Physically securing the Domino® server

Physically securing servers and databases is just as important as preventing unauthorized user and server access. Therefore, locate all Domino® servers in a ventilated, secure area, such as a locked room. If servers are not secure, unauthorized users might circumvent security features -- for example, ACL settings -- access applications on the server, use the operating system to copy or delete files, and physically damage the server hardware itself.

About this task

To ensure maximum physical security for servers, do one or more of the following:

  • Use the server without a mouse, and keep the keyboard locked.
  • Password-protect the server ID. If an ID uses a password, you must manually restart the server rather than restart it automatically. To restart the server, you must know the server password.
  • Use the Set Secure command to password-protect the console and restrict what can be done while the server is running.
  • Use the Local Security option to encrypt databases on the server with the server ID. Then people at the server can access databases only if they have access to the server ID that was used to encrypt the databases.
  • Use operating system features to secure data files and lock keyboard access. For more information, see your operating system documentation.

Securing the server console with a Smartcard

About this task

Notes® users can use a Smartcard with their User ID to log in to Notes®. Smartcard use requires the installation of a Smartcard reader on the user's computer, along with the Smartcard software and drivers. The advantage of using a Smartcard with Notes® is that the Smartcard locks User ID. Logging into Notes® with a Smartcard requires the Smartcard, the User ID, and the user's Smartcard PIN.

Administrators can take advantage of Smartcard security to physically secure the Domino® server console. In this case the administrator would be locking the Server ID with the Smartcard. Before you begin complete the following tasks:

  • Have the Domino® server workstation on, but do not launch the Domino® server software.
  • Modify the Domino® server's NOTES.INI file to include a variable, PKCS11_Library=, that points to the Smartcard PKCS#11 file. This file will be loaded during Smartcard installation. For example:

    PKCS11_Library=C:\Program Files\Schlumberger\Smart Cards and Terminals\Common Files\slbck.dll

For more information about how Notes® users set up Smartcards, see the topic about enabling Smartcards for Notes® login in the HCL Notes® Help.

CAUTION: If you do not modify the server's NOTES.INI file to include the PKCS11_Library variable, when you try to launch the Domino® server, it will shut down and return a Login aborted by user error.

Procedure

  1. On the Domino® server workstation, install a Smartcard reader and Smartcard driver files.
  2. On a Notes® client workstation, install a Smartcard reader and the same Smartcard driver files as you installed on the Domino® server. This workstation will be used to configure the Smartcard for the server.
  3. Copy the SERVER.ID from the Domino® server onto a memory device. Insert the device into the Notes® workstation.
  4. Launch the Notes® client with a User ID from the domain for which the server has a certificate.
  5. Place the Smartcard designated for the server into the card reader of the Notes® client. If required, enter the Smartcard PIN.
  6. Click File > Security > Switch ID to switch to the copy of the SERVER.ID file.
  7. Do the following to enable the SERVER.ID file for the associated Smartcard
    1. Click File > Security > User Security, and enter the password for the SERVER.ID.
    2. Click Smartcard Options.
    3. Click Enable Smartcard Login.
    4. Enter password (if needed) and the Smartcard PIN. After approximately 10 to 15 seconds, the Smartcard will be configured for the SERVER.ID file.
  8. Copy the Smartcard-enabled SERVER.ID file back to the server's Domino\data directory.
  9. Place the Smartcard in the Domino® server card reader, and launch Domino®.
  10. At the server command console, enter the Smartcard PIN when prompted and Domino® will launch.