IT Baseline Protection Manual Chapter 7.7 Lotus Notes

-->

7.7 Lotus Notes

Description

Lotus Notes is a product used to support workgroups. It provides facilities enabling office work routines that occur within an organisation to be supported and organised. All the communications, data transmission and data keeping that are necessary for this can be processed using Lotus Notes. The Notes concept is based on a client/server architecture whereby users connect themselves to the Domino server from a Notes client or browser and work in this mode.

In earlier versions of Lotus Domino/Notes, proprietary communications protocols were used. By contrast, the latest version (currently 5.0.5) incorporates standard Internet protocols. Since Version 4.5 it has also been possible to gain access to the data in a Lotus Domino server over the Internet from any browser, using a new Web interface. Access here is not restricted to read access, but write access and Administrator access to the server are also possible. From a security viewpoint, the most important change in the release update from version 5.0.3 to version 5.0.4 is the fact that, as a result of a change in US export policy, there is now a single, global version supplied with strong encryption mechanisms, as opposed to separate versions for the North American and international markets.

A brief summary is provided below of the current (as of November 2000) product designations of Lotus Domino/Notes components, as in the course of the last release update Lotus renamed some of the components. In the descriptions of the threats and security safeguards which follow, the terms Lotus Domino Server and Lotus Notes Server should be viewed as synonyms.

Server products:

Domino Application Server. This is the actual successor of the original Lotus Notes Server. Application Server has a modular design and, in addition to the components for database access, it also offers other modules, including an SMTP server module, an HTTP server module and an LDAP server module.

Domino Mail Server. The e-mail functionality is a constituent part of Domino Application Server. This configuration variant makes the functionality of an e-mail server also available independently of the other server modules.

Domino Enterprise Server. This enhanced version of Domino Application Server was previously known as Domino Advanced Services. This enhanced version includes functions for high availability, partitioning, server networks (clustering) and accounting information (billing).

Lotus QuickPlace. QuickPlace is a special configuration variant that is aimed at setting up Web-based team workstations rapidly and without problems. QuickPlace is a constituent part of Domino Application Server and Domino Enterprise Server.

Client products:

Notes Client. This is the "classic" client for accessing the Domino/Notes server and processing e-mail, appointments, contacts and much more. Notes Client also contains a browser component which can be used to display Web content. On the basis of the client query this is loaded from any Web server by the Web Retriever and passed on to the client.

Domino Administrator Client. Domino Administrator Client is not an independent client, but is contained in Domino Server R5 and Domino Designer R5 as an optional component. Domino Administrator Client is a central tool for the administration of security for the Domino server.

Domino Designer. Domino Designer is a development tool for the creation of Web applications. Domino applications can be created using Java, JavaScript, HTML4, C++, CORBA/IIOP, OLE and LotusScript.

From the point of view of security, the following aspects are relevant to Lotus Notes:

Access security. Only authorised users should be able to access the data held on a Notes server. To ensure that this is the case, access to a Notes server is controlled by the server itself. This means it is possible to control which users may in principle access which Notes server.

Access control. As well as control of server access, control of access to databases constitutes another important security mechanism. The methods provided by Lotus Notes permit in-depth control as to which users (or which user groups) are allowed to execute what actions on a particular database.

Communications security. When a client accesses a database on a server, the data retrieved is transmitted over a network connection. To ensure the confidentiality and integrity of the data, Lotus Notes provides encryption algorithms.

Availability. Use of a Notes system as an office communication medium by business units within an organisation imposes certain requirements as to availability. On the one hand there is a need to minimise the damage that could be caused by a failure through redundant data keeping or physical redundancy of computers, while on the other hand there is a requirement for a contingency plan which provides guidance and directions enabling rapid recovery of the system in the event of failure.

