HCL are really on top of their game on security and so is Domino. You may have recently seen a blog I did for HCL on HCL Domino v12: The 4 New Security Features You’ve Been Waiting for
However, it is really important not to assume that your environment is completely secure. This blog goes back to the fundamentals of Domino security, and to one setting in particular.
I complete health checks and security audits of environments all the time. In most environments that Domino People have not worked in before, there is one setting that is consistently overlooked. It's on the Security tab of your Server document: “Compare public keys”. It's usually left at its default, which does no key checking at all.
Don’t do this.
One of the things that makes Domino great is that certificates are baked into everything. You can't get away from them. But that doesn't mean you can leave everything at default and it will be perfectly secure.
If you don't have public key checking turned on, the server validates the name and certificate of a connecting ID but never checks the key inside it against the directory. That means anyone on your LAN who could spoof your org cert could register ANY user or server in your domain and get access to your server over port 1352. That would be bad. If you do turn it on, the public key of the ID (either server or user) connecting to the Domino server is compared against the key stored for that name in the Domino Directory, and an ID carrying a different key is caught. Simple and effective security.
What I'd usually advise if it isn't turned on is to change “Compare public keys” initially to “Log key mismatches for Notes users and Domino servers listed in trusted directories only”

Like any setting on the Security tab of the Server document, you're going to want to restart the Domino server for the setting to take effect. Then monitor the Security Events view of your log.nsf for key mismatch entries. Many of these will be innocent, for example a user using the wrong version of their ID, but it's important that you know about them and resolve each one before enforcing: every entry that is only logged today is a connection that will be refused once key checking is enforced.
When you're happy you've resolved all of these, change the “Compare public keys” setting to “Enforce key checking for Notes users and Domino servers listed in trusted directories only”

Again, restart Domino. You've just tightened the security on your server drastically. If you don't have it turned on, please do it now.
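To make the difference between the modes concrete, here is a small Python model of the decision the "Compare public keys" setting controls, run over the cases described above: a user on her current ID, the same user on a stale copy of her ID, an impostor presenting a real name with a key the directory has never seen, and a cross-certified server from another organization that has no entry in this domain's directory. This is an added illustration written for this article, not HCL code and not the real Notes authentication protocol: certificate validation is reduced to an org-name check, keys are random byte strings standing in for RSA public keys, the Domino Directory is a dict, and the assumption that the "all Notes users and Domino servers" variants treat a name missing from the directory as a failure is this model's reading of the field, not something taken from the post.

```python
"""Simplified model of what the "Compare public keys" setting decides.

Added illustration for this article, not HCL code: it models the semantics of
the server-document field as described in the post, not the real Notes
authentication protocol. Public keys are stand-in byte strings, the Domino
Directory is a dict, and every ID below is constructed for the example.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

# The five values of the "Compare public keys" field.
DO_NOT_ENFORCE = "Do not enforce key checking"
LOG_TRUSTED = "Log key mismatches for Notes users and Domino servers listed in trusted directories only"
LOG_ALL = "Log key mismatches for all Notes users and Domino servers"
ENFORCE_TRUSTED = "Enforce key checking for Notes users and Domino servers listed in trusted directories only"
ENFORCE_ALL = "Enforce key checking for all Notes users and Domino servers"
LOG_MODES = {LOG_TRUSTED, LOG_ALL}


def fingerprint(pubkey: bytes) -> str:
    """Short key fingerprint for log lines."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


@dataclass
class NotesID:
    name: str      # hierarchical name, e.g. "CN=Jane Doe/O=Acme"
    org: str       # organization certifier the ID claims to be certified by
    pubkey: bytes  # public key carried in the ID file


@dataclass
class Server:
    trusted_orgs: set          # own org plus cross-certified orgs
    directory: dict            # name -> public key recorded in the Domino Directory
    mode: str
    log: list = field(default_factory=list)

    def authenticate(self, who: NotesID) -> bool:
        # Step 1 (always on): certificate validation, modeled here as a plain
        # org-name check. With key checking off this is all the server relies on,
        # so an ID that can claim your org name gets in whatever key it carries.
        if who.org not in self.trusted_orgs:
            self.log.append(f"DENY {who.name}: certifier {who.org} not trusted")
            return False
        if self.mode == DO_NOT_ENFORCE:
            return True
        # Step 2: compare the key in the presented ID with the directory entry.
        recorded = self.directory.get(who.name)
        if recorded is None:
            # Assumption of this model: the "...listed in trusted directories
            # only" variants skip names they cannot find, the "all" variants
            # treat a missing entry as a failure (logged or denied).
            if self.mode == LOG_ALL:
                self.log.append(f"LOG {who.name}: no public key found in directory")
                return True
            if self.mode == ENFORCE_ALL:
                self.log.append(f"DENY {who.name}: no public key found in directory")
                return False
            return True
        if recorded == who.pubkey:
            return True
        msg = (f"{who.name}: key mismatch, ID has {fingerprint(who.pubkey)}, "
               f"directory has {fingerprint(recorded)}")
        if self.mode in LOG_MODES:
            self.log.append("LOG " + msg)   # written to the log, access still granted
            return True
        self.log.append("DENY " + msg)      # enforce mode: connection refused
        return False


def run_scenarios() -> dict:
    """Return {scenario: {mode: accepted?}} for the cases the post describes."""
    current_key, old_key, forged_key, partner_key = (secrets.token_bytes(32) for _ in range(4))
    directory = {"CN=Jane Doe/O=Acme": current_key}   # constructed directory
    scenarios = {   # constructed IDs, none of them real
        "legit user, current ID": NotesID("CN=Jane Doe/O=Acme", "Acme", current_key),
        "legit user, old ID copy": NotesID("CN=Jane Doe/O=Acme", "Acme", old_key),
        "impostor using a real name": NotesID("CN=Jane Doe/O=Acme", "Acme", forged_key),
        "cross-certified partner, not in directory": NotesID("CN=Mail1/O=Partner", "Partner", partner_key),
    }
    results = {}
    for label, who in scenarios.items():
        results[label] = {}
        for mode in (DO_NOT_ENFORCE, LOG_TRUSTED, LOG_ALL, ENFORCE_TRUSTED, ENFORCE_ALL):
            server = Server({"Acme", "Partner"}, directory, mode)
            results[label][mode] = server.authenticate(who)
    return results


if __name__ == "__main__":
    for label, per_mode in run_scenarios().items():
        print(label)
        for mode, ok in per_mode.items():
            print(f"  {'accept' if ok else 'deny':6}  {mode}")
```

Running it shows the point of the staged rollout: the impostor and the stale ID are both accepted under "Do not enforce", both accepted but written to the log under the "Log" variants, and both refused under "Enforce", so anything you see in the log during the logging phase is exactly what will break when you flip to enforcement. The cross-certified partner is the case from the comments below: it passes under the "trusted directories only" variants and trips the "no public key found in directory" path only under the "all" variants.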
Cormac McCarthy – Domino People Ltd


Michel Morin says:
How is this supposed to work with servers across different Domino Domains where the server IDs have been created with the same Certifiers? We have copied server documents from Domain B into Domain A and vice versa so that both servers can communicate, which works very well but seems to frustrate HCL support.
Cormac McCarthy says:
Hi Michel,
Your setup is not particularly best practice – cross certification is (exponentially) better than copying and pasting server documents. You'll run into clunky problems at various points when you try to implement new functionality with a setup like you have (key rollover etc. will be a mess).
Either way though. You can test public key checking yourself and see the results by turning on logging before enforcement.
Thanks,
Cormac
Michel Morin says:
I have tried cross certification and it did not change anything; I was still seeing the “no public key found in directory” message on the console. If you have a link to provide I would appreciate it. I would like to mention that both my servers are in the same OU regardless of being in different Domino Domains.
Cormac McCarthy says:
Hi Michel,
Thanks – I hear what you’re saying.
What I am saying is it's anticipated you may have issues the way you are set up; any set of workarounds are going to be clunky at best.
It is implicit in different Domino domains that you will have different organisations, otherwise there is no (security) reason to have them in separate Domino domains in the first place. It's the equivalent in an Active Directory world of setting up an explicit DMZ outside of the LAN AD, and importing all the objects and credentials from the LAN. It's so far from best practice that a workaround to get stuff like public key checking working just doesn't make sense to me. As much as it may be a bit of a transition, either moving to the same domain/same organisation or different organisation/different domain is the only thing I would advise here.
Thanks,
Cormac