DOMCFG vs IBM security audit

I have a security audit report which states:

3.1.7. Lotus Notes/Domino Anonymous Access to Domino Configuration Database (http-domino-0016)
Description:
The Domino server has been configured to allow anonymous access to the Domino Configuration Database (domcfg.nsf). This database would allow an attacker to view and potentially modify URL mappings, URL redirection, and other administrative functions of your Domino site.

I checked. -Default- and Anonymous both have No Access turned on. They both do have “Read Public Documents” checked. If I uncheck this, will it do anything drastic? Like, if Anonymous cannot even get to a login page to log in, how will they be able to log in and become something other than Anonymous? Or is that not really a concern because it just doesn’t work that way? Like, the configuration is read by LocalDomainServers and the login screen is then presented by that (or some such thing)?

Subject: Try it

In domcfg there is a login form. If your users are already authenticated then there should not be any issues.

Subject: Other authentication

Such as webseal.

Subject: Read Daniel’s blog post. This may help.

Daniel Nashed's Blog http://blog.nashcom.de/nashcomblog.nsf/dx/inotes-redirect-without-anonymous-access.htm

Subject: Changes sign on screen

We tried it. It changed our sign in screen. (There’s an image posted that only appears if I “edit” this. Strange.)

Subject: I’d take that back to the security team

I didn’t infer that you are using a custom login page, but yes, if you are, then users have to be able to access it. You might provide this Technote to your security team and see if an exception can be granted or the scan tweaked.

http://www-01.ibm.com/support/docview.wss?uid=swg21230037

Subject: Should be fine to disable

I can’t think of a reason why Anonymous/No Access users would need to view anything in domcfg.nsf and don’t even know if any forms are configured for public access.

IBM Documentation http://www-01.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/conf_accesslevelprivilegesintheacl_c.dita?lang=en

Subject: “If your users are already authenticated”?

How do they get authenticated before they sign on?

Subject: Other authentication

Such as webseal.

Subject: Authenticated users see no login form

When you’re authenticated through Webseal, then you shouldn’t get a login form! Login Form through domcfg.nsf only appears for unauthenticated users.

Read http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg21099267 on how to configure domcfg masks for anonymous access!
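A small check for the situation the original poster and the "Try it" reply describe, added here as an example (not code from the thread or from IBM): it requests /domcfg.nsf without credentials and classifies the answer, so you can tell "anonymous only gets the login form" (what the Technote allows) apart from "anonymous can read the database" (what the scanner claims). The login-form marker strings and the placeholder host are assumptions.

```python
"""Classify what an unauthenticated client receives for /domcfg.nsf.

Heuristic check for the http-domino-0016 finding discussed above: a server
that uses a custom login form legitimately serves that one form to Anonymous
(via "Read Public Documents") and nothing else. Markers below are assumptions.
"""
import sys
import urllib.request
from urllib.error import HTTPError

# Assumed markers of a Domino login form ($$LoginUserForm and its usual field
# names); adjust to the site's own form if it has been customised.
LOGIN_FORM_MARKERS = ("$$LoginUserForm", 'name="Username"', 'name="Password"')


def classify(status, location, body):
    """Return 'denied', 'redirected', 'login-form', 'exposed' or 'unexpected-N'.

    denied      -> HTTP 401 challenge: Anonymous has no access at all
    redirected  -> 3xx to a login URL: blocked, session authentication in use
    login-form  -> 200 whose body is only the login form: the expected result
                   with -Default-/Anonymous = No Access + Read Public Documents
    exposed     -> 200 with other content: database readable anonymously, so
                   the finding is valid and the ACL needs fixing
    """
    if status == 401:
        return "denied"
    if 300 <= status < 400:
        return "redirected"
    if status == 200 and any(marker in body for marker in LOGIN_FORM_MARKERS):
        return "login-form"
    return "exposed" if status == 200 else f"unexpected-{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of silently following it


def fetch(url):
    """GET url with no credentials; returns (status, Location header, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "domcfg-check"})
    try:
        with urllib.request.build_opener(_NoRedirect()).open(req, timeout=15) as r:
            return r.status, r.headers.get("Location", ""), r.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.headers.get("Location", ""), err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Placeholder host; pass your own server as the first argument.
    base = (sys.argv[1] if len(sys.argv) > 1 else "https://domino.example.invalid").rstrip("/")
    print(f"{base}/domcfg.nsf anonymous access: {classify(*fetch(base + '/domcfg.nsf'))}")
```

Run the same check against an ordinary application database afterwards: that answer should be "login-form" or "redirected" too, which confirms the login page still reaches Anonymous after the ACL change.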