Re: Lotus Notes - Is this a bad thing?

From: Frank Lockburner (flockburner@rapidllc.com)
Date: 08/13/02


From: "Frank Lockburner" <flockburner@rapidllc.com>
To: "Peter V.E." <peter.ve@pandora.be>, <c_brauckmiller@LEK.COM>, "Holmes, Ben" <Ben.Holmes@getronics.com>
Date: Tue, 13 Aug 2002 11:10:53 -0400

When putting the server onto the internet, ensure that you only open up port
1352. This will ensure that users only connect using Notes Client Software.
Run an external pen test to ensure that only port 1352 opens (I have seen
many clients open both LDAP and HTTP services causing intrusions/risk). As
Peter.ve stated, ensure the ACL is locked down. The default is not good
enough. Also look on the web for security papers on securing notes (I have
them, but forget where I got them). Also, use:
http://domilockbeta.2y.net/. This will do some quick checks on your setup.
Also, as Craig Brauckmiller stated, don't store your notes IDs in the
names.nsf database. This will help lower your risk if someone does get
privileges into the names.nsf database.

Frank Lockburner
Rapid
(973) 829-0319 x200
flockburner@rapidllc.com

----- Original Message -----
From: "Peter V.E." <peter.ve@pandora.be>
To: <c_brauckmiller@LEK.COM>; "Holmes, Ben" <Ben.Holmes@getronics.com>
Cc: <security-basics@securityfocus.com>
Sent: Monday, August 12, 2002 7:10 AM
Subject: Re: Lotus Notes - Is this a bad thing?

> make sure you are not allowing anonymous connections to your databases,
> (check the ACL. In R6, you can edit the server doc and enable 'do not
> allow anonymous connections to this server')
> Also, do not store notes ids in your NAB/Domino Directory (names.nsf)
> when creating new people
>
>
>
> ----- Original Message -----
> From: <c_brauckmiller@LEK.COM>
> To: "Holmes, Ben" <Ben.Holmes@getronics.com>
> Cc: <security-basics@securityfocus.com>
> Sent: Friday, August 09, 2002 2:10 PM
> Subject: Re: Lotus Notes - Is this a bad thing?
>
>
> >
> >
> > Ben, we used to do that with our Notes servers.
> > I'd suggest that you have your associate only allow access to port 1352
> > for the specific Notes servers in the other country via the firewall. This way,
> > you minimize your exposure.
> >
> > Unless the person connecting to the Notes box has an ID file from the
> > Notes domain that your company has set up, there is very little that can be
> > done.
> > Notes encrypts its traffic with either 40 bit or 128 bit encryption (Notes
> > R4. Notes R5 and 6 probably support higher levels.)
> >
> > Hope that helps.
> >
> > Craig Brauckmiller
> > LEK Consulting LLC
> >
> >
> >
> >
> >
> > "Holmes, Ben" <Ben.Holmes@getronics.com> on 08/07/2002 12:12:26 AM
> >
> > To: security-basics@securityfocus.com
> > cc: (bcc: Craig Brauckmiller/LEK)
> >
> > Subject: Lotus Notes - Is this a bad thing?
> >
> >
> >
> >
> > An associate is thinking of putting port 1352 open to the 'net.
> >
> > They are running Notes and they have it patched up and need to use this
> > port to replicate it with another country.
> >
> > They basically want this setup...
> >
> > <Notes server>---(NAT)---<FIREWALL>-----(Port 1352 routes to <Notes
> > Server>)
> > |
> > |
> > <Remote Network and Notes server>
> >
> > What is the problem with this...
> >
> > Assuming anyone can connect to port 1352 on a notes server, what can
> > they do assuming it is set up by a good sys-admin?
> >
> > Although I have limited experience with Notes, I don't like this.
> >
> > --
> > Benjamin Holmes
> > Managed Services Division
> >
> > Getronics Australia Pty Limited
> > 27 James Street
> > Fortitude Valley QLD 4006
> > Australia
> > Tel: +61 7 3251 7430
> > Fax: +61 7 3251 7499
> > E-Mail: brisbane.workshop@getronics.com
> > www.getronics.com.au
> >
> > The information transmitted is intended only for use by the addressee
> > and may contain confidential and/or privileged material. Any review,
> > re-transmission, dissemination or other use of it, or the taking of any
> > action in reliance upon this information by persons and/or entities
> > other than the intended recipient is prohibited. If you received this in
> > error, please inform the sender and/or addressee immediately and delete
> > the material.
> >
> > Thank you.
> >
> >
> >
> >
>
>



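The thread's perimeter advice boils down to two checks: forward TCP 1352 to the Notes server only from the specific remote replication servers (Craig's point), and verify from outside that nothing but 1352 answers, since exposed HTTP or LDAP tasks are where the risk creeps in (Frank's point). The script below is an example added by the editor, not code from any poster or from Lotus/IBM. The firewall rule format, the peer addresses (TEST-NET ranges) and the scan result are constructed for illustration; the well-known port numbers are the standard assignments.

```python
"""Audit the perimeter exposure of a Notes/Domino server that replicates over
the Internet, following the advice in the thread: forward only TCP 1352, only
from the specific remote Notes servers, and confirm with an external check that
nothing else (HTTP, LDAP, ...) answers.

Added example by the editor, not code from any poster.  The rule format, the
peer addresses and the scan results below are constructed for illustration.
"""
from dataclasses import dataclass

NOTES_PORT = 1352  # Notes RPC; the only port the thread says should be reachable

# Other Domino services the posters warn against exposing alongside 1352
# (constructed label table; the port numbers are the standard assignments).
DOMINO_SERVICES = {
    25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP",
    389: "LDAP", 443: "HTTPS", 636: "LDAPS",
}

ANY_SOURCE = "0.0.0.0/0"  # a rule with this source is open to the whole Internet


@dataclass(frozen=True)
class ForwardRule:
    """One firewall rule that forwards a TCP port to the internal Notes server."""
    src: str       # source address/CIDR allowed to reach the port
    dst_port: int  # TCP port forwarded to the Notes server


def audit_rules(rules, replication_peers):
    """Return findings for rules that widen exposure beyond 'port 1352 from the
    named replication peers'.  An empty list means the rule set matches the
    thread's recommendation."""
    findings = []
    for rule in rules:
        if rule.dst_port != NOTES_PORT:
            # Any other Domino task reachable from outside is a finding.
            name = DOMINO_SERVICES.get(rule.dst_port, "port %d" % rule.dst_port)
            findings.append(
                "%s (tcp/%d) forwarded to the Notes server from %s"
                % (name, rule.dst_port, rule.src))
        elif rule.src not in replication_peers:
            # 1352 itself should be reachable only from the known remote servers.
            findings.append(
                "tcp/%d open to %s, not restricted to the replication peers"
                % (NOTES_PORT, rule.src))
    return findings


def unexpected_open_ports(scan_open_ports):
    """Given the set of TCP ports an external scan of the public address found
    open, return the ones that should not be there (anything except 1352)."""
    return sorted(p for p in scan_open_ports if p != NOTES_PORT)


if __name__ == "__main__":
    # Constructed sample: two replication peers in the other country, a correct
    # rule for one of them, and two mistakes of the kind the thread describes.
    peers = {"203.0.113.10", "203.0.113.11"}
    rules = [
        ForwardRule("203.0.113.10", NOTES_PORT),  # correct
        ForwardRule(ANY_SOURCE, NOTES_PORT),      # 1352 open to everyone
        ForwardRule(ANY_SOURCE, 80),              # HTTP task exposed
    ]
    for finding in audit_rules(rules, peers):
        print("RULE:", finding)
    # Constructed external scan result: LDAP is answering besides 1352.
    for port in unexpected_open_ports({1352, 389}):
        print("SCAN: unexpected open port tcp/%d (%s)"
              % (port, DOMINO_SERVICES.get(port, "unknown")))
```

Feed `audit_rules` the forwarding rules exported from the firewall and `unexpected_open_ports` the open-port list from a scan of the public address; a clean run prints nothing, which is the state Frank's "only port 1352 opens" check is looking for.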