Boost Your Domino Security with BCC DominoProtect

Engage 23rd – 24th March 2016
@EngageUG #EngageUG
BCC Business Collaboration Company Ltd
Knowledge Centre, Wyboston Lakes, Wyboston MK44 3BY, UK
Tel.: +44 20 3290 9224
Fax: +44 20 3808 3006
E-Mail: contact@bcc.biz
Web: www.bcchub.com
Introduction
Arshad Khalid
• Director of Technical Services
• Working with Notes/Domino since 1998
• Consultant, Project Manager
• IBM Lotus Top Achiever 2009
• IBM Champion 2014, 2015
• @arshad101
Agenda
About BCC
Housekeeping
• Protect the server ID
Fort Knox without backdoors
• Protect the ID Vault
God mode trap
• Protect against misuse of Full Access Administration
Stealth mode trap
• Prevent & track unauthorised changes in real time
Who let the dogs out?
• Logging and rollback
Questions
About BCC
Founded in 1996
IBM Business Partner
Locations: Frankfurt (HQ), Wyboston UK
Implementation Partner: NuAge Technologies, CA
800+ customers
BCC Solutions
Why Protect the Server ID?
YES, it makes it easy to reboot the server!
But it IS a dangerous practice to not password protect the Server ID
An unsecured Server ID is your WEAK SPOT!
But you don’t have to take our word for it…
IBM Says So…
“We understand that most Domino servers are not password-protected to
make unattended reboots simpler, but the vault server's ID file is a key
element in the security of your ID vault”
“..a sophisticated attacker with a vault database and one of the
corresponding server IDs...would have all of the cryptographic information
needed to masquerade as the vault server and decrypt all of the ID files
stored in the vault”
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vaultserver
Paul Mooney Says So…
https://twitter.com/SandraCH/status/428268770793381888
BCC DominoProtect
Protect the Server ID with password(s)
• Assign a random password to the server ID
• Assign multiple passwords fulfilling the “two man rule”
• DominoProtect provides the password at startup
• Facilitates automatic server restart
Demo
Protect the server ID
ID Vault: Why secure the ACL?
Anyone with the Auditor role and an Admin Client is able to download ID files from the ID Vault
Change ACL?
• Full Access Admins are able to do this
• Server-based script agents
Preventing unwanted changes in the ID Vault is mandatory!
BCC DominoProtect
Protect ACL
• Prevent ACL Change
• Track ACL Changes
• Change request via approval workflow
Demo
Protect the ID Vault
Full Access Administration
Can be used to bypass many IBM Domino restrictions
Directly update ACLs
Access sensitive data
Change configuration documents in the Domino Directory
BCC DominoProtect
Disable Full Access Administration
• Via the licence
Field level document security
• Protect specific fields in a document
• Manager, Designer or Editor is not allowed to change secured fields
Change Management
• Request workflows for controlled changes
Real time tracking & prevention
Domino logging out of the box is quite basic
Someone with malicious intent could
• Add their name to a group
• Access sensitive data
• Make changes to the data
• Remove themselves from the group
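The add, access, change, remove sequence above leaves a short-lived group membership behind, and it can be found after the fact when group changes and document access are recorded together. The following Python is an added example, not DominoProtect or IBM Domino code; the event tuple layout, user names and database paths are constructed for illustration and are not Domino's log format.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, actor, action, target, member).
# This layout is an assumption for the example, not Domino's log format.
EVENTS = [
    ("2016-03-23T09:00:05", "Jo Temp/Acme", "group_add", "HR-Readers", "Jo Temp/Acme"),
    ("2016-03-23T09:02:10", "Jo Temp/Acme", "doc_read", "hr/salaries.nsf", None),
    ("2016-03-23T09:03:40", "Jo Temp/Acme", "doc_update", "hr/salaries.nsf", None),
    ("2016-03-23T09:05:00", "Jo Temp/Acme", "group_remove", "HR-Readers", "Jo Temp/Acme"),
    ("2016-03-23T10:00:00", "Admin/Acme", "group_add", "Sales", "Ann Lee/Acme"),
    ("2016-03-23T11:00:00", "Ann Lee/Acme", "doc_read", "sales/leads.nsf", None),
]


def find_transient_memberships(events, window=timedelta(hours=1)):
    """Report members added to and removed from a group within `window`,
    together with what they read or changed while they were a member."""
    parsed = sorted(
        ((datetime.fromisoformat(ts), actor, action, target, member)
         for ts, actor, action, target, member in events),
        key=lambda e: e[0],
    )
    open_adds = {}  # (group, member) -> (time added, who added)
    findings = []
    for ts, actor, action, target, member in parsed:
        key = (target, member)
        if action == "group_add":
            open_adds[key] = (ts, actor)
        elif action == "group_remove" and key in open_adds:
            added_at, added_by = open_adds.pop(key)
            if ts - added_at > window:
                continue  # long-lived membership, not the pattern we want
            activity = [
                (t.isoformat(), act, tgt)
                for t, who, act, tgt, _ in parsed
                if who == member and added_at < t < ts
                and act in ("doc_read", "doc_update")
            ]
            findings.append({
                "member": member, "group": target,
                "self_added": added_by == member,
                "seconds_in_group": int((ts - added_at).total_seconds()),
                "activity": activity,
            })
    return findings


if __name__ == "__main__":
    for finding in find_transient_memberships(EVENTS):
        print(finding)
```

Memberships that are still open at the end of the data are not reported, so this check complements a periodic review of current group members rather than replacing it.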
BCC DominoProtect
Protect against unauthorised changes
• Track access to document
• Track modification
• Prevent modification or deletion
• Trigger an email notification
• Start an approval workflow
Demo
Protect against misuse of Full Access Administration
Prevent & track unauthorised changes in real time
Logging and Rollback
Changes made by an interim admin
Changes made by mistake
Not easy to track
Reversing the changes is a considerable drain on admin time and resources
Systems need to be up and running quickly
BCC DominoProtect
Change Management
• Request workflows for controlled changes
• Automated change history and roll back
Detailed monitoring and logging
• Automatic audit-proof documentation of all actions related to protected elements
Demo
Logging and rollback
In summary
An essential extra layer of security for IBM Domino
Prevent and track changes in real time
Protect server IDs with password and start servers unattended
Safeguard and secure ID Vault & Domino Directory
Prevent misuse of Full Access Admin
Facilitates implementing a “two man rule” via approval workflow
One click Rollback and recovery
Ensure compliance for corporate governance and legal regulations
It’s a wrap!
Arshad Khalid
• arshad_khalid@bcc.biz
• @arshad101
BCC
• www.bcchub.com
• @BCC_Ltd
Thank You!