Blog

Our News/Articles/Opinions/Technotes from the world of HCL Digital Solutions

Domino Public key checking – Do it.

Posted on | by Cormac McCarthy

HCL are really on top of their game on security and so is Domino. You may have recently seen a blog I did for HCL on HCL Domino v12: The 4 New Security Features You’ve Been Waiting for

However it is really important not to assume that your environment is completely secure. This blog today is more back to the fundamentals of Domino security and one setting in particular.

I complete health checks and security audits of environments all the time. On most environments where Domino People have not been before there is one setting that is consistently overlooked. It’s on the Security Tab of your Server document. “Compare public keys“. It’s usually left blank.

Don’t do this.

One of things that makes Domino great is that Certificates are baked into everything. You can’t get away from them. But that doesn’t mean you can leave everything at default and it will be perfectly secure.

If you don’t have public key checking turned on it means anyone on your LAN could spoof your org cert, and register ANY user or server on your domain and get access to your server over port 1352. That would be bad. If you do turn it on, it means the public key of the ID (either server or user) connecting to the Domino server is compared against the key in the Domino directory. Simple and effective security.

What I’d usually advise if it isn’t turned on is to change the setting “Log public key mismatches” initially to “Log key mistmatches for Notes users and Domino servers listed in trusted directories only”

Like any setting on the Security tab of the Server document you’re going to want to reboot the Domino server for the setting to take effect. Then monitor the security events view of your log.nsf for alerts for key mismatches. Many of these will innocent. For example a user using the wrong version of an ID. But it’s important you know about these and resolve. If anything is logged as “informational” it means it’ll be ok once you’ve enforced public key checking.

When you’re happy you’ve resolved any of these then change the “Compare public keys” setting to “Enforce key checking for Notes users and Domino servers listed in trusted directories only”

Again reboot Domino. You’ve just tightened the security on your server drastically. If you don’t have it turned on, please do it now.

Cormac McCarthyDomino People Ltd

This image has an empty alt attribute; its file name is image.png

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>