Short Description: Changed the name lookup unauthenticated transaction feature.
The NRPC protocol uses an unauthenticated transaction to look up a user who is not yet authenticated so that the user can fetch their ID file during Notes® setup. This transaction is optionally used when a user is first registered or when a roaming user connects from a new client.
As described in the advisory, it is possible to construct a list of possible user names and attempt to validate them using the unauthenticated name lookup transaction. If the user name exists and the person record contains an ID file, it is possible to download the user ID file. The attacker must then successfully execute a brute force attack on the password in order to use the ID file.
This issue was reported to Quality Engineering as SPR# KEMG6R8JBF and has been fixed in Domino® 7.0.2 and Domino 6.5.5 Fix Pack 2 (FP2). The fix requires setting the "BLOCK_LOOKUPID" variable in the server's notes.ini file. There are two settings available.
BLOCK_LOOKUPID=1: If the unauthenticated name lookup finds the requested person but the person record contains no ID file, the error returned is changed from "No ID file found for this user" to "User not found in Directory", so that the transaction can no longer be used to confirm that a user name without an ID file exists in the directory. With this setting enabled, client setup can still fetch ID files and Roaming User can still fetch ID files.
BLOCK_LOOKUPID=2: Whenever the unauthenticated name lookup is performed, it always returns "User not found in directory", regardless of whether the person exists. This completely prevents all the attacks described in this advisory/SPR. However, it also prevents new client setup from using ID files stored in the directory, and it prevents Roaming User setup from working. This setting can be used if new users are physically given their ID files and Roaming User is never configured to delete local files on exit.
To mitigate risk, administrators should ensure that ID files do not remain in the Domino Directory for extended periods of time or use an alternative method of distributing ID files to new users. Strong initial passwords should be applied if distributing ID files to users via the Domino Directory.
BLOCK_LOOKUPID=1 or BLOCK_LOOKUPID=2
There is no known UI setting for this notes.ini variable, but you can specify it in the notes.ini settings tab of the Configuration Settings document.
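A small model of the lookup behaviour described in this note, together with a notes.ini audit, as an added example (not IBM code): the response strings are the ones quoted above; the ID-file marker and the sample notes.ini lines are constructed.

```python
import re
from typing import Optional

# Response strings quoted in the advisory; the ID-file marker is a constructed stand-in
NOT_FOUND = "User not found in Directory"
NO_ID_FILE = "No ID file found for this user"
ID_FILE = "<ID file returned>"

def lookup_response(user_exists: bool, has_id_file: bool, block_lookupid: int) -> str:
    """Model what the unauthenticated name lookup returns under each BLOCK_LOOKUPID value."""
    if block_lookupid == 2 or not user_exists:
        return NOT_FOUND                      # setting 2 denies everything, unconditionally
    if has_id_file:
        return ID_FILE                        # unchanged by setting 1: setup and roaming still work
    return NOT_FOUND if block_lookupid == 1 else NO_ID_FILE

def name_confirmed(user_exists: bool, has_id_file: bool, block_lookupid: int) -> bool:
    """True when the response lets an unauthenticated caller conclude the name exists."""
    return lookup_response(user_exists, has_id_file, block_lookupid) != NOT_FOUND

LEVELS = {0: "unmitigated", 1: "partial (names with ID files still confirmable)",
          2: "full (client setup and Roaming User cannot fetch ID files)"}

def audit_notes_ini(text: str) -> dict:
    """Return the BLOCK_LOOKUPID value found in notes.ini text and its hardening level."""
    value: Optional[int] = None
    for line in text.splitlines():
        m = re.match(r"\s*BLOCK_LOOKUPID\s*=\s*(\S*)", line, re.IGNORECASE)
        if m:                                 # last occurrence wins, as in a plain ini reload
            value = int(m.group(1)) if m.group(1).isdigit() else -1
    effective = 0 if value is None else value   # an absent variable leaves the lookup unblocked
    level = LEVELS.get(effective, "invalid value; treat as unmitigated")
    return {"value": value, "level": level}

# Constructed sample notes.ini fragments (not taken from a real server)
WEAK_INI = "ServerTasks=Update,Replica,Router\nServerName=demo/Example\n"
HARDENED_INI = WEAK_INI + "Block_lookupID=2\n"

if __name__ == "__main__":
    for ini in (WEAK_INI, HARDENED_INI):
        print(audit_notes_ini(ini))
    for mode in (0, 1, 2):
        cases = ((False, False), (True, False), (True, True))
        print(mode, [name_confirmed(e, i, mode) for e, i in cases])
```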