IBM®
Skip to main content
    Country/region select      Terms of use
 
 
   
     Home      Products      Services & solutions      Support & downloads      My account     

 
developerWorks
AIX and UNIX
Information Mgmt
Lotus
New to Lotus
Products
How to buy
Downloads
Live demos
Technical library
Training
Support
Forums & community
Events
Rational
Tivoli
WebSphere
Java™ technology
Linux
Open source
SOA and Web services
Web development
XML
My developerWorks
About dW
Submit content
Feedback


Notes/Domino Tutorials


Securing the Domino Environment


Back to Main Menu

Introduction

This Learner-Directed Offering provides additional information about specific security topics covered in the Implementing a Domino Infrastructure R5 and Maintaining a Domino Server Infrastructure R5 courses, with the exception of HTTP and Secured Socket Layer (SSL).

Most of the information contained in this Learner-Directed Offering assumes knowledge of the security-related topics covered in the aforementioned System Administration (Release 5.0) courses; however, this Learner-Directed Offering provides a review of key security concepts.

Securing databases, documents and fields is the job of the application developer and is therefore beyond the scope of this Learner-Directed Offering. For additional information, refer to the Learner-Directed Offering entitled Securing Your Application. The Deploying Domino Applications course covers securing databases as it applies to application deployment. The Application Development curriculum also covers these topics in detail.


Security Layer Review

Network and Domino Firewalls
Isolating a Domino Server to Create a Quasi Firewall

Certificates: The Basis for Domino Security

Notes ID Component Review

Protecting a Domino Server
Accessing a Server through Successful Authentication
Authentication Scenarios
Fortifying Server Security Using Server Restrictions
Bypassing Authentication by Allowing Anonymous Access
Enhancing Server Security by Comparing Public Keys
Protecting the server with Password Checking
Server Security Scenarios

Protecting a Notes Workstation
Password Basics
Automatic Password Protections
Enabling Multiple Passwords
Execution Control Lists (ECLs)
Workstation Security Scenarios

Server Access Scenarios


Security Layer Review

There are several layers at which you can protect your computer environment. These include:

Network: Use network firewalls to protect the network from direct access from other networks and dial-in access via modems.

Domino servers: Protect Domino servers physically by locking them in a room with limited access. Protect servers logically by preventing access to and from specific people, groups, servers, and domains.

Notes workstations: Use passwords and Execution Control Lists (ECLs) to protect Notes workstations.

Databases: Protect databases on the servers with Access Control Lists (ACLs). Use roles and ACL privileges along with ACLs to specify who can perform what kind of action on which documents. To further hide and protect databases, use directory and database link access, the Open Database dialog box, and database encryption.

Documents and fields: Document and field-level security is the job of the application developer.

The following diagram shows the process the user must go through to gain access to data.

Back to Table of Contents

Network and Domino Firewalls

On the Web, the term firewall is used to describe the server which protects your network from the rest of the world. Network protection is managed by limiting access based on IP addresses.

Since Domino sits above the transport layer, it cannot limit which IP addresses have access to a domain. If a Domino administrator carefully implements security, it is possible to limit which named entities access the Domino server. This, in effect, allows administrators to set up an equivalent firewall system using Notes and Domino security.

Isolating a Domino Server to Create a Quasi Firewall
To best protect the Domino domain, isolate a server which will communicate with the outside world from the domain. To do this, either:

  • Certify the server under a different organization certifier ID.
  • Place the server in a different domain.

    For example:


    In addition, physically isolate the server from other servers.

    If this "external" or "public" server is in the same domain as the other company Domino servers, protect the Domino Directory by replicating only the necessary documents to the external server's Domino Directory. For example, replicate only Server documents, select groups, and one Connection document.

    Note: If the server is in a different domain, this is not an issue since the Domino Directory is unique by definition.

    Back to Table of Contents

    Certificates: The Basis for Domino Security

    Certificates and certifier IDs are the basis for security in Domino. The first server setup program creates the organization's certifier ID. Administrators use either the organization's certifier ID or another certifier ID in the organization's ancestral chain of certifiers to create subsequent certifier IDs in the same organization.



    Domino uses the certificates from the certifier IDs to identify entities (users or servers). To do this, the certificate uses an electronic signature from the certifier to associate a user or server's name with a public key.

