Recording: http://pan.news/20210316
Abstract: Did you make fast changes to support remote work for your users? Well, you are not alone. A huge number of employees are working from home right now. Still they need access to information stored behind the company firewalls. They also keep much of this data on devices outside of your control, prone to loss and theft.
But are businesses ready to operate this way forever? Attention is now shifting to security concerns. Remote work is now evolving from a temporary to a common solution. Nearly all companies are now considering the underlying security risks involved.
HCL Notes has the well-earned reputation of being an ironclad platform. It was purpose-built for these scenarios. However, you need to configure it correctly to benefit from its powerful security features.
The key question is this: Are you SURE you haven't overlooked something in YOUR environment?
We will present the best security measures for Notes clients. Let's make remote work sustainable for 2021 and beyond. The webinar will cover the following topics:
- The basics of securing your Notes and Nomad clients
- Secure client-server communication over any port (with and without SafeLinx)
- Safeguarding data in local replicas
- Protecting the client environment from running untrusted code
- Staying current with security updates
Speaker: Chris Adler
Best Practices for HCL Notes/Domino Security Part 1: The Notes Client
1. Make Your Data Work For You
Best Practices for HCL Notes/Domino Security
Part 1: The Notes Client
16th March 2021
2. Daniel Klas
@panagenda
Inbound Marketing Coordinator
panagenda
Christoph Adler
@cadler80
Senior Consultant
panagenda
Join the conversation using #NotesDominoSecurity & @panagenda
Speakers
3. Agenda
1. Introduction
2. Secure client-server communication over any port (with and without SafeLinx)
3. Safeguarding data in local replicas/databases
4. Protecting the client environment from running untrusted code
5. Staying current with security updates
6. Authentication security
4.
5. 1. Introduction – Available clients
• Available clients
– HCL Notes – Basic configuration
– HCL Notes – Standard (incl. Eclipse)
– HCL Notes – Standard (incl. Eclipse + Admin and/or Designer client)
– HCL Client Application Access – aka HCAA
– HCL Nomad – mobile app for Android
– HCL Nomad – mobile app for iOS/iPadOS
– HCL Nomad Web (beta) – via Browser
– HCL Verse – via Browser
6. 2. Secure client-server communication – Client
• NRPC port settings
– NRPC = Notes remote procedure call
– Port 1352
– Legacy
• LAN0 / COM(.*) / DisabledPorts
– Should be removed
– Port settings in notes.ini
• Ports=TCPIP
• TCPIP = TCP,0,15,0,,45056,
– with encryption only
• TCPIP = TCP,0,15,0,,45088,
– with encryption & compression
• TCPIP = TCP,0,15,0,,12288,
– DEFAULT - without encryption & compression
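Added example (not from the webinar slides): a Python sketch that audits the port lines of a client notes.ini against the settings listed on this slide. The flag meanings come only from the slide; the function names, the sample file and the narrowing of COM(.*) to numbered COM ports are assumptions made for illustration.

```python
import re

# Flag values and meanings exactly as listed on the slide; other values are reported as unknown.
TCPIP_FLAGS = {
    "45056": ("ok", "encryption only"),
    "45088": ("ok", "encryption and compression"),
    "12288": ("fail", "default: no encryption, no compression"),
}
# Assumption: COM(.*) is narrowed to COM<number> so unrelated keys starting with "COM" do not match.
LEGACY_PORT = re.compile(r"^(LAN0|COM\d+)$", re.IGNORECASE)

def parse_ini(text):
    """Return {lowercased key: (original key, value)} for every KEY=VALUE line."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            settings[key.strip().lower()] = (key.strip(), value.strip())
    return settings

def audit_ports(text):
    """Return a list of (severity, message) findings for the NRPC port settings."""
    ini = parse_ini(text)
    findings = []
    active = [p.strip() for p in ini.get("ports", ("", ""))[1].split(",") if p.strip()]
    if [p.upper() for p in active] != ["TCPIP"]:
        findings.append(("fail", f"Ports={','.join(active)} (expected Ports=TCPIP)"))
    for key, (name, _) in ini.items():
        if LEGACY_PORT.match(name) or key == "disabledports":
            findings.append(("warn", f"legacy entry {name} should be removed"))
    if "tcpip" in ini:
        fields = ini["tcpip"][1].split(",")
        flag = fields[5].strip() if len(fields) > 5 else ""  # sixth field carries the option value
        sev, meaning = TCPIP_FLAGS.get(flag, ("warn", "value not on the slide, check manually"))
        findings.append((sev, f"TCPIP flag {flag or '<missing>'}: {meaning}"))
    else:
        findings.append(("fail", "no TCPIP port definition found"))
    return findings

# Constructed sample notes.ini fragment (not taken from a real client).
SAMPLE = """[Notes]
Ports=TCPIP
TCPIP=TCP, 0, 15, 0,,12288,
LAN0=NETBIOS, 0, 15, 0
DisabledPorts=LAN0
"""

if __name__ == "__main__":
    for severity, message in audit_ports(SAMPLE):
        print(f"{severity.upper():5} {message}")
```
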
7. 2. Secure client-server communication – Server
• Legacy/Default port encryption for Notes/Domino
– RC4 128Bit (Rivest Cipher 4)
• Best practice settings for port encryption on Domino server >= 9.0.1 Fix Pack 7
– AES-GCM 128Bit (Advanced Encryption Standard)
– notes.ini – PORT_ENC_ADV=84
• See the following Technote for details and read before you use the parameter:
– https://help.hcltechsw.com/domino/11.0.1/admin/conf_port_enc_adv_r.html
8. 2. Secure client-server communication – mobile app
• HCL Nomad mobile app
– Classic – NRPC (direct using VPN/Passthrough)
– New – SSL Tunneling (port 443) using Nomad Proxy aka HCL SafeLinx
9. 3. Safeguarding data in local replicas/databases
• Local replicas of (Domino) server databases
– One of the most powerful features of Notes/Domino is “Replication”
– Almost every customer has local replicas on some or on all Notes clients (managed and/or unmanaged)
– Local replicas in general should always be encrypted
– Use “Strong Encryption” or even better “128 bit AES”
10. 3. Safeguarding data in local replicas/databases (cont.)
• Access Control List (ACL) of local replicas
– Use the option “Enforce a consistent Access Control List” in the ACLs of your server application databases to ensure the ACL is identical on all replicas (incl. local).
11. 4. Protecting the client environment from running untrusted code
• Execution Control List (ECL)
– The ECL ensures that code only gets executed if the “code signer” is trusted
– Either a user or admins can put “signers/users” on the ECL
– Using an Administration ECL or managing the ECL (incl. lock down) is highly recommended and also ensures that a user cannot add users/signers to the list
• If a user then gets an “Execution Security Alert” – it is a security alert!
12. 5. Staying current with security updates
• Do you remember our first slide?
• Available clients
– HCL Notes – Basic configuration
– HCL Notes – Standard (incl. Eclipse)
– HCL Notes – Standard (incl. Eclipse + Admin and/or Designer client)
– HCL Client Application Access – aka HCAA
– HCL Nomad – mobile app for Android
– HCL Nomad – mobile app for iOS/iPadOS
– HCL Nomad Web (beta) – via Browser
– HCL Verse – via Browser
13. 5. Staying current with security updates (cont.)
• Do you remember our first slide?
• Available clients and latest releases
– HCL Notes 11.0.1 FP2 SHF46 – Basic configuration
– HCL Notes 11.0.1 FP2 SHF46 – Standard (incl. Eclipse)
– HCL Notes 11.0.1 FP2 SHF46 – Standard (incl. Eclipse + Admin and/or Designer client)
– HCL Client Application Access 3.0.3 – aka HCAA
– HCL Nomad 1.0.15 20210219-1541 – mobile app for Android
– HCL Nomad 1.0.11 – mobile app for iOS/iPadOS
– HCL Nomad Web (beta) – via Browser
– HCL Verse 2.0.1 – via Browser
14. 5. Staying current with security updates (cont.)
• More security options
– The newer the version, the more modern and better the security options and features
• Vulnerability
– The older the version, the higher the risk of being vulnerable
– Check out this link (sorted in ascending order by date):
https://support.hcltechsw.com/csm?id=kb_search&spa=1&language=en&u_document_type=Security%20Bulletin&kb_category=1ec026dc1b45730083cb86e9cd4bcb24
15. 6. Authentication security
• The following may sound silly, but
– PLEASE use ID files protected with passwords
– Use a Security-Policy to force password
• expiration after xx days
• complexity
• Single Sign-On (SSO) may help here
– Comfort combined with security
– Notes Shared Login (NSL)
• https://help.hcltechsw.com/domino/11.0.1/admin/conf_usingnotessharedlogintosuppresspasswordprompts_c.html
– Notes Federated Login (NFL)
• https://help.hcltechsw.com/domino/11.0.1/admin/secu_using_security_assertion_markup_language_saml_to_configure_federated_identity_authentication_t.html?hl=federated%2Clogin
16. - Commercial break -
All the 6 topics and more can be easily covered/solved/managed by
17. Q & A
18. Thank you!