Important Notice: If you are using your Domino Server as an LDAP Directory for Connections and/or Sametime do not continue with the steps described further down.
If your Domino Server is exposed to the Internet, make sure that the Domino Directory (the “Names.nsf” database) cannot be accessed via Web Browser, or at least that the fields which can be used to obtain the hash values of the Internet passwords cannot be.
A while ago, we got contacted by a customer who found out that his Domino Servers were vulnerable to a certain exploit which allows an attacker to extract the hash values of the HTTP passwords of every user in the Domino Directory. The vulnerability is documented as “CVE-2005-2428”; you can read all the details of the exploit in the article below:
https://www.exploit-db.com/exploits/39495
EDIT: In response to my post, Sven Hasselbach also wrote a post on his blog. It is very informative and detailed, and he added information I missed, so I would strongly urge you to read it. Furthermore, I would also like to add the comment from Christoph Stöttner:
I haven’t checked the authentication, but you can’t use LDAP any more (Softerra will present: The user has insufficient access rights!)! So even when Connections or Sametime users can authenticate (please double check), TDI will not read or update any user account; even worse, with default settings in Connections TDISOL all your profiles get deactivated!
The mentioned vulnerability is from 2016! So nothing new. To get the hashes the attacker already needs to have a valid login (or allowed anonymous access to your names)! Then he can grab the hashes. Afaik with “Use more secure internet passwords” and “Yes – Password verification compatible with Notes/Domino release 8.01 or greater” it’s not that easy to decrypt the hashes.
I think way more important is a proper ACL, a well-configured security tab in the server document and “Enforce server access settings: Yes” for all used protocols.
As described in the article, you could remedy this by hiding the $dspHTTPPassword and HTTPPassword fields, or you could “block” access to names.nsf via Web Browser completely. The only reliable way I could find to do this on Domino, with the help of Roberto Boccadoro, would be to set the following property:

I tested this in a few environments, with SPNEGO and Web Federated Login enabled, and I could find no issues.
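To confirm from the outside that the change took effect, the following added example (my own check, not code from the original post or from Sven's or Roberto's posts) fetches names.nsf anonymously and classifies the answer: a 401/403 means anonymous browser access is refused, a 200 means the database answered, and in every case the body is scanned for the two field names mentioned above. The hostname, the probed URL paths and the sample responses in the test are constructed placeholders; the detection of Domino's session login form by its `Password` input name is an assumption, since a server with session authentication returns the login page with status 200 rather than a 401.

```python
"""
Added example (not from the original post): check that a Domino server does
not serve names.nsf to anonymous web browsers and that the HTTPPassword /
$dspHTTPPassword items never show up in whatever it does return.
"""
import re
import urllib.error
import urllib.request

# The two items named in the post. The regex avoids counting "HTTPPassword"
# a second time when it is merely the tail of "$dspHTTPPassword".
HASH_FIELDS = ("HTTPPassword", "$dspHTTPPassword")
FIELD_PATTERNS = [(f, re.compile(r"(?<![\w$])" + re.escape(f) + r"\b")) for f in HASH_FIELDS]

# Assumption: Domino's default session login form carries an input named "Password".
LOGIN_FORM_RE = re.compile(r'name="Password"', re.IGNORECASE)


def classify(status: int, body: str) -> dict:
    """Pure check on a status/body pair so it can be unit-tested offline."""
    leaked = [name for name, pat in FIELD_PATTERNS if pat.search(body)]
    if status in (401, 403):
        verdict = "blocked"        # anonymous access refused: the expected state
    elif status == 404:
        verdict = "not-found"      # database not reachable under that path
    elif 200 <= status < 300 and LOGIN_FORM_RE.search(body):
        verdict = "login-form"     # session auth answered with the login page
    elif 200 <= status < 300:
        verdict = "exposed"        # names.nsf answered an anonymous request
    else:
        verdict = f"other-{status}"
    return {
        "verdict": verdict,
        "leaked_fields": leaked,
        # Only a refusal (or a login page) with no hash field names counts as OK.
        "ok": verdict in ("blocked", "login-form") and not leaked,
    }


def fetch(url: str, timeout: float = 10.0):
    """Anonymous GET; HTTP errors are returned as (status, body), not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "names-nsf-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_server(base_url: str) -> dict:
    """Probe the plain database URL and the OpenDatabase URL command."""
    results = {}
    for path in ("/names.nsf", "/names.nsf?OpenDatabase"):
        status, body = fetch(base_url.rstrip("/") + path)
        results[path] = classify(status, body)
    return results


if __name__ == "__main__":
    import json
    import sys
    # Placeholder host; replace with the server you are responsible for.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://domino.example.invalid"
    report = check_server(target)
    print(json.dumps(report, indent=2))
    sys.exit(0 if all(r["ok"] for r in report.values()) else 1)
```

Run it against your own server after applying the setting and again after any ACL change; a non-zero exit code means either the database still answers anonymously or one of the two hash field names appeared in a response, which is the condition the post is about.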
Feel free to correct me if I am wrong, but under normal circumstances the access to the names.nsf is restricted by default, because “Anonymous” is set to “No access”. So, the “exposed data” to the web is the information which would be accessible for all users when using the Notes client.
If you enable that setting in the ACL, can users still authenticate via HTTP password?
Yes, they can.
I haven’t checked the authentication, but you can’t use LDAP any more (Softerra will present: The user has insufficient access rights!)! So even when Connections or Sametime users can authenticate (please double check), TDI will not read or update any user account; even worse, with default settings in Connections TDISOL all your profiles get deactivated!
The mentioned vulnerability is from 2016! So nothing new. To get the hashes the attacker already needs to have a valid login (or allowed anonymous access to your names)! Then he can grab the hashes. Afaik with “Use more secure internet passwords” and “Yes – Password verification compatible with Notes/Domino release 8.01 or greater” it’s not that easy to decrypt the hashes.
I think way more important is a proper ACL, a well-configured security tab in the server document and “Enforce server access settings: Yes” for all used protocols.
Thank you Christoph, I will add the comment in the post.
[…] are still awaiting moderation (tried two times hours ago, but no luck), I have decided to answer to this post from Milan in my […]
Sorry, I was busy and had not seen your comment right away. I will add the link of your Blog post to my entry…
I think this is one of the most important info for me. And I’m glad reading your article. But I should remark on a few general things: the web site style is ideal, the articles are really nice : D. Good job, cheers