Several security topics are specific to iNotes: Notes ID files, browser cache management, encryption of offline databases, and encrypted mail (S/MIME). This article covers the key points of each.
iNotes and the Notes ID files
An ID file is not required for authentication when using Lotus iNotes. However, some functions do require an ID file, including offline access to iNotes, recalling messages, and sending and receiving encrypted mail (S/MIME). When you register a user, you can have the ID file automatically stored in the user's mail file. Starting at 8.5.1, the password in the stored ID file can be synchronized using the ID Vault functionality of Domino. You can easily see whether an ID file is stored within the mail file by accessing the security preferences within iNotes, as shown in figure 1.
For additional information on synchronizing passwords or enforcing a custom password policy, refer to:
ActiveX Controls
ActiveX controls provide a way to create distributed applications that work over the internet through the Internet Explorer browser. In Domino 8.5.x, several iNotes functions are implemented via an ActiveX control, including the ability to drag and drop attachments, the ability to select multiple files when uploading and downloading, and browser cache cleanup.
In order for an ActiveX control to install, the user must have Administrator or Power User authority on their workstation and must also allow the installation of ActiveX controls within their browser. As an administrator, you can control whether these controls are used by enabling or disabling them at the server level in the configuration document, as seen in figure 2, or for specific users in a mail policy.
Browser Cache Management
Browser cache management is a way to define which temporary files stored on the PC during iNotes access should be cleaned up after the user exits iNotes. For more information, refer to
What is Browser Cache Management and how is it installed?
Frequently Asked Questions regarding Browser Cache Management:
Question: What happens when you log out of iNotes without the browser cache management feature enabled?
Answer: The browser cache will be cleared when clicking logout, regardless of whether the Browser Cache Management feature is enabled. The benefit of Browser Cache Management is that the browser cache will be cleared without having to click logout. Just closing the browser, for example, will clear the browser cache.
Question: Is there any way to force the user to restart their browser after automatically installing browser cache management?
Answer: iNotes is a web based application and therefore must comply with the limitations of the browser. iNotes does not have the ability to force the browser to close.
Question: What does it mean by clear history when the browser window is closed?
Answer: This refers to clearing the temporary files available in your web browser. The files are deleted from the appropriate directory. You can set the cache scrubbing level to remove all cache entries or only those related to the user's mail file. Since iNotes is a web application, it has limitations on what it can and cannot do. When it clears the browser cache, it deletes these files from the directory, the same as if you browsed to the directory and deleted them via Windows Explorer. It is important to note that, other than attachments, user data is not stored on the hard drive, only design data to improve iNotes performance.
Question: How does the attachment get handled when you just read it and detach it? How does it get removed from the hard drive?
Answer: The same procedure applies: The file is deleted the same as if you browsed to the location and deleted it manually.
Encrypting Offline Databases
One great thing about iNotes is that if your server is accessible from the internet, you can easily access your mail anywhere. Lotus iNotes also allows users to access their mail offline (requires DOLS). When a user configures an offline subscription, a local copy of their mail file is created. This can be a concern because users could be on a shared computer. One way to minimize this concern is to force users to encrypt their mail file when going offline. This is easily accomplished in the configuration document for your server. In the example shown in figure 3, the Domino administrator defined that Medium encryption should be used and that the user cannot change this setting.
S/MIME
Lotus iNotes fully supports sending and receiving encrypted messages using secure MIME (S/MIME). There are two requirements for this functionality. First, the user must access their mail via a secure connection (SSL). Second, a Lotus Notes ID file must be stored within the mail file. Sending a secure message within iNotes is very simple: if the requirements have been met, the user can simply check the Encrypt option before sending the message.
If the recipient of a secure message does not have an ID file stored in their mail file, a warning message is displayed as shown in figure 5.
As you can see in the example, the error states that the body of the message is encrypted. This is important for you and your users to understand: the subject of the message is not encrypted, so all confidential information should be kept in the body of the message.
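The point about the unencrypted subject, as an added example that is not part of the original article: a Python check that parses an S/MIME enveloped message and reports which headers stay readable in transit, then flags sensitive terms left in the Subject. The sample message, its addresses, and the term list are constructed for illustration, and the function names are hypothetical.

```python
from email import message_from_string

# Constructed sample of an S/MIME enveloped message as it travels on the wire.
# The base64 payload is a placeholder, not real CMS ciphertext.
SAMPLE_SMIME = """\
From: alice@example.com
To: bob@example.com
Subject: Q3 acquisition of Example Corp - term sheet
Date: Mon, 01 Mar 2010 10:00:00 +0000
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

UExBQ0VIT0xERVItQ0lQSEVSVEVYVA==
"""

ENVELOPED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
ROUTING_HEADERS = ("From", "To", "Cc", "Subject", "Date")


def is_smime_enveloped(msg):
    """True when the body is an S/MIME enveloped-data (encrypted) part."""
    smime_type = (msg.get_param("smime-type") or "").lower()
    return msg.get_content_type() in ENVELOPED_TYPES and smime_type == "enveloped-data"


def cleartext_exposure(raw):
    """Report whether the body is encrypted and which headers remain readable."""
    msg = message_from_string(raw)
    exposed = {h: msg[h] for h in ROUTING_HEADERS if msg[h]}
    return {"body_encrypted": is_smime_enveloped(msg), "exposed_headers": exposed}


def subject_findings(raw, sensitive_terms):
    """For encrypted mail only, list sensitive terms found in the cleartext Subject."""
    info = cleartext_exposure(raw)
    if not info["body_encrypted"]:
        return []
    subject = info["exposed_headers"].get("Subject", "").lower()
    return [term for term in sensitive_terms if term.lower() in subject]


if __name__ == "__main__":
    print(cleartext_exposure(SAMPLE_SMIME))
    print(subject_findings(SAMPLE_SMIME, ["acquisition", "salary"]))
```

Only the body part is covered by the encryption; every header in the report, including Subject, is visible to any server or observer that handles the message.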