    Therefore, a certificate from /World issued to Inga Smith/World means that according to /World, Inga Smith/World has a specific public key that is stored in the certificate.

    Keys in Inga Smith's ID file:


    Domino cross-certification
    Cross-certification allows servers and users with no common ancestral heritage to authenticate.

  • Cross-certification is a two-way process. Both organizations need to cross-certify each other.
  • Cross-certificates can be issued by user and server IDs as well as by certifier IDs.

    Back to Table of Contents

    Notes ID Component Review

    The Notes ID identifies users and servers. It contains information necessary to allow access to data in a domain. Both servers and users have their own unique IDs. Each user/server ID contains:

  • Name and license information
  • Public key
  • Private key
  • Certificates
  • Encryption key(s) (optional)
  • Password (This information is used to encrypt the private key and encryption keys. The password itself is not stored anywhere.)

    Note: The password is used to protect and encrypt the ID file. The other components are used to identify the owner of the ID in order to determine access to resources.

    Back to Table of Contents


    Protecting a Domino Server

    When an entity (either a user or a server) tries to access a Domino server, the server first attempts to verify the identity of the user or server. The entity may be able to access the server if either:

  • It can authenticate with the server.
  • The server is configured to allow anonymous access.

    Accessing a Server through Successful Authentication
    Authentication is the verification process Domino uses to ascertain a user's or server's identity. It is based on certificates. Authentication is successful if users and/or servers share a common certificate. If users or servers each share an authority (the certifier), they trust each other's identity. Authentication is successful if any of the following are true:
  • Hierarchical IDs have a common ancestor.
  • Flat IDs have a certificate in common.
  • Hierarchical to Flat IDs have a certificate in common.
  • Hierarchical IDs without a common ancestor have a cross certificate available.

    Note: This Learner-Directed Offering does not address flat certificates. For more information on flat certificates, refer to Flat names in the Domino 5 Administration Help database.

    How keys identify users and servers during authentication
    Each Notes ID contains public and private keys. A key is a set of numbers that provides access to information and/or data. Domino uses the RSA cryptosystem technology. RSA keys come in pairs: a public and a private key. RSA is an internationally recognized standard for encryption. Each ID file contains two sets of RSA keys:

  • A long public/private key pair used for network authentication and mail encryption within North America, and for International signatures as required by United States crypto restrictions.
  • A short public/private key pair used for encryption when either the sender or recipient holds an International license.

    Public and private keys are used as follows:

    Private key: Available to one owner (person, server, or certifier). Contained in the owner's ID file.
    Public key: Available to everyone. Stored in the owner's ID file and recorded in the Domino Directory.

    Either key can be used to encrypt data, and the other key is used to decrypt the data.

    The authentication process

    Authentication is the process whereby the server and the entity requesting access (the requestor) establish trust — verify each other's identity. The authentication process is illustrated in the following diagram and described below:



    1. When an entity (requestor) wants access to a server, the server generates a random number and sends the number to the requestor along with the server's name, public key, and certificates.

    2. The requestor creates a message using the random number from the server, signs it using the requestor's private key, and sends the signed message back to the server.

    3. The server verifies that the signature is correct by using the certificates to validate the requestor's public key which is used to decrypt the signed message. The server can then verify that the random number contained in the signed message matches the original random number.

    4. This sequence is then repeated in the opposite direction so that the requester can verify that the server is authentic.


    Back to Table of Contents

    Authentication Scenarios
    In both of these scenarios, determine which entities can authenticate. The solutions follow the second scenario.

    Scenario 1

    Scenario 2


    Authentication scenario solutions

    Answer to Scenario 1: Hierarchical IDs have a common ancestor.

    Answer to Scenario 2: Hierarchical IDs without a common ancestor have a cross certificate available.

    Back to Table of Contents

    Fortifying Server Security using Server Restrictions
    Server documents in the Domino Directory contain restrictions used to control access to a server. Server access includes the following:


    Field

    Description

    Only allow server access to users in this Directory
    Yes limits access to only those users listed in the Domino Directory.
    No allows access from users and servers in other domains.

    Access server
    If this field is left blank, there is no access restriction.
    If the group LocalDomainServers is in this field, only servers in the local domain can access the server.

    Not access server
    This field is for explicit restrictions, such as terminations.
    This field takes precedence over the Access server field.

