
Tip from IBM Connect 2014: New security features in IBM Domino 8.5.x-9.x


DESCRIPTION

This is a tip from the IBM Connect 2014 session "BP103 : Ready, Aim, Fire: Mastering the Latest in the Administrator’s Arsenal". Speakers Ben Menesi (Ytria) and Kim Greene (Kim Greene Consulting) step through the new features IBM has introduced to Domino from release 8.5.x-9.x. This tip covers why you should use ID Vault, how to set up protected groups, what settings to tweak to make sure password checking is up and running, how to lock down your server’s ACLs and more.



© 2014 IBM Corporation

BP103Ready, Aim, Fire: Mastering the Latest in the Administrator’s Arsenal

Kim Greene, Kim Greene Consulting, Inc

Ben Menesi, Ytria


Securing Your Servers


ID Vault

▪ Use it!
  – Customer scenarios where a vault would have saved the day:
    • Lost ID file after a PC crash; the only fallback was an old copy on a network drive, which had been created under a different certifier than the one currently in use
    • Forgotten passwords
    • Setting up new users, or existing users receiving new PCs/laptops
      - Notes client setup simply pulls the ID from the vault; no manual handling of the ID file

▪ Tip:
  – If you have multiple OUs, it is easiest to implement the vault from the top-level OU

▪ Gotcha:
  – Does not work in Citrix® environments (yet)

New in Domino 8.5


Protected Groups

▪ Prevents accidental deletion of designated "critical" groups

▪ Configured in the Directory Profile of the Domino Directory
  – Tip: you must edit and save the profile once before the setting becomes operational

▪ Requires the Domino Directory (names.nsf) to use the 9.0 template design

▪ Defaults to LocalDomainAdmins, LocalDomainServers, and OtherDomainServers

New in Domino 9.0


Protected Groups

▪ Open the Domino Directory → Actions → Edit Directory Profile


Protected Groups

▪ "Prevent deletion of these groups": the list of protected groups in the Directory Profile


Password Checking

▪ Password checking is crucial for securing IDs: the server keeps a digest of each user's current password and refuses a Notes ID presented with an outdated one, so a copied ID file stops working once the password is changed, and password expiration can be enforced

▪ Enable it in both the Server document (Security tab, "Check passwords on Notes IDs") and the Person document ("Check password"); enabling only one of the two has no effect


Internet Password Lockout

▪ Set a threshold for failed Internet (HTTP) password authentications; once a user exceeds it, further attempts are refused for the lockout period even with the correct password
  – Configured in the Security Settings policy document (Internet Password Lockout); lockouts are recorded in the Internet Lockout application (inetlockout.nsf), where an administrator can clear them


Locking down your server’s ACLs

▪ Ensuring that your Domino databases are locked down from the server side can be vital
  – Make sure Anonymous has no access to your databases (especially system databases!)
  – Use DominoHunter to gather information from the outside
    • You might be surprised what you find!

▪ DominoHunter: open-source Perl script that automates opening and querying standard databases from the web
  – Beware: even if you get satisfying results, you may have databases left open to the web that this script won't find!
    • It works from a pre-set list of system databases; anything with a non-standard name or path is never requested
    • Syntax: dh.pl -h targetaddress.com -l results.txt
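The same check in Python, as an added example (this is not the DominoHunter script and not code from the session): each well-known database is requested anonymously with the standard ?OpenDatabase URL command and the reply is classified. The database list is an illustrative subset, not DominoHunter's list, and the login-form markers are a heuristic assumption: with session authentication Domino serves the login form with HTTP 200, so status alone would misreport a protected database as open. The `fetch` callable is injectable so the logic runs offline against constructed responses.

```python
"""Anonymous-access probe for well-known Domino system databases.

Added example, not the DominoHunter script. The `fetch` callable is injectable
so the classification logic can be exercised offline; `http_fetch` is the real
network path.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

Response = Tuple[int, str]  # (HTTP status, first bytes of body as text)

# Illustrative subset of Domino system databases (assumption: not the exact
# list DominoHunter ships with). Databases under custom names or paths are
# NOT covered, which is exactly the blind spot the slide warns about.
SYSTEM_DBS: List[str] = [
    "names.nsf", "admin4.nsf", "log.nsf", "catalog.nsf", "domlog.nsf",
    "events4.nsf", "domcfg.nsf", "webadmin.nsf", "statrep.nsf",
    "certlog.nsf", "homepage.nsf", "busytime.nsf",
]

# Heuristic markers for a Domino login form: with session authentication the
# server answers 200 with the form instead of 401, so status alone is not enough.
LOGIN_MARKERS = ("please identify yourself", "?login", 'name="password"')


def http_fetch(url: str, timeout: float = 5.0) -> Response:
    """Unauthenticated GET that does not follow redirects."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 3xx as an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, (err.read(4096) or b"").decode("latin-1", "replace")


def classify(status: int, body: str) -> str:
    """OPEN = Anonymous got the database; PROTECTED = auth demanded; ABSENT = 404."""
    text = body.lower()
    if status == 200:
        return "PROTECTED" if any(m in text for m in LOGIN_MARKERS) else "OPEN"
    if status in (401, 403):
        return "PROTECTED"
    if status == 404:
        return "ABSENT"
    return "CHECK"  # redirects and anything else: inspect by hand


def probe(base_url: str, dbs: Iterable[str] = SYSTEM_DBS,
          fetch: Callable[[str], Response] = http_fetch) -> Dict[str, str]:
    base = base_url.rstrip("/")
    return {db: classify(*fetch(f"{base}/{db}?OpenDatabase")) for db in dbs}


def exposed(results: Dict[str, str]) -> List[str]:
    """Databases Anonymous can open: fix their ACL (Anonymous = No Access)."""
    return sorted(db for db, verdict in results.items() if verdict == "OPEN")


# Constructed responses for an offline dry run (not captured from a real server).
CONSTRUCTED_RESPONSES: Dict[str, Response] = {
    "names.nsf": (200, "<html><title>Domino Directory</title>..."),
    "log.nsf": (401, "Please identify yourself"),
    "domcfg.nsf": (200, '<form method="post"><input name="Password"> Please identify yourself'),
    "webadmin.nsf": (302, ""),
}


def constructed_fetch(url: str) -> Response:
    db = url.rsplit("/", 1)[1].split("?", 1)[0]
    return CONSTRUCTED_RESPONSES.get(db, (404, "Not Found"))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = probe(target) if target else probe("http://domino.example", fetch=constructed_fetch)
    for db, verdict in results.items():
        print(f"{verdict:10} {db}")
    print("Exposed to Anonymous:", exposed(results) or "none")
```

Run it with the server's base URL as the only argument to probe a real host; without an argument it classifies the constructed responses. Treat "CHECK" results as work items rather than passes, and remember that, like DominoHunter, it only asks about names it already knows.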


Locking down your server’s ACLs

▪ DominoHunter results (screenshot)


Locking down your server’s ACLs

▪ Easy to recognize when looking into domlog.nsf: a DominoHunter run (v0.9) records thousands of hits from the same IP address within a short time
  – You can even write a scheduled agent over domlog.nsf to get notified about such attempts/attacks
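The detection such an agent would implement, as an added example in Python rather than LotusScript (this is not code from the session): it reads a Domino web access log in Common Log Format (the format Domino writes when text-file logging is enabled; the same client, request and status fields exist as items on domlog.nsf documents, so the logic ports to an agent) and flags any client that produced a burst of requests spread over many distinct databases. The thresholds and the sample log lines are assumptions/constructed data, not real traffic.

```python
"""Flag DominoHunter-style enumeration in a Domino web access log.

Added example, not from the session. Input lines are in Common Log Format;
thresholds and the constructed sample log are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
DB_RE = re.compile(r"(.*?\.nsf)(?:/|\?|$)")  # database part of a Domino URL


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    db = DB_RE.match(rec["path"].lower())
    rec["db"] = db.group(1) if db else None  # e.g. "/names.nsf", "/mail/jdoe.nsf"
    return rec


def find_scanners(lines: Iterable[str], window: timedelta = timedelta(minutes=5),
                  min_burst: int = 50, min_dbs: int = 10) -> Dict[str, dict]:
    """Per-IP stats for clients with >= min_burst requests inside `window` AND
    >= min_dbs distinct databases touched. A script walking a list of database
    names looks exactly like this; a user reading mail does not."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts: Dict[str, dict] = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        burst, start = 0, 0
        for end in range(len(recs)):  # sliding window over sorted timestamps
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = max(burst, end - start + 1)
        dbs = {r["db"] for r in recs if r["db"]}
        if burst >= min_burst and len(dbs) >= min_dbs:
            alerts[ip] = {
                "total": len(recs),
                "burst": burst,
                "distinct_dbs": len(dbs),
                "denied": sum(r["status"] in (401, 403, 404) for r in recs),
                # databases the scanner actually got into: these need ACL work
                "opened": sorted({r["db"] for r in recs if r["status"] == 200 and r["db"]}),
            }
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample: one scanner walking 60 database names within a minute
    (mostly refused), plus one ordinary user reading mail. Not real log data."""
    t0 = datetime(2014, 1, 27, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        status = 200 if i % 10 == 0 else 401
        ts = (t0 + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'10.0.0.99 - - [{ts}] "GET /db{i}.nsf?OpenDatabase HTTP/1.1" {status} 512')
    for i in range(5):
        ts = (t0 + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f'192.0.2.10 - - [{ts}] "GET /mail/jdoe.nsf/($Inbox)?OpenView HTTP/1.1" 200 8192')
    return lines


if __name__ == "__main__":
    for ip, stats in find_scanners(constructed_log()).items():
        print(f"ALERT {ip}: {stats}")
```

The "opened" list is the actionable part of an alert: a burst of 401s means the ACLs held, while every 200 in it names a database Anonymous could open. Tune `min_burst` and `min_dbs` to your own baseline before wiring the output to mail or an event.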


Domino server ports

▪ Make sure not to leave ports open that you do not have to
  – Finding an exposed port is the first step of any outside attack
  – Nmap is a great tool to test for open ports
    • An Nmap intense scan (the Zenmap profile, which includes service/version probing) shows up in DomLog as hits on the HTTP port
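Nmap (for example `nmap -sV -p- <host>`) answers "what is listening?"; the follow-up question is "is anything listening that we did not intend?". The block below is an added example (not code from the session) that encodes that comparison: it connect-tests the default Domino service ports and splits the result into expected and unexpected open ports. The port table and the allow-list are assumptions for the example, and the `connect` callable is injectable so the logic can be checked without a network.

```python
"""Compare a Domino host's listening ports against the ports it should expose.

Added example, not from the session. Port table and allow-list are assumptions;
`tcp_connect` is the real network path, `constructed_connect` a stand-in.
"""
import socket
from typing import Callable, Dict, Iterable, List

# Default TCP ports of Domino services (illustrative; adjust to your setup).
DOMINO_PORTS: Dict[int, str] = {
    1352: "NRPC (Notes clients, replication, administration)",
    80: "HTTP", 443: "HTTPS",
    25: "SMTP", 110: "POP3", 143: "IMAP", 995: "POP3S", 993: "IMAPS",
    389: "LDAP", 636: "LDAPS",
    63148: "DIIOP", 63149: "DIIOP over SSL",
}


def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Plain TCP connect test for a single port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_ports(host: str, allowed: Iterable[int], ports: Dict[int, str] = DOMINO_PORTS,
                connect: Callable[[str, int], bool] = tcp_connect) -> Dict[str, List[int]]:
    """Bucket every known Domino port by (open?, allowed?)."""
    allowed = set(allowed)
    report: Dict[str, List[int]] = {
        "unexpected_open": [],   # close it, or add it to the allow-list with a reason
        "expected_open": [],
        "missing": [],           # allowed but not reachable: service down or firewalled
        "expected_closed": [],
    }
    for port in sorted(ports):
        is_open = connect(host, port)
        if is_open and port in allowed:
            report["expected_open"].append(port)
        elif is_open:
            report["unexpected_open"].append(port)
        elif port in allowed:
            report["missing"].append(port)
        else:
            report["expected_closed"].append(port)
    return report


def describe(report: Dict[str, List[int]], ports: Dict[int, str] = DOMINO_PORTS) -> List[str]:
    """Human-readable findings, unexpected ports first."""
    lines = [f"UNEXPECTED OPEN {p} ({ports[p]})" for p in report["unexpected_open"]]
    lines += [f"missing {p} ({ports[p]})" for p in report["missing"]]
    return lines or ["no findings"]


def constructed_connect(host: str, port: int,
                        open_ports=frozenset({1352, 443, 389, 63148})) -> bool:
    """Constructed stand-in for a host that also exposes LDAP and DIIOP."""
    return port in open_ports


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # python audit.py host 1352,443
        host, allow = sys.argv[1], {int(p) for p in sys.argv[2].split(",")}
        rep = audit_ports(host, allow)
    else:
        rep = audit_ports("domino.example", {1352, 443}, connect=constructed_connect)
    print("\n".join(describe(rep)))
```

In the constructed run the server is meant to expose only NRPC and HTTPS, so LDAP (389) and DIIOP (63148) come back as unexpected. Run it from outside the firewall as well as inside: the outside view is the one an attacker gets.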


How to Contact Us

Contact – Kim Greene
@iSeriesDomino
www.linkedin.com/in/kimgreeneconsulting

Contact – Ben Menesi
@BenMenesi
ca.linkedin.com/in/benedekmenesi

▪ We'd love to hear from you!

[email protected]@ytria.com


Acknowledgements and Disclaimers

© Copyright IBM Corporation 2014. All rights reserved.

▪ U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

▪ IBM, the IBM logo, ibm.com, and IBM Domino®, IBM Notes Domino®, IBM Notes®, IBM Traveler®, Sametime®, LotusScript® are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml

This slide presentation may contain the following copyrighted, trademarked, and / or restricted terms:

Microsoft®, Windows®, Microsoft Office®, Ytria®, Panagenda®, Visual Basic®, Java®, Perl®, OGSi®, Trust-factory®, Citrix®

Other company, product, or service names may be trademarks or service marks of others.

Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.

The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.