Threat Scenario

The following typical threats are assumed for the IT baseline protection of a Notes system:

Force Majeure:

T 1.1 Loss of personnel

T 1.2 Failure of the IT system

Organisational Shortcomings:

T 2.1 Lack of, or insufficient, rules

T 2.2 Insufficient knowledge of requirements documents

T 2.4 Insufficient monitoring of IT security measures

T 2.7 Unauthorised use of rights

T 2.16 Non-regulated change of users in the case of laptop PCs

T 2.18 Improper delivery of data media

T 2.19 Inadequate key management for encryption

T 2.37 Uncontrolled usage of communications lines

T 2.40 Complexity of database access

T 2.49 Lack of, or inadequate, training of teleworkers

Human Error:

T 3.9 Improper IT system administration

T 3.43 Inappropriate handling of passwords

T 3.44 Carelessness in handling information

T 3.46 Error in the configuration of a Lotus Notes server

T 3.47 Error in the configuration of browser access to Lotus Notes

Technical Failures:

T 4.26 Failure of a database

T 4.28 Loss of data in a database

T 4.35 Insecure cryptographic algorithms

Deliberate Acts:

T 5.7 Line tapping

T 5.8 Manipulation of lines

T 5.22 Theft of a mobile IT system

T 5.71 Loss of confidentiality of classified information

T 5.77 Unauthorised monitoring of E mails

T 5.83 Compromising cryptographic keys

T 5.84 Forged certificates

T 5.85 Loss of integrity of information that should be protected

T 5.100 Abuse of active contents on access to Lotus Notes

T 5.101 Hacking Lotus Notes

Recommended Countermeasures

To implement IT baseline protection, selection of the required packages of safeguards ("modules") is recommended, as described in Sections 2.3 and 2.4.

As well as protecting the Lotus Notes , however, it is also necessary to draw up a specific security policy which must be integrated into the existing security policy. the Notes system must implement existing security requirements while at the same time necessitating the creation of new, Notes-specific security provisions.

A Notes system will generally be used in the environment of other systems which serve to control access to the internal network from outside. Examples of other systems with which a Notes system has to work are firewall systems and remote maintenance systems. For this reason, when implementing the Notes-specific safeguards, the safeguards from the relevant modules of the affected systems must also be considered. In addition to the relevant modules from Chapters 5 and 6, the following modules should also be mentioned:

7.3 "Firewall", if Notes systems are used in a firewall environment (see also S 2.211 Planning the use of Lotus Notes in a demilitarised zone).

7.6 "Remote Access" if access to the Notes system is over dial-in lines.

The safeguards listed in module 9.2 "Databases" are not 100% applicable to Lotus Notes, as Notes is a proprietary database system.

In order to successfully set up a Notes system, a series of measures should be taken, starting with the design, then going on to installation and operation. The steps involved here and the safeguards which should be considered at each of the steps are listed below.

Following the decision to use Lotus Notes as an internal communications system, it is necessary to purchase the software and any additional hardware required. As Lotus Notes is available in a number of different configuration variants (see above) the software to be purchased will depend also on the planned operational scenarios. The following safeguards should therefore be implemented:
- At the outset it is necessary to plan exactly how the Notes system will be used (see safeguard S 2.206 Planning the use of Lotus Notes).
- In parallel to this, security guidelines which interpret the already existing security guidelines in a Lotus Notes specific manner while also including any additional Notes-specific provisions that may be necessary must be written (see safeguard S 2.207 Defining security guidelines for Lotus Notes).
- Prior to actual implementation of the Notes system, the users and Administrators must be prepared for working with Lotus Notes through appropriate training. In particular, due to the complexity of administering a Notes system, in-depth training is recommended for Administrators. This should include giving the Administrators detailed system knowledge (see S 3.24 Training on the Lotus Notes system architecture for Administrators), so that they are in a position to manage the system consistently and correctly. Users should be informed of the use of the security mechanisms within Lotus Notes (see S 3.25 Training on Lotus Notes security mechanisms for users).
After the organisational and planning preliminary work has been completed, the Notes system can be installed. The following measures should be noted here:

The installation can only be regarded as complete when the Lotus Notes systems have been made secure (see S 4.116 Secure installation of Lotus Notes). This will ensure that in the subsequent configuration phase only authorised Administrators can access the Notes system.
After the "raw installation" the Notes system, comprising the servers (see S 4.117 Secure configuration of a Lotus Notes server) and clients (see S 4.126 Secure configuration of a Lotus Notes client and S 4.127 Secure configuration of browser access to Lotus Notes), has to be configured for the first time.

