Open mail file without password !

We are having a potential security problem with our Lotus Notes server. I am able to map a drive to our Notes Server and copy someone's mail file to my local PC....I can then double click the file and it opens, without asking for a password. I then have full access to their e-mails! It doesn't matter which mail file I choose. It happens for all of them !

Any ideas ?
D_CodlingAsked:
 
SysExpertCommented:
If you are a New Notes Admin, I would suggest getting the Notes 5 Admin Help file ( should be on the Server in the Doc folder ), and start reading up on security, ACLs, and how a server should be setup.

1) Lock down the server by disallowing/removing all shares except for Administrators.
2) On the server - Enforce consistent ACLs on the databases that are critical, the NAB and any other important DBs.

From: SysExpert
Date: 06/24/2002 07:47AM PST
Check the ACLs.

Make sure that the default is No access and the same for anonymous.
Tighten up the ACLs as needed. This should be done for most databases !


3) Then try making a local copy of the database and see if you can open it.

If you can, then post the ACL settings here, and we will try to resolve your problem.

               I hope this helps !
0
 
SysExpertCommented:
1) Local Access to a mail file will definitely open a loophole.

2) Notes servers Should Not HAVE ANY shares on them Ever !!! Only the Administrative share should be available, and then only to the Administrators !

So get rid of any shares you have defined !!

I hope this helps !

0
 
HemanthaKumarCommented:
I agree with SysExpert on disabling the share. Additionally I would use the Notes security by which you can ensure that the db is opened by the appropriate person. For that use "Enforce Consistent ACL" in the advanced tab of the ACL dialog.

For more info on how and why it is used check this tech note
http://www-1.ibm.com/support/manager.wss?rs=475&rt=0&org=sims&doc=3666C30C9494F161852563FD0053550F

~Hemanth
0

 
ArunkumarCommented:
WOW !!!

How come the network is so open ?  SysExpert is right !

:-)
0
 
SysExpertCommented:
One other comment.
Check the ACL's.

Make sure that the default is No access and the same for anonymous.
Tighten up the ACL's as needed.

I hope this helps !
0
 
dottleCommented:
HemanthaKumar is correct. In addition to closing the share, on the ACL advanced tab check the "Enforce Consistent ACL".
0
 
D_CodlingAuthor Commented:
OK....In my Lotus Notes Client....select File...Database...Access Control...then select advanced and tick the box which says enforce consistent ACL across all replicas of this database..

Is this correct, because it doesn't work.

I'm new to this so please bear with me
0
 
HemanthaKumarCommented:
You are on the right path. Now did you copy the database from the server to local by doing a filecopy ? At this point the ACL will be enforced and you will not be able to open it unless you have proper access in the ACL. If in the ACL the Default access is set to Reader or higher then you will be able to open the database locally using Default access. So shut down Default access by setting it to No Access. Then give Manager access to the user who will use this db, then test it.

~Hemanth
0
 
Jean Marie GeeraertsApplication EngineerCommented:
A short remark: If you've copied the database before you set the enforce consistent ACL option you will be able to open the database locally.
After the first replication with the server the ACL will also be replicated and you will no longer be able to locally open the database.

To test this do the following:
1. Copy a db without the enforce consistent ACL option set
2. Set the enforce consistent ACL on the server db
3. Start replication on your client, so changes from the server are replicated to your local copy
4. Check if you can still open the local db (if you're not in the ACL you shouldn't)

Files that are copied after the option was set can not be opened locally unless you have proper access.

Regards,
JM
0
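HemanthaKumar's advice (Default and Anonymous at No Access, Manager for the mailbox owner, "Enforce Consistent ACL" on) and JM's test above are things an administrator will want to check across every mail file rather than one at a time. The following LotusScript agent is an added example, not code from this thread or from Lotus; it reads the ACL of each mail file on a server and reports which ones still have the weak settings, and a second routine applies the recommended settings to one database. The server name, the `mail` directory prefix and the owner name passed in are assumptions you must replace with your own values.

```lotusscript
%INCLUDE "lsconst.lss"   ' defines ACLLEVEL_* and the DATABASE constant used below
Option Declare

' Placeholder values (assumptions, not from the thread): replace with your own.
Const AUDIT_SERVER = "Mail01/YourOrg"
Const MAIL_DIR_PREFIX = "mail"

' Audit one database against the settings recommended in this thread:
' -Default- and Anonymous at No Access, and "Enforce a consistent ACL" turned on.
' Returns True when all hold; otherwise appends the problems found to findings.
Function AclIsLockedDown(db As NotesDatabase, findings As String) As Boolean
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim ok As Boolean
    ok = True
    Set acl = db.ACL

    ' -Default- always exists in an ACL; anything above No Access lets a local
    ' copy (or any user not listed in the ACL) open the mail file.
    Set entry = acl.GetEntry("-Default-")
    If entry.Level > ACLLEVEL_NOACCESS Then
        findings = findings & "  -Default- is above No Access" & Chr(10)
        ok = False
    End If

    ' Anonymous is optional; when absent, anonymous users fall back to -Default-.
    Set entry = acl.GetEntry("Anonymous")
    If Not (entry Is Nothing) Then
        If entry.Level > ACLLEVEL_NOACCESS Then
            findings = findings & "  Anonymous is above No Access" & Chr(10)
            ok = False
        End If
    End If

    ' UniformAccess is the "Enforce a consistent ACL" checkbox on the Advanced tab.
    If Not acl.UniformAccess Then
        findings = findings & "  Enforce a consistent ACL is off" & Chr(10)
        ok = False
    End If

    AclIsLockedDown = ok
End Function

' Apply the thread's remediation to one mail file: -Default- and Anonymous to
' No Access, the mailbox owner as Manager, consistent ACL on, then save.
' The ID running this agent needs Manager access to the database.
Sub LockDownMailAcl(db As NotesDatabase, ownerName As String)
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Set acl = db.ACL

    Set entry = acl.GetEntry("-Default-")
    entry.Level = ACLLEVEL_NOACCESS

    Set entry = acl.GetEntry("Anonymous")
    If entry Is Nothing Then
        Set entry = acl.CreateACLEntry("Anonymous", ACLLEVEL_NOACCESS)
    Else
        entry.Level = ACLLEVEL_NOACCESS
    End If

    Set entry = acl.GetEntry(ownerName)
    If entry Is Nothing Then
        Set entry = acl.CreateACLEntry(ownerName, ACLLEVEL_MANAGER)
    Else
        entry.Level = ACLLEVEL_MANAGER
    End If

    acl.UniformAccess = True
    Call acl.Save
End Sub

' Report-only pass over every mail file on the server. Nothing is changed here;
' call LockDownMailAcl per database once you have confirmed the owner's name.
Sub Initialize
    Dim session As New NotesSession
    Dim dir As NotesDbDirectory
    Dim db As NotesDatabase
    Dim findings As String

    Set dir = session.GetDbDirectory(AUDIT_SERVER)
    Set db = dir.GetFirstDatabase(DATABASE)
    Do While Not (db Is Nothing)
        If Left$(LCase$(db.FilePath), Len(MAIL_DIR_PREFIX)) = MAIL_DIR_PREFIX Then
            Call db.Open("", "")   ' databases from NotesDbDirectory start closed
            findings = ""
            If AclIsLockedDown(db, findings) Then
                Print db.FilePath & ": OK"
            Else
                Print db.FilePath & ": NEEDS ATTENTION" & Chr(10) & findings
            End If
        End If
        Set db = dir.GetNextDatabase
    Loop
End Sub
```

Run the agent from a Notes client signed with an administrator ID that holds Manager on the mail files; the audit output goes to the agent log. As JM notes, a copy taken before the flag was set stays readable until it is replicated again or re-copied, so re-run the audit after the change and repeat his four-step test on one mailbox.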
 
ArunkumarCommented:
Why should I replicate to read other persons' emails. I will make copies of the db whenever I need to read your emails.... how is that ?

;-)
0
 
Jean Marie GeeraertsApplication EngineerCommented:
No luck there Arun, my mail server is not accessible through any shares and mail files all have a consistent ACL, so you cannot open them locally :-)
0
 
zvonkoCommented:
Hello JM,

Enforce ACL is a security feature first in R6.

I can open any (R4 and R5) Enforce ACL db for you :)

And this fact is clearly stated in any Lotus explanations about Enforce ACL.

Look into Notes Peek: the flag for Enforce ACL is named UniformAccess and occurs two times; in DB header and in the ACL. It is enough to turn it off in the db header.

NotesPeek is here:
http://www-1.ibm.com/support/manager.wss?rs=475&rt=0&org=sims&doc=216F5A5367FD3CF485256797005C2DC7

0
 
SysExpertCommented:
Yes, but that requires some serious hacking.


A normal Notes user would probably never get that far.

Just my 2 cents...

0
 
D_CodlingAuthor Commented:
Points go to SysExpert this time.

Thanks to everyone who has helped me with this problem.
0
 
ArunkumarCommented:
Hi Bro Zvo ???

:-(
Arun.
0
 
Jean Marie GeeraertsApplication EngineerCommented:
Hm, this Notes Peek thing might solve a problem I have here with a database I can't access locally due to an incorrect ACL :-)
BTW, zvonko, thanks for the Workflow course notes!
0
 
zvonkoCommented:
you are welcome :-)

0
 
Jean Marie GeeraertsApplication EngineerCommented:
Okay, at the risk of looking stupid here: How do I use Notes Peek to change this value and disable the enforced ACL?
I can't find anything about updates in the help. Or would I have to do this with an API-call? And if so, how and where?
0
 
zvonkoCommented:
JM, did you receive my zip file with the two executables?

Please do not give them to anybody away :)

0
 
Jean Marie GeeraertsApplication EngineerCommented:
Yep, only didn't get it to work :(
0
Question has a verified solution.