Oh, I'm not arguing with the potential for abuse.  That's why we haven't
done it that way here for five or six years.  I was just trying to clarify
that the ID in question was legitimate -- your message implied that you
thought it was not.  The last time I spent any serious time studying this
particular feature, there were some features that made it more secure, if
implemented correctly.

The primary problem with using this particular method of distributing new
IDs, from a security standpoint, is that you cannot use a default password.
We use a default password process here, so we never store the ID in the
address book.  If you want to store the ID in the address book, you can
(should?) create a random and reasonably complex password for it.  In fact,
if you have means of communicating the password to the user securely, you
can avoid the scenario whereby anyone but the end user has access to the ID
by having them configure their own client.  The theory, as I understand it,
is that this (implemented correctly) is less of a security hole than the
other method because not even the PC technician that set it up has the
information necessary to log in as the user.

I'm under the impression that the ID is removed from NAB once it is
downloaded to the client.  It seems like I successfully tested that here,
but like I said, it's been years.  Someone once told me, also, that the
attached ID files are accessible to a limited audience -- namely, managers
of the NAB and the owner of the person document (ie, the person whose ID we
are discussing) -- however, I have never tested that since it is irrelevant
for me here.  If that's true, it seems relatively secure -- as long as it's
not stored with a password that everyone knows.

Anyway, I don't know your environment, but for ours, the ID-in-the-NAB has
been labelled a "bad thing" and we never store the ID there.  If you are
using default passwords, I would recommend you do the same.  Which means,
of course, changing the default settings in the Register Person dialog.

Patrick

domino400-bounces+ptrapp=nex-tech.com@xxxxxxxxxxxx wrote on 07/12/2005
03:49:49 PM:

> Thanks for the responses.
>
> This response from Robert Laing sounds like exactly what happens during
> the install.
>
> <Snip>
>
> If an ID exists in the NAB, during the install the client will detach the
> ID file from the NAB and save it locally with the default name of user.id
> -- the password associated with this ID would be the password assigned
> when
> the user was created.
>
> If an ID does not exist in the NAB, an ID file must be provided when the
> client initially connects to the server.  If no ID file is provided during
> installation, there can be no connection to the server.
>
> <End Snip>
>
> Patrick - I'm thinking this is the first time it's happened. It hasn't
> been brought to my attention before.
>
> I guess there is a 'security' hole here since any user's mail file could
> be 'configured', and the user.id file imported from the NAB with a default
> password (from the user registration) can be used to access the mail file.
>
> Regards, Jerry
>
> Gerald Kern
> IBM Certified AS/400 RPG IV Developer & RPG IV Programmer
> MIS Project Leader, Lotus Notes/Domino Administrator
> The Toledo Clinic, Inc.
> 4235 Secor Road
> Toledo, OH 43623-4299
> Phone 419-479-5535
> gkern@xxxxxxxxxxxxxxxx
> *****
> This email message, including any attachments, is for the sole use
> of the intended recipient(s) and may contain confidential and
> privileged information. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you are not the intended recipient,
> please contact the sender by reply email and destroy all copies of
> the original message.
> _______________________________________________
> This is the Lotus Domino on the iSeries / AS400 (Domino400) mailing list
> To post a message email: Domino400@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/domino400
> or email: Domino400-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/domino400.
>
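The practice Patrick describes above (never leave an ID in the NAB with a default password; give each ID its own random, reasonably complex password and keep the plaintext away from the administrator) can be illustrated with a small script. This is an added example, not code from the thread or from Lotus Notes/Domino; the default password value, the complexity policy, the registration records and the `register_person`/`audit_default_passwords` helpers are all constructed for illustration and do not correspond to any Domino API. It generates a per-ID password from the OS CSPRNG, stores only a salted hash of it, and audits a set of registration records for IDs that sit in the NAB while still carrying the default password.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Constructed example value: the default password a registration dialog
# might assign to every new ID. Hypothetical, not taken from the thread.
DEFAULT_PASSWORD = "welcome1"

SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def is_reasonably_complex(password: str, min_len: int = 16) -> bool:
    """Policy check (assumed policy): minimum length plus at least three
    of the four character classes present."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SYMBOLS for c in password),
    ]
    return len(password) >= min_len and sum(classes) >= 3


def generate_id_password(length: int = 20) -> str:
    """Generate a unique random password for one ID file using secrets
    (the OS CSPRNG). Retries until the policy passes, which at this length
    almost never takes more than one draw."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_reasonably_complex(candidate):
            return candidate


def fingerprint(password: str, salt: bytes) -> str:
    """Salted PBKDF2 hash of the password. Storing only this lets an audit
    recognise the default password without keeping plaintext beside the ID."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def register_person(name: str, password: str, id_in_nab: bool,
                    salt: Optional[bytes] = None) -> dict:
    """Constructed stand-in for a person document: records whether the ID
    file is attached in the NAB and a hash of the password it was set with."""
    salt = salt or secrets.token_bytes(16)
    return {
        "name": name,
        "salt": salt,
        "pw_hash": fingerprint(password, salt),
        "id_in_nab": id_in_nab,
    }


def audit_default_passwords(records, default: str = DEFAULT_PASSWORD) -> list:
    """Return the names whose ID is stored in the NAB and whose password
    still matches the default, i.e. the configuration the thread warns about."""
    flagged = []
    for rec in records:
        expected = fingerprint(default, rec["salt"])
        if rec["id_in_nab"] and hmac.compare_digest(rec["pw_hash"], expected):
            flagged.append(rec["name"])
    return flagged


# Constructed registration records: alice is the risky case (ID in NAB,
# default password); bob got a random password; carol's ID is not in the NAB.
RECORDS = [
    register_person("alice", DEFAULT_PASSWORD, id_in_nab=True),
    register_person("bob", generate_id_password(), id_in_nab=True),
    register_person("carol", DEFAULT_PASSWORD, id_in_nab=False),
]

if __name__ == "__main__":
    print("IDs in NAB with default password:", audit_default_passwords(RECORDS))
```

The audit compares hashes rather than plaintext so the check can run without the administrator ever holding the per-user passwords, which is the point of handing the random password to the user through a separate secure channel.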

