Secure a HCL Domino web server running on public internet - Prevent hacking!


HCL Notes and Domino: Tips & Tricks

Secure a HCL Domino web server running on public internet - Prevent hacking 🕵️🔒🛡️

January 9, 2020
By Lance Zakin, HCL CASA, CAAD
Notes and Domino
NotesMail - HCL BP
This article lists 7 steps which will protect your Domino web server from hackers and close vulnerabilities. Some Domino customers have only 1 or 2 of these steps completed which is quite alarming from a security standpoint. If these steps are not performed on your Domino server then an authenticated user with minimal access rights can...

(A) Assume the identify of a Domino administrator, (B) Attain access to all web user credentials including user names, passwords and internet addresses and (C) Attain operating system level access.
1. Prevent unauthorized access to Domino server DBs / mailboxes by identifying security holes in Access Control Lists (ACLs).
    A. Generate ACL reports including expanding nested group ACL entries using the Domino cybersecurity software called HCL Domino Security Tool in the Beacon Award nominated CRUCIAL Notes Tools suite. It helps prevent cyberattack and repair security holes. YouTube video: https://youtu.be/YVf9TONVT5Y
    B. Review the reports to see if any unauthorized users inadvertently have access to each database or mailbox.
    C. Fix ACL issues discovered in reports including any changes required to Domino Directory (DD) person or group documents.

2. Prevent hackers from decrypting hashed Domino web passwords:
    [Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
3. Prevent hackers from displaying all Domino Directory users (i.e. web login user names): This flaw will allow a web authenticated user to see all the Domino Directory users, web login user names and internet addresses. Hackers can attempt to guess passwords or send users phishing emails to attain passwords.
    [Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
4. Prevent hackers from quickly decrypting Domino hashed passwords if they attain access to Domino Directory: Enable stronger Domino web encrypted hash passwords.
    [Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
5. Prevent hackers from guessing Domino web passwords with several repeated attempts: Enable Domino Internet Password Lockout feature. You can give the IT help desk ACL Editor access to unlock users in the "Internet Password Lockout" Notes DB if user's call to get unlocked. Or simple set auto-unlock to 15 minutes. This will help prevent hackers from guessing passwords for users over several attempts.
    [Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
6. Prevent hackers from guessing Domino web passwords using data dictionaries with trivial passwords: Increase Domino web password requirements using a Domino Security policy
    [Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]
7. Prevent hackers from easily guessing simple Domino web login user names: Domino by default allows multiple user names for each user including first name, last name, short name, etc. This potentially allows a user with unique first or last name to be guessed by a hacker. i.e. John, Jill, Smith, Jones
    [Steps and screenshots in this section are hidden. Open a service case for support, or login to authenticate.]


* Domino internal system DBs

[Section is hidden. Open a service case for support, or login to authenticate.]


Reference Sources

[Section is hidden. Open a service case for support, or login to authenticate.]

B
.