Domino Security

"Domino generally knows three authentication and four authorization mechanisms. First the user must be recognized: This can happen with Notes-ID, name/password combination or X.509 certificate. After the user (or server) has been recognized usually three mechanisms come into play: Basic restrictions are defined in the Domino directory, every database has an access control list (ACL), and every Notes user can define execution rights (execution control list, ECL). Additionally it can be defined for every element of a Notes database that may read or change it.

Domino differentiates Notes users from Web users with the latter being assessed as a security risk for a good reason. While establishing the connection a Notes client presents its certificates for identification, a Web browser is anonymous initially. For the ACLs Domino therefore differentiates between -Default- and Anonymous. -Default- describes the rights of a known but not further specified user, Anonymous on the other hand the rights of an unknown user. If a database does not specify rights for Anonymous the rights for -Default- are valid automatically. Another restriction for Web Browser is hidden on the last page of the ACL settings.

Incorrect ACLs
Databases receive their standard ACL from the template they are based on. Just recently Lotus eliminated a flaw that caused passing on the rights of the template instead of using the standards for the database contained in the square brackets. These standard ACLs are sometimes handed out much too casually. For example everybody has authoring rights (-Default-) to the directory that is essential for the security of the Domino installation. Therefore it is possible again and again to find WebSites where the directory can be opened. All it takes is to append the name of the directory to the URL: http://host.com/names.nsf.
Big trouble lies ahead if the hacker is able to access this database. Now all servers, their topology, database names of the mail files and so on are open and the attacker could probably also directly obtain a Notes-ID.

The standard settings for server security are also much too lax. If the administrator does not make any changes everybody is able to browse all of the servers databases (http://host.com/?Open). If the intruder gets hold of the Cert-ID that many administrators keep on their harddisk, he even can set up user doubles because the server generally does not compare the public keys with the address book. And so on. The list of lax settings is infinite. "

Excerpts taken from the article "Security Problems with Lotus Domino" by Volker Weber