Thread: Lotus Notes

  1. #1 rnapro (Member, Join Date Aug 2001, Posts 66)

    Lotus Notes

    I was chatting with a Lotus Notes Administrator and he was bragging about the security of the Lotus Notes server. I am only slightly familiar with the use of Lotus Notes and cannot verify his claims.

    For the record, I am not asking someone to teach me how. At this point I could care less, but I am interested in validating his claims of security. I am interested in what the AO members have to say.

  2. #2
    Wow, Lotus is still around? I remember when Ami Pro and 123 were bigger than MSWord. Does anybody know the story behind how Lotus lost it?

    As for Lotus Notes, I am going to look into it. I am curious about the whole thing now. Good question.

  3. #3 Senior Member (Join Date Jan 2002, Posts 371)

    From a user of Notes, and working in Network Security, I have some security issues with the Lotus Notes client, not specifically the Notes Server.

    1. The user is authenticated when entering Notes to their Notes.id file, which is stored in hash format under the Notes directory, and not to a centralised server as most other applications do, which in itself is a security risk.

    2. What happens if a user forgets their password?

    3. What happens if a user deletes or modifies their ID file?

    Someone else here may be able to talk about the Notes Server. There are also security issues with the associated authentication mechanism called the http password, but I think that this is only in the web-enabled version of Notes.
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ. I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  4. #4 Senior Member (Join Date Oct 2001, Posts 118)

    Mmm, although not being a Notes user, I remember a friend of mine who had a server running it, and I found several security problems, all remote, which allowed me to do pretty much what I wanted to. These will probably have been fixed by now though.
    There's no sense in being Pessimistic...it would never work anyway.

  5. #5 Junior Member (Join Date Jul 2002, Posts 1)

    Notes security is pretty much like any other development environment.
    If you are stupid then the security is bad.
    If you are security minded then you can make it very secure.

    You can apply the security to a database, document, or field on a document.
    You can encrypt at the same levels.

    To answer the questions about IDs:
    If the user loses the password then the administrator can send the user a new copy of the original ID (if he saved a copy). The user would be required to add any certifiers that were not included in the original ID.

  6. #6 Junior Member (Join Date Jul 2002, Posts 3)

    Kelly Goff is right.

    Also, the user needs to remember his first password, since it is saved within the ID file. When he can't remember that one, then there's no way to log in to secured databases.

    With every access request, the user rights are controlled. If no user is logged in (as with web access) then the rights are compared to an anonymous user (remember, Domino has seven access levels!), otherwise they are compared with the current user.

    The web login could be performed by anybody with the internet password of a specific user. This internet password does not necessarily need to be the same as the one saved in the user ID, since it is saved in the public address book. Usually it is the same as the very first password of a user.

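The access check described in post #6 (every request is resolved against either the logged-in user or the Anonymous entry, across Domino's seven ACL levels) is easy to model. The following is an added example, not code from the thread or from IBM/Lotus: the seven level names are the real Domino ACL levels, but the mapping of operations to minimum levels, the `-Default-`/`Anonymous` fallback order, and the omission of groups and roles are simplifying assumptions made here. It also shows the audit a database owner would want: what an unauthenticated web caller can do, before and after hardening the `Anonymous` entry.

```python
"""Simplified model of a Domino database ACL check (added example; the level
names are Domino's, the operation mapping and fallback order are assumptions)."""

LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed minimum level per operation. Depositor is handled specially below:
# it may create documents but cannot read them back, so a pure ranking
# would get it wrong.
MIN_LEVEL = {
    "read": "Reader",
    "create": "Author",
    "edit_own": "Author",
    "edit_any": "Editor",
    "design": "Designer",
    "manage_acl": "Manager",
}


def effective_level(acl, user):
    """Return the ACL level that applies to `user` (None = nobody logged in)."""
    if user is None:
        # Unauthenticated request (e.g. from the web): evaluated as Anonymous,
        # falling back to -Default- if the ACL has no Anonymous entry.
        return acl.get("Anonymous", acl.get("-Default-", "No Access"))
    return acl.get(user, acl.get("-Default-", "No Access"))


def is_allowed(acl, user, operation):
    """Decide whether `operation` is permitted for `user` under `acl`."""
    level = effective_level(acl, user)
    if operation == "create" and level == "Depositor":
        return True  # Depositor may create even though it ranks below Reader
    return RANK[level] >= RANK[MIN_LEVEL[operation]]


def anonymous_capabilities(acl):
    """Audit helper: every operation an unauthenticated caller could perform."""
    return [op for op in MIN_LEVEL if is_allowed(acl, None, op)]


# Constructed ACLs: a permissive one and the hardened variant.
OPEN_ACL = {
    "-Default-": "No Access",
    "Anonymous": "Reader",
    "alice/Example": "Editor",
    "bob/Example": "Author",
}
HARDENED_ACL = dict(OPEN_ACL, Anonymous="No Access")

if __name__ == "__main__":
    print("open ACL, anonymous can:", anonymous_capabilities(OPEN_ACL))          # ['read']
    print("hardened ACL, anonymous can:", anonymous_capabilities(HARDENED_ACL))  # []
    print("bob may edit others' docs:", is_allowed(OPEN_ACL, "bob/Example", "edit_any"))  # False
```

The point of `anonymous_capabilities` is that a database which is fine for authenticated users can still leak to the web simply because `Anonymous` was left at Reader; the check makes that visible without touching the server.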
  7. #7 Senior Member (Join Date Jan 2002, Posts 371)

    Saving the Internet password in the Name and Address book is a security risk in itself.

    If I recall correctly, the password is "encrypted", but doesn't use what is known as "salt". E.g. I changed my Internet Password to "abc123" and it gave the hashed value of "AJKSD77JDKS8992DHJF", for example. All you then need to do is search the name and address book for the hashed password, and it conveniently provides you with a list of all the users who have the password of "abc123".

    As for storing the password as a file locally, although it is (in my opinion) a stupid way to handle passwords, it is also a huge administrative overhead. Users should be able to change or reset their own passwords freely, and passwords should expire after x amount of days. And they should be stored locally on a user's machine.
    SoggyBottom.

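The unsalted-hash problem in post #7 (equal passwords give equal stored values, so the address book itself reveals who shares a password) can be shown side by side with a salted store. This is an added example, not code from the thread or from IBM/Lotus: SHA-256 and PBKDF2 are stand-ins chosen here, the thread does not say which algorithm Domino used, and the user names and passwords are constructed. The `duplicate_hash_clusters` check is the hygiene test a directory administrator could run to see whether their store has this property.

```python
"""Unsalted vs. salted password storage in a shared directory (added example;
algorithms and sample data are assumptions, not Domino's)."""
import hashlib
import hmac
import os

# Constructed sample: two users happened to choose the same password.
SAMPLE_USERS = {
    "alice/Example": "abc123",
    "bob/Example": "abc123",
    "carol/Example": "s3cret!",
}
ITERATIONS = 100_000


def unsalted_hash(password):
    """No salt: identical passwords always yield identical stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None):
    """Per-user random salt plus PBKDF2: identical passwords yield different
    stored values, so the directory no longer shows who shares a password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_directory(users, hasher):
    """Address-book style mapping: user name -> stored password value."""
    return {user: hasher(pw) for user, pw in users.items()}


def duplicate_hash_clusters(directory):
    """Hygiene check: groups of users whose stored value is byte-for-byte
    identical. Non-empty output from an unsalted store means those users
    share a password and anyone who can read the directory can tell."""
    by_value = {}
    for user, stored in directory.items():
        by_value.setdefault(stored, []).append(user)
    return sorted(sorted(group) for group in by_value.values() if len(group) > 1)


if __name__ == "__main__":
    unsalted = build_directory(SAMPLE_USERS, unsalted_hash)
    salted = build_directory(SAMPLE_USERS, salted_hash)
    print("unsalted clusters:", duplicate_hash_clusters(unsalted))  # [['alice/Example', 'bob/Example']]
    print("salted clusters:", duplicate_hash_clusters(salted))      # []
    print("alice verifies:", verify_salted("abc123", salted["alice/Example"]))  # True
```

Note that salting does not make a weak password strong; it only stops the directory from acting as an index of who uses the same one, which is exactly the leak the post describes.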

  8. #8 Junior Member (Join Date Jul 2002, Posts 3)

    Each user has his own account, just like in an NT domain, too.

    Therefore in the public address book of the Domino domain, an entry will be created for every user that exists, with an internet password. It can be disabled, but then users won't be able to log in from the web.
    Usually this opportunity is given, and the internet password is needed if a user wants to log in from the internet. This password is always saved in the public address book.

    The point with the hash value is right, so you'd have to run a brute force and compare hashed values, but it only works when Domino uses the same hash algorithm as you do. Right now, I don't know which one that is.

    User passwords are always stored in a user ID file. That's the way of Domino and cannot be changed. Every user can move his own ID file around wherever he wants to. He can also change his password, which will be updated within this ID file, too.

    If a user loses his password, then he does not have any access to a Domino server anymore. There is usually no way to get it back. If the admin has the very first ID file, which was created when the user account was created, then he can send this one to the user.
    The user himself just has to know what his very first password was. Usually companies follow a certain guideline, like the last name of a user as his first password.
    Remember, users can change their passwords freely, as they like.

    Another word on the IDs. When being created, a time stamp can be given. When it runs out, the user has to get his ID file re-certified by the administrator.
