The Not-So-Rapid Blog

Removing mail access immediately »

PHILIP STORRY - DEC 1, 2008 (12:15:29)

I read Paul Robichaux's description of how to immediately disable access to an Exchange mailbox which got me thinking.

 

A brief summary for those that didn't follow the link - if you have someone who's leaving very quickly - being escorted off site by security, one presumes - then to remove their access to their mail on an Exchange Server you'll need to do the following:

  1. Disable the mailbox
  2. Set the send quota for the user to 0
  3. Move the mailbox to a new information store

If you don't do these steps and someone still has Outlook open, then they may still have access for up to two hours after you disable them.

(Note that two hours is probably a worst case timescale, but still worth remembering.)

 

So, what do we do to remove access for a Domino user?

  1. Add the user to a Deny Access Group (which will prevent them accessing their mailbox and sending email)
  2. On the user's home server (and cluster servers if used), check for connections and drop them
  3. Remove access for webmail/applications as appropriate.

Total delay?  Probably about an hour, depending on the environment.
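As an added illustration (not part of the original post), here is what the three-step Domino procedure above looks like when typed at the server consoles. The server names (Hub/Example, Mail01/Example), the user name (Jane Doe/Example) and the group name (DenyAccess) are assumed for the example; substitute your own. The group edit itself is done in the Domino Directory (names.nsf) with the Administrator client, so it is shown as a note rather than a command:

```console
-- Step 1: in names.nsf on Hub/Example, add "Jane Doe/Example" to the
--         group DenyAccess, which is listed in the "Not access server"
--         field of every Server document.

-- Step 2 (Hub/Example console): push the changed directory to the
--         user's home mail server rather than waiting for the schedule.
> replicate Mail01/Example names.nsf

-- Step 2 (Mail01/Example console, repeat on any cluster mate): find the
--         user's open sessions, drop them, then confirm they are gone.
> show users
> drop "Jane Doe/Example"
> show users

-- Step 3: repeat the replicate and show users / drop pair on each
--         webmail or application server the user could reach.
```

Two things worth checking afterwards: `show users` should no longer list the user on any server, and a fresh Notes client login should be refused with a "not authorized to access the server" style error. Dropping the session without the group change only buys a few seconds, since the client reconnects; the group change without the drop leaves the cached session open until it times out, which is exactly the delay the post is discussing.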

 

And note that we're talking about removing access, not restricting - the difference (in this context) is that we want to drop active connections too, rather than just change the access allowed for future connections.

 

So why the difference between the two products?

Well, Exchange Server is using tokens from a central directory, whereas Domino Server creates its access tokens using a local directory. (Yes, you could use a Configuration Only directory in Domino.  But I've never seen one on a live production mail server...)

 

This is why Exchange Server may preserve access for up to two hours: the security tokens from Active Directory have a lifetime which is designed to make sure that the Active Directory server isn't overwhelmed with requests for new tokens, while at the same time not leaving security too lax.

Domino's method of distributing the Directory means that whilst it likely also uses tokens internally, they're easier to update as any query stays on the same machine.  Plus both the Notes client and Domino Server cache such information, which is why you also need to drop (destroy) the user's connection.

So even if you edit the deny access group on a central hub server rather than their home mail server, you're a replication and a drop user command away from it taking effect within minutes.

 

It's worth noting that Domino has, for a long time, allowed you to see who has a connected Notes client and drop them - and this is what allows Domino to be faster in removing access.

 

By contrast, the Exchange Server evidently has a token for access at the Information Store level, which can only be cleared by moving the mailbox to a new information store (database).  That's their closest equivalent of "drop user", which will clear the cached token.

But the advantage of the Exchange "centralise everything" design is that once access to their mailbox is gone, you're done - other services such as webmail, Windows Mobile devices etc. should also stop their access because they're effectively just proxies for access to that one store of information.

 

Whereas Domino's distributed design means that you'll need to make sure that the change occurs where it's needed.  If you need to remove access on a webmail server, then that Deny Access Group change needs to be replicated there before it'll happen.  And the same applies to sessions on application servers, and systems like Quickr/Sametime/Domino.Doc.  Users can access many different stores, some of which are just replicas of each other, so stopping all access in a large environment can require a little more work.

 

(For both Exchange and Domino, third party access products like BlackBerries have their own arrangements to disable accounts and devices, so I'm skipping those.)

 

To my mind, the advantage to Domino's distributed design is that in this case it's more intuitive. Unless you're thinking about tokens, it's easy to assume that denying access to a mailbox does just that, immediately.  The other advantage is that you have fewer single points of failure, so your systems are more resilient.  If someone accidentally deletes something in the Directory or a database somewhere, then if you act quickly you may find a replica elsewhere you can use rather than have to go back to your backups...

 

The more I think about this scenario of denying a user access immediately, the more interesting it becomes as it reveals the differences between Domino and Exchange.  But it also makes me wonder about other systems - how many other applications using Active Directory or other centralised LDAP systems are going to behave this way?

How easy is it for someone in a position of power to remove valuable data even after the business believes they have had their access disabled, due to this kind of caching?

How many businesses are aware of these issues, and have the procedures - or staff with the wherewithal - to deal with them?

 

And when Domino gets LDAP Directory Integration in Release 9 or Release 10, will we still be able to list and drop those users like normal Domino/Notes users?

 

So many questions...

 

And you'd have thought removing someone's access should be just a tick in a box, that took immediate effect!

 

Interrupted by power supply issues »

PHILIP STORRY - NOV 28, 2008 (13:32:07)

The power supply on my home machine died, which is why I've been absent.

I did buy a netbook to tide me over - it's lovely, but in all the fuss I completely forgot to drop back here and blog about it.

 

ETA: Note that I bought the Netbook because I wasn't sure that it was only the PSU that had died, as described in a comment on this entry.  Sorry if that caused any confusion!

 

The netbook is an Acer Aspire One - the 120GB mechanical HDD version, not the SSD version.  A great little device, which really fills a niche between my phone (for email and comms on the go, but not for any extended use) and my PC (which is about as portable as a bedside cabinet).  It runs Linux, but I've replaced the shipped distribution with the Ubuntu Netbook Remix, which is an utterly fantastic bit of software - more on that later!

It only has 512MB of RAM, but that doesn't seem to matter.  It's fine for most things you'd use it for - but I must admit I've got a 1GB stick of RAM for it, as it was only 15 quid!

(15 quid for a gig of RAM.  How times have changed...)

 

Anyway, my PC is back up and running now, so hopefully I'll remember to blog more in future.  Or I could just start blogging from work, but I don't want to do that as it's too distracting!

 

Crossing the line... »

PHILIP STORRY - OCT 24, 2008 (12:17:07)

In the Notes/Domino world, there are some well-known "bad words" that you don't mention in polite company.

 

We have a contractor leaving soon, and he's a lovely guy.  But we were joking about how he'd be remembered, and I said this:

"We plan to blame you for everything once you're gone. In fact, I think you'd be surprised at how senior - and busy - you were in your time with the company."

 

When reporting that to some friends, some seemed to think I was unnecessarily cutting when I said that.

(I can be quite cutting sometimes, bordering on rude, but usually only when in search of a cheap laugh.  Which I curiously - and in some company solely - think justifies it.)

 

Now, the folks who were there when it was said took no issue with it.  It was a sting, yes - but a well intentioned one.

 

But later, I really skirted with offending those same people.

How?

Like this:

"You'll always be remembered here. Specifically, we'll remember you as the guy that installed GroupShield on our servers..."

Even the lighter-hearted didn't know quite whether to laugh at that one or not...  There was a palpable silence over the group for a moment.

 

It's funny, how offence is determined by social context.  I crossed a line, but not the one that most people would assume...

 

Notes 8 != Vista »

PHILIP STORRY - OCT 8, 2008 (13:29:29)

Vowe and Andrew Pollack have drawn parallels between Vista and Notes 8.

Whilst both can perform slowly on lower end hardware, and whilst both had later service releases that are claimed to improve performance, I think that the comparison is stretched.


Here are my responses to Andrew's points:

  • Point 1: People asked for a better Notes interface, AND asked for a better Mac client, AND asked for a Linux client. The Eclipse platform was the best way to deliver this as quickly as possible. We did ask for Notes 8, and I can't see how Notes 8 could have been done without Eclipse.
  • Point 2: Notes 8 has added what people wanted, and will add even more in future. Superior extendibility, composite applications, and it's all going to be multi-platform.
  • Point 3: If you're hitting issues with integration between the Eclipse and Notes code, then they're bugs. Report them - they are highly likely to be fixed!
  • Point 4: To do the same things, users can install the Basic client. No further comment.
  • Point 5: Apple would have done it better. OK, even Andrew admits that Apple's got nothing on Notes (or any other messaging/groupware stack), so this point is moot and I'm not going to make a big deal of it.

The Notes situation is not a good parallel with Vista, simply because the Notes Basic client option exists.

Feel you didn't ask for any of the new things and are getting a raw deal? Run Notes Basic. It's there, and it's free - the same license covers both.

Now, downgrading your OS is a whole different matter. Not all versions of Vista come with "downgrade rights" that allow you to use the same license for XP.


And there are some obvious places where the parallel with Vista breaks completely:

  • Notes ONLY has compatibility issues forwards - not backwards! Vista can't say that. Again, if you have a backwards compatibility issue with a Notes application in Notes 8, get it logged as a bug with IBM...
  • Notes has a strong, regular release cycle which is delivering improvements. Vista had problems, and Microsoft's response was either silence or quiet acknowledgement, with no real commitment to a timescale for fixes. Service Pack 1 arrived when they felt like shipping it. Domino/Notes has a long standing tradition of multiple releases per year, and those releases often deliver improvements - new features AND bug fixes. Notes Release 8.0.2 delivers speed increases and Notes UltraLite. And that was openly discussed, with timescales - it's almost a polar opposite to the Vista Service Pack 1 experience.
  • The shifts within the Notes client architecture are strategic. Yes, they're major - but they're necessary for its long-term health. The underlying architecture was fine, but the client interface layers needed major work if they were to be modernised. Compare this with Vista, which had major compatibility issues because of architectural changes forced by poor earlier architecture - which generated a lot more work for vendors writing software on the Windows platform. Notes 8 didn't require any such changes.

No matter which way I look at it, when I compare Notes 8 with Vista, it's not Vista that wins. Vista has had much bigger issues, and much harder ones to handle. And it has no option on its roadmap but to tough it out and hope that they get fixed as and when Microsoft feel like it.

Notes 8 != Vista

(Now that I've said that, I'll return to my blogging retirement again.)

A little from column a... »

PHILIP STORRY - JUL 17, 2008 (14:09:15)

Every larger organisation has strict rules on how to keep your IT services secure.

You know the ones - "don't tell your password to anyone else", "don't let anyone else use your account", and all that.

And it usually seems as though nobody pays attention to them.

Remember that story about the death threat sent via mail that I posted here?

Well, it turns out that the email account it was sent from was being used by someone else. The owner of the account has, rightly but unfortunately, been fired.

She's a home worker, and the machine she was using for her work was also used by at least one other person. The other person - brother? husband? - has even posted a rambling confession.

After all these years of trying to get people to behave in a secure manner, people can still lose their jobs over the simplest of security requirements.

I find that both disappointing and disheartening.

In a world of VPNs, Blackberries, and other systems connecting us ever more to the corporate network regardless of distance, people need to be much more vigilant about their security.

Perhaps things are changing too fast. I doubt this is the first job lost to a basic security breach, and I also doubt it will be the last. Even worse, I doubt any of the others will even get any media coverage.

Maybe the technology is changing too quickly for people to cope?


When I first wrote about the death threat, I asked a question in the title - a lack of training, or a lack of intelligence?

I think the answer comes from Grandpa Simpson:

Joe Friday: Freeze! FBI! The jig is up.
Abe Simpson: All right, I admit it! I am the Lindbergh baby! Wah! Wah! Goo-goo! I miss my fly-fly dada.
Joe Friday: Are you trying to stall us, or are you just senile?
Grandpa Simpson: A little from column A, a little from column B...

A little from both columns indeed...