Solved

Open mail file without password!

Posted on 2002-06-24
Last Modified: 2013-12-18
We are having a potential security problem with our Lotus Notes server. I am able to map a drive to our Notes server and copy someone's mail file to my local PC. I can then double click the file and it opens, without asking for a password. I then have full access to their e-mails! It doesn't matter which mail file I choose. It happens for all of them!

Any ideas?
Question by:D_Codling
21 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 7103784
1) Local Access to a mail file will definitely open a loophole.

2) Notes servers Should Not HAVE ANY shares on them Ever !!! Only the Administrative share should be available, and then only to the Administrators !

So get rid of any shares you have defined !!

I hope this helps !

 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 7103934
I agree with SysExpert on disabling the share. Additionally I would use the Notes security by which you can ensure that the db is opened by the appropriate person. For that use "Enforce Consistent ACL" in the Advanced tab of the ACL dialog.

For more info on how and why it is used check this tech note
http://www-1.ibm.com/support/manager.wss?rs=475&rt=0&org=sims&doc=3666C30C9494F161852563FD0053550F

~Hemanth
 
LVL 9

Expert Comment

by:Arunkumar
ID: 7103947
WOW !!!

How come the network is so open? SysExpert is right!

:-)
 
LVL 63

Expert Comment

by:SysExpert
ID: 7104082
One other comment.
Check the ACL's.

Make sure that the default is No access and the same for anonymous.
Tighten up the ACL's as needed.

I hope this helps !
 

Expert Comment

by:dottle
ID: 7106623
HemanthaKumar is correct. In addition to closing the share, on the ACL advanced tab check the "Enforce Consistent ACL".
 

Author Comment

by:D_Codling
ID: 7107109
OK... In my Lotus Notes Client, I select File > Database > Access Control, then select Advanced and tick the box which says "Enforce consistent ACL across all replicas of this database".

Is this correct? Because it doesn't work.

I'm new to this, so please bear with me.
 

Author Comment

by:D_Codling
ID: 7107123
OK....In my Lotus Notes Client....select File...Database...Access Control...then select advanced and tick the box which says enforce consistent ACL across all replicas of this database..

Is this correct, because it doesn't work.

I'm new to this so please bare with me
0
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 7108347
You are on the right path. Now, did you copy the database from the server to local by doing a file copy? At this point the ACL will be enforced and you will not be able to open it unless you have proper access in the ACL. If in the ACL the Default access is set to Reader or higher, then you will be able to open the database locally using Default access. So shut down Default access by setting it to No Access. Then give Manager access to the user who will use this db, then test it.

~Hemanth
 
LVL 63

Accepted Solution

by:SysExpert (earned 200 total points)
ID: 7109360
If you are a new Notes Admin, I would suggest getting the Notes 5 Admin Help file (should be on the server in the Doc folder), and start reading up on security, ACLs, and how a server should be set up.

1) Lock down the server by disallowing/removing all shares except for Administrators.
2) On the server, enforce consistent ACLs on the databases that are critical, the NAB and any other important DBs.

From: SysExpert
Date: 06/24/2002 07:47AM PST
  Check the ACL's.

  Make sure that the default is No access and the same for anonymous.
  Tighten up the ACL's as needed. This should be done for most databases !

3) Then try making a local copy of the database and see if you can open it.

If you can, then post the ACL settings here, and we will try to resolve your problem.

I hope this helps !
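The checks the accepted answer lists (Enforce Consistent ACL turned on, -Default- and Anonymous at No Access) can be audited across a whole server rather than one database at a time. The LotusScript agent below is an added example, not code from this thread or from Lotus; it assumes it runs as a Notes agent, that SERVER_NAME is replaced with your own server's name, and that the agent's signer has enough access to open the databases it inspects.

```lotusscript
%INCLUDE "lsconst.lss"   ' ACLLEVEL_* and DATABASE constants

' Walk every database in the server's data directory and report the ACL
' weaknesses discussed in this thread. Assumption: the agent signer can
' open the databases (otherwise they are reported as unopenable).
Sub Initialize
    Dim session As New NotesSession
    Dim dir As NotesDbDirectory
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim problems As String
    Const SERVER_NAME = "Mail01/YourOrg"   ' placeholder, not a real server

    Set dir = session.GetDbDirectory(SERVER_NAME)
    Set db = dir.GetFirstDatabase(DATABASE)

    While Not (db Is Nothing)
        problems = ""
        On Error Resume Next          ' Open raises an error if access is denied
        Call db.Open("", "")
        On Error GoTo 0
        If db.IsOpen Then
            Set acl = db.ACL
            ' Without "Enforce Consistent ACL" a local file copy ignores the ACL.
            If Not acl.UniformAccess Then problems = problems & " [consistent ACL not enforced]"
            ' -Default- at Reader or higher lets anyone holding the file read it.
            Set entry = acl.GetEntry("-Default-")
            If Not (entry Is Nothing) Then
                If entry.Level > ACLLEVEL_NOACCESS Then problems = problems & " [-Default- above No Access]"
            End If
            ' Anonymous falls back to -Default- when no entry exists, so only
            ' an explicit entry above No Access is flagged here.
            Set entry = acl.GetEntry("Anonymous")
            If Not (entry Is Nothing) Then
                If entry.Level > ACLLEVEL_NOACCESS Then problems = problems & " [Anonymous above No Access]"
            End If
            If problems <> "" Then Print db.FilePath & ":" & problems
        Else
            Print db.FilePath & ": could not open (check the signer's access)"
        End If
        Set db = dir.GetNextDatabase
    Wend
End Sub
```

Run it as a scheduled or manually triggered agent on the server and read the Print output in the agent log; databases that are listed still need the server shares removed, as the thread says, since the ACL only matters once a file copy is opened by a Notes client.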
 
LVL 8

Expert Comment

by:Jean Marie Geeraerts
ID: 7109764
A short remark: If you've copied the database before you set the enforce consistent ACL option you will be able to open the database locally.
After the first replication with the server the ACL will also be replicated and you will no longer be able to locally open the database.

To test this do the following:
1. Copy a db without the enforce consistent ACL option set
2. Set the enforce consistent ACL on the server db
3. Start replication on your client, so changes from the server are replicated to your local copy
4. Check if you can still open the local db (if you're not in the ACL you shouldn't)

Files that are copied after the option was set cannot be opened locally unless you have proper access.

Regards,
JM

 
LVL 9

Expert Comment

by:Arunkumar
ID: 7110104
Why should I replicate to read other persons' emails? I will make copies of the db whenever I need to read your emails.... how is that?

;-)
 
LVL 8

Expert Comment

by:Jean Marie Geeraerts
ID: 7110511
No luck there Arun, my mail server is not accessible through any shares and mail files all have a consistent ACL, so you cannot open them locally :-)
 
LVL 10

Expert Comment

by:zvonko
ID: 7117391
Hello JM,

Enforce ACL is a security feature first in R6.

I can open any (R4 and R5) Enforce ACL db for you :)

And this fact is clearly stated in any Lotus explanations about Enforce ACL.

Look into Notes Peek: the flag for Enforce ACL is named UniformAccess and occurs two times; in DB header and in the ACL. It is enough to turn it off in the db header.

NotesPeek is here:
http://www-1.ibm.com/support/manager.wss?rs=475&rt=0&org=sims&doc=216F5A5367FD3CF485256797005C2DC7

 
LVL 63

Expert Comment

by:SysExpert
ID: 7119517
Yes, but that requires some serious hacking.


A normal Notes user would probably never get that far.

Just my 2 cents...

 

Author Comment

by:D_Codling
ID: 7120095
Points go to SysExpert this time.

Thanks to everyone who has helped me with this problem.
 
LVL 9

Expert Comment

by:Arunkumar
ID: 7120667
Hi Bro Zvo ???

:-(
Arun.
 
LVL 8

Expert Comment

by:Jean Marie Geeraerts
ID: 7121152
Hm, this Notes Peek thing might solve a problem I have here with a database I can't access locally due to an incorrect ACL :-)
BTW, zvonko, thanks for the Workflow course notes!
 
LVL 10

Expert Comment

by:zvonko
ID: 7121176
you are welcome :-)

 
LVL 8

Expert Comment

by:Jean Marie Geeraerts
ID: 7121563
Okay, at the risk of looking stupid here: How do I use Notes Peek to change this value and disable the enforced ACL?
I can't find anything about updates in the help. Or would I have to do this with an API-call? And if so, how and where?
 
LVL 10

Expert Comment

by:zvonko
ID: 7123142
JM, did you receive my zip file with the two executables?

Please do not give them to anybody away :)

 
LVL 8

Expert Comment

by:Jean Marie Geeraerts
ID: 7123838
Yep, only I didn't get it to work :(