Security flaw-accessing other people's databases
Marcus Trendar 02/14/2007 02:50 PM
I work as an internal auditor at a mid-sized (around 600 employees) company. Currently, I am auditing the IT department. During the audit I figured out that anyone can access other people's mailboxes and open/view them. (We use Lotus Notes 6.)

At the server I found the company's Domino Directory / address book directory database, or whatever it is called. (FOR YOU TO UNDERSTAND WHAT KIND OF DATABASE THAT IS: when the admin cut off my access to that database, my address book didn't work; an "access is forbidden" message came up.) I clicked on some person's name and a new window opened, showing the database's properties. The UserID of the person was there too. I copied it to my C drive and, following the steps (switch user ID / open database), I opened the person's database and viewed it.

As a curious internal auditor I checked some other people’s databases and saw this:

At the administration tab of someone's database properties there is a "Client Information" area, which includes "Notes client machine". In some people's databases, 3-4 computers' names were written in that area, some of which were not that person's computer.

My questions are:

1. How can my IT department fix this problem? (I told them to copy the COMPANY'S DOMINO DIRECTORY without the IDs and delete the old one... they said there would be chaos.)
2. In the "Notes client machine" area, what do the computer names written there mean? (Are those the ones who opened that database?)
3. Are there any logs showing who copied the IDs to their computers?
4. Are there any logs to see who accessed whose database with the UserID they copied?

I would be more than pleased if you could inform me about this.

Thanks in advance.
Marcus T.

