Re: Lotus Notes Security

SMiller_at_unimin.com
Date: 07/29/04

    To: Grant.Orchard@aws.aust.com
    Date: Thu, 29 Jul 2004 08:32:10 -0400

    Grant,

    I think that you will find Domino/Notes a sound platform from a security
    standpoint. Just off the top of my head: protect your mail server with
    good antivirus and antispam. We use Trend Scanmail for Notes for AV. It
    is more than adequate, but our choices are constrained as we run Domino
    server in an IBM iSeries environment, you may have a broader selection. We
    also subscribe to several spam blacklists using the service native to
    Domino R6.5.1. We initially did not have antispam measures on Domino and
    found that implementing the blacklist capability reduced spam by over 60%.
    You also might consider an integrated approach. By coincidence, my
    neighbor is in IT for a different employer with a much larger and wider
    deployment of Notes (~10,000 desktops) and he strongly recommends the
    Postini filtering services. Also, if you deploy Notes clients with a
    default password and depend on users to change it to something more secure
    (not uncommon), make certain you have (and execute) a plan to follow up on
    the change. I believe that R6.5.1 Domino server has improved tools over R5
    to monitor client passwords. One question about R6.5.1 client that I have
    not yet resolved is whether the apparent increased integration with Windows
    makes it more dependent on Windows/IE dynamic link libraries and therefore
    more vulnerable to malicious HTML content. Therefore until I learn
    otherwise I am regarding IE vulnerabilities on Windows clients as potential
    Notes client vulns, and treating them with requisite urgency.

    -Scott

    Grant.Orchard@aws.aust.com
    07/28/2004 12:41 AM

    To: security-basics@securityfocus.com
    Subject: Lotus Notes Security

    Hi list,

    I'm putting together a list of security recommendations for our company and
    need to know if there is anything I should be recommending regarding Lotus
    Notes and Domino, both 6.5.1. The server only services mail and does not
    hold any web content; it is not visible from the net. It has a few
    databases used by management but that is all apart from being a mail
    server.

    Clients are left pretty much as they are installed. All users access their
    mail files locally, encrypted with the "medium" level encryption that Notes
    offers. Each location has a user ID to switch to.

    Thanks for your help.

    Grant Orchard

    NOTICE - This e-mail (and any attachments) is confidential. It may contain
    privileged information or copyright material. You should not read, copy,
    use or disclose it without the written authorisation of AWS. If you are
    not an intended recipient, please contact AWS by return e-mail and then
    delete both messages. AWS does not accept liability in connection with
    computer virus, data corruption, delay, interruption, unauthorised access
    or unauthorised amendment.

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------


