Lock down security exposures in your Domino web
Download
Report
Transcript Lock down security exposures in your Domino web
Lock down security exposures in
your Domino web applications
Rob Kirkland
Certified Lotus Instructor
Consultant
Author of “Domino System Administration”
Agenda
• Authentication - 5 options
• ACL settings
• Securing views
• Securing forms and documents
• Vulnerability in Domino URLs
• Securing Agents
• Important server document fields
Authentication: Anonymous
access
• No user authentication required
• Useful for commercial Web sites with
information intended for public
consumption
• Dangerous for restricted Web sites
Basic authentication:
Name and password access
• User submits name and password, which Domino
compares to Person document in a Domino
directory or to a record in an LDAP directory
• Easy to set up and administer. Just create Person
and Group documents.
• Problem: Name and password cross network as
plain text with every URL the user submits
Session authentication
• As with basic authentication, user submits name
and password in plain text
– But only submits them once.
• User submits cookie after initial authentication
• With each reply, server sends user an updated
cookie
– Maintains transaction state this way
• Supports single sign-on too
– One login recognized by multiple Domino and
Websphere servers
Authentication: Server-side SSL
• Server submits certificate with public key to user
• If user trusts certifier, creates, sends a session key
to server, encrypted with server’s public key
• All further transmissions of information between
user and server are encrypted and validated
(signed) with session key
• User can authenticate using any method
Server-side SSL (cont’d)
• Solves problem of user name and password
crossing network in plain text. Good!
• Increases demand on resources: processor,
memory, I/O.
– Therefore, should use SSL only when
necessary. (Set property in each database.)
• Relatively costly to set up and maintain.
Authentication: Client-side SSL
• User submits certificate with public key to
server
• If server trusts certifier, compares user’s
public key to that stored in Person
document in Domino or LDAP directory.
• If public keys match, user is authenticated.
Client-side SSL (cont’d)
• This is the most secure user authentication because
a hacker must steal user’s certificate (and know
the password) in order to pose as user
• Costly and cumbersome to set up and maintain
because user must obtain an X.509 certificate from
some Certificate Authority and merge it into user’s
browser.
• Can’t use with session authentication. Bummer!
ACLs: Basics
• In general: Set ACLs to lowest possible levels
– Anonymous: No Access or Reader. Never Author.
– Registration DB: Set Anonymous to Depositor.
• Set -Default- or Anonymous entries in ACLs of all
databases
– If there is no Anonymous entry, -Default- is used on the
Web
– If Anonymous is set, -Default- is ignored on the Web
– Use -Default- for Notes clients, and Anonymous for
Web browsers
ACLs: Privileges
• Create documents and Delete documents
– Don’t activate if not needed. Don’t get lazy!
• Create personal agents, Create
folders/views, Create agents
– Available to Notes users only, not Web users
• Read/Write public documents
– Consider using to restrict access to selected
database elements.
ACLs: Roles
• Use ACL roles to refine access to database
elements.
• You can use roles with the following DB
elements:
• Framesets
• Views
• Sections
• Outlines
• Forms
• Readers/Authors fields
ACLs: Considerations
• Set Maximum Internet Name and Password field
(in Advanced)
• Create default ACL entries in design templates
– Use brackets, e.g.: [Anonymous]
• Create File Protection documents to set No
Access, Read Only, Read/Write for elements in the
Domino file system.
– Then create Realm documents to head off user
frustration
Securing views
• Hide views from Web users
– Use Hide from Web browsers in Design
Document Properties.
– Use parentheses to hide view names
• Hide views from specific users:
– Use Read Access lists
• Prevent Web users from guessing view
names (by using hard-to-guess names!)
Securing views (cont’d)
• Use single-category views to limit what
portions of a view Web users can see
– Embed view in a form or page
– Use a formula to define which category of
items will display to the Web user
Securing views (cont’d)
• Block direct (manually entered URL) to
views
– Use $$ViewTemplate for [viewname] and
$$ViewTemplateDefault forms that have no
embedded view or $$Viewname field.
– When user requests the view, Domino will
deliver the form, not the view!
