BCC Blog

Most people are aware of what a Domino server does - it holds all of the databases and therefore access to pretty much everything. And each server has a server ID. Protecting a server ID with a password works in much the same way that protecting a computer or account with an ID works. In this case, the server ID password is individual to the server itself, rather than the user, but access to that password is limited to a finite number of people with administrator authority.

If you have used IBM Notes for any length of time as an end user, you no doubt have come to the point of frustration trying to find that seldom used but all important app or database tile. Or worse, clicked on a tile only to find it is no longer functional because the database moved or the app is no longer supported.

Similarly, application development and maintenance can be a challenge if it is left up to the end user to find, install and manage apps and databases.

Written by Arshad Khalid

If you are an existing IBM® Domino™ customer you may not realise that you are entitled to use IBM® Connections™ Profiles and Files with IBM Domino.

For customers who are not familiar with IBM Connections why would this entitlement be of interest or benefit to you?

The entitlement gives access to two of the main features from IBM Connections – Files and Profiles.

Think of Profiles as an extension of your address book so that you can find and discover the expertise you need. For large organisations and those with hierarchy you can check the report-to-chain, find additional information on the reporting structure and find people in the same team or with the same manager etc.

Most people are aware of what a Domino server does - it holds all of the databases and therefore access to pretty much everything. And each server has a server ID. Protecting a server ID with a password works in much the same way that protecting a computer or account with an ID works. In this case, the server ID password is individual to the server itself, rather than the user, but access to that password is limited to a finite number of people with administrator authority.

I communicate with organisations all over the world on a day-to-day basis. A lot of the companies I speak to have very large IBM Domino environments, especially government and financial institutions are dealing with the same issues.
They have very large legacy environments that run on closed networks, hundreds of IBM Domino servers but not a lot of administrators.
They are directed to patch servers more frequently (weekly vs monthly) and get told that they have to better protect their server IDs and to further separate and control administrator actions.

This is easier said than done!

CHALLENGE Number 1

Automation

The dangerous practice of using no password protection for server ID in order to make the server reboot easier is hard to argue to an audit team. DominoProtect protects Server IDs with passwords and allows unattended reboots. A highly secure random password is created for the server ID. Existing passwords can be imported during the set up as well. If the server needs to be rebooted, DominoProtect provides the password automatically, and no manual action is required. If you are using ID vault, IBM strongly recommends password protection for server ID files:
„We understand that most Domino servers are not password-protected to make unattended reboots simpler, but the vault server’s ID file is a key element in the security of your ID vault. A sophisticated attacker with a vault database and one of the corresponding server Ids … would have all of the cryptographic information needed to masquerade as the vault server and decrypt all of the ID files stored in the vault.“ 

Introduction

Native Notes and Domino provide limited capabilities in supporting the complex processes of user, group or database administration. Skilled staff with high access level is forced to carry out large number of single-step administrative tasks, document them manually, and play the “telephone game” with users and requesters. Also, the standard Domino administration processes do not meet increasing security and compliance requirements.