Best Practices for HCL Notes/Domino Security Part 1: The Notes Client
โข
0 likesโข278 views
Recording: http://pan.news/20210316 Abstract: Did you make fast changes to support remote work for your users? Well, you are not alone. A huge number of employees are working from home right now. Still they need access to information stored behind the company firewalls. They also keep much of this data on devices outside of your control, prone to loss and theft. But are businesses ready to operate this way forever? Attention is now shifting to security concerns. Remote work is now evolving from a temporary to a common solution. Nearly all companies are now considering the underlying security risks involved. HCL Notes has the well-earned reputation of being an ironclad platform. It was purpose-built for these scenarios. However, you need to configure it correctly to benefit from its powerful security features. The key question is this: Are you SURE you haven't overlooked something in YOUR environment? We will present the best security measures for Notes clients. Let's make remote work sustainable for 2021 and beyond. The webinar will cover the following topics: - The basics of securing your Notes and Nomad clients - Secure client-server communication over any port (with and without SafeLinx) - Safeguarding data in local replicas - Protecting the client environment from running untrusted code - Staying current with security updates Speaker: Chris Adler
Recommended
Recommended
More Related Content
More from panagenda
More from panagenda (20)
Recently uploaded
Recently uploaded (20)
Best Practices for HCL Notes/Domino Security Part 1: The Notes Client
- 1. Make Your Data Work For You Best Practices for HCL Notes/Domino Security Part 1: The Notes Client 16th March 2021
- 2. Daniel Klas @panagenda Inbound Marketing Coordinator panagenda Christoph Adler @cadler80 Senior Consultant panagenda Join the conversation using #NotesDominoSecurity & @panagenda Speakers
- 3. Agenda 1. Introduction 2. Secure client-server communication over any port (with and without SafeLinx) 3. Safeguarding data in local replicas/databases 4. Protecting the client environment from running untrusted code 5. Staying current with security updates 6. Authentication security
- 5. 1. Introduction โ Available clients โข Available clients โ HCL Notes โ Basic configuration โ HCL Notes โ Standard (incl. Eclipse) โ HCL Notes โ Standard (incl. Eclipse + Admin and/or Designer client) โ HCL Client Application Access โ aka HCAA โ HCL Nomad โ mobile app for Android โ HCL Nomad โ mobile app for iOS/iPadOS โ HCL Nomad Web (beta) โ via Browser โ HCL Verse โ via Browser
- 6. 2. Secure client-server communication โ Client โข NRPC port settings โ NRPC = Notes remote procedure call โ Port 1352 โ Legacy โข LAN0 / COM(.*) / DisabledPorts โ Should be removed โ Port settings in notes.ini โข Ports=TCPIP โข TCPIP = TCP,0,15,0,,45056, โ with encryption only โข TCPIP = TCP,0,15,0,,45088, โ with encryption & compression โข TCPIP = TCP,0,15,0,,12288, โ DEFAULT - without encryption & compression
- 7. 2. Secure client-server communication โ Server โข Legacy/Default port encryption for Notes/Domino โ RC4 128Bit (Rivest Cipher 4) โข Best practice settings for port encryption on Domino server >= 9.0.1 Fix Pack 7 โ AES-GCM 128Bit (Advanced Encryption Standard) โ notes.ini โ PORT_ENC_ADV=84 โข See the following Technote for details and read before you use the parameter: โ https://help.hcltechsw.com/domino/11.0.1/admin/conf_port_enc_adv_r.html
- 8. 2. Secure client-server communication โ mobile app โข HCL Nomad mobile app โ Classic โ NRPC (direct using VPN/Passthrough) โ New โ SSL Tunneling (port 443) using Nomad Proxy aka HCL SafeLinx
- 9. 3. Safeguarding data in local replicas/databases โข Local replicas of (Domino) server databases โ One of the most powerful features of Notes/Domino is โReplicationโ โ Almost every customer has local replicas on some or on all Notes clients (managed and/or unmanaged) โ Local replicas in general should always be encrypted โ Use โStrong Encryptionโ or even better โ128 bit AESโ
- 10. 3. Safeguarding data in local replicas/databases (cont.) โข Access Control List (ACL) of local replicas โ Use the option โEnforce a consistent Access Control Listโ in the ACLโs of your server Application Databases to ensure ACL is identical on all replicas (incl. local).
