IT Baseline Protection Manual S 2.210 Planning the use of Lotus Notes in an intranet with browser access
S 2.210 Planning the use of Lotus Notes in an intranet with browser access
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management, Administrator
If a Notes server within the intranet is also to be accessed via a browser, then the relevant security issues must be considered and planned for.
Compared with access via the Notes client, the Web interface generally offers less functionality. In particular it should be noted that, compared with access from a Notes client, quite different security mechanisms are used for authentication on the Web interface. Again, data security at database level is only supported here to a limited extent. Decryption and encryption of document fields is currently not offered on the Web interface. Another restriction is the lack of any facility for replicating databases locally on clients in order to enable offline processing.
Since browser access inevitably carries certain IT security risks, this is not recommended. It should therefore be made as restrictive as possible, i.e. enabled only when this is absolutely necessary.
If browser access is still to be enabled despite the additional security problems, the following issues must be considered at the planning stage:
Which users should be allowed to access what servers over the Web interface? This decision will affect the configuration of database access which must then be modified accordingly (see S 4.120 Configuration of access control lists for Lotus Notes databases and S 4.125 Instituting restrictions on access to Lotus Notes databases with browser access).
Is access to Lotus Notes to be exclusively over the Web interface? If this is the case, then certain limitations, e.g. with regard to encryption mechanisms, will have to be accepted as not all functions and security mechanisms are available on the Web interface. A decision must therefore be made as to whether these limitations are acceptable.
Can all the necessary databases be used over the Web interface? Database functionality that is implemented using client-side LotusScript and agents is lost when databases are accessed via the Web, as LotusScript is not supported by the browsers. For this reason it is necessary to check whether such databases are used.
Which data should it be possible to access over the Web interface? A rough distinction can be made between public data, internal data (e.g. customer data, project data, HR data) and the office data of employees (e.g. diary, e-mail, To Do lists etc.). A further distinction, e.g. following an assessment of protection requirements as per Section 2.2, may be appropriate. Only data with no particular protection requirement should be released for access over the Web interface.
Can the data which is to be accessed over the Web interface be held on dedicated servers? This would make configuration of servers easier, as there would be no mixed access (Notes client and browser). The data should therefore if possible be kept separate.
Which databases should it be possible to access using the Web interface? Special security settings must be made for such databases (see S 4.120 Configuration of access control lists for Lotus Notes databases, S 4.125 Instituting restrictions on access to Lotus Notes databases with browser access).
Does the data need to be protected during transportation over the Web interface? If so, communications must be protected (see S 5.86 Use of encryption procedures with browser access to Lotus Notes). Unprotected transportation of data should definitely be avoided. Only where the data can be accessed anonymously is it possible to dispense with encryption.
Is anonymous access using the Web interface necessary? In this case the relevant server and the databases affected must be modified accordingly (see S 4.119 Instituting restrictions on access to Lotus Notes servers, S 4.120 Configuration of access control lists for Lotus Notes databases, S 4.124 Configuration of authentication mechanisms with browser access to Lotus Notes). Public data which is to be accessed anonymously should be held on a special server. Anonymous access to all other servers should then be disabled.
Where databases are accessed over the Web interface should privileges be restricted? This is strongly recommended due to the restricted security functionality. In this case, however, due to the loss of functionality which this implies, generally it is not possible to enforce exclusive use of the Web interface. The databases must be appropriately configured (see S 4.125 Instituting restrictions on access to Lotus Notes databases with browser access).
Should a separate certification authority (CA) be operated for the issue of Internet certificates? In this case the setting up of a separate certification authority (e.g. a Notes CA) and the certificate hierarchies must be planned. In addition provision must be made for the distribution of certificates to servers and users.
Can the security of the computers which function as clients be assured? The security level of these computers has an impact on the authentication procedures used on the Web interface (see S 4.124 Configuration of authentication mechanisms with browser access to Lotus Notes).
Which browser will be used for Web access? The security mechanisms of the browser also have an impact on the authentication procedures used on the Web interface (see S 4.124 Configuration of authentication mechanisms with browser access to Lotus Notes, S 4.127 Secure configuration of browser access to Lotus Notes).
Should servers be administered over the Web interface? Administration over the Web interface should only be adopted after thoroughly weighing up the risks involved. Administrator access must use all the security mechanisms (see S 4.123 Configuration of SSL-protected browser access to Lotus Notes, S 4.125 Instituting restrictions on access to Lotus Notes databases with browser access).
Should users be allowed to access their e-mail databases over the Web interface? This requires corresponding configuration of the access mechanisms of the individual e-mail databases (see S 4.123 Configuration of SSL-protected browser access to Lotus Notes, S 4.125 Instituting restrictions on access to Lotus Notes databases with browser access).
Do e-mails need to be encrypted? In this case, the Web interface cannot be used as the sole means of access to the Notes server if Notes encryption must be used. S/MIME encryption is not available on the Web interface either. Therefore all the users must use an S/MIME-capable e-mail client and be supplied with an "Internet certificate" that can be used with S/MIME (see S 5.85 Use of encryption procedures for Lotus Notes e-mail).
Depending on the specific operational scenario, there may be other issues which need to be considered where Lotus Notes is to be used in an intranet with browser access.
Additional controls:
Are there any compelling reasons for allowing browser access to Notes servers?
Does a concept exist for the use of Lotus Notes with browser access?