IT Baseline Protection Manual S 4.119 Instituting restrictions on access to Lotus Notes servers
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
A Notes server performs its first access control check before any database can be opened, namely at the moment a client establishes a connection. This allows the databases the server hosts to be restricted to a particular group of users, or access to be tied to other properties of the connection. The following mechanisms are available for restricting access:
During user authentication, the public key contained in the user ID is compared with the copy of the user's public key held in the Name and Address Book. An ID whose key does not match the directory entry is rejected, which prevents the use of forged IDs.
Anonymous access to the server can be refused. Access also counts as anonymous when a user presents a Notes ID issued by a certifier (certification body) that the server does not know, i.e. there is neither a common root CA certificate nor a cross-certificate.
The Notes ID password can also be checked. A hash value of the current password is then stored for exactly one user ID and updated whenever the password is changed. Only that user ID can be used to access the server; a copy of the user ID that does not carry the current password (for example a copy obtained together with a compromised password) can no longer be used to log on. Warning! When this option is enabled, the ID copy on which the password is changed first becomes, from then on, the only ID that can log on, and that copy may be the one held by an attacker.
Access can be limited to the users contained in the Name and Address Book of the server.
Explicit permission and exclusion lists (access/deny lists) can be specified. Exclusion lists take precedence over permission lists, so they can be used, for example, to deny access to individual users who would otherwise be admitted through a group. To simplify administration of the lists, they should refer to groups rather than to individual names.
Servers also possess an identity and can be specified in access/deny lists or in the groups contained in those lists.
Particular server operations can be restricted to a list of users or groups; examples are the creation of databases, the creation of replicas, the use of monitors, administration via the Web interface, and the execution of agents and scripts. The effect of leaving a list empty differs from option to option: for example, with no list specified, all users are by default allowed to create new databases. Lists that have not been deliberately populated must therefore be reviewed.
Notes allows a server to act as a "pass-through" (passthru) server, e.g. for dial-up connections, and allows servers to be reached through such a server. The Notes security concept must determine whether this is needed at all and which user groups are to be granted pass-through access authorisation.
For every server to be installed, it is necessary to decide in advance which of these mechanisms should be used.
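The following is an added illustration of how the connection-time checks listed above interact; it is a simplified model written for this page, not Domino code, and the configuration names (ServerConfig, trusted_certifiers, only_nab_users, allow_access, deny_access), the SHA-256 digest and the sample users and groups are assumptions made for the model. It shows the ordering of the checks, deny lists overriding allow lists through nested groups, a server identity appearing in a group, and the password-digest behaviour described in the warning above, where a stale ID copy is rejected once the password has been changed on another copy.

```python
"""Model of a Notes server's connection-time access checks (added example, not Domino code).

Field names, the SHA-256 digest and all sample data are assumptions constructed for the model.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class UserId:
    """What a connecting client presents from its Notes ID file (model)."""
    name: str
    public_key: str
    certifier: str      # certifier that issued the ID
    password: str       # ID file password; only its digest is ever compared


@dataclass
class PersonDoc:
    """The server's copy of a user's data in the Name and Address Book (model)."""
    public_key: str
    password_digest: str | None = None   # only maintained when password checking is on


@dataclass
class Directory:
    people: dict[str, PersonDoc]
    groups: dict[str, set[str]] = field(default_factory=dict)  # group -> users, servers or groups

    def members(self, group: str, seen: set[str] | None = None) -> set[str]:
        """Flatten a group, following nested groups and tolerating cycles."""
        seen = set() if seen is None else seen
        if group in seen:
            return set()
        seen.add(group)
        out: set[str] = set()
        for m in self.groups.get(group, set()):
            out |= self.members(m, seen) if m in self.groups else {m}
        return out

    def listed(self, entries: set[str], name: str) -> bool:
        """True if name appears in an access/deny list directly or via a group."""
        return any(name == e or name in self.members(e) for e in entries)


@dataclass
class ServerConfig:
    trusted_certifiers: set[str]          # common root CA or cross-certified certifiers
    allow_anonymous: bool = False
    only_nab_users: bool = True
    check_passwords: bool = False
    allow_access: set[str] = field(default_factory=set)   # empty = everyone admitted
    deny_access: set[str] = field(default_factory=set)    # always wins over allow_access


def digest(password: str) -> str:
    # Model only; Domino's own password digest format is not reproduced here.
    return hashlib.sha256(password.encode()).hexdigest()


def check_access(cfg: ServerConfig, nab: Directory, uid: UserId) -> tuple[bool, str]:
    """Return (granted, reason) for a connection attempt with the given ID."""
    # 1. ID from an unknown certifier: no trust chain, so the user counts as anonymous.
    if uid.certifier not in cfg.trusted_certifiers:
        return (True, "anonymous") if cfg.allow_anonymous else (False, "anonymous access refused")
    doc = nab.people.get(uid.name)
    # 2. The public key in the presented ID must match the NAB copy (forged-ID check).
    if doc is None:
        if cfg.only_nab_users:
            return False, "user not in Name and Address Book"
    elif doc.public_key != uid.public_key:
        return False, "public key does not match NAB entry"
    # 3. Password digest: bound to the first ID that authenticates successfully; any copy
    #    that does not carry the current password is rejected from then on.
    bind_digest = None
    if cfg.check_passwords and doc is not None:
        d = digest(uid.password)
        if doc.password_digest is None:
            bind_digest = d
        elif doc.password_digest != d:
            return False, "password digest mismatch (stale or copied ID)"
    # 4. Deny list beats allow list; an empty allow list admits everyone.
    if nab.listed(cfg.deny_access, uid.name):
        return False, "on deny list"
    if cfg.allow_access and not nab.listed(cfg.allow_access, uid.name):
        return False, "not on allow list"
    if bind_digest is not None:
        doc.password_digest = bind_digest
    return True, "access granted"


def change_password(nab: Directory, uid: UserId, new_password: str) -> None:
    """Password change on one ID copy: that copy and the stored digest move together."""
    uid.password = new_password
    nab.people[uid.name].password_digest = digest(new_password)


def demo() -> dict[str, tuple[bool, str]]:
    # Constructed sample directory: two people, one server, nested groups.
    nab = Directory(
        people={"Alice/Sales/ACME": PersonDoc("pk-alice"), "Bob/Sales/ACME": PersonDoc("pk-bob"),
                "Mail1/ACME": PersonDoc("pk-mail1")},
        groups={"Sales": {"Alice/Sales/ACME", "Bob/Sales/ACME"},
                "AllStaff": {"Sales", "Mail1/ACME"}, "Terminated": {"Bob/Sales/ACME"}},
    )
    cfg = ServerConfig(trusted_certifiers={"/ACME"}, check_passwords=True,
                       allow_access={"AllStaff"}, deny_access={"Terminated"})
    alice = UserId("Alice/Sales/ACME", "pk-alice", "/ACME", "s3cret")
    stale_copy = UserId("Alice/Sales/ACME", "pk-alice", "/ACME", "s3cret")  # copy held by an attacker
    r = {}
    r["alice_first"] = check_access(cfg, nab, alice)        # binds the digest to Alice's ID
    change_password(nab, alice, "n3w-pass")                  # Alice rotates on her own copy
    r["stale_copy"] = check_access(cfg, nab, stale_copy)    # old password: rejected
    r["alice_after"] = check_access(cfg, nab, alice)
    r["bob_denied"] = check_access(cfg, nab, UserId("Bob/Sales/ACME", "pk-bob", "/ACME", "x"))
    r["forged"] = check_access(cfg, nab, UserId("Alice/Sales/ACME", "pk-evil", "/ACME", "n3w-pass"))
    r["server"] = check_access(cfg, nab, UserId("Mail1/ACME", "pk-mail1", "/ACME", "srv"))
    r["foreign"] = check_access(cfg, nab, UserId("Eve/Other", "pk-eve", "/OTHER", "x"))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} {v}")
```

Bob illustrates the precedence rule: he is admitted through Sales, which is nested in AllStaff, yet the Terminated group on the deny list wins. The stale-copy case shows the warning in practice: had the attacker's copy been the one on which the password was first changed, Alice's own ID would be the one locked out.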
Additional controls:
Have adequate access control mechanisms been installed on the Notes servers?