As businesses keep adapting to the pandemic reality of remote work, which for some is here to stay for the foreseeable future, they are focusing more on security concerns. It’s a fine line between helping employees access company data that sits behind the company’s firewalls from remote locations and keeping bad actors out. Other issues arise as well: data stored on personal devices that might get lost or stolen, or the use of unsecured networks, just to name a few.
Despite being a full-fledged and mature solution that offers a wide range of functionality, HCL Domino is still a server platform, and servers are still exposed to attack. In the second part of our security special, we’ll take a look at the best security measures for your Domino server.
1. Keeping up with Security Updates
Staying up to date with the most recent releases, and by extension the newest security updates, is half the security battle won. There is more at stake than missing out on the newest features: running older versions can compromise the security of your entire IT landscape.
As of June 2021, the newest supported version of Domino is 12. There are two other supported versions from 2020, but even these already have support exceptions. There is also another Notes/Domino release just around the corner…
2. Domino Server Security Fundamentals (DSSF)
As mentioned in the first part of this series, the TCP/IP settings are an important part of the DSSF. In the Domino world, servers talk not only to clients but also to other servers.
Notes and Domino use the NRPC service, which stands for Notes remote procedure call. You can configure the required NRPC settings either in the administrator client or in notes.ini. Depending on how your Notes environment is set up and on where your users are, you might want to encrypt and/or compress the connection; using the TCP/IP port without any encryption at all is not recommended. If you run Notes and Domino 12 on both sides, strong encryption settings are enabled by default.
The take-away message here is that security is substantially increased by having a) an encrypted database and b) a protected server ID.
3. SMTP Security Settings (Quick and
Attackers, whether external or internal, often use SMTP commands such as HELP or VRFY (verify) to scout your SMTP server configuration for weak spots. But that’s not all: external or even internal intruders can take over your SMTP server and turn it into a spam relay “machine”. That is why it is so important to configure the SMTP settings correctly in both the server and configuration documents. Some examples:
- Port settings (inbound and outbound)
- Relay security settings
- Inbound security settings
Bonus: HTTP Security or How to Get an A+ Rating
You can put your webserver to the test at SSL Labs. The numerical scores of the checks range from 0 to 100, and the grades from F to A+. You can check out a more in-depth server rating guide here.
While a rating per se might sound trivial, it matters because it reflects the security level of your server. Landing on a rating below A+ shows you there is still room for improvement. So how can you ace this test and get an immaculate A+ rating? Here’s a sneak peek at some of the recommended settings:
- Have the latest Domino update installed
- Disable outdated SSL/TLS protocols
- Use only modern TLS cipher suites
- Configure the appropriate HTTP Strict Transport Security settings in notes.ini
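As an added example, not taken from this article or from HCL, here is a small Python audit script that checks two of the points above the way SSL Labs does: which TLS protocol versions a server still negotiates, and whether its Strict-Transport-Security header is complete. The 180-day max-age threshold and the list of "outdated" protocols are assumptions modelled on SSL Labs' published criteria, not Domino defaults.

```python
"""Audit a Domino HTTP server's HSTS header and TLS protocol set.
Constructed example, not HCL's code; thresholds are assumptions
modelled on SSL Labs' published criteria (HSTS max-age >= 180 days)."""
import socket
import ssl

OUTDATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # must no longer be negotiable
MIN_HSTS_MAX_AGE = 15552000               # 180 days in seconds


def parse_hsts(header):
    """Split 'max-age=N; includeSubDomains; preload' into a directive dict."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"') or True
    return directives

def hsts_findings(header):
    """List HSTS problems; an empty list means the header passes."""
    if header is None:
        return ["Strict-Transport-Security header missing"]
    d = parse_hsts(header)
    findings = []
    max_age = str(d.get("max-age", ""))
    if not max_age.isdigit():
        findings.append("max-age missing or not numeric")
    elif int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append(f"max-age {max_age} below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings

def protocol_findings(accepted):
    """Flag every outdated protocol version the server still accepts."""
    return [f"outdated protocol enabled: {p}" for p in accepted if p in OUTDATED]

def probe_protocols(host, port=443):
    """Live check: which TLS versions the server is willing to negotiate."""
    accepted = []
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        try:
            ctx = ssl.create_default_context()
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append(tls.version())
        except (ssl.SSLError, OSError, ValueError):
            pass  # refused: version disabled server-side (or unsupported locally)
    return accepted
```

Run `protocol_findings(probe_protocols("your.domino.host"))` against your own server and feed the Strict-Transport-Security header from an HTTPS response into `hsts_findings`; both return empty lists only when the settings match what the A+ checklist above asks for.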
More about your HCL Notes security
Webinar 1 – Client Security
You can hear the details of the technical implementation in Notes in our webinar with my colleague, HCL Ambassador and Senior Consultant Christoph Adler. Still got questions? Let us know by leaving a comment.
Webinar 2 – Server Security
In the second part of our series, we will focus on the Domino Server. Register now and ask your questions live in the webinar about: “State of the Art Security for your HCL Domino Environments”.