Lotus Cranks Up Notes & Domino Security


Beyond new features for general usability and administration, Lotus
Notes/Domino 6 adds lots of functionality specifically geared to security.
Key improvements include a new User Security dialog box, smartcard support,
and, for administrators, the ability to establish antispam filters and
certificate revocation lists (CRLs).


Shutting out some spam

“The new spam filters (in Notes) look at the DNS address of the sender.
Administrators can also quarantine senders, and have (Notes) e-mail
notifications to senders,” said Tim Kounadis, senior market manager for IBM
Lotus Software at IBM.


For previous releases of Notes/Domino, spam protection was only available
through third-party products such as Eagle Technology’s SpamEraser.


“You can still use SpamEraser with R6, though, and you’ll get even more
anti-spam capabilities,” Kounadis acknowledged. SpamEraser for Notes 6, for
example, lets individual end users as well as administrators manage spam.
You can also keep a log of all blocked e-mail messages.


In contrast, the new spam filters in R6 can be used only by administrators,
and only on an organization-wide basis.


SpamEraser for Notes 6 also contains new content filtering functionality.
If content falls outside of established company policies, the administrator
can reject the spam, not deliver it, stop it, or route the unwanted
messages to the SpamEraser database.


A single box for user security

Notes 6, however, does contain many new features that give end users more
control over individual security. According to Kounadis, the new User
Security dialog box in the Notes 6 client combines the most important
individual security settings in a single, easier-to-use interface.


If the administrator agrees, users can employ the new dialog box to
synchronize Notes and Domino Web/Internet passwords.


Lotus also attempts to make it easier for you to change passwords. Notes
can now be set up to judge new passwords on the basis of length or quality.
If you find it hard to invent a password that meets the requirements, Notes
can automatically generate a password for you.


Also from the dialog box, you can access new certificate management tools;
set up Notes for logging in via smartcard; and view expired keys that might
be helpful in decrypting old mail messages, for instance.


Two-factor authentication

“Smartcards give you two-factor authentication,” points out Craig Roth,
vice president of Web and collaborative strategies at the Meta Group.


If you use the new smartcard option, you won’t be able to access Notes
without “something you have” – the smartcard – as well as “something you
know.” When you remove the card from the reader, you’ll be automatically
logged out of Notes.


It’s possible, too, to lock an ID file so that a special smartcard PIN is
required, instead of the customary Notes password.


So far, though, Lotus has only tested the smartcard feature with Win32
clients, according to the Notes R6 Release Notes.


How to lock your ID file

To lock your ID file, open up the User Security panel and go to the Your
Identity // Your Security pane. Then, either browse to the location of the
PKCS #11 library — installed during smartcard installation — or enter the
path name. (For a GemSafe 3.1 smartcard, for example, you might enter
c:\WINNT\system32\gclib.dll.) Click on the Enable Smartcard Login button
to lock the ID file.


Before locking the ID file, though, you should check with the administrator
to make sure that your ID file is recoverable through ID File Recovery —
and that your ID file isn’t configured for password expiration in either
your person document or the server’s public directory.


RSA & SSL for smartcards

The new option also supports the use of smartcards for RSA mail encryption
and for SSL client authentication to Internet servers.


You can use RSA private keys to sign and decrypt S/MIME mail. To place the
RSA key on the smartcard, open up the Identity // Your Certificates pane in
the User Security panel. Select the Internet Certificate associated with the
private key, and then click on Select Other Actions // Store Private Key.


Many smartcards, though, only support 1024-bit encryption keys. You can
also use the User Security panel to determine the strength of a key. Select
an Internet Certificate, and press the Advanced Details button from the
Your Identity // Your Certificates pane.


Answering those pesky “certificate renewal requests”

In earlier versions of Notes, end users often ran into trouble answering
requests for certificate renewal. When a user's Notes certificate was about
to expire, the user was prompted to ask for a new certificate. Many users,
though, didn't know whom to ask or where to send the request.


The gist of the problem was this. Upon being prompted, the user received a
Mail Certificate Request in which the subject field was filled in, but the
“To” field was left blank.


Lotus tries to fix this in R6 by automatically finding the e-mail address
for the user's certifier. First, Notes extracts the certifier's name from
the user name. Notes then performs a name look-up for that certifier. If it
finds an entry, it checks the certifier's MailAddress field, and then the
LocalAdmin field, to find the address. If the address is missing in both of
those places, it goes on to check the person record in the Domino
Directory, and finally the LocalAdmin group. Sometimes, though, the
field will stay blank anyway, officials admit in the Notes 6 Release
Notes.
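The fallback chain described above, modelled as an added example that is not Lotus code and does not use the Notes API. The in-memory directory, the rule that the certifier name is the user's hierarchical name minus its CN component, and the treatment of a LocalAdmin value as either an address, a person name or a group name are all assumptions made for illustration.

```python
from typing import Optional

# Constructed sample directory (not a real Domino Directory dump). Field names
# MailAddress and LocalAdmin are the ones named in the release notes; the rest
# of the schema here is invented for the illustration.
CERTIFIERS = {
    "OU=Sales/O=Acme": {"MailAddress": "", "LocalAdmin": "CN=Pat Admin/O=Acme"},
    "OU=Eng/O=Acme":   {"MailAddress": "eng-ca@acme.example", "LocalAdmin": ""},
    "OU=Ops/O=Acme":   {"MailAddress": "", "LocalAdmin": "Ops Admins"},
    "OU=Lab/O=Acme":   {"MailAddress": "", "LocalAdmin": ""},
}
PERSONS = {"CN=Pat Admin/O=Acme": {"InternetAddress": "pat@acme.example"}}
GROUPS = {"Ops Admins": {"Members": ["CN=Pat Admin/O=Acme"]}}


def certifier_of(user_name: str) -> str:
    """Assumed rule: the certifier name is the hierarchical user name with
    its leading CN component removed, e.g. CN=Jane/OU=Sales/O=Acme ->
    OU=Sales/O=Acme."""
    parts = [p for p in user_name.split("/") if p]
    if not parts or not parts[0].startswith("CN="):
        raise ValueError(f"not a hierarchical Notes name: {user_name!r}")
    return "/".join(parts[1:])


def certifier_address(user_name: str) -> Optional[str]:
    """Walk the four lookup steps from the release notes and return the first
    address found, or None when every step comes up empty (the blank 'To'
    field the article describes)."""
    cert = CERTIFIERS.get(certifier_of(user_name))
    if cert is None:
        return None                          # no certifier document at all
    if cert["MailAddress"]:
        return cert["MailAddress"]          # 1. certifier's MailAddress field
    admin = cert["LocalAdmin"]
    if "@" in admin:
        return admin                         # 2. LocalAdmin already holds an address
    person = PERSONS.get(admin)
    if person and person.get("InternetAddress"):
        return person["InternetAddress"]     # 3. person record named by LocalAdmin
    if admin in GROUPS:
        return admin                         # 4. LocalAdmin names a group; mail to it
    return None                              # every step empty: field stays blank
```

The last case is the one worth watching for operationally: a certifier document with neither field populated leaves the renewal request unaddressed, so populating MailAddress on each certifier document is the simplest fix on the administrator's side.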


Domino administrators: Make your own CRLs

Also in the interests of better certificate handling, the Domino Release 6
Certificate Authority (CA) lets administrators create certificate
revocation lists (CRLs). According to Lotus’s Domino 6 Installation Guide,
Domino can now be set up to publish the CRLs on a regularly scheduled
basis, and to post the CRLs in the CA’s certifier document in the Domino
Directory. So, you can find out whether a certificate is valid before you
go ahead and trust the certificate.

Domino’s Internet Site docs

Domino’s new Internet Site documents support CRLs, too. If SSL has been
enabled on a server, the administrator must turn to Internet site documents
in order to use CRLs for checking the validity of certificates.


The new Internet Site documents feature is meant to make it easier to
manage and configure Internet protocols. Administrators can create a
separate Internet Site document for each of six Internet protocols: HTTP;
IMAP; POP3; SMTP Inbound; LDAP; and IIOP.


Internet Site documents are also required if you want to use WebDAV on a
Domino Web server, or if you’re using a service provider configuration on a
server.



Jacqueline Emigh is a freelance journalist based in New York City. She can
be reached via e-mail at [email protected].
