Wednesday, August 6, 2008

SnTT - xACL - Secure that Domino Directory!

Domino Directory security is one of those things I have always just taken for granted. I ran the "Actions -> Upgrade to More Secure Internet Password Format" option, set the ACL entry for Anonymous to "No Access", and set the defaults so that users can edit their own password information. Everything else that should be hidden from prying eyes is hidden, right?
As I found out on a recent security audit, not everything is hidden from prying eyes.

The firm hired to do an all-systems security audit pinged me pretty good by showing an easily accessible back door for pulling Internet password hashes out of the Domino Directory and running them through a password cracker to get into the accounts (the HTTPPassword field holds a one-way hash, so the attacker cracks it offline rather than decrypting it). Note that this was done with an ordinary registered user account in my Domino domain, not anonymously; anonymous access to the directory was still blocked.
1. Open a web browser and go to http://servername/names.nsf
2. Authenticate to the server with an ordinary registered user account.
3. While logged into the database via the web browser, open a Person document. Any one will do.
4. In the frame that shows the Person document's information, right-click and select "View Page Source" or "View Source", depending on which browser you are using.
5. Scroll down through the source until you find the hidden input for the HTTPPassword field, which looks like this:
"HTTPPassword" type="hidden" value="(gibberish)">
6. If the value attribute is empty, the field is already protected (most likely because you are already using the Extended ACL feature) and you can stop reading this entry. Might I suggest something from the links list on the left side to continue your reading? But if you see a password hash where the "(gibberish)" sits, then you need to keep reading: anyone who can authenticate to the server can harvest it.
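As an added example (my own script, not code from the original post or from Lotus/IBM), here is a Python check that automates steps 4 to 6: it parses a Person document's HTML for a hidden HTTPPassword input and reports whether the value is populated. The hash-format classification is a heuristic of mine, the sample pages are constructed rather than captured from a real server, and the fetch helper assumes the server accepts HTTP Basic authentication for names.nsf.

```python
"""Scan a Domino Person document's rendered HTML for a populated HTTPPassword
hidden field, the exposure the post's view-source steps find by hand.
Added example, not code from the original post."""
import base64
import re
import urllib.request
from html.parser import HTMLParser

# Field names to look for. HTTPPassword is the one the post names; extend as needed.
SENSITIVE_FIELDS = ("HTTPPassword",)


class HiddenInputScanner(HTMLParser):
    """Collect every <input type="hidden"> as name -> value."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")


def classify_hash(value):
    """Heuristic (my assumption, not a documented rule): 32 hex characters is the
    old unsalted Internet password hash; a value wrapped in parentheses is the
    salted format produced by 'Upgrade to More Secure Internet Password Format'.
    Either one is crackable offline, so either one counts as a leak."""
    if re.fullmatch(r"[0-9A-Fa-f]{32}", value):
        return "unsalted"
    if value.startswith("(") and value.endswith(")"):
        return "salted"
    return "unknown"


def scan_person_doc(html, sensitive=SENSITIVE_FIELDS):
    """Return {field: {"exposed": bool, "format": str|None}} for each sensitive
    field. A field that is missing or has an empty value is not exposed, which is
    what an ordinary user should see once the xACL is in place."""
    p = HiddenInputScanner()
    p.feed(html)
    p.close()
    report = {}
    for name in sensitive:
        value = p.hidden.get(name, "").strip()
        report[name] = {
            "exposed": bool(value),
            "format": classify_hash(value) if value else None,
        }
    return report


def is_exposed(html, sensitive=SENSITIVE_FIELDS):
    return any(r["exposed"] for r in scan_person_doc(html, sensitive).values())


def fetch_person_doc(url, user, password, timeout=15):
    """Fetch a Person document over HTTP as an ordinary authenticated user.
    Assumes the server accepts HTTP Basic authentication; if session (form)
    authentication is enforced, obtain a session cookie instead."""
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8")


# Constructed sample pages; the hash values are placeholders, not real hashes.
EXPOSED_SALTED = """<html><body><form method="post">
<input name="FullName" type="hidden" value="CN=Jane Doe/O=Acme">
<input name="HTTPPassword" type="hidden" value="(GAbCdEfGhIjKlMnOpQrSt)">
</form></body></html>"""

EXPOSED_UNSALTED = """<html><body><form method="post">
<input name="HTTPPassword" type="hidden" value="0123456789ABCDEF0123456789ABCDEF">
</form></body></html>"""

PROTECTED = """<html><body><form method="post">
<input name="FullName" type="hidden" value="CN=Jane Doe/O=Acme">
<input name="HTTPPassword" type="hidden" value="">
</form></body></html>"""

if __name__ == "__main__":
    for label, page in (("salted", EXPOSED_SALTED),
                        ("unsalted", EXPOSED_UNSALTED),
                        ("protected", PROTECTED)):
        print(label, scan_person_doc(page))
```

Run it with an ordinary user account, the same vantage point the auditors had: a check made with an administrator's credentials can pass while a regular user still sees the hash, since the xACL decides per user what gets rendered.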

A Domino Directory feature that I have never really seen get much attention is the Extended ACL, or xACL. It adds the extra layer of lock-down needed to restrict access all the way down to the field level, which is exactly what the HTTPPassword field needs. Rather than type out all of the steps, I will point you to document #1244808, "Configuring xACLs to protect Internet Password fields in the Domino Directory". One caveat: if you rely on anonymous LDAP lookups, these steps will break them. Once you have locked the fields down with the xACL, and you still need anonymous LDAP to work, follow the steps in your Domino Administrator help file in the section entitled
"Converting the default anonymous access settings to database ACL and extended ACL settings."
Then repeat the view-source check above as an ordinary user to confirm the value really is gone. With these steps in place, the hackers are going to need to find another way of breaking into your stuff!


Rob McDonagh said...

Good to find somebody else using the xACL. Almost every admin I meet is scared of it. Cool xACL tricks like this one might make a good session at a conference, you know.

We've used it to hide person and group docs in a cascaded (well, DA'd, but you're not a n00b, you know what I mean) directory, while still allowing resource reservation to work. It's a bit tricky to get the right setup at first, but it works like a charm, and those cascaded directories don't even show up as a possible directory when addressing mail. Way cool.

And then there's the real security issue, as you pointed out, where the xACL lets you fix something that could have been a serious issue - in about 10 minutes.

nick wall said...

Just followed your advice and implemented this. It's one of those things that has been on the list, but never got round to. It really did only take a few minutes to configure. Thanks!