Protecting Domino Directory in IBM Lotus Domino Web server deployments
The purpose of this technote is both to remind IBM Lotus Domino Web server customers to review the configuration of Internet-facing Web servers to ensure they are securely configured and to provide a set of reference resources.
Public Web servers are one of the most attacked targets in any enterprise, owing both to their location and to the valuable, exploitable information they contain. Included in that valuable information on the Domino Web server is the Domino Directory. One common mistake is the insecure configuration of the Domino Directory. Below is a list of options to protect Domino Directory when securing a Domino Web server.
Secure the Domino Web server
These articles provide an overview, explanation and step-by-step configuration for configuring a Domino Web server:
"Securing an IBM Lotus Domino Web Server"
"Securing an IBM Lotus Domino Web Server: Case Study"
Protect the Domino Directory
Lock down the Directory ACL. By default, users must authenticate to the Domino Web server to gain reader access to the Domino Directory. In the ACL, Anonymous is set to "No Access" and Default is set to "Reader", which will force all users to authenticate. Never allow anonymous access to Domino Directory.
Place the Domino Web server in a DMZ
Place the Domino Web server in a DMZ, a separate subnetwork where, in the event of compromise, the attacker gains access only to the systems in the DMZ and nothing else. Domino Web servers in the DMZ should communicate with only specified internal systems and only through a firewall. "Configuring iNotes Web Access with a WebSphere Edge Reverse Proxy Server" explains how to set up your Domino Web server so that you can use iNotes to access your Domino mail file through a public browser, and do so in a secure environment. This article uses WebSphere Edge as the reverse proxy server. This article assumes that you are an experienced iNotes administrator and are familiar with Domino and WebSphere Edge server environments.
Choose a non-Domino Directory for password storage
"Streamlining Passwords and Achieving SSO for Users on Windows platforms" surveys the features available to reduce the number of passwords needed by your system, with the additional benefit of providing single sign-on for users. Furthermore, many LDAP directories provide different mechanisms for protecting information suitable to differing security requirements. "How Can Domino be set up to work with different LDAP directories" explains how to configure Domino Directory Assistance to use LDAP (instead of Domino Directory) to store information about users.
Since passwords are numerous, difficult to remember and an attractive target for hackers, Domino supports various single sign-on technologies to minimize the use of passwords and, thereby, any representation of them in the directory subsystem, Domino or otherwise. "Single Sign-on in a Multi-Directory World: Part 1" looks at SSO basics and issues arising in a multi-directory, multi-identity environment. "Single Sign-on in a Multi-Directory World: Part 2" examines case studies and considerations arising in particular environments and configurations.
Administrators may also wish to consider replacing password-based authentication with certificate-based authentication using SSL and client-side certificates. "Domino CA and SSL Certificates" discusses deployment of SSL certificates to obviate the need for passwords.
Passwords are your first line of defense in protecting users, systems and information. Weak passwords can be guessed quickly regardless of how well they or their hashes are protected. Require strong passwords. Administrators can configure a custom password policy for iNotes users as described in "How to Implement a Custom Password Policy for iNotes users".
Apply the more secure Internet password format for all users. Domino offers the choice of three algorithms for storing the Internet password in the Person record. To upgrade existing Person documents, select the Person documents from the view and select Actions -> Upgrade to More Secure Internet Password Format. This action runs an agent to enforce the use of the salted hash. To ensure that the more secure Internet password format is used when creating new Person records, edit the Directory Profile from Actions -> Edit Directory Profile and select "Yes" for the "Use more secure Internet password format" field. This requires Domino 5.0.6 or higher.
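The two checks above (Anonymous set to "No Access" in the Directory ACL, and Person documents upgraded to the more secure Internet password format) can be audited from a server agent. The following LotusScript agent is an added example, not code from this technote or from IBM; it assumes it is run on the server that hosts the Domino Directory, that the directory is names.nsf with its standard "People" view, and that the salted hash can be recognised by the "(G" prefix of the HTTPPassword item (that prefix is an assumption about the field's format, not something stated on this page). It only reads the directory and prints a summary to the agent log; it changes nothing, so the upgrade itself is still done with the "Upgrade to More Secure Internet Password Format" action.

```lotusscript
' Added audit agent (not IBM's code): reports whether names.nsf allows
' anonymous read access and how many Person documents still carry the
' legacy (unsalted) Internet password format.
' Assumptions, labelled: the agent runs on the server that hosts the
' directory, and the salted format is recognised by the "(G" prefix of
' the HTTPPassword item (assumption about the field's format).
%INCLUDE "lsconst.lss"   ' supplies the ACLLEVEL_* constants

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim effective As Integer

    Set db = session.GetDatabase("", "names.nsf")   ' this server's Domino Directory

    ' --- ACL check: Anonymous must be No Access ---
    Set acl = db.ACL
    Set entry = acl.GetEntry("Anonymous")
    If entry Is Nothing Then
        ' No explicit Anonymous entry: anonymous users receive the -Default- level
        effective = acl.GetEntry("-Default-").Level
    Else
        effective = entry.Level
    End If
    If effective <> ACLLEVEL_NOACCESS Then
        Print "FAIL: Anonymous has access level " & effective & " to " & db.FilePath
    Else
        Print "OK: Anonymous has No Access to " & db.FilePath
    End If

    ' --- Password format check over every Person document ---
    Dim view As NotesView
    Dim doc As NotesDocument
    Dim hash As String
    Dim legacy As Long, secure As Long, unset As Long

    Set view = db.GetView("People")
    Set doc = view.GetFirstDocument
    Do Until doc Is Nothing
        hash = doc.GetItemValue("HTTPPassword")(0)
        If hash = "" Then
            unset = unset + 1        ' no Internet password set for this person
        ElseIf Left$(hash, 2) = "(G" Then
            secure = secure + 1      ' assumption: "(G" marks the salted format
        Else
            legacy = legacy + 1      ' candidate for the upgrade action
        End If
        Set doc = view.GetNextDocument(doc)
    Loop
    Print "Person documents: " & secure & " salted, " & legacy & _
        " legacy format, " & unset & " without an Internet password"
End Sub
```

Schedule the agent to run on the directory server with a signer that has Reader access to names.nsf, and review the log line it prints: any non-zero "legacy format" count means the upgrade action has not yet reached every Person document, and a FAIL line on the ACL check means the directory is readable without authentication.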
To defend against brute force password guessing attacks, see the Domino Administrator Help topic on configuring Internet Password Lockout (3-strikes) to limit the number of allowable attempts at typing a password.
Finally, as a means to limit insider attacks against the password hash in Domino Directory, administrators may follow "Configure XACLs to Protect Internet Password Hash in Domino Directory".
Category: Messaging Applications
Product: IBM Domino
Component: Security
Platforms: AIX, AIX 64bit, i5/OS, IBM i, Linux, Linux iSeries, Linux zSeries, Solaris, Windows, Windows 64bit, z/OS
Versions: 8.5, 8.0, 7.0, 6.5, 6.0