Boost Your Domino Security with BCC DominoProtect
Transcription
Boost Your Domino Security with BCC DominoProtect
Boost Your Domino Security with BCC DominoProtect Engage 23rd – 24th March 2016 @EngageUG #EngageUG Boost Your Domino Security with BCC Business Collaboration Company Ltd Knowledge Centre, Wyboston Lakes, Wyboston MK44 3BY, UK Tel.: +44 20 3290 9224 Fax: +44 20 3808 3006 E-Mail: contact@bcc.biz Web: www.bcchub.com Boost Your Domino Security with BCC DominoProtect Introduction Arshad Khalid • Director of Technical Services • Working with Notes/Domino since 1998 • Consultant, Project Manager • IBM Lotus Top Achiever 2009 • IBM Champion 2014, 2015 • @arshad101 Boost Your Domino Security with BCC DominoProtect Boost Your Domino Security with BCC DominoProtect Agenda About BCC Housekeeping • Protect the server ID Fort Knox without backdoors • Protect the ID Vault God mode trap • Protect against misuse of Full Access Administration Stealth mode trap • Prevent & track unauthorised changes in real time Who let the dogs out? • Logging and rollback Questions Boost Your Domino Security with BCC DominoProtect About BCC Founded in 1996 IBM Business Partner Locations: Frankfurt (HQ), Wyboston UK Implementation Partner: NuAge Technologies, CA 800+ customers Boost Your Domino Security with BCC DominoProtect BCC Solutions Boost Your Domino Security with BCC DominoProtect Boost Your Domino Security with BCC DominoProtect Agenda About BCC Housekeeping • Protect the server ID Fort Knox without backdoors • Protect the ID Vault God mode trap • Protect against misuse of Full Access Administration Stealth mode trap • Prevent & track unauthorised changes in real time Who let the dogs out? • Logging and rollback Questions Boost Your Domino Security with BCC DominoProtect Why Protect the Server ID? YES, it makes it easy to reboot the server! But it IS a dangerous practice to not password protect the Server ID An unsecured Server ID is your WEAK SPOT! But you don’t have to take our word for it… Boost Your Domino Security with BCC DominoProtect IBM Says So… “We understand that most Domino servers are not password-protected to make unattended reboots simpler, but the vault server's ID file is a key element in the security of your ID vault” “..a sophisticated attacker with a vault database and one of the corresponding server IDs...would have all of the cryptographic information needed to masquerade as the vault server and decrypt all of the ID files stored in the vault” http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vaultserver Boost Your Domino Security with BCC DominoProtect Paul Mooney Says So… https://twitter.com/SandraCH/status/428268770793381888 Boost Your Domino Security with BCC DominoProtect BCC DominoProtect Protect the Server ID with password(s) • Assign a random password to the server ID • Assign multiple passwords fulfilling the “two man rule” • DominoProtect provides the password at startup • Facilitates automatic server restart Boost Your Domino Security with BCC DominoProtect Demo Protect the server ID Boost Your Domino Security with BCC DominoProtect Boost Your Domino Security with BCC DominoProtect Agenda About BCC Housekeeping • Protect the server ID Fort Knox without backdoors • Protect the ID Vault God mode trap • Protect against misuse of Full Access Administration Stealth mode trap • Prevent & track unauthorised changes in real time Who let the dogs out? • Logging and rollback Questions Boost Your Domino Security with BCC DominoProtect ID Vault: Why secure the ACL? Anyone with Role Auditor & Admin Client is able to download ID Files from ID Vault Change ACL? • Full Access Admins are able to do this • Server based Script Agents Preventing unwanted changes in ID Vault is mandatory! Boost Your Domino Security with BCC DominoProtect BCC DominoProtect Protect ACL • Prevent ACL Change • Track ACL Changes • Change request via approval workflow Boost Your Domino Security with BCC DominoProtect Demo Protect the ID Vault Boost Your Domino Security with BCC DominoProtect Boost Your Domino Security with BCC DominoProtect Agenda About BCC Housekeeping • Protect the server ID Fort Knox without backdoors • Protect the ID Vault God mode trap • Protect against misuse of Full Access Administration Stealth mode trap • Prevent & track unauthorised changes in real time Who let the dogs out? • Logging and rollback Questions Boost Your Domino Security with BCC DominoProtect Full Access Administration Can be used to bypass many IBM Domino restrictions Directly update ACLs Access sensitive data Change configuration documents in the Domino Directory Boost Your Domino Security with BCC DominoProtect BCC DominoProtect Disable Full Access Administration • Via the licence Field level document security • Protect specific fields in a document • Manager, Designer or Editor is not allowed to change secured fields Change Management • Request workflows for controlled changes Boost Your Domino Security with BCC DominoProtect Boost Your Domino Security with BCC DominoProtect Agenda About BCC Housekeeping • Protect the server ID Fort Knox without backdoors • Protect the ID Vault God mode trap • Protect against misuse of Full Access Administration Stealth mode trap • Prevent & track unauthorised changes in real time Who let the dogs out? • Logging and rollback Questions Boost Your Domino Security with BCC DominoProtect Real time tracking & prevention Domino logging out of the box is quite basic Someone with malicious intent could • Add their name to a group • Access sensitive data • Make changes to the data • Remove themselves from the group Boost Your Domino Security with BCC DominoProtect BCC DominoProtect Protect against unauthorised changes • Track access to document • Track modification • Prevent modification or deletion • Trigger an email notification • Start an approval workflow Boost Your Domino Security with BCC DominoProtect Demo Protect against misuse of Full Access Administration Prevent & track unauthorised changes in real time Boost Your Domino Security with BCC DominoProtect Boost Your Domino Security with BCC DominoProtect Agenda About BCC Housekeeping • Protect the server ID Fort Knox without backdoors • Protect the ID Vault God mode trap • Protect against misuse of Full Access Administration Stealth mode trap • Protect against unauthorised changes in real time Who let the dogs out? • Logging and rollback Questions Boost Your Domino Security with BCC DominoProtect Logging and Rollback Changes made by an interim admin Changes made by mistake Not easy to track Reversing the changes a considerable drain on admin time and resources Systems need to be up and running quickly Boost Your Domino Security with BCC DominoProtect BCC DominoProtect Change Management • Request workflows for controlled changes • Automated change history and roll back Detailed monitoring and logging • Automatic audit proof documentation of all actions related to protected elements Boost Your Domino Security with BCC DominoProtect Demo Logging and rollback Boost Your Domino Security with BCC DominoProtect In summary An essential extra layer of security for IBM Domino Prevent and track changes in real time Protect server IDs with password and start servers unattended Safeguard and secure ID Vault & Domino Directory Prevent misuse of Full Access Admin Facilitates implementing a “two man rule” via approval workflow One click Rollback and recovery Ensure compliance for corporate governance and legal regulations Boost Your Domino Security with BCC DominoProtect It’s a wrap! Arshad Khalid • arshad_khalid@bcc.biz • @arshad101 BCC • www.bcchub.com • @BCC_Ltd Thank You!