Recording: http://pan.news/20210420de
Abstract: Servers are the backbone of your IT environment. Their security is of the utmost importance to every IT professional. This becomes a delicate matter especially for servers with remote access: there is a fine line between convenient use on the one hand and protection against attackers on the other.
Security concerns include the lack of physical security of devices, the use of unsecured networks, the unintended external availability of internal resources, and unauthorized access from within your own company.
HCL Domino is a powerful and mature server platform with a large feature set. While that makes it a good choice for many applications, it also means there are many potential ways to make yourself vulnerable.
In this webinar, our experts help you look at every aspect of securing your Domino environments:
• Learn the fundamentals of Domino server security
• Fix problems with the default configuration and avoid common pitfalls
• Ensure secure access via Notes client, HTTP or SMTP
• Set up database access control for your entire infrastructure
• Protect your servers against internal attacks
• Avoid vulnerabilities by keeping the Domino server and the operating system up to date
Best Practices for HCL Notes/Domino Security. Part 2: The Domino Server
1. Make Your Data Work For You
Best Practices for HCL Notes/Domino Security, Part 2: The Domino Server
20th April 2021
2. Daniel Klas
@panagenda
Inbound Marketing Coordinator
panagenda
Marc Thomas
@IAM_Mthomas
Senior Consultant
panagenda
Speakers
Join the conversation using #NotesDominoSecurity & @panagenda
3. Agenda
1. Staying current with (security) updates
2. Domino Server Security Fundamentals (DSSF)
3. SMTP Security Settings (quick and dirty faultless)
4. Bonus: HTTP Security or how to get an A+ rating
4. 1. Staying current with (security) updates
5. 1. Staying current with (security) updates
• Current available and supported releases
– Domino 11.0.1 FP3 (April 2021)
• No EOL defined yet
– Domino 10.0.1 FP6 (September 2020)
• No EOL defined yet, BUT “Support Update - List of Exceptions Starting 12/31/2021” here:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085697
– Domino 9.0.1 FP10 IF6 (August 2020)
• No EOL defined yet, BUT “Support Update - List of Exceptions Starting 12/31/2021” here:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085697
8. 1. Staying current with (security) updates (cont.)
• System requirements for Domino 11.0.1 FP3 (OS)
– Microsoft Windows
• Windows Server 2012 R2 - 2019
– Linux
• Red Hat Enterprise Linux (RHEL) Server 7.4+ & 8.x
• SUSE Linux Enterprise Server (SLES) 12.0+ & 15.0+
• CentOS Server 7.4+ (EOL - 2024-06-30) & 8.x (EOL - 2021-12-21)
– IBM AIX
• AIX 7.2 TL1+
– IBMi
• IBM i v7 r2, r3 & r4 (on IBM Power 8 & 9)
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0077033
9. 2. Domino Server Security Fundamentals (DSSF)
10. 2. DSSF - Secure client-server communication
• NRPC port settings
– NRPC = Notes remote procedure call
– Port 1352
– Port settings in notes.ini
• Ports=TCPIP
• TCPIP = TCP,0,15,0,,45056, → with encryption only
• TCPIP = TCP,0,15,0,,45088, → with encryption & compression
• TCPIP = TCP,0,15,0,,12288, → DEFAULT: without encryption & compression
11. 2. DSSF - Secure client-server communication (cont.)
• Legacy/default port encryption for Notes/Domino (up to 11.0.1)
– RC4 128-bit (Rivest Cipher 4)
– Use the notes.ini entry LOG_AUTHENTICATION=1 to see the negotiated port encryption on the console
– Starting with HCL Domino v12 the new default is AES-GCM 256-bit
• Best-practice setting for port encryption on Domino servers >= 9.0.1 Fix Pack 7
– notes.ini → PORT_ENC_ADV=84 (AES-GCM 128-bit)
• See the following Technote for details, and read it before you use the parameter:
– https://help.hcltechsw.com/domino/11.0.1/admin/conf_port_enc_adv_r.html
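The two slides above give three flag values for the sixth field of a notes.ini port definition (12288 default, 45056 encryption only, 45088 encryption and compression) and recommend PORT_ENC_ADV=84. The script below is an added example, not code from the webinar or from HCL: it reads a notes.ini fragment, decodes each port listed under Ports=, and reports ports that still run with the unencrypted default. The bit meanings (0x8000 = encryption, 0x0020 = compression) are an assumption derived purely from the differences between the three values quoted on the slides, and the notes.ini text is constructed for the example.

```python
"""Audit NRPC port encryption flags in a Domino notes.ini (added example).

Flag bits are an assumption derived from the three values on the slides:
  12288 = 0x3000  default, no encryption, no compression
  45056 = 0xB000  encryption only          -> 0x8000 taken as the encryption bit
  45088 = 0xB020  encryption + compression -> 0x0020 taken as the compression bit
"""

ENCRYPT_BIT = 0x8000   # assumption: 45056 - 12288
COMPRESS_BIT = 0x0020  # assumption: 45088 - 45056
RECOMMENDED_PORT_ENC_ADV = "84"  # AES-GCM 128-bit, as recommended on the slide

# Constructed sample notes.ini fragment; not taken from a real server.
SAMPLE_NOTES_INI = """\
[Notes]
Ports=TCPIP,TCPIP2
TCPIP=TCP,0,15,0,,12288,
TCPIP2=TCP,0,15,0,,45088,
PORT_ENC_ADV=84
"""


def parse_notes_ini(text):
    """Return key -> value for every KEY=VALUE line; keys are normalised to upper case."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", ";")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().upper()] = value.strip()
    return settings


def decode_port(value):
    """Decode a port definition such as 'TCP,0,15,0,,45056,' into driver and flag bits."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) < 6 or not fields[5].isdigit():
        raise ValueError(f"unrecognised port definition: {value!r}")
    flags = int(fields[5])
    return {
        "driver": fields[0],
        "flags": flags,
        "encryption": bool(flags & ENCRYPT_BIT),
        "compression": bool(flags & COMPRESS_BIT),
    }


def audit_nrpc_ports(text):
    """Return a list of (name, finding) tuples for the ports enabled via Ports=."""
    settings = parse_notes_ini(text)
    findings = []
    ports = [p.strip().upper() for p in settings.get("PORTS", "").split(",") if p.strip()]
    for port in ports:
        if port not in settings:
            findings.append((port, "listed in Ports= but has no definition"))
            continue
        info = decode_port(settings[port])
        if info["encryption"]:
            suffix = " + compressed" if info["compression"] else ""
            findings.append((port, "encrypted" + suffix))
        else:
            findings.append((port, "NOT encrypted (default flags)"))
    # The slides recommend PORT_ENC_ADV=84 on 9.0.1 FP7 and later.
    enc_adv = settings.get("PORT_ENC_ADV")
    if enc_adv != RECOMMENDED_PORT_ENC_ADV:
        findings.append(("PORT_ENC_ADV", f"value {enc_adv!r}, slides recommend 84 (AES-GCM 128-bit)"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_nrpc_ports(SAMPLE_NOTES_INI):
        print(f"{name}: {finding}")
```

Run it against a copy of the server's notes.ini to get one line per enabled NRPC port; a port reported as "NOT encrypted" is one still running the 12288 default from the previous slide.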
12. 2. DSSF – Take care of webadmin.nsf
• You can either
– Remove webadmin.nsf from all your servers
OR
– Lock down its ACL and keep it under review
• This DB will no longer be distributed with Domino v12 and higher
13. 2. DSSF – ACL (Anonymous & -Default- entries)
• ACL (Access Control List)
– -Default- access is granted to every authenticated user who is not listed in the ACL (either directly or via a group or wildcard entry)
– Anonymous access is granted to every non-authenticated user (web access)
– If there is no Anonymous entry in the ACL, Domino automatically uses the -Default- entry for non-authenticated users
– See the following two links for more information:
https://help.hcltechsw.com/domino/11.0.0/conf_anonymousinternetintranetaccess_c.html
https://help.hcltechsw.com/domino/11.0.0/conf_validationandauthenticationforinternetintranetclien_c.html?hl=anonymous%2Cacl
15. 2. DSSF – Server Document → Internet Ports
• Be aware of open and unused ports (disable them)
– Example: if you don’t want to use the HTTP/LDAP/SMTP/IMAP/POP3/DIIOP service on a server, ensure that those ports are disabled in the Server Document(s)
16. 2. DSSF – Server Document → Internet Ports (cont.)
17. 2. DSSF – SSL/TLS (X.509) is not optional!
• Ensure that you always use secured connections from/to your Domino servers (including internal connections)
– The following link will help you to set up SSL on Domino servers:
https://help.hcltechsw.com/domino/11.0.1/admin/conf_settingupsslonadominoserver_t.html
18. 2. DSSF – SSL/TLS (X.509) is not optional! (cont.)
20. 3. SMTP Security Settings (quick and dirty faultless)
21. 3. SMTP Security Settings (quick and dirty faultless)
a) SMTP Port settings (Server document)
– Inbound → only “Enabled”
– Outbound → “Enabled” & “Negotiated TLS/SSL”
22. 3. SMTP Security Settings (quick and dirty faultless) (cont.)
b) SMTP Port settings (Configuration document) - Inbound
– Inbound → “TLS/SSL negotiated over TCP/IP port” → “Enabled”
23. 3. SMTP Security Settings (quick and dirty faultless) (cont.)
c) SMTP Relay security (Configuration document)
24. 3. SMTP Security Settings (quick and dirty faultless) (cont.)
d) SMTP Inbound security (Configuration document)
25. 3. SMTP Security Settings (quick and dirty faultless) (cont.)
• What about non-encrypted connections (outbound only)?
– You can configure fallback to non-TLS using the following notes.ini entry:
RouterFallbackNonTLS=1
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0079251
• Verify if sender == authenticated user (optional)
– You can configure this using the following notes.ini entry:
SMTPVerifyAuthenticatedSender=1
https://ds_infolib.hcltechsw.com/ldd/dominowiki.nsf/dx/SMTPVerifyAuthenticatedSender
26. 4. Bonus: HTTP Security or how to get an A+ rating
28. 4. Bonus: HTTP Security or how to get an A+ rating (cont.)
a) Always use the latest available version of Domino (incl. FPs)
– Domino 11.0.1 FP3
– Domino 10.0.1 FP6
– Domino 9.0.1 FP10 IF6
b) Disable outdated SSL/TLS protocols using the following notes.ini entries:
– SSL_Disable_TLS10=1
→ leaving TLS 1.0 enabled automatically caps you at a B rating (since Jan. 2020)
– DISABLE_SSLV3=1
→ this should no longer be needed, since SSL v3 should be disabled by default
29. 4. Bonus: HTTP Security or how to get an A+ rating (cont.)
c) Select only the modern SSL ciphers (see screenshot) in your
– Server Document(s)
– Web Site Document(s)
30. 4. Bonus: HTTP Security or how to get an A+ rating (cont.)
d) Configure HTTP Strict Transport Security (HSTS) using the following notes.ini entries (or via the Web Site Document, if used):
– HTTP_HSTS_INCLUDE_SUBDOMAINS=1
– HTTP_HSTS_MAX_AGE=31536000
See here:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0074868
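Setting the two HSTS notes.ini entries above only helps if the server then actually sends a Strict-Transport-Security header with the intended values, so the check a practitioner wants is one against the live HTTP response head. The following script is an added example, not code from the webinar or from HCL: it pulls the header out of a raw HTTP response, parses the max-age and includeSubDomains directives, and compares them with the values recommended on the slide (31536000 seconds and subdomains included). The two response heads are constructed for the example; capture the real one with any HTTP client.

```python
"""Verify a server's Strict-Transport-Security header against the slide's
recommended HSTS settings (added example, not part of the webinar).
"""

RECOMMENDED_MAX_AGE = 31536000  # one year, matches HTTP_HSTS_MAX_AGE=31536000 on the slide

# Constructed response heads (not captured from a real server).
SAMPLE_RESPONSE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_RESPONSE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def extract_header(raw_head, name):
    """Return the value of header `name` (case-insensitive) from a raw response head, or None."""
    for line in raw_head.splitlines()[1:]:   # skip the status line
        if not line:                          # blank line ends the header block
            break
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_hsts(header_value):
    """Parse 'max-age=N; includeSubDomains' into a dict; directive names are case-insensitive."""
    result = {"max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if value.isdigit():
                result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return result


def rate_hsts(header_value):
    """Return (ok, problems) for a Strict-Transport-Security value; None means no header was sent."""
    if header_value is None:
        return False, ["no Strict-Transport-Security header sent; HSTS is not enforced"]
    parsed = parse_hsts(header_value)
    problems = []
    if parsed["max_age"] is None:
        problems.append("max-age missing or not numeric; browsers ignore the header")
    elif parsed["max_age"] < RECOMMENDED_MAX_AGE:
        problems.append(f"max-age {parsed['max_age']} is below the recommended {RECOMMENDED_MAX_AGE}")
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains missing (HTTP_HSTS_INCLUDE_SUBDOMAINS=1 not in effect)")
    return not problems, problems


def check_response(raw_head):
    """Convenience wrapper: extract the header from a raw response head and rate it."""
    return rate_hsts(extract_header(raw_head, "Strict-Transport-Security"))


if __name__ == "__main__":
    for label, head in (("ok", SAMPLE_RESPONSE_OK), ("weak", SAMPLE_RESPONSE_WEAK)):
        ok, problems = check_response(head)
        print(label, "PASS" if ok else "FAIL", problems)
```

A PASS here corresponds to the header the two notes.ini entries are meant to produce; a FAIL on the weak sample shows both the short max-age and the missing includeSubDomains being reported separately, which is the order a rating tool will also flag them in.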
32. Daniel Klas
@panagenda
Inbound Marketing Coordinator
panagenda
Christoph Adler
@cadler80
Senior Consultant
panagenda
Join the conversation using #NotesDominoSecurity & @panagenda
Q & A