Why This Topic and Session? This is “A Day in the Life” session filled with information you don’t learn for Certification. Documentation only gets you so far, real life happens fast and security is never tight enough. If you were locked out of your server, would you know how to get back in? 1
In This Session... You will learn how to properly remove people from your domain and a little bit about how to hack into your server You will not learn everything there is to know about Domino security from this session What we learn in Vegas, does not stay in Vegas! 2
What We’ll Cover … The Premise and the Reality Who are You? Are you Sure? Traveler Users Quickr Place/Site Owners Wrap-up 3
The Premises We are all honest and trustworthy Administrators Even the Developers who snuck in here You are not likely to be the first or last Administrator at your employer Everyone does much more today than last year Junior Administrators sometimes make mistakes – Teach or mentor them, do not berate them You run a secured environment You have backups and copies of your ID files You spent huge $$$ on security You are here because you care 4
5 The Reality You are honest, but some employees, well... You inherited a mess! But have the interest to pass along a better world Fires? What fires? – I am transforming my company Junior Administrators? I wish I had any help. Security is handled by someone else or just me Either way it’s your problem if it is Domino-related You have so many copies of ID files, you have ID Vaults for ID Vaults Your security doesn’t secure your Domino server... you do! We are in Las Vegas, don't gamble with your security
6 What We’ll Cover … The Premise and the Reality Who are You? Are you Sure? Traveler Users Quickr Place/Site Owners Wrap-up
7 Warning: Danger Will Robinson! Try these solutions if you have no other choices Backup everything first Document everything Proceed Cautiously OK, Here we go!
8 Identity and Security from the Field Just because you are the Administrator, does not mean you have all the access you deserve Are previous Administrators still in your admin group even after they left the company? Is your boss also an admin? Guess what, you just made his AA an admin also! Does every ID file get the same default password? ACL for your NAB is open to the outside world... with user ID files attached... and a default password?
9 How to Hack Your Server – Generic Ideas Simple to Complex ways Test open nsf(s), especially names.nsf Use LDAP to connect anonymously and obtain details RDP of any sort is your friend and enemy VM? Make sure the host system is secure. Disable Guest everywhere? Maybe not? Try average names, jsmith and then try basic passw0rdpssw0rd Build a Domino server, same name, org, and make an ID... Steal a laptop, power on LOL, login is tied to your Windows login is it? Windows login try... passw0rd. These are the ways of guys on the street, not the FBI
10 How to Hack Your Server As the Administrator Buddy network Floppies, USB, File Shares Take down a server, edit the names.nsf via nlnotes or a local client Can’t take down a server? Recreate your Certifier! Then your ID. See Resources page for links If you did not enable the Enforce ACL across all servers, try a secondary server Lost your ID? Webadmin.nsf, if you enabled it, will get you back in to add others as admins so you can create a new ID. What about you? What would you do?
11 Some Prevention Ideas BUT Not All Encompassing Enable user tracking and look at it occasionally Use a Domino security policy to ensure password uniqueness Template databases (*.ntf) are also a risk. Too often you find them with a default ACL set to Designer or Administrator. Enable Weblogging If you use POP or IMAP make sure you are logging as many details as possible Enable eSMTP and/or TLS which for Domino is Negotiated SSL Encrypt all ports for replication on clients and servers Create a dummy Administrator ID used for emergencies Keep your servers and clients up to date! Now where were we? Right, Who are you? Where are you?
12 Where Are You Found? Open your database catalog or Domain Catalog file and check the ACL lists By Name Have your developers check their workflow apps Find the old Admins still?
13 Old Administrators Haunt You This happens sometimes for longer than expected Their name is everywhere, as a signer on apps, agents, etc. So why not kill them off? You have the tools... What are you afraid of? Stopping applications Crippling servers Possible rogue actions or agents Management finding out
14 Before You Kill the Old Administrator ID Verify YOUR name is properly listed in the Admin groups If none exist, create a universal signer ID file Let developers know you will be removing the old one Let AdminP remove the user and deny them access If they had a mail file, take it offline or archive it Now sit and wait...
