Recommendations for deploying tighter ECLs

02 Things you need to know

Client
Recommendations for deploying tighter ECLs

Notes' and Domino's first line of defense against virus attacks is the Execution Control List (ECL). The best way to protect your organization is to deploy and maintain tighter workstation ECLs. To deploy tighter ECLs, your goal is to limit who your trusted signers are. To get to that goal, however, you could ask all your users to turn off all accesses, and encourage them to think about whether it makes sense to give the signer the requested access for every signature dialog they see. This could be a tedious and error-prone task. The procedure described here can streamline this process.

Unless your organization has taken some other proactive steps, such as limiting the number of trustworthy signers and ensuring that clients' ECLs only trust those signers, the first step is to take a close look at your current ECLs. If you already tightly control who has access, there is no need to follow this procedure. If, however, your ECLs seem too wide open, you should follow this procedure and use it as a starting point for managing and maintaining tighter ECLs. This procedure describes how to create a reasonable administration ECL and how to roll out the ECL. It also provides suggestions for maintaining ECLs. You can use this process to create as secure an environment as possible in the shortest amount of time.

There are five sections in this Release Note that cover recommendations for creating tighter ECLs:

Collect information for an Administration ECL
Create the Administration ECL
Rolling out the new Administration ECL
Maintaining ECLs
Other considerations

Collecting information for an Administration ECL
Before you can create an ECL that you can distribute enterprise-wide, you need to identify what people and/or organizations you can trust. Identify a small number of users (perhaps 2-5) who use a broad range of typical Notes applications, then have them complete these steps.

1. Remove all entries from the workstation ECL EXCEPT the following:

All entries in the form */org, where org is a local domain/organization.
-Default-
-No signature-
Lotus Notes Template Development/Lotus Notes

Note: If any of these entries are not listed in the ECLs that are being edited, it means that those entries are not needed. There is no need to add them to the ECL.

2. Record the entries removed so that if those entries were in fact not needed, they can be added with "no access" later in the admin ECL.

3. Make these changes to the remaining entities in the ECL:

For "When signed by"
For "Allowed"

*/org, where org is a local
domain/organization Deselect any selected items. "Default" should have no permissions.

-Default- Deselect any selected items. "Default" should have no permissions.

-No signature- Deselect any selected items. "Default" should have no permissions.

Lotus Notes Template Development/
Lotus Notes Select all items. This entity should have all permissions.

4. For a designated time period (a week should be sufficient), when the "Execution Security Alert" dialog box appears, click "Trust signer," with the following exceptions:

Do not trust any actions with "-No Signature-"
Check with the security administrator before trusting any odd or unfamiliar signatures, or before clicking "Execute once" for templates or applications signed with odd or unfamiliar signatures.

The resulting ECLs for these two users should be significantly larger than what they started with, unless your organization has managed the signing process up front and only uses objects signed by a small number of known trustworthy signers.

Creating the Administration ECL
After the designated time period is complete, the security administrator should use the information in the resulting ECLs to create an updated Administration ECL. The new ECL should be a union of the users' ECLs.

1. From the Domino Directory, choose Actions->Edit Administration ECL.

2. Using the information from the two users' ECLs, make changes to the Administration ECL.

NOTE: Using this method of updating and distributing the ECL, you can't remove entries from individual users' ECLs. You can, however, overwrite entries so that those entries have the correct permissions and essentially undo the permissions previously granted. For example, if there is a particular person that should not have any permissions, you can add that person to the administration ECL with no permissions. Then when the updated ECL is distributed, if that person was originally granted some permissions in any users' ECLs, the updated Administration ECL will overwrite the users' ECLs with the updated permissions.

Rolling out the new Administration ECL
After the Administration ECL has been updated, you must distribute those changes to all users.

For releases 5.0.4 and earlier

1. Make sure the Domino Directory with the ECL changes has replicated throughout the domain.

2. Address a memo to users whose ECLs you want to update.

3. Add a button to the memo that executes this formula:

@RefreshECL (

server

:

database

;

name

)

Where server : database is a text list that specifies the server location and file name of the Notes/Domino directory (NAMES.NSF) that you want to refresh the Administration ECL from; and name is text that specifies the name of the ECL. Specify "" (null) for the unnamed ECL. For example, for the unnamed ECL located in NAMES.NSF on the server SERVER1, the @RefreshECL formula would look like this:

@RefreshECL("server1":"names.nsf";"")

For more information on this @function, see Application Development with Domino Designer.

Note: For MIME-enabled users who lose their active content in mail messages, add the button to a document in a particular Notes database and tell those users to go there to update their ECLs.

5. Mail the memo.

For release 5.0.5

1. Make sure the Domino Directory with the ECL changes has replicated throughout the domain.

2. Address a memo to users whose ECLs you want to update.

3. Describe the purpose of the memo and instruct the users to do the following:

Choose File->Preferences->User Preferences.
Click Security Preferences.
Click Refresh.
Click OK.

Maintaining ECLs
Users might still encounter the "Execution Security Alert" dialog box after the updated ECL is deployed. Make sure that users:

Do not trust any actions with "-No Signature-"
Check with the security administrator before trusting any odd or unfamiliar signatures, or before clicking "Execute once" for templates or applications signed with odd or unfamiliar signatures. The security administrator should investigate those signatures, and if necessary, update and redistribute the administration ECL.

Other considerations
You can create a separate organizational unit specifically for users who must sign templates and applications. Then create an ID in that organizational unit for each of those users. Users who create templates and applications should only use the ids issued through the new organizational unit when signing their templates and applications. The administrative ECL can then trust any user in that special organizational unit, or it can be fine-tuned on a per-user basis, as explained the steps above.

	For "When signed by"	For "Allowed"
	/org, where org* is a local domain/organization	Deselect any selected items. "Default" should have no permissions.
	-Default-	Deselect any selected items. "Default" should have no permissions.
	-No signature-	Deselect any selected items. "Default" should have no permissions.
	Lotus Notes Template Development/ Lotus Notes	Select all items. This entity should have all permissions.