• And don’t forget to redirect $DefaultNav
and ?ReadViewEntries URLs
Securing forms and documents
• Use form and document Read Access lists
• Use form Compose Access lists
• Use Authors fields
– Remember, an ACL author can only edit a
document if his/her name appears in an Authors
field on the document
• Use Readers fields
– Great security feature!
Securing forms and documents
(cont’d)
• Use Form formulas in views
– Defines what form Domino will use to display
documents in view
– But remember, users can open documents
directly if they know a doc’s UNID
• Then the Form field controls, not the Form formula
• Use Controlled Access sections
– To control edit access to items in section
Securing forms and document
(cont’d)
• Use Hide-whens liberally
– Hides data from users but not from the server
– Especially, hide password fields from
unauthorized users
• Don’t rely on field encryption
– It doesn’t restrict Web users from seeing
contents of fields.
Lock out unauthorized
Domino URLs
• Web users who know Domino URL syntax
can hack your Web site.
• Use redirection to thwart this
• Problem areas include:
– Certain special identifiers
– Certain URL commands
Domino URLs (cont’d)
• http://….nsf/$DefaultView
– Retrieves a database’s default view
• http://….nsf/$DefaultForm
– Retrieves a database’s default form
• How to thwart:
– Don’t designate a default form or view
– Or create a default view or form that displays a
warning message.
Domino URLs (cont’d)
• http://….nsf/$DefaultNav
– Retrieves a list of a database’s views
• How to thwart:
– Create a Redirection document in Domino
Directory
– Incoming URL path: /*.nsf/$DefaultNav
– Redirect to hacker warning.
Domino URLs (cont’d)
• http://…/$SearchForm
– Retrieves default search form
– If DB is FT-indexed, user can search it
• How to thwart:
– Create a $$Search form or
$$SearchTemplateDefault form with a warning
or error message
Domino URLs (cont’d)
• $Help and $About
– These retrieve the Help and About documents.
– Use hide-whens to hide selected content from
Web users, if necessary.
– Or don’t create these docs
– Or put warning messages on them.
Domino URLs (cont’d)
• http://…?OpenServer
– Lists all Notes databases in the server’s file
system
– This may be okay for an intranet Web server,
but is usually not okay for an Internet Web
server.
– To block this command, disable in Server
document. Set “Allow HTTP clients to browse
databases” to “No”.
Domino URLs (cont’d)
• http://…?ReadViewEntries
– Retrieves view in XML format
• Permits user to export view contents to a database.
– How to thwart:
• Create a Redirection document in Domino Directory
• Incoming URL path: /*.nsf/*?ReadView*
Secure agents
• Agents can be invoked from a browser
– http://…/agentname?OpenAgent
• Browser-invoked agents run with the rights of the
agent signer
– But invoker must have Reader access to the items on
which the agent acts
• You can override this
– Set agent property “Run Agent as Web user”
– You can also hide the agent from Web users
Secure agents (cont’d)
• If a Web user invokes an agent directly (by
entering its URL manually), the
HTTP_Referer CGI variable returned with
the URL will be blank
– Therefore, to prevent Web users invoking
agents directly, test for a blank HTTP_Referer
variable.
– See example code, next slide
Secure agents (cont’d)
LotusScript Example to Check HTTP_Referer:
If Not(Instr(1, Ucase(docContext.HTTP_Referer(0)),
Ucase(docContext.Server_Name(0))) > 0) And Not(Instr(1,
Ucase(docContext.HTTP_Referer(0)),
Ucase(docContext.HTTP_HOST(0))) > 0) Then
Print{<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>}
Print {<H1>Error</H1>Unauthorized Exception<P><HR>}
Print {</BODY></HTML>}
Exit Sub
End If
Slide used courtesy of The View. Copyright 2000 The View. All rights reserved.
Some important server document fields
• Security tab
– Administer the server from a browser
– Agent and Java/COM restriction fields
• Ports, Internet Ports, Web tab
– Authentication options fields
• Internet Protocols tabs
– DNS lookup
• Domino logs host name, not just IP address
– Allow HTTP clients to browse databases
– Web logging fields
• Enable one or none, not both
Thank you
• Any questions?