Server security
To secure Domino® servers, you allow and prevent user and server access.
You can restrict the activities that users and servers may perform on the server.
| Task | Use |
|---|---|
| Choose an internal or external Internet certificate authority. | Set up a certifier that will be used to issue Internet certificates in your organization. |
| Cross-certify Notes® user IDs and Domino® server and certifier IDs. | Allow Notes® users and Domino® servers in different hierarchically certified organizations to ascertain the identity of users and servers in other Notes® organizations. |
| Allow or deny access to a server. | Specify which Notes® users, Internet clients, and Domino® servers are authorized to access the server. |
| Allow anonymous server access. | Give server access to Notes® users and Domino® servers outside of the organization without issuing a cross-certificate. |
| Allow anonymous Internet/intranet client access. | Determine whether Internet/intranet users are allowed to access the server anonymously. |
| Secure the server with name-and-password authentication. | Identify Internet and intranet users accessing the server and control access to applications based on the user name. |
| Enable session-based authentication. | Allow Web browser clients to authenticate and maintain state with the server by using cookies, with session-based name-and-password authentication. Session-based authentication lets administrators provide a customized sign-in form and configure session expiration to log users off the server after a specified period of inactivity. It also provides single sign-on between Domino® and WebSphere® servers, using the same cookie. |
| Control the level of authentication for Web clients. | Specify the level of refinement that the server should use when searching for names and authenticating Web users. |
| Limit access to create new databases, replicas, or templates. | Allow specified Notes® users and Domino® servers to create databases and replica databases on the server. Limiting this access avoids a proliferation of databases and replicas on the server. |
| Control access to a server's network port. | Allow specified Notes® users and Domino® servers to access the server over a port. |
| Encrypt the server's network port. | Encrypt data sent from the server's network port to prevent network eavesdropping. |
| Password protect the server console. | Prevent unauthorized users from entering commands at the server console. |
| Restrict administrator access. | Assign different types of administrator access to individuals based on the tasks they need to do on the Domino® server. |
| Restrict server agents. | Specify which Notes® users and Domino® servers are allowed to run which kinds of agents on the server. |
| Restrict pass-through access. | Specify which Notes® users and Domino® servers can access the server as a pass-through server and specify the destinations they may access. |
| Restrict server access by browser users running Java™ or JavaScript™ programs. | Specify which Web browser users can use Domino® ORBs to run Java™ or JavaScript™ programs on the server. |
| Secure the server with TLS. | Set up TLS security for Internet/intranet users to authenticate the server, encrypt data, prevent message tampering, and, optionally, authenticate clients. This is mandatory for e-commerce and secure business-to-business messaging. |
| Set mail router restrictions. | Restrict mail routing based on Domino® domains, organizations, and organizational units. |
| Set inbound SMTP restrictions. | Restrict inbound mail to prevent Domino® from accepting unwanted commercial e-mail. |
| Use S/MIME. | Use S/MIME to encrypt outgoing mail. This is often mandatory for secure business-to-business messaging. |
| Prevent relaying through MTA. | Enhance SMTP router security. |
| Use file protection documents. | Specify who can access files -- for example, HTML, GIF, or JPEG -- on a server's hard drive. |
| Authenticate Internet clients using a secondary Domino® Directory or LDAP directory. | Authenticate Web clients who use name-and-password or TLS client authentication in secondary Domino® or LDAP Directories marked as "trusted" by your domain. |
| Authenticate Web clients for a specific realm. | Allow Web users to access a certain drive, directory, or file on a Domino® server and prevent Domino® from prompting users for a name-and-password for different realms. |
| Locate the server in a secure area. | Prevent unauthorized access to unencrypted data and server and certifier IDs that are stored on the server's hard drive. |
| Secure the server console with a Smartcard. | Prevent unauthorized access to the server console by requiring the use of a Smartcard to log in to Domino®. |
| Use a firewall to protect access to a server. | Control unauthorized access to a private network from the public Internet. |
| Restrict access to a server's data directory. | Use ACL files to protect server directories by specifying the names of users authorized to access those directories. |