Chuck Connell

781-275-0484
128 Great Road, Bedford, MA, 01730
connell@chc-3.com

Notes/Domino Security


New Links

Secure Email between Lotus Notes and the Outside World (a.k.a. S/MIME revisited). April 2011. This article updates a popular piece I wrote ten years ago about Lotus Notes and S/MIME. It gives detailed instructions for setting up the Domino Certificate Authority (CA) and Verisign digital IDs for secure email between a Notes organization and outside Internet email accounts.

Lotus Protector -- The official Lotus add-on product for both anti-spam and Internet email encryption.

Notes/Domino 8.5 ID Vault, February 2010. Detailed instructions for setting up and using the new ID Vault feature in ND 8.5, written by me.

IBM Lotus Sametime 8 Security Features. This white paper describes the security features of Sametime 8.0 software, including a discussion of authentication and encryption for each of the major functional units of Lotus Sametime.

Secure Access to iNotes with Mobile Connect -- This article is intended for IBM Lotus iNotes 8 customers who want secure, remote access to enterprise Lotus iNotes servers from devices such as personal digital assistants (PDAs), laptops, or workstations that require access outside the bounds of their corporate intranet.

Securing a Domino web server using the new Internet lockout feature. This article describes the Internet lockout feature in Domino 8 and its configuration, and provides a sample that shows how to create a custom login form.

New Security Features in Domino 8. A presentation from Lotusphere.

Articles TOC

ND8

General Administration

Security Principles

Application Security

Email

LDAP

Wireless

Java

Websphere

Sametime

Public key cryptography

Operating system security

Backups

SSL

Programming / APIs

Products TOC

Email Filters (Spam, Virus, Policy)

Privacy / Signatures

System Hardening / Attack Prevention

Domino Admin Tools

Password Management

Group Management

Mobile Solutions

Data Auditing / Tracking

Security Scanners

Compliance / Archiving / Content Management

ND8

Notes/Domino 8.5 ID Vault, February 2010. Detailed instructions for setting up and using the new ID Vault feature in ND 8.5, written by Chuck Connell.

Securing a Domino web server using the new Internet lockout feature. This article describes the Internet lockout feature in Domino 8 and its configuration, and provides a sample that shows how to create a custom login form. August 2008 for Domino 8.

Secure Access to iNotes with Mobile Connect -- This article is intended for IBM Lotus iNotes customers who want secure, remote access to enterprise Lotus iNotes servers from devices such as personal digital assistants (PDAs), laptops, or workstations that require access outside the bounds of their corporate intranet. October 2008 for Domino 8.

New Security Features in Domino 8. A presentation from Lotusphere 2007.

General Administration

Best Practices with IBM Lotus Domino Security (scroll down to 2005 sessions). By Daniel Nashed at Lotusphere 2005. This session provides a set of best practices and tips on securing Domino servers and Notes clients. It covers everything from the OS level up to the Domino application level, with up-to-date best practices from the field.

Single Sign-on in a Multi-Directory World part 1 and part 2. Learn all about Single Sign-on (SSO) in Notes/Domino from that international man of mystery, Jim Bland. In this two-part series, we examine SSO basics and look at issues that arise in multi-directory, multi-identity environments. September 2005.

Notes.ini entries - searchable database of all notes.ini values including third-party applications.

Notes.ini settings from DeveloperWorks (most admins would find this helpful; a lot of the parameters are security-related, e.g. session timeouts, AdminP parameters, etc.).

Notes/Domino Best Practice Checklists. This document is a set of checklists for Notes and Domino best practices. It is designed to provide Notes/Domino administrators, application developers, and IT managers with information needed to ensure a successful Notes/Domino environment. Ten major categories are covered, including performance, sizing, administration, security, upgrade & migration, groups & directories, DWA, C&S, transaction logging, and testing of applications.

Domino Domain Monitoring (DDM) Redpaper. Learn to use DDM for server health checking. The document also addresses pre-DDM versions. Written primarily about ND7 in November 2005.

Domino 7 and 8 Administration, Installation, and Upgrade Guides -- The official documentation.

