IT Baseline Protection Manual S 4.122 Configuration for browser access to Lotus Notes
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
If browser access to a Lotus Domino server is to be allowed, then a reasonable level of security must be guaranteed for this type of access also.
To protect browser-based access, the following recommendations, which affect server, client and their communication mechanisms, should be implemented:
All accesses which require authentication should be protected with SSL (see S 4.124 Configuration of authentication mechanisms with browser access to Lotus Notes).
Browsers which support the SSL protocol must be used (see S 4.127 Secure configuration of browser access to Lotus Notes). The browser should support strong encryption, i.e. algorithms with a minimum key length of 80 bits.
The Domino server must be configured for SSL-protected Web access (see S 4.123 Configuration of SSL-protected browser access to Lotus Notes). To ensure that encryption is strong, at least version 5.0.4 of Domino Server should be used.
Access restrictions should be configured at database level also (see S 4.125 Instituting restrictions on access to Lotus Notes databases with browser access).
If Web access to a Notes system is planned, then the following additional security-relevant aspects must be considered:
The Notes ID password must not be the same as the Internet password.
The mechanism "Username and password" can be used for authentication on the Web interface. The Internet password can be freely specified for every user and is generally defined when a new user is created. However, care must be taken not to use the option of setting the Internet password to the same value as the Notes ID password. There are essentially two reasons for this. First, the Internet password may be transmitted in plaintext between client and server, so that it can easily be compromised. Second, the password hash is stored in the user's personal document in the Name and Address Book. Depending on the configuration, this value can also be viewed by other persons, so that a dictionary attack on the hash value could be carried out. In both cases, once the Internet password is known, it is also possible to access a Notes ID file if the same password has been chosen for it (see also S 4.124 Configuration of authentication mechanisms with browser access to Lotus Notes).
The desired type of access for users to the Name and Address Book must be configured.
Access for users to the Name and Address Book can be configured as read or as write access. With write access, users may only change their own personal document. In particular, this allows the user to change the Internet password, which may simplify administration. The disadvantages are that there is no control over the Internet password, for example with regard to quality and length, and that the user can also edit other entries in his personal document. Read access prevents this, but requires the intervention of an Administrator whenever a user wishes to change his Internet password. User access to the Name and Address Book can also be completely prohibited. This has the advantage that the hash value of the Internet password is protected from disclosure to third parties. However, it also prevents the Name and Address Book from being available for addressing, for example, e-mails (see also S 4.120 Configuration of access control lists for Lotus Notes databases and S 4.121 Configuration of rights of access to the Lotus Notes Name and Address Book).
Additional controls:
Is all browser access to Lotus Notes SSL-protected?
Has it been specified which type of access is configured for browser access to Lotus Notes?
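One way to check the first control from web server logs, as an added example that is not part of the manual: the script flags every request that involved authentication (a named user, or a 401 challenge that invites the browser to send the Internet password) on a port that is not SSL-protected. The log layout, the sample lines, the user names and the SSL port set are constructed assumptions, not Domino's own log format.

```python
import re

# Constructed sample lines. Assumed layout (not Domino's own log format):
# client - user [timestamp] "METHOD path PROTO" status bytes server_port
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2001:09:14:02 +0100] "GET /homepage.nsf HTTP/1.0" 200 5120 80
10.0.0.5 - "Anna Muster" [12/Mar/2001:09:14:40 +0100] "GET /mail/amuster.nsf HTTP/1.0" 200 8811 443
10.0.0.9 - "Bernd Beispiel" [12/Mar/2001:09:20:11 +0100] "GET /mail/bbeispiel.nsf HTTP/1.0" 200 9120 80
10.0.0.9 - - [12/Mar/2001:09:21:30 +0100] "GET /mail/bbeispiel.nsf HTTP/1.0" 401 210 80
10.0.0.7 - - [12/Mar/2001:09:25:00 +0100] "GET /mail/x.nsf HTTP/1.0" 401 210 443
this line is damaged
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>"[^"]*"|\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<port>\d+)$'
)
SSL_PORTS = {443}  # assumption: the port(s) on which the server speaks SSL


def audit(log_text, ssl_ports=SSL_PORTS):
    """Return (findings, unparsed_line_numbers).

    A finding is a request that involved authentication on a non-SSL port.
    """
    findings, unparsed = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(n)  # report, never silently skip: gaps hide findings
            continue
        if int(m["port"]) in ssl_ports:
            continue
        user = m["user"].strip('"')
        if user != "-":
            reason = "authenticated request without SSL"
        elif m["status"] == "401":
            reason = "authentication challenge issued without SSL"
        else:
            continue  # anonymous content over plain HTTP is not covered by this control
        findings.append({"line": n, "user": user, "path": m["path"], "reason": reason})
    return findings, unparsed


if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['reason']} (user={f['user']}, path={f['path']})")
    print("unparsed lines:", bad)
```

An empty findings list only answers the control for the period and servers the log covers, and unparsed lines should be reviewed by hand before the result is accepted.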