Don't forget to register for “API Crash Course for LotusScript Developers” on 21st of February

The next session, “API Crash Course for LotusScript Developers”, part of the “Domino Tech School” series, is scheduled for 21st February, in just two days. So if you are interested in LotusScript, make sure to register.


Domino Tech School

Domino Tech School is a series of webinars concentrated on Domino V10. It was announced on January 8th this year. Since then there have been two sessions, “Domino Query Language” and “Upgrading to Domino V10: Best Practices”. If you have missed one of these two sessions, don't worry, you can still watch the recording, but you still have to register.

All of the sessions were great so far, and I like how quickly the recording is available, minutes after the webcast is finished. The sessions contain useful information for everyone, developers and administrators alike. So make sure you check it out.

Make sure that “Names.nsf” cannot be accessed via the Internet!

Important Notice: If you are using your Domino server as an LDAP directory for Connections and/or Sametime, do not continue with the steps described further down.

If your Domino server is exposed to the Internet, make sure that the Domino Directory, the “Names.nsf” database, cannot be opened from a web browser, or at least that the fields which can be used to read the hash values of the Internet passwords cannot be accessed.

A while ago, we got contacted by a customer who found out that his Domino servers were vulnerable to an exploit which allows an attacker to extract the hash values of the HTTP passwords of every user in the Domino Directory. The vulnerability is documented as “CVE-2005-2428”; you can read all the details of the exploit in the article below:

https://www.exploit-db.com/exploits/39495

EDIT: In response to my post, Sven Hasselbach also wrote a post on his blog. It is very informative and detailed; he added information I missed, so I would strongly urge you to read it. Furthermore, I would also like to add the comment from Christoph Stöttner:

I haven’t checked the authentication, but you can’t use LDAP any more (Softerra will present: The user has insufficient access rights!)! So even when Connections or Sametime users can authenticate (please double check), TDI will not read or update any user account; even worse, with default settings in the Connections TDISOL all your profiles get deactivated!

The mentioned vulnerability is from 2016! So nothing new. To get the hashes the attacker already needs to have a valid login (or allowed anonymous access to your names.nsf)! Then he can grab the hashes. AFAIK with “Use more secure Internet passwords” and “Yes – Password verification compatible with Notes/Domino release 8.01 or greater” it’s not that easy to decrypt the hashes.

I think way more important is a proper ACL, a well-configured security tab in the server document and “Enforce server access settings: Yes” for all used protocols.

As described in the article, you could remedy this by hiding the $dspHTTPPassword and HTTPPassword fields, or you could “block” access to names.nsf via web browser completely. The only reliable way I could find to do this on Domino, with the help of Roberto Boccadoro, would be to set the following property:

I tested this in a few environments, with SPNEGO and Web Federated Login enabled, and I could find no issues.
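To verify the result from the outside, the check below asks the server for names.nsf without any credentials and reports what comes back. It is an added example, not code from the original post or from Sven's or Roberto's write-ups. It assumes the default Domino URL layout (the database is opened with the standard `?Open` URL command at `/names.nsf`), and it treats a 200 response that contains a password input as a login form rather than an open directory, which is a heuristic. The field-name scan only looks for the two field names mentioned above and is likewise a heuristic: a field that is hidden on the Person form is not rendered in a document opened over HTTP, so its name should not appear in the response. The sample responses in the block are constructed for the self-check, not captured from a real server.

```python
"""Check whether a Domino server's names.nsf answers anonymous HTTP requests.

Added example (not from the original post). Assumptions: default /names.nsf
path and ?Open URL command; login-form and field-name detection are heuristics.
"""
import sys
import urllib.error
import urllib.request

# Field names the post says carry the Internet password hash.
HASH_FIELDS = ("$dspHTTPPassword", "HTTPPassword")

# Path probed anonymously (assumption: default Domino web path).
PROBE_PATH = "/names.nsf?Open"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers as-is instead of following them to a login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urlopen raise HTTPError with the 3xx code


def classify(status, body=""):
    """Map an anonymous response to a verdict about access to names.nsf."""
    if status == 200:
        # Heuristic: a password input means we got a login form, not the directory.
        if 'type="password"' in body.lower():
            return "LOGIN_FORM"
        return "EXPOSED"          # anonymous user can open the Domino Directory
    if status in (401, 403):
        return "AUTH_REQUIRED"    # server demands credentials: the desired state
    if status == 404:
        return "NOT_FOUND"        # database hidden from HTTP or HTTP task absent
    if 300 <= status < 400:
        return "REDIRECT"         # usually a login page; inspect the target manually
    return "OTHER"


def hash_fields_in(body):
    """Return the password-hash field names that appear verbatim in a response body."""
    return [f for f in HASH_FIELDS if f in body]


def probe(base_url, timeout=10):
    """Request names.nsf anonymously and return (status, body)."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(base_url.rstrip("/") + PROBE_PATH,
                                 headers={"User-Agent": "names-nsf-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def report(status, body=""):
    """Human-readable summary of one probe result."""
    lines = [f"names.nsf anonymous access: {classify(status, body)} (HTTP {status})"]
    fields = hash_fields_in(body)
    if fields:
        lines.append("password hash fields visible in response: " + ", ".join(fields))
    return "\n".join(lines)


# Constructed sample responses (not captured from a real server) for a dry run.
SAMPLE_RESPONSES = {
    "open_directory": (200, "<html><body><h2>People</h2><table>...</table></body></html>"),
    "session_login": (200, '<form action="/names.nsf?Login" method="post">'
                           '<input name="Username"><input type="password" name="Password">'
                           '</form>'),
    "basic_auth": (401, ""),
    "hidden_db": (404, ""),
    "leaking_person_doc": (200, "<tr><td>$dspHTTPPassword</td><td>...</td></tr>"),
}


def self_check():
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(status, body) for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("dry run on constructed samples:", self_check())
        sys.exit("usage: check_names_nsf.py https://domino.example.com")
    print(report(*probe(sys.argv[1])))
```

Run it against the server's public hostname from a machine outside your network; only `AUTH_REQUIRED` or `NOT_FOUND` means the directory itself is not reachable anonymously. An `EXPOSED` result with no hash fields listed still means the directory can be browsed, which is what the section above asks you to prevent. Note that the check says nothing about what an authenticated web user can read, which is the scenario Christoph's comment points at; that is governed by the database ACL and the server document's security settings.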

Directory Integration – IBM Domino & Microsoft Active Directory – Questionnaire

Many customers I have encountered use tools to integrate Domino and Active Directory with each other in some form, be it as simple as synchronizing some User Document fields via LDAP or as problematic as synchronizing passwords. Some would like a “full” integration with Active Directory and some would like to keep the two directories as separate as possible.

Going forward to Domino v11, IBM and HCL are thinking about a more native and subtle integration with Active Directory, and the best thing about it is that everyone can express their opinion by completing the following questionnaire:

https://epwt-www.mybluemix.net/software/support/trial/cst/forms/nomination.wss?id=5711

So, please let Product Management know how you feel about directory integration. All you need is an IBM ID; if you do not have one already, you can create it here:

https://www.ibm.com/account/reg/us-en/signup?formid=urx-19776

IBM Watson Workspace – Meeting a dreadful end as of February 28th

Don't forget that Watson Workspace will not be available from 28th of February; the service is being “deprecated”. If you were using Watson Workspace extensively and you have some information you want to keep, I suggest downloading it before the service goes offline. You can do that via the tool provided by IBM:

https://help.workspace.ibm.com/hc/en-us/articles/360015543614

My first contact with the software was at Connect 2016; back then it was called “Project Toscana”, and my colleagues and I were excited about it. Since the product was officially released I have used Watson Workspace daily; it became one of the main platforms for exchanging information with my customers, and my customers loved it, to the extent that we stopped using all other applications (Skype, TeamViewer…). I liked the simplicity and the integrated AI capabilities a lot.

IBM Connections Plug-in for Microsoft Outlook – End of Support

There was a lot of speculation recently about what happened to the “IBM Connections Plug-in for Microsoft Outlook”; it was removed from the Solution Catalog without any information prior to the removal.

Now it is official: yesterday an official article was published stating that the plug-in will no longer be available for download in the Solution Catalog. You will still be able to get it by opening a case in the IBM Support Portal until December 31, 2019, and bug fixes and security updates will also be available until then. For more information take a look at the official article:

https://www-01.ibm.com/support/docview.wss?uid=ibm10869556&myns=swglotus&mynp=OCSSYGQH&mync=E&cm_sp=swglotus--OCSSYGQH--E

I liked this plug-in and it is a mystery to me why it got removed…