Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Lock down security exposures in your Domino web applications Rob Kirkland Certified Lotus Instructor Consultant Author of “Domino System Administration” Agenda • Authentication - 5 options • ACL settings • Securing views • Securing forms and documents • Vulnerability in Domino URLs • Securing Agents • Important server document fields Authentication: Anonymous access • No user authentication required • Useful for commercial Web sites with information intended for public consumption • Dangerous for restricted Web sites Basic authentication: Name and password access • User submits name and password, which Domino compares to Person document in a Domino directory or to a record in an LDAP directory • Easy to set up and administer. Just create Person and Group documents. • Problem: Name and password cross network as plain text with every URL the user submits Session authentication • As with basic authentication, user submits name and password in plain text – But only submits them once. • User submits cookie after initial authentication • With each reply, server sends user an updated cookie – Maintains transaction state this way • Supports single sign-on too – One login recognized by multiple Domino and Websphere servers Authentication: Server-side SSL • Server submits certificate with public key to user • If user trusts certifier, creates, sends a session key to server, encrypted with server’s public key • All further transmissions of information between user and server are encrypted and validated (signed) with session key • User can authenticate using any method Server-side SSL (cont’d) • Solves problem of user name and password crossing network in plain text. Good! • Increases demand on resources: processor, memory, I/O. – Therefore, should use SSL only when necessary. (Set property in each database.) • Relatively costly to set up and maintain. Authentication: Client-side SSL • User submits certificate with public key to server • If server trusts certifier, compares user’s public key to that stored in Person document in Domino or LDAP directory. • If public keys match, user is authenticated. Client-side SSL (cont’d) • This is the most secure user authentication because a hacker must steal user’s certificate (and know the password) in order to pose as user • Costly and cumbersome to set up and maintain because user must obtain an X.509 certificate from some Certificate Authority and merge it into user’s browser. • Can’t use with session authentication. Bummer! ACLs: Basics • In general: Set ACLs to lowest possible levels – Anonymous: No Access or Reader. Never Author. – Registration DB: Set Anonymous to Depositor. • Set -Default- or Anonymous entries in ACLs of all databases – If there is no Anonymous entry, -Default- is used on the Web – If Anonymous is set, -Default- is ignored on the Web – Use -Default- for Notes clients, and Anonymous for Web browsers ACLs: Privileges • Create documents and Delete documents – Don’t activate if not needed. Don’t get lazy! • Create personal agents, Create folders/views, Create agents – Available to Notes users only, not Web users • Read/Write public documents – Consider using to restrict access to selected database elements. ACLs: Roles • Use ACL roles to refine access to database elements. • You can use roles with the following DB elements: • Framesets • Views • Sections • Outlines • Forms • Readers/Authors fields ACLs: Considerations • Set Maximum Internet Name and Password field (in Advanced) • Create default ACL entries in design templates – Use brackets, e.g.: [Anonymous] • Create File Protection documents to set No Access, Read Only, Read/Write for elements in the Domino file system. – Then create Realm documents to head off user frustration Securing views • Hide views from Web users – Use Hide from Web browsers in Design Document Properties. – Use parentheses to hide view names • Hide views from specific users: – Use Read Access lists • Prevent Web users from guessing view names (by using hard-to-guess names!) Securing views (cont’d) • Use single-category views to limit what portions of a view Web users can see – Embed view in a form or page – Use a formula to define which category of items will display to the Web user Securing views (cont’d) • Block direct (manually entered URL) to views – Use $$ViewTemplate for [viewname] and $$ViewTemplateDefault forms that have no embedded view or $$Viewname field. – When user requests the view, Domino will deliver the form, not the view! • And don’t forget to redirect $DefaultNav and ?ReadViewEntries URLs Securing forms and documents • Use form and document Read Access lists • Use form Compose Access lists • Use Authors fields – Remember, an ACL author can only edit a document if his/her name appears in an Authors field on the document • Use Readers fields – Great security feature! Securing forms and documents (cont’d) • Use Form formulas in views – Defines what form Domino will use to display documents in view – But remember, users can open documents directly if they know a doc’s UNID • Then the Form field controls, not the Form formula • Use Controlled Access sections – To control edit access to items in section Securing forms and document (cont’d) • Use Hide-whens liberally – Hides data from users but not from the server – Especially, hide password fields from unauthorized users • Don’t rely on field encryption – It doesn’t restrict Web users from seeing contents of fields. Lock out unauthorized Domino URLs • Web users who know Domino URL syntax can hack your Web site. • Use redirection to thwart this • Problem areas include: – Certain special identifiers – Certain URL commands Domino URLs (cont’d) • http://….nsf/$DefaultView – Retrieves a database’s default view • http://….nsf/$DefaultForm – Retrieves a database’s default form • How to thwart: – Don’t designate a default form or view – Or create a default view or form that displays a warning message. Domino URLs (cont’d) • http://….nsf/$DefaultNav – Retrieves a list of a database’s views • How to thwart: – Create a Redirection document in Domino Directory – Incoming URL path: /*.nsf/$DefaultNav – Redirect to hacker warning. Domino URLs (cont’d) • http://…/$SearchForm – Retrieves default search form – If DB is FT-indexed, user can search it • How to thwart: – Create a $$Search form or $$SearchTemplateDefault form with a warning or error message Domino URLs (cont’d) • $Help and $About – These retrieve the Help and About documents. – Use hide-whens to hide selected content from Web users, if necessary. – Or don’t create these docs – Or put warning messages on them. Domino URLs (cont’d) • http://…?OpenServer – Lists all Notes databases in the server’s file system – This may be okay for an intranet Web server, but is usually not okay for an Internet Web server. – To block this command, disable in Server document. Set “Allow HTTP clients to browse databases” to “No”. Domino URLs (cont’d) • http://…?ReadViewEntries – Retrieves view in XML format • Permits user to export view contents to a database. – How to thwart: • Create a Redirection document in Domino Directory • Incoming URL path: /*.nsf/*?ReadView* Secure agents • Agents can be invoked from a browser – http://…/agentname?OpenAgent • Browser-invoked agents run with the rights of the agent signer – But invoker must have Reader access to the items on which the agent acts • You can override this – Set agent property “Run Agent as Web user” – You can also hide the agent from Web users Secure agents (cont’d) • If a Web user invokes an agent directly (by entering its URL manually), the HTTP_Referer CGI variable returned with the URL will be blank – Therefore, to prevent Web users invoking agents directly, test for a blank HTTP_Referer variable. – See example code, next slide Secure agents (cont’d) LotusScript Example to Check HTTP_Referer: If Not(Instr(1, Ucase(docContext.HTTP_Referer(0)), Ucase(docContext.Server_Name(0))) > 0) And Not(Instr(1, Ucase(docContext.HTTP_Referer(0)), Ucase(docContext.HTTP_HOST(0))) > 0) Then Print{<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>} Print {<H1>Error</H1>Unauthorized Exception<P><HR>} Print {</BODY></HTML>} Exit Sub End If Slide used courtesy of The View. Copyright 2000 The View. All rights reserved. Some important server document fields • Security tab – Administer the server from a browser – Agent and Java/COM restriction fields • Ports, Internet Ports, Web tab – Authentication options fields • Internet Protocols tabs – DNS lookup • Domino logs host name, not just IP address – Allow HTTP clients to browse databases – Web logging fields • Enable one or none, not both Thank you • Any questions?