S 3.24 Training on the Lotus Notes system architecture for Administrators

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT Security Management

In order to be able to administer a Lotus Notes system correctly and securely, it is essential that the responsible Administrators are given proper training. Even minor configuration errors can result in security weaknesses. Examples here are the uncontrolled creation of cross-certificates and incorrect access control lists (ACLs) for databases. For this reason Administrators must be informed about the system architecture of Lotus Notes and in particular about the security mechanisms.

Figure 1 shows in simplified form the general architecture underlying a client/server model. Databases which can be accessed over the Internet through the Lotus Domino Server software are held on the so-called Notes server. Access to the databases by the user is possible with two client programs:

1. Through the original Notes Client which is provided by Lotus Notes as client software. Access here is using the proprietary Notes protocol. The Notes client forwards processing requests to the Domino server which carries out processing on the databases on behalf of the client.

2. Through a browser (Web client). Since the advent of Notes version 4.6 it is also possible to access databases on a Domino server using a normal browser. For this purpose a special Web server module which functions as HTTP server has been provided. The content of the databases is dynamically converted to the HTML format by the so-called HTML engine during access, so as to enable viewing in the browser. The Hyper Text Transfer Protocol (HTTP) is used as transport protocol.

By contrast with the Notes client, local storage of databases (replicas) is not possible with the Web client.

Figure 1: overview of the Lotus Notes architecture

Access control for a Notes server is designed in two stages (see Figure 2) and is based on user authentication using the Notes ID or the Web authentication mechanisms "User name and password" or "SSL certificate". Once a user has been authenticated, if he attempts to access a database on a server, first of all a check is carried out as to whether he is allowed to access the server generally. If this is allowed, then in a second stage the system checks whether the user is allowed to carry out the requested operation on this particular database.

Figure 2: authentication and access control in Lotus Notes

Access to a server can be limited by various mechanisms (see S 4.119 Instituting restrictions on access to Lotus Notes servers). The same applies to the possible restrictions on access to databases (see S 4.120 Configuration of access control lists for Lotus Notes databases). It can be a problem if the restrictions on access to databases are configured so that they presuppose a particular restriction on access to the servers. If the restrictions on access to the servers are changed, it is easy for configuration mistakes to creep in (see example below).

The training given to the Administrators should consider the following aspects and, as a minimum, it should cover the following subjects:

• What options are available for controlling access to servers?

• What options are available for controlling access to databases?

• Using what criteria and in what sequence does Lotus Notes decide whether a user should be granted access to data held in a database?

• How does user authentication work?

• How does authentication using asymmetric cryptographic procedures work?

• What mechanisms for encryption and digital signatures are there and how do these interact with symmetric and asymmetric cryptographic procedures?

• How are certificates for cryptographic keys generated, distributed, administered and used?

• With what procedures can client-server communication (Notes client, Web client) be protected?

• How can high availability of Notes systems be achieved?

• How can data on Notes clients and servers be backed up efficiently?

The subjects listed constitute only a selection of the most important topics, which should be tailored to the particular application and expanded as appropriate.

Example:

A brief account is now provided as to which mechanisms are used to control database access via HTTP without SSL. This process should be explained to the Administrators in order to convey a basic understanding of the manner in which access control operates.

• A user attempts an operation for which access to a database is restricted.

• The server checks whether anonymous access to the server is allowed for the HTTP protocol.

• If anonymous access is allowed, then the following checks take place:

• The server looks for an "Anonymous" entry in the database ACL. If this exists, then the user is granted anonymous access with the privileges that this entails.

• If no "Anonymous" entry exists, the server examines the "-Default-" entry.

• If the "-Default-" entry allows at least read access, then the user is granted anonymous access with the "-Default-" privileges.

• If anonymous access to the server is not permitted and authentication via user name plus password is in place, then the server will request this authentication data via the browser.

• The server checks whether a personal document exists in the Name and Address Book (NAB) for the stated user and compares the user entries (user name and Internet password) with the information held there.

• If the authentication information agrees, then the first entry in the user name field of the personal document is used to identify the user and grant him corresponding access rights via the database ACL.

Even if role separation between administration of the Lotus Notes system and the underlying operating system is in place, the Lotus Notes Administrators should be taught a basic knowledge of the operating system. Otherwise it will be difficult to work together to resolve any problems.

Additional controls:

• Are the Administrators prepared for handling the Notes system and, in particular, are they trained in the security-relevant aspects?