Domino Server Maintenance: Updall, Compact and Fixup. The purpose of this document is to outline the utilities Updall, Compact, and Fixup, and to detail their appropriate use as part of normal maintenance as well as under abnormal circumstances. Ideally, this document will serve as a reference for a Domino System Administrator, providing helpful advice for normal system maintenance as well as for server outages. From IBM Support; covers Domino 6,7,8; updated March 2009.

Decoding ND6 Agents -- Lots of good information about new agent features in 6.x, including changes to agent security. October 2002, but much still applies.

Enabling soft deletions in your Notes mail file -- This tip shows how to enable soft deletions of messages in your Notes mail by configuring the database settings and adding a ($SoftDeletions) view to your mail file. September 2003.

All About AdminP, Part 1 and Part 2 -- These articles examine the components of AdminP, how they work, and how they can make the jobs of Domino administrators easier. The AdminP (short for Administration Process) task works with the Administration Requests database. July 2003.

Creating a Custom Administration Process Request Handler -- AdminP is a server task for automating administrative tasks in the background on a schedule. This article and accompanying example code explain how to create a custom AdminP request handler and deploy it. May 2003.

LotusScript: The NotesAdministrationProcess Class in Notes/Domino 6 -- This article shows how to use the new NotesAdministrationProcess class to create scripts to automate common administration tasks. May 2003.

Security Principles

Domino Security Jumpstart. A presentation from Lotusphere 2007.

Securing an IBM Lotus Domino Web Server. Using a case study, the authors of this article describe some best practices and recommendations from the field for securing an IBM Lotus Domino Web server. November 2006.

ND7 Security Redbook. Discusses specific security and anti-spam enhancements that are new in Notes and Domino 7.0.x. The topics include: custom password policies, support for larger keys in ND7, smartcards, securing Domino Web Access, customizing passwords/certificate expiration, public key checking enhancements, ID recovery enhancements, and SSO configured LTPA tokens. January 2006.

Lotus Security Handbook. This IBM Redbook provides best practices and guidance for building a secure collaboration infrastructure utilizing all IBM Lotus technologies (not just Notes/Domino). Published in April 2004 for 6.x.

Bonding with User Security in ND6 -- Good overview of security features in Notes 6, by Jane Marcus and Cara Haagenson. From Iris Today. Originally written in 9/01, but updated in 10/02.

Roadmap to Lotus Notes/Domino and Internet certifiers -- Having trouble finding your way through all the ins and outs of Notes/Domino and Internet certification issues? Create a Certification Practice Statement (CPS) and use it as a roadmap for your certification processes and policies. This article explains how you can build a CPS and includes a template you can modify and adapt to your own requirements. July 2004.

Becoming Your Own Certificate Authority -- An overview of internal and external certificates, and how to set up the Domino certificate authority, which allows you to create your own digital Internet certificates. October 2002, but still applies.

Overview of Notes/Domino security -- A general introduction to the security features available in Notes and Domino. September 2001, but still applies.

The ABCs of Using the ACL -- Everything you want to know about Notes ACLs, including roles and advanced options. An excellent, thorough article. Written by a cool guy, Rob Slapikoff, in April 1998, but most still applies.

Staying Alert with Execution Control Lists (ECLs) -- A good article about Notes ECLs, written by several folks at Lotus and Iris. Explains the basics, as well as advanced details. December 1999, but the general ideas still apply.

Password Checking (Notes from Lotus Support) -- Password checking adds an additional level of safety to the authentication process. Find out how to set up, administer, and troubleshoot password checking for your servers and users. From Iris Today in 9/01 for R5.

Understanding Password Quality -- Which is a stronger password: six characters including a number or eight characters with mixed case? Discover the details about Domino's password quality scale, the algorithm that calculates it, and administrative considerations, including guidance for users. From Iris Today in 9/01 for R5.

ID and Password Recovery -- The definitive article on this topic, from Iris Today in 11/01 for R5. (Note that the Password Recovery feature has been replaced in ND8.5 by the ID Vault. Old-style Password Recovery still works however.)

Notes Encryption: Locks for a Digital World -- An overview of data encryption in general, and Notes encryption specifically. From Iris Today in 6/98 for R4.6. Still lots of valuable information though.

