Automation
The dangerous practice of leaving a server ID without password protection to make server reboots easier is hard to justify to an audit team. DominoProtect protects server IDs with passwords and still allows unattended reboots. A highly secure random password is created for the server ID. Existing passwords can also be imported during setup. If the server needs to be rebooted, DominoProtect provides the password automatically, and no manual action is required. If you are using ID vault, IBM strongly recommends password protection for server ID files:
"We understand that most Domino servers are not password-protected to make unattended reboots simpler, but the vault server's ID file is a key element in the security of your ID vault. A sophisticated attacker with a vault database and one of the corresponding server IDs … would have all of the cryptographic information needed to masquerade as the vault server and decrypt all of the ID files stored in the vault."
Security Monitoring
DominoProtect tracks all actions affecting the protected elements, which can be groups, connection or domain documents in your Domino Directory, as well as any type of configuration document or access control list (ACL) on your server. You decide on the level of protection: just monitor open and modify events, or prevent them from happening. DominoProtect provides flexible configuration options for the elements to be protected as well as for the actions to be processed (e.g. dialog box, e-mail notification). You can set up protection for all relevant documents or for specific forms, as well as for single fields. The protection covers changes caused by replication as well as manual attempts. DominoProtect tracks or prevents changes in real time, which guarantees consistent systems and means no dangerous system failures due to bad configurations. This is a clear advantage over a scheduled approach, where one can only be informed about changes. Administrators also receive a detailed overview of all security-relevant operations in the Domino system.
Change Management
When protection for specific elements is activated, a request-based, integrated workflow for the protected configuration objects is enabled. For the creation, editing or deletion of these objects, a change request is created automatically, with an optional approval cycle and multiple actions to be executed, such as sending an e-mail, processing agents or displaying dialog boxes. DominoProtect automatically generates a detailed history of the changes, including who performed each change and when it occurred. All changes performed, all rejected change requests, and all unsuccessful change attempts made through the Notes Client or the Domino Administrator are recorded (audit trail). DominoProtect provides complete recovery of a former version of all configuration documents with one click. In the event of an error, a roll-back to a previous version can be made within seconds.