    Allow anonymous Notes connections
    Yes indicates that Notes users and Domino servers can anonymously access the server without authenticating.
    No indicates that users and servers must hold a certificate in common capable of authenticating with the server to gain access.

    The following diagram shows the logic in determining user/server access to a server.



    What happens when access levels conflict or coincide?
    If a name appears in both the Access server and Not access server fields, the entry in the Not access server field takes precedence over names entered in the Access server field.

    If a server is configured to allow anonymous access and an entity is listed in the Access Server field, the entity (server or user) is allowed to access the server as the named user or server. Since that entity's identity is known to the server, it is attributed with any additional access or restrictions based on the server or user name.

    Back to Table of Contents

    Procedure: Bypassing Authentication by Allowing Anonymous access
    It is possible to access a server without authenticating. Allowing anonymous access to the server is a convenient way for administrators to allow access to users and servers without requiring ancestral certificates or cross certificates.

    Follow these steps to designate that a server can allow anonymous access.

    Step

    Action

    1

    From Domino Administrator, select the server on which to allow anonymous access.

    2

    Click the Configuration tab > Server section > Current Server Document.

    3

    Click Edit Server.

    4

    Click the Security tab.

    5

    Select Yes in the Allow anonymous Notes connections field, as shown below:


    6

    Click Save and Close.

    7

    Restart the server for the changes to take effect.

    Administrators can allow Anonymous access to a server, and still maintain server access control as follows:

  • Place servers within the network firewall.
  • Limit or restrict passthru access to the server.

    Note: Remember that the scope of this discussion is protecting the server. Once the server is secure, it is the database manager's responsibility to set each database ACL appropriately to control access to databases.

    Back to Table of Contents

    Enhancing Server Security by comparing public keys
    To prevent unauthorized use of an ID, administrators can configure servers so that clients can authenticate with the server only if the public key in the Notes ID matches the public key stored in the Domino Directory.

    Comparing public keys enhances the security inherent in the authentication process. For example:

    If a user loses an ID, the administrator can restore an archived ID and generate a new public key for the ID while retaining the same name and private key. If unauthorized users attempt to use the original ID, they will not be able to access the server because the new public key for the ID will no longer match the public key on the original user ID.

    Users who are not listed in the Domino Directory will not be able to access the server. This secures the server against users from another organization and users who have left the company.

    Note: There is no performance penalty when comparing public keys. Authentication does not take any longer when performing the comparison.

    Additional considerations when using public key comparison
    Flat IDs: The Administration Process copies each server's public key to the Domino Directory. However, you must manually copy the public key from any flat ID to the relevant documents in the Domino Directory because the Administration Process does not address flat IDs.

    Cascading Address Books: Include public keys in the primary Domino Directory. The server will not look in any additional Domino Directories specified in the NOTES.INI file.

    Procedure: Configuring the server to compare public keys

    Follow these steps to enable public key comparison.

    Step

    Action

    1

    From Domino Administrator, select the server on which to enable public key comparison.

    2

    Click the Configuration tab > Server section > Current Server Document.

    3

    Click Edit Server.

    4

    Click the Security tab.

    5

    Select Yes in the Compare Notes public keys against those stored in the Directory field, as shown below:


    6

    Click Save and Close.

    7

    Restart the server for the changes to take effect.

    Back to Table of Contents

    Protecting the server with Password Checking
    Domino provides administrators with the ability to protect servers from unauthorized or fraudulent access using password checking. A server that has password checking enabled verifies the encrypted information in the user's ID file with the encrypted information in the user's Person document.

    Note: If password checking is enabled, users are not required to enter their password more often than they must if password checking is not enabled.

    Procedure: Enabling Password Checking
    The procedure to enable password checking requires the following:

  • All user and server IDs must be hierarchical.
  • The Administration Process must be set up.

    If the Administration process is not set up, you cannot set up password options for multiple users simultaneously. Instead, you must either manually edit the Person documents, or design an agent to modify the Person documents.

    For details about how the Administration Process enables password checking, see Verifying user passwords during authentication in the Domino 5 Administration Help database.

    Follow these steps to enable password checking.


    Step

    Action

    1

    From Domino Administrator, select the server on which to enable password checking.

    2

    Click the People & Groups tab > Domino Directories section > Address Book section > People view.

