A quick way to uncover (and fill) security holes on Domino servers using aclEZ


One of the nicest things about aclEZ's grouping grid interface is that it lets you sort and filter live information on all the Lotus Notes database ACLs on a server (including databases that aren't listed in catalog.nsf). Here's a simple but practical application of this feature:

Using aclEZ’s Grouping Grid to Spot Inappropriate Access Settings

To start, load all your ACL entries into aclEZ's grid:

[Screenshot: aclEZ grid with all ACL entries loaded]

Then drag the 'Access' column header into the 'grouping area'. This regroups the grid by access level
(i.e. No Access, Depositor, Reader, Author, Editor, Designer, or Manager).

[Screenshot: aclEZ grid grouped by Access]

Next, drag the 'Name' column header into the grouping area as well...

[Screenshot: aclEZ grid grouped by Access, then by Name]

Now you can expand or collapse the groupings with the [+] and [-] buttons to quickly see precisely who has what access.

In the example below, you can see that the -Default- entry was set to Manager for a number of databases on the server. Because -Default- applies to every user who has no explicit ACL entry (and to Anonymous as well, if there is no separate Anonymous entry), that means anyone who can reach the server can change those databases' ACLs or delete them outright. It's a potential security hole that's certainly worth looking into further!

[Screenshot: -Default- entries grouped under Manager access]

Access denied! Plug those Domino security holes in a few clicks

If you want to fix any questionable ACL settings, here’s a quick way to do it:

1) Select the names in question

[Screenshot: selecting the ACL entries to change]

2) Update the settings in the attributes panel

[Screenshot: mass-editing entry properties in the attributes panel]

3) The entries that you’ve changed will be marked with an icon in the Status column of the grid.

[Screenshot: modified entries flagged in the Status column]

The changes won’t go live until you…

4) ...press Ctrl+S (or File > Apply Changes) to write the changes back to the server.

That’s all there is to it.

Tip: aclEZ supports Full Access Administration. If you are listed as a full access administrator, it's often helpful to enable this feature by clicking Options > Full Access Administration when following the steps in this post, since it lets you read and edit ACLs that would otherwise lock you out. Because it bypasses every ACL on the server, switch it off again once you've finished.

So… How can I do this *without* aclEZ?

Finding and fixing ACL security holes with only the Lotus Notes client and the Domino Administrator can often take a great deal of time and effort.

You could start by looking at catalog.nsf, but the catalog falls short in a number of ways. For instance, it won't give you live data (it is only as current as the last Catalog task run); it won't let you group or organize the ACL entry settings in any meaningful way; it won't let you edit entries directly; and, perhaps most importantly, it won't contain every database on your server.

This means that without aclEZ, you'd likely have to spend a lot of time going through the ACLs one by one in the Domino Administrator client. And yes, that means dealing with the modal Access Control dialog. And if you want to modify entries for several ACLs at once, the Manage Multiple ACLs dialog gives you no indication of the current state of your selection and forces you to 'go blind.'
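The other route is to script the audit yourself. The LotusScript agent below is an added example written for this post; it is not part of aclEZ, and it is not the method the post describes. It walks every database on a server with NotesDbDirectory (so, like the grid, it does not depend on catalog.nsf) and reports any -Default- or Anonymous entry at Editor access or above, which is the same question the grouped grid answers in the screenshots. The server name and the alert threshold are placeholders you would change; databases the agent's signer cannot open are reported as unreadable rather than silently skipped.

```lotusscript
' Added example (not aclEZ's code): audit every database on a Domino server for
' -Default- or Anonymous ACL entries at Editor access or higher.
' Run as an agent signed by an ID that can open the databases being checked.
Option Public
Option Declare
%INCLUDE "lsconst.lss"   ' provides DATABASE and the ACLLEVEL_* constants

Const SERVER_NAME = "Domino1/Acme"     ' assumption: replace with your server's name
Const ALERT_LEVEL = ACLLEVEL_EDITOR    ' report entries at or above this level

' Map an ACL level constant to the label shown in the Access Control dialog.
Function LevelName(lvl As Integer) As String
    Select Case lvl
    Case ACLLEVEL_NOACCESS:  LevelName = "No Access"
    Case ACLLEVEL_DEPOSITOR: LevelName = "Depositor"
    Case ACLLEVEL_READER:    LevelName = "Reader"
    Case ACLLEVEL_AUTHOR:    LevelName = "Author"
    Case ACLLEVEL_EDITOR:    LevelName = "Editor"
    Case ACLLEVEL_DESIGNER:  LevelName = "Designer"
    Case ACLLEVEL_MANAGER:   LevelName = "Manager"
    Case Else:               LevelName = "Unknown(" & lvl & ")"
    End Select
End Function

Sub Initialize
    Dim dbDir As New NotesDbDirectory(SERVER_NAME)
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim findings As Integer

    Set db = dbDir.GetFirstDatabase(DATABASE)
    While Not db Is Nothing
        ' Open may fail if the signer has no access; report it instead of aborting.
        On Error Resume Next
        If Not db.IsOpen Then Call db.Open("", "")
        If Err <> 0 Or Not db.IsOpen Then
            Print "UNREADABLE" & Chr(9) & db.FilePath
            Err = 0
        Else
            On Error GoTo 0
            Set acl = db.ACL
            Set entry = acl.GetFirstEntry
            While Not entry Is Nothing
                ' -Default- covers every user with no explicit entry; Anonymous covers
                ' unauthenticated access (and falls back to -Default- when absent).
                If entry.Name = "-Default-" Or entry.Name = "Anonymous" Then
                    If entry.Level >= ALERT_LEVEL Then
                        Print LevelName(entry.Level) & Chr(9) & entry.Name & Chr(9) & db.FilePath
                        findings = findings + 1
                    End If
                End If
                Set entry = acl.GetNextEntry(entry)
            Wend
        End If
        On Error GoTo 0
        Set db = dbDir.GetNextDatabase
    Wend
    Print findings & " entries at " & LevelName(ALERT_LEVEL) & " or above on " & SERVER_NAME
End Sub
```

The output is one tab-separated line per finding (level, entry name, file path), so you can sort it by the first column to get the same "grouped by Access" view as the grid. Remediation is deliberately left out: once you have reviewed the list, the same objects let you lower an entry with NotesACLEntry.Level and write it back with NotesACL.Save, but doing that blindly across a server is exactly the kind of change you want to look at before applying.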