Skip to main content link. Accesskey S
  • Anonymous
  • Log on
  • Help
  • IBM logo
  • Lotus Notes and Domino wiki
  • All Wikis
  • Home
  • Community Articles
  • Product Documentation
  • Learning Center
Search
Advanced Search

Categories

Tag Cloud

  • 6.0
  • 6.5
  • 6.5.4
  • 6.x
  • 7.0
  • 7.0.2
  • 7.5
  • 7.x
  • 8.0
  • 8.0.1
  • 8.0.2
  • 8.5
  • 8.5.1
  • 8.5.2
  • 8.5.3
  • 8.5.x
  • 8.x
  • address
  • admin
  • administering
  • administration
  • administrator
  • attachment
  • best practice
  • Blackberry
  • cache
  • calendar
  • Client deployment
  • contacts
  • DAOS
  • database
  • database properties
  • db2
  • DCT
  • demo
  • deployment
  • deployment Notes
  • directory
  • document
  • documents
  • Domino
  • Domino Server
  • Domino Web Access
  • dwa
  • email
  • getting started
  • http
  • IMAP
  • inotes
  • install
  • iPhone
  • LDAP
  • logging
  • Lotus iNotes
  • Lotus Notes
  • Lotus Notes Traveler
  • Lotus Traveler
  • mail
  • mail file
  • max
  • media_notes
  • memory
  • message
  • messaging
  • MIME
  • moving_advanced
  • moving_cal
  • moving_mail
  • ND6
  • notes
  • Notes ID Vault
  • notes.ini
  • NotesBench
  • performance
  • plug-ins
  • Policies
  • preferences
  • R5
  • reference card
  • replication
  • router
  • Sametime
  • search
  • Security
  • server
  • smtp
  • table
  • text
  • tips
  • to do
  • Traveler
  • troubleshooting
  • upgrade
  • user
  • using
  • video
  • videofest
  • web
  • Widgets and Live Text
  • Windows
InformationInformation
You are currently viewing machine translated content. IBM translation might be available. Click IBM Translated Product Documentation to see what is available.X


Home > IBM Redbooks: Optimizing Lotus Domino Administration > 1.3 Security Checklist
Rate this article 1 starRate this article 2 starsRate this article 3 starsRate this article 4 starsRate this article 5 stars

1.3 Security Checklist 
expanded Abstract
collapsed Abstract
This article describes activities which administrators should perform on a regular basis to keep their environments secure. Security level of a server is defined by the weakest node in its chain. Server security consists of different areas, such as server physical security (server room), operating system (OS) access by OS administrators, and services that run on this machine.
ShowTable of Contents
HideTable of Contents
  • 1 Security Checklist
  • 2 Additional References
Table of Contents

According to some estimates, 80-90% of threats come from current or ex-employees. This article describes activities which administrators should perform on a regular basis to keep their environments secure. Server security consists of different areas, such as server physical security (server room), operating system (OS) access by OS administrators, and services that run on this machine. The security level of a server is defined by the weakest node in the chain.

Security Checklist

The following checklist guides you on what needs to be checked regularly to keep your servers in good shape from a security perspective:

