S 4.117 Secure configuration of a Lotus Notes server

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

Lotus Domino Application Server consists of a number of function modules and can therefore be used not just as a pure database server, although most of the application scenarios are derived from this role. Now that Internet technologies have been integrated, the modules available include the following:

• The database server module allows database access for Notes clients.

• The HTTP server module permits database access via a browser and can also be used as a normal WWW server for the provision of HTML pages.

• The LDAP (Lightweight Directory Access Protocol) server module permits access to user information for LDAP clients.

• The e-mail server modules (e.g. SMTP and POP3 Server) allow the use of e-mail using Internet protocols.

• The NNTP server module permits access to news.

Depending on the operational scenario and the scope of functionality offered by the Domino server, it is necessary to check which modules have been enabled in the standard installation and which tasks are therefore executed by the server (as separate operating system processes or as threads).

It is also necessary to specify which modules should be used. Modules that are not used should not be installed or else they should be disabled. Every module that is installed should be viewed as a potential security loophole if configured incorrectly. This applies especially to the modules (e.g. HTTP, POP, SMTP, LDAP) which enable access to server data using third party programs (e.g. browser, e-mail programs).

Every module that is enabled requires corresponding security planning, which must be implemented through suitable configuration parameters (see also S 2.207 Defining security guidelines for Lotus Notes).

As most of the function modules of Domino Application Server usually revolve around databases and provide information from those databases to clients via appropriate communication protocols, a secure, database-specific basic configuration must be established in every case. After that the module-specific parameters that are necessary must also be configured.

There are two main types of access to a Notes system: via a Notes client and via a browser. The associated recommendations are summarised separately in

• S 4.118 Configuration as a Lotus Notes server, which describes the security-relevant basic configurations, and

• S 4.122 Configuration for browser access to Lotus Notes, which describes the additional configuration measures for access via browsers.

A Notes system generally consists not only of a Notes server but also of a whole server network (see also S 3.24 Training on the Lotus Notes system architecture for Administrators). The individual servers can replicate databases amongst each other. This can be an effective means of countering losses of data, but having copies of a database on several servers also has the effect of distributing the load. In order that the currency of the database copies can remain assured within certain limits, changes to the data must be exchanged between servers. For security reasons a replication concept must therefore be created. The following aspects should be taken into account here:

• Which server holds the original of a database?

• On which servers should a database be replicated?

• How often should the database be replicated? When should it be replicated?

• What information in a database should be replicated?

• Should changes to replicas of a database be permitted and should these be passed to the original?

• Should users be allowed to generate server-side or client-side replicas of a database?

• Should it be possible to modify access control lists or properties of replica databases?

The access authorisations for a database must be set in such away that the operations necessary for replication can be carried out. The replication log must be checked at regular intervals.

The security of a Notes system also depends on the security of the clients used for access. Therefore the client computers and client programs must also be included in the implementation of a secure configuration of a Notes system. The IT security aspects which need to be considered here are covered in safeguards

• S 4.126 Secure configuration of a Lotus Notes client and

• S 4.127 Secure configuration of browser access to Lotus Notes

As a system will generally be subject to continuous changes as a result of ongoing operations, the security must be continuously monitored and reconfigured as required. Information on this will be found in S 4.128 Secure operation of Lotus Notes.

If a network and system management system is in use or is planned to be in use in the future, this should be included in the deliberations relating to configuration. For example, it is necessary to clarify whether Notes-specific settings on the IT systems involved should be made via this system and whether the product used or planned supports this. If necessary, additional modifications or enhancements may be necessary.

Additional controls:

• Does a security concept for the use of the different function modules of Lotus Notes exist?

• Does documentation cover which modules should be used in which configuration?

• Is there a replication concept?