Response to L0pht's security concerns
Lotus is aware that L0pht has issued a valuable alert about a Domino security administration issue involving the domcfg.nsf database. As reported, this isn't a problem with Domino as much as a problem with Domino configurations on individual sites. We at Lotus are committed to making it easy for users to secure their servers, and our documentation encourages users and administrators to implement the precautions necessary for keeping their servers secure.
The simple step that all administrators should take to avoid this particular issue is to change the default ACL of the domcfg.nsf database.
- From the Notes server administrator client, select the domcfg.nsf database.
- From the File menu, choose Database, then Access Control.
- Check both the "-Default-" and "Anonymous" database ACL entries.
- Change both entries to "No Access" or "Reader", as appropriate.
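The steps above are performed in the Notes client, one database at a time. As an added example (this is not Lotus code and not part of the original response), the Python below performs the same check over an ACL listing so that an administrator can spot a domcfg.nsf whose "-Default-" or "Anonymous" entry is above Reader before touching the client. The tab-separated listing format and the sample entries are constructed for this example; the ordering of Notes access levels and the rule that anonymous users fall back to "-Default-" when no "Anonymous" entry exists are standard Domino behaviour.

```python
# Added audit example, not Lotus code: flag public ACL entries on domcfg.nsf
# that grant more than Reader access.  The listing format is an assumption made
# for this example; a production check would read the ACL through the Notes API.
from dataclasses import dataclass

# Notes database access levels, weakest first, so they can be compared by rank.
ACCESS_LEVELS = ["No Access", "Depositor", "Reader", "Author",
                 "Editor", "Designer", "Manager"]
LEVEL_RANK = {name: rank for rank, name in enumerate(ACCESS_LEVELS)}

# Constructed sample listing: one "database<TAB>entry<TAB>level" line per entry.
# The first database shows the exposure the advisory describes: -Default- is
# Designer and there is no Anonymous entry at all.
SAMPLE_ACL_DUMP = """\
domcfg.nsf\t-Default-\tDesigner
domcfg.nsf\tLocalDomainServers\tManager
names.nsf\t-Default-\tNo Access
names.nsf\tAnonymous\tNo Access
webconf.nsf\t-Default-\tReader
"""


@dataclass
class Finding:
    database: str
    entry: str
    level: str
    reason: str


def parse_acl_dump(text):
    """Return {database: {entry: level}} from the tab-separated listing."""
    acl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        db, entry, level = (field.strip() for field in line.split("\t"))
        if level not in LEVEL_RANK:
            raise ValueError(f"unknown access level {level!r} for {entry} in {db}")
        acl.setdefault(db, {})[entry] = level
    return acl


def audit_public_entries(acl, database="domcfg.nsf", max_level="Reader"):
    """Flag -Default- and Anonymous entries on `database` that exceed `max_level`.

    Domino applies the -Default- level to anonymous users when the ACL has no
    explicit Anonymous entry, so a missing Anonymous entry is evaluated against
    -Default- rather than treated as safe.
    """
    findings = []
    entries = acl.get(database)
    if entries is None:
        return findings  # database not in the listing; nothing to judge
    for name in ("-Default-", "Anonymous"):
        level = entries.get(name)
        reason = "explicit entry"
        if level is None and name == "Anonymous":
            level = entries.get("-Default-")
            reason = "no Anonymous entry; anonymous users inherit -Default-"
        if level is None:
            continue
        if LEVEL_RANK[level] > LEVEL_RANK[max_level]:
            findings.append(Finding(database, name, level, reason))
    return findings


def is_compliant(acl, database="domcfg.nsf"):
    """True when neither public entry on `database` exceeds Reader."""
    return not audit_public_entries(acl, database)


if __name__ == "__main__":
    parsed = parse_acl_dump(SAMPLE_ACL_DUMP)
    for f in audit_public_entries(parsed):
        print(f"{f.database}: {f.entry} is {f.level} ({f.reason}); "
              f"set it to Reader or No Access")
```

Run against the constructed listing, the audit reports two findings for domcfg.nsf: the explicit "-Default-" entry at Designer, and the missing "Anonymous" entry, which inherits that Designer access. The other two databases produce no findings because Reader is the maximum the advisory allows and "No Access" is below it.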
We appreciate L0pht's concern and attention to this matter, as well as their help in alerting our user community to the important security checks they should make. To address these issues, we are evaluating changes in default security settings and in administration features to make it easier for administrators to handle this problem.
As L0pht points out, even sites that have done an otherwise thorough job of setting ACLs sometimes overlook this critical database. Domino 4.6A and 4.61 already address this by setting the default access for a newly-created domcfg.nsf to Reader, not Designer. The next feature release of Domino will take further steps to address site-wide ACL management.
For more information, head to the Lotus Internet Security Zone.