SearchDomino.com
June 6, 2001
Admin Tip: Chuck Connell's Security Feature

=================================================
A NOTE FROM THE EDITOR:

The searchDomino.com weekly Administrator tips will feature one tip per month dedicated to security issues, featuring expert security advice from Chuck Connell, president of CHC-3 Consulting (www.chc-3.com), a consultancy that helps organizations with all aspects of Domino and Notes. If you have a specific security topic that you'd like Chuck to cover or comments about a tip, email us at [EMAIL PROTECTED], or pose a security question to Chuck Connell in the Ask the Experts section:
http://searchdomino.techtarget.com/ateQuestion/0,289624,sid4_tax287305,00.html

=================================================
Feature Admin Security Tip: Expiring Passwords In Notes

One of the most effective security policies for any computing organization is required password changes. Without this policy, people often keep the same password for years. We're all lazy (especially busy computer users), so why change passwords if you don't have to?

Unfortunately, in its basic form, the Notes ID mechanism has no way to enforce password changes. Each ID file has its own password, which the server never knows, so password changes cannot be enforced for all users. Fortunately, beginning with R4.5 of Domino and Notes, there is a way to require users to change passwords, and the changes will be enforced by the server.
But first, here's a list of some advantages of making password changes a requirement:

1) The most obvious benefit is that user passwords will change more frequently. If a nefarious person learns someone else's password, that knowledge will help them only for a limited period of time.

2) Users will not be allowed to reset their password to a previous password. Domino stores the last 50 passwords that a user had and disallows their re-use.

3) As a side benefit, the Domino password management mechanism solves the problem of stolen ID files. If someone does get a copy of your ID file, you can force an immediate password change. When someone tries to use the stolen ID, they will be challenged for the new password, which they will not know.

(Note: This entire discussion applies to Notes client access to Domino servers, not to Web browser access to Domino.)

HOW TO SET UP PASSWORD EXPIRATION:

1) Make sure the Admin Process is running on the Domino server. You can verify this by typing SHOW TASKS at the server console. If it is not running, add AdminP to the ServerTasks line in the Notes.ini file.

2) Enable password checking on the server. In the Domino Administrator program, go to Configuration / Server / All Server Documents. Edit the configuration document for the server you are using, then go to the Security tab. Enable the option marked "Check Passwords on Notes IDs".

3) Enable password checking for each person. In the Domino Administrator program, go to People & Groups / People. Edit the person document(s) you want. Go to the Administration tab. Set "Required Change Interval" to the number of days between password changes. Set "Grace Period" to the number of days (after a password expires) during which the user is still allowed to use their old password.

That's it! You have added a significant layer of security to your Domino/Notes system.
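
An added example, not part of the original tip: a small audit for steps 1 and 3 that checks whether AdminP is on the ServerTasks line of a Notes.ini file and lists people with no change interval set. The sample Notes.ini fragment and the CSV export (including its column names, which mirror the field labels above) are constructed, and treating a blank or 0 interval as "no expiry" is an assumption of this example.

```python
import csv
import io

# Constructed sample notes.ini fragment (not from a real server).
SAMPLE_NOTES_INI = """\
[Notes]
ServerTasksAt1=Catalog,Design
ServerTasks=Replica, Router, Update, AMgr, adminp, Sched
"""

# Constructed export of person documents; the column names are assumptions
# that mirror the field labels on the Administration tab.
SAMPLE_PEOPLE_CSV = """\
Name,Required Change Interval,Grace Period
Alice Example/Acme,90,7
Bob Example/Acme,0,0
Carol Example/Acme,,
Dave Example/Acme,365,30
"""


def adminp_in_server_tasks(ini_text):
    """True if AdminP is on the ServerTasks= line (first one found, any case)."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        # Exact key match only: ServerTasksAt1= and similar lines do not count.
        if sep and key.strip().lower() == "servertasks":
            tasks = [t.strip().lower() for t in value.split(",")]
            return "adminp" in tasks
    return False


def people_without_expiry(csv_text, max_interval=None):
    """Names whose interval is blank, 0, or longer than max_interval days."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("Required Change Interval") or "").strip()
        interval = int(raw) if raw.isdigit() else 0  # assumption: blank means 0
        if interval == 0 or (max_interval is not None and interval > max_interval):
            flagged.append(row["Name"])
    return flagged


if __name__ == "__main__":
    print("AdminP in ServerTasks:", adminp_in_server_tasks(SAMPLE_NOTES_INI))
    print("No expiry set:", people_without_expiry(SAMPLE_PEOPLE_CSV))
    print("Interval over 180 days:", people_without_expiry(SAMPLE_PEOPLE_CSV, 180))
```
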
---Chuck Connell
www.chc-3.com

-------------------------------------------------
SECURITY QUESTIONS AND ANSWERS:

Here are some questions posed to me during my recent "Live Expert Q&A chat" session about security on searchDomino.com that I was unable to answer during the chat due to time constraints. You can pose more questions on searchDomino.com at
http://searchdomino.techtarget.com/ateQuestion/0,289624,sid4_tax287305,00.html

Question: What security concept combinations make for the most secure for the least amount of effort/maintenance, e.g. session-based authentication with SSL?

Answer: For Notes client access, standard IDs and Notes certificates are very secure if used correctly. For web client access, Internet passwords added to the Domino NAB work well. Also set Default and Anonymous to No Access in all your databases. And only allow access to people listed in the NAB. If you do all this, you have a pretty tight system. If you are concerned about people listening in on web traffic and stealing information from network packets, then add server-side SSL also.

Question: If you use servlets or cookies to store web-users' IDs for single sign-on solutions, how do you avoid breaking the Domino security model?

Answer: Don't ever store passwords anywhere. In a disk file, within program code on a servlet, or in a cookie. Just say NO to this practice.
