T 3.46 Error in the configuration of a Lotus Notes server

Errors in the configuration of a software system are frequently the cause of successful attacks. Because of the complexity of a Notes server, there is a real possibility that the Notes system might not satisfy the security requirements if configured incorrectly. Due to the large number of variables requiring configuration and the fact that a lot of parameters interact with other parameters, a number of threats can arise. Some typical incorrect configurations are listed below:

• No restrictions on access to the server. The basic settings generally allow anyone to access a Notes server. If there are no restrictions on access to a server, this first hurdle is wasted. Especially when combined with weak or incorrect access authorisations for other services or databases, security problems can arise.

• Flawed access control lists (ACLs) or insecure standard ACLs. Every database is given an access control list complete with standard entries following creation. This ACL will be based on the appropriate database template. Depending on the particular template, normally these do not offer adequate protection for the database as normally operated. This applies particularly where the database has to be initialised or further configuration settings have to be made following creation. Often generous privileges which are not necessary for ongoing operations are nevertheless initially necessary. If the standard access lists are not amended, this can result in unauthorised persons being able to access the database or users being granted excessive privileges.

• No encryption is used. Encryption of network communication (port encryption) and encryption of databases and database fields are normally disabled by default. To use the encryption facilities, they must be explicitly enabled. If this is overlooked, then the data will be unprotected.

• Insufficient authorisations for server or administrative processes. The correct functioning of a Notes database depends on its being administered and maintained from a dedicated server. The administrative and maintenance tasks of a server include updating database copies (data, access control lists etc.). If insufficient privileges are granted to the responsible server, the administrative actions cannot succeed. This can lead to security problems, for example, because changes to access authorisations cannot be passed on to the copies of a database.

• Acceptance of cross-certificates. Trust relationships between different certificate hierarchies (without a common certification entity) can be registered by effecting cross-certification (recognition of certificates issued by other bodies). Cross-certificates can generally be automatically generated when an unknown certificate is "discovered". This applies both to Notes certificates and also to X.509 certificates. It is also easy for users to create cross-certificates in personal local address books. On the other hand, only an authorised Administrator may create cross-certificates in the Name and Address Book. Ill-considered recognition of certificates as trustworthy can lead to security problems (e.g. in the case of active content which is signed with the certificate that is now viewed as trustworthy).

The problem areas listed are examples of possible threats which could come about as a result of incorrect configuration. Depending on the particular operational environment, there could be additional threats.

Example:

A server is configured in such a way that anonymous access is not permitted. On the Web interface only SSL connections are allowed. Therefore, when configuring the database ACLs no "Anonymous" entry is created. Moreover, SSL-protected Web access is not enforced as the server only accepts SSL connections to the Web interface. The "default" privileges defined in the database templates have not been changed in order to minimise the administrative effort involved in modifying the templates. A new database which contains public information is subsequently added, and the server is now configured so that normal Web access is permitted to this database (on an anonymous basis, not SSL-protected). From now on it is possible to gain anonymous access to all the server databases, with the "-Default-" privileges, which often permit at least read access, in force. As a result there is a danger that unauthorised persons could see confidential data or tamper with information.