Security Variables from Professor INI -- A roundup of questions about security-related NOTES.INI variables. From Iris Today in 9/01 for R5.

Application Security

Using and Understanding Reader Names fields in IBM Lotus Notes and Domino -- Take advantage of and implement the extremely useful IBM Lotus Notes and Domino security feature, Reader Names fields. Learn how this feature affects replication, agents, and views and how to troubleshoot two common problems with Reader Names fields. January 2007.

Using Field Encryption In Applications -- This article introduces the basic theory of field-level encryption and shows you how to implement it in your Domino applications. From Iris Today in 9/01 for R5.

Designing a Secure Domino App -- A bit dated, but an excellent overview of the basic techniques for creating a secure application. Most of what is discussed still applies today. Written in 6/97 for R4.6.

Creating Expiring Registrations -- This article is a little long-winded, but shows a useful technique for creating user registrations that expire after a set time period. From Iris Today in 3/01.

Netegrity SiteMinder and Domino-based collaborative services -- Want to use Siteminder for single sign-on with Domino, Lotus Team Workplace (QuickPlace), and Lotus Instant Messaging and Web Conferencing (Sametime), but don't know where to start? This article provides you with a roadmap for implementation. December 2003.

Email

Secure Email between Lotus Notes and the Outside World (a.k.a. S/MIME revisited). April 2011. This article updates a popular piece I wrote ten years ago about Lotus Notes and S/MIME. It gives detailed instructions for setting up the Domino Certificate Authority (CA) and Verisign digital IDs for secure email between a Notes organization and outside Internet email accounts.

Lotus Protector -- The official Lotus add-on product for both anti-spam and Internet email encryption.

Domino 6 Spam Survival Guide -- I guess this is not technically a security topic, but many IT admins are interested in spam reduction. This IBM Redbook is fairly detailed, covering Domino built-in anti-spam features and third-party products that help with the spam problem. Written in 1/03.

Using Domino SMTP with a DMZ, Part 1 and Part 2 -- An excellent two-part article about setting up secure email topologies. Includes good background, many diagrams, and advanced information. Highly recommended. From Lotus DeveloperWorks in November 2004 for ND6.

Controlling Spam with Advanced Domino SMTP Settings, Part 1 and Part 2 -- An excellent two-part article about effective use of the anti-spam and anti-relay settings in 6.x. Highly recommended. From Lotus DeveloperWorks in October 2004.

Secure Messaging for Domino 6 -- A good overview, with lots of technical details, about email security. Covers secrecy, authenticity, non-repudiation, certificate authorities, and more. Good diagrams and screen shots. Overlaps somewhat with my SMIME article, below, but a bit broader. From Lotus DeveloperWorks in July 2004 for R6.

Enhancing Email Security with S/MIME -- The best article on the Internet. Not really, but this is a piece I wrote about S/MIME and how it provides security for email operations. Also includes background discussion about general cryptography principles. From Iris Today in December 2001 for R5.

Security for Web-Based Email -- A top-notch article from Iris Today. Lots of background information, good diagrams, gory details where needed, etc. A must-read for anyone setting up a serious Domino email system. From February 2001 for R5.

Secure Sockets Layer (SSL)

Setting up SSL for a Domino server. This is a chapter from the general Domino Administration Help, but covers a topic that is frequently confusing to administrators.

Enabling SSL End-to-End on Lotus Workplace -- Learn how to make your Lotus Workplace environment more secure by running it with Secure Sockets Layer (SSL) enabled. March 2004.

Configuring iNotes Web Access with a WebSphere Edge Reverse Proxy Server -- How to support SSL access to e-mail with Domino and iNotes Web Access, using a WebSphere Edge proxy server: This article covers configuring your network to include a DMZ and a reverse proxy server to control access to your servers. Technical level of this article is high. March 2003.

Domino Certification Authority and SSL Certificates -- An IBM redpaper (short redbook) about Domino's implementation of SSL. Written in November 2000.

SSL: It's Not Just for E-Commerce Anymore -- An introduction to SSL and its role within Domino/Notes. From Iris Today in March 1997 for R4.5.

