[back to "Staying alert with Execution Control Lists"]
ECL access option risk levels
There are tradeoffs between user convenience (fewer execution security alerts) and tighter security. The tables below categorize the level of risk associated with each workstation security action for two signature policy scenarios.
Very stringent signature policy
Here is an example of a conservative ECL policy, which provides fairly strong security at the cost of a higher likelihood of ECL alerts.
Action | Risk | Default | No Signature | Lotus Notes Template Development/Lotus Notes | */Organization | */OU/Organization (where * corresponds to trusted users) |
Access to the file system | High | Do not allow | Do not allow | Allow | Do not allow | Do not allow |
Access to the current database* | High | Do not allow | Do not allow | Allow | Do not allow | Allow |
Access to environment variables | Low | Do not allow | Do not allow | Allow | Do not allow | Allow |
Access to non-Notes data | Medium | Do not allow | Do not allow | Allow | Do not allow | Allow |
Access to external code (such as Notes LSX or API programs) | High | Do not allow | Do not allow | Allow | Do not allow | Do not allow |
Access to external programs (such as non-Notes programs) | High | Do not allow | Do not allow | Allow | Do not allow | Do not allow |
Ability to send mail | High | Do not allow | Do not allow | Allow | Do not allow | Allow |
Ability to read other databases | Medium | Do not allow | Do not allow | Allow | Do not allow | Allow |
Ability to modify other databases | Medium-High | Do not allow | Do not allow | Allow | Do not allow | Allow |
Ability to export data | Medium | Do not allow | Do not allow | Allow | Do not allow | Allow |
Access to Workstation Security ECL | High | Do not allow | Do not allow | Allow | Do not allow | Allow |
*Access to current database includes both read and write access. This can be risky in the context of a user's mail file. Use caution when assigning this privilege to users. However, if a consistent signing policy does not exist, not allowing access to current database will generate a large number of Execution Security Alerts.
Less conservative signature policy
Here is an example of an ECL policy that minimizes execution control alerts while mitigating only the most severe risks.
Action | Risk | Default | No Signature | Lotus Notes Template Development/Lotus Notes | */Organization | */OU/Organization (where OU corresponds to trusted users) |
Access to the file system | High | Do not allow | Do not allow | Allow | Do not allow | Do not allow |
Access to the current database* | High | Do not allow | Do not allow | Allow | Allow* | Allow* |
Access to environment variables | Low | Allow | Do not allow | Allow | Allow | Allow |
Access to non-Notes data | Medium | Do not allow | Do not allow | Allow | Allow | Allow |
Access to external code (such as Notes LSX or API programs) | High | Do not allow | Do not allow | Allow | Do not allow | Allow |
Access to external programs (such as non-Notes programs) | High | Do not allow | Do not allow | Allow | Do not allow | Allow |
Ability to send mail | High | Do not allow | Do not allow | Allow | Do not allow | Allow |
Ability to read other databases | Medium | Allow | Do not allow | Allow | Allow | Allow |
Ability to modify other databases | Medium-High | Do not allow | Do not allow | Allow | Do not allow | Allow |
Ability to export data | Medium | Do not allow | Do not allow | Allow | Do not allow | Allow |
Access to Workstation Security ECL | High | Do not allow | Do not allow | Allow | Do not allow | Allow |
*Access to current database includes both read and write access. This can be risky in the context of a user's mail file. Use caution when assigning this privilege to users. However, if a consistent signing policy does not exist, not allowing access to current database will generate an increased number of Execution Security Alerts.
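As an added example (not part of the original article), the two tables above can be encoded and compared to list exactly which grants the less conservative policy adds over the very stringent one, ordered by the risk level the article assigns. The Python names (ROWS, policy, excess_grants) are hypothetical; the same function can check a workstation ECL that has been transcribed into the same signer-to-actions form.

```python
# Added example: both tables from this page, encoded so they can be compared.
SIGNERS = ["Default", "No Signature",
           "Lotus Notes Template Development/Lotus Notes",
           "*/Organization", "*/OU/Organization"]
RISK_ORDER = {"High": 0, "Medium-High": 1, "Medium": 2, "Low": 3}

# (action, risk, very stringent grants, less conservative grants)
# Grant strings have one character per SIGNERS column: A = Allow, - = Do not allow.
ROWS = [
    ("Access to the file system",          "High",        "--A--", "--A--"),
    ("Access to the current database",     "High",        "--A-A", "--AAA"),
    ("Access to environment variables",    "Low",         "--A-A", "A-AAA"),
    ("Access to non-Notes data",           "Medium",      "--A-A", "--AAA"),
    ("Access to external code",            "High",        "--A--", "--A-A"),
    ("Access to external programs",        "High",        "--A--", "--A-A"),
    ("Ability to send mail",               "High",        "--A-A", "--A-A"),
    ("Ability to read other databases",    "Medium",      "--A-A", "A-AAA"),
    ("Ability to modify other databases",  "Medium-High", "--A-A", "--A-A"),
    ("Ability to export data",             "Medium",      "--A-A", "--A-A"),
    ("Access to Workstation Security ECL", "High",        "--A-A", "--A-A"),
]
RISK = {row[0]: row[1] for row in ROWS}

def policy(column):
    """Build {signer: set of allowed actions} from grant column 2 or 3 of ROWS."""
    ecl = {signer: set() for signer in SIGNERS}
    for row in ROWS:
        for signer, flag in zip(SIGNERS, row[column]):
            if flag == "A":
                ecl[signer].add(row[0])
    return ecl

def excess_grants(candidate, baseline):
    """Return (risk, action, signer) for every grant in candidate that the
    baseline denies, highest risk first. Actions missing from RISK are treated
    as High (an assumption of this example)."""
    found = []
    for signer, actions in candidate.items():
        for action in actions - baseline.get(signer, set()):
            found.append((RISK.get(action, "High"), action, signer))
    return sorted(found, key=lambda f: (RISK_ORDER[f[0]], f[1], f[2]))

STRINGENT, LESS_CONSERVATIVE = policy(2), policy(3)

if __name__ == "__main__":
    for risk, action, signer in excess_grants(LESS_CONSERVATIVE, STRINGENT):
        print(f"{risk:<12} {signer:<18} {action}")
```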