SearchDomino.com August 1, 2001 Admin Tip: Data Encryption and more security scanners ================================================= SPONSORED BY: VSI, An Esker Company ================================================= LOTUS NOTES ENDORSED FAX SOLUTION FOR THE ENTERPRISE Upgrade from Fax for Domino and save 70% on faxing Automate fax within your Enterprise and fax from any application VSI-FAX for Notes offers: Significant savings on fax labor costs, Easy Notes-based administration, & a simple and affordable upgrade Learn how to upgrade from FxD or SAVE on faxing, order a free kit Today! http://www.vsi.com/notesfax ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ================================================= CONTENTS: [1] Chuck Connell's Security Tip [2] searchDomino.com's News Poll [3] Ask the Security Expert [4] Recently posted Admin tips ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Feature Tip: Data Encryption and more security scanners The searchDomino.com weekly Administrator tips feature one tip per month dedicated to security issues, featuring expert security advice from Chuck Connell, president of CHC-3 Consulting (www.chc-3.com), a consultancy that helps organizations with all aspects of Domino and Notes. If you have a specific security topic that you'd like Chuck to cover or comments about a tip, email us at [EMAIL PROTECTED], or pose a security question to Chuck Connell in Ask the Experts section: http://searchdomino.techtarget.com/ateQuestion/0,289624,sid4_tax287305,00.html This month's security tip has two parts a follow-up to last month's tip about security scanners; and a discussion about the two types of data encryption. Special thanks to Frederic Dahm at Lotus Switzerland, for pointing out that this is often confusing to people. 1.) A DOMINO-SPECIFIC SECURITY SCANNER A Domino security scanner looks specifically for databases and URLs that are often vulnerable on Domino-based Web sites. For example, it is well known that some Domino servers allow anyone to issue the ?Open URL and browse a list of all databases on the server. Also, any knowledgeable cracker knows that Domino servers contain a log.nsf file, which contains all sorts of valuable information about the contents and activities of the server. A Domino security scanner looks for these known problems and reports which exist on your server or Web site. Before taking you to a Domino security scanner, I want to repeat last month's warning: *** You should only use security scanners on your own servers and Web sites. Breaking this rule is bad ethics, possibly illegal, and will get you kicked off many Internet service providers. *** The best Domino scanner I have seen is called DomiLock, and it is located here: http://domilockbeta.2y.net/ DomiLock attempts to open a long list of common databases on your Domino Web server, and reports on those that it was able to open. The resulting report shows clearly in red which databases it could open, and in green those databases that it attempted to open but could not. If any readers know about other useful Domino security scanners, please let me know and I will include them in future tips. 2.) TRAFFIC ENCRYPTION VERSUS STORAGE ENCRYPTION I have received several questions about "encrypting e-mail messages" or "encrypting Web mail." These terms can mean two different things: Protection of the mail data as it is moving over the Internet wires; or Protection of the mail message after it reaches its destination and is stored there. "Protection of mail data as it is moving over the Internet wires" is sometimes called traffic encryption, and its purpose is to prevent someone from eavesdropping on your message as it moves past them on the way from you to the intended receiver (or on its way from a sender to you). The most common method for traffic encryption is SSL. Its purpose is to hide data as it moves from point A to point B. SSL is limited however, in that once the data reaches the receiver, it is no longer encrypted. If you want to prevent someone else at the your company from reading your email messages (once they are in your mailbox), you need to encrypt the data where it is stored. There are several ways to do this, including S/MIME, Domino local database encryption, and Domino field-level encryption. The choice depends on just what you are trying to accomplish. As you are planning the security strategy for your organization, be aware of this distinction. Do you want to hide your data as it moves through some wires, or do you want to hide the data once it gets somewhere? Often you want to do both. --- Chuck Connell ================================================= ------------------------------------------------- NEWS POLL ------------------------------------------------- CAST YOUR VOTE IN OUR NEWS POLL Lotus' latest layoffs: What do they mean to you? Vote now at: http://searchdomino.techtarget.com/poll ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ================================================= ------------------------------------------------- ASK THE