S 4.129 Secure handling of Notes ID files

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator, users

Lotus Notes users authenticate themselves to a Domino server through their Notes IDs. The Notes ID is held in the form of file and is generally identified with this. As well as the Notes certificate (certified public key) and the associated private key of a user, additional information can be stored in the Notes ID as well. Such information includes, for example, Internet certificates, symmetric encryption keys and information needed to recover Notes ID files (recovery information). All this information is protected by the Notes ID password. Before the Notes ID can be used, the user must enter the appropriate password. As a Notes ID contains sensitive information, it has a high protection requirement. The following aspects must therefore be considered when handling Notes IDs:

There are four categories of Notes ID:

1. Certifier IDs. These constitute the identities which issue Notes IDs for servers and users. Generally, certifier IDs represent organisational units within an agency or company and form a hierarchy. As a result of their intended use certifier IDs are particularly sensitive and therefore require special protection. This applies especially to the first Certifier ID generated - the root certifier ID - with which all other certifier IDs are signed.

2. Server IDs. These identify servers to users (or rather, to their Notes clients) and other servers. For a server to function, it needs a separate identity in the form of the server ID. The server ID is automatically generated during installation of the server and it is certified by a certifier ID. As server IDs are used to identify critical system components, they must be correspondingly well protected.

3. Administrator IDs. These are used to identify Administrators to servers. Administrator IDs may be distinguished from user IDs through extended privileges which make it possible to administer servers. As Administrators have a privileged position among the users, Administrator IDs require special protection.

4. User IDs. These are used to identify ordinary users to servers.

Depending on the various security requirements, different protective measures must be taken for Notes IDs. The following aspects need to be considered here:

• creation

• period of validity

• password quality

• distribution and storage location

• recovery

Password quality requirements can be specified at the point at which a new user ID is created. A numeric quality scale from 0 (no password) to 16 is available here. Although generally the accepted password length agrees with the numeric quality value, it is not the only evaluation criterion. Unfortunately at present no list is available from Lotus which describes what precise conditions a password must satisfy to achieve a specific quality level.

For the various categories of Notes ID, the following list contains appropriate recommendations which can be adapted and expanded as required.

• Certifier/root certifier ID

• Validity. Long validity (several decades, default = 100 years), never changed (except if the certifier ID has been compromised).

• Password. Multiple passwords necessary (at least two persons, two-person rule). Secure passwords required (Notes quality at least 10). To implement the two-person rule, Notes offers the possibility of protecting one Notes ID file with several passwords. The Notes ID file can only be used following input of all the passwords. Intervals for the enforced changing of passwords must be specified (a maximum of 30 to 40 days is recommended).

• Storage. Required during creation of new users or servers. Storage in the Name and Address Book (NAB) is not permitted. Storage only on mobile data media, e.g. diskette or CD-ROM, two backup copies with stored passwords, to be kept in different locations protected against third party access.

• Recovery. Must contain recovery information in order that user IDs certified with it can be recovered. Additional steps are necessary for recovery (e.g. the creation of the database), which are described in the Notes help.

• Server ID

• Validity. Long validity (several decades, default = 100 years), never changed (except if ID has been compromised).

• Password. The use of a password requires that the password is input every time the server boots up. If there are no organisational reasons opposed to this (e.g. where servers in different locations regularly have to be booted remotely and without on-site support), the use of server ID passwords is recommended. Backup copies must always be given a password. Intervals for the enforced changing of passwords must be specified (a maximum of 60 days is recommended).

• Storage. Required every time the server is booted up. Stored in the "Data" directory of the Notes server. Must not be held in a directory with a network share. Storage in the Name and Address Book (NAB) is not permitted. If no password is used (automatic server reboot), restrictive file authorisations must be configured. Warning. If a non-password protected server ID can be accessed by an unauthorised person, then this person (under most privileged authorisations) will also be able to access other servers. Backup copies analogous to certifier ID.

• Recovery. Contains the recovery information for the certifier ID with which the server ID was certified.

• Administrator ID

• Validity. The period of validity must be tailored to the local situation. Here security and administrative effort associated with changing the Administrator ID must be weighed up against each other.

• Password. The Administrator ID must be password-protected. Due to the privileged position of the Administrator, a very secure password must be chosen (at least Notes quality 9-10). Intervals for the enforced changing of passwords must be specified (a maximum of 90 days is recommended).

• Storage. The Administrator ID must be delivered to the Administrator by a secure route. Storage in the Name and Address Book (NAB) is not permitted. The Notes ID file must be kept so that it is protected against third party access. It is recommended making a backup copy.

• Recovery. Contains the recovery information for the certifier ID with which the Administrator ID was certified.

• User ID

• Validity. The period of validity must be tailored to the local situation. However, a validity period of two years has proved appropriate in practice.

• Password. User IDs must be password-protected. A secure password must be chosen (Notes quality at least 8). Intervals for the enforced changing of passwords must be specified (90 days is recommended).

• Storage. The user ID must be delivered to the user by a secure route. Storage in the Name and Address Book (NAB) is not permitted. The Notes ID must be kept so that it is protected against third party access. It is recommended making a backup copy.

• Recovery. Contains the recovery information for the certifier ID with which the user ID was certified. Old Notes ID files (version 4.x) must be converted to the new recovery mechanism of version 5 (see Notes help).

In general it should be borne in mind when handling Notes IDs that these are used for the unique authentication (identification) of users. While it is true that the Notes ID files are password protected, this password must be of appropriate quality and must only be known to the owner of the Notes ID. If the password is compromised, then unauthorised third parties could succeed in identifying themselves to a server using the Notes ID.

A user (or Administrator) can also possess more than one copy of a Notes ID. Every copy of a user's Notes ID can be given its own password. If a Notes ID file is copied unauthorised and its password is compromised, then unauthorised usage cannot be prevented by changing the password on the original without additional safeguards as well.

Additional controls:

• Are all Notes IDs kept protected so that unauthorised copying is not possible?