The world is changing. We are in the midst of a shifting IT landscape and can’t wait to enjoy the latest achievements. But during all this euphoria, we must not forget our security. In this case, the security of our HCL Notes environment. In order to give our users the possibility to work as safely as possible in pandemic times, many decisions had to be made quickly.
As a responsible IT department, one knows about the dangers. You know many basics, but it is a good idea to keep an eye out for best practices. In the first part of our security special, we’ll help you take a closer look at the top 5 areas of HCL Notes.
1. Network Traffic / Port Settings in notes.ini
Usually external connections are encrypted. If you want to encrypt, you only need to configure this on one side (client or server), in contrast to compression, which must be configured identically on both sides (server and client). This can be done in the Notes client via the UI or alternatively via the notes.ini.
However, not all encryption is the same. The standard in Notes and Domino has seen better days. To ensure a high encryption level, additional parameters and key variations can be configured from Notes and Domino 9.0.1 FP7 onward.
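The notes.ini port line is where the per-port encryption and compression options live. As an added example that is not part of the original post, this Python script parses a constructed notes.ini excerpt and reports which ports have encryption enabled; the flag bit values 0x8000 (encrypt) and 0x4000 (compress) are assumed from the Domino port-option documentation and should be verified against the documentation for your release.

```python
# Port-option flag bits in the notes.ini port line (assumed values; verify
# against the HCL Domino documentation for your release).
FLAG_ENCRYPT = 0x8000   # "Encrypt network data" for this port
FLAG_COMPRESS = 0x4000  # "Enable compression" for this port

# Constructed sample notes.ini excerpt, not taken from a real installation.
SAMPLE_NOTES_INI = """\
[Notes]
Ports=TCPIP,LAN0
TCPIP=TCP,0,15,0,,45056,
LAN0=NETBIOS,0,15,0,,12288,
Directory=C:\\Notes\\Data
"""


def parse_ports(ini_text):
    """Return {port_name: flags} for every port listed on the Ports= line."""
    settings = {}
    for line in ini_text.splitlines():
        if "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            settings[key.strip().upper()] = value.strip()
    ports = {}
    for name in settings.get("PORTS", "").split(","):
        name = name.strip()
        if not name:
            continue
        fields = [f.strip() for f in settings.get(name.upper(), "").split(",")]
        # Field layout: driver, unit id, max sessions, buffer size, reserved, flags
        flags = int(fields[5]) if len(fields) > 5 and fields[5].isdigit() else 0
        ports[name] = flags
    return ports


def audit_ports(ini_text):
    """Per port, state whether encryption and compression bits are set."""
    report = {}
    for name, flags in parse_ports(ini_text).items():
        report[name] = {
            "encrypt": bool(flags & FLAG_ENCRYPT),
            "compress": bool(flags & FLAG_COMPRESS),
        }
    return report


def unencrypted_ports(ini_text):
    """Names of enabled ports whose flags do not have the encrypt bit set."""
    return sorted(n for n, r in audit_ports(ini_text).items() if not r["encrypt"])


if __name__ == "__main__":
    for port, state in audit_ports(SAMPLE_NOTES_INI).items():
        print(port, state)
    print("ports without encryption:", unencrypted_ports(SAMPLE_NOTES_INI))
```

Running the same check against the notes.ini of a client and of the server it talks to shows whether at least one side has encryption set, and whether both sides agree on compression.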
More information about network traffic can be found in our second part of this series on HCL Domino security.
2. Safeguarding Data in Local Replicas/Databases
Especially in times of home office it is important to encrypt databases, as employees are not necessarily in the secure office network. While it used to be possible to choose between different levels of encryption, anything below the “Strong Encryption” level is not recommended.
As of HCL Notes 11.0.1 it is even possible to additionally switch on 128-bit AES. However, this has to be done manually and cannot be set as a default. Another disadvantage could be the time factor on weaker devices, since a particularly high security level could cause delays for the end user in that case.
Generally speaking, a well-maintained ACL (Access Control List) with an appropriate assignment of roles and rights helps.
3. Applications (Code)
When it comes to the ECL (Execution Control List), we have seen again and again how casually it is treated. It is usually poorly maintained or not maintained at all, even though it performs an essential function for your Notes security.
Theoretically anyone can develop and install code for Notes/Domino. Therefore, it is important to distribute server-side permissions or to define certain rules that prohibit code variants or sources. This also helps to avoid confusion for the end user. For example, the ECL can also be set to lockdown status. Unauthorized code can thus no longer be released and executed by the user.
4. Security Breaches
What happens when something goes wrong? Although Notes/Domino customers are very relaxed about this and a stable solution is used, a considerable security breach has been detected in recent months.
It has been shown that the same rules apply to Notes as to most other software products. It helps to apply patches in a timely manner. Just as it helps to make regular updates, so that in case of emergency a critical security patch can be applied quickly.
5. Authentication Security
How do we log in? IDs must have passwords, even if it’s not always convenient. Expiration dates are also important – not only for Windows, but also for Notes. Password complexity is an important element of this. There must be a good balance between enough complexity for security and usability for the end user. Experience has shown that excessive complexity leads to the password being kept as a Post-it after all.
To make it easier for the end user, SSO (single sign-on) capabilities can be used. However, it should not be the old and soon outdated Windows service (ClientSingleLogin). HCL decided to remove that old SSO method with Notes V12. More sensible, and more recommended, is NSL (Notes Shared Login). This can also be easily used in Citrix environments (from version 11.0.1 FP1 on).
Regardless of what you choose, you should keep in mind that changing the above SSO mechanisms will require a reinstallation of the Notes client.