Haste makes waste, as they say, and setting the ACL for your important Domino server files is no exception. Knock on a door and you will hear an answer, but if that door is already standing open, nobody notices who walks in.
Question: When was the last time you checked the ACL of your names.nsf, catalog.nsf or any other server database? Probably not recently. We all agree that the Domino server provides several fields and methods to secure our servers from intruders. But too often, those fields are left unattended.
I have been on the Internet lately looking for material on Lotus Notes, and I ran into several sites that host that kind of information. Out of curiosity, I wanted to check how secure their systems were, Domino server-wise. To tell you the truth, it was not what I expected. I ran into two situations that led me to write this tip.
One of those had a huge network with four servers and approximately 3,000 users. I don't blame anyone with a big network like that. They had names.nsf without authentication, but of course they were not that ignorant, and they had set the ACL to Reader. Guess what, I was still able to detach several of their servers' ID files. I believe all of you understand the wealth of information that names.nsf provides. I was lucky, because they had also forgotten to turn on logging, which means they didn't even know I was there.
The other site was a little more conservative than the first. It had only one server and approximately 1,500 users. By checking the names in the administrators group, I found that there were more administrators, which meant that fewer adjustments were needed. Their logging was on, but names.nsf had no authentication, with Reader access level. I also went to their catalog.nsf and discovered lots of databases that had either -Default- or Anonymous at Manager level. (I enjoyed this a lot.)
In both cases, a lot of information was exposed to the public. I even know some of their pets' names, not to mention their fax numbers, phone numbers and more. I can assure you that in either case, the information that was available to the public posed a major threat to both sites' identities.
Most administrators, myself included, spend most of their time in the Administrator client and rarely open any of those important databases through a browser to see what information they offer to us, and to intruders.
Wondering what I did with them? Well, Lotus geeks always stick together. I e-mailed them both, and I believe they have learned their lessons.
This tip is meant as a reminder that, in each case, simple actions were all that was necessary to keep them on the safe side.
For more information, see Chuck Connell's tip on searchDomino, Scanners warning and checklist. In that tip, Chuck says he doesn't recommend running such a scanner against your production server. I would suggest that you run the security check on a lab server and write down the files that the test examined. Then go through your own system and check the ACL for each of those files.
Also see Chuck's tip titled Enforce Consistent ACL.
Finally, I do suggest scheduling a security check every now and then. And of course, Notes' own scheduling features will make sure that you are reminded!
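As an added example, not code from the original tip or from Chuck Connell's scanner, here is the kind of ACL policy check that such a scheduled review could apply to the files you wrote down. It encodes the two lessons from the sites above: a system database such as names.nsf or catalog.nsf must not be readable by unauthenticated users at all (Reader was enough to detach server ID files), and -Default- or Anonymous must never be Manager anywhere. It also handles the case the catalog.nsf site had: when a database has no Anonymous entry, Domino gives anonymous browser users whatever -Default- grants. The inventory, the level numbers (the NotesACLEntry.Level values 0 through 6) and the list of system databases are assumptions for the example; in practice you would build the inventory from a scheduled LotusScript agent walking NotesDbDirectory, or from the Administrator client, and feed it to the same rules.

```python
"""Flag risky -Default-/Anonymous ACL entries across Domino databases.

Added example. The inventory at the bottom is constructed for illustration,
not data from a real server.
"""

# Domino ACL levels as numbered by NotesACLEntry.Level (assumed mapping).
NO_ACCESS, DEPOSITOR, READER, AUTHOR, EDITOR, DESIGNER, MANAGER = range(7)
LEVEL_NAME = ["No Access", "Depositor", "Reader", "Author",
              "Editor", "Designer", "Manager"]

# Server databases that no unauthenticated Internet user should be able to
# read at all (assumed list; extend it with whatever your scan examined).
SYSTEM_DBS = {"names.nsf", "catalog.nsf", "log.nsf", "admin4.nsf",
              "certlog.nsf", "events4.nsf", "domlog.nsf"}


def effective_anonymous(acl):
    """Level a browser user gets without authenticating.

    Domino uses the Anonymous entry when one exists; otherwise anonymous
    users fall through to -Default-.
    """
    if "Anonymous" in acl:
        return acl["Anonymous"]
    return acl.get("-Default-", NO_ACCESS)


def check_database(filename, acl, enforce_consistent=True):
    """Return (severity, filename, message) findings for one database."""
    findings = []
    default = acl.get("-Default-", NO_ACCESS)
    explicit_anon = "Anonymous" in acl
    anon = effective_anonymous(acl)
    src = "Anonymous" if explicit_anon else "-Default- (no Anonymous entry)"

    if default >= MANAGER:
        findings.append(("CRITICAL", filename,
                         "-Default- is Manager: any authenticated user can "
                         "rewrite the ACL, and anonymous users inherit it "
                         "when no Anonymous entry exists"))
    if anon >= MANAGER and explicit_anon:
        findings.append(("CRITICAL", filename, "Anonymous is Manager"))
    elif anon >= MANAGER:
        pass  # already reported through -Default- above
    elif filename.lower() in SYSTEM_DBS and anon > NO_ACCESS:
        # Reader is not safe here: documents and attachments (server IDs,
        # person records) are readable and detachable.
        findings.append(("HIGH", filename,
                         "system database readable without authentication "
                         f"({src} = {LEVEL_NAME[anon]})"))
    elif anon > READER:
        findings.append(("HIGH", filename,
                         "unauthenticated users can write "
                         f"({src} = {LEVEL_NAME[anon]})"))
    if not enforce_consistent:
        findings.append(("MEDIUM", filename,
                         "Enforce a consistent ACL is off: local replicas "
                         "do not honour this ACL"))
    return findings


def audit(inventory):
    """Run check_database over (filename, acl, enforce_consistent) tuples."""
    findings = []
    for filename, acl, consistent in inventory:
        findings.extend(check_database(filename, acl, consistent))
    return findings


# Constructed inventory modelled on the two sites described in the tip.
INVENTORY = [
    ("names.nsf", {"-Default-": NO_ACCESS, "Anonymous": READER,
                   "LocalDomainAdmins": MANAGER}, True),
    ("catalog.nsf", {"-Default-": MANAGER}, False),          # no Anonymous entry
    ("sales.nsf", {"-Default-": NO_ACCESS, "Anonymous": NO_ACCESS,
                   "Sales": EDITOR}, True),
    ("discussion.nsf", {"-Default-": AUTHOR, "Anonymous": EDITOR}, True),
]

if __name__ == "__main__":
    for severity, db, message in audit(INVENTORY):
        print(f"{severity:8} {db:16} {message}")
```

Run against the constructed inventory it reports names.nsf as readable by anonymous users, catalog.nsf as both -Default- Manager and missing the consistent-ACL enforcement, and discussion.nsf as writable by anonymous users, while sales.nsf is clean. The rules are deliberately conservative: a Reader entry on a system database is a finding, because Reader is exactly what the first site had.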