Using xACLs to secure Internet passwords

One way to secure Internet passwords is to use Extended ACLs (xACLs), which control access at each level of the naming hierarchy and at the form and field level. For Internet passwords stored in the Domino® Directory, administrators can set up xACLs so that the HTTPPassword field of a Person document is readable and writable only by the user it belongs to (for changing their own password) and by administrators (for administrative password changes); everyone else is denied both read and write access.

Procedure

  1. First, enable extended access for the Domino® Directory:
    1. Open the database, and choose File > Application > Access Control.
    2. Make sure you have Manager access in the database ACL.
    3. Click Advanced, and then select Enable Extended Access.
    4. Click Yes to continue when prompted: Enabling extended access control enforces additional security checking. See Domino Administrator Help for more details. Do you want to continue?
    5. If the advanced database ACL option Enforce a consistent Access Control List across all replicas is not yet enabled, you are prompted Consistent access control must be enabled first. Do you want to enable it now? Click Yes.
    6. Click OK at the prompt If more than one administrator manages extended access control for this database, enable document locking on the database to avoid conflicts.
    7. Click OK in the Access Control List dialog box.
    8. When the message Enabling extended access control restrictions. This may take a while. displays, click OK.
  2. Next, set up the extended access to secure Internet passwords:
    1. Open the database, and choose File > Application > Access Control.
    2. Click Extended Access. The Extended Access dialog box appears.
    3. In the Target pane, select the root [ /] and click Add.
    4. In the Access List pane, select Default.
    5. Click Form and Field Access. The Form and Field dialog box appears.
    6. In the Forms list box, select Person. Leave the access settings for Forms blank.
    7. In the Fields list box, select the HTTPPassword field.
    8. In the access settings for the HTTPPassword field, select Deny for both the Read and Write parameters.
    9. Repeat this process for the dspHttpPassword field in the Person form (if it appears).
    10. Click OK.
    11. Back in the Extended Access dialog box, click the Add button.
    12. Select Self.
    13. In the Access List pane, select Self.
    14. Click Form and Field Access. The Form and Field dialog box appears.
    15. In the Forms list box, select Person. Leave the access settings for Forms blank.
    16. In the Fields list box, select the HTTPPassword field.
    17. In the access settings for the HTTPPassword field, select Allow for both the Read and Write parameters, and click OK.
    18. Repeat this process for the dspHttpPassword field in the Person form (if it appears).
    19. Click OK.
    20. Back in the Extended Access dialog box, click on the Add button.
    21. Select Name.
    22. In the Add User dialog box, select the local administrators group, for example "LocalDomainAdmins" and click OK.
    23. In the Access List pane, select the local administrators group you just added.
    24. Click Form and Field Access. The Form and Field dialog box appears.
    25. In the Forms list box, select Person. Leave the access settings for Forms blank.
    26. In the Fields list box, select the HTTPPassword field.
    27. In the access settings for the HTTPPassword field, select Allow for both the Read and Write parameters, and click OK.
    28. Repeat this process for the dspHttpPassword field in the Person form (if it appears).
    29. Repeat steps 20 through 28 for the local servers group, for example "LocalDomainServers", and for any other administrative group or person account that must access users' Internet passwords.
      Table 1. Access List entries for the HTTPPassword field in the Person form

      Access List entry              Read Access setting   Write Access setting
      Self                           Allow                 Allow
      [Local administrators group]   Allow                 Allow
      [Local servers group]          Allow                 Allow
      Default                        Deny                  Deny
    Note:
    • If an Anonymous entry was previously defined in the access list, set it to Deny for both Read and Write on the HTTPPassword field and, if it appears, the dspHttpPassword field in the Person form.
    • Once xACLs are enabled for a Domino® Directory, anonymous LDAP access is no longer controlled by the list of fields in the All Servers Configuration document. Because the default xACL setting for Anonymous is "No Access", all anonymous LDAP searches fail once xACLs are enabled; if anything in your environment depends on anonymous LDAP lookups, account for that before you enable extended access.
    • When an xACL is in effect and you copy a Person document with "Copy to Personal Address Book" in names.nsf, the resulting local contact does not sync to the mail file and cannot be edited.
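The procedure above changes the policy but gives no way to confirm that the HTTPPassword field is actually hidden from everyone except Self and the administrative groups. The script below is an added example, not part of the Domino documentation or the product: it parses the LDIF that ldapsearch prints and applies the access table above to it. It assumes that the Domino LDAP service exposes Person-document fields as attributes named after the fields (httppassword, dsphttppassword); the host name, DNs and ldapsearch command in its docstring are placeholders for your environment, and the LDIF samples embedded in it are constructed, not captured from a server. An empty result set from an anonymous bind is reported as 'no-entries', which is the expected outcome described in the notes above.

```python
"""Audit ldapsearch (LDIF) output for the Internet-password fields the xACL
on this page hides. Added example, not from the Domino documentation.
Assumes Domino LDAP exposes Person fields as attributes named after them
(HTTPPassword -> 'httppassword'); host, DNs and flags are placeholders:
  ldapsearch -x -H ldap://domino.example.com -b o=Acme -D "cn=Alice Smith,o=Acme" -W \\
    "(cn=Bob Jones)" httppassword dsphttppassword | python3 check_xacl.py "cn=Alice Smith,o=Acme"
"""
import base64
import sys
from typing import Dict, List

SENSITIVE_ATTRS = {"httppassword", "dsphttppassword"}  # Deny for Default/Anonymous


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """LDIF -> entries (lower-cased attribute -> values); handles folded lines,
    base64 ('::') values, comments, and the dn-less 'search:/result:' trailer."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of previous line
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:             # only real entries carry a dn
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if value.startswith(":"):           # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name, []).append(value)
    return entries


def _norm_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN comparison key."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def audit(ldif: str, bind_dn: str, privileged: bool = False) -> Dict[str, object]:
    """Apply the page's access table: Self and privileged binds (admin/server
    groups) may read the fields; anyone else seeing them on another user's
    entry violates Default = Deny. bind_dn "" means an anonymous bind, for
    which an empty result ('no-entries') is the expected outcome."""
    entries = parse_ldif(ldif)
    violations: Dict[str, List[str]] = {}
    for entry in entries:
        dn = entry["dn"][0]
        is_self = bool(bind_dn) and _norm_dn(dn) == _norm_dn(bind_dn)
        if is_self or privileged:
            continue
        leaked = sorted(a for a in SENSITIVE_ATTRS if entry.get(a))
        if leaked:
            violations[dn] = leaked
    verdict = "no-entries" if not entries else "violation" if violations else "clean"
    return {"entries": len(entries), "violations": violations, "verdict": verdict}


# Constructed samples, not captured from a server; the hash is a placeholder.
LDIF_BEFORE_XACL = """\
dn: cn=Bob Jones,o=Acme
cn: Bob Jones
mail: bob.jones@example.com
httppassword: (GPLACEHOLDER-NOT-A-REAL-HASH)
dsphttppassword: (GPLACEHOLDER-NOT-A-REAL-HASH)

# search result
search: 2
result: 0 Success
"""
LDIF_AFTER_XACL = """\
dn: cn=Bob Jones,o=Acme
cn: Bob Jones
mail: bob.jones@example.com

search: 2
result: 0 Success
"""
LDIF_ANONYMOUS_AFTER_XACL = "search: 2\nresult: 0 Success\n# numEntries: 0\n"

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    report = audit(sys.stdin.read(), args[0] if args else "", "--privileged" in sys.argv)
    print(report)
    sys.exit(1 if report["verdict"] == "violation" else 0)
```

Run it against at least two binds: a regular user searching for someone else's entry should come back 'clean' (or 'no-entries'), while the same user searching for their own entry may legitimately get the field back, which is why the bind DN is compared against each returned entry's DN. Pass --privileged when the bind is a member of the administrators or servers group, since the table allows those to read the field.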