Lotus Cranks Up Notes & Domino Security
Beyond new features for general usability and administration, Lotus Notes/Domino 6 adds lots of functionality specifically geared to security. Key improvements include a new User Security dialog box, smartcard support, and, for administrators, the ability to establish antispam filters and certificate revocation lists (CRLs).
Shutting out some spam
"The new spam filters (in Notes) look at the DNS address of the sender. Administrators can also quarantine senders, and have (Notes) e-mail notifications to senders," said Tim Kounadis, senior market manager for IBM Lotus Software at IBM.
For previous releases of Notes/Domino, spam protection was only available through third-party products such as Eagle Technology's SpamEraser.
"You can still use SpamEraser with R6, though, and you'll get even more anti-spam capabilities," Kounadis acknowledged. SpamEraser for Notes 6, for example, lets individual end users as well as administrators manage spam. You can also keep a log of all blocked e-mail messages.
In contrast, the new spam filters in R6 can be used only by administrators, and only on an organization-wide basis.
SpamEraser for Notes 6 also contains new content filtering functionality. If content falls outside of established company policies, the administrator can reject the spam, not deliver it, stop it, or route the unwanted messages to the SpamEraser database.
A single box for user security
Notes 6, however, does contain many new features that give end users more control over individual security. According to Kounadis, the new User Security dialog box in the Notes 6 client combines the most important individual security settings in a single, easier-to-use interface.
If the administrator agrees, users can employ the new dialog box to synchronize Notes and Domino Web/Internet passwords.
Lotus also attempts to make it easier for you to change passwords. Notes can now be set up to judge new passwords on the basis of length or quality. If you find it hard to invent a password that meets the requirements, Notes can automatically generate a password for you.
Also from the dialog box, you can access new certificate management tools; set up Notes for logging in via smartcard; and view expired keys that might be helpful in decrypting old mail messages, for instance.
"Smartcards give you two-factor authentication," points out Craig Roth, vice president of Web and collaborative strategies at the Meta Group.
If you use the new smartcard option, you won't be able to access Notes without "something you have" - the smartcard - as well as "something you know." When you remove the card from the reader, you'll be automatically logged out of Notes.
It's possible, too, to lock an ID file so that a special smartcard PIN is required, instead of the customary Notes password.
So far, though, Lotus has only tested the smartcard feature with Win32 clients, according to the Notes R6 Release Notes.
How to lock your ID file
To lock your ID file, open up the User Security panel and go to the Your Identity // Your Security pane. Then, either browse to the location of the PKCS #11 library -- installed during smartcard installation -- or enter the path name. (For a GemSafe 3.1 smartcard, for example, you might enter c:\WINNT\system32\gclib.dll.) Click on the Enable Smartcard Login button to lock the ID file.
Before locking the ID file, though, you should check with the administrator to make sure that your ID file is recoverable through ID File Recovery -- and that your ID file isn't configured for password expiration in either your person document or the server's public directory.
RSA & SSL for smartcards
The new option also supports the use of smartcards for RSA mail encryption and for SSL client authentication to Internet servers.
You can use RSA private keys to sign and decrypt S/MIME mail. To place the RSA key on the smartcard, open up the Identity // Your Certificates pane in the User Security panel. Select the Internet Certificate associated with the private key, and then click on Select Other Actions // Store Private Key.
Many smartcards, though, only support 1024-bit encryption keys. You can also use the User Security panel to determine the strength of a key. Select an Internet Certificate, and press the Advanced Details button from the Your Identity // Your Certificates pane.
Answering those pesky "certificate renewal requests"
In earlier versions of Notes, end users often ran into trouble answering requests for certificate renewal. When users' Notes certificates were about to expire, they were prompted to ask for a new certificate. Many users, though, didn't know whom to ask or where to send the request.
The gist of the problem was this. Upon being prompted, the user received a Mail Certificate Request in which the subject field was filled in, but the "To" field was left blank.
Lotus tries to fix this in R6 by automatically finding the e-mail address for the user's certifier. First, Notes extracts the certifier's name from the user name. Notes then performs a name look-up for that certifier. If it finds an entry, it will check the certifier's MailAddress field, and the LocalAdmin field, to find the address. If the address is missing in both of those places, it will go on to check the person record in Domino Directory, and finally the LocalAdmin group. Sometimes, though, the field will stay blank anyway, officials admit in the Notes 6 Release Notes.
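The lookup order described above, as an added illustration that is not Lotus code: the certifier name is derived from a hierarchical Notes name by dropping its leaf component, and the address sources are tried in the order the article gives, with the result reporting which source supplied it or that every place was blank. The field names MailAddress and LocalAdmin come from the article; the stand-in directory structure, and the assumption that LocalAdmin holds either an address, a person name or a group name, are mine.

```python
"""Added illustration (not Lotus code) of the lookup order Notes 6 is described as
using to address a certificate renewal request to the user's certifier."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def certifier_of(user_name: str) -> str:
    """Drop the leaf component of a hierarchical Notes name to get its certifier:
    'CN=Jane Doe/OU=Sales/O=Acme' -> '/OU=Sales/O=Acme', 'Jane Doe/Sales/Acme' -> '/Sales/Acme'."""
    parts = [p for p in user_name.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"not a hierarchical name: {user_name!r}")
    return "/" + "/".join(parts[1:])


@dataclass
class Directory:
    """Constructed stand-in for the Domino Directory. MailAddress and LocalAdmin are
    the field names the article gives; how persons and groups are keyed is assumed."""
    certifiers: Dict[str, Dict[str, str]] = field(default_factory=dict)  # certifier name -> fields
    persons: Dict[str, str] = field(default_factory=dict)                # person name -> address
    groups: Dict[str, List[str]] = field(default_factory=dict)           # group name -> member addresses


def renewal_recipient(directory: Directory, user_name: str) -> Tuple[Optional[str], str]:
    """Return (address, source) in the article's order: certifier MailAddress, certifier
    LocalAdmin, person record for the LocalAdmin name, then the LocalAdmin group.
    address is None when every place is blank, the case the Release Notes admit remains."""
    cert = directory.certifiers.get(certifier_of(user_name), {})
    if cert.get("MailAddress"):
        return cert["MailAddress"], "certifier MailAddress"
    admin = cert.get("LocalAdmin", "")
    if "@" in admin:                       # LocalAdmin already holds a mail address
        return admin, "certifier LocalAdmin"
    if directory.persons.get(admin):       # LocalAdmin is a person name: use their record
        return directory.persons[admin], "person record"
    members = directory.groups.get(admin, [])
    if members:                            # LocalAdmin is a group name: first listed member
        return members[0], "LocalAdmin group"
    return None, "blank"                   # the "To" field stays empty


if __name__ == "__main__":
    sample = Directory(  # constructed data
        certifiers={"/OU=Sales/O=Acme": {"MailAddress": "", "LocalAdmin": "Sam Admin/Acme"}},
        persons={"Sam Admin/Acme": "sam.admin@acme.example"},
    )
    print(renewal_recipient(sample, "CN=Jane Doe/OU=Sales/O=Acme"))
```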
Domino administrators: Make your own CRLs
Also in the interests of better certificate handling, the Domino Release 6 Certificate Authority (CA) lets administrators create certificate revocation lists (CRLs). According to Lotus's Domino 6 Installation Guide, Domino can now be set up to publish the CRLs on a regularly scheduled basis, and to post the CRLs in the CA's certifier document in the Domino Directory. So, you can find out whether a certificate is valid before you go ahead and trust the certificate.
Domino's Internet Site docs
Domino's new Internet Site documents support CRLs, too. If SSL has been enabled on a server, the administrator must turn to Internet site documents in order to use CRLs for checking the validity of certificates.
The new Internet Site documents feature is meant to make it easier to manage and configure Internet protocols. Administrators can create a separate Internet Site document for each of six Internet protocols: HTTP, IMAP, POP3, SMTP Inbound, LDAP, and IIOP.
Internet Site documents are also required if you want to use WebDAV on a Domino Web server, or if you're using a service provider configuration on a server.
Jacqueline Emigh is a freelance journalist based in New York City. She can be reached via e-mail at JacquelineEmigh2@aol.com.