AMEN to your comments about a Windows file share for ID files.  You would
be relaying on Microsoft's security features.

We actually have secure database with all ID files.  It is protected by
Domino directory ACLs (db link so you need to actually find it if you were
to try from the OS level), db ACLs, local encryption, enforced ACLs and a
database secret key.  Very few people have access to this file.  Finally,
these people do not even have access to the system administrator's ID
archives - only management.  Security hole is the people you are trusting
with this access.

I am saying it is completely secure?  Nah, just extremely hard to get the
data.  You really have to want the data.  The most secure method would be
not to archive IDs and if someone loses theirs.... SOL!!!

I do believe if I had access to a primary directory with ID files, I can
get the IDs.  The only thing preventing me from cracking an ID password is
time.  Granted a sys admin ID can't get to the file system but it can get
to all the mail files if said ID has the ability to enable Full Access
Administration.  Why would I need OS access if I can delete everything from
an Admin client.

Again, I am trying to say my way is the best way.  Nah, I am just offering
my view on best practices.

Regards,
Eric Waters
CSC


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit written
agreement or government initiative expressly permitting the use of e-mail
for such purpose.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------




                                                                           
             seanmurphy@bedbat                                             
             h.com                                                         
             Sent by:                                                   To 
             domino400-bounces         domino400@xxxxxxxxxxxx              
             +ewaters2=csc.com                                          cc 
             @midrange.com                                                 
                                                                   Subject 
                                       Re: Domino ID Files Best Practices  
             03/30/2005 02:33                                              
             PM                                                            
                                                                           
                                                                           
             Please respond to                                             
              Lotus Domino on                                              
               the iSeries /                                               
                   AS400                                                   
             <domino400@midran                                             
                  ge.com>                                                  
                                                                           
                                                                           








C +API tool to hack a notes id? LOL.....  That tool does a dictionary
attack.

Nothing special about that. The only thing is special is they bypassed the
time-out.

http://lostpassword.com/lotus-notes.htm

What security does the user ID have to the system? Say an Admin ID?

I would be interested in seeing how you can get the NAB off of the server
if you do not have access to the server.
The owner of all of objects is QNOTES. Kind of hard to get the file to pull
the id out of it. I also am using encrypted NABs
on my mail servers as well so even if you got the NAB you could not open it
with another notes client.

The NAB on my servers is not accessible from the web,  default and
anonymous is NO ACCESS. We don't store IDs there anyway.
We store them elsewhere and of course on the PCs with the notes client,
such as my admin id on the PC I am using to
compose this email. So if you hacked my Windows Laptop then stole my id,
would it not be Windows Security that is the issue?
The only way to get and ID  is via a Microsoft Windows Hack to steal the ID
off of a PC. Then run this PASSWARE tool
to hack the id password.

The answer would be not to use Windows and notes IDs? That would not be
practical.

Don't keep IDs on computers anywhere? That would not be practical.

No networked computers works as well ala "Battle Star Gallactica"????  We
all know we can do anything without networking..............

lf you are concerned about notes id security then the  answer is to not
have the notes IDs stored anywhere, and use a smartcard or biometric id
instead of a standard notes id. If your NAB is secured properly it is much
safer than on a Windows File Server or on a Windows PC...........

Here are some products that add that extra layer of ID security. Notes
supports smart cards and Bio-Metic ID systems.

ActivCard Gold 2.2 product
Gemplus 3.1 product
Gemplus 2.0 product
Rainbow iKey 2032 product
Schlumberger Cyberflex 4 product

Sean
------------------------------------------------------
CONFIDENTIALITY NOTICE: This e-mail, and any attachments thereto, is
intended only for use by the addressee(s) named herein and may contain
confidential information.  If you are not the intended recipient of this
e-mail, you are hereby notified that any dissemination, distribution or
copying of this e-mail, and any attachments thereto, is strictly
prohibited.  If you have received this e-mail in error, please permanently
delete the original and any copy of any e-mail and any printout thereof.
Thank you for your compliance.

_______________________________________________
This is the Lotus Domino on the iSeries / AS400 (Domino400) mailing list
To post a message email: Domino400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/domino400.




As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.