15 After You Kill the Old Administrator ID Calls will come in within an hour if anything gets crippled The next morning is the 1 st test The following Monday is the 2 nd test The 1 st of the next month is the 3 rd test The 1 st day of the next quarter is the 4 th test January 1 or whatever day you get back to work is the last test
16 Expired Administrator ID This happens more often than anyone lets on After all, would you tell people? What do you do when you are the only Admin? 1) Change the server date to before the expiration date or 2) If you still have it, open nlnotes.exe on the server (no longer installed with R8 servers) * Open the NAB to the People list Find the user Click Actions-Recertify Selected People Select the Certifier Set a date down the road a bit * =nlnotes.exe is really not recommended to use unless it is REALLY in need
17 How Do You Prevent This for the Future? 1) If the certificates have not already been recertified prior to this point, the user will not be allowed to access the server until this is done 2) If the certificates were recertified prior to this but the user happens to be using an outdated ID file, the server will automatically update the certificates on the ID
18 What We’ll Cover … The Premise and the Reality Who are You? Are you Sure? Traveler Users Quickr Place/Site Owners Wrap-up
19 Lotus Notes Traveler Security Hole or Sliced Bread Traveler is the greatest thing IBM has created On the other hand, you now have CEOs that have... Really... Important... Data... that they keep on their phones! The overhead to set it up can be high The security can be as well How do you know who is really synching? Have you ever thought about this? Do you know how to delete users from Traveler?
20 Lotus Notes Traveler – Killing a User From the Domino Administrator client, click the Messaging tab, and click the Mail tab Expand the IBM Lotus Notes Traveler Section Click on the Device Security view Select the device Do one of the following: To deny access to the device, select the Deny Access action To re-enable access to a device that has been denied access, select the Clear Wipe/Allow Access action
21 To Completely Remove Traveler Users Check in the Administration Client Messaging – Mail Only on the Traveler server Or check in the lotustraveler.nsf In the Domino\data directory From a Server Console: tell traveler security delete * tell traveler delete * Traveler users inactive for longer than 1 month will be cleaned up by the database automatically
22 Verifying the Traveler User Was Deleted The previous steps should completely remove the user, but if you want to verify it: Open the LotusTraveler.nsf file and verify that there are no entries for the user Open the ntsclcache.nsf file and verify that there are no entries for the user The Traveler service should be restarted for all deletes to be displayed properly From the Server Console: Restart task traveler Personally I prefer to shut tasks down fully using quit Any Remote Wipe commands must be cleared before the entries can be deleted
23 What We’ll Cover … The Premise and the Reality Who are You? Are you Sure? Traveler Users Quickr Place/Site Owners Wrap-up
24 Quickr Details, in Case You Did Not Know Quickr is a hybrid of Notes NSF files and Web content You may be the Admin, but you will learn fast you are really an EMT Just because someone owns a site doesn’t mean the site is deleted when they leave the company Spend the time upfront and the management of Quickr will be much easier on the back end Removing users? Let’s do it!
25 Quickr Issues When Removing Users * Covered in my other session here on Quickr Was the user an Administrator of any Sites/Places? Have you enabled the notes.ini setting for AdminP to remove users?* Windows ® : extmgr_addins=nqpcmextmgr AIX ® : extmgr_addins=libqpcmextmgr_r.a Linux ® : extmgr_addins=libqpcmextmgr.so Was the user a Domino Administrator? Check the qpconfig.xml for the Super User reference* What about Placebots if you edited Qpconfig.xml?* What about the group “QuickPlaceAdministratorsSUGroup”?
26 Quickr Sites Survive Quickr can handle the owner of the site getting deleted Although one may think there will be problems, there isn’t You as the Admin can always fix it How? By using the Super User account
27 Quickr Server Super User to the Rescue You can give super user access only to an external user or group Offline functionality is not supported when accessing a server as a super user You can use the qpconfig.xml file to control super user access from a browser You can use theQuickPlaceAdministratorsSUGroup in the Domino Directory to control super user access from a Lotus Notes client Place managers automatically have super user access to the places they manage, and can give additional users super user access to those places
28 What We’ll Cover … The Premise and the Reality Who are You? Are you Sure? Traveler Users Quickr Place/Site Owners Wrap-up
29 Resources How to Manually Recertify an Expired ID Technote #1087566 www.ibm.com/support/docview.wss?uid=swg21087566 Deleting a User from Lotus Notes Traveler: LNT8521 www.lotus.com/ldd/dominowiki.nsf/dx/Deleting_a_user_from_L otus_Notes_Traveler_LNT8521 What to Do When a Certifier ID Is Stolen, Lost or Compromised Technote #1087149 www.ibm.com/support/docview.wss?uid=swg21087149
7 Key Points to Take Home AdminP is your friend if you take care of it properly Never presume a listed individual is deleted until you see it done Users may be gone but their email can live forever Log files are your friend... just keep them small Quickr integrates with AdminP which I strongly advise you set up When you need to kill a user, wipe their phone BEFORE deleting them from everything else Keep your servers and clients up to date!
31 Your Turn! How to contact me: Keith Brooks email@example.com