Security Considerations for Deploying Notes Plugins

IBM Notes and plugins go together like eggs and bacon or hamburgers and French fries. Sure, you can have one without the other, but the combination is so much more enjoyable! After all, IBM Notes is a great product with a lot of wonderful features, but the options are nearly limitless when you start deploying plugins and widgets. But I would caution you to keep a close eye on the security considerations when deploying plugins, starting with how you choose to deploy and install them.

MSI (Microsoft Installer) format

Probably the easiest way to deploy plugins on Microsoft Windows desktops, at least from an end user perspective, is to package them in an MSI executable and distribute them via internal email or file server. There is additional complexity for the plugin creator to get it packaged in this format, and the end users must be running Windows and have permission to install software, so this may not even be an option for your organization. But if it is, consider the risk of a malicious MSI file being introduced to your network either from outside or a disgruntled insider. You must have clear and enforceable policies around where end users may obtain MSI's and tight controls over which are appropriate to install.

Publicly available libraries

The Internet has plenty of sources for Notes plugins to do all sorts of really cool whiz-bang stuff. And probably 95% of it is genuinely good, produced and shared by someone with the purest of intentions. But we all know there is that other element that will try to use any means possible to drop a bit of code anywhere in an attempt to breach security. If you allow your users to install plugins without any controls or restrictions on its source and content, you will eventually have a bad experience from it. At an absolute minimum, do not allow installation of unsigned jar files! This should even apply to internally developed plugins!

Inappropriate changes to Notes environment

If the decision of what to install and how to install it is left to the end user, there are a number of possible scenarios that could occur, including changing notes.ini settings or Security and Location settings in ways that may weaken or bypass security controlsyou have established. This may be incidental as the user tries to work through a plugin that is not installing properly, or directed by a nefarious plugin author. Either way, the results could be disastrous!

Recommendations

Some steps that can be taken to help secure your environment, especially as it relates to deploying plugins.

• Clear and controlled Desktop Setting policy
• Only allow installation of signed plugins
• Set widget specific controls, including permissible update site controls
• Ideally, implement a tool that not only locks down the Notes client configuration, but automates the installation of plugins, controlled by Notes Admins and as directed by your company's security governance body

We must remain ever vigilant in securing our corporate and customer data, regardless of your industry. Plugins are useful, but they are also powerful, and warrant a real plan, not just a passing glance.

 Need help with your Notes environment?