SECURITY EXPERT: ------------------------------------------------- Here are some security questions presented to Chuck Connell on searchdomino's Ask the Expert forum. Pose a security question to Chuck here: http://searchdomino.techtarget.com/ateQuestion/0,289624,sid4_tax287305,00.html Question: My company is concerned because Administrators always have access to the different individual ID's. This way they can contact everyone's mail. Password checking isn't an option either since they can disable password checking for this person temporarily so they can access the mail-file again. Is there any waterproof way of securing the mail-files while still letting the administrators do their work? Answer: This issue has been raised before including on the Administrators discussion forum on SearchDomino. The problem is the definition of "trust." If you give administrator's access to everyone's ID file, everyone's password, and full access to the administration console, then you are trusting these people to do the right thing. So, of course these people could do something malicious or destructive. I am not sure of a good solution to this problem. The old DEC VMS operating system had a good solution. There were many different "privileges" that an administrator could have. Therefore, you could give someone the ability to just do backups, for example, but nothing else. Alternatively, just start the system, but nothing else. Unfortunately, Domino doesn't have something like this. I would love to hear from any readers who know a solution (or partial solution) to this problem. How do you give Domino admin people the power they need to do their jobs, but prevent (or at least track) their ability to do harm? Question: My clients need to view their mail from a Notes client and via a web browser. They need to read and send their encrypted mail. What is involved in setting up this environment? Answer: The standard Domino mail template (MAIL50.NTF) will do this. You can access mail from either a Notes client or a web browser. For encrypted mail traffic over the web, turn on server-side SLL. ================================================= RECENTLY POSTED ADMINISTRATOR TIPS: ================================================= We posted 3 new administrator tips last week. Thanks for all your tips and keep them coming! Desktop category: http://searchdomino.techtarget.com/tipsIndex/0,289482,sid4_tax283823_alpD_idx0,00.html [1] kMan.exe (Lotus Notes process killer) Smart Icons category: http://searchdomino.techtarget.com/tipsIndex/0,289482,sid4_tax283828_alpD_idx0,00.html [1] All apps from Notes SmartIcons [2] Add mail file icon from NAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ================================================= FEATURED BOOK: ================================================= Secrets and Lies: Digital Security in a Networked World By Bruce Schneier Internationally recognized computer security expert Bruce Schneier offers a practical, straightforward guide to achieving security throughout computer networks. Schneier uses his extensive field experience with his own clients to dispel the myths that often mislead IT managers as they try to build secure systems. This practical guide provides readers with a better understanding of why protecting information is harder in the digital world, what they need to know to protect digital information, how to assess business and corporate security needs, and much more. http://www.digitalguru.com/dgstore/product.asp?sku=0471253111&dept%5Fid=284&ac%5Fid=60 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ================================================= Disclaimer: Our tips services and online tips exchange are a way for you to learn from other IT professionals and share technical advice and expertise with your peers. Techtarget.com provides the infrastructure to facilitate this sharing of information. However, we can't guarantee the accuracy and validity of the material submitted. You agree that your use of the searchDomino.com tips services and your reliance on any questions, answers, information or other materials received through searchDomino.com will be at your own risk. ================================================= NOTIFY US WITH FEEDBACK ================================================= If you have a specific security topic that you'd like Chuck to cover or comments about a tip, email us at [EMAIL PROTECTED] ================================================= If you would like to sponsor this or any techtarget newsletter, please contact Gabrielle DeRussy at [EMAIL PROTECTED] ================================================= If you no longer wish to receive this newsletter simply reply to this message with "REMOVE" in the subject line. Or, visit http://searchDomino.techtarget.com/register and adjust your subscriptions accordingly. If you choose to unsubscribe using our automated processing, you must send the "REMOVE" request from the email account to which this newsletter was delivered. Please allow 24 hours for your "REMOVE" request to be processed.