John,

It is very difficult, some would say impossible, to judge one piece of software to be absolutely more secure than another. However, I'll attempt to address your question here.

Although Domino and Exchange can both appear very similar in their use and function, they are in fact very different once you "peek under the hood." Exchange is a mail server that implements various groupware and scheduling functions on top of existing email protocols. Domino, on the other hand, is a groupware database system that implements corporate email as a groupware application.

When it comes to security, Domino and Exchange have a lot in common. Both suffer from a wide range of security issues, such as susceptibility to buffer overflows, misconfigurations, password attacks, viruses, trojan horses, web-based security problems and many others. Both servers will be insecure if they are deployed using the default configuration provided "out of the box."

Given all this, a better question might be "which one can more easily be secured: Domino or Exchange?" This question doesn't have an easy answer either, but here are a few points to consider:

* Lotus Domino has a few more buttons to push and dials to turn than Exchange, so one will probably have a slightly longer initial fixlist for Domino and will also have a slightly steeper learning curve.

* Determining whether Exchange is secure or not is difficult. I've been looking on and off for a while and have yet to find a good and up-to-date independent Exchange Hardening document. You will probably find that hiring an expert consultant just for this purpose is prohibitively expensive, and won't help you maintain security after the initial engagement. Microsoft does maintain an Exchange security page at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/exc10.asp. However, I would *not* recommend relying on this site alone to ensure the security of your installation.

* Application Security, Inc. has developed an integrated Lotus Domino security assessment product, called AppDetective for Domino. AppD. for Domino allows you to generate a by-server or by-network report of every vulnerability possible for a Lotus installation. Utilizing this tool you'll be able to create a quick list of everything you need to do to secure your Domino servers. You will also be able to use the tool to verify the server's security once you are done. Get more information about AppDetective for Domino at http://www.appsecinc.com/products/appdetective/domino.

In conclusion, both of these products have security concerns that need to be addressed. Don't be misled by trying to count vulnerabilities or advisories for both products; instead, ask how much time and effort will be required to secure an installation on your network.

Regards,
_____________________________________________
Josh Daymont
Chief Security Architect
Tel: 212-490-6022
Cell: 404-431-4042
Fax: 212-490-6456
E-mail: [EMAIL PROTECTED]
Web: www.appsecinc.com
Application Security, Inc.
- Protection Where it Counts -

-----Original Message-----
From: Bednar, John [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 10, 2002 2:26 PM
To: Security Basics (E-mail)
Subject: domino/exchange

Hi,

quite simply, which one is more secure:

Notes/Domino Environment
Outlook/Exchange Environment

I always hear about the holes and exploits of Outlook/Exchange, and nothing about Notes/Domino. Does that mean that it is that much more secure? (I know that Notes is a database.)
