Tip from IBM Connect 2014: New security features in IBM Domino 8.5.x-9.x



This is a tip from the IBM Connect 2014 session "BP103: Ready, Aim, Fire: Mastering the Latest in the Administrator’s Arsenal". Speakers Ben Menesi (Ytria) and Kim Greene (Kim Greene Consulting) step through the security features IBM introduced in Domino releases 8.5.x through 9.x.

This tip covers why you should use ID Vault, how to set up protected groups, what settings to tweak to make sure password checking is up and running, how to lock down your server’s ACLs and more.


  1. BP103 Ready, Aim, Fire: Mastering the Latest in the Administrator’s Arsenal. Kim Greene, Kim Greene Consulting, Inc; Ben Menesi, Ytria. © 2014 IBM Corporation
  2. Securing Your Servers
  3. ID Vault (Domino 8.5). Use it!
     – Customer scenarios:
       • Lost ID because a PC crashed; the user had to go back to the original ID on a network drive, which had been created under a different certifier than the current one
       • Forgotten passwords
       • Setting up new users, or existing users getting new PCs/laptops: Notes client setup simply pulls the ID from the vault, with no manual handling of the ID file
     – Tip: if you have multiple OUs, it is easiest to implement the vault from the top OU
     – Gotcha: does not work in Citrix® environments (yet)
  4. Protected Groups (Domino 9.0). Prevents accidental deletion of designated “critical” groups.
     – Configured in the Directory Profile of the Domino Directory
     – Tip: you must edit and save the Directory Profile once before the feature becomes operational
     – Requires the Domino Directory to be on the 9.0 design
     – Defaults to LocalDomainAdmins, LocalDomainServers and OtherDomainServers
  5. Protected Groups: open the Domino Directory → Actions → Edit Directory Profile
  6. Protected Groups: list the groups under “Prevent deletion of these groups”
  7. Password Checking. Password checking is crucial for securing IDs. Enable it in both the Server document and the Person document.
  8. Internet Password Lockout. Set a threshold for Internet password authentication failures for HTTP users (configured through a Security Settings policy document; lockouts are recorded in inetlockout.nsf).
  9. Locking down your server’s ACLs. Ensuring that your Domino databases are locked down from the server side can be vital.
     – Make sure Anonymous has no access to your databases (especially the system databases!)
     – Use DominoHunter to gather information from the outside; you might be surprised what you find
       • DominoHunter is an open-source Perl script that automates opening and querying standard databases over the web
       • Syntax: dh.pl -h targetaddress.com -l results.txt
     – Beware: even if you get satisfying results, you may still have databases left open to the web that this script will not find, because it works from a pre-set list of system databases
  10. Locking down your server’s ACLs: DominoHunter results
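The check DominoHunter automates can be reproduced in a few dozen lines, which also lets you extend the database list beyond the pre-set one the slide warns about. The following is an added example and is not DominoHunter or code from the BP103 session. The database list is an assumption (common Domino system .nsf names), and the response classification encodes the usual Domino behaviour for an anonymous request: 200 with content means readable, 401 or a redirect to the login form means the ACL denies Anonymous, 404 means the file does not exist. The fetcher is injectable, and `fake_fetch` is a constructed stand-in for a server so the example runs offline.

```python
"""Probe well-known Domino system databases for anonymous HTTP access (added example)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Assumed starting list; extend it with your own application databases,
# because a clean result on this list proves nothing about the rest.
SYSTEM_DATABASES: List[str] = [
    "names.nsf", "log.nsf", "domlog.nsf", "admin4.nsf", "catalog.nsf",
    "webadmin.nsf", "events4.nsf", "statrep.nsf", "certlog.nsf",
    "domcfg.nsf", "mail.box",
]

# A fetcher maps a URL to (HTTP status, first bytes of the body as text).
Fetcher = Callable[[str], Tuple[int, str]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login form is itself the answer."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Unauthenticated GET that does not follow redirects (network use only)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "acl-check/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read(4096).decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Turn an anonymous response into a verdict (assumed Domino behaviour)."""
    if status == 200:
        # With session authentication the login form may come back as 200;
        # the default Domino login form carries a "Username" field (heuristic).
        if 'name="Username"' in body or "?Login" in body:
            return "protected (login form served)"
        return "OPEN: anonymous can read"
    if status == 401:
        return "protected (401, authentication required)"
    if status in (301, 302, 303, 307, 308):
        return "protected (redirected, probably to the login form)"
    if status == 404:
        return "absent (404)"
    return f"unexpected HTTP {status}"


def probe(host: str, fetch: Fetcher = http_fetch,
          databases: List[str] = SYSTEM_DATABASES, scheme: str = "https") -> Dict[str, str]:
    """Probe each database anonymously and return {database: verdict}."""
    return {db: classify(*fetch(f"{scheme}://{host}/{db}")) for db in databases}


def open_databases(results: Dict[str, str]) -> List[str]:
    """Databases Anonymous can read: these need their ACL fixed first."""
    return sorted(db for db, verdict in results.items() if verdict.startswith("OPEN"))


def fake_fetch(url: str) -> Tuple[int, str]:
    """Constructed stand-in for a server, so the example runs offline."""
    db = url.rsplit("/", 1)[1]
    canned = {
        "names.nsf": (200, "<html><body>People - By Name</body></html>"),
        "log.nsf": (401, ""),
        "domlog.nsf": (302, ""),
        "webadmin.nsf": (200, '<form><input name="Username"><input name="Password"></form>'),
        "admin4.nsf": (404, "HTTP Web Server: Lotus Notes Exception - File does not exist"),
    }
    return canned.get(db, (404, ""))


if __name__ == "__main__":
    for db, verdict in probe("domino.example.invalid", fetch=fake_fetch).items():
        print(f"{db:14} {verdict}")
```

Against a real server call `probe("your.host", fetch=http_fetch)`; anything reported as OPEN is a database whose ACL still grants Anonymous reader access or better.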
  11. Locking down your server’s ACLs. Such scans are easy to recognize in domlog.nsf: a run of DominoHunter v0.9 records thousands of hits from the same IP address.
     – You can even write an agent that notifies you about such attempts and attacks
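The notification agent the slide suggests would run over domlog.nsf documents in LotusScript. The following added example (not code from the BP103 session) shows the same detection logic in Python over text-format access log lines, assuming the Common Log Format that Domino writes when logging to text files. It flags a client that either fires many requests within a short window or touches many different .nsf files and gets denied or a miss on each, which is what a database-list scanner produces and an ordinary user does not. The log lines are constructed, not captured.

```python
"""Flag database-enumeration bursts in Domino web access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
NSF_IN_PATH = re.compile(r"/([^/?]+\.nsf)", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Parse one CLF line; extract the .nsf file name from the path if any."""
    m = CLF.match(line)
    if not m:
        raise ValueError(f"not a Common Log Format line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    nsf = NSF_IN_PATH.search(rec["path"])
    rec["nsf"] = nsf.group(1).lower() if nsf else None
    return rec


def detect_enumeration(lines: List[str], window: timedelta = timedelta(seconds=60),
                       hit_threshold: int = 20, probe_threshold: int = 5) -> List[Dict]:
    """One alert per client IP whose busiest `window` crosses either threshold.

    hit_threshold: requests in the window (a scanner is fast).
    probe_threshold: distinct .nsf files answered with 401 or 404 in the window.
    """
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        max_hits, max_probes, j = 0, 0, 0
        for i in range(len(recs)):                      # sliding window over time
            while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
                j += 1
            denied = {r["nsf"] for r in recs[i:j]
                      if r["nsf"] and r["status"] in (401, 404)}
            max_hits = max(max_hits, j - i)
            max_probes = max(max_probes, len(denied))
        if max_hits >= hit_threshold or max_probes >= probe_threshold:
            alerts.append({"ip": ip, "hits": max_hits, "denied_databases": max_probes,
                           "first_seen": recs[0]["ts"].isoformat(),
                           "last_seen": recs[-1]["ts"].isoformat()})
    return alerts


def sample_log() -> List[str]:
    """Constructed log: one scanner walking a database list, one normal user."""
    base = datetime(2014, 1, 27, 10, 15, 0, tzinfo=timezone.utc)
    targets = ["names.nsf", "log.nsf", "domlog.nsf", "admin4.nsf", "catalog.nsf",
               "webadmin.nsf", "events4.nsf", "statrep.nsf", "certlog.nsf", "domcfg.nsf"]
    lines = []
    for i, db in enumerate(targets):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        status = 401 if i % 2 else 404
        lines.append(f'203.0.113.7 - - [{ts}] "GET /{db}?OpenDatabase HTTP/1.1" {status} 312')
    for i in range(3):
        ts = (base + timedelta(minutes=5 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.5 - jdoe [{ts}] "GET /names.nsf/People?OpenView HTTP/1.1" 200 18240')
    return lines


if __name__ == "__main__":
    for alert in detect_enumeration(sample_log()):
        print(alert)
```

The denied-database signal is the more robust of the two: a scanner against a properly locked-down server leaves a trail of 401s across many databases even when it throttles itself below a volume threshold.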
  12. Domino server ports. Do not leave ports open that you do not need; open ports are the number one starting point for any outside attack. Nmap is a great tool to test for open ports:
  13. Domino server ports. Nmap scan of a Domino server; note that domlog.nsf records the scanner’s hits when the intense scan profile is selected.
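Scanning is only half of the check; the other half is comparing what Nmap found against what the server is supposed to expose. The following added example (not from the BP103 session) parses Nmap's grepable output (-oG) and lists open ports outside an allowlist. The allowlist and the port-to-service labels are assumptions for a server that should offer only Notes client access (NRPC on 1352) and HTTPS; adjust them to your own intended exposure. The scan output is constructed, not a real capture.

```python
"""Report open ports on a Domino server that are not on the allowlist (added example)."""
from typing import Dict, List, Set, Tuple

# Assumed intended exposure: NRPC for Notes clients and HTTPS for browsers.
ALLOWED_PORTS: Set[int] = {1352, 443}

# Assumed mapping of well-known Domino service ports, used to label findings.
DOMINO_PORTS: Dict[int, str] = {
    1352: "NRPC (Notes client/server)", 80: "HTTP", 443: "HTTPS", 25: "SMTP",
    110: "POP3", 143: "IMAP", 389: "LDAP", 636: "LDAPS", 993: "IMAPS", 995: "POP3S",
}

# Produce the input with:  nmap -sS -p- -oG scan.gnmap <server>   (SYN scan needs root)
PortEntry = Tuple[int, str, str, str]  # (port, state, protocol, service)


def parse_gnmap(text: str) -> Dict[str, List[PortEntry]]:
    """Return {host: [(port, state, proto, service), ...]} from -oG output."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status: Up" lines carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        ports: List[PortEntry] = []
        for entry in fields["Ports"].split(", "):
            # Each entry is port/state/proto/owner/service/rpc/version/
            parts = entry.strip().split("/")
            ports.append((int(parts[0]), parts[1], parts[2], parts[4]))
        hosts[host] = ports
    return hosts


def unexpected_open_ports(text: str, allowed: Set[int] = ALLOWED_PORTS) -> Dict[str, List[str]]:
    """Open ports per host that are not in `allowed`, labelled by service."""
    findings: Dict[str, List[str]] = {}
    for host, ports in parse_gnmap(text).items():
        bad = [f"{port}/{proto} {DOMINO_PORTS.get(port, service or 'unknown')}"
               for port, state, proto, service in sorted(ports)
               if state == "open" and port not in allowed]
        if bad:
            findings[host] = bad
    return findings


# Constructed -oG output (tabs separate the fields, as Nmap writes them).
SAMPLE_GNMAP = """# Nmap scan initiated as: nmap -sS -p- -oG scan.gnmap 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 110/open/tcp//pop3///, 389/open/tcp//ldap///, 443/open/tcp//https///, 1352/open/tcp//lotusnotes///, 8585/filtered/tcp//unknown///\tIgnored State: closed (65528)
# Nmap done -- 1 IP address (1 host up) scanned
"""


if __name__ == "__main__":
    for host, ports in unexpected_open_ports(SAMPLE_GNMAP).items():
        print(host)
        for p in ports:
            print("  unexpected open port:", p)
```

Every finding is either a port to close on the server or in front of it, or a line to add to the allowlist with a reason; either way the list of intended ports ends up written down, which is what makes the next scan meaningful.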
  14. How to Contact Us. We’d love to hear from you!
     – Kim Greene: @iSeriesDomino, www.linkedin.com/in/kimgreeneconsulting, kim@kimgreene.com
     – Ben Menesi: @BenMenesi, ca.linkedin.com/in/benedekmenesi, ben.menesi@ytria.com
  15. Acknowledgements and Disclaimers. © Copyright IBM Corporation 2014. All rights reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM, the IBM logo, ibm.com, and IBM Domino®, IBM Notes Domino®, IBM Notes®, IBM Traveler®, Sametime® LotusScript® are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml This slide presentation may contain the following copyrighted, trademarked, and / or restricted terms: Microsoft®, Windows®, Microsoft Office®, Ytria®, Panagenda®, Visual Basic®, Java®, Perl®, OGSi®, Trust-factory®, Citrix® Other company, product, or service names may be trademarks or service marks of others. Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied.
IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.