S 5.5 Lotus Notes / Domino
Description
Lotus Notes is described as Groupware platform or also as Collaboration platform. These terms describe an increasingly complex software with a focus on communication, collaboration, and information management. In this, the scope covers the level of work groups or projects up to cross-organisation dimensions.
The present module deals with the core items of the Lotus product range: the Lotus Domino server and the diverse Lotus Notes clients. The module focuses on the releases 8.0.x and 8.5.x, with many considerations also being applicable to previous releases.
Along with an appropriate protection of the infrastructure required for operating the Lotus Notes/Domino platform (premises, specific infrastructure for the servers, hardware, network components), the operating systems used below the Domino and Notes components must also be protected in accordance with IT-Grundschutz.
If further components are used for operating the Lotus Notes/Domino platform, such as DB2 databases, this must be taken into consideration when designing the information system and the corresponding IT-Grundschutz modules (in this case module S 5.7 Databases) must be applied.
Threat scenario
The following typical threats to the IT-Grundschutz of Lotus Notes/Domino are assumed:
Organisational Shortcomings
| T 2.1 | Lack of, or insufficient, rules |
| T 2.2 | Insufficient knowledge of rules and procedures |
| T 2.4 | Insufficient monitoring of security safeguards |
| T 2.7 | Unauthorised use of rights |
| T 2.19 | Inadequate key management for encryption |
| T 2.26 | Lack of, or inadequate, test and release procedures |
| T 2.28 | Violation of copyright |
| T 2.37 | Uncontrolled usage of communications lines |
| T 2.38 | Lack of, or inadequate, implementation of database security mechanisms |
| T 2.40 | Complexity of database access |
| T 2.103 | Insufficient training of employees |
| T 2.105 | Violation of statutory regulations and contractual agreements |
Human Error
| T 3.1 | Loss of data confidentiality or integrity as a result of user error |
| T 3.9 | Improper IT system administration |
| T 3.43 | Inappropriate handling of passwords |
| T 3.45 | Inadequate checking of the identity of communication partners |
| T 3.46 | Incorrect configuration of a Lotus Domino server |
| T 3.80 | Errors during synchronisation of databases |
| T 3.113 | Incorrect configuration of a Lotus Notes client or an external client with access to Lotus Domino |
Technical Failure
| T 4.22 | Software vulnerabilities or errors |
| T 4.26 | Failure of a database |
| T 4.28 | Loss of data in a database |
| T 4.30 | Loss of database integrity/consistency |
| T 4.32 | Failure to dispatch a message |
| T 4.35 | Insecure cryptographic algorithms |
| T 4.47 | Obsolescence of cryptomethods |
| T 4.52 | Loss of data when using a portable device |
Deliberate Acts
| T 5.2 | Manipulation of information or software |
| T 5.7 | Line tapping |
| T 5.8 | Manipulation of lines |
| T 5.10 | Abuse of remote maintenance ports |
| T 5.19 | Abuse of user rights |
| T 5.20 | Misuse of administrator rights |
| T 5.22 | Theft of a mobile IT system |
| T 5.27 | Repudiation of a message |
| T 5.71 | Loss of confidentiality of classified information |
| T 5.83 | Compromising cryptographic keys |
| T 5.84 | Forged certificates |
| T 5.85 | Loss of integrity of information that should be protected |
| T 5.90 | Manipulation of address books and distribution lists |
| T 5.100 | Abuse of active contents on access to Lotus Notes/Domino |
| T 5.101 | Hacking Lotus Notes/Domino |
Method recommendation
In order to secure the information system under consideration, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
In order to securely operate Lotus Notes/Domino, the modules for the IT infrastructure used must be implemented initially, including the operating systems, modules for used security components such as S 3.1 Security gateway (Firewall) and S 1.6 Protection against malware. However, module M 5.3 Groupware containing general recommendations for the general protection of Groupware systems also must be applied.
The present module does not deal with all technical options of the Lotus Notes/Domino platform in detail in order to not to go beyond the scope of IT-Grundschutz. For example, clustering on application level is not dealt with in detail which can be used as a measure for securing the availability for high and very high protection requirements regarding availability.
A series of safeguards must be implemented to successfully configure a server, starting with the design and installation and continuing through operation and disposal of the server. The steps to take to accomplish this as well as the safeguards to consider in each of the steps are listed in the following.
