Are you a pro in Domino server admin? Or perhaps you're just getting your teeth into it?
In either case, we've collected five common pitfalls (and their remedies) in Domino security that everyone should be aware of:
A sophisticated attacker with a vault database and one of the corresponding server IDs would have all of the cryptographic information needed to masquerade as the vault server and decrypt all of the ID files stored in the vault.
Industry experts such as Paul Mooney and IBM itself strongly recommend to stop the dangerous practice of using no password protection for the server ID in order to make the server reboot easier. With DominoProtect you get the security and automation: it manages the passwords and provides them automatically during a reboot.
2. God mode trap
Full Access Administration can be used to bypass many IBM Domino security restrictions, e.g. for directly updating ACLs and accessing sensitive data or for changing configuration documents in the Domino Directory.
With DominoProtect you can deactivate Full Admin Adminstration and hence restrict actions carried out through these privileges. You can also choose to prevent changes to the FullAdmin field in Server document or subject them to approval workflow to comply with the two-man rule.
3. Fort Knox without backdoors
The ID Vault role "Auditor" allows anyone to download & decrypt every user ID in the ID Vault.
To prevent the misuse of this role, the ACL of the ID vault database needs to be protected against unauthorized changes. With DominoProtect you can setup an approval process for ACL changes and so keep control over any changes or even attempts to make changes.
4. Who let the dogs out?
Configuration changes by an interim administrator can not be tracked or rolled back easily. Finding out what changes were made and getting your system up and running again is a considerable drain on admin time and resources.
DominoProtect provides the complete logging and recovery for all configuration changes. In the event of an error, an immediate rollback to a previous version can be done with just one click.
5. Stealth mode trap
Out of the box, Domino provides a basic logging mechanism. So someone could enter their name to an important group document and remove it after accessing some sensitive data without leaving much a of trail.
Let's say, you want to have a track record of access and changes to the "All Admin Group". With DominoProtect you can setup a protection rule which can even limit changes down to the level of the "Members" field. So any changes or attempts would be tracked, trigger a notification and ideally start an approval workflow for processing the changes - all in real-time!
Find out more about DominoProtect or get in touch with us. Next chance to see it live is at Engage by BLUG in Breda, Netherlands!