Protecting Directories on a Web Server

The Domino web server is still powerful (never mind the current POODLE and SHA-2 talks and fixes) and offers an easy way to control access via File Protection documents. Groups and users can be listed to allow or block access to files and directories served by the Domino web server.
Web Site File Protection

Since .nsf files already have their own access controls, File Protection documents extend enforcement to the files that browser users can fetch directly, such as HTML, JPEG, and GIF. As an additional bonus, you can also set restrictions on entire web asset directories.

You can read my entire article on protecting directories on a web server over at SocialBizUg, as part of my monthly Sys Admin Tips newsletter, which you should subscribe to.
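As an added illustration (not code from this post or from IBM), the following simplified model of File Protection documents audits which web paths remain readable by Anonymous. The access levels, the most-specific-path-wins matching and the "no document means unrestricted" default are assumptions about Domino's behaviour; the policy and request paths are constructed.

```python
# Added example, not from the original post or IBM: a simplified model of Domino
# File Protection documents used to audit anonymous access. Access level names,
# most-specific-path matching and the "no document = open" default are assumptions.
from dataclasses import dataclass

READ, WRITE, NO_ACCESS = "Read/Execute", "Write/Read/Execute", "No Access"
ANONYMOUS = "Anonymous"            # Domino's name for an unauthenticated browser user

@dataclass
class FileProtection:
    path: str                      # directory or file, relative to the HTML root
    entries: dict                  # user or group name -> access level

def matching_document(docs, request_path):
    """Return the most specific (longest path) document covering request_path."""
    best = None
    for doc in docs:
        prefix = doc.path.rstrip("/") + "/"
        if request_path == doc.path or request_path.startswith(prefix):
            if best is None or len(doc.path) > len(best.path):
                best = doc
    return best

def access_level(docs, request_path, principal, groups=()):
    """Access the principal gets to request_path; .nsf content uses the database ACL."""
    lowered = request_path.lower()
    if lowered.endswith(".nsf") or ".nsf/" in lowered:
        return "database ACL"      # File Protection does not apply inside databases
    doc = matching_document(docs, request_path)
    if doc is None:
        return READ                # assumption: no document means unrestricted
    levels = [doc.entries[p] for p in (principal, *groups) if p in doc.entries]
    if NO_ACCESS in levels:
        return NO_ACCESS           # an explicit deny wins over any grant
    if WRITE in levels:
        return WRITE
    if READ in levels:
        return READ
    return NO_ACCESS               # document exists but principal is not listed

def anonymous_readable(docs, request_paths):
    """Audit helper: paths an unauthenticated browser can still fetch."""
    return [p for p in request_paths
            if access_level(docs, p, ANONYMOUS) in (READ, WRITE)]

# Constructed sample policy and requests (not from a real server)
DOCS = [
    FileProtection("/html", {ANONYMOUS: READ, "WebAdmins": WRITE}),
    FileProtection("/html/reports", {"Finance": READ, ANONYMOUS: NO_ACCESS}),
    FileProtection("/html/reports/public", {ANONYMOUS: READ}),
]
PATHS = ["/html/logo.gif", "/html/reports/q3.html",
         "/html/reports/public/index.html", "/html/secret.nsf/view"]
```

Running `anonymous_readable(DOCS, PATHS)` lists the logo and the public report directory only; the protected reports directory and the .nsf path are excluded.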

On Tuesday, October 28th, 2014 by Chris Miller

Domino Migration Utility - where did you go?

IBM announced and demonstrated the Domino Migration Utility back at IBM Connect 2013. This tool was designed to move Microsoft Exchange users into IBM Domino. Apparently it was rebranded and not made freely available to the public. It is a paid service only.
 IBM Domino Onboarding Manager

Today someone asked about the Domino Migration Utility in a Skype chat, looking for updated information on it or how to download and install it. After some digging online I found that back in June 2013 IBM stated the following in the Notes and Domino Forum:
The development work is taking longer than planned.  We are beta testing in conjunction with paid consulting engagements, and iterating on some code, but it will be later in the year before we can consider a release.  Thanks for checking in.

Someone asked the same question again on the same thread in July 2014 with no response. I found a few other random threads with the same result. That is where things changed.

Apparently the Domino Migration Utility was rebranded to the IBM Domino Onboarding Manager and used to move users to the cloud service. It runs as a Java Application on Windows only (expected) and can move users/groups from Active Directory to Domino. It will grab email, calendars and contacts from Exchange and move those over as well.

This Domino Migration Utility was to replace the older tools that were installed as optional components with the client. It was to provide greater function and ease of migration, including date ranges and multi-threading for moving more than a single user at once.

There are some limitations around mail rules, shared calendars, Tasks and Exchange Public Folders, which I expect. No tools really move everything from one mail system to another. Fidelity is hard enough without adding in specific features.

Unfortunately, this does not help those companies trying to migrate internally. Here is where the tool sits right now for those looking for it. Does anyone need and want this utility for their organization? Maybe enough responses can get IBM to look at opening this tool up to everyone.

On Monday, October 27th, 2014 by Chris Miller

Vulnerability Management for Dummies - free ebook offer

My readers have the opportunity to get Vulnerability Management for Dummies for free. With all the current talk of POODLE, this came along at the right time. It is over 60 pages of entry-level information.
Vulnerability Management for Dummies

Vulnerability Management for Dummies covers a lot of ground quickly.

As someone responsible for network security within your organization, you need to understand how to prevent attacks and eliminate network weaknesses that leave your business exposed and at risk.

Vulnerability Management for Dummies arms you with the facts and shows you how to implement a successful Vulnerability Management program. Whether your network consists of just a handful of computers or thousands of servers distributed around the world, this 5-part book will help:
  • Explain the critical need for Vulnerability Management (VM)
  • Detail the essential best-practice steps of a successful VM Program
  • Outline the various VM Solutions - including the pros & cons of each
  • Highlight the award-winning QualysGuard VM solution
  • Provide a 10-point checklist for removing vulnerabilities from your key resources
Get your hands on Vulnerability Management for Dummies right now. It is yours free for a limited time.

On Thursday, October 23rd, 2014 by Chris Miller

What is the POODLE vulnerability - back to basics

As we fight to fix the POODLE vulnerability in all systems, we should know what it is. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. In simpler terms, it exploits an older version of the encryption protocol (SSL 3.0) that your browser may still use to communicate with servers.

As long as both the server and the client (web browser) support SSL 3.0, the attacker can force a downgrade of the protocol, so even if your browser tries to use TLS, it ends up being forced back to SSL 3.0. The only answer is for either side, or both sides, to remove support for SSL 3.0, removing the possibility of being downgraded.

So if an attacker can force your browser down to the older SSL 3.0, they can then abuse the padding oracle weakness in that protocol. While vendors are hurriedly trying to patch their software, pretty much everyone was still supporting SSL 3.0 on their servers, and of course your browsers do too. The only true solution is for both the web servers and the browsers to remove support for SSL 3.0 and force everything to TLS (Transport Layer Security).

You can disable SSL 3.0 (and prior) in your own browsers today. Just be warned that if a site you frequent does not, for some reason, support TLS, then you cannot get a secure connection to it once you do this. Firefox will be releasing an update in late November, version 34, that removes SSL 3.0. For now you can manually add an SSL Version Control extension to assist.

Google Chrome can be adjusted by simply changing your shortcut to force TLS as the minimum protocol version. Google will have a Chrome update soon that addresses it for end users.

Lastly, Internet Explorer (IE) has a manual fix you can apply today. I could not find a date yet for when Microsoft will release an update for the problem, but in the Advanced tab, under the Security section, you can simply untick the older SSL versions and make sure TLS is enabled for connections.

On Thursday, October 23rd, 2014 by Chris Miller

IBM addresses Poodle and SHA-2 issues in new technotes

IBM has addressed SHA-2 support and the POODLE vulnerability for IBM Domino in newly released technotes. Here are the links and information.
Technote #1418982 titled Planned SHA-2 deliveries for IBM Domino 9.1
SHA-2 support for Domino 9.x is planned to be delivered over the next several weeks via an Interim Fix.

Technote #1687167 titled How is IBM Domino impacted by the Poodle attack?
IBM intends to release Domino server Interim Fixes over the next several weeks that implement TLS 1.0 with TLS_FALLBACK_SCSV for HTTP to mitigate against POODLE. Implementing TLS 1.0 will allow browsers to still connect to Domino after they have been changed to address the POODLE attack, and Domino will protect against browsers that have been compromised by POODLE.
IBM will provide Interim Fixes

As you can see, IBM will be releasing interim fixes that will need to be applied across your infrastructure. This includes HTTP traffic for XPages, Traveler, IBM Connections and everything else. Many bloggers have information on the impact of remaining unpatched.
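To show how the TLS_FALLBACK_SCSV mitigation in IBM's technote relates to the protocol downgrade described in the "What is the POODLE vulnerability" post, here is an added example (not code from this post, IBM or Domino): a minimal ClientHello parser and the server-side decision rule from RFC 7507. The two ClientHello byte strings are constructed, and `server_max`/`allow_ssl3` are assumed configuration knobs, not Domino settings.

```python
# Added example, not from the original post or IBM: parse a ClientHello and apply
# the TLS_FALLBACK_SCSV rule (RFC 7507) together with the "no SSL 3.0" policy
# the posts recommend. All hello messages below are constructed.
import struct

SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value from RFC 7507

def parse_client_hello(record):
    """Return (client_version, cipher_suites) from one raw handshake record."""
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a single handshake record")
    body = record[5:]
    if body[0] != 0x01:                              # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    client_version = struct.unpack("!H", body[4:6])[0]
    pos = 6 + 32                                     # skip the 32-byte ClientRandom
    pos += 1 + body[pos]                             # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return client_version, suites

def server_decision(record, server_max=TLS12, allow_ssl3=False):
    """How a patched server should answer this hello (assumed config knobs)."""
    client_version, suites = parse_client_hello(record)
    if client_version == SSL3 and not allow_ssl3:
        return "reject: SSL 3.0 disabled"            # the posts' recommended fix
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return "alert: inappropriate_fallback"       # RFC 7507: downgrade detected
    return "accept: negotiate %#06x" % min(client_version, server_max)

def build_client_hello(version, suites):
    """Constructed ClientHello: fixed random, empty session id, null compression."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", len(suite_bytes)) + suite_bytes + b"\x01\x00")
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(body)) + body

NORMAL_HELLO = build_client_hello(TLS12, [0x002F, 0x0035])
FALLBACK_HELLO = build_client_hello(TLS10, [0x002F, TLS_FALLBACK_SCSV])
SSL3_HELLO = build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])
```

The fallback hello is accepted only when TLS 1.0 really is the server's best version; a browser that retries lower because an attacker broke the first handshake gets the inappropriate_fallback alert instead, even on a server that still allows SSL 3.0.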

On Tuesday, October 21st, 2014 by Chris Miller