This is a tip from the IBM Connect 2014 session "BP103 : Ready, Aim, Fire: Mastering the Latest in the Administrator’s Arsenal". Speakers Ben Menesi (Ytria) and Kim Greene (Kim Greene Consulting) step through the new features IBM has introduced to Domino from release 8.5.x-9.x.
This tip covers why you should use ID Vault, how to set up protected groups, what settings to tweak to make sure password checking is up and running, how to lock down your server’s ACLs and more.
3. ID Vault
Use it!!!
– Customer scenarios:
• Lost ID because PC crashed, had to go back to original ID on network drive, which was created under different certifier than current certifier
• Forgotten passwords
• Setting up new users / existing users get new PCs/laptops
- Notes client setup simply pulls ID from vault, no manual handling of ID file
Tip:
– If you have multiple OUs, easiest to implement from top OU
Gotcha:
– Doesn’t work in Citrix® environments (yet)
Domino 8.5
4. Protected Groups
Prevents accidental deletion of designated “critical” groups
Configured in Directory Profile of the Domino Directory
– Tip: You must edit and save once to become operational
Requires the Domino Directory to have the Domino 9 design
Defaults to LocalDomainAdmins, LocalDomainServers, and OtherDomainServers
Domino 9.0
9. Locking down your server’s ACLs
Ensuring that your Domino databases are locked down from the server side can be vital.
– Make sure Anonymous has no access to your databases (especially system databases!)
– Use DominoHunter to gather information from the outside
• You might be surprised what you find!
DominoHunter: open-source PERL script that automates opening and querying standard databases from the web
– Beware: even if you get satisfying results, you may have databases left open to the web that this script won’t find!
• It works based on a pre-set list of system databases
• Use syntax: dh.pl -h targetaddress.com -l results.txt
11. Locking down your server’s ACLs
Easy to recognize when looking into Domlog.nsf (for v0.9 it records thousands of hits from the same IP!)
– You can even write an agent to get notified about such attempts / attacks
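The slide does not show the agent itself. As an added example (not from the session or the speakers), the following Python shows the detection logic such an agent needs: flag any client that requests several distinct .nsf databases in a short window, which is the footprint a scripted probe of standard databases leaves in the access log. The sample lines are constructed, in Common Log Format (one of the formats Domino's HTTP text logging writes), and the thresholds of four databases within five minutes are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format); addresses and
# paths are made up. 203.0.113.7 walks through system databases in seconds,
# 198.51.100.20 is an ordinary mail user opening one database.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2014:10:15:01 +0000] "GET /names.nsf HTTP/1.1" 403 512
203.0.113.7 - - [27/Jan/2014:10:15:01 +0000] "GET /admin4.nsf HTTP/1.1" 404 256
203.0.113.7 - - [27/Jan/2014:10:15:02 +0000] "GET /log.nsf HTTP/1.1" 404 256
203.0.113.7 - - [27/Jan/2014:10:15:02 +0000] "GET /catalog.nsf HTTP/1.1" 403 512
203.0.113.7 - - [27/Jan/2014:10:15:03 +0000] "GET /domlog.nsf HTTP/1.1" 404 256
198.51.100.20 - - [27/Jan/2014:10:16:40 +0000] "GET /mail/kgreene.nsf HTTP/1.1" 200 8192
198.51.100.20 - - [27/Jan/2014:10:17:05 +0000] "GET /mail/kgreene.nsf/inbox HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)

def parse(line):
    """Return (ip, timestamp, database path, status) or None for non-.nsf hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m['path'].lower()
    if '.nsf' not in path:
        return None
    db = path.split('.nsf')[0] + '.nsf'          # normalise /x.nsf/view to /x.nsf
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, db, int(m['status'])

def probing_ips(log_text, window=timedelta(minutes=5), min_dbs=4):
    """Map each suspicious IP to the sorted distinct databases it requested.
    An IP is suspicious when it touched >= min_dbs distinct databases within
    any sliding window of `window` length (assumed thresholds)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            events[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        j = 0
        for i in range(len(evs)):
            while evs[j][0] < evs[i][0] - window:   # drop hits older than the window
                j += 1
            if len({db for _, db in evs[j:i + 1]}) >= min_dbs:
                flagged[ip] = sorted({db for _, db in evs})
                break
    return flagged
```

In a real agent the same check runs over the documents in Domlog.nsf, and a hit is what triggers the notification mail.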
12. Domino server ports
Make sure not to leave ports open that you do not have to
– This will be the number 1 step for any potential outside attack
– Nmap is a great tool to test for open ports:
13. Domino server ports
Make sure not to leave ports open that you do not have to
– This is the number 1 step for any attacker
– You can use Nmap to scan for open ports
• DomLog records hit when selecting intense scan
14. How to Contact Us
We’d love to hear from you!
Contact – Ben Menesi
@BenMenesi
ca.linkedin.com/in/benedekmenesi
ben.menesi@ytria.com
Contact – Kim Greene
@iSeriesDomino
www.linkedin.com/in/kimgreeneconsulting
kim@kimgreene.com