Rob, that is still an insider job if a registered user in our system were to detach an ID file from the NAB. The Notes ID is removed after first install. We do not keep them in our NAB. Regardless of that fact, you need to have editor rights to detach an ID from the NAB. Users only have reader rights in our system, with no replicate or print etc. They cannot detach an ID file using the Notes client, cannot copy the address book and cannot download it from the web. Only "trusted" admins can do anything with ID files, and even then there is no ID after first install. Any other breach of security is an inside job...

I have a floppy disk that boots a system into NTFS and can hack a Windows SAM database and give me root access to ANY PC or Server. Similar to this hack: http://lostpassword.com/windows-xp-2000-nt.htm

I have always had reservations about Windows security, and the weekly critical updates are a testament to that. As I stated earlier, if you are that concerned about Notes ID security then don't use standard Notes IDs. Use SecurID or other biometric type of security. It is fully supported in Lotus Notes.

Sean
http://www.bedbathandbeyond.com


domino400-request@xxxxxxxxxxxx
Sent by: domino400-bounces+seanmurphy=bedbath.com@xxxxxxxxxxxx
03/31/2005 01:00 PM
Please respond to domino400@xxxxxxxxxxxx
To: domino400@xxxxxxxxxxxx
cc:
Subject: Domino400 Digest, Vol 3, Issue 57

Send Domino400 mailing list submissions to domino400@xxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit http://lists.midrange.com/mailman/listinfo/domino400 or, via email, send a message with subject or body 'help' to domino400-request@xxxxxxxxxxxx

You can reach the person managing the list at domino400-owner@xxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific than "Re: Contents of Domino400 digest..."

Today's Topics:

1. Re: Domino ID Files Best Practices (Eric J Waters)

----------------------------------------------------------------------

message: 1
date: Wed, 30 Mar 2005 16:19:23 -0500
from: Eric J Waters <ewaters2@xxxxxxx>
subject: Re: Domino ID Files Best Practices

AMEN to your comments about a Windows file share for ID files. You would be relying on Microsoft's security features. We actually have a secure database with all ID files. It is protected by Domino directory ACLs (db link, so you need to actually find it if you were to try from the OS level), db ACLs, local encryption, enforced ACLs and a database secret key. Very few people have access to this file. Finally, these people do not even have access to the system administrator's ID archives - only management. The security hole is the people you are trusting with this access. Am I saying it is completely secure? Nah, just extremely hard to get the data. You really have to want the data. The most secure method would be not to archive IDs, and if someone loses theirs.... SOL!!!

I do believe if I had access to a primary directory with ID files, I can get the IDs. The only thing preventing me from cracking an ID password is time. Granted, a sys admin ID can't get to the file system, but it can get to all the mail files if said ID has the ability to enable Full Access Administration. Why would I need OS access if I can delete everything from an Admin client? Again, am I trying to say my way is the best way? Nah, I am just offering my view on best practices.

Regards,
Eric Waters
CSC

--------------------------------------------------------------------------------
This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
--------------------------------------------------------------------------------


seanmurphy@bedbath.com
Sent by: domino400-bounces+ewaters2=csc.com@midrange.com
03/30/2005 02:33 PM
Please respond to Lotus Domino on the iSeries / AS400 <domino400@midrange.com>
To: domino400@xxxxxxxxxxxx
cc:
Subject: Re: Domino ID Files Best Practices

C+API tool to hack a Notes ID? LOL..... That tool does a dictionary attack. Nothing special about that. The only thing that is special is they bypassed the time-out. http://lostpassword.com/lotus-notes.htm

What security does the user ID have to the system? Say an Admin ID? I would be interested in seeing how you can get the NAB off of the server if you do not have access to the server. The owner of all of the objects is QNOTES. Kind of hard to get the file to pull the ID out of it. I also am using encrypted NABs on my mail servers as well, so even if you got the NAB you could not open it with another Notes client. The NAB on my servers is not accessible from the web; Default and Anonymous is NO ACCESS. We don't store IDs there anyway. We store them elsewhere and of course on the PCs with the Notes client, such as my admin ID on the PC I am using to compose this email. So if you hacked my Windows laptop then stole my ID, would it not be Windows security that is the issue? The only way to get an ID is via a Microsoft Windows hack to steal the ID off of a PC, then run this Passware tool to hack the ID password. The answer would be not to use Windows and Notes IDs? That would not be practical. Don't keep IDs on computers anywhere? That would not be practical. No networked computers works as well, a la "Battlestar Galactica"????

We all know we can do anything without networking...

If you are concerned about Notes ID security then the answer is to not have the Notes IDs stored anywhere, and use a smartcard or biometric ID instead of a standard Notes ID. If your NAB is secured properly it is much safer than on a Windows file server or on a Windows PC...

Here are some products that add that extra layer of ID security. Notes supports smart cards and biometric ID systems.

ActivCard Gold 2.2
Gemplus 3.1
Gemplus 2.0
Rainbow iKey 2032
Schlumberger Cyberflex 4

Sean

------------------------------------------------------
CONFIDENTIALITY NOTICE: This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please permanently delete the original and any copy of any e-mail and any printout thereof. Thank you for your compliance.

_______________________________________________
This is the Lotus Domino on the iSeries / AS400 (Domino400) mailing list
To post a message email: Domino400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/domino400 or email: Domino400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/domino400.
------------------------------

End of Domino400 Digest, Vol 3, Issue 57