SSL Client Authentication -- Excellent article with a detailed description of SSL and specific instructions for setting it up within Domino/Notes. From Iris Today in March 1998 for R4.6.

Trust Yourself: Becoming Your Own Certification Authority -- A companion article to the above, for people interested in this topic. From 1998 for R4.6.

WebSphere

Integrating Domino 6 and WebSphere V5 Express on iSeries -- An IBM Redbook that describes various aspects of integrating these two systems, but particularly security and single sign-on.

Domino and WebSphere Together -- An IBM redbook that explains many issues about using these products together, including security issues.

Lightweight Directory Access Protocol (LDAP)

Lotus Instant Messaging and LDAP directory Interactions -- If you're a large Lotus Instant Messaging site, there's a good chance you also use LDAP for your directory services. Learn how Lotus Instant Messaging interacts with LDAP, and how you can help ensure they work together smoothly. February 2004.

LDAP-related Notes.ini variables -- This column discusses how to use Notes.ini variables to resolve LDAP-related issues. October 2003.

Understanding LDAP -- An IBM redbook that provides a general introduction to this important topic. LDAP is used to store, and look up, information about people in a computer system, and information about people is used in security schemes. Written in 1998.

Wireless

None right now.

Java

Domino Development with Servlets -- An excellent technical article. Lots of coding examples, very recent, well-written -- the whole nine yards. From Iris Today in 2/01.

Executing Java Applets Using Trusted Hosts -- A discussion of running Java within Notes, with general information about Java security also. From Iris Today. Written in 1/97 for R4.5.

Public Key Cryptography

Secure Email between Lotus Notes and the Outside World (a.k.a. S/MIME revisited). April 2011. This article updates a popular piece I wrote ten years ago about Lotus Notes and S/MIME. It gives detailed instructions for setting up the Domino Certificate Authority (CA) and Verisign digital IDs for secure email between a Notes organization and outside Internet email accounts.

Deploying Public Key Infrastructure -- An IBM redbook that gives an excellent overview of public key technology, how it can be used in security systems, and some of the commercial products that help with PKI.

Operating System Security

None right now.

Backups

Using Tivoli Storage Manager to Back Up Lotus Domino -- Reliable backups should be part of any security policy. This IBM redbook describes how to use the IBM Tivoli product to do that.

Sametime

IBM Lotus Sametime 8 Security Features. This white paper describes the security features of Sametime 8.0 software, including a discussion of authentication and encryption for each of the major functional units of Lotus Sametime. May 2009.

Sametime Installation and Administration Guides. All versions.

Lotus Instant Messaging and LDAP directory Interactions -- If you're a large Lotus Instant Messaging site, there's a good chance you also use LDAP for your directory services. Learn how Lotus Instant Messaging interacts with LDAP, and how you can help ensure they work together smoothly. February 2004.

Programming / APIs

Security APIs in Notes/Domino 7.0 -- In this article, we discuss many different features related to the new Notes/Domino 7 Notes encryption/decryption APIs. We describe how business partners and other Notes developers can give their programs the ability to read and create Notes-encrypted and S/MIME-encrypted messages. This article looks at the critical technical and administrative details required to implement these and other Notes/Domino 7 security features. From DeveloperWorks in July 2005.

Email Filters

Lotus Protector -- The official Lotus add-on product for both anti-spam and Internet email encryption.

Symantec Mail Security for Domino provides high-performance, integrated mail protection against virus threats, spam, security risks, and other unwanted content on Domino databases. Enhanced, proactive policy enforcement tools help organizations ease the process of complying with a government mandated or internal policy.

ClearMail enables organizations to control virtually all spam and e-mail-borne viruses in a single product. An added feature of the product limits the size of inbound file attachments. ClearMail takes a very proactive approach to dealing with spam by using a whitelist, or include list, method. With the whitelist, e-mail from any organization or any individual who is on either the organizational whitelist or on an individual's personal whitelist is delivered to the intended recipient's normal Inbox. Mail from individuals who are not on the whitelist is sent to a spam folder for you to check at your leisure.

MailMarshal is an enterprise-level email content security and control product. Content security is about monitoring and controlling the electronic data entering or leaving an organization. MailMarshal provides server-based solutions to the key issues in this area.

