Rob, that is still an insider job if a registered user in our system were 
to detach an ID file from the NAB.

The notes ID is removed after first install. We do not keep them in our 
NAB.

Regardless of that fact you need to have editor rights to detach an id 
from the NAB.

Users only have reader rights in our system, with no replicate or print 
etc.  They cannot detach an ID file using the Notes client, cannot 
copy the address book and cannot download it from the web. 

Only "trusted" admins can do anything with ID files, and even then there 
is no id after first install.

Any other breach of security is an inside job...

I have a floppy disk that boots a system into NTFS and can hack a 
Windows SAM database and give me root access to ANY PC or Server. 

Similar to this hack    http://lostpassword.com/windows-xp-2000-nt.htm

I always have had reservations about Windows security, and the weekly 
critical updates are a testament to that. 

As I stated earlier, if you are that concerned about Notes ID security then 
don't use standard Notes IDs.
Use SecurID or another biometric type of security.  It is fully supported 
in Lotus Notes. 

Sean 



http://www.bedbathandbeyond.com



From: domino400-request@xxxxxxxxxxxx
Sent by: domino400-bounces+seanmurphy=bedbath.com@xxxxxxxxxxxx
Date: 03/31/2005 01:00 PM
Please respond to: domino400@xxxxxxxxxxxx
To: domino400@xxxxxxxxxxxx
Subject: Domino400 Digest, Vol 3, Issue 57


Send Domino400 mailing list submissions to
                 domino400@xxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
                 http://lists.midrange.com/mailman/listinfo/domino400
or, via email, send a message with subject or body 'help' to
                 domino400-request@xxxxxxxxxxxx

You can reach the person managing the list at
                 domino400-owner@xxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Domino400 digest..."


Today's Topics:

   1. Re: Domino ID Files Best Practices (Eric J Waters)


----------------------------------------------------------------------

message: 1
date: Wed, 30 Mar 2005 16:19:23 -0500
from: Eric J Waters <ewaters2@xxxxxxx>
subject: Re: Domino ID Files Best Practices





AMEN to your comments about a Windows file share for ID files.  You would
be relying on Microsoft's security features.

We actually have a secure database with all ID files.  It is protected by
Domino directory ACLs (db link, so you need to actually find it if you were
to try from the OS level), db ACLs, local encryption, enforced ACLs and a
database secret key.  Very few people have access to this file.  Finally,
these people do not even have access to the system administrator's ID
archives - only management.  The security hole is the people you are trusting
with this access.

Am I saying it is completely secure?  Nah, just extremely hard to get the
data.  You really have to want the data.  The most secure method would be
not to archive IDs, and if someone loses theirs.... SOL!!!

I do believe if I had access to a primary directory with ID files, I could
get the IDs.  The only thing preventing me from cracking an ID password is
time.  Granted, a sys admin ID can't get to the file system, but it can get
to all the mail files if said ID has the ability to enable Full Access
Administration.  Why would I need OS access if I can delete everything from
an Admin client?

Again, am I trying to say my way is the best way?  Nah, I am just offering
my view on best practices.

Regards,
Eric Waters
CSC






 
From: seanmurphy@bedbath.com
Sent by: domino400-bounces+ewaters2=csc.com@midrange.com
Date: 03/30/2005 02:33 PM
To: domino400@xxxxxxxxxxxx
Subject: Re: Domino ID Files Best Practices
Please respond to: Lotus Domino on the iSeries / AS400 <domino400@midrange.com>








C +API tool to hack a notes id? LOL.....  That tool does a dictionary
attack.

Nothing special about that. The only thing that is special is that they bypassed
the time-out.

http://lostpassword.com/lotus-notes.htm

What security does the user ID have to the system? Say an Admin ID?

I would be interested in seeing how you can get the NAB off of the server
if you do not have access to the server.
The owner of all of the objects is QNOTES. Kind of hard to get the file to
pull the id out of it. I also am using encrypted NABs
on my mail servers as well, so even if you got the NAB you could not open
it with another Notes client.

The NAB on my servers is not accessible from the web; default and
anonymous is NO ACCESS. We don't store IDs there anyway.
We store them elsewhere and of course on the PCs with the Notes client,
such as my admin id on the PC I am using to
compose this email. So if you hacked my Windows laptop then stole my id,
would it not be Windows security that is the issue?
The only way to get an ID is via a Microsoft Windows hack to steal the
ID off of a PC. Then run this PASSWARE tool
to hack the id password.

The answer would be not to use Windows and notes IDs? That would not be
practical.

Don't keep IDs on computers anywhere? That would not be practical.

No networked computers works as well, a la "Battlestar Galactica"????  We
all know we can do anything without networking...

If you are concerned about Notes ID security then the answer is to not
have the Notes IDs stored anywhere, and use a smartcard or biometric id
instead of a standard Notes id. If your NAB is secured properly it is much
safer than on a Windows file server or on a Windows PC...

Here are some products that add that extra layer of ID security. Notes
supports smart cards and biometric ID systems.

ActivCard Gold 2.2 product
Gemplus 3.1 product
Gemplus 2.0 product
Rainbow iKey 2032 product
Schlumberger Cyberflex 4 product

Sean

_______________________________________________
This is the Lotus Domino on the iSeries / AS400 (Domino400) mailing list
To post a message email: Domino400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/domino400
or email: Domino400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/domino400.






