IT Baseline Protection Manual S 4.118 Configuration as a Lotus Notes server
S 4.118 Configuration as a Lotus Notes server
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
The configuration of a Notes server as a database server must take into account the environment in which it will be operated and the planned application profile (see S 2.206 Planning the use of Lotus Notes and S 4.117 Secure configuration of a Lotus Notes server). In general, physical security and the secure configuration of the operating system of the computer on which the Notes software is used are also necessary for the security of a Notes installation. The safeguards for the relevant modules from Chapters 4 and 6 (e.g. 4.3.2 "Server Room", 4.4 "Protective cabinets", 6.4 "Windows NT Network", 6.2 "UNIX Server") must therefore be used.
In general the following aspects must be considered for the secure configuration of a Notes server:
Control of access to the server must be configured. This controls who is allowed to connect to the server and takes effect before the controls on access to databases come into play. The restrictions on access to the server must be configured in accordance with the access plan (see S 4.119 Instituting restrictions on access to Lotus Notes servers).
Control of access to databases must be configured in accordance with the access plan. For this purpose the access control lists (ACLs) must be changed for all databases in accordance with the access restrictions that are to be implemented (see S 4.120 Configuration of access control lists for Lotus Notes databases and S 4.121 Configuration of rights of access to the Lotus Notes Name and Address Book).
The administration process must be set up correctly so that the administrative activities it executes periodically can be triggered. Information on this can be found in the Notes help.
All databases should be signed with a special Notes ID provided for this purpose. It is especially important that agents and scripts are signed. If this is done, then the execution of agents and scripts on Notes clients can be linked to the signature used so that unsigned, alien agents and scripts are not automatically executed.
The necessary logging and function databases must be generated. Not all the databases that are necessary for operation of a Domino Server are created during the installation process. Thus, for example, the log database which logs all the certification processes of a server (including the issue of user IDs) must be created manually. This involves, for example, the file "certlog.nsf" and the template "certlog.ntf" (see also S 5.86 Use of encryption procedures with browser access to Lotus Notes).
The server should be accommodated in either a server room (see Section 4.3.2) or a protective cabinet (see Section 4.4). In addition, the server console must be protected against unauthorised use. The best way of doing this is to use the lock mechanism of the operating system (e.g. the Lock computer function available under Windows NT) or a password-protected screen saver (e.g. under UNIX). Activation of the Lotus Notes console password offers little protection here, because the password is displayed in plaintext as it is entered and the input line can generally be made visible again using the console window scrollbar.
If a server is networked with other servers, the authorisations of the servers with respect to each other must also be configured. This also concerns the exchange of data between servers in the course of database replication. The communication paths that are required must be configured by creating so-called connection documents. Information on the encryption of communication links, which may sometimes be necessary, is provided in S 5.84 Use of encryption procedures for Lotus Notes communication.
The security of the server also depends on the security of user authentication. This in turn is essentially determined by the security of a given user's Notes ID password. It is possible to define quality requirements which passwords must satisfy. These are specified on creation of a new user ID and then have to be adhered to every time that the password is changed. A numeric quality scale from 0 (no password) to 16 is provided. The minimum password quality for users should be set to the value "8" or higher (see also S 4.129 Secure handling of Notes ID files).
Additional controls:
Is the configuration of the Lotus Notes servers documented?
Are all the communication partners of a server known?
Is the physical security of the server computer assured?
Is the protection of the Notes server console assured?
Are access restrictions implemented at operating system level?