Transcript Lock down security exposures in your Domino web

Lock down security exposures in
your Domino web applications
Rob Kirkland
Certified Lotus Instructor
Consultant
Author of “Domino System Administration”
Agenda
• Authentication - 5 options
• ACL settings
• Securing views
• Securing forms and documents
• Vulnerability in Domino URLs
• Securing Agents
• Important server document fields
Authentication: Anonymous
access
• No user authentication required
• Useful for commercial Web sites with
information intended for public
consumption
• Dangerous for restricted Web sites
Basic authentication:
Name and password access
• User submits name and password, which Domino
compares to Person document in a Domino
directory or to a record in an LDAP directory
• Easy to set up and administer. Just create Person
and Group documents.
• Problem: Name and password cross network as
plain text with every URL the user submits
Session authentication
• As with basic authentication, user submits name
and password in plain text
– But only submits them once.
• User submits cookie after initial authentication
• With each reply, server sends user an updated
cookie
– Maintains transaction state this way
• Supports single sign-on too
– One login recognized by multiple Domino and
Websphere servers
Authentication: Server-side SSL
• Server submits certificate with public key to user
• If user trusts certifier, creates, sends a session key
to server, encrypted with server’s public key
• All further transmissions of information between
user and server are encrypted and validated
(signed) with session key
• User can authenticate using any method
Server-side SSL (cont’d)
• Solves problem of user name and password
crossing network in plain text. Good!
• Increases demand on resources: processor,
memory, I/O.
– Therefore, should use SSL only when
necessary. (Set property in each database.)
• Relatively costly to set up and maintain.
Authentication: Client-side SSL
• User submits certificate with public key to
server
• If server trusts certifier, compares user’s
public key to that stored in Person
document in Domino or LDAP directory.
• If public keys match, user is authenticated.
Client-side SSL (cont’d)
• This is the most secure user authentication because
a hacker must steal user’s certificate (and know
the password) in order to pose as user
• Costly and cumbersome to set up and maintain
because user must obtain an X.509 certificate from
some Certificate Authority and merge it into user’s
browser.
• Can’t use with session authentication. Bummer!
ACLs: Basics
• In general: Set ACLs to lowest possible levels
– Anonymous: No Access or Reader. Never Author.
– Registration DB: Set Anonymous to Depositor.
• Set -Default- or Anonymous entries in ACLs of all
databases
– If there is no Anonymous entry, -Default- is used on the
Web
– If Anonymous is set, -Default- is ignored on the Web
– Use -Default- for Notes clients, and Anonymous for
Web browsers
ACLs: Privileges
• Create documents and Delete documents
– Don’t activate if not needed. Don’t get lazy!
• Create personal agents, Create
folders/views, Create agents
– Available to Notes users only, not Web users
• Read/Write public documents
– Consider using to restrict access to selected
database elements.
ACLs: Roles
• Use ACL roles to refine access to database
elements.
• You can use roles with the following DB
elements:
• Framesets
• Views
• Sections
• Outlines
• Forms
• Readers/Authors fields
ACLs: Considerations
• Set Maximum Internet Name and Password field
(in Advanced)
• Create default ACL entries in design templates
– Use brackets, e.g.: [Anonymous]
• Create File Protection documents to set No
Access, Read Only, Read/Write for elements in the
Domino file system.
– Then create Realm documents to head off user
frustration
Securing views
• Hide views from Web users
– Use Hide from Web browsers in Design
Document Properties.
– Use parentheses to hide view names
• Hide views from specific users:
– Use Read Access lists
• Prevent Web users from guessing view
names (by using hard-to-guess names!)
Securing views (cont’d)
• Use single-category views to limit what
portions of a view Web users can see
– Embed view in a form or page
– Use a formula to define which category of
items will display to the Web user
Securing views (cont’d)
• Block direct (manually entered URL) to
views
– Use $$ViewTemplate for [viewname] and
$$ViewTemplateDefault forms that have no
embedded view or $$Viewname field.
– When user requests the view, Domino will
deliver the form, not the view!
