RE: Security flaw-accessing other people's databases Tom Kuczek 14.Feb.07 03:01 PM a Web browser Domino Everyplace All Releases All Platforms
This is not a security flaw; this is a weak implementation of Lotus Domino security. Domino is very secure when implemented properly, and in your case it was not.
Being the auditor, I would come down hard on the IT group and have them find a solution for moving the ID files out of the Domino directory and off of the invalid users' machines. When a user is created, the Notes administrator has the ability to store the ID in the directory or store it out on the file system - your group obviously did not know how to create users properly to have a secure Domino environment.
There are no logs indicating which ID file was copied or detached from the Domino directory. There are creative solutions that can be developed to fix the problem, and I would ask IT to come up with a solution. There are many solutions and answers to your questions, and they can be found in this forum. A login script can be executed to search the user's system for .id files and write this information out to a log file. At least you would know which users have invalid ID files on their systems.
I did not mean to be negative or condescending, but if your group does not have Domino expertise (and it sounds like you don't), I would recommend hiring a Domino consultant to resolve your issues.
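
One way to write the login script mentioned in the post above, as an added example that is not part of the original post: a PowerShell logon script that inventories `.id` files on the workstation and appends the findings to a central CSV log. The log share path, the scan roots, and the allow-listed Notes data directory are assumptions to replace with your own values.

```powershell
# Added example: logon-time inventory of Notes ID files on a workstation.
# Assumptions (not from the original post): the log share path, the scan
# roots, and the directory where a user's own ID file is allowed to live.
param(
    [string[]]$Roots   = @($env:USERPROFILE),
    [string]  $LogFile = '\\fileserver.example\audit$\notes-id-inventory.csv',  # placeholder path
    [string[]]$Allowed = @((Join-Path $env:LOCALAPPDATA 'Lotus\Notes\Data'))    # assumed location
)

$records = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # -Force includes hidden files; access-denied folders are skipped silently.
    Get-ChildItem -LiteralPath $root -Filter '*.id' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_

            # Flag whether the file sits in (or below) an allow-listed directory.
            $expected = $false
            foreach ($dir in $Allowed) {
                $prefix = $dir.TrimEnd('\') + '\'
                if (($file.DirectoryName + '\').StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                    $expected = $true
                }
            }

            [pscustomobject]@{
                ScannedAt = (Get-Date).ToUniversalTime().ToString('o')
                Computer  = $env:COMPUTERNAME
                User      = $env:USERNAME
                Path      = $file.FullName
                SizeBytes = $file.Length
                Modified  = $file.LastWriteTimeUtc.ToString('o')
                # Identical hashes on different machines mean the same ID file was copied.
                SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                Expected  = $expected
            }
        }
}

# Append only when something was found, so the log lists findings, not logons.
if ($records) {
    $records | Export-Csv -LiteralPath $LogFile -Append -NoTypeInformation -Encoding UTF8
}
```

Rows with `Expected` set to `False` are the ones to review first; the share should be append-only for users so the log cannot be edited from a workstation.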