D_Codling
Open mail file without password !

We are having a potential security problem with our Lotus Notes server. I am able to map a drive to our Notes server and copy someone's mail file to my local PC.... I can then double click the file and it opens, without asking for a password. I then have full access to their e-mails! It doesn't matter which mail file I choose. It happens for all of them!

Any ideas ?
SysExpert

1) Local Access to a mail file will definitely open a loophole.

2) Notes servers Should Not HAVE ANY shares on them Ever !!! Only the Administrative share should be available, and then only to the Administrators !

So get rid of any shares you have defined !!

I hope this helps !

HemanthaKumar

I agree with SysExpert on disabling the share. Additionally I would use the Notes security by which you can ensure that the db is opened by the appropriate person. For that use "Enforce Consistent ACL" in the advanced tab of the ACL dialog.

For more info on how and why it is used, check this tech note:
http://www-1.ibm.com/support/manager.wss?rs=475&rt=0&org=sims&doc=3666C30C9494F161852563FD0053550F

~Hemanth
WOW !!!

How come the network is so open ?  SysExpert is right !

:-)
One other comment.
Check the ACLs.

Make sure that the default is No access and the same for anonymous.
Tighten up the ACLs as needed.

I hope this helps !
HemanthaKumar is correct. In addition to closing the share, on the ACL advanced tab check the "Enforce Consistent ACL".
D_Codling (asker)
OK.... In my Lotus Notes client, select File... Database... Access Control... then select Advanced and tick the box which says "Enforce consistent ACL across all replicas of this database".

Is this correct, because it doesn't work.

I'm new to this so please bear with me.
You are on the right path. Now, did you copy the database from the server to local by doing a file copy? At this point the ACL will be enforced and you will not be able to open it unless you have proper access in the ACL. If in the ACL the Default access is set to Reader or higher, then you will be able to open the database locally using Default access. So shut down Default access by setting it to No Access. Then give Manager access to the user who will use this db, then test it.

~Hemanth
ASKER CERTIFIED SOLUTION
SysExpert
A short remark: If you've copied the database before you set the enforce consistent ACL option you will be able to open the database locally.
After the first replication with the server the ACL will also be replicated and you will no longer be able to locally open the database.

To test this do the following:
1. Copy a db without the enforce consistent ACL option set
2. Set the enforce consistent ACL on the server db
3. Start replication on your client, so changes from the server are replicated to your local copy
4. Check if you can still open the local db (if you're not in the ACL you shouldn't)

Files that are copied after the option was set cannot be opened locally unless you have proper access.

Regards,
JM
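The two checks Hemanth and JM describe above (Default access set to No Access, and "Enforce Consistent ACL" switched on) can be audited across a whole mail directory instead of one database at a time. The following LotusScript agent is an added example, not code from this thread; the server name "MailServer/Org" and the "mail\" directory are assumed placeholders, and in the Notes classes the Enforce Consistent ACL checkbox is exposed as NotesACL.UniformAccess, the flag zvonko names below.

```lotusscript
' Added example (not from the thread): report mail files whose ACL still
' allows a local file copy to be opened. Assumptions: server "MailServer/Org",
' mail files live under "mail\", and the running ID may read each ACL.
Option Declare

' Returns the number of weak databases found; fixes them when fixIt is True.
Function AuditMailFileAcls(serverName As String, mailDir As String, fixIt As Boolean) As Integer
    Dim dbDir As New NotesDbDirectory(serverName)
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim names(1) As String
    Dim i As Integer, weak As Boolean, found As Integer

    ' Both of these entries grant access to anyone not listed by name,
    ' which is exactly what a copied file falls back to.
    names(0) = "-Default-"
    names(1) = "Anonymous"

    Set db = dbDir.GetFirstDatabase(DATABASE)
    Do While Not db Is Nothing
        If LCase(Left$(db.FilePath, Len(mailDir))) = LCase(mailDir) Then
            If db.Open("", "") Then
                Set acl = db.ACL
                weak = False
                For i = 0 To 1
                    Set entry = acl.GetEntry(names(i))
                    If Not entry Is Nothing Then
                        If entry.Level > ACLLEVEL_NOACCESS Then
                            Print db.FilePath & ": " & names(i) & " level is " & entry.Level
                            weak = True
                            If fixIt Then entry.Level = ACLLEVEL_NOACCESS
                        End If
                    End If
                Next
                ' Without this flag the local copy ignores the ACL entirely
                If Not acl.UniformAccess Then
                    Print db.FilePath & ": Enforce Consistent ACL is OFF"
                    weak = True
                    If fixIt Then acl.UniformAccess = True
                End If
                If weak Then found = found + 1
                If weak And fixIt Then Call acl.Save()
            End If
        End If
        Set db = dbDir.GetNextDatabase
    Loop
    AuditMailFileAcls = found
End Function

Sub Initialize
    ' Report only; pass True as the last argument to apply the fixes
    Print AuditMailFileAcls("MailServer/Org", "mail\", False) & " weak mail file(s)"
End Sub
```

Run it in report mode first, because setting Default to No Access on a mail file whose owner is not listed as Manager locks the owner out too.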
Why should I replicate to read other persons' emails? I will make copies of the db whenever I need to read your emails.... how is that?

;-)
No luck there Arun, my mail server is not accessible through any shares and mail files all have a consistent ACL, so you cannot open them locally :-)
Hello JM,

Enforce ACL is a security feature first in R6.

I can open any (R4 and R5) Enforce ACL db for you :)

And this fact is clearly stated in any Lotus explanations about Enforce ACL.

Look into Notes Peek: the flag for Enforce ACL is named UniformAccess and occurs two times; in DB header and in the ACL. It is enough to turn it off in the db header.

NotesPeek is here:
http://www-1.ibm.com/support/manager.wss?rs=475&rt=0&org=sims&doc=216F5A5367FD3CF485256797005C2DC7

Yes, but that requires some serious hacking.


A normal Notes user would probably never get that far.

Just my 2 cents...

Points go to SysExpert this time.

Thanks to everyone who has helped me with this problem.
Hi Bro Zvo ???

:-(
Arun.
Hm, this Notes Peek thing might solve a problem I have here with a database I can't access locally due to an incorrect ACL :-)
BTW, zvonko, thanks for the Workflow course notes!
you are welcome :-)

Okay, at the risk of looking stupid here: How do I use Notes Peek to change this value and disable the enforced ACL?
I can't find anything about updates in the help. Or would I have to do this with an API-call? And if so, how and where?
JM, did you receive my zip file with the two executables?

Please do not give them to anybody away :)

Yep, only didn't get it to work :(