Recording: http://pan.news/20210420
Abstract: Servers are the backbone of your IT environment. Their security is paramount to any IT professional. Particularly with remotely accessible servers this becomes a delicate matter. It is a fine line between making it easy for users to do their job, and making it hard for bad actors to find a way in.
Security concerns include the lack of physical security for devices, the use of unsecured networks, the unwanted external availability of internal resources, and unauthorized access from within your own organization.
HCL Domino is a powerful and mature server platform with a wide range of functionalities. While this makes it a good choice for many applications, it also means there are many ways to open yourself up to an attack.
In this webinar, our experts will help you to look at every aspect of securing your Domino environments:
• Learn fundamentals of Domino server security
• Fix issues with the default configuration and avoid common pitfalls
• Provide safe and secure access via Notes client, HTTP, or SMTP
• Set up database access control across your infrastructure
• Protect your servers from internal attacks
• Avoid vulnerabilities by keeping Domino servers and operating system up-to-date
Speaker: Christoph Adler
Best Practices for HCL Notes/Domino Security. Part 2: The Domino Server
1. Make Your Data Work For You
Best Practices for
HCL Notes/Domino Security
Part 2: The Domino Server
20th April 2021
2. Daniel Klas
@panagenda
Inbound Marketing Coordinator
panagenda
Christoph Adler
@cadler80
Senior Consultant
panagenda
Join the conversation using #NotesDominoSecurity & @panagenda
Speakers
3. Agenda
1. Staying current with (security) updates
2. Domino Server Security Fundamentals (DSSF)
3. SMTP Security Settings (quick and dirty faultless)
4. Bonus: HTTP Security or how to get an A+ rating
4. Make Your Data Work For You
1. Staying current with
(security) updates
5. 1. Staying current with (security) updates
• Current available and supported releases
– Domino 11.0.1 FP3 (April 2021)
• No EOL defined yet
– Domino 10.0.1 FP6 (September 2020)
• No EOL defined yet, BUT “Support Update - List of Exceptions Starting 12/31/2021” here:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085697
– Domino 9.0.1 FP10 IF6 (August 2020)
• No EOL defined yet, BUT “Support Update - List of Exceptions Starting 12/31/2021” here:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085697
8. 1. Staying current with (security) updates (cont.)
• System requirements for Domino 11.0.1 FP3 (OS)
– Microsoft Windows
• Windows Server 2012 R2 - 2019
– Linux
• Red Hat Enterprise Linux (RHEL) Server 7.4+ & 8.x
• SUSE Linux Enterprise Server (SLES) 12.0+ & 15.0+
• CentOS Server 7.4+ (EOL - 2024-06-30) & 8.x (EOL - 2021-12-21)
– IBM AIX
• AIX 7.2 TL1+
– IBMi
• IBM i v7 r2, r3 & r4 (on IBM Power 8 & 9)
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0077033
9. Make Your Data Work For You
2. Domino Server Security
Fundamentals (DSSF)
10. 2. DSSF - Secure client-server communication
• NRPC port settings
– NRPC = Notes remote procedure call
– Port 1352
– Port settings in notes.ini
• Ports=TCPIP
• TCPIP = TCP,0,15,0,,45056,
→ with encryption only
• TCPIP = TCP,0,15,0,,45088,
→ with encryption & compression
• TCPIP = TCP,0,15,0,,12288,
→ DEFAULT - without encryption & compression
11. 2. DSSF - Secure client-server communication (cont.)
• Legacy/Default port encryption for Notes/Domino (up to 11.0.1)
– RC4 128Bit (Rivest Cipher 4)
– Use notes.ini entry LOG_AUTHENTICATION=1 to see this on the console:
– Starting with HCL Domino v12 the new default is → AES-GCM 256Bit
• Best practice settings for port encryption on Domino server >= 9.0.1 Fix Pack 7
– notes.ini → PORT_ENC_ADV=84 (AES-GCM 128Bit)
• See the following Technote for details and read it before you use the parameter:
– https://help.hcltechsw.com/domino/11.0.1/admin/conf_port_enc_adv_r.html
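The port line shown above encodes encryption and compression as bits in its sixth field. The following script is an added example (not HCL code, not part of the webinar) that parses a notes.ini fragment, decodes each port listed in Ports=, reports PORT_ENC_ADV, and proposes the corrected port line for any port still running without encryption. The bit assignment (32768 = encryption, 32 = compression) is derived from the differences between the three values on the slide and is an assumption; the notes.ini fragment is constructed.

```python
"""Added example: decode the NRPC port definitions of a Domino notes.ini and flag
ports that are still running without encryption. Not HCL code."""

# The three values on the slide differ by single bits:
#   12288 (0x3000) default, 45056 = 12288 + 32768 (encryption),
#   45088 = 45056 + 32 (encryption + compression).
# The bit assignment below is derived from those differences (assumption).
FLAG_ENCRYPT = 0x8000    # 32768
FLAG_COMPRESS = 0x0020   # 32

# Constructed notes.ini fragment, not taken from a real server
SAMPLE_NOTES_INI = """\
[Notes]
Ports=TCPIP,TCPIP2
TCPIP=TCP,0,15,0,,12288,
TCPIP2=TCP,0,15,0,,45088,
PORT_ENC_ADV=84
"""


def parse_notes_ini(text):
    """Return notes.ini key/value pairs; keys are compared case-insensitively."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def decode_port(port_line):
    """Decode one port definition such as 'TCP,0,15,0,,45056,'.

    The flags sit in the sixth comma-separated field, as in the slide's examples."""
    fields = port_line.split(",")
    flags = int(fields[5])
    return {
        "driver": fields[0],
        "flags": flags,
        "encrypt": bool(flags & FLAG_ENCRYPT),
        "compress": bool(flags & FLAG_COMPRESS),
    }


def with_encryption(port_line):
    """Return the same port definition with the encryption bit set."""
    fields = port_line.split(",")
    fields[5] = str(int(fields[5]) | FLAG_ENCRYPT)
    return ",".join(fields)


def audit_ports(text):
    """Decode every port listed in Ports= and report the PORT_ENC_ADV setting."""
    settings = parse_notes_ini(text)
    report = {"ports": {}, "port_enc_adv": settings.get("PORT_ENC_ADV")}
    for port in settings.get("PORTS", "").split(","):
        port = port.strip().upper()
        if not port:
            continue
        definition = settings.get(port)
        if definition is None:
            report["ports"][port] = {"error": "listed in Ports= but not defined"}
            continue
        info = decode_port(definition)
        # Suggested replacement line when the port is unencrypted
        info["fix"] = None if info["encrypt"] else f"{port}={with_encryption(definition)}"
        report["ports"][port] = info
    return report


if __name__ == "__main__":
    result = audit_ports(SAMPLE_NOTES_INI)
    for name, info in result["ports"].items():
        print(name, info)
    print("PORT_ENC_ADV =", result["port_enc_adv"])
```

Run it against a copy of the server's notes.ini: the unencrypted TCPIP port in the sample yields the corrected line TCPIP=TCP,0,15,0,,45056, while the already encrypted TCPIP2 port needs no change.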
12. 2. DSSF – Take care of webadmin.nsf
• You can either
– Remove webadmin.nsf from all your servers
OR
– Keep it and restrict its ACL
• This DB will no longer be distributed with Domino v12 and higher
13. 2. DSSF – ACL (Anonymous & -Default- entries)
• ACL (Access Control List)
– -Default- access is granted to every authenticated user who is not listed in the ACL (directly, via a group, or via a wildcard entry)
– Anonymous access is granted to every non-authenticated user (web access)
– If there is no Anonymous entry in the ACL, Domino automatically uses the -Default- entry for non-authenticated users
– See the following two links for more information:
https://help.hcltechsw.com/domino/11.0.0/conf_anonymousinternetintranetaccess_c.html
https://help.hcltechsw.com/domino/11.0.0/conf_validationandauthenticationforinternetintranetclien_c.html?hl=anonymous%2Cacl
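To make the -Default-/Anonymous rules above concrete, here is an added example (not HCL code and not from the webinar) that resolves the effective access level for a user against a constructed ACL. It models the fallbacks exactly as the slide states them; the precedence between explicit, group and wildcard entries (explicit wins, otherwise the highest matching level) is a simplification assumed for the example, and the ACL, names and group directory are constructed.

```python
"""Added example: resolve the effective ACL level for a user under the -Default-/
Anonymous rules from the slide. Not HCL code; the precedence rules are simplified."""

ACCESS_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Constructed ACL and group directory (not from a real database)
SAMPLE_ACL = {
    "CN=Alice Smith/OU=Sales/O=Acme": "Editor",
    "*/OU=Sales/O=Acme": "Author",          # wildcard entry
    "LocalDomainAdmins": "Manager",         # group entry
    "-Default-": "Reader",                  # note: no Anonymous entry
}
SAMPLE_GROUPS = {"LocalDomainAdmins": {"CN=Bob Jones/O=Acme"}}


def matches_wildcard(user, entry):
    """'*/OU=Sales/O=Acme' matches every hierarchical name ending in that suffix."""
    return entry.startswith("*/") and user.endswith(entry[1:])


def resolve_access(acl, groups, user):
    """user=None means the request is not authenticated (e.g. web access)."""
    if user is None:
        # Rule from the slide: without an Anonymous entry, non-authenticated
        # users get whatever -Default- grants
        return acl.get("Anonymous", acl.get("-Default-", "No Access"))
    if user in acl:
        return acl[user]                     # explicit entry wins (assumption)
    candidates = [level for group, level in acl.items()
                  if user in groups.get(group, ())]
    candidates += [level for entry, level in acl.items() if matches_wildcard(user, entry)]
    if candidates:
        # Highest level among group/wildcard matches (simplified assumption)
        return max(candidates, key=ACCESS_LEVELS.index)
    return acl.get("-Default-", "No Access")


def anonymous_exposure(acl):
    """Report what an unauthenticated web user effectively gets and why."""
    level = resolve_access(acl, {}, None)
    via = "Anonymous" if "Anonymous" in acl else "-Default- (no Anonymous entry)"
    return {"level": level, "via": via, "exposed": level != "No Access"}


if __name__ == "__main__":
    for who in ["CN=Alice Smith/OU=Sales/O=Acme", "CN=Bob Jones/O=Acme", None]:
        print(who, "->", resolve_access(SAMPLE_ACL, SAMPLE_GROUPS, who))
    print(anonymous_exposure(SAMPLE_ACL))
```

The sample ACL deliberately lacks an Anonymous entry, so anonymous_exposure reports that unauthenticated web users inherit Reader from -Default-; adding Anonymous = No Access closes that gap without touching the other entries.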
15. 2. DSSF – Server Document → Internet Ports
• Be aware of open and non-used ports (disable them)
– Example: If you don’t want to use the HTTP/LDAP/SMTP/IMAP/POP3/DIIOP service on a server, ensure that those ports are disabled in the Server Document(s)
16. 2. DSSF – Server Document → Internet Ports (cont.)
17. 2. DSSF – SSL/TLS (X.509) is not optional!
• Ensure that you always use secured connections from/to your Domino Servers (including internal connections)
– The following link will help you to set up SSL on Domino servers:
https://help.hcltechsw.com/domino/11.0.1/admin/conf_settingupsslonadominoserver_t.html
18. 2. DSSF – SSL/TLS (X.509) is not optional! (cont.)
20. Make Your Data Work For You
3. SMTP Security Settings
(quick and dirty faultless)
21. 3. SMTP Security Settings (quick and dirty faultless)
a) SMTP Port settings (Server document)
– Inbound → only “Enabled”
– Outbound → “Enabled” & “Negotiated TLS/SSL”
22. 3. SMTP Security Settings (quick and dirty faultless) (cont.)
b) SMTP Port settings (Configuration document) - Inbound
– Inbound → “TLS/SSL negotiated over TCP/IP port” → “Enabled”
23. 3. SMTP Security Settings (quick and dirty faultless) (cont.)
c) SMTP Relay security (Configuration document)
24. 3. SMTP Security Settings (quick and dirty faultless) (cont.)
c) SMTP Inbound security (Configuration document)
25. 3. SMTP Security Settings (quick and dirty faultless) (cont.)
• What about non-encrypted connections (outbound only)?
– You can configure fallback to non-TLS using the following notes.ini entry:
RouterFallbackNonTLS=1
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0079251
• Verify if sender == authenticated user (optional)
– You can configure this using the following notes.ini entry:
SMTPVerifyAuthenticatedSender=1
https://ds_infolib.hcltechsw.com/ldd/dominowiki.nsf/dx/SMTPVerifyAuthenticatedSender
26. Make Your Data Work For You
4. Bonus: HTTP Security
or how to get an A+ rating
28. 4. Bonus: HTTP Security or how to get an A+ rating (cont.)
a) Always use the latest available version of Domino (incl. FPs)
– Domino 11.0.1 FP3
– Domino 10.0.1 FP6
– Domino 9.0.1 FP10 IF6
b) Disable outdated SSL/TLS protocols using the following notes.ini entries:
– SSL_Disable_TLS10=1
→ TLS 1.0 will automatically give you a B rating (since Jan. 2020)
– DISABLE_SSLV3=1
→ this should not be needed any longer, since SSL v3 should be disabled by default
29. 4. Bonus: HTTP Security or how to get an A+ rating (cont.)
c) Select only the modern SSL ciphers (see screenshot) in your
– Server Document(s)
– Web Site Document(s)
30. 4. Bonus: HTTP Security or how to get an A+ rating (cont.)
d) Configure HTTP Strict Transport Security (HSTS) using the following notes.ini entries (or using the Web Site Document if used):
– HTTP_HSTS_INCLUDE_SUBDOMAINS=1
– HTTP_HSTS_MAX_AGE=31536000
See here:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0074868
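The SMTP settings in section 3 and the TLS/HSTS settings in section 4 are all plain notes.ini entries, so they can be audited before the next SSL Labs run. The script below is an added example (not HCL code, not from the webinar) that checks a notes.ini fragment for the values recommended on these slides, flags the RouterFallbackNonTLS trade-off, and then verifies that the Strict-Transport-Security header actually sent by the server matches the configured max-age and includeSubDomains policy. The notes.ini fragment and the captured HTTP response are constructed; the header format follows RFC 6797.

```python
"""Added example: check the SMTP and HTTP hardening entries from sections 3 and 4
in a notes.ini and verify the HSTS header on a captured HTTPS response. Not HCL code."""

# Constructed notes.ini fragment with the values recommended on the slides
SAMPLE_NOTES_INI = """\
[Notes]
SSL_Disable_TLS10=1
DISABLE_SSLV3=1
HTTP_HSTS_INCLUDE_SUBDOMAINS=1
HTTP_HSTS_MAX_AGE=31536000
RouterFallbackNonTLS=1
SMTPVerifyAuthenticatedSender=1
"""

# Constructed raw response as you would capture it with `curl -i` (headers only shown)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Entries that must carry exactly this value (keys compared case-insensitively)
REQUIRED = {
    "SSL_DISABLE_TLS10": "1",
    "DISABLE_SSLV3": "1",
    "HTTP_HSTS_INCLUDE_SUBDOMAINS": "1",
    "SMTPVERIFYAUTHENTICATEDSENDER": "1",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, the value used on the slide


def parse_notes_ini(text):
    """Return notes.ini key/value pairs with upper-cased keys."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def audit_settings(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key)
        if actual != wanted:
            findings.append(f"{key}: expected {wanted}, found {actual}")
    max_age = int(settings.get("HTTP_HSTS_MAX_AGE", "0") or 0)
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HTTP_HSTS_MAX_AGE: {max_age} is below {MIN_HSTS_MAX_AGE}")
    if settings.get("ROUTERFALLBACKNONTLS") == "1":
        # Informational: the fallback switch from section 3 allows cleartext outbound
        # SMTP when TLS cannot be negotiated; make that trade-off visible.
        findings.append("RouterFallbackNonTLS=1: outbound SMTP may fall back to cleartext")
    return findings


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip()
    return {
        "max_age": int(directives.get("max-age", "0") or 0),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def hsts_from_response(raw):
    """Extract the parsed HSTS header from a raw HTTP response, or None if absent."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def check_hsts(raw, settings):
    """Compare the header actually sent with the policy configured in notes.ini."""
    hsts = hsts_from_response(raw)
    if hsts is None:
        return ["no Strict-Transport-Security header in response"]
    problems = []
    want_age = int(settings.get("HTTP_HSTS_MAX_AGE", "0") or 0)
    if hsts["max_age"] < want_age:
        problems.append(f"max-age {hsts['max_age']} below configured {want_age}")
    if settings.get("HTTP_HSTS_INCLUDE_SUBDOMAINS") == "1" and not hsts["include_subdomains"]:
        problems.append("includeSubDomains missing although configured")
    return problems


if __name__ == "__main__":
    cfg = parse_notes_ini(SAMPLE_NOTES_INI)
    print("notes.ini findings:", audit_settings(cfg))
    print("HSTS findings:", check_hsts(SAMPLE_RESPONSE, cfg))
```

Comparing the live header against the configured policy catches the case where HSTS was set in notes.ini but a Web Site Document overrides it, which is why check_hsts runs on a captured response rather than trusting the configuration alone.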
31. Daniel Klas
@panagenda
Inbound Marketing Coordinator
panagenda
Christoph Adler
@cadler80
Senior Consultant
panagenda
Join the conversation using #NotesDominoSecurity & @panagenda
Q & A