Mail Attender for Lotus Notes is an email administration tool that gives you extended capabilities for managing your email system, far beyond what Notes provides out of the box. Mail Attender allows companies to centrally manage and take authority over their mail databases. Mail Attender helps control the growth of your corporate email system, reduces your legal liability exposure, and controls electronic sabotage by enforcing policies, eliminating known virus attachments, and auditing mailbox content.

McAfee GroupShield-Domino delivers native virus protection at the Notes server. Offering both real-time and on-demand scanning for both viruses and malicious code, such as Lotus Script and Button Bombs, GroupShield provides full and comprehensive protection for Lotus Notes & Domino environments.

Security Scanners

Rapid7's NeXpose is a vulnerability assessment scanner which tests for all vulnerabilities that have been identified in Lotus Domino as well as hundreds of vulnerabilities on other platforms such as MS, Unix and RDBMS. Some of these vulnerabilities allow the execution of arbitrary commands on the Domino server that can compromise an entire network, while others may allow unimpeded access to passwords from the Domino Directory. Continuous, real-time updates ensure that your environment always has the latest vulnerability and exposure definitions. And, with a false-positive rate of less than 1%, you spend less time investigating false alerts.

AppDetective for Lotus Domino is a network-based, penetration testing/vulnerability assessment scanner that locates and assesses the security strength of Domino installations within your network. Armed with a revolutionary security methodology together with an extensive knowledgebase of vulnerabilities, AppDetective for Lotus Domino will locate, examine, report, and help fix your security holes and misconfigurations at your command.

Password Management

Web Set Password is an enterprise solution that allows end-users to securely set and synchronize their passwords directly from a Web browser. With Web Set Password, companies are able to secure the password authentication process without increasing Help Desk calls. Web Set Password synchronizes HTTP, NT and LDAP passwords and Notes ID files. It includes security and auditing functionality such as password quality, expiration, history, 3-strikes, last login, and dictionary look-up of unacceptable words.

Password Management Utility from Atlantic Decisions helps ease maintenance of HTTP passwords for Domino. PMU is especially useful for allowing users to manage their own Internet passwords securely. The utility includes password creation rules, to prevent users from creating weak or obvious passwords. In addition, PMU hides passwords from system administrators, to remove a potential security exposure that often exists.

Authentication Lock-out System from Innovative Ideas Unlimited, Inc. is a lock-out system developed for the US Department of Defense. The Authentication Lock-out System locks user names and/or IP addresses after a number of failed attempts are made to access the Domino HTTP Server, thwarting brute force hacking attempts. A control document allows customization of the number of acceptable user failures before locking and error messages are presented to users. Organizations can customize the module settings to unlock a user ID/address on a scheduled interval or require it to be unlocked manually by an administrator or supervisor. The system maintains a log of any user IDs and/or IP addresses that have been locked and also those that have been reinstated.

Tivoli SecureWay Policy Director -- With the expansion of Web-based Intranets and Internet resources, Policy Director provides a single integrated solution to meet your e-business security needs. Tivoli SecureWay Policy Director is a complete Web Single Sign On solution for heterogeneous Web environments including Lotus Domino. It enables browser users to login once to gain access to a variety of authorized Web Sites and Web applications.

System Hardening / Attack Prevention

SecureDomino from TimeToAct offers the following functionalities: 1) Protection against brute-force attacks through blocking of IPs and blocking of individual accounts. 2) Protection against smart-force attacks through blocking of URLs like $DefaultNav, $DefaultView etc. 3) Protection of Domino servers through limiting http-access to singular directories or databases. 4) Automatic authentication of users through their IP-address without username and password.

Group Management

Cassetica GroupManager allows for the efficient management of Lotus Notes groups via delegation of tasks to end-users. Benefits include: easy and complete management of Lotus Notes groups; reduction of Lotus Notes administrator and/or help desk time; historical audit trail of all group modifications; delegation of group management to end-users; distribution of group approval and administration by server.

Auditing / Tracking

Database Activity - Four separate utilities that monitor database user activity by analyzing the user activity log in one or more Notes databases.