    3

    Select the Person documents for which to enable password checking.

    4

    Choose Actions > Set Password Fields, and click Yes to continue.

    5

    Select Check password as shown below:


    6

    (Optional) Enter a Required change interval to indicate the number of days users have to enter a new password.

    7

    (Optional) Enter a Grace period to indicate how frequently users must change their passwords before being locked out from the server that check passwords.

    8

    Click OK.

    9

    Click the Configuration tab > Server section > Current Server Document.

    10

    Click Edit Server.

    11

    Click the Security tab.

    12

    Select Enabled in the Check passwords on Notes IDs field, as shown below:


    13

    Click Save and Close.

    14

    Restart the server for the changes to take effect.

    The Process of checking passwords
    After the administrator enables password checking for users and the server, the following occurs:
    1. The first time the user authenticates with the server, the client uses the user's private key and password to generate a public/private key pair and stores the new key pair in the user's ID file.
    2. The server also stores a digest of the new public key in the Password digest field in the user's Person document.
    3. Each time the user authenticates with this server, the server sends the value stored in the Password Digest field from that user's Person document to the client.
    4. The client then sends back to the server the corresponding public key and a signature signed by the corresponding private key.
    5. The server then verifies that the public key provided matches the digest of the corresponding public key in the user's Person document and that the signature is valid.

    Caution: If an ID is stolen and the thief knows and changes the password, when the thief authenticates with the server, the fraudulent information is stored in the password digest field in the user's Person document. The valid user will not be able to authenticate with the server.
    To address this issue, the administrator must delete the fraudulent value in the Password digest field to lockout the thief, then have the valid user authenticate with the server to store the correct information in the Person document.

    Back to Table of Contents

    Server Security Scenarios
    The following scenarios ask questions to test understanding of the security mechanisms available to protect the server.

    Scenario 1: Preventing access from people using stolen IDs
    Which security mechanisms should be put into place to prevent thieves from using a stolen ID to gain access to servers?

    Answer: Administrators should take the following action:
    1. Enable public key comparison on the servers.
    2. Generate a new public key for any users whose ID was stolen.
    3. Enable password checking on the servers.
    4. Instruct users whose IDs were stolen to change their password.

    Scenario 2: Preventing access by employees who have left the company
    Which security mechanisms should be put into place to prevent employees who have left the company from gaining access to servers?

    Answer: Create a group, such as DenyAcess, and include this group in the Not access server field in the Server document for each server in your domain.

    Scenario 3: Granting access to as server by any Notes users
    Which security mechanism should be in place on a public server to which any Notes users should be allowed access?

    Answer: Set the Allow anonymous Notes connections field to Yes on the Security tab in the Server document.

    Back to Table of Contents

    Protecting a Notes Workstation

    Password basics
    A password is an alphanumeric string of up to 63 characters. It is used to access the ID file on the workstation which, in turn, is used to permit or deny access to a server or server-based database.

    When users enter a password, Notes decrypts the user's private key using the typed password as a key. If a user enters the wrong password, the checksum fails, and the decrypted result is random junk.

    When users change passwords, they must first provide the old password which is used to decrypt the encrypted information contained in the ID. The new password is then used to re-encrypt the ID file.

    Administrators can set up ID file backup and recovery. Using this tool, administrators can recover a backup copy of the ID file if users lose the ID file or forget the passwords. The Implementing a Domino Infrastructure course covers this topic in more detail.

    Password tips for users
    Clear Passwords: As a general practice, users and administrators should clear their user information by pressing F5 each time they leave their workstation. This clears the ID password information from memory. The next person who attempts to access the Notes desktop will be required to enter the password to gain access with the current ID.

    Lock the ID: Choose File > Tools > User Preferences; Basics. Fill in the Lock ID after field to lock the ID file after a specified number of minutes of inactivity. This provides additional security if a user forgets to clear the password.

    Back to Table of Contents

    Automatic Password Protections
    Passwords have a built-in time-delay mechanism to deter password-guessing programs. When a user types the correct password stored in the ID, Domino permits almost immediate access. However, if a user enters the wrong password, Domino delays the time it takes to be able to proceed. Each time the user enters the wrong password, the time delay increases substantially.

