S 4.116 Secure installation of Lotus Notes/Domino
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
The prerequisite for the secure installation of Lotus Notes/Domino is the planning of the general conditions for its use, described in S 2.206 Planning the use of Lotus Notes/Domino. After that, the Lotus Notes/Domino components are installed on the relevant servers and clients. For this purpose, secure installation procedures as well as the protection of the installation environment and the installation media taking the respective protection requirements into account must be specified and complied with.
It is useful to distinguish between installation procedures for the new installation of the entire Lotus Notes/Domino platform and installation procedures for adaptations (software upgrades, patches) and migrations.
New installation
For a new installation of Lotus Notes/Domino, the following aspects must be taken into account from a security perspective:
- The installation procedures to be complied with for a new installation must be specified and documented. Here, general regulations regarding the procedures as well as specific regulations regarding the installation of servers, server services and clients must be specified. The general regulations include, for example, defining the responsibilities for initiating and performing new installations, release and control procedures for the installation procedure itself and the required configurations (e.g. two-person rule) as well as regulations on the release for production.
- If general regulations regarding the installation procedures are already available, they can be referred to. In this case, however, the particular features of the Lotus Notes/Domino platform must be supplemented.
- The installation procedure for a new installation must ensure that there is adequate documentation of the installation process and sufficiently fine-grained logging of the critical substeps. This documentation is required not only to detect manipulation of the installed components, but also for troubleshooting purposes.
- If automated installation procedures are used, detailed documentation of the parameters, scripts etc. used must be prepared. Suitable testing and release both of the installation packages and of the installed components must be established.
- The installation procedure must ensure that only authorised administrators can access the installed directory and file structures via the operating system or administrative tools after the installation has been completed. For this purpose, the rights structures (file system permissions) must be adapted accordingly.
- It must be ensured that only authorised administrators and maintenance technicians have physical access to the Domino servers, including during the installation.
- Selection of the appropriate basic installation: Since a Domino server can be used in various ways, the basic installation most suitable for the intended application scenario must be selected during the installation. For instance, it is possible to choose from the predefined installations Domino Utility Server (without messaging services, intended as a pure application server), Domino Messaging Server (without application services, intended as a pure messaging server) and Domino Enterprise Server (all services). Via the Customize Domino Server installation option, the basic installation can be fine-tuned. The selection of the appropriate basic installation and in particular its fine-tuning to the intended application scenario is the prerequisite for a secure configuration and hardening.
Upgrades and migrations
Upgrade refers to a mere software adaptation, i.e. a change of the releases of the Lotus Notes/Domino software or individual components of the software in use including the components which were bought in addition or developed individually for the Lotus Notes/Domino platform.
Migration is considered to be both a software adaptation with changes of the user data inventories (for example for format changes of the databases, changes to the databases used, data cleansing and consolidations) and changing from another platform for email and collaboration to the Lotus Notes/Domino platform.
For upgrades and migrations of Lotus Notes/Domino, the following aspects must be taken into account from a security perspective:
- The installation procedures to be complied with for upgrades and migrations must be specified and documented.
- For upgrades, procedures representing changed (simplified) versions of the procedure applicable to the new installation can be used.
- For migrations, additional focus must be on ensuring the defined availability, confidentiality and integrity of the user data.
- Major upgrades and migrations of the Lotus Notes/Domino platform can be carried out in several stages. Thus, both a partial update of closed domains (e.g. for groups or organisations with several different locations) and a layer-oriented procedure are possible, in which, for example, the clients are updated first and the server components subsequently. All staged procedures involve the risk of incompatibilities between components of the old and new release inventories and must therefore be planned very carefully, taking the corresponding recommendations of the manufacturer into account. Fallback strategies must be provided in each case.
- It must be taken into consideration that the rights of the installed directory and file structures must be adapted following upgrades and migrations to ensure that only the authorised administrators have access to the Lotus Notes/Domino elements installed on the operating system.
- An evaluation of the changed properties of the new releases, especially of the replication mechanisms and the push mechanisms for policies to the clients, is required to avoid undesired side effects following a migration that would otherwise only be noticed by the users.
Protection of the installation environment and installation media
In general, the installation environments and installation media must be protected against manipulation prior to or during the installation process (see S 4.177 Assuring the integrity and authenticity of software packages). This also applies in particular to the installation of Lotus Notes/Domino components.
Commonly used procedures are, for example, separating the servers on which the installations are performed from the network and using exclusively the manufacturer's original media, secured accordingly, for the installation. Since this, however, involves increased administrative effort and is often not the established practice in large organisations and with providers in particular, alternative security safeguards can be used. For software which is not obtained on original media, but via electronic channels from the manufacturer (e.g. download, automatic software update by the manufacturer, email etc.), an installation procedure containing an adequate integrity check of the software must be established in each case. The quality of the mechanisms used, for example the hashes used for the protection of integrity, must take the protection requirements of the component to be installed into account.
For Lotus Notes/Domino, the manufacturer offers the possibility of obtaining the software electronically via HTTP download or by using a special download applet (Download Director). The latter option offers a higher level of security and, according to the manufacturer's specifications, meets the requirements of the common criteria for software downloads. Since the manufacturer offers no transparent mechanism for the integrity check of individual components, safeguards ensuring that the download cannot be compromised should be taken if Lotus Notes/Domino has high or very high protection requirements. It must be ensured that there is no other access (no administrative access either) to the target directory/target drive during the download and that the integrity is protected using corresponding hashes after the download has completed successfully.
If central storage locations for installation media are used within the organisation (installation drives, installation servers), adequate protection corresponding to the protection requirements of the media must be provided for them. Among other things, this includes corresponding safeguards for access protection, protection of integrity and ensuring availability. If technically feasible and possible from an administration point of view, the installation drives and installation servers must only be released for a limited period of time for installation processes.
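The requirements above for the download target directory and the post-download hashes, as an added example that is not part of the catalogue; it assumes GNU coreutils on the installation host, that the manifest is written outside the download directory and that absolute paths are passed.

```shell
#!/bin/sh
# Added example (not from the catalogue): close the download target
# directory to everyone but the installing account, then pin every
# downloaded file to a SHA-256 hash that is re-checked before installation.
# Assumes GNU coreutils (stat -c, sha256sum, sort -z, xargs -r).
set -eu

# The target directory must belong to the installing account and carry
# mode 700, so nobody else (administrators included) can touch it.
check_private_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    mode=$(stat -c '%a' "$dir")
    owner=$(stat -c '%u' "$dir")
    me=$(id -u)
    [ "$owner" = "$me" ] || { echo "owner uid $owner is not $me"; return 1; }
    [ "$mode" = "700" ] || { echo "mode $mode is not 700"; return 1; }
}

# Record a hash for every file immediately after the download completes.
# The manifest lives outside the directory and is made read-only.
make_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum ) > "$manifest"
    chmod 400 "$manifest"
}

# Before installing, fail on any altered, missing or newly added file.
verify_manifest() {
    dir=$1; manifest=$2
    ( cd "$dir" && sha256sum --quiet -c "$manifest" ) || return 1
    expected=$(grep -c . "$manifest")
    actual=$(cd "$dir" && find . -type f | wc -l | tr -d ' ')
    [ "$expected" -eq "$actual" ] || { echo "file count changed"; return 1; }
}
```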
Critical processes during installation, upgrades and migrations
For the installation of the Lotus Domino server, the processes for the generation of essential technical elements of the domain and certificate hierarchy are critical, since the compromising of these elements might result in the compromising of all Domino/Notes security mechanisms. The following aspects must be taken into account from a security perspective:
- The Notes IDs generated in this context (certifier ID, server IDs, administrator IDs) must be assigned complex access passwords.
- These Notes IDs should not be stored in the name and address book, but in files protected by operating system security mechanisms (e.g. operating system access restrictions) and additional security components (e.g. host-based IDS).
- If an automatic start of the Domino server is intended, the server ID must not have password protection and must therefore be protected against unauthorised access using operating system access protection mechanisms and corresponding monitoring.
- The procedure to be complied with for the installation of the certificate hierarchy elements must be carried out according to the concept regarding the Lotus Notes/Domino domain and certificate hierarchy (see S 2.207 Security concept for Lotus Notes/Domino). For example, if Lotus Notes/Domino has corresponding protection requirements, this may also require a two-person rule for using the certifier ID; in this case the certifier ID must be protected using an appropriate multiple password.
- It must be taken into consideration that the technical elements of the certificate hierarchy do not only have a direct impact on the corresponding protection objectives of Lotus Notes/Domino with regard to integrity and confidentiality, but also with respect to availability. For all important IDs (certifier ID, server ID, administrator ID), backup copies to be stored separately from the system and protected against access must be provided.
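An added example (not from the catalogue) of auditing and tightening the file rights on a Domino data directory as required above, with the Notes ID files held to the stricter rule of the password-less server ID; it assumes GNU find and that the service account is passed as a user name or numeric uid.

```shell
#!/bin/sh
# Added example (not from the catalogue): check that the installed Domino
# file structures are closed to anyone but the service account, and that
# the Notes ID files (certifier, server, administrator IDs) are readable by
# that account alone. Assumes GNU findutils (-perm /mode, -printf).
set -eu

# Every *.id file that is group- or world-accessible, or not owned by the
# service account, is listed; returns 1 if anything was found.
audit_id_files() {
    dir=$1; owner=$2
    bad=$(find "$dir" -type f -name '*.id' \
            \( -perm /077 -o ! -user "$owner" \) -printf '%m %u %p\n')
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Everything else under the data directory: no world access bits at all.
audit_world_access() {
    dir=$1
    bad=$(find "$dir" \( -type f -o -type d \) -perm /007 -printf '%m %p\n')
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Tighten the modes so both audits pass; ownership is corrected separately
# with chown by root, which this example does not attempt.
harden_data_dir() {
    dir=$1
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f ! -name '*.id' -exec chmod 640 {} +
    find "$dir" -type f -name '*.id' -exec chmod 600 {} +
}
```

Pair the audit with file integrity monitoring on the ID files, since a correct mode at installation time says nothing about later changes.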
Use of the extended access control (xACL)
In version 6 and higher, Lotus Notes/Domino offers the possibility to set up extended ACLs (xACLs) for a Domino Directory or an Extended Directory Catalogue. The additional access protection options implemented using the xACLs allow, for example, the delegation of administrative tasks restricted to organisational units, and further protection at the field level for NRPC, HTTP, LDAP, POP3 and IMAP accesses. Thus, for instance, the reading of password hashes via HTTP access to person documents in names.nsf can be prevented. The manufacturer's Technote 1244808 describes the required steps.
For all Lotus Notes/Domino systems with high or very high protection requirements regarding confidentiality or integrity, the use of the xACLs must be planned and implemented. When the xACLs are activated, the entry for the ANONYMOUS group in the ACLs is automatically set to NO ACCESS.
If no xACLs are used, the ANONYMOUS group must be set to NO ACCESS by default for the Domino installation. If anonymous access is permitted for individual databases, this must be released explicitly on the database level.
Review questions:
- Are defined and documented installation procedures for new installations, upgrades and migrations of client- and server-side components (Lotus Notes and Lotus Domino) available?
- Is the installation process (also upgrades and migrations) logged and documented according to the defined procedures and are the installation documentation and installation logs backed up or archived?
- Are detailed specifications available for all mentioned critical processes during installation, upgrade and migration?
- Is it ensured that only the administrators involved have access to the corresponding directories and resources during installation, upgrade or migration?
- Are the installation environments and installation media protected against manipulation prior to or during the installation process?
- Was it evaluated whether the use of the extended access control (xACL) is justified and is it used when there are corresponding protection requirements?
- If no extended access control is used, was the ANONYMOUS group set to NO ACCESS during the Domino installation?