Departure for notes admin security issues

This is a hypothetical scenario where a Notes admin's employment is terminated. An individual has full access to the Domino environment, access to the certifier and all server IDs. What steps need to be taken to ensure this individual no longer has access to systems?

Of course the first step is taking the terminated individual's personal account out of the Notes group with full admin access, putting the account in a deny access group, and eventually deleting the account. Assuming access to any Notes server from external networks requires VPN, then this is as easy as cutting VPN (and Active Directory) access, but what if 1532 is open on the firewall for client access to Notes server(s)? And in addition to that, let's say server IDs do not have a password (blank) – a lot of Notes admins do this for automatic Notes startup without a need to provide the ID password when the server is rebooted, which is OK as long as physical and logical (file system level) access to the Notes server is restricted to authorized personnel only; who cares if the Notes server ID does not have a password if an unauthorized individual cannot get hold of this ID… but

Long story short, the situation is: you have a terminated Notes admin, with 1532 directly open, and you know this terminated Notes admin has copies of your server IDs, which means she/he can install the admin client on a home PC with your server ID and connect with full admin access acting as a server. What would you do to protect your systems?

Ideas?

Subject: Many possibilities exist…

You can use server key rollover to change the RSA keys on your server IDs, rendering old copies less than useful. As long as you don’t have any data encrypted by your servers, you can simply re-register new servers with the same names and use the new ID files instead of the old ones. You can use server-based public key checking to make newly registered “extra” copies of user ID files generated by a stolen certifier unable to connect to the server, and can use public key checking in conjunction with user key rollover to guard against undetected theft of user ID files.

On the pro-active front, you can protect your server IDs and SSL keyring files with smartcards or hardware cryptographic accelerators, making theft obvious (and contain a physical component, which would make the police more useful in investigation and prosecution). You can protect your certifier ID with the CA process, and limit the number of admins with access to the CA’s ID file, and/or use multiple passwords on the certifier ID file.

Finally, if an admin does manage to walk off with the certifier ID, you can use CA key rollover in 8.0 to render the stolen copy of the certifier useless – but it is far better to protect your certifier ID intelligently than to roll over your entire organization every time an “untrustworthy” admin leaves.

And then there are the ACL/ECL/group-related/legal options that were mentioned elsewhere in this thread.

dave

Subject: Departure for notes admin security issues

Why would you need 1352 open through your external firewall, to the internet? I can understand 1352 being open on your internal firewall for NRPC mail transfer between Notes servers in your internal network and a DMZ Notes server. Please explain. Thanks!

Subject: RE: Departure for notes admin security issues

Like I said, this is a strictly hypothetical situation, but it can and does happen in the real world. To answer your question: in my years of working experience I saw different setups for accessing internal systems, not necessarily Domino/Notes related. One can have two-factor authentication to access internal resources, i.e. an RSA OTP token, then AD uid and password to access internal servers, and finally the Notes ID, which actually makes it three-factor auth; others can use just VPN with LDAP to AD and then the Notes ID via client, so you have to have VPN connectivity before accessing any internal servers. But I have seen people opening 1352 and accessing Domino servers from the Notes client directly from the Internet; people do this.

“Why would you need 1352 open through your external firewall, to the internet?”

For direct email access when people are traveling. Does this make sense?

Subject: RE: Departure for notes admin security issues

I’m afraid the only real answer is ‘soft’ control - you (or your client) have to explain to the departing admin that they know that he may have some tools which he thinks would give him unauthorised access, but that the servers will be monitored very carefully, and any such access WILL be detected, followed swiftly by legal action.

In the UK we have the draconian Regulation of Investigatory Powers Act, which allows for unlimited fines, unlimited jail sentences and seizure of all assets (and all with no legal representation allowed, because it’s an offence even to tell anyone that you’re under investigation! So much for Civil Liberties), which is intended for just such cases as this.

I am sure your local legislature has similar statutes on its books to deter would-be crackers.

Subject: RE: Departure for notes admin security issues

Hi

At one of my customers' sites I have a Domino server in the DMZ, with port 1352 open to the internet.

This server is in a different Notes domain, and it’s used for PASS THROUGH users only. No servers are able to pass through this server.

I understand the hours of work because of ID files is a pain, but I really don’t know of any security issue with Domino servers, but there is a lot on AD, so the AD is really simple but not secure.

I have a lot of servers under my control, some of them by VPN, but some of them by direct access. You can be sure when I leave one of them, they remove my user from the admin group and add me to the “fired” group, and I will have nothing to do.

Daniel

Subject: RE: Departure for notes admin security issues

Tim, I understand what you’re saying. I’ve also seen the same set up. I just didn’t think that it was really done that way, anymore. For external access into the internal Notes servers, I was used to putting a reverse proxy server, into the DMZ, and accessing the Notes server, via the client, in that aspect. I wish Lotus had an easier way to deal with their product, when an admin leaves.

Subject: RE: Departure for notes admin security issues

This is why I brought up this question as a hypothetical situation: how do other people deal with such a situation, which can happen to any one of us, where you are responsible for securing the systems you work with but your ability to do so is limited by the setup of the system (where you are not necessarily the person who set it up in the first place). And this does not have to be a situation where an admin is terminated; it could as well be where a person left the company, you are the new admin and really have no idea what back door the other person left open… I apologize if I’m stepping on someone else's thumbs, but I never understood the “advantage” of Lotus Notes ID usage and its greater security than other vendors' software. It would be so much easier if all you had to do is change the admin password.

Subject: RE: Departure for notes admin security issues

Tim, I totally agree. Why not get rid of the ID’s and go more along the lines of Active Directory. ID’s are so antiquated, and hard to manage. If it was more like AD, when an admin is terminated, the proper steps could be taken to remove the access from 1 specific group, which would go throughout the entire AD domain, and Forest, and nothing else would have to be done. With Domino, because of ACL’s, reader/author fields, document level security, server documents, etc etc, you’re afraid that somehow the former admin could bypass security by having an ID file on him/her.

Subject: Departure for notes admin security issues

You can put two or more passwords on your cert id’s. Give one to the admins and one to someone like the IT director.

Only when both passwords are known can the certifier be used.

It’s a bit late now if someone has already left and taken the cert.id but useful to know for the future.

Frunobulax

Subject: Departure for notes admin security issues

I would rather be concerned with a person “un-authorized” to the Domino server but “authorized” at the Windows OS server level, because nsf files can be copied to a thumb drive, brought home, a Notes client installed on a home PC, and that’s it.

My concern here is more about a person who reads others' mailboxes.

Cheers,

Ivan