This document summarizes a presentation on best practices for securing HCL Notes/Domino. It discusses securing client-server communication through encryption settings, safeguarding data in local replicas with encryption and access controls, protecting the client from untrusted code using execution control lists, staying up-to-date with security updates, and using authentication security practices like password policies and single sign-on. Commercial services from panagenda can help organizations implement these security configurations and topics.
Best Practices for HCL Notes/Domino Security, Part 1: The Notes Client
1. Make Your Data Work For You
Best Practices for HCL Notes/Domino Security
Part 1: The Notes Client
16th March 2021
2. Daniel Klas
@panagenda
Inbound Marketing Coordinator
panagenda
Marc Thomas
@IAM_Mthomas
Senior Consultant
panagenda
Speakers
Join the conversation using #NotesDominoSecurity & @panagenda
3. Agenda
1. Introduction
2. Secure client-server communication over any port (with and without SafeLinx)
3. Safeguarding data in local replicas/databases
4. Protecting the client environment from running untrusted code
5. Staying current with security updates
6. Authentication security
5. 1. Introduction – Available clients
• Available clients
– HCL Notes – Basic configuration
– HCL Notes – Standard (incl. Eclipse)
– HCL Notes – Standard (incl. Eclipse + Admin and/or Designer client)
– HCL Client Application Access – aka HCAA
– HCL Nomad – mobile app for Android
– HCL Nomad – mobile app for iOS/iPadOS
– HCL Nomad Web (beta) – via Browser
– HCL Verse – via Browser
6. 2. Secure client-server communication – Client
• NRPC port settings
– NRPC = Notes remote procedure call
– Port 1352
– Legacy
• LAN0 / COM(.*) / DisabledPorts
→ Should be removed
– Port settings in notes.ini
• Ports=TCPIP
• TCPIP = TCP,0,15,0,,45056,
→ with encryption only
• TCPIP = TCP,0,15,0,,45088,
→ with encryption & compression
• TCPIP = TCP,0,15,0,,12288,
→ DEFAULT - without encryption & compression
7. 2. Secure client-server communication – Server
• Legacy/Default port encryption for Notes/Domino
– RC4 128Bit (Rivest Cipher 4)
• Best practice settings for port encryption on Domino server >= 9.0.1 Fix Pack 7
– AES-GCM 128Bit (Advanced Encryption Standard)
– notes.ini → PORT_ENC_ADV=84
• See the following Technote for details and read before you use the parameter:
– https://help.hcltechsw.com/domino/11.0.1/admin/conf_port_enc_adv_r.html
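As an added example (not from the presentation and not panagenda's tooling), a small Python audit of the notes.ini settings from the client and server slides above: it parses the Ports= and per-port lines, decodes the flags field, reports whether encryption and compression are set, reads PORT_ENC_ADV, and rewrites a default port line into the encrypted form. The mapping of bit 0x8000 to encryption and 0x0020 to compression is inferred from the three slide values (12288, 45056, 45088) and is an assumption; the sample notes.ini is constructed.

```python
# Flag bits in the 6th field of a notes.ini port line, inferred from the three
# slide values: 12288 (0x3000) is the default, 45056 adds 0x8000 (encryption),
# 45088 adds a further 0x0020 (compression). This mapping is an assumption.
FLAG_ENCRYPT = 0x8000
FLAG_COMPRESS = 0x0020

# Constructed sample notes.ini fragment with the default, unencrypted port.
SAMPLE_INI = """\
Ports=TCPIP
TCPIP=TCP,0,15,0,,12288,
PORT_ENC_ADV=84
"""

def parse_ini(text):
    """Return {key: value} for 'key=value' lines; ';' lines are comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def port_flags(port_line):
    """Numeric flags field (6th comma-separated field) of a port definition."""
    fields = port_line.split(",")
    if len(fields) < 6 or not fields[5].isdigit():
        raise ValueError("unexpected port definition: %r" % port_line)
    return int(fields[5])

def audit(text):
    """Encryption/compression status per enabled port, plus PORT_ENC_ADV."""
    cfg = parse_ini(text)
    ports = {}
    for port in cfg.get("Ports", "").split(","):
        port = port.strip()
        if port and port in cfg:
            flags = port_flags(cfg[port])
            ports[port] = {"encrypt": bool(flags & FLAG_ENCRYPT),
                           "compress": bool(flags & FLAG_COMPRESS)}
    adv = cfg.get("PORT_ENC_ADV")
    return {"ports": ports, "port_enc_adv": int(adv) if adv and adv.isdigit() else None}

def hardened_line(port_line, compress=False):
    """Rewrite a port definition with the encryption bit set (compression optional)."""
    fields = port_line.split(",")
    flags = port_flags(port_line) | FLAG_ENCRYPT
    if compress:
        flags |= FLAG_COMPRESS
    fields[5] = str(flags)
    return ",".join(fields)
```

Running audit() over a client's notes.ini flags any NRPC port still on the default 12288 setting; hardened_line() produces the 45056 (encryption only) or 45088 (encryption and compression) line shown on the slide.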
8. 2. Secure client-server communication – mobile app
• HCL Nomad mobile app
– Classic → NRPC (direct using VPN/Passthrough)
– New → SSL Tunneling (port 443) using Nomad Proxy aka HCL SafeLinx
9. 3. Safeguarding data in local replicas/databases
• Local replicas of (Domino) server databases
– One of the most powerful features of Notes/Domino is “Replication”
– Almost every customer has local replicas on some or on all Notes clients (managed and/or unmanaged)
– Local replicas in general should always be encrypted
– Use “Strong Encryption” or even better “128 bit AES”
10. 3. Safeguarding data in local replicas/databases (cont.)
• Access Control List (ACL) of local replicas
– Use the option “Enforce a consistent Access Control List” in the ACLs of your server application databases to ensure the ACL is identical on all replicas (incl. local).
11. 4. Protecting the client environment from running untrusted code
• Execution Control List (ECL)
– The ECL ensures that code is executed only if its signer (the “code signer”) is trusted
– Either the user or an administrator can add signers/users to the ECL
– Using an Administration ECL to manage the ECL (incl. locking it down) is highly recommended; it also ensures that users cannot add signers to the list themselves
• If a user then gets an “Execution Security Alert” → it is a security alert!
12. 5. Staying current with security updates
• Do you remember our first slide?
• Available clients
– HCL Notes – Basic configuration
– HCL Notes – Standard (incl. Eclipse)
– HCL Notes – Standard (incl. Eclipse + Admin and/or Designer client)
– HCL Client Application Access – aka HCAA
– HCL Nomad – mobile app for Android
– HCL Nomad – mobile app for iOS/iPadOS
– HCL Nomad Web (beta) – via Browser
– HCL Verse – via Browser
13. 5. Staying current with security updates (cont.)
• Do you remember our first slide?
• Available clients and latest releases
– HCL Notes 11.0.1 FP2 SHF46 – Basic configuration
– HCL Notes 11.0.1 FP2 SHF46 – Standard (incl. Eclipse)
– HCL Notes 11.0.1 FP2 SHF46 – Standard (incl. Eclipse + Admin and/or Designer client)
– HCL Client Application Access 3.0.3 – aka HCAA
– HCL Nomad 1.0.15 20210219-1541 – mobile app for Android
– HCL Nomad 1.0.11 – mobile app for iOS/iPadOS
– HCL Nomad Web (beta) – via Browser
– HCL Verse 2.0.1 – via Browser
14. 5. Staying current with security updates (cont.)
• More security options
– The newer the version, the more modern and better the security options and features
• Vulnerability
– The older the version, the higher the risk of being vulnerable
– Check out this link (sorted in ascending order by date):
https://support.hcltechsw.com/csm?id=kb_search&spa=1&language=en&u_document_type=Security%20Bulletin&kb_category=1ec026dc1b45730083cb86e9cd4bcb24
15. 6. Authentication security
• The following may sound silly, but
– PLEASE use ID files protected with passwords
– Use a Security-Policy to force password
• expiration after xx days
• complexity
• Single Sign-On (SSO) may help here
– Comfort combined with security
– Notes Shared Login (NSL)
• https://help.hcltechsw.com/domino/11.0.1/admin/conf_usingnotessharedlogintosuppresspasswordprompts_c.html
– Notes Federated Login (NFL)
• https://help.hcltechsw.com/domino/11.0.1/admin/secu_using_security_assertion_markup_language_saml_to_configure_federated_identity_authentication_t.html?hl=federated%2Clogin
16. - Commercial break -
All six topics and more can easily be covered, solved and managed by
17. Q & A
18. Thank you!