging, an enterprise-messaging solutions provider based in West Chester, PA, suspects that most problems occur from within but the temptation to fiddle can be put out of reach if documented Best Practices are in place. "If you build systems where IT is accountable and the temptation isn't there to fiddle, then you eliminate the problem," he said.
Kevin McPeake, computer security consultant with Trust Factory, a security consultancy firm based in The Hague, the Netherlands, agrees that the most devastating security breaches are internal such as those from threatening e-mails or having HR information compromised. "You don't usually hear about them because [companies] like to keep them quiet." Especially from high-profile companies such as banks or proprietary-software companies with a large installed base. "After all," says McPeake, "who wants to admit they have a major breach?"
Once Best Practices have been defined, its time to go to the source -- Lotus. "Almost no one is implementing the basic security precautions that Lotus recommends," McPeake points out. "Admins are under pressure to develop solutions and systems, they don't spend enough time on security."
McPeake and Trust Factory's computer-security consultant and co-founder Wouter Aukema both agree that now that the Notes/Domino community is "large enough" to make it a good target, hackers are working on it. The recently discovered "Domino Server Directory Traversal Vulnerability", they point out, is a good case in point. Lotus' response to the vulnerability was swift but it does seem to indicate that Notes, once thought of as a bit too obscure, is now a worthy target.
A Notes/Domino environment is one of the most secure infrastructures out there yet weak links are inherent in any software and Lotus' Notes/Domino is no exception. One weakness that Axelrod keys on is with the user creation and management process and the distribution and storage of IDs. Companies will often have policies and documents stored with the same passwords and stored in a "easy to get to" fashion.
Despite Domino having "robust tools," as Axelrod says, he takes issue with the "horrendous" way that many organizations have implemented Lotus' product. This is compounded, he says, by the way in which Notes has experienced organic growth within many organizations. "The original champions," he points out, " probably never expected [Notes] to be so great so they didn't start out building the level of security and Best Practices from the beginning." Additionally, he adds, the most common mistake in most implementations is with companies not "locking down their system databases."
Another weak link that could potentially pose big problems but which few admins really focus on is with server ID files, according to Trust Factory?s McPeake. "Many administrators never rename the server ID file from the default of 'server.id'," McPeake points out. "If they do," he cautions, "you can bet what their typical choice for a name is [one that reflects the actual host name of the Domino Server] -- mail.lotus.com or mail.id." A sitting ID duck, as it were, for those tempted to qu-hack about.
Another common problem defined by McPeake is Lotus' default prompt during the Domino server installation. The prompt asks, "Do you wish to copy your ID file into the Data Directory?" and of course, he explains, the majority of admins just click "yes." This,"is a very bad thing to do because it makes looking for a server ID file, child's play for a hacker," he said.
Continuing with this scenario, he adds, "You can bet -- 95%-- that the ID file is going to be in the data directory. What makes that so bad is that very few people ever put passwords on server ID files. This really almost ensures that an outside attacker can compromise -- not just that particular server -- but very possibly an entire Notes Infrastructure."
Aukema and McPeake would also like to see Lotus shore up its "out of the box" default configurations particularly with its ACLs. Some of the databases have a very open default access when installed while other [databases] are closed off, they explained, and they believe that "few admins actually do a follow up check to verify which are open and which are closed." Lotus should, they urge, prompt admins upon installation to specify whether a particular database should be open or closed and that would make admins stop to think about their overall security structure and access-control lists.
The hacker community is smaller with Notes/Domino, McPeake points out, because [a hacker] needs to know Domino which as a platform for Kiddie-Scripters is much less popular than C++ or Visual Basic. Also, he adds, Lotus' software being proprietary for so long made it a natural filter for the bad element. But, he cautions, "it wasn't too long ago that Lotus made it possible to download Domino and now suddenly we're seeing more people bringing it down to use and tinker with."
Before somebody comes to tinker at your company, start taking the steps you need to make sure it's locked up tight.
NOTES/DOMINO SECURITY LINKS
Lotus IT Central Security Zone
You'll never regret going to the source first.
Notes Net Notes/Domino Fix List Database
Here you'll find R5.0x SPRs that were fixed in Notes/Domino QMRs and QMUs and also information about some SPRs that Lotus and Iris plan to fix in future QMRs and/or QMUs.
Lotus Response to "Domino Server Directory Traversal Vulnerability"
Beyond Security's SecuriTeam.com has the full Lotus response along with other reported vulnerabilties. A full range of tools, news, reviews and special Unix and Win NT forums are available here as well.
Security Vulnerability in Lotus Notes
Read about how the Trust Factory unveiled Lotus Notes vulnerabilities, along with Security Design International, at last summer's DevCon.
Lotus Information for VU#590487 at CERT CC
Does Your Organization Need a CISSP?
This story from the Advisor's Internet Security details what the Certified Information Systems Security Professional -- CISSP --designation is about and takes a look at how it might help your company?
Domino R5 Security: Reducing Costs, Increasing Interoperability
Is Your Security Up to Snuff?
Part one of searchDomino's look at the steps to take to ensure security at your company.
Wendy Maxfield is a searchDomino.com contributing editor based in Littleton, Mass.