Solved

Lotus Notes Administrator Reading Users Email Inappropriately

Posted on 2004-04-02
Last Modified: 2013-12-18
I am not an IT Professional, but I need to investigate whether or not a Lotus Notes Administrator for a site with 700 users is inappropriately reading their email. Does Notes create an administrator activity log or something similar that would document the actions of an administrator?
Question by:JSmith103161
29 Comments
 
LVL 14

Expert Comment

by:p_partha
ID: 10747483
On the Mail DB right click, then Database Properties, select the Info tab (i tab) and click on the User Activity button; this will list all people who have accessed documents in the DB. But remember these results are not that reliable.

Best wishes in finding if he is really a culprit...

0
 
LVL 5

Expert Comment

by:pgloor
ID: 10747523
Sorry, there is nothing that specifically tracks each single activity of an Administrator in a way to definitely judge whether an Administrator has inappropriately read some users email.

Each copy (or replica) of a database keeps an activity log.  You can check this in the database properties under Information > Activity > Details. If activity logging is enabled for a database, access to that database will be logged.

However, based on the information in the activity log it will be difficult to judge whether an Administrator has actually read emails or not. An agent signed by the Administrator can also produce entries for the Administrator in the activity log, even if he/she never interactively opened the database for reading mails.

In addition each mail is routed thru a mail router database. For an Administrator it will be easy to temporarily stop mail routing and read the emails waiting for delivery in the mail router box.

Sometimes, to get his/her job done, it's even necessary for an Administrator to read emails (at least headers and subjects) to analyze and solve email problems (especially when it comes to spam and virus attacks).  Personally, if I need to read mail content (more than headers and subjects) for any reason, I always inform the user.

Because the Administrator is in a key position (often underestimated) it's very important to have an Administrator you can trust.

Peter
0
 

Author Comment

by:JSmith103161
ID: 10747764
Thanks, for the info.  I stumbled upon the info tab in database properties, but wasn't sure if that would log an Administrator reading files.

We have a lot of confidence in the Admin., but questions about the back-up.  I know the Admin. needs to read emails in order to do their jobs, but some comments made by the back-up have led to suspicions about his reading activity.

So, it sounds like Notes doesn't have a reliable way to document the security of email, even if we tried to set it up that way?

Is anyone aware of Lotus or third party applications to do this?  We're ready to move to Notes 6, would that help?

This reminds me of Ronald Reagan's famous quote about arms verification with the Soviets, "trust but verify."
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 10747818
Someone must have uttered: "Don't trust but thrust". My mail has never been accessible by Administrators, I just kicked them out of the ACL.

Admin (scorned): "Can't do anything for you if something goes wrong". My reply: "Thanks, I know, and I'm willing to take that risk".
0
 
LVL 19

Expert Comment

by:madheeswar
ID: 10754806
Sjef is right.

Remove admin from your ACL.
0
 
LVL 4

Expert Comment

by:sreeser
ID: 10763955
Actually that isn't foolproof because an admin can pull up nlnotes.exe on the server and access mail locally.  No trail as the id is the server id.

You can remove the admin server and local server group from the ACL; for the admin server you have to go to the Advanced tab and select None for Administration server.

But I suspect your admin will have a **** fit on this because then the adminprocess can't run on it. And I haven't tried but I suspect the Before new mail arrives agent won't run (R6) since that runs in the router.  Not sure what else might not work.  Design, Updall, Compact? Probably these are OK because they are external executables?

So if you really want to lock them out... change the logon for the server OS so that they can't log in.  Make sure someone knows what it is!!!!!!!!!!!! Maybe a third party (HR rep?) that is always there when someone is logged in directly on the server.  But don't be surprised if your admin walks (I wouldn't want to deal with all that)... good ones are still much harder to find than developers. And that's one thing that's hard to outsource.
0
 
LVL 4

Expert Comment

by:sreeser
ID: 10763962
Oh yeah

There is always encryption!
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 10764010
Use a Linux (non-Windows) server: no nlnotes.exe! Anyway, only a good administrator or one who reads EE will know how to use nlnotes. I forgot, but does he have to close down the server before he can use nlnotes locally? It's an illusion to fully protect yourself from being attacked by "pirates". He'll have to go at great length to read the mail if he's not present in the ACL.

Sjef :)
0
 
LVL 4

Expert Comment

by:sreeser
ID: 10764099
I'll take that as a compliment :)

There is a pseudo 6 Client with Wine on Linux now apparently.

No, you don't have to close it down; it's just a Lite client.

And you are correct, removal from the ACL will most likely discourage him.

But if you want to be the only one to see the stuff encryption is probably the best defense.
0
 
LVL 4

Expert Comment

by:sreeser
ID: 10764129
Oh on the original topic... you could try bringing up the database in his client.. If he was reading stuff he may have forgotten to go back and mark all documents unread.  I don't believe that even if you delete the icon that you purge the unread marks ... but then again I never really understood the inner guts of unreadmarks or really have much faith in them for that matter.  But if you go and find that he has some read and some unread in the mail file in question I would consider that actionable.  But I am not a lawyer just a nerd!  lol

off topic
Sjef  could you take a look at my question about printing... posted on Friday?  I really need to figure it out.
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 10764211
Looking for more compliments, eh? But with encryption you're not entirely right: full database encryption only works on a local database, and mail encryption is normally to be activated by the sender. You can also (see Admin Help) modify the Person document and set it to encrypt all incoming mail. Where? In the Person document? And who has access to that document? Ah, the Admin, right, how nice. Anyway, if he's really good ;) he will be able to duplicate mails that enter the server's mail queue, so they will be sent to his own mail as well. Without being logged of course.

This is suddenly becoming a discussion on how to read anybody's mail database as an administrator. We're just inches away from breaking down an nsf-file...  

Bottom line of the story: Admin remuneration should be (more than) adequate.
0
 
LVL 4

Expert Comment

by:sreeser
ID: 10764221
I have a thought... set a honeypot

I posted this for another question but it works here too...

Add this to the QueryClose event; if he accesses the actual document it will record it. Put something juicy in there and see if he opens it.  GOTCHA  It will execute in the back end and he'll never see it. But you will have his user name on that email.

What's that ???? Entrapment???? There you go again with the legal questions.... lol

Dim doc As NotesDocument
Set doc = source.Document
doc.rStatus = doc.rStatus+Evaluate({@Name([cn]; @UserName)})    
Call doc.Save(1, 0)

0
 
LVL 4

Expert Comment

by:sreeser
ID: 10764278
>This is suddenly becoming a discussion on how to read anybody's mail database as
>an administrator. We're just inches away from breaking down an nsf-file...  

An interesting topic but perhaps here is not the place :)
 or the time because it's time for bed!

0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 10764444
It's noon here! Just when it's getting interesting they leave. Well, have a good night's rest.

About the honeypot. There was a topic the other day about the PostOpen and QueryClose of a database, to be used for logging who gains access and when. The same approach may be adopted for this purpose. And there is a whole lot that can be logged ;)

I think it was an off-line discussion with Partha, can't find it here. The QueryClose is ALWAYS executed, even when the user exits Notes. You can try to build in some logging.

Another honeypot: make some other manager send this manager a mail in which something great is announced, e.g. a huge yearly bonus for all personnel. If someone read the mail illegally, you'll know!!
0
 
LVL 4

Expert Comment

by:sreeser
ID: 10766978
About the other topic, I know I am the one that posted the code for it  
:D
http://www.experts-exchange.com/Applications/Email/Lotus_Notes/Q_20941998.html

As for the code to add to the QueryClose:
Dim doc As NotesDocument
Set doc = source.Document
doc.rStatus = doc.rStatus+Evaluate({@Name([cn]; @UserName)})    
Call doc.Save(1, 0)

It's the same code with a minor mod so the entry in rStatus doesn't get overwritten (not necessary for the other use).
Originally: doc.rStatus = Evaluate({@Name([cn]; @UserName)})

I also came up with a way to use documentcollection and stampall which is very slick but actually is noticeable in the lag when executed, which surprised me.... since it writes directly to disk bypassing both front and back end.  But I have to give Rocky Oliver his props for his blog... I couldn't figure out how to get a doccollection of just the one doc but you will have to go to the other post to see how I did it. :) No rest for the weary, have to get going to my clients.
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 10767192
It had a familiar twang somewhere...
0
 
LVL 14

Expert Comment

by:p_partha
ID: 10769977
Sreeser,
Sjef was talking about this post
http://oldlook.experts-exchange.com:8080/Applications/Email/Lotus_Notes/Q_20920986.html

We discussed this offline also...


Partha
0
 
LVL 4

Expert Comment

by:sreeser
ID: 10770117
Well I think that is almost always true that query close always executes.. what if you crash the server or pull out the rug using nsd?  Interesting theoreticals but I digress.

I still like going to his machine and seeing if the unread marks are all intact on the suspected peeped mailfile.  Muuuahhahahhaha
0
 
LVL 4

Expert Comment

by:sreeser
ID: 10770126
Can't help it I have this urge to nail this guy for some unknown reason... GOD I HAVE NO LIFE
0
 
LVL 14

Expert Comment

by:p_partha
ID: 10770163
very funny.. sometimes I also become Little "DEVILISH".......


Partha
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 10772652
I put a Continue= false in a db's QueryClose, trying to prove Partha wrong. It was fun, couldn't stop Notes anymore! What happens is that ...   Gnagnagna! Find out for yourselves, and have fun.

By the way, is the original author still interested in our ramblings?
0
 

Author Comment

by:JSmith103161
ID: 10774114
I have followed this closely.  It appears that without administrative rights to Notes, the best we can do is try a "non-technical honey pot."

I don't know that we're prepared to go to his desktop and have him bring up others' email to observe the "read" or "unread" marks.

We have all the trust in the world in our Administrator, it's the backup Admin. that gives us pause.

If IBMers bother to follow this site, I would say that I am amazed that Notes doesn't have a better audit trail for administrators.  While that also may not be fool proof, I would think it would be valuable to people like our primary admin. in further demonstrating their integrity.

0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 10774230
And who will be responsible for the administration of the audit trail? ;)

There actually IS an audit trail (see database properties, i, User Detail), but if someone hides behind something/one else, you'll never know, will you?
0
 
LVL 4

Accepted Solution

by:
sreeser earned 500 total points
ID: 10777072
You could add the QueryClose code to your email without admin rights but you would need to access it through a designer client; users have manager rights to their mail files :)  If you get the good admin to add it to the template though (secretly) ... you will have the audit trail you are seeking of any ID that is used to open a piece of mail.
0
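A fuller form of the QueryClose audit idea from the accepted answer, given here as an added example that is not part of the original thread or any poster's code. It assumes the handler sits in the mail form's QueryClose event, that the mail file owner is stored in the "Owner" item of the CalendarProfile profile document as in the standard mail template, and it reuses the rStatus item name from the thread.

```lotusscript
' Added example (not from the thread): record every non-owner ID that
' opens a mail document, with a timestamp, in the rStatus item.
Sub Queryclose(Source As Notesuidocument, Continue As Variant)
	On Error Goto done                     ' never surface an error to the reader

	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim profile As NotesDocument
	Dim doc As NotesDocument
	Dim item As NotesItem
	Dim entry As String

	If Source.IsNewDoc Then Exit Sub       ' a draft being composed, nothing to audit

	Set db = session.CurrentDatabase
	Set doc = Source.Document

	' Canonical name of the ID that has the document open
	Dim reader As New NotesName(session.UserName)

	' Assumption: standard mail template keeps the owner in CalendarProfile/Owner
	Set profile = db.GetProfileDocument("CalendarProfile")
	Dim owner As New NotesName(profile.GetItemValue("Owner")(0))

	' The owner reading their own mail is not an audit event
	If Lcase(reader.Canonical) = Lcase(owner.Canonical) Then Exit Sub

	entry = reader.Abbreviated & " @ " & Cstr(Now)

	' Append instead of overwrite so earlier entries survive
	Set item = doc.GetFirstItem("rStatus")
	If item Is Nothing Then
		Call doc.ReplaceItemValue("rStatus", entry)
	Else
		Call item.AppendToTextList(entry)
	End If

	Call doc.Save(True, False)             ' force the save, no response document
done:
	Exit Sub
End Sub
```

QueryClose is a UI event, so this records only documents opened in a Notes client; reads by agents or other back-end code do not fire it. Anyone with Designer access to the mail file can see or remove the handler, and the logged name is whatever ID was in use, including a server ID.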
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 10781798
Stan, how 'bout that! Now you're the sole beneficiary. You were right in another Question here: life's a female dog ;)
0
 

Author Comment

by:JSmith103161
ID: 10782642
Us, the uninitiated, expect the systems as complex as Notes would be capable of spitting out an unalterable log of the Admin actions as a safeguard to be reviewed by somebody, I don't know who.  Which leads to the next quandary.  What the heck are the help desk staff getting into when they use Netware's remote control features?
0
 
LVL 4

Expert Comment

by:sreeser
ID: 10785555
LOL I do think this was a group effort, so the author can feel free to distribute points around if they see fit.  

As for the remote control, you aren't only right about netware ( something I try to avoid) but about the concept in general

WHO DO WE GIVE THE MOST CRITICAL POWER OVER OUR DATA?

There are many clients I have that trust me significantly... some more than they trust many of their own staff!!  Most of my clients have no compunction leaving me to "lock up" and quite a few I permanently have keys/access that many employees don't (I like to feel that trust is rightly earned).  But I have also been called in to shut out rogue employees on termination that had more access than perhaps they should and can see how very quickly trust can mushroom into a cloud of fear and regret.
0
 

Author Comment

by:JSmith103161
ID: 10785613
Sorry about the points thing.  My first question.  I think there is a lot more suspicion than there is any real cause for.

I'm just dealing with an issue and looking for ways to ensure our primary Admin. doesn't get discouraged or tarnished.

0
 
LVL 4

Expert Comment

by:sreeser
ID: 10786063
I wasn't saying that specifically to your instance, just a general thought about who really controls the data in general in organizations. For the most part it is not something thought about a lot until something catastrophic happens.

Just a bit of digression, sorry, didn't mean to make you feel singled out.. just that we really entrust some valuable assets to our data infrastructure and by extension those that administer it.
0
