This is a tip from the IBM Connect 2014 session "BP103 : Ready, Aim, Fire: Mastering the Latest in the Administrator’s Arsenal". Speakers Ben Menesi (Ytria) and Kim Greene (Kim Greene Consulting) step through the new features IBM has introduced to Domino from release 8.5.x-9.x. This tip covers why you should use ID Vault, how to set up protected groups, what settings to tweak to make sure password checking is up and running, how to lock down your server’s ACLs and more.

1. © 2014 IBM Corporation
BP103
Ready, Aim, Fire: Mastering
the Latest in the
Administrator’s Arsenal
Kim Greene, Kim Greene Consulting, Inc
Ben Menesi, Ytria

2. 52
Securing Your Servers

3. ID Vault
Use it!!!
– Customer scenarios:
• Lost ID because PC crashed, had to go back to original ID on network drive, which
was created under different certifier than current certifier
• Forgotten passwords
• Setting up new users / existing users get new PCs/laptops
- Notes client setup simply pulls ID from vault, no manual handling of ID file
Tip:
– If have multiple OUs, easiest to implement from top OU
Gotcha:
– Doesn’t work in Citrix® environments (yet)
53
Domino
8.5

4. Protected Groups
Prevents accidental deletion of designated “critical” groups
Configured in Directory Profile of the Domino Directory
– Tip: You must edit and save once to become operational
Requires Domino directory to have 9 design
Defaults to LocalDomainAdmins, LocalDomainServers, and OtherDomainServers
54
Domino
9.0

5. Protected Groups
Open Domino Directory→Actions→Edit Directory Profile
55

6. Protected Groups
Prevent deletion of these groups
56

7. Password Checking
Password checking is crucial for securing IDs
Enable in both Server document and Person document
57
+

8. Internet Password Lockout
Set threshold for Internet password authentication failures for HTTP users
58

9. Locking down your server’s ACLs
Ensuring that your Domino databases are locked down from the server side can be vital.
– Make sure Anonymous has no access to your databases (especially system databases!)
– Use DominoHunter to gather information from the outside
• You might be surprised what you find!
DominoHunter: open-source PERL script that automates opening and querying standard
databases from the web
– Beware: even if you get satisfying results, you may have databases left open to the web
that this script won’t find!
• It works based on a pre-set list of system databases
• Use syntax: dh.pl –h targetaddress.com –l results.txt
59

10. Locking down your server’s ACLs
DominoHunter results
60

11. Locking down your server’s ACLs
Easy to recognize when looking into Domlog.nsf (for v0.9 it records thousands of hits from
the same IP!)
– You can even write an agent to get notified about such attempts / attacks
61

12. Domino server ports
Make sure not to leave ports open that you do not have to
– This will be the number 1 step for any potential outside attack
– Nmap is a great tool to test for open ports:
62

13. Domino server ports
Make sure not to leave ports open that you do not have to
– This is the number 1 step for any attacker
– You can use Nmap to scan for open ports
• DomLog records hit when selecting intense scan
63

14. How to Contact Us
76
@iSeriesDomino
www.linkedin.com/in/kimgreeneconsulting
@BenMenesi
ca.linkedin.com/in/benedekmenesi
Contact – Ben Menesi Contact – Kim Greene
We’d love to hear from you!
kim@kimgreene.comben.menesi@ytria.com

15. 78
Acknowledgements and Disclaimers
© Copyright IBM Corporation 2014. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com, and IBM Domino®, IBM Notes Domino®, IBM Notes®, IBM Traveler®, Sametime® LotusScript® are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a
trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be
registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml
This slide presentation may contain the following copyrighted, trademarked, and / or restricted terms:
Microsoft®, Windows®, Microsoft Office®, Ytria®, Panagenda®, Visual Basic®, Java®, Perl®, OGSi®, Trust-factory®, Citrix®
Other company, product, or service names may be trademarks or service marks of others.
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither
intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information
contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise
related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or
its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and
performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you
will result in any specific sales, revenue growth or other results.