    Domino's anti-spoofing mechanism makes it difficult to steal a user's password by writing a password-capturing program that resembles the password prompt dialog box. This mechanism creates a unique icon, which resembles a hieroglyphics pattern when the user types a password.

    Back to Table of Contents

    Procedure: Enabling Multiple Passwords
    Administrators can set up Notes IDs to require multiple passwords. Multiple passwords provide tighter security for certifier ID files by preventing any single person from accessing them. This can dissuade an individual from absconding with the certifier ID. Typically, servers are locked in a secure room, therefore, they would not require multiple passwords for security. Additionally, a password on the server ID prevents an administrator from restarting the server remotely using Domino Administrator.

    An ID can have a maximum of eight passwords. The administrator can determine the number of correct passwords required to use the ID. For example, it is possible to assign up to eight passwords to an ID, yet require only a subset of the assigned number for access.

    Follow these steps to enable multiple passwords.


    Step

    Action

    1

    From Domino Administrator, click the Configuration tab.

    2

    Choose Tools > Certification > Edit Multiple passwords.

    3

    Select the ID to change, and click Open.

    4

    Enter the ID's password, and click OK.

    5

    Enter the number of password's required to access the ID.

    6

    Enter the Authorized user name and New password, then retype the password in the Confirm password field as shown below:


    7

    Click Add to include this authorized user and password in the ID file.

    8

    Instruct the next administrator to repeat steps 6 and 7 to add another authorized user and password to the ID file.

    9

    Click OK.

    Note: Any password assigned to an ID before authorized passwords are assigned, are no longer valid.

    For more on how to set up multiple passwords, see Password-protection for Notes and Domino IDs in the Domino 5 Administration Help database.

    Back to Table of Contents

    Execution Control Lists (ECLs)
    Execution Control Lists (ECLs) limit programs that other users create from performing actions on the file system and databases.

    Every design element in a database is signed using a Notes ID. Notes looks at the signature to determine whether the ECL allows a specific action, such as access to a database or the file system. For example, ECLs can warn users against executing programs from users outside the organization that might sabotage their work. If there is no signature associated with the action (for example, a user sends a mail message containing an action button, but does not sign the message), Notes uses the default ECL access.

    Each workstation includes a default ECL. Administrators can choose whether or not users can update their own ECL. If administrators allow users to manage their workstation ECL, users can access the settings in File >Tools > User Preferences; Basics panel; Security Options button.


    Procedure: Editing the Administration ECL
    The Administration ECL in the Domino Directory is used to:

  • Establish the default ECL for new workstations.
  • Add Notes ID names used to sign documents.
  • Allow or deny users the ability to modify their ECL.

    Follow these steps to edit the Administration ECL in the Domino Directory.


    Step

    Action

    1

    From Domino Administrator, select the server to administer.

    2

    Click the Configuration tab > Server section > All Server Documents view.

    3

    Click inside the Server document window, and choose Actions > Edit Administration ECL. The following figure shows the Administration ECL dialog box.


    4

    Select either Workstation security, Java applet security or JavaScript security to select access.

    5

    Click Add, enter a hierarchical name, and click OK.

    6

    Check the appropriate access levels for the selected name.

    7

    Click OK when done.

    Note: The Administration ECL is used as the default ECL for all new workstations that are set up. To update the ECLs on existing workstations, send an e-mail message to users, and include a button to click that will update the workstation ECL. For more information on updating existing workstation ECLs, see Sending a memo to users to update their ECLs in the Domino 5 Administration Help database. This topic is covered in more detail in the Deploying Domino Applications course.

    ECL Considerations
    Even if the ECL restrictions are stringent and the user is not allowed to modify the workstation ECL, the ECL does not prevent users from executing programs if they choose. However, users do receive the following warning:



    Back to Table of Contents

    Workstation Security Scenarios

    Scenario 1: Protecting shared workstations

    Some workstations in your company are shared by more than one Notes user. Which tools would be appropriate to use to protect a shared workstation?

    Answer: Users at a shared workstation should always do the following:

  • Clear their password before leaving the workstation.
  • Enter a short interval in the Lock ID after field under User Preferences in the event that the user forgets to clear the password.

    Scenario 2: Rolling out custom applications

    Your company has a group of application developers that design the company's applications. Which tools would be appropriate to ensure that all employees grant the appropriate access to use the company's applications?

