Comments on Lotus Evangelist: Breaking into Domino? Have ideas?
Blog author: Keith Brooks (http://www.blogger.com/profile/11107190540208956954)
Feed updated: 2024-02-28T10:15:50.335+02:00
8 comments, newest first

2011-03-26T18:18:22.561+02:00
Bernd Webster (http://www.lntoolbox.com)

Send the user a button which he should click on to open a website. Add code to the button which will change his mailfile ACL (if he has Manager access) and then open the website.

This works if there is no ECL in place ;-).

2011-03-23T18:32:29.016+02:00
Hynek Kobelka

Template databases (*.ntf) are also a risk. Too often you find them with a default ACL set to "Designer". And actually, if you allow your users to be "Manager" on any server database, then they can turn it into a template and name it any way they like, even "StdR85Mail". And when the Designer task runs at night this could cause some trouble ...

2011-03-23T09:57:37.753+02:00
Michael (http://www.mickstokes.com)

Version identification is one I look at. With that you can then identify possible issues to work around / exploit.

So basic things like telnet to port 25, 80 etc. Hide the typical responses (i.e. ESMTP Service (Lotus Domino Release 8.5.2FP1)).

2011-03-23T04:57:07.344+02:00
Richard Schwartz (http://www.poweroftheschwartz.com)

Insider threat: sniffing basic authentication and session authentication passwords on internet ports that don't force SSL connections.

2011-03-22T23:55:47.647+02:00
Alex

A couple of obvious things.
1)
 a) Make sure user IDs expire within a reasonable period of time (2 years for full-time employees).
 b) Always create a contractor OU and make their IDs expire on a 90-day (or less) cycle.

2) Enable user tracking, and look at it occasionally. Make note of the users who never log in or who haven't logged in for a long time. Check with HR/the user's manager and delete those inactive accounts. (Bonus: you can see which users need training and have avoided using the system.)

3) Use the Domino security policy to ensure password uniqueness.

4) Use the database catalogue and look at which databases have -Default- as Manager.

2011-03-22T22:53:36.003+02:00
Keith Brooks (https://www.blogger.com/profile/11107190540208956954)

@tlbriley I do that too all the time, don't always get far, but at least I secured another environment that wasn't, so some admin didn't get yelled at.

@d2k Yep, the basics are important. I had a great email from someone that had good input too.

See, social media works.

2011-03-22T21:22:56.243+02:00
Timothy Briley (https://www.blogger.com/profile/18288401161165456683)

You wouldn't believe how many Domino sites I've gained access to the NAB by appending "names.nsf" to the URL, then, when challenged, entering a username of "admin" and a password of "password".

Since I'm not "known", I always pass the info on to a prominent member of our circle so that he can inform the offending site administrator that the site has "issues".

2011-03-22T20:35:46.100+02:00
Dennis van Remortel (https://www.blogger.com/profile/00888179981045514438)

Pff, the obvious ones. Make sure names.nsf and catalog.nsf aren't open, enforce ACLs on all ports.
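The checks the commenters describe, pulled together into one script: Michael's banner-based version identification on ports 25 and 80, Timothy's and Dennis's test for names.nsf and catalog.nsf being reachable without authentication, and Alex's and Hynek's review of -Default- ACL entries on databases and templates. This is an added example written for this page, not code from the blog or any commenter. It uses only the Python standard library; the banner strings, HTTP statuses and ACL lists at the bottom are constructed samples, the example.test host names are placeholders, and the ACL check goes slightly beyond the comments by also flagging the Anonymous entry.

```python
"""Offline checks for the Domino exposures discussed in the comment thread.

Added example for this page, not code from the blog or its commenters.
Sample banners and ACLs below are constructed; hosts are placeholders.
"""
import http.client
import re
import socket
from typing import List, Optional, Tuple

# Release string Domino puts in its SMTP banner ("Lotus Domino Release 8.5.2FP1")
# and in the older-style HTTP Server header ("Lotus-Domino/Release-6.5.4").
# Servers that hide the version still say "Lotus-Domino", so the group is optional.
DOMINO_RE = re.compile(r"Lotus[ -]Domino(?:[/ ]Release[- ]?(\d[\w.]*))?", re.IGNORECASE)

# Domino ACL access levels, lowest to highest.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]


def fingerprint_domino(banner: str) -> Tuple[bool, Optional[str]]:
    """Return (is_domino, release). release is None when the banner names
    Domino but does not disclose the version, which is the hardened state."""
    m = DOMINO_RE.search(banner)
    if not m:
        return False, None
    return True, m.group(1)


def classify_nsf_probe(path: str, status: int) -> str:
    """Interpret the HTTP status of an unauthenticated GET for /names.nsf etc."""
    if status == 200:
        return f"{path}: OPEN - anonymous can read the database"
    if status == 401:
        return f"{path}: challenged - verify no default or weak credentials are accepted"
    if status in (301, 302, 303, 307, 308):
        return f"{path}: redirected - inspect the target (often an SSL or login redirect)"
    if status in (403, 404):
        return f"{path}: not exposed anonymously"
    return f"{path}: unexpected status {status}"


def acl_findings(db_name: str, acl: List[Tuple[str, str]]) -> List[str]:
    """Flag -Default- or Anonymous entries at Designer or above.
    acl is a list of (entry name, access level) pairs, e.g. from a catalog export."""
    findings = []
    threshold = ACL_LEVELS.index("Designer")
    for entry, level in acl:
        if level not in ACL_LEVELS:
            raise ValueError(f"unknown ACL level {level!r} on {db_name}")
        if entry.lower() not in ("-default-", "anonymous"):
            continue
        if ACL_LEVELS.index(level) >= threshold:
            kind = "template" if db_name.lower().endswith(".ntf") else "database"
            findings.append(f"{db_name}: {entry} has {level} on a {kind}")
    return findings


# Live probes: need network access and authorization; not used by the samples below.
def grab_smtp_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Read the SMTP greeting, which is what 'telnet host 25' shows."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512).decode("ascii", "replace").strip()


def probe_nsf(host: str, path: str, port: int = 80, timeout: float = 5.0) -> Tuple[int, str]:
    """Unauthenticated GET of a database path; returns (status, Server header)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", path)
    resp = conn.getresponse()
    server = resp.getheader("Server", "")
    conn.close()
    return resp.status, server


if __name__ == "__main__":
    # Constructed samples standing in for live responses.
    for banner in [
        "220 mail.example.test ESMTP Service (Lotus Domino Release 8.5.2FP1) ready",
        "Server: Lotus-Domino/Release-6.5.4",
        "Server: Lotus-Domino",
        "220 mail.example.test ESMTP ready",
    ]:
        print(fingerprint_domino(banner), "<-", banner)
    for path, status in [("/names.nsf", 200), ("/catalog.nsf", 401), ("/log.nsf", 404)]:
        print(classify_nsf_probe(path, status))
    for name, acl in [
        ("StdR85Mail.ntf", [("-Default-", "Designer"), ("LocalDomainAdmins", "Manager")]),
        ("sales.nsf", [("-Default-", "Manager")]),
        ("hr.nsf", [("-Default-", "No Access"), ("Anonymous", "Reader")]),
    ]:
        print(acl_findings(name, acl) or f"{name}: ok")
```

Running the file as-is exercises only the constructed samples. Point grab_smtp_banner and probe_nsf at a server you are authorized to test to feed real banners and statuses into the same classifiers; a banner that yields (True, None) means the version has been hidden as Michael suggests.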