Security Basics mailing list archives
Re: Lotus Notes Security
From: SMiller () unimin com
Date: Thu, 29 Jul 2004 08:32:10 -0400
Grant,
I think that you will find Domino/Notes a sound platform from a security
standpoint. Just off the top of my head: protect your mail server with
good antivirus and antispam. We use Trend Scanmail for Notes for AV. It
is more than adequate, but our choices are constrained as we run Domino
server in an IBM iSeries environment; you may have a broader selection. We
also subscribe to several spam blacklists using the service native to
Domino R6.5.1. We initially did not have antispam measures on Domino and
found that implementing the blacklist capability reduced spam by over 60%.
You also might consider an integrated approach. By coincidence, my
neighbor is in IT for a different employer with a much larger and wider
deployment of Notes (~10,000 desktops) and he strongly recommends the
Postini filtering services. Also, if you deploy Notes clients with a
default password and depend on users to change it to something more secure
(not uncommon), make certain you have (and execute) a plan to follow up on
the change. I believe that R6.5.1 Domino server has improved tools over R5
to monitor client passwords. One question about R6.5.1 client that I have
not yet resolved is whether the apparent increased integration with Windows
makes it more dependent on Windows/IE dynamic link libraries and therefore
more vulnerable to malicious HTML content. Therefore, until I learn
otherwise, I am regarding IE vulnerabilities on Windows clients as potential
Notes client vulns, and treating them with requisite urgency.
-Scott
From: Grant.Orchard@aws.aust.com
Date: 07/28/2004 12:41 AM
To: security-basics () securityfocus com
Subject: Lotus Notes Security
Hi list,
I'm putting together a list of security recommendations for our company and
need to know if there is anything I should be recommending regarding Lotus
Notes and Domino, both 6.5.1. The server only services mail and does
not hold any web content; it is not visible from the net. It has a few
databases used by management but that is all apart from being a mail
server.
Clients are left pretty much as they are installed. All users access their
mail files locally, encrypted with the "medium" level encryption that Notes
offers. Each location has a user ID to switch to.
Thanks for your help.
Grant Orchard