Extracomm SecurTrac -- SecurTrac is a Domino native add-on module that enhances the security of Domino applications and e-mail systems. SecurTrac is designed to provide detailed audit tracking throughout the life-cycle of electronic document activities or e-mail, and also provide intrusion alerts notifying system administrators of detected hacking.

NotesTracker provides a new way for you to gather and examine usage information for your Lotus Notes/Domino applications. Whether the databases are accessed via a Notes client or a web browser, you can view the application usage information at any time in a common format, via familiar Notes views that present the database activity in many useful ways. NotesTracker has a broad range of possible uses and should be of interest to management, developers, administrators and others in your organization.

Privacy / Signatures

Lotus Protector -- The official Lotus add-on product for both anti-spam and Internet email encryption.

Entelligence Messaging Server ("EMS") from Entrust, is an email security solution that makes it easier to communicate securely with external business partners and customers. The Messaging Server email security software is shipped as a hardware appliance and delivers standards-based email encryption capabilities in a comprehensive platform. This email security solution is easy to deploy and maintain for organizations that communicate sensitive or regulated information (both inside and outside their organization) via email.

Mobile Solutions

Blackberry Enterprise Server for IBM Lotus Domino -- The BlackBerry Enterprise Solution provides a complete wireless platform that allows organizations to extend the benefits of their Domino messaging and collaboration applications to mobile professionals. BlackBerry Enterprise Server software is an important element of the BlackBerry Enterprise Solution. It is designed to provide IT departments with simplified management and centralized control of wireless devices in a secure, scalable and flexible architecture.

Compliance / Archiving / Content Management

ReduceMail Pro Journal is a journal management and audit system that enhances native Lotus Notes R6, 7, and 8 journal functionality. It helps extract Lotus Notes mail for specific users and groups from the Lotus Domino journal and adds it to Journal Extract databases. It then searches those Journal Extracts for specific content. This helps the administrator in monitoring all incoming and outgoing mail regardless of how large the Lotus Notes mail journal becomes.

ReduceMail Pro Audit is a Lotus Notes mail search utility that allows the Lotus Notes Administrator to conduct real-time searches of server-based Lotus Notes mail files and corresponding server-based archives (ReduceMail Pro archives or Lotus Domino archives). ReduceMail Pro Audit helps automate the location of pertinent content to support responses to subpoenas, FOIA requests, and internal audits and investigations. Search results can be removed, copied to an audit database, or moved to a specific mailfolder for later review.

ReduceMail Pro e-Discovery is a repeatable Lotus Notes search and retrieval e-discovery tool which allows any organization with Lotus Notes mail to locate relevant documents within the Lotus Notes email datastore at any time for any purpose. It allows in-house lawyers to simply and cheaply review company email prior to utilizing outside counsel in an easily repeatable process. At any time, for any reason, company lawyers can search an individual’s Lotus Notes mail file for particular content, copy the results into a database and export those results to outside counsel for review.

Mail Attender for Lotus Notes -- Mail Attender provides comprehensive functionality that allows companies to archive, manage, and discover content in their Lotus Notes email. Management is executed from a central location. Mail Attender for Notes allows you to: archive messages and attachments from Notes mail files; locate documents for the archive based on keyword, age, size, type, etc; apply archiving rules to all users and/or servers or to specific users and/or servers; compliance archiving from Notes journal; automatic retention within archive databases; single instance duplicate emails or attachments; and many other operations.

Domino Administration Tools

PowerTools - 73 administrative tools for Notes / Domino to help you monitor and manage ACLs, agents, attachments, database properties, dead mail, groups, large mail files (and large attachments), LOG.NSF, mail files, orphan documents, reader and author names fields, replication, replication or save conflict documents, SMTP work queues, templates, and more.

ScanEZ -- Similar to the well-known Notespeek, but with update capabilities. Browse any designs, documents, profiles, conflicts, deletion stubs in a database; see replication results before you replicate databases; fix replication conflicts; find the differences between documents; edit any document(s) directly as you see them; manage the ACL; change a document UNID; debug databases; control data integrity; check security; correct data; control hidden data; find problem documents; and many other database support features.

About This Page

This page was originally a separate web site DominoSecurity.org. I have merged it under my general site.