  • Check for unneeded account by enabling the License Tracking in Configuration document. For small and medium environments, check every six months. For large environments, check quarterly. According to statistics, about 10% of the accounts in large environments are not used or not closed properly. For more information, see License Tracking
  • Run ACL analysis on all databases. Check to make sure that there is no high Default access, such as Default=Manager or Designer.
    Also, if your server is accessible from the Internet make sure that all databases have an Anonymous entry.
    Note: Catalog.nsf may not have all databases. It lists existing entries. It does not show that Anonymous entry is missing. You can write a simple LotusScript agent to check the ACL or use the Domino Administrator client to perform a mass ACL update.
  • Consider enabling LOG_USERSESSION=2 server notes.ini parameter as this will log the IP address of the PC from which the user accesses the Domino server.
  • Ensure that the Domino web server is logging requests. You may filter some resources from being logged. For more information, see License Tracking
  • Check that the Domino web server logs for attacks and scan your web site for brute force password attempts.
  • If you have HTTP access to your server, consider deploying SSL for authorization so that passwords are not transmitted in plain text over the network.
  • Check DDM database daily for new tickets. Consider enabling Security Probes in Lotus Domain Monitoring. For more information, see Security Probe
  • Make sure that no person records have attached USER.ID files. You can run a scheduled script to check this. In the case that the attached USER.ID is found, the script should notify the administrator. Many organizations have default start password. If password checking is not enabled, old copies of USER.ID may be used for the wrong purposes.
  • Check if deny access group is updated and is populated in server documents.
  • Check for unneeded tasks running on server. For example LDAP running on public server with Anonymous access allowed.
  • Check that only needed ports are open. Ask firewall administrators which ports are allowed from outside (Internet). Make sure only needed ports are open. If a port is no longer needed, close it on Domino and at the firewall level. Every opened port is a potential way to get inside your system.
  • If you plan to do vulnerability scanning with third-party software, do this outside of working hours. Notify administrators who are responsible for this system when you plan to perform the test.
  • Check against information theft. There are third-party solutions that allow you to check if anyone is accessing unauthorized data. There are Data Leakage Prevention systems that can protect you against information theft.
  • Ensure that the Domino server has Internet password locking feature enabled. If somebody does a brute force attack on a server, you can see this in the internet lockout database. For more information, see Securing an IBM Lotus Domino Web server: Using the new Internet lockout feature
  • Consider implementing stronger and more complex passwords. Do this step by step. If a user’s password does not comply with policy, the user will be asked to change the password. If the user cancels the password change procedure, Lotus Notes will notify the user that the current password is not complying with policy and the client will close.
  • Review the Security tab of your servers. Check who can enable Full Access Administration mode, who can sign scripts that has server operating system access, etc. Enable notification for enabling Full Access Administration to others, or a special mailbox. For more information, see Technote # 1197579

Keep in mind, security can impact system performance and user experience. The more secure the environment, the harder for users to access data to perform their work. You should find a balance between the needed security level required by the business holders and user comfort.

Additional References

For additional references and reading, see:

  • Lotus Security Handbook
    http://www.redbooks.ibm.com/abstracts/sg247017.html
  • Security Considerations in Notes and Domino 7: Making Great Security Easier to Implement
    http://www.redbooks.ibm.com/abstracts/sg247256.html

expanded Article information
collapsed Article information
Category:
IBM Redbooks: Optimizing Lotus Domino Administration
Tags:
Redbooks
This Version: Version 6 February 1, 2011 2:46:09 PM by Wei-Dong Zhu  IBMer

expanded Attachments (0)
collapsed Attachments (0)

 
expanded Versions (1)
collapsed Versions (1)
Version Comparison     
Version Date Changed by               Summary of changes
This version (6) Feb 1, 2011 2:46:09 PM Wei-Dong Zhu  
expanded Comments (0)
collapsed Comments (0)
Copy and paste this wiki markup to link to this article from another article in this wiki.
Go ElsewhereStay ConnectedSubscribe to RSSHelpAbout
  • All Lotus and WebSphere Portal wikis
  • IBM developerWorks
  • IBM Software support
  • IBM Social Business User Experience Blog
  • IBMSocialBizUX on Twitter
  • IBMSocialBizUX on Facebook
  • Lotus product forums
  • IBMSocialBizUX blog
  • IBM Collaboration Solutions
  • Recently added feedRecently added
  • Recently edited feedRecently edited
  • Recently added comments feedRecently Added Comments
  • Wiki Help
  • Forgot user name/password
  • Wiki design feedback
  • Content feedback
  • About the wiki
  • About IBM
  • Privacy
  • Contact IBM
  • IBM Terms of use
  • Wiki terms of use