- 11. 4. Protecting the client environment from running untrusted code โข Execution Control List (ECL) โ The ECL takes care that code only gets executed if the โcode signerโ is trusted โ Either a user or admins can put โsigners/usersโ on the ECL โ Using an Administration-ECLor manage the ECL (incl. lock down) is highly recommendedand also ensures that a user cannot add users/Signers to the list โข If a user then gets an โExecution Security Alertโ โ it is a security alert!
- 12. 5. Staying current with security updates โข Do you remember our first slide? โข Available clients โ HCL Notes โ Basic configuration โ HCL Notes โ Standard (incl. Eclipse) โ HCL Notes โ Standard (incl. Eclipse + Admin and/or Designer client) โ HCL Client Application Access โ aka HCAA โ HCL Nomad โ mobile app for Android โ HCL Nomad โ mobile app for iOS/iPadOS โ HCL Nomad Web (beta) โ via Browser โ HCL Verse โ via Browser
- 13. 5. Staying current with security updates (cont.) โข Do you remember our first slide? โข Available clients and latest releases โ HCL Notes 11.0.1 FP2 SHF46 โ Basic configuration โ HCL Notes 11.0.1 FP2 SHF46 โ Standard (incl. Eclipse) โ HCL Notes 11.0.1 FP2 SHF46 โ Standard (incl. Eclipse + Admin and/or Designer client) โ HCL Client Application Access 3.0.3 โ aka HCAA โ HCL Nomad 1.0.15 20210219-1541 โ mobile app for Android โ HCL Nomad 1.0.11โ mobile app for iOS/iPadOS โ HCL Nomad Web (beta) โ via Browser โ HCL Verse 2.0.1 โ via Browser
- 14. 5. Staying current with security updates (cont.) โข More security options โ The newer the version, the more modern and better the security options and features โข Vulnerability โ The older the version, the higher the risk of being vulnerable โ Check out this link (sorted in ascending order by date): https://support.hcltechsw.com/csm?id=kb_search&spa=1&language=en&u_document_type=Security%20B ulletin&kb_category=1ec026dc1b45730083cb86e9cd4bcb24
- 15. 6. Authentication security โข The following may sound silly, but โ PLEASE use ID files protected with passwords โ Use a Security-Policy to force password โข expiration after xx days โข complexity โข Single Sign-On (SSO) may help here โ Comfort combined with security โ Notes Shared Login (NSL) โข https://help.hcltechsw.com/domino/11.0.1/admin/conf_usingnotessharedlogintosuppresspasswordpr ompts_c.html โ Notes Federated Login (NFL) โข https://help.hcltechsw.com/domino/11.0.1/admin/secu_using_security_assertion_markup_language_saml _to_configure_federated_identity_authentication_t.html?hl=federated%2Clogin
- 16. - Commercial break - All the 6 topics and more can be easily covered/solved/managed by
- 17. Daniel Klas @panagenda Inbound Marketing Coordinator panagenda Christoph Adler @cadler80 Senior Consultant panagenda Join the conversation using #NotesDominoSecurity & @panagenda Q & A
- 18. Daniel Klas @panagenda Inbound Marketing Coordinator panagenda Christoph Adler @cadler80 Senior Consultant panagenda Join the conversation using #NotesDominoSecurity & @panagenda Thank you!
- 19. Daniel Klas @panagenda Inbound Marketing Coordinator panagenda Christoph Adler @cadler80 Senior Consultant panagenda Join the conversation using #NotesDominoSecurity & @panagenda Thank you!