IBM Support

Ask the Experts Q&A session: Managing Domino - Securing your Domino Server - 27 May 2014



IBM hosted an Ask the Experts Q&A session on May 27, 2014. The topic was "Managing Domino - Securing your Domino Server." Brandon Kutsch gave a short demo and he was joined by several other members of the Domino Support and Development teams for Q&A.


Audio Replay

Securing your Domino Server - Ask the Experts - 27 May 2014.mp3Securing your Domino Server - Ask the Experts - 27 May 2014.mp3
  • 32:14 minutes long
  • Q&A starts at 9:30

This session's demo covered three different strategies to restrict access over iNotes. You can use them concurrently or pick and choose.

#1 - Denying a Deny Access Group access thru the port by enforcing server access settings.

#2 - Changing some properties on the mail file. The "Maximum name and password in ACL"; the database property "Don't allow URL open";

#3 - Edit Person document directly and remove the Internet Password
    *Note: This last strategy won't work if your users are authenticating over an across an external address book like over LDAP or some external authentication model. But if you control how they log in, you control the Person document, you can modify it to change their name or change their Internet password to keep them from authenticating.

Q. Is there an easy way to expire the Notes User's Internet password every 90 days and then, can the user change it without I/T assistance?
Via policy you can sync the Notes password with Internet password, so that Security policies used for Notes users essentially get applied to Web access as well.

Q. What about passwords on Server IDs or securing Domino using HTTPS? I have heard that best practices are to have a password on all server IDs.
  • As far as best practice with having a password on all server IDs, it is typical for us to NOT have a password on server IDs. When I say that I think about when we have customers who are in an environment where they're logging into Domino as a Windows service. In order for that to work, you can't have a password on the Server ID. So it is common for us to not have a password on Server IDs.
  • There are a range of options:
    • Option 1: You can have a Server ID, as mentioned, without a password on it, which facilitates automated reboot. In many cases, that server also has environmental security, somehow the server is physically secure to compensate for that.
    • Option 2: You could have a Server ID with a password. Yes, that's a good thing but it makes automated restart difficult.
    • Option 3: There's an option to protect your Server ID with a SmartCard. For instructions for protecting the with a SmartCard, see the following article "Securing your Notes ID vault server "

Q. We want to change the password on a User's ID file. Can we force a user to change their password on next logon (logging in via the Notes client)? Other than via a policy, because of the time involved.
- You should be able to use a policy to force a user to change their password on next login. No ways other than via the Policy. There's always ways you could speed up the timing. You could force replication, you could probably have a password reset done. 5 minutes to create the policy, apply it to the user and force replication.

- Another option is if you are using ID Vault, there's the Reset Password option in there. You could reset the password from the Vault perspective. The next time the user does log in they would have to change the password because the Admin changed it to something random usually.

Q. Is there a way that you can not have a password and ensure any other extra measure of security? Or if you have a password on your server and your Domino box freezes or panics/crashes, is it always going to wait to for you to put in a password? Is there any other way to do that ?
Not really a way around that unless you had some sort of batch file that detected all this neat stuff and put in the password for you.

Q. Is there any way to have any sort of notification when the server goes down?
You can use DDM and Events4.nsf and create a probe that will go out and test for any Domino server to make sure it is up and running. And if it's not it could contact you. You could set it to each particular type of experience whether it's a crash or hang and you could choose the type of notification (text, phone call, page, email somebody else).

Q. For DDM, would you have to configure it on one server and then replicate it out so that if one is down the DDM on the other server could cover it? What's the best practice there?
- DDM is the Domino domain monitoring. So you configure everything in one location and, yes, those changes have to replicate out. But you could control that by specifying whether you want to monitor only one server or all servers in your environment. So with one document, with one change, you can control pretty much your entire set of Domino servers.

- DDM is more of the this is what's going on. Events4 is where you can configure the type of notification you want. For more information, refer to the following Help topics:

- We also have a Server Health Monitor that you might want to look at as well. Server Health Check.
  • Health Check (from the IBM Redbooks: Optimizing Lotus Domino Administration)

Q. Is Domino Configuration Tuner still supported?
- Yes.
About Ask the Expert Q&A sessions
Ask the Expert Q&A sessions is a new program where the main focus is having technical experts answer your questions. Additional topics in the Managing Domino series include:

Original publication date


Document information

More support for: IBM Domino

Software version: 8.5.3, 9.0, 9.0.1

Operating system(s): Windows

Reference #: 7041956

Modified date: 27 May 2014

Translate this page: