Home
Securing
This section describes security features, including execution control lists, IDs, and TLS.
Server access for Notes® users, Internet users, and Domino® servers
To control user and server access to other servers, Domino® uses the settings you specify on the Security tab in the Server document as well as the rules of validation and authentication. If a server validates and authenticates the Notes® user, Internet user, or server, and the settings in the Server document allow access, the user or server is allowed access to the server.
Customizing access to a Domino® server
After you set up basic access for HCL Notes® users and HCL Domino® servers, you can customize access to restrict specific users and servers to specific activities.
Denying Notes® users access to all servers in a domain
To deny Notes® users access to all servers in a domain, lock out their user IDs and enable password checking. When locked-out users try to access the server, Domino® tries to verify the passwords they enter by comparing them against those stored in Person documents. Domino denies the users access because their IDs are locked out.

Securing
This section describes security features, including execution control lists, IDs, and TLS.
- Overview of Domino security
  Setting up security for your organization is a critical task. Your security infrastructure is critical for protecting your organization's IT resources and assets. As an administrator, you need to give careful consideration to your organization's security requirements before you set up any servers or users. Up-front planning pays off later in minimizing the risks of compromised security.
- Server access for Notes® users, Internet users, and Domino® servers
  To control user and server access to other servers, Domino® uses the settings you specify on the Security tab in the Server document as well as the rules of validation and authentication. If a server validates and authenticates the Notes® user, Internet user, or server, and the settings in the Server document allow access, the user or server is allowed access to the server.
  - Setting up Notes® user, Domino® server, and Internet user access to a Domino® server
    You can specify Notes® users and Domino® servers that are allowed to access the server, as well as users who access the server using Internet protocols (HTTP, IMAP, LDAP, POP3). If your system uses multiple Domino Directories, Domino searches only the first Domino Directory specified in the Names setting in the NOTES.INI file for Notes users. If you have enabled the server access settings for Internet protocols, you can also specify users from secondary Domino directories and external LDAP directories in the Allow or Deny access lists.
  - Customizing access to a Domino® server
    After you set up basic access for HCL Notes® users and HCL Domino® servers, you can customize access to restrict specific users and servers to specific activities.
    - Denying Notes® users access to all servers in a domain
      To deny Notes® users access to all servers in a domain, lock out their user IDs and enable password checking. When locked-out users try to access the server, Domino® tries to verify the passwords they enter by comparing them against those stored in Person documents. Domino denies the users access because their IDs are locked out.
    - Restricting administrator access
      You can specify various access levels for different types of administrators in your organization. For example, you may want to give only a few people 'system administrator' access, while all of the administrators on your team are designated as database administrators.
    - Comparing public key values
      The signatures on user and server certificates exchanged during authentication are always checked. You can enable an additional level of verification for public keys, by having the value of the key passed in the certificates checked against the value of the key listed in the HCL Domino® Directory. It is possible for users to authenticate with a server, but have a mismatch between the value of the public keys in their certificates and what is listed for them in the Domino Directory.
    - Setting up anonymous server access for Notes® users and Domino® servers
      When a server is set up for anonymous access, Notes® users and Domino® servers do not need a valid certificate to access the server, since the server does not validate or authenticate them. Use anonymous access to allow users and servers outside your organization to access a server without first obtaining a certificate for the organization. You can also set up anonymous access for Internet/intranet users.
    - Controlling access to a specific server port
      Use a port access list to allow or deny HCL Notes® user and HCL Domino® server access to a specific network port. If you use a port access list and a server access list, users and servers must be listed on both to gain access to the server.
    - Controlling creation of databases, replicas, and templates
      To manage available disk space, control which users and servers are allowed to create databases and replicas on a server. If your system uses multiple Domino® Directories, HCL Domino searches only the first Domino Directory specified in the Names setting in the NOTES.INI file.
    - Controlling the use of headline monitors
      Notes® users can set up their headlines to search server databases automatically for items of interest. You can control which users can or cannot access this server for headlines. This task applies toHCL Notes users only.
    - Controlling access to a pass-through server or pass-through destination
      A pass-through server allows users and servers to use a pass-through connection to connect to another server. The server to which users connect is called a pass-through destination. You can control which users and servers can access a pass-through server and pass-through destination.
    - Controlling agents and XPages that run on a server
