An interesting couple of days reverse-engineering Lotus Domino AdminP Calls.

It transpires that a number of these calls require that the request be signed by the domain administration server (the server listed as the admin server for the domain directory) in order to authenticate these requests.

Which is good.

However, I think I should explicitly state that it would be a *good idea* for all to understand that this of course leads to a vector for malicious code. Specifically, if you allow any old fool to write scheduled agents into a database, and replicate that database onto the admin server, then you are inviting yourself into a world of pain.

I would advise all that the admin server should not normally have user-written applications placed on it - someone with a *lot* of time and experience on their hands might try to hand-craft AdminP requests in a scheduled agent, and start harming your environment.

Now - is this a security loophole? I don't think so. Running unaudited or untested agents on *any* scheduled service on *any* server is a bad idea - whether Domino or otherwise, or admin server or otherwise. Should the Domino "AdminP" interface be more secure? Well, perhaps. However, there's so much stuff that links into that, it'd be difficult to do. Should Lotus publish an "API" for the AdminP interface that increases the security of this subprocess? In my humble opinion, yes, but I can't imagine in my wildest dreams that that will happen soon. It's not happened since AdminP was created a *long* time ago, and the number of folks who wish to use that interface is small (in comparison with the userbase). I can imagine that resources are being better spent in improving more mainstream parts of Domino. (And long may it be so!)

I thought it would be useful to explicitly state the case that you should *not* allow scheduled agents on your admin server that you have not explicitly "blessed"... Increasing security on your admin4.nsf database might also be a good idea.

(No, I'm not going to outline more of the reasoning for this, for obvious reasons).
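
One way to check the "blessed agents only" advice above is to inventory every enabled scheduled agent on the admin server and flag any whose last signer is not on an approved list. This is an added example, not code from the original post; the server name and signer names are hypothetical placeholders, and it assumes the ID running it can open the databases and read their design.

```lotusscript
Option Declare

' Assumption: placeholder name, replace with your administration server.
Const ADMIN_SERVER = "AdminServer/Example"

Sub Initialize
	' Assumption: placeholder list of IDs allowed to sign scheduled agents.
	Dim blessed List As Integer
	blessed(LCase("CN=Agent Signer/O=Example")) = 1
	blessed(LCase("CN=AdminServer/O=Example")) = 1

	Dim dbdir As New NotesDbDirectory(ADMIN_SERVER)
	Dim db As NotesDatabase
	Dim agents As Variant
	Dim flagged As Integer

	Set db = dbdir.GetFirstDatabase(DATABASE)
	Do Until db Is Nothing
		' Databases returned by NotesDbDirectory must be opened explicitly;
		' ones we cannot open are skipped rather than aborting the audit.
		On Error Resume Next
		Call db.Open("", "")
		On Error Goto 0
		If db.IsOpen Then
			agents = db.Agents          ' not an array when the database has no agents
			If IsArray(agents) Then
				ForAll a In agents
					' Owner is the name that last saved (signed) the agent.
					If a.Trigger = TRIGGER_SCHEDULED And a.IsEnabled Then
						If Not IsElement(blessed(LCase(a.Owner))) Then
							flagged = flagged + 1
							Print "UNBLESSED: " & db.FilePath & " | " & a.Name & " | signer: " & a.Owner
						End If
					End If
				End ForAll
			End If
		End If
		Set db = dbdir.GetNextDatabase
	Loop
	Print "Enabled scheduled agents with unapproved signer: " & flagged
End Sub
```

Run it from an administrator's client against the server, and treat every flagged line as an agent to review, re-sign with an approved ID, or disable.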