Planning and Design
Safeguard S 3.87 Introduction to Lotus Notes/Domino is recommended as an introduction and should be considered first. It contains an overview of the structure of a Notes system and the associated terminology.
If the decision to use a Notes system has been made, then the use of the Notes system must be planned and designed. The aspects to take into account during the planning and design phases can be found in safeguard S 2.206 Planning the use of Lotus Notes/Domino. Simultaneously, a security policy must be drawn up (see S 2.207 Security concept for Lotus Notes/Domino) implementing the already existing security policies in the context of Lotus Notes on the one hand, and defining Notes-specific amendments on the other hand.
The security components used in the IT of the organisation must be taken into consideration and incorporated into the concept. Information on the interaction of a Lotus Notes/Domino environment with existing security components can be found in safeguard S 2.492 Integration of the Lotus Notes/Domino environment into the existing security infrastructure.
Purchasing
Upon completion of the conceptional planning work and after having defined the procurement criteria for a Notes system, a suitable licence model should be selected depending on the number of selected components (see S 2.494 Selection of suitable components for the infrastructure of a Lotus Notes/Domino environment). In this, safeguard S 2.493 Licence management and licencing aspects regarding procurement for Lotus Notes/Domino provides support.
Implementation
Once the preliminary organisational and planning tasks have been completed, the Notes system can be installed. The installation can only be considered complete once the Notes systems have been transferred to a secure state (see S 4.116 Secure installation of Lotus Notes/Domino). Safeguard S 4.429 Secure configuration of Lotus Notes/Domino must be adhered to during the following configuration phase.
Operation
A Notes system is generally subject to constant change. Therefore, security-relevant configuration parameters must be adapted continuously. In addition, the security in a client-server-based system also depends on the security of all sub-systems.
General recommendations for operation (including application development and application integration with Lotus Notes/Domino) are included in S 4.128 Secure operation of the Lotus Notes/Domino environment. In order to be able to react promptly to arising problems, the safeguards S 4.132 Monitoring the Lotus Notes/Domino environment and S 4.427 Security-relevant logging and evaluating for Lotus Notes/Domino should be taken into consideration.
Disposal
If the decision to discontinue operation of a Lotus Notes/Domino environment is made, all important information must be transferred to the successor system and the remaining data must be deleted securely afterwards. However, there are also some items to take into account even when only part of a Lotus Notes/Domino environment must be disposed of and these items are illustrated in detail in safeguard S 2.495 Disposal of Lotus Notes/Domino components.
Contingency Planning
Along with the normal operation of a Lotus Notes/Domino environment, emergency operation also must be taken into consideration and the persons in charge must draw up a corresponding contingency plan (see S 6.73 Contingency planning and emergency drills for the Lotus Notes/Domino environment).
The bundle of safeguards to be used for the "Lotus Notes/Domino" module is presented in the following:
Planning and design
| S 2.206 | (A) | Planning the use of Lotus Notes/Domino |
| S 2.207 | (A) | Security concept for Lotus Notes/Domino |
| S 2.492 | (B) | Integration of the Lotus Notes/Domino environment into the existing security infrastructure |
| S 3.87 | (W) | Introduction in Lotus Notes/Domino |
Purchasing
| S 2.493 | (W) | Licence management and licencing aspects regarding procurement for Lotus Notes/Domino |
| S 2.494 | (B) | Selection of suitable components for the infrastructure of a Lotus Notes/Domino environment |
Implementation
| S 3.88 | (B) | Training courses for Lotus Notes/Domino for specific target groups |
| S 4.116 | (A) | Secure installation of Lotus Notes/Domino |
| S 4.429 | (A) | Secure configuration of Lotus Notes/Domino |
Operation
| S 4.128 | (A) | Secure operation of the Lotus Notes/Domino environment |
| S 4.132 | (C) | Monitoring the Lotus Notes/Domino environment |
| S 4.426 | (C) | Archiving for the Lotus Notes/Domino environment |
| S 4.427 | (C) | Security-relevant logging and evaluating for Lotus Notes/Domino |
| S 4.428 | (C) | Audit of the Lotus Notes/Domino environment |
Disposal
| S 2.495 | (C) | Disposal of Lotus Notes/Domino components |
Contingency Planning
| S 6.73 | (B) | Contingency planning and emergency drills for the Lotus Notes/Domino environment |