Following the initial installation and a test operation phase, normal operation commences. From a security point of view the following aspects should be taken into account here:
- A Notes system is normally subject to continuous changes. This means that security-relevant configuration parameters require constant modification. In addition, in a client/server-based system security also depends on the security of all the subsystems - in this case, particularly, the clients. The safeguards that are relevant to secure operation are summarised in S 4.128 Secure operation of Lotus Notes and the safeguards for the protection of communications (see S 5.84 Use of encryption procedures for Lotus Notes communication, S 5.85 Use of encryption procedures for Lotus Notes e-mail and S 5.86 Use of encryption procedures with browser access to Lotus Notes).
- As well as protection during ongoing operations, however, contingency planning also plays an important role as the only way of containing damage in the event of an emergency. Information on contingency planning will be found in S 6.73 Creation of a contingency plan for failure of the Lotus Notes system.

The safeguards package for the "Lotus Notes" module is presented below.

Infrastructure:

S 1.29 (1) Adequate siting of an IT system (server)

Organisation:

S 2.2 (2) Resource management

S 2.25 (1) Documentation of the System Configuration

S 2.40 (2) Timely involvement of the staff/factory council

S 2.206 (1) Planning the use of Lotus Notes

S 2.207 (1) Defining security guidelines for Lotus Notes

S 2.208 (1) Planning of the domains and certificate hierarchy of Lotus Notes

S 2.209 (1) Planning the use of Lotus Notes in an intranet

S 2.210 (2) Planning the use of Lotus Notes in an intranet with browser access

S 2.211 (2) Planning the use of Lotus Notes in a demilitarised zone

Personnel:

S 3.4 (1) Training before actual use of a program

S 3.5 (1) Education on IT security measures

S 3.10 (1) Selection of a trustworthy administrator and his substitute

S 3.11 (1) Training of maintenance and administration staff

S 3.24 (1) Training on the Lotus Notes system architecture for Administrators

S 3.25 (1) Training on Lotus Notes security mechanisms for users

Hardware and Software:

S 4.116 (1) Secure installation of Lotus Notes

S 4.117 (1) Secure configuration of a Lotus Notes server

S 4.118 (1) Configuration as a Lotus Notes server

S 4.119 (1) Instituting restrictions on access to Lotus Notes servers

S 4.120 (1) Configuration of access control lists for Lotus Notes databases

S 4.121 (1) Configuration of rights of access to the Lotus Notes Name and Address Book

S 4.122 (2) Configuration for browser access to Lotus Notes

S 4.123 (2) Configuration of SSL-protected browser access to Lotus Notes

S 4.124 (2) Configuration of authentication mechanisms with browser access to Lotus Notes

S 4.125 (2) Instituting restrictions on access to Lotus Notes databases with browser access

S 4.126 (1) Secure configuration of a Lotus Notes client

S 4.127 (2) Secure configuration of browser access to Lotus Notes

S 4.128 (1) Secure operation of Lotus Notes

S 4.129 (1) Secure handling of Notes ID files

S 4.130 (1) Security measures following the creation of a new Lotus Notes database

S 4.131 (2) Encryption of Lotus Notes databases

S 4.132 (1) Monitoring of a Lotus Notes system

Communications:

S 5.68 (2) Use of encryption procedures for network communications

S 5.84 (2) Use of encryption procedures for Lotus Notes communication

S 5.85 (2) Use of encryption procedures for Lotus Notes e-mail

S 5.86 (1) Use of encryption procedures with browser access to Lotus Notes

Contingency Planning:

S 6.71 (2) Data backup for a mobile IT system

S 6.49 (1) Data backup in a database, in this case Lotus Notes databases

S 6.73 (1) Creation of a contingency plan for failure of the Lotus Notes system

last update:
July 2001

home