Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Securing names.nsf over internet

Posted on 2004-09-28
8
Medium Priority
?
1,650 Views
Last Modified: 2013-12-18
I'm using Notes webmail over the internet. I've noticed that if I explicitly point to the dominoaddress book <http://mailserver/names.nsf> I can access the names.nsf without having to authenticate.

I've compared my ACL with another internet domino server (which prompts for authentication if I try to access the names.nsf) and the acl settings appear similar ie default access is reader and max. internet user access is 'author'

Is there some other parameter besides the ACL that I need to modify in order to secure my address book?
0
Comment
Question by:isltt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 300 total points
ID: 12171038
This is prolly an R5 server. R6 will by default protect a lot more.

You need to set Anonymous to No Access in the ACL. That'll do. Check for the real differences between the two databases.
0
 
LVL 9

Assisted Solution

by:HappyFunBall
HappyFunBall earned 450 total points
ID: 12171044
Your ACL settings should be more secured.

Set both your default and anonymous user access to NO ACCESS immediately
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 12172249
Umm, -Default- should NOT be No Access, because that will lock out regular Notes users as well.  If this server is the internal user's mail (or application) server, or the names.nsf on this server replicates with the names.nsf for the mail (or applications) server, then -Default- would normally be Author, or perhaps Reader.

If you are afraid to allow any access under -Default-, then what you need to do is add a mixed group named */CERTNAME with Author (or Reader) access, where CERTNAME is the name of the root Notes certifier that you use.  If you have flat names, you can't do that, and if you have multiple root certifiers, you will need to put each in this way.  Then, you will need to make sure that internet-only users who authenticate but should not have access to names.nsf are registered without the /CERTNAME as their names.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Assisted Solution

by:schubemk
schubemk earned 450 total points
ID: 12172988
Check your ACL for a user called "Anonymous".  He should be set to "No Access" on names.nsf.  If he's not there, add him.   Also make sure that entry is in log.nsf.  When we do security audits, the next place we go after names.nsf to harvest user names, database names, and server names  is log.nsf.
0
 
LVL 9

Expert Comment

by:HappyFunBall
ID: 12173112
Qwaletee -

Setting -Default- to "No Access" prevents anyone not explicitly included in the ACL from accessing the database.  It doesn't "lock out regular Notes users".  If you then give a group of all company users "Reader" access, you'll be fine.
0
 
LVL 19

Expert Comment

by:RanjeetRain
ID: 12173253
I have two recommendations (one worth one cent exactly)

(1) Anonymous
     (a) If you don't already have it, add it.
     (b) Set it to 'No access'
          There is a complete logic behind it. I can explain.

(2) Set the maximum Internet access to 'Read', untill you want your authenticated people to make changes to it from over Internet (a less common scenario).
0
 
LVL 19

Expert Comment

by:RanjeetRain
ID: 12173275
Oh, a lot has been said already :)
0
 
LVL 19

Accepted Solution

by:
RanjeetRain earned 300 total points
ID: 12173440
May be you can read this and you would come to know most of the things you should do.

http://www-10.lotus.com/ldd/lbytes.nsf/0/f668d51aaa7db800852568480071482f?OpenDocument#Controlling%20Access%20to%20the%20Web%20Ser
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I thought it will be a good idea to make a post as it will help in case someone else faces these issues. I trust this gives an idea how each entry in Notes.ini can mean a lot for the Domino Server to be functioning properly. This article discusses t…
Article by: Rob
Notes 8.5 Archiving Steps and Tips This article covers setting up a Notes archive, and helps understand some of the menu choices making setting up and maintaining a Notes archive file easier.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …

596 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question