    Answer: Add the application developers' names to the Administration ECL, granting them all access. Then, send a memo to users to refresh the workstation ECL.

    Scenario 3: Protecting IDs

    On which of the following IDs would it be appropriate to require multiple passwords?

  • Organization certifier ID
  • Organizational unit certifier ID
  • Server ID
  • User ID

    Answer: Organization and organizational unit certifier IDs. It is typically unnecessary to require multiple passwords for server and user IDs.


    Back to Table of Contents

    Server Access Scenarios

    In each of the following scenarios, the administrator must perform a series of tasks in order to allow the appropriate access. Read the scenario and identify the decisions the administrator must make and the actions to take. The answers follow the second scenario.

    Scenario 1: Connecting Servers in Two Domains for Mail Routing
    There are two Domino domains: World and Earth. Each domain wants to connect to the other for mail routing purposes only. The servers are set up as follows:

  • World's server (PTMail01/SVR/World) has been designated as the company's external server.
  • Earth' server (PreSales/SVR/Earth) has been designated as the external server for Earth.



    From a security perspective, what should the administrator consider and do to connect the servers in these two domains for mail routing?

    Scenario 2: Connecting Servers in Two Domains for Database Access
    A consultant, Charlie Doucette/Saturn/Planet, needs to communicate with servers in the World Domain. World has many servers, all of which are identified in their own organizational unit, /SVR/World.

    The relationship between the companies, Planet and World, is such that Charlie should be allowed to assist in the development of any database. How should security be set up? Are there any database security issues you can spot?

    Scenario Solutions

    Answer to Scenario 1: Connecting Two Domains for Mail Routing
    To connect servers in the World and Earth Domains for mail routing only, the administrators at each site should complete the following tasks.

    1. Since there is no evidence that their hierarchical names have any ancestors in common, servers in the World and Earth domains should cross-certify. Cross certify World and Earth at the Server ID level, as follows:
    • Cross-certificate for PTMail01/SVR/World issued by PreSales/SVR/Earth is stored in Earth's Domino Directory.
    • Cross-certificate for PreSales/SVR/Earth issued by PTMail01/SVR/World is stored in World's Domino Directory.


    The administrator should consider future communications, such as whether or not another server in the World Domain will need to communicate with another server in the Earth Domain, and what the certification model for that domain is. The best practice is to issue a cross-certificate on the Server ID level to provide the highest protection in the organization.

    2. Modify the Server Access lists in each server's Server document to ensure that the servers will be granted access to each other.

    3. Create a Connection document in each domain's Domino Directory:
    • PTMail01/SVR/World calls and routes mail to PreSales/SVR/Earth; stored in World's Domino Directory.
    • PreSales/SVR/Earth calls and routes mail to PTMail01/SVR/World; stored in Earth's Domino Directory.

    4. Ensure the default Access Control List (ACL) on MAIL.BOX is Depositor. This allows the router for both servers to place mail in the file.

    5. Add each server's name to the group designated for other domains, such as OtherDomainServers.

    Answer to Scenario 2: Connecting Two Domains for Database Access
    Security between the World and Planet domains would best be configured as follows:

    1. The most secure option is to cross-certify Charlie and the OU for World's servers. This allows Charlie to work from his own workstation; however, his ID would be the only one allowed to communicate with World's servers. Others certified by /Saturn/Planet would not be able to authenticate. Cross-certify as follows:

    • Cross-certificate for Charlie Doucette/Saturn/Planet issued by /SVR/World stored in World's Domino Directory.
    • Cross-certificate for /SVR/World issued by Charlie Doucette/Saturn/Planet stored in Charlie Doucette's Personal Address Book.

    Note: If replication between servers is necessary, Charlie's server would have to be cross certified with the OU for World's servers.

    2. Update the Server Access lists for World's servers to allow Charlie (and the server) access to:
    • The server
    • (Optional) Create new databases
    • (Optional) Create replica databases
    • (Optional) Run restricted, unrestricted and/or personal agents

    Note: Make sure that the Only allow server access to users in this Directory is set to No on the servers that Charlie needs to access. Otherwise, create a Person document for Charlie Doucette.

    3. Update the ACLs for the databases on which Charlie will work to allow Charlie to make changes. The database administrator may decide to provide such access by means of a group.

    Back to Table of Contents

    •     About IBM      Privacy      Contact