HCL Domino Ideas Portal

Status Needs Review
Workspace Notes
Created by Guest
Created on Apr 16, 2025

Critical Security Risk Due to COM Access to NSF Files

Dear HCL Domino Team:

We have encountered a potential critical security risk while using IBM/HCL Notes and Domino, and hereby submit our feedback and request for your attention:

COM Interface Allows Access to NSF Data, Bypassing Notes Client UI and Permissions

Currently, the COM interface provided by Domino (such as Lotus.NotesSession) can be invoked by external applications such as Excel VBA, VBScript, PowerShell, Python, HTA, .NET, etc., allowing them to connect to the Notes client and directly access data from .NSF files.

This type of connection introduces the following issues:

  1. Bypasses business logic control in forms (such as validation code in QueryOpen, QuerySave)

  2. Does not trigger the Notes UI, making it hard to detect, and can easily become a data exfiltration backdoor

  3. Can be used in unauthorized automated scripts to export sensitive data in bulk

  4. Current security mechanisms (ACL, Notes ID password) do not effectively block local access once the client is logged in

Current Management Difficulties

  • COM CLSID registration on local machines is difficult to block based on specific usage scenarios using GPO alone.

  • Even if VBA macros are disabled, external languages (like PowerShell) can still be used.

  • Notes COM DLLs do not support fine-grained permission control (no ACL or client-level permission management).

Suggested Actions for HCL Domino

  1. Provide a configuration option to disable Notes COM services (e.g., via Notes.INI parameters)

  2. Add NotesSession.IsCOMClient property to identify the source of the connection

  3. Strengthen ACL and password verification in the COM startup process

  4. Add a warning in the developer documentation, advising enterprise users to disable or block COM usage

  5. Support recommendations for controlling usage with Microsoft AppLocker or WDAC in the next version

While this issue pertains to advanced use cases, many enterprise environments still use Excel or Python for automation. Without proper management, this becomes a security vulnerability. We kindly request that your team address this risk and provide a practical solution to prevent it.

Thank you for your ongoing commitment to Domino security.

Best regards,

Goodman Chu 2025/04/16
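The submission above notes that blocking the Notes COM registration by GPO alone is difficult. A first step for an administrator is to find out exactly what is registered and which binary serves it, since that path is what an AppLocker DLL rule or WDAC policy would reference. The following audit script is an added example, not code from the submission or from HCL; it resolves a COM ProgID (Lotus.NotesSession is the one named above; any other ProgID can be passed in) through HKEY_CLASSES_ROOT to its CLSID and server binary, checking the WOW6432Node view as well because a 32-bit Notes client registers its CLSID there. It only reads the registry and changes nothing.

```powershell
# Added audit helper (not part of the idea submission or any HCL product).
# Assumptions: runs on Windows with read access to HKEY_CLASSES_ROOT.
# For each ProgID it reports whether a COM class is registered, its CLSID,
# and the in-process or out-of-process server that backs it.
function Get-ComProgIdRegistration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ProgId
    )
    foreach ($id in $ProgId) {
        $progKey = "Registry::HKEY_CLASSES_ROOT\$id"
        if (-not (Test-Path -Path $progKey)) {
            # No ProgID key at all: nothing for a COM client to bind to by this name.
            [pscustomobject]@{ ProgId = $id; Registered = $false; Clsid = $null; Server = $null; ServerType = $null; View = $null }
            continue
        }
        # The ProgID's CLSID subkey holds the class GUID in its default value.
        $clsid = (Get-ItemProperty -Path "$progKey\CLSID" -ErrorAction SilentlyContinue).'(default)'
        $server = $null; $type = $null; $view = $null
        if ($clsid) {
            # CLSID keys are redirected for 32-bit servers on 64-bit Windows,
            # so check both the native view and the WOW6432Node view.
            foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
                foreach ($t in 'InprocServer32', 'LocalServer32') {
                    $serverKey = "Registry::$root\$clsid\$t"
                    if (Test-Path -Path $serverKey) {
                        $server = (Get-ItemProperty -Path $serverKey).'(default)'
                        $type = $t
                        $view = if ($root -like '*WOW6432Node*') { '32-bit' } else { 'native' }
                        break
                    }
                }
                if ($server) { break }
            }
        }
        [pscustomobject]@{ ProgId = $id; Registered = $true; Clsid = $clsid; Server = $server; ServerType = $type; View = $view }
    }
}

# Usage: inventory the ProgID named in the submission on this machine.
Get-ComProgIdRegistration -ProgId 'Lotus.NotesSession' | Format-Table -AutoSize
```

Run it across a fleet (for example through a scheduled task or configuration-management job) to see where the COM class is exposed; the Server column is the binary to name in an allow-list rule, and a Registered value of True on a machine with no automation need is worth following up.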
