© 2011 Wellesley Information Services. All rights reserved.

Breaking and Entering: If You Can Hack It, So Can They

Keith Brooks, Vanessa Brooks


Why This Topic and Session?

This is an “A Day in the Life” session filled with information you don’t learn for Certification.

Documentation only gets you so far; real life happens fast and security is never tight enough.

If you were locked out of your server, would you know how to get back in?


In This Session ...

You will learn how to properly remove people from your domain and a little bit about how to hack into your server

You will not learn everything there is to know about Domino security from this session

What we learn in Vegas does not stay in Vegas!


What We’ll Cover …

• The Premise and the Reality
• Who are You? Are you Sure?
• Traveler Users
• Quickr Place/Site Owners
• Wrap-up


The Premises

• We are all honest and trustworthy Administrators
  – Even the Developers who snuck in here
• You are not likely to be the first or last Administrator at your employer
• Everyone does much more today than last year
• Junior Administrators sometimes make mistakes
  – Teach or mentor them, do not berate them
• You run a secured environment
• You have backups and copies of your ID files
• You spent huge $$$ on security

You are here because you care


The Reality

• You are honest, but some employees, well ...
• You inherited a mess!
  – But have the interest to pass along a better world
• Fires? What fires?
  – I am transforming my company
• Junior Administrators? I wish I had any help.
• Security is handled by someone else or just me
  – Either way it’s your problem if it is Domino-related
• You have so many copies of ID files, you have ID Vaults for ID Vaults
• Your security doesn’t secure your Domino server ... you do!

We are in Las Vegas; don't gamble with your security


Warning: Danger Will Robinson!

• Try these solutions if you have no other choices
• Back up everything first
• Document everything
• Proceed cautiously

OK, Here we go!


Identity and Security from the Field

• Just because you are the Administrator does not mean you have all the access you deserve
• Are previous Administrators still in your admin group even after they left the company?
• Is your boss also an admin? Guess what, you just made his AA an admin also!
• Does every ID file get the same default password?
• ACL for your NAB is open to the outside world ... with user ID files attached
• ... and a default password?


How to Hack Your Server – Generic Ideas

• Simple to Complex ways
• Test open nsf(s), especially names.nsf
• Use LDAP to connect anonymously and obtain details
• RDP of any sort is your friend and enemy
• VM? Make sure the host system is secure.
• Disable Guest everywhere? Maybe not?
• Try average names, jsmith and then try basic passw0rd
• Build a Domino server, same name, org, and make an ID ...
• Steal a laptop, power on LOL, login is tied to your Windows login is it? Windows login try ... passw0rd.

These are the ways of guys on the street, not the FBI


How to Hack Your Server As the Administrator

• Buddy network
• Floppies, USB, File Shares
• Take down a server, edit the names.nsf via nlnotes or a local client
• Can’t take down a server? Recreate your Certifier! Then your ID. See Resources page for links
• If you did not enable the Enforce ACL across all servers, try a secondary server
• Lost your ID? Webadmin.nsf, if you enabled it, will get you back in to add others as admins so you can create a new ID.

What about you? What would you do?


Some Prevention Ideas BUT Not All Encompassing

• Enable user tracking and look at it occasionally
• Use a Domino security policy to ensure password uniqueness
• Template databases (*.ntf) are also a risk. Too often you find them with a default ACL set to Designer or Administrator.
• Enable Weblogging
• If you use POP or IMAP make sure you are logging as many details as possible
• Enable eSMTP and/or TLS which for Domino is Negotiated SSL
• Encrypt all ports for replication on clients and servers
• Create a dummy Administrator ID used for emergencies
• Keep your servers and clients up to date!

Now where were we? Right, Who are you? Where are you?


Where Are You Found?

• Open your database catalog or Domain Catalog file and check the ACL lists By Name
• Have your developers check their workflow apps
• Find the old Admins still?
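The three ACL checks the deck keeps coming back to, as one added offline example (this is not code from the deck or from IBM/Lotus): departed Administrators still listed by name in any database (slide 13), a names.nsf whose Anonymous or -Default- entry is open to the outside world (slide 9), and *.ntf templates whose -Default- sits at Designer or above (slide 12). It assumes you have pulled the ACLs out of the catalog into a pipe-separated text export (database|entry|level|type); that format and the sample rows are constructed, and the thresholds for "open" are the example's own policy, not a Domino default.

```python
"""Offline Domino ACL audit over a constructed catalog export.

Added example, not part of the original deck. Domino does not produce
this pipe-separated text itself; it stands in for whatever you pull out
of catalog.nsf or the Domain Catalog "By Name" view.
"""
from collections import defaultdict

# Domino access levels from weakest to strongest
LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# Constructed sample: database | ACL entry | access level | entry type
SAMPLE_EXPORT = """\
names.nsf|LocalDomainAdmins|Manager|Person group
names.nsf|CN=Jane Former/O=Acme|Manager|Person
names.nsf|-Default-|Author|Unspecified
names.nsf|Anonymous|Reader|Unspecified
mail/jsmith.nsf|CN=John Smith/O=Acme|Manager|Person
mail/jsmith.nsf|-Default-|No Access|Unspecified
workflow.nsf|CN=Jane Former/O=Acme|Designer|Person
workflow.nsf|-Default-|Reader|Unspecified
mail8.ntf|-Default-|Designer|Unspecified
mail8.ntf|Anonymous|No Access|Unspecified
"""


def parse_acl_export(text):
    """Return {database: [(entry, level, type), ...]}; skips blank and # lines."""
    acl = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        db, entry, level, kind = (f.strip() for f in line.split("|", 3))
        if level not in RANK:
            raise ValueError(f"unknown access level {level!r} in {db}")
        acl[db].append((entry, level, kind))
    return dict(acl)


def find_departed(acl, departed):
    """Slide 13: every database where a departed admin is still listed by name."""
    departed = {d.lower() for d in departed}
    return sorted((db, entry, level) for db, entries in acl.items()
                  for entry, level, _ in entries if entry.lower() in departed)


def find_open_directory(acl, directory="names.nsf"):
    """Slide 9: the NAB open to the outside world. Policy (assumed here):
    Anonymous must be No Access and -Default- no higher than Reader."""
    findings = []
    for entry, level, _ in acl.get(directory, []):
        if entry == "Anonymous" and RANK[level] > RANK["No Access"]:
            findings.append((directory, entry, level))
        if entry == "-Default-" and RANK[level] > RANK["Reader"]:
            findings.append((directory, entry, level))
    return findings


def find_open_templates(acl):
    """Slide 12: *.ntf templates whose -Default- is Designer or above."""
    return sorted((db, entry, level) for db, entries in acl.items()
                  if db.lower().endswith(".ntf")
                  for entry, level, _ in entries
                  if entry == "-Default-" and RANK[level] >= RANK["Designer"])


def audit(text, departed):
    """Run all three checks; each value is a list of (database, entry, level)."""
    acl = parse_acl_export(text)
    return {"departed": find_departed(acl, departed),
            "open_directory": find_open_directory(acl),
            "open_templates": find_open_templates(acl)}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, ["CN=Jane Former/O=Acme"])
    for category, hits in report.items():
        print(category)
        for db, entry, level in hits:
            print(f"  {db}: {entry} has {level}")
```

Feed it the real export and the list of names AdminP is about to remove; anything under "departed" is a place the old Administrator still haunts, and the other two lists are the same open doors the deck warns about.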


Old Administrators Haunt You

• This happens sometimes for longer than expected
• Their name is everywhere, as a signer on apps, agents, etc.
• So why not kill them off?
• You have the tools ...

What are you afraid of?
• Stopping applications
• Crippling servers
• Possible rogue actions or agents
• Management finding out


Before You Kill the Old Administrator ID

• Verify YOUR name is properly listed in the Admin groups
• If none exist, create a universal signer ID file
• Let developers know you will be removing the old one
• Let AdminP remove the user and deny them access
• If they had a mail file, take it offline or archive it
• Now sit and wait ...


After You Kill the Old Administrator ID

• Calls will come in within an hour if anything gets crippled
• The next morning is the 1st test
• The following Monday is the 2nd test
• The 1st of the next month is the 3rd test
• The 1st day of the next quarter is the 4th test
• January 1 or whatever day you get back to work is the last test
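The checkpoint schedule above, turned into a small date helper as an added example (not code from the deck): given the day the old Administrator ID was removed, it returns the dates on which the deck says a scheduled agent or job may still trip over the missing signer, so you know when to watch the log and the help desk queue. The sample removal date is constructed.

```python
"""Checkpoint dates after removing an old Administrator ID.

Added example, not part of the original deck. The labels follow the
slide; the date arithmetic is ordinary calendar logic.
"""
from datetime import date, timedelta


def first_of_next_month(d):
    """First day of the month after d."""
    if d.month == 12:
        return date(d.year + 1, 1, 1)
    return date(d.year, d.month + 1, 1)


def first_of_next_quarter(d):
    """First day of the calendar quarter after the one containing d."""
    quarter_start = ((d.month - 1) // 3) * 3 + 1   # 1, 4, 7 or 10
    next_start = quarter_start + 3
    if next_start > 12:
        return date(d.year + 1, 1, 1)
    return date(d.year, next_start, 1)


def following_monday(d):
    """The next Monday strictly after d (a full week away if d is a Monday)."""
    days_ahead = (7 - d.weekday()) % 7 or 7
    return d + timedelta(days=days_ahead)


def removal_checkpoints(removed_on):
    """The dates from the slide at which nightly, weekly, monthly, quarterly
    and yearly scheduled work gets its first run without the removed ID.
    Returned in the order the slide lists them."""
    return [
        ("next morning", removed_on + timedelta(days=1)),
        ("following Monday", following_monday(removed_on)),
        ("1st of next month", first_of_next_month(removed_on)),
        ("1st of next quarter", first_of_next_quarter(removed_on)),
        ("January 1", date(removed_on.year + 1, 1, 1)),
    ]


def checkpoints_iso(year, month, day):
    """Same schedule keyed by label, with dates as ISO strings for a report."""
    return {label: when.isoformat()
            for label, when in removal_checkpoints(date(year, month, day))}


if __name__ == "__main__":
    # Constructed sample: ID removed on Wednesday 18 May 2011
    for label, when in removal_checkpoints(date(2011, 5, 18)):
        print(f"{label:20s} {when.isoformat()} ({when.strftime('%A')})")
```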


Expired Administrator ID

• This happens more often than anyone lets on
  – After all, would you tell people?
• What do you do when you are the only Admin?

1) Change the server date to before the expiration date, or

2) If you still have it, open nlnotes.exe on the server (no longer installed with R8 servers)*
  – Open the NAB to the People list
  – Find the user
  – Click Actions – Recertify Selected People
  – Select the Certifier
  – Set a date down the road a bit

* nlnotes.exe is really not recommended to use unless it is REALLY in need


How Do You Prevent This for the Future?

1) If the certificates have not already been recertified prior to this point, the user will not be allowed to access the server until this is done

2) If the certificates were recertified prior to this but the user happens to be using an outdated ID file, the server will automatically update the certificates on the ID


Lotus Notes Traveler Security Hole or Sliced Bread

• Traveler is the greatest thing IBM has created
• On the other hand, you now have CEOs that have ... Really ... Important ... Data ... that they keep on their phones!
• The overhead to set it up can be high
• The security can be as well
• How do you know who is really synching?
• Have you ever thought about this?
• Do you know how to delete users from Traveler?


Lotus Notes Traveler – Killing a User

• From the Domino Administrator client, click the Messaging tab, and click the Mail tab
• Expand the IBM Lotus Notes Traveler section
• Click on the Device Security view
• Select the device
• Do one of the following:
  – To deny access to the device, select the Deny Access action
  – To re-enable access to a device that has been denied access, select the Clear Wipe/Allow Access action


To Completely Remove Traveler Users

• Check in the Administration Client Messaging – Mail
  – Only on the Traveler server
• Or check in the lotustraveler.nsf
  – In the Domino\data directory
• From a Server Console:
    tell traveler security delete * <user>
    tell traveler delete * <user>
• Traveler users inactive for longer than 1 month will be cleaned up by the database automatically


Verifying the Traveler User Was Deleted

• The previous steps should completely remove the user, but if you want to verify it:
  – Open the LotusTraveler.nsf file and verify that there are no entries for the user
  – Open the ntsclcache.nsf file and verify that there are no entries for the user
  – The Traveler service should be restarted for all deletes to be displayed properly
  – From the Server Console: Restart task traveler
  – Personally I prefer to shut tasks down fully using quit
  – Any Remote Wipe commands must be cleared before the entries can be deleted


Quickr Details, in Case You Did Not Know

• Quickr is a hybrid of Notes NSF files and Web content
• You may be the Admin, but you will learn fast you are really an EMT
• Just because someone owns a site doesn’t mean the site is deleted when they leave the company
• Spend the time upfront and the management of Quickr will be much easier on the back end
• Removing users? Let’s do it!


Quickr Issues When Removing Users

* Covered in my other session here on Quickr

• Was the user an Administrator of any Sites/Places?
• Have you enabled the notes.ini setting for AdminP to remove users?*
  – Windows®: extmgr_addins=nqpcmextmgr
  – AIX®: extmgr_addins=libqpcmextmgr_r.a
  – Linux®: extmgr_addins=libqpcmextmgr.so
• Was the user a Domino Administrator? Check the qpconfig.xml for the Super User reference*
• What about Placebots if you edited Qpconfig.xml?*
• What about the group “QuickPlaceAdministratorsSUGroup”?
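An added offline check for the notes.ini setting in the second bullet (example code, not from the deck or from IBM): it parses a notes.ini, reads extmgr_addins as the comma-separated list it is, reports whether the platform's Quickr library named on the slide is present, and when it is not, builds the line to set without dropping any add-ins already listed. The sample notes.ini contents are constructed; the library names are the ones on the slide.

```python
"""Does this notes.ini let AdminP clean up Quickr membership?

Added example, not part of the original deck. The per-platform library
names are taken from the slide; everything else here is assumption.
"""

QUICKR_EXTMGR = {
    "windows": "nqpcmextmgr",
    "aix": "libqpcmextmgr_r.a",
    "linux": "libqpcmextmgr.so",
}

# Constructed sample notes.ini contents (not from any real server)
WINDOWS_INI = """\
[Notes]
Directory=C:\\Lotus\\Domino\\data
ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP
EXTMGR_ADDINS=nqpcmextmgr
"""

LINUX_INI_MISSING = """\
Directory=/local/notesdata
ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP
"""

LINUX_INI_OTHER_ADDIN = """\
Directory=/local/notesdata
ExtMgr_Addins=libexample.so
"""

LINUX_INI_OK = """\
Directory=/local/notesdata
EXTMGR_ADDINS=libexample.so, libqpcmextmgr.so
"""


def parse_notes_ini(text):
    """notes.ini is one KEY=VALUE per line; keys are case-insensitive.
    A [Notes] section header and ;comment lines are skipped. If a key
    repeats, this parser keeps the last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def extmgr_addins(text):
    """extmgr_addins as a list; it is comma-separated and may hold other add-ins."""
    raw = parse_notes_ini(text).get("extmgr_addins", "")
    return [a.strip() for a in raw.split(",") if a.strip()]


def quickr_adminp_enabled(text, platform):
    """True when the platform's Quickr extension manager library is listed."""
    wanted = QUICKR_EXTMGR[platform.lower()].lower()
    return any(a.lower() == wanted for a in extmgr_addins(text))


def suggested_fix(text, platform):
    """The notes.ini line that would enable it, or None if already enabled.
    Existing add-ins are kept, since overwriting the list would drop them."""
    if quickr_adminp_enabled(text, platform):
        return None
    addins = extmgr_addins(text) + [QUICKR_EXTMGR[platform.lower()]]
    return "extmgr_addins=" + ",".join(addins)


if __name__ == "__main__":
    for name, ini, plat in [("windows", WINDOWS_INI, "windows"),
                            ("linux-missing", LINUX_INI_MISSING, "linux"),
                            ("linux-other", LINUX_INI_OTHER_ADDIN, "linux"),
                            ("linux-ok", LINUX_INI_OK, "linux")]:
        print(name, quickr_adminp_enabled(ini, plat), suggested_fix(ini, plat))
```

Point it at the real notes.ini of each Quickr server before the user removal, since a missing add-in here is exactly why a deleted user can linger as a place member.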


Quickr Sites Survive

• Quickr can handle the owner of the site getting deleted
• Although one may think there will be problems, there isn’t
  – You as the Admin can always fix it
• How? By using the Super User account


Quickr Server Super User to the Rescue

• You can give super user access only to an external user or group
• Offline functionality is not supported when accessing a server as a super user
• You can use the qpconfig.xml file to control super user access from a browser
• You can use the QuickPlaceAdministratorsSUGroup in the Domino Directory to control super user access from a Lotus Notes client
• Place managers automatically have super user access to the places they manage, and can give additional users super user access to those places


Resources

• How to Manually Recertify an Expired ID, Technote #1087566
  www.ibm.com/support/docview.wss?uid=swg21087566
• Deleting a User from Lotus Notes Traveler: LNT8521
  www.lotus.com/ldd/dominowiki.nsf/dx/Deleting_a_user_from_Lotus_Notes_Traveler_LNT8521
• What to Do When a Certifier ID Is Stolen, Lost or Compromised, Technote #1087149
  www.ibm.com/support/docview.wss?uid=swg21087149


7 Key Points to Take Home

• AdminP is your friend if you take care of it properly
• Never presume a listed individual is deleted until you see it done
• Users may be gone but their email can live forever
• Log files are your friend ... just keep them small
• Quickr integrates with AdminP, which I strongly advise you set up
• When you need to kill a user, wipe their phone BEFORE deleting them from everything else
• Keep your servers and clients up to date!


Your Turn!

How to contact me: Keith Brooks

[email protected]