Solved

Open mail file without password !

Posted on 2002-06-24
Last Modified: 2013-12-18
We are having a potential security problem with our Lotus Notes server. I am able to map a drive to our Notes Server and copy someone's mail file to my local PC... I can then double click the file and it opens, without asking for a password. I then have full access to their e-mails! It doesn't matter which mail file I choose. It happens for all of them !

Any ideas ?
Question by:D_Codling
21 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 7103784
1) Local Access to a mail file will definitely open a loophole.

2) Notes servers Should Not HAVE ANY shares on them Ever !!! Only the Administrative share should be available, and then only to the Administrators !

So get rid of any shares you have defined !!

I hope this helps !

0
 
LVL 24

Expert Comment

by:HemanthaKumar
ID: 7103934
I agree with SysExpert on disabling the share. Additionally I would use the Notes security by which you can ensure that the db is opened by the appropriate person. For that use "Enforce Consistent ACL" in the advanced tab of ACL dialog.

For more info on how and why it is used check this tech note
http://www-1.ibm.com/support/manager.wss?rs=475&rt=0&org=sims&doc=3666C30C9494F161852563FD0053550F

~Hemanth
0
 
LVL 9

Expert Comment

by:Arunkumar
ID: 7103947
WOW !!!

How come the network is so open ?  SysExpert is right !

:-)
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 7104082
One other comment.
Check the ACL's.

Make sure that the default is No access and the same for anonymous.
Tighten up the ACL's as needed.

I hope this helps !
0
 

Expert Comment

by:dottle
ID: 7106623
HemanthaKumar is correct. In addition to closing the share, on the ACL advanced tab check the "Enforce Consistent ACL".
0
 

Author Comment

by:D_Codling
ID: 7107109
OK....In my Lotus Notes Client....select File...Database...Access Control...then select advanced and tick the box which says enforce consistent ACL across all replicas of this database..

Is this correct, because it doesn't work.

I'm new to this so please bear with me
0
 

LVL 24

Expert Comment

by:HemanthaKumar
ID: 7108347
You are on the right path. Now did you copy the database from the server to local by doing a file copy? At this point the ACL will be enforced and you will not be able to open it unless you have proper access in the ACL. If, in the ACL, the Default access is set to Reader or higher then you will be able to open the database locally using default access. So shut down default access by setting it to No Access. Then give Manager access to the user who will use this db, then test it.

~Hemanth
0
 
LVL 63

Accepted Solution

by:
SysExpert earned 200 total points
ID: 7109360
If you are a new Notes Admin, I would suggest getting the Notes 5 Admin Help file (should be on the server in the Doc folder), and start reading up on security, ACL's, and how a server should be set up.

1) Lock down the server by disallowing/removing all shares except for Administrators.
2) On the server - Enforce consistent ACL's on the databases that are critical, the NAB and any other important DB's.

From: SysExpert
Date: 06/24/2002 07:47AM PST
Check the ACL's.

Make sure that the default is No access and the same for anonymous.
Tighten up the ACL's as needed. This should be done for most databases !

3) Then try making a local copy of the database and see if you can open it.

If you can, then post the ACL settings here, and we will try to resolve your problem.

I hope this helps !
0
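The ACL checks listed in the accepted answer, written as a LotusScript agent; this is an added example and not code from the thread or from any poster. It reports every database on a server whose ACL does not enforce a consistent ACL or gives -Default- or Anonymous more than No Access. The server name is a placeholder, and the agent is assumed to run under an ID that is allowed to open the databases it inspects.

```lotusscript
Option Declare

Sub Initialize
	' Placeholder server name (assumption); "" audits the local data directory.
	Const SERVER_NAME = "YourServer/YourOrg"
	Dim dbdir As New NotesDbDirectory(SERVER_NAME)
	Dim db As NotesDatabase
	Dim acl As NotesACL
	Dim findings As String

	Set db = dbdir.GetFirstDatabase(DATABASE)
	Do Until db Is Nothing
		findings = ""
		' Databases returned by NotesDbDirectory are closed; opening can fail
		' when the running ID has no access, so trap that and report it.
		On Error Resume Next
		Call db.Open("", "")
		On Error Goto 0
		If db.IsOpen Then
			Set acl = db.ACL
			If Not acl.UniformAccess Then
				findings = findings & " [consistent ACL not enforced]"
			End If
			findings = findings & CheckEntry(acl, "-Default-")
			findings = findings & CheckEntry(acl, "Anonymous")
		Else
			findings = " [could not open, check manually]"
		End If
		If findings <> "" Then Print db.FilePath & ":" & findings
		Set db = dbdir.GetNextDatabase
	Loop
End Sub

' Returns a finding when the named ACL entry has more than No Access.
Function CheckEntry(acl As NotesACL, entryName As String) As String
	Dim entry As NotesACLEntry
	Set entry = acl.GetEntry(entryName)
	If entry Is Nothing Then
		' No explicit entry: a missing Anonymous entry falls back to -Default-.
		CheckEntry = ""
	ElseIf entry.Level > ACLLEVEL_NOACCESS Then
		CheckEntry = " [" & entryName & " level " & CStr(entry.Level) & ", expected No Access]"
	Else
		CheckEntry = ""
	End If
End Function
```

The report covers ACL settings only; whether the data directory is reachable through a file share has to be checked on the operating system side.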
 
LVL 8

Expert Comment

by:Jean Marie Geeraerts
ID: 7109764
A short remark: If you've copied the database before you set the enforce consistent ACL option you will be able to open the database locally.
After the first replication with the server the ACL will also be replicated and you will no longer be able to locally open the database.

To test this do the following:
1. Copy a db without the enforce consistent ACL option set
2. Set the enforce consistent ACL on the server db
3. Start replication on your client, so changes from the server are replicated to your local copy
4. Check if you can still open the local db (if you're not in the ACL you shouldn't)

Files that are copied after the option was set can not be opened locally unless you have proper access.

Regards,
JM
0
 
LVL 9

Expert Comment

by:Arunkumar
ID: 7110104
Why should I replicate to read other people's emails? I will make copies of the db whenever I need to read your emails.... how is that ?

;-)
0
 
LVL 8

Expert Comment

by:Jean Marie Geeraerts
ID: 7110511
No luck there Arun, my mail server is not accessible through any shares and mail files all have a consistent ACL, so you cannot open them locally :-)
0
 
LVL 10

Expert Comment

by:zvonko
ID: 7117391
Hello JM,

Enforce ACL is a security feature first in R6.

I can open any (R4 and R5) Enforce ACL db for you :)

And this fact is clearly stated in any Lotus explanations about Enforce ACL.

Look into Notes Peek: the flag for Enforce ACL is named UniformAccess and occurs two times; in DB header and in the ACL. It is enough to turn it off in the db header.

NotesPeek is here:
http://www-1.ibm.com/support/manager.wss?rs=475&rt=0&org=sims&doc=216F5A5367FD3CF485256797005C2DC7

0
 
LVL 63

Expert Comment

by:SysExpert
ID: 7119517
Yes, but that requires some serious hacking.


A normal Notes user would probably never get that far.

Just my 2 cents...

0
 

Author Comment

by:D_Codling
ID: 7120095
Points go to SysExpert this time.

Thanks to everyone who has helped me with this problem.
0
 
LVL 9

Expert Comment

by:Arunkumar
ID: 7120667
Hi Bro Zvo ???

:-(
Arun.
0
 
LVL 8

Expert Comment

by:Jean Marie Geeraerts
ID: 7121152
Hm, this Notes Peek thing might solve a problem I have here with a database I can't access locally due to an incorrect ACL :-)
BTW, zvonko, thanks for the Workflow course notes!
0
 
LVL 10

Expert Comment

by:zvonko
ID: 7121176
you are welcome :-)

0
 
LVL 8

Expert Comment

by:Jean Marie Geeraerts
ID: 7121563
Okay, at the risk of looking stupid here: How do I use Notes Peek to change this value and disable the enforced ACL?
I can't find anything about updates in the help. Or would I have to do this with an API-call? And if so, how and where?
0
 
LVL 10

Expert Comment

by:zvonko
ID: 7123142
JM, did you receive my zip file with the two executables?

Please do not give them away to anybody :)

0
 
LVL 8

Expert Comment

by:Jean Marie Geeraerts
ID: 7123838
Yep, only didn't get it to work :(
0

Question has a verified solution.