SC 103
Domino on the Web - Yes, It's (Probably) Hackable
Darren Duke
About Me
• Ex co-host of This Week In Lotus podcast
• Current (?) co-co-host of WTF Tech podcast
• Sometime blogger https://blog.darrenduke.net
• Twitter snark fountain @darrenduke
• This may be the best slide in the deck. Feel free
to leave right now…
Agenda
• What we will cover
– The eternal battle of admin vs developer
– The simple things
– The less simple things
– The harder things
– The much harder things
Be Careful
• When you have a web server you are a target
– Do the simple things first
– Change one thing at a time and test
• You will break something
• No, really you will
• No. For real. You will break something.
• I broke my blog search
• I broke iNotes clipboard pasting
The Eternal Battle
• Web server security, whose responsibility?
– Is it the application developer?
– Is it the web server administrator?
– Yes
• Developer
– Tell
• What is *your* required minimum security
• Administrator
– Ask
• What is the maximum level of security I can use?
• If no answer, start high and move down
Sanitize Input
• Developers, you must sanitize the input
uploaded by your web applications
– Input fields need to be cleaned on form
submission
• For example, on submit check for and remove <script> tags in the
input
• This reduces the risk of a compromised server
– Try to hack your own applications
• The Domino HTTP stack
– Not the most up-to-date HTTP stack available
• I’m being nice
– Missing many modern features
• HTTP/2, SNI
• Yes, I’m sure Domino 10 will address this along with
world peace
– Complicated HTTP header use
– Sometimes TLS/SSL gets caught with pants down
• Poodle
• ROBOT
• So yes, you can do most of this in Domino
• I would use a reverse proxy
– Apache
– Nginx
• I use both
– Blog behind Nginx (on Prominic)
– iNotes, Traveler behind Apache (on-prem)
• Proxies can also HA and LB
– Try that in native Domino!
The Simple Things…..
The Simple Things
• More Secure Internet Passwords
The Simple Things
• More Secure EXISTING Internet Passwords
The Simple Things
• Make your Domino LTPA cookie more secure
– Require SSL
• Mitigate man-in-the-middle-attacks
– Restrict Use
• Prevent script access to cookie
• Mitigate XSS
The Simple Things
• Notes.ini Settings
– HSTS
• https://blog.darrenduke.net/darren/ddbz.nsf/dx/domino-adds-hsts-to-its-security-arsenal.htm
– X-Frame Header Options
• http://www-01.ibm.com/support/docview.wss?uid=swg21568598
• 9.0.1 FP6+ HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN
– DominoValidateFramesetSRC=1
• Frame content must be from the same database
• https://www-10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFramesetSRC
The Simple Things
• Other Notes.ini Settings
– SSL_DISABLE_RENEGOTIATE=1
– HTTPEnableConnectorHeaders=0
– SSL_RESUMABLE_SESSIONS=0
– SSL_DISABLE_TLS_10=1
The Simple Things
• Upgrade to latest Fix Pack
– FP10 fixes ROBOT
– Each FP will deprecate weak/vulnerable ciphers
The Less Simple Things
I’ll show mine, if you show yours
• HTTP Headers are your friend
• Prevents browser from doing stupid things
– Headers can be disabled in the browser!!!
– Implement with care
• For example line 5 breaks Domino blog
– Here is my starting header config for Apache
1. Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
2. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
3. Header always append X-Frame-Options SAMEORIGIN
4. Header always set X-XSS-Protection "1; mode=block"
5. Header always set X-Content-Type-Options: nosniff
6. Header always set Server NotTelling
7. Header always set Referrer-Policy strict-origin-when-cross-origin
The Less Simple Things
• NginX Version
1. set_cookie_flag * HttpOnly secure;
2. add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
3. add_header X-Frame-Options "SAMEORIGIN";
4. add_header X-XSS-Protection "1; mode=block";
5. add_header X-Content-Type-Options "nosniff";
6. server_tokens off;
7. add_header Referrer-Policy "strict-origin-when-cross-origin";
• Note 1, line 1 requires module support in NginX.
• Note 2, line 6 only removes version and OS, it still says “nginx”. There are other ways but they
seem hit and miss, as you may have to compile module support into NginX.
more_clear_headers Server;
The Less Simple Things
• You could put all those headers in Domino
– But you have to add each one at a time
– For each internet site
• Oh, yeah, you need to be using Internet Sites
• It may work with global, not tried it, YMMV
– You end up with a *lot* of web rule documents
• Much, much easier in a reverse proxy
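A check for the seven baseline headers above, as an added example that is not part of the original deck: it reads a raw HTTP response head and lists what is missing or weaker than the Apache baseline. The two sample responses, the cookie value and the function names are constructed for illustration.

```python
import re

# Expected values taken from the deck's Apache/NginX baseline.
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, the Apache value in the deck

# Constructed sample: a response head with most of the baseline missing.
SAMPLE_WEAK = """HTTP/1.1 200 OK
Server: Lotus-Domino
Set-Cookie: LtpaToken=AAECAzU4; path=/; domain=.example.com
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=3600
"""

# Constructed sample: the same response after the proxy adds the baseline.
SAMPLE_HARDENED = """HTTP/1.1 200 OK
Server: NotTelling
Set-Cookie: LtpaToken=AAECAzU4; path=/; HttpOnly; Secure
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""


def parse_head(raw):
    """Split a raw response head into a list of (lowercased name, value)."""
    headers = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit(raw):
    """Return sorted findings; an empty list means the baseline is met."""
    headers = parse_head(raw)
    first = {}
    for name, value in headers:
        first.setdefault(name, value)
    findings = []

    for name, want in EXPECTED.items():
        got = first.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want.lower():
            findings.append(f"unexpected {name}: {got}")

    hsts = first.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"weak strict-transport-security: {hsts}")

    # Every cookie (the LTPA token included) should carry both flags.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cookie} lacks {flag}")

    # The Server header should not name the product or a version number.
    server = first.get("server", "")
    if re.search(r"\d", server) or "domino" in server.lower():
        findings.append(f"server header discloses product/version: {server}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEAK):
        print(finding)
```

Run it against the head of a response captured through the proxy after each header change, so a regression shows up as a new finding.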
The Harder Things
The Harder Things
• There are more advanced headers
– Access-Control-Allow-Methods
– Access-Control-Allow-Headers
– Content-Security-Policy
– Access-Control-Allow-Origin
– Think of these as X-XSS-Protection on
steroids
The Harder Things
• The blog NginX headers
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS,HEAD';
add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net";
add_header Access-Control-Allow-Origin "https://public.slidesharecdn.com,https://www.slideshare.net";
The Harder Things
• Content-Security-Policy
–default-src
–script-src
–font-src
–img-src
–frame-src
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net";
The Harder Things
• Content-Security-Policy-Report-Only
– Allows testing of policy BEFORE implementing
• Clean up all the errors BEFORE turning on
– Shows content errors in browser development
tools console
The Much Harder Things
The Much Harder Things
• ModSecurity
– Available for Apache and NginX
– Add-in module to prevent OWASP-known hacking
attempts
• OWASP - Open Web Application Security Project
– Use rules to allow or disallow certain URL patterns
and actions
• Known vulnerabilities get blocked/reported
– Use with caution
• You probably want to “report” before turning it on fully
• SecRuleEngine DetectionOnly
ModSecurity
--d5cdc63e-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.0.195] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "localhost.localdomain"] [uri "/"] [unique_id "W1RiorhE-6pWl72XxvlgcAAAABg"]
Stopwatch: 1532256930612640 6576 (- - -)
Stopwatch2: 1532256930612640 6576; combined=5424, p1=635, p2=1014, p3=96, p4=3552, p5=126, sr=86, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache/2.4.29 (Ubuntu)
Engine-Mode: "DETECTION_ONLY"
--d5cdc63e-Z--
ModSecurity
• OWASP_TOP_10/A7
– Google it for a more in-depth description
• [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"]
– Find out what the violation is
ModSecurity
• More often than not, you will just end up
disabling the rule that hit because it’s not
applicable or a risk to your application/server
• In our example it is rule [id "920280"]
• Rules can be disabled per URI, web server or
for all servers
• Depending on your ModSec version exceptions
will be different, so Google it
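To decide which rules to disable while the engine is still in DetectionOnly, it helps to tally the hits per rule and per URI. The following is an added example, not part of the original deck: it parses audit-log entries in the layout shown above and groups the `Message:` lines by rule id. The sample log is constructed (transaction ids, addresses, URIs and the 920350 entry are made up), and it assumes each `Message:` sits on one line.

```python
import re
from collections import defaultdict

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample in the audit-log layout shown above (sections A, B, H, Z).
# Transaction ids, addresses, URIs and the 920350 entry are made up here.
CRS = "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"
NO_HOST = (f'Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "{CRS}"] '
           '[id "920280"] [msg "Request Missing a Host Header"] [severity "WARNING"] '
           '[tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "OWASP_TOP_10/A7"]')
IP_HOST = (f'Message: Warning. Matched REQUEST_HEADERS:Host. [file "{CRS}"] '
           '[id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"]')
SAMPLE_LOG = f"""
--a1b2c3d4-A--
[22/Jul/2018:10:55:30 +0000] sample-0001 192.168.0.195 51234 192.168.0.10 443
--a1b2c3d4-B--
GET / HTTP/1.0
--a1b2c3d4-H--
{NO_HOST}
Engine-Mode: "DETECTION_ONLY"
--a1b2c3d4-Z--
--a1b2c3d5-A--
[22/Jul/2018:10:56:02 +0000] sample-0002 192.168.0.195 51240 192.168.0.10 443
--a1b2c3d5-B--
GET /app.nsf/view HTTP/1.0
--a1b2c3d5-H--
{NO_HOST}
Engine-Mode: "DETECTION_ONLY"
--a1b2c3d5-Z--
--a1b2c3d6-A--
[22/Jul/2018:10:57:41 +0000] sample-0003 192.168.0.196 40112 192.168.0.10 443
--a1b2c3d6-B--
GET /app.nsf/view HTTP/1.1
Host: 192.168.0.10
--a1b2c3d6-H--
{IP_HOST}
Engine-Mode: "DETECTION_ONLY"
--a1b2c3d6-Z--
"""


def split_transactions(text):
    """Yield {section letter: [lines]} for each complete A..Z transaction."""
    current, section = None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if not m:
            if current is not None and section:
                current[section].append(line)
            continue
        letter = m.group(2)
        if letter == "A":
            current = defaultdict(list)  # a new transaction starts
        if current is None:
            continue  # boundary with no preceding A: truncated log, skip
        if letter == "Z":
            yield current
            current, section = None, None
        else:
            section = letter


def parse_messages(h_lines):
    """Return one dict per 'Message:' line in section H."""
    hits = []
    for line in h_lines:
        if not line.startswith("Message:"):
            continue
        fields = defaultdict(list)
        for key, value in FIELD.findall(line):
            fields[key].append(value)
        if fields["id"]:  # skip messages that carry no rule id
            hits.append({"id": fields["id"][0],
                         "msg": (fields["msg"] or [""])[0],
                         "tags": fields["tag"]})
    return hits


def summarise(text):
    """Map rule id -> message, hit count, URIs hit, engine modes and tags."""
    rules = {}
    for txn in split_transactions(text):
        request = [l for l in txn.get("B", []) if l.strip()]
        parts = request[0].split() if request else []
        uri = parts[1] if len(parts) >= 2 else "?"
        mode = "unknown"
        for line in txn.get("H", []):
            if line.startswith("Engine-Mode:"):
                mode = line.split(":", 1)[1].strip().strip('"')
        for hit in parse_messages(txn.get("H", [])):
            entry = rules.setdefault(hit["id"], {
                "msg": hit["msg"], "hits": 0,
                "uris": set(), "modes": set(), "tags": set()})
            entry["hits"] += 1
            entry["uris"].add(uri)
            entry["modes"].add(mode)
            entry["tags"].update(hit["tags"])
    return rules


if __name__ == "__main__":
    for rule_id, info in sorted(summarise(SAMPLE_LOG).items()):
        print(rule_id, info["hits"], sorted(info["uris"]), info["msg"])
```

A rule that fires across every URI is a candidate for a server-wide exception, while one confined to a single URI is better disabled for that URI only.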
Tools
Tools
• Warning
– Don’t scan a site you don’t have approval to scan
• Scanning without explicit approval could be a crime in
your (or the server's) jurisdiction
– Don’t scan a site during busy times
• You could become the source of your own DDoS attack
• Fun times!
Tools
• Qualys
– Most of you will have used the free version
• Paid options to proactively scan your servers
– Scans external web sites for free and provides
detailed insight into SSL, ciphers, etc.
Qualys
Tools
• SecurityHeaders.com
– Will scan a given site and return security related
header information
– Provides warnings and recommendations for the
different headers
SecurityHeaders.com
Tools
• ZAP (Zed Attack Proxy)
– The official OWASP scanning tool
– Provides tons of information
– Free
Tools
• PenTest-Tools.com
– Like Qualys, except for penetration tests
– Online, no software to install
– Free version provides limited but useful
functionality
– Really cheap for the paid version (relatively)
ZAP
Pentest-tools.com
Takeaways
• Know what access the application needs
• Implement the highest possible security whilst
maintaining functionality
• Scan often
Q&A
• That was a lot
• Question Time!

CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable

  • 1. SC 103 Domino on the Web - Yes, It's (Probably) Hackable Darren Duke
  • 2. About Me • Ex co-host of This Week In Lotus podcast • Current (?) co-co-host of WTF Tech podcast • Sometime blogger https://blog.darrenduke.net • Twitter snark fountain @darrenduke • This may be the best slide in the deck. Feel free to leave right now…
  • 3. Agenda • What we will cover – The eternal battle of admin vs developer – The simple things – The less simple things – The harder things – The much harder things
  • 4. Be Careful • When you have a web server you are a target – Do the simple things first – Change one thing at a time and test • You will break something • No, really you will • No. For real. You will break something. • I broke my blog search • I broke iNotes clipboard pasting
  • 5. The Eternal Battle • Web server security, whose responsibility? – Is it the application developer? – Is it the web server administrator? – Yes • Developer – Tell • What is *your* required minimum security • Administrator – Ask • What is the maximum level of security I can use? • If no answer, start high and move down
  • 6. Sanitize Input • Developers, you must sanitize the input uploaded by your web applications – Input fields need to be cleaned on form submission • Ex, on submit check for and remove <script> tags in the input • This reduces the risk of a compromised server – Try to hack your own applications
  • 7. • The Domino HTTP stack – Not the most up-to-date HTTP stack available • I’m being nice – Missing many modern features • HTTP/2, SNI • Yes, I’m sure Domino 10 will address this along with world peace – Complicated HTTP header use – Sometimes TLS/SSL gets caught with pants down • Poodle • ROBOT
  • 8. • So yes, you can do most of this in Domino • I would use a reverse proxy – Apache – Nginx • I use both – Blog behind Nginx (on Prominic) – iNotes, Traveler behind Apache (on-prem) • Proxies can also HA and LB – Try that in native Domino!
  • 10. The Simple Things • More Secure Internet Passwords
  • 11. The Simple Things • More Secure EXISTING Internet Passwords
  • 12. The Simple Things • Make your Domino LTPA cookie more secure – Require SSL • Mitigate man-in-the-middle-attacks – Restrict Use • Prevent script access to cookie • Mitigate XSS
  • 13. The Simple Things • Notes.ini Settings – HSTS • https://blog.darrenduke.net/darren/ddbz.nsf/dx/domino-adds-hsts-to-its-security-arsenal.htm – X-Frame Header Options • http://www-01.ibm.com/support/docview.wss?uid=swg21568598 • 9.0.1 FP6+ HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN – DominoValidateFramesetSRC=1 • Frame content must be from the same database • https://www-10.lotus.com/ldd/dominowiki.nsf/dx/DominoValidateFramesetSRC
  • 14. The Simple Things • Other Notes.ini Settings – SSL_DISABLE_RENEGOTIATE=1 – HTTPEnableConnectorHeaders=0 – SSL_RESUMABLE_SESSIONS=0 – SSL_DISABLE_TLS_10=1
  • 15. The Simple Things • Upgrade to latest Fix Pack – FP10 fixes ROBOT – Each FP will deprecate weak/vulnerable ciphers
  • 16. The Less Simple Things
  • 17. I’ll show mine, if you show yours • HTTP Headers are your friend • Prevents browser from doing stupid things – Headers can be disabled in the browser!!! – Implement with care • For example line 5 breaks Domino blog – Here is my starting header config for Apache
      1. Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
      2. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
      3. Header always append X-Frame-Options SAMEORIGIN
      4. Header always set X-XSS-Protection "1; mode=block"
      5. Header always set X-Content-Type-Options: nosniff
      6. Header always set Server NotTelling
      7. Header always set Referrer-Policy strict-origin-when-cross-origin
  • 18. The Less Simple Things • NginX Version
      1. set_cookie_flag HttpOnly secure;
      2. add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
      3. add_header X-Frame-Options "SAMEORIGIN";
      4. add_header X-XSS-Protection "1; mode=block";
      5. add_header X-Content-Type-Options "nosniff";
      6. server_tokens off;
      7. add_header Referrer-Policy "strict-origin-when-cross-origin";
      • Note 1, line 1 requires module support in NginX.
      • Note 2, line 6 only removes version and OS, it still says “nginx”. There are other ways but they seem hit and miss as you may have to compile module support into NginX.
      more_clear_headers Server;
  • 19. The Less Simple Things • You could put all those headers in Domino – But you have to add each one at a time – For each internet site • Oh, yeah, you need to be using Internet Sites • It may work with global, not tried it, YMMV – You end up with a *lot* of web rule documents • Much, much easier in a reverse proxy
  • 21. The Harder Things • There are more advanced headers – Access-Control-Allow-Methods – Access-Control-Allow-Headers – Content-Security-Policy – Access-Control-Allow-Origin – Think of these as X-XSS-Protection on steroids
  • 22. The Harder Things • The blog NginX headers
      add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS,HEAD';
      add_header Access-Control-Allow-Headers 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
      add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net";
      add_header Access-Control-Allow-Origin "https://public.slidesharecdn.com,https://www.slideshare.net";
  • 23. The Harder Things • Content-Security-Policy – default-src – script-src – font-src – img-src – frame-src
      add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://www.slideshare.net https://public.slidesharecdn.com https://fonts.gstatic.com; img-src 'self' https://www.gravatar.com https://i.creativecommons.org https://licensebuttons.net; frame-src https://www.slideshare.net";
  • 24. The Harder Things • Content-Security-Policy-Report-Only – Allows testing of policy BEFORE implementing • Clean up all the errors BEFORE turning on – Shows content errors in browser development tools console
  • 25. The Much Harder Things
  • 26. The Much Harder Things • ModSecurity – Available for Apache and NginX – Add-in module to prevent OWASP-known hacking attempts • OWASP - Open Web Application Security Project – Use rules to allow or disallow certain URL patterns and actions • Known vulnerabilities get blocked/reported – Use with caution • You probably want to “report” before turning it on fully • SecRuleEngine DetectionOnly
  • 27. ModSecurity
      --d5cdc63e-H--
      Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
      Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.0.195] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "612"] [id "920280"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "localhost.localdomain"] [uri "/"] [unique_id "W1RiorhE-6pWl72XxvlgcAAAABg"]
      Stopwatch: 1532256930612640 6576 (- - -)
      Stopwatch2: 1532256930612640 6576; combined=5424, p1=635, p2=1014, p3=96, p4=3552, p5=126, sr=86, sw=1, l=0, gc=0
      Response-Body-Transformed: Dechunked
      Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
      Server: Apache/2.4.29 (Ubuntu)
      Engine-Mode: "DETECTION_ONLY"
      --d5cdc63e-Z--
  • 28. ModSecurity • OWASP_TOP_10/A7 – Google it for a more in-depth description • [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] – Find out what the violation is
  • 29. ModSecurity • More often than not, you will just end up disabling the rule that hit because it’s not applicable or a risk to your application/server • In our example it is rule [id "920280"] • Rules can be disabled per URI, web server or for all servers • Depending on your ModSec version exceptions will be different, so Google it
  • 30. Tools
  • 31. Tools • Warning – Don’t scan a site you don’t have approval to scan • Scanning without explicit approval could be a crime in your (or the server’s) jurisdiction – Don’t scan a site during busy times • You could become the source of your own DDoS attack • Fun times!
  • 32. Tools • Qualys – Most of you will have used the free version • Paid options to proactively scan your servers – Scans external web sites for free and provides detailed insight into SSL, ciphers, etc.
  • 34. Tools • SecurityHeaders.com – Will scan a given site and return security related header information – Provides warnings and recommendations for the different headers
  • 36. Tools • ZAP (Zed Attack Proxy) – The official OWASP scanning tool – Provides tons of information – Free
  • 37. Tools • PenTest-Tools.com – Like Qualys, except for penetration tests – Online, no software to install – Free version provides limited but useful functionality – Really cheap for the paid version (relatively)
  • 38. ZAP
  • 40. Takeaways • Know what access the application needs • Implement the highest possible security whilst maintaining functionality • Scan often
  • 41. Q&A • That was a lot • Question Time!
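
A header audit in the spirit of what SecurityHeaders.com reports, checking one response against the baseline from slides 12, 17, 18 and 22 to 24. This is an added example, not code from the deck; the function name, the finding codes and both sample responses are constructed for illustration.

```python
import re

def audit(headers):
    """headers: (name, value) pairs from one response. Returns finding codes."""
    h = {}
    for name, value in headers:
        h.setdefault(name.lower(), []).append(value.strip())
    first = lambda n: h.get(n, [""])[0]
    found = []
    # Baseline from the deck: HSTS of a year or more, framing, sniffing, referrer
    m = re.search(r"max-age=(\d+)", first("strict-transport-security"), re.I)
    if not m or int(m.group(1)) < 31536000:
        found.append("hsts-missing-or-short")
    if first("x-frame-options").upper() not in ("SAMEORIGIN", "DENY"):
        found.append("xfo-missing")
    if first("x-content-type-options").lower() != "nosniff":
        found.append("nosniff-missing")
    if not first("referrer-policy"):
        found.append("referrer-policy-missing")
    if re.search(r"\d", first("server")):
        found.append("server-version-disclosed")
    # Every cookie needs both flags (the LTPA "Require SSL" / "Restrict Use" pair)
    for cookie in h.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not {"httponly", "secure"} <= attrs:
            found.append("cookie-flags:" + cookie.split("=", 1)[0])
    # CSP: an enforced policy must be present and must not allow inline script
    csp = {p.split()[0].lower(): p.split()[1:]
           for p in first("content-security-policy").split(";") if p.split()}
    if not csp:
        report_only = "content-security-policy-report-only" in h
        found.append("csp-report-only" if report_only else "csp-missing")
    elif "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        found.append("csp-script-unsafe-inline")
    # Access-Control-Allow-Origin takes one origin, "*" or "null", never a list
    if "," in first("access-control-allow-origin"):
        found.append("acao-multiple-origins")
    return found

# Constructed inputs, not captured traffic: an unproxied server and the blog header set.
BARE = [("Server", "Apache/2.4.29 (Ubuntu)"), ("Set-Cookie", "LtpaToken=AAEC; Path=/")]
BLOG = [("Server", "nginx"),
        ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
        ("X-Frame-Options", "SAMEORIGIN"), ("X-Content-Type-Options", "nosniff"),
        ("Referrer-Policy", "strict-origin-when-cross-origin"),
        ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
        ("Access-Control-Allow-Origin",
         "https://public.slidesharecdn.com,https://www.slideshare.net")]
```

Run against the blog header set, `audit(BLOG)` reports two items: `script-src` still allows `'unsafe-inline'`, and `Access-Control-Allow-Origin` lists two origins, which browsers do not accept as a match for either.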
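
For the DetectionOnly phase on slides 26 to 29, a small parser that groups ModSecurity audit-log hits by rule id and URI, so each rule gets one keep-or-exclude decision before the engine is turned on. This is an added example, not from the deck; the function names are illustrative, and the two log entries are constructed from the slide 27 entry in shortened form.

```python
import re
from collections import defaultdict

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)  # audit-log section marker
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')                 # [id "920280"], [tag "..."]

def audit_hits(log_text):
    """Yield one dict per 'Message:' line found in the H sections."""
    parts = BOUNDARY.split(log_text)  # [pre, txid, letter, body, txid, letter, body, ...]
    for txid, letter, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        if letter != "H":
            continue
        uri = dict(FIELD.findall(body)).get("uri", "?")  # carried on the Apache-Error line
        detect = 'Engine-Mode: "DETECTION_ONLY"' in body
        for line in body.splitlines():
            if line.startswith("Message: "):
                pairs = FIELD.findall(line)
                f = dict(pairs)
                yield {"tx": txid, "id": f.get("id"), "msg": f.get("msg"),
                       "severity": f.get("severity"), "uri": uri,
                       "tags": [v for k, v in pairs if k == "tag"],
                       "detection_only": detect}

def triage(log_text):
    """Group hits by rule id: message, hit count and the URIs that triggered it."""
    rules = defaultdict(lambda: {"msg": None, "count": 0, "uris": set()})
    for hit in audit_hits(log_text):
        rule = rules[hit["id"]]
        rule["msg"] = hit["msg"]
        rule["count"] += 1
        rule["uris"].add(hit["uri"])
    return {rid: {**r, "uris": sorted(r["uris"])} for rid, r in rules.items()}

# Constructed from the slide 27 entry (shortened); the second transaction is made up.
_MSG = ('Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "920280"] '
        '[msg "Request Missing a Host Header"] [severity "WARNING"] '
        '[tag "attack-protocol"] [tag "OWASP_TOP_10/A7"]\n')
_ERR = 'Apache-Error: [client 192.168.0.195] ModSecurity: Warning. [id "920280"] [uri "%s"]\n'
_END = 'Engine-Mode: "DETECTION_ONLY"\n'
SAMPLE = ("--d5cdc63e-H--\n" + _MSG + _ERR % "/" + _END + "--d5cdc63e-Z--\n"
          "--a1b2c3d4-H--\n" + _MSG + _ERR % "/darren/ddbz.nsf" + _END + "--a1b2c3d4-Z--\n")

if __name__ == "__main__":
    for rule_id, info in triage(SAMPLE).items():
        print(rule_id, info)
```

A rule that fires on every URI is a candidate for a server-wide exception, while one that fires on a single path fits the per-URI exclusion mentioned on slide 29.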