IT Baseline Protection Manual S 4.126 Secure configuration of a Lotus Notes client
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
Access to the Notes server is usually from a Lotus Notes client, and authentication to the server is performed using the Notes ID. The Notes ID must therefore be stored so that it is protected against access by third parties. The client configuration must also be adjusted so that working with the Notes client is as secure as possible.
As well as physical security and the secure operating system configuration of the client (see also the relevant modules in Chapters 4 and 6), the Notes-specific security aspects listed below require special consideration.
For the client to access the Notes ID file, the user must enter the Notes ID password. Once the Notes ID has been unlocked in this way, in principle anyone with access to the client console can access the server or servers as the authenticated user. To prevent this, the Notes client can be made to request the Notes ID password again before the next action; this is done by pressing function key F5. This mechanism can be used to lock the Notes client during a short absence from the desk (see also S 4.129 Secure handling of Notes ID files). Users must be told to activate a password-protected screen saver whenever they leave their desks.
Depending on the database, accessing it can trigger execution of active content in the database (scripts or agents) by the client. Depending on where this active content comes from, it may present dangers; for example, a Trojan horse could be used to obtain unauthorised access to local databases. All databases and all active content should therefore be signed using a special Notes ID (see S 4.130 Security measures following the creation of a new Lotus Notes database). The Execution Control List (ECL) then specifies whether active content signed with a particular Notes ID may be executed on a client or not. As a general rule, we recommend that no unsigned active database content be allowed to execute. The ECL is distributed to all clients at client set-up, under the control of the server. One problem is that under Windows NT the ECL is stored on the client in the file "DESKTOP.DSK", which the user can delete, thereby circumventing the ECL settings. Users' attention should therefore be drawn to the importance of this setting for system security. It is, however, also possible to have the client ECL updated automatically at regular intervals, so that the client ECL is repeatedly restored. Two mechanisms are available for this:
The parameter "ECLSetup" is set to a value of less than 3 in the "Notes.ini" file on the client. As a result, the ECL on the server is loaded the next time the client is started. However, this means additional organisational effort, as the parameter has to be changed on each client.
The update is controlled by a script (using the "@RefreshECL" function) placed in the template of a database which users regularly access (e.g. the mail database). However, this requires extra programming and amendment of a database template.
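The first mechanism is a plain edit of the client's Notes.ini. The following script is an added example, not part of the BSI manual and not Lotus software: it assumes Notes.ini is the usual "key=value" file headed by a [Notes] section, sets "ECLSetup" to 1 as the "value of less than 3" called for above (the manual does not distinguish between the values 1 and 2, so 1 is simply the choice made here), and leaves every other line untouched so that unrelated client settings survive. The sample Notes.ini at the end is constructed.

```python
"""Force a Notes client to reload the server ECL at next start via Notes.ini.

Added example, not from the BSI manual. It assumes Notes.ini is the usual
"key=value" file headed by a [Notes] section, and uses ECLSetup=1 as the
"value of less than 3" the manual calls for; the individual meanings of the
values 1 and 2 are not covered by the manual, so 1 is simply a choice here.
"""
import re
from pathlib import Path

ECLSETUP_LINE = re.compile(r"^\s*ECLSetup\s*=\s*(\S*)\s*$", re.IGNORECASE)
REFRESH_VALUE = 1  # any value below 3 makes the client reload the server ECL on next start


def ecl_setup_value(ini_text):
    """Return the current ECLSetup value as an int, or None if absent or not numeric."""
    for line in ini_text.splitlines():
        match = ECLSETUP_LINE.match(line)
        if match:
            try:
                return int(match.group(1))
            except ValueError:
                return None
    return None


def forces_ecl_reload(ini_text):
    """True if ECLSetup is present and below 3, i.e. the server ECL is reloaded at next start.

    A missing or unparseable value is treated conservatively as 'not forcing a reload'.
    """
    value = ecl_setup_value(ini_text)
    return value is not None and value < 3


def force_ecl_reload(ini_text):
    """Return ini_text with ECLSetup set to REFRESH_VALUE.

    The existing line is replaced in place if present, otherwise appended;
    every other line is kept unchanged so unrelated client settings survive.
    """
    lines = ini_text.splitlines()
    new_line = f"ECLSetup={REFRESH_VALUE}"
    replaced = False
    for index, line in enumerate(lines):
        if ECLSETUP_LINE.match(line):
            lines[index] = new_line
            replaced = True
    if not replaced:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def force_ecl_reload_file(path):
    """Apply force_ecl_reload() to a Notes.ini on disk; returns True if the file was modified."""
    ini = Path(path)
    text = ini.read_text(encoding="latin-1")  # Notes.ini is plain ANSI text
    if forces_ecl_reload(text):
        return False
    ini.write_text(force_ecl_reload(text), encoding="latin-1")
    return True


# Constructed sample of a client Notes.ini whose ECL has already been set up.
SAMPLE_INI = """[Notes]
Directory=C:\\notes\\data
KitType=1
ECLSetup=3
"""

if __name__ == "__main__":
    print(force_ecl_reload(SAMPLE_INI), end="")
```

Run force_ecl_reload_file() against the client's Notes.ini while the Notes client is closed, since the client rewrites Notes.ini on exit and would otherwise overwrite the change; the organisational effort the manual mentions is exactly that this has to be repeated on every client.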
In the ECL itself, the authorisations for all ECL entries must be checked and set so that they comply with the IT security guidelines. The entries "-Default-" and "-No Signature-" must be checked particularly carefully.
To enforce secure communication between server and client, port encryption can be used (see S 5.84 Use of encryption procedures for Lotus Notes communication).
Example:
The ECL settings shown in the table below can be used as the starting point for your own ECLs. Depending on the application scenario, the ECLs may have to be extended to include authorisations for active content which carries appropriate signatures. <admin> denotes an administrator and <QA> a testing body internal to the organisation which checks active content and releases it for use.
Flag                                    | -Default- | -No signature- | <admin> | Lotus Notes Template development/Lotus Notes | <QA>
----------------------------------------|-----------|----------------|---------|----------------------------------------------|-----
Allow user to modify ECL                | --        | --             | --      | --                                           | --
Access to the file system               |           |                | X       | X                                            | X
Access to the current database          |           |                | X       | X                                            | X
Access to environment variables         |           |                | X       | X                                            | X
Access to non-Notes databases           |           |                | X       | X                                            | X
Access to external code                 |           |                | X       | X                                            | X
Access to external programs             |           |                | X       | X                                            | X
Ability to send mail                    |           |                | X       | X                                            | X
Ability to read other databases         |           |                | X       | X                                            | X
Ability to modify other databases       |           |                | X       | X                                            | X
Ability to export data                  |           |                | X       | X                                            | X
Access to the Workstation Security ECL  |           |                | X       |                                              |
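Checking a client ECL against this baseline is the kind of control that is worth automating, since a deleted "DESKTOP.DSK" or a user-modified ECL leaves no trace on the server. The following script is an added example, not part of the BSI manual and not a Lotus Notes API: it encodes the baseline table, assuming the X marks fall in the three signed-content columns (<admin>, Lotus Notes Template development/Lotus Notes, <QA>), that access to the Workstation Security ECL is granted to <admin> only, and that "Allow user to modify ECL" is granted to nobody. The client ECL is assumed to have been exported into a constructed one-entry-per-line text format ("signer | flag | yes/no"); Notes provides no such dump, so parse_ecl_dump() stands in for whatever export the site actually uses. Any privilege held by "-Default-" or "-No Signature-" is reported as CRITICAL, as these are the entries the manual says to check particularly carefully.

```python
"""Audit a Notes client ECL against the baseline ECL of S 4.126.

Added example, not taken from the BSI manual or from Lotus Notes itself.
It assumes the client ECL has been exported into a constructed text format
with one entry per line, "<signer> | <flag> | yes/no"; Notes provides no such
dump, so replace parse_ecl_dump() with whatever export the site uses.
"""

ADMIN = "<admin>"
TEMPLATE_DEV = "Lotus Notes Template development/Lotus Notes"
QA = "<QA>"


def norm(name):
    """Signer names are compared case-insensitively ("-No Signature-" vs "-No signature-")."""
    return name.strip().lower()


# Signers that hold a privilege only if the active content carries their signature.
SIGNED = frozenset(norm(s) for s in (ADMIN, TEMPLATE_DEV, QA))
# Entries the manual says to check particularly carefully: they cover unsigned content.
UNTRUSTED = frozenset(norm(s) for s in ("-Default-", "-No Signature-"))

# Baseline from the S 4.126 table: flag -> signers allowed to hold it. Assumed
# placement: X marks in the three signed-content columns only, Workstation
# Security ECL access for <admin> only, "Allow user to modify ECL" for nobody.
BASELINE = {
    "Allow user to modify ECL": frozenset(),
    "Access to the file system": SIGNED,
    "Access to the current database": SIGNED,
    "Access to environment variables": SIGNED,
    "Access to non-Notes databases": SIGNED,
    "Access to external code": SIGNED,
    "Access to external programs": SIGNED,
    "Ability to send mail": SIGNED,
    "Ability to read other databases": SIGNED,
    "Ability to modify other databases": SIGNED,
    "Ability to export data": SIGNED,
    "Access to the Workstation Security ECL": frozenset({norm(ADMIN)}),
}


def parse_ecl_dump(text):
    """Parse the constructed dump format into {(signer, flag): granted?}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        signer, flag, value = (part.strip() for part in line.split("|"))
        entries[(signer, flag)] = value.lower() in ("yes", "x", "true", "1")
    return entries


def audit_ecl(entries):
    """Return sorted findings for privileges granted beyond BASELINE.

    Anything granted to -Default- or -No Signature- is CRITICAL, because it
    lets unsigned active content execute with that privilege.
    """
    findings = []
    for (signer, flag), granted in entries.items():
        if not granted:
            continue
        allowed = BASELINE.get(flag)
        if allowed is None:
            findings.append(f"unknown flag '{flag}' granted to {signer}")
        elif norm(signer) in UNTRUSTED:
            findings.append(f"CRITICAL: '{flag}' granted to unsigned entry {signer}")
        elif norm(signer) not in allowed:
            findings.append(f"'{flag}' granted to {signer}, not in baseline")
    return sorted(findings)


def audit_ecl_dump(text):
    """Convenience wrapper: parse a dump and audit it in one step."""
    return audit_ecl(parse_ecl_dump(text))


# Constructed sample export of a client ECL that has drifted from the baseline.
SAMPLE_ECL_DUMP = """\
# constructed sample, not a real Notes export
-Default- | Access to the file system | no
-Default- | Ability to send mail | yes
-No Signature- | Access to external programs | yes
<admin> | Access to the file system | yes
<admin> | Access to the Workstation Security ECL | yes
<QA> | Access to the Workstation Security ECL | yes
Lotus Notes Template development/Lotus Notes | Access to external code | yes
<admin> | Allow user to modify ECL | yes
"""

if __name__ == "__main__":
    for finding in audit_ecl_dump(SAMPLE_ECL_DUMP):
        print(finding)
```

On the constructed sample the audit reports four deviations: two CRITICAL ones (mail sending for -Default-, external programs for -No Signature-), the <QA> entry holding Workstation Security ECL access, and the "Allow user to modify ECL" grant. Signers that appear in the baseline with additional signatures can be added to BASELINE as the application scenario requires.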
Additional controls:
Is a current version of Notes client used?
Have the users been informed about the security mechanisms of the Notes client?
Are Notes IDs kept protected so that unauthorised copying is not possible?