• And don’t forget to redirect $DefaultNav
and ?ReadViewEntries URLs
Securing forms and documents
• Use form and document Read Access lists
• Use form Compose Access lists
• Use Authors fields
– Remember, an ACL author can only edit a
document if his/her name appears in an Authors
field on the document
• Use Readers fields
– Great security feature!
Securing forms and documents
(cont’d)
• Use Form formulas in views
– Defines what form Domino will use to display
documents in view
– But remember, users can open documents
directly if they know a doc’s UNID
• Then the Form field controls, not the Form formula
• Use Controlled Access sections
– To control edit access to items in section
Securing forms and document
(cont’d)
• Use Hide-whens liberally
– Hides data from users but not from the server
– Especially, hide password fields from
unauthorized users
• Don’t rely on field encryption
– It doesn’t restrict Web users from seeing
contents of fields.
Lock out unauthorized
Domino URLs
• Web users who know Domino URL syntax
can hack your Web site.
• Use redirection to thwart this
• Problem areas include:
– Certain special identifiers
– Certain URL commands
Domino URLs (cont’d)
• http://….nsf/$DefaultView
– Retrieves a database’s default view
• http://….nsf/$DefaultForm
– Retrieves a database’s default form
• How to thwart:
– Don’t designate a default form or view
– Or create a default view or form that displays a
warning message.
Domino URLs (cont’d)
• http://….nsf/$DefaultNav
– Retrieves a list of a database’s views
• How to thwart:
– Create a Redirection document in Domino
Directory
– Incoming URL path: /*.nsf/$DefaultNav
– Redirect to hacker warning.
Domino URLs (cont’d)
• http://…/$SearchForm
– Retrieves default search form
– If DB is FT-indexed, user can search it
• How to thwart:
– Create a $$Search form or
$$SearchTemplateDefault form with a warning
or error message
Domino URLs (cont’d)
• $Help and $About
– These retrieve the Help and About documents.
– Use hide-whens to hide selected content from
Web users, if necessary.
– Or don’t create these docs
– Or put warning messages on them.
Domino URLs (cont’d)
• http://…?OpenServer
– Lists all Notes databases in the server’s file
system
– This may be okay for an intranet Web server,
but is usually not okay for an Internet Web
server.
– To block this command, disable in Server
document. Set “Allow HTTP clients to browse
databases” to “No”.
Domino URLs (cont’d)
• http://…?ReadViewEntries
– Retrieves view in XML format
• Permits user to export view contents to a database.
– How to thwart:
• Create a Redirection document in Domino Directory
• Incoming URL path: /*.nsf/*?ReadView*
Secure agents
• Agents can be invoked from a browser
– http://…/agentname?OpenAgent
• Browser-invoked agents run with the rights of the
agent signer
– But invoker must have Reader access to the items on
which the agent acts
• You can override this
– Set agent property “Run Agent as Web user”
– You can also hide the agent from Web users
Secure agents (cont’d)
• If a Web user invokes an agent directly (by
entering its URL manually), the
HTTP_Referer CGI variable returned with
the URL will be blank
– Therefore, to prevent Web users invoking
agents directly, test for a blank HTTP_Referer
variable.
– See example code, next slide
Secure agents (cont’d)
LotusScript Example to Check HTTP_Referer:
If Not(Instr(1, Ucase(docContext.HTTP_Referer(0)),
Ucase(docContext.Server_Name(0))) > 0) And Not(Instr(1,
Ucase(docContext.HTTP_Referer(0)),
Ucase(docContext.HTTP_HOST(0))) > 0) Then
Print{<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>}
Print {<H1>Error</H1>Unauthorized Exception<P><HR>}
Print {</BODY></HTML>}
Exit Sub
End If
Slide used courtesy of The View. Copyright 2000 The View. All rights reserved.
Some important server document fields
• Security tab
– Administer the server from a browser
– Agent and Java/COM restriction fields
• Ports, Internet Ports, Web tab
– Authentication options fields
• Internet Protocols tabs
– DNS lookup
• Domino logs host name, not just IP address
– Allow HTTP clients to browse databases
– Web logging fields
• Enable one or none, not both
Thank you
• Any questions?