      You can control the types of agents and XPages that users can run on a server. The fields in this section are organized hierarchically with regard to privileges. For example, Sign or run unrestricted methods and operations has the highest level of privilege and Run Simple and Formula agents has the lowest. A user or group name in one list automatically receives the rights of the lists beneath. Therefore a name has to be entered in only one list, which then gives that user the highest rights.
    - Controlling Web browser access to files
      You can use File Protection documents and Web realms to control Internet/intranet access to files on the servers.
    - Restricting access to a server's data directory
      By default, any Notes® user who can access a server can access the server's entire data directory. You can restrict Notes user access to a server's data directory or a subdirectory of the data directory by defining an access list, or ACL file, for it. ACL files are an option for protecting server directories, and contain the names of users authorized to access those directories.
    - Physically securing the Domino® server
      Physically securing servers and databases is just as important as preventing unauthorized user and server access. Therefore, locate all Domino® servers in a ventilated, secure area, such as a locked room. If servers are not secure, unauthorized users might circumvent security features -- for example, ACL settings -- access applications on the server, use the operating system to copy or delete files, and physically damage the server hardware itself.
  - Validation and authentication for Notes® and Domino®
    Whenever a Notes® client or Domino® server attempts to communicate with a Domino server to replicate, route mail, or to access a database, two security procedures use information from the client or server ID to verify that the client or server is legitimate. Validation establishes trust of the client's public key. If validation occurs successfully, authentication begins. Authentication verifies user identity, and uses the public and private keys of both the client and the server in a challenge/response interaction.
- The database access control list
  Every .NSF database has an access control list (ACL) that specifies the level of access that users and servers have to that database. Although the names of access levels are the same for users and servers, those assigned to users determine the tasks that they can perform in a database, while those assigned to servers determine what information within the database the servers can replicate. Only someone with Manager access can create or modify the ACL.
- Domino® server and Notes® user IDs
  Domino® uses ID files to identify users and to control access to servers. Every Domino server, Notes® certifier, and Notes user must have an ID.
- The execution control list
  You use an execution control list (ECL) to configure workstation data security. An ECL protects user workstations against active content from unknown or suspect sources, and can be configured to limit the action of any active content that does run on workstations.
- Domino® server-based certification authority
  You can set up a Domino® certifier that uses the CA process server task to manage and process certificate requests. The CA process runs as a process on Domino servers that are used to issue certificates. When you set up a Notes® or Internet certifier, you link it to the CA process on the server in order to take advantage of CA process activities. Only one instance of the CA process can run on a server; however, the process can be linked to multiple certifiers.
- TLS security
  Transport Layer Security (TLS) is a security protocol that provides communications privacy and authentication for Domino® server tasks that operate over TCP/IP.
- TLS and S/MIME for clients
  Clients can use a Domino® certificate authority (CA) application or a third-party CA to obtain certificates for secure TLS and S/MIME communication.
- Encryption
  Encryption protects data from unauthorized access.
- Web-based authentication
  Define and set up authentication methods for web users, for example through basic password authentication, passkeys, time-based one-time password, or single sign-on.
- Using Domino as an OIDC provider
  The Domino HTTP task can act as an OIDC identity provider. This feature allows administrators to leverage their existing Domino HTTP authentication experience -- including passkeys, TOTP, custom domcfg login forms, and external identity providers -- to authenticate end users with applications, servers, and services that support OIDC.
- Using a credential store to store credentials
  A Domino® server can use a credential store application as a secure artifact repository. Examples of secure artifacts include authentication credentials and security keys.
- History of supported key sizes in Notes and Domino
  Understand the RSA key sizes supported by Notes® and Domino® from past releases to the current release.

Denying Notes® users access to all servers in a domain

To deny Notes® users access to all servers in a domain, lock out their user IDs and enable password checking. When locked-out users try to access the server, Domino® tries to verify the passwords they enter by comparing them against those stored in Person documents. Domino® denies the users access because their IDs are locked out.

Before you begin

Make sure that the Administration Process is set up and that you have Editor access in the ACL of the Domino® Directory.

About this task

This procedure applies only to Notes® users. It does not apply to Internet users attempting to access a Domino® server.

It is better to lock out user IDs than to add a group to the Not access server field. Using ID lockout ensures that users cannot view a list of names that have been denied server access.

Note: You cannot use both a policy and a Person document to enable ID lockout. Policy settings always supersede any settings in Person documents.

Procedure

From the Domino® Administrator, click the People & Groups tab, and select the Person documents of users to whom you want to deny access.
Select Actions > Set Password Fields, and then click Yes when prompted to continue.
In the Check Notes password field, select Lockout ID, and then click OK.