FORUM PLAN UPDATE
Date revision: This forum will remain open to new posts and responses until December 1, 2018. (After that date, you will still be able to view and search the forum.) Also, we're taking a second look at the best place to host future conversation. For now, keep using this forum, and stay tuned for more news.


Apr 5, 2017, 11:17 AM
319 Posts

Another Puzzler... Execution Security Alert

  • Category: Security
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator,End User
  • Tags:
  • Replies: 5

New Puzzler. again, have never seen this in 18 years....

Lately, for the past couple months or so, out of the blue a user will report having the Execution Security Alert pop up, containing my (or another Admin's) name.

It's odd, because we've both been listed in the Administration ECL for years.

A couple times that this has happened I've gotten a copy of the user's ECL - 'File -> Security -> User Security -> What Others Do' - at it's been reset to the default.

Weird thing is, they've been working sometimes for months with no ESA, then all of a sudden... It seems to happen in the morning, on a fresh client startup. As if the ECL gets reset, maybe during policy refresh?

It seems, but I can't be 100% sure, that these have mostly been 9.0.1FP6 machines, but there may have been a FP3 or two. Servers are all 9.0.1FP7.

Thoughts?

 

 

Apr 6, 2017, 5:14 PM
320 Posts
Policy

Perhaps the user did this to them selves or switched to a test environment and the ecls from the pub nab came down.

 

Why not have a security policy that has all the id and wild cards listed that this isse will go away.

Apr 7, 2017, 10:42 AM
319 Posts
Policy

We do.

When I say the the user's ECL was set to the default, i meant the default as seen when the client is first installed. The list only includes the base Lotus Notes Development entries, NONE of what we set in the Admininstraion ECL.

We do have a security Policy to push out the complete ACL, and both admins, servers, etc are listed there.

For the last couple users that gets the ESA, when we check their and we check the user's ECL - 'File -> Security -> User Security -> What Others Do' - at it's been reset to the default Lotus entries. A couple of times, the user has been prompted to allow the Admin ID to update their ECL. When they accept it, the entire ECL gets re-populated. Or, again, for the ones that I've looked at, clicking the 'Refresh all' button will pull in the Administration ECL.

But none of these have been fresh installs - in other words, the client has been running for weeks or months, then, one morning, a random client will get the alert. It's as if their entire ECL was cleared, and it seems to be shortly after they sign on.

Apr 7, 2017, 11:31 AM
320 Posts
question

Is the policy set to enforce or allows the users to clear things?   With all other things goign wrong with the installs you need to stop that bleeding  One trick to keep on forcing policies down is to write and agent that does a resave daily on the policies docs so every time the user authenticates they will get the latest policy.   Do you see the polices in the users local nab policies hidden  view?   If that disappeared it means the user has a new local nab and chances are no polcies

Apr 7, 2017, 2:45 PM
319 Posts
Policy

Security Policy is set to Enforce, Refresh, Once Daily.  It doesn't seem to have an option that prevents the user from making changes; so we set it to refresh daily.

That particular Security Policy document hadn't been changed since Jan 2016, so at least there wasn't any recent changes that might explain what we're seeing...

Re: refreshing Policy docs... I have forced a Policy refresh in the past by re-saving documents, but it seems that every time I do, people complain that a bunch of their settings have been lost, so I've tried to steer clear of  changing policy docs unless necessary. But I think I will re-save documents now, just for sake of doing something (as opposed to nothing).

I can tell you that we're using Organizational Policies, and a few months ago we deleted some of the 'child' policies, rolling everyone back up to a single policy across OU1. But newer users would have (should have) never seen the old Policy structure - but of course both the server version as well as client versions have changed so maybe it'll be worthwhile...

Honestly, I did not think to have the helpdesk check the local NAB, but it was on my list to check next time they get me involved ..

Probably two unrelated things going on, but it seems coincidental that they both just recently started...

Thanks for working with me on this!- something weird is sure afoot!

Apr 28, 2017, 9:06 AM
319 Posts
Hierarchical name length ??

It's still happening - we see it at least a couple times a week.

But it appears that it's only happening for users in 2 specific locations. each location has its own server, so I can't narrow it down to a server - but, since both are in the same city, both locations are using longer hierarchical names than before. As I do a quick count, most old names were below 50 characters, the same user's new hierarchical name might be 69 characters or slightly longer.

The Admin guide indicates the maximum name length is 79 characters, and we're below that, but this seems awful coincidental.

And the fact that the Autosave feature has been broken due to user name length until FP6 seems suspicious also!


FORUM PLAN UPDATE
Date revision: This forum will remain open to new posts and responses until December 1, 2018. (After that date, you will still be able to view and search the forum.) Also, we're taking a second look at the best place to host future conversation. For now, keep using this forum, and stay tuned for more news.