The Domino® security model

The Domino® security model is based on the premise of protecting resources, such as the Domino® server itself, databases, workstation data, and documents. The resources, or objects, that are being protected are set up to define the rights of users to access and change the object. Information about access rights and privileges are stored with each protected resource. Thus, a given user or server may have different sets of access rights, depending on the resources to which that user or server requires access.

The following includes brief descriptions of the various resources that you need to protect in a Domino® environment. Some of the topics are not specific to Domino® security, but are included here in the interest of thoroughness.

Physical security

Physically securing servers and databases is equally as important as preventing unauthorized user and server access. It is the first line of defense against unauthorized or malicious users, by preventing them from having direct access to your Domino® servers. Therefore, we strongly recommend that you locate all Domino® servers in a ventilated, secure area, such as a locked room. If servers are not physically secure, unauthorized users might circumvent security features -- for example, ACL settings -- and access applications directly on the server, use the operating system to copy or delete files, or physically damage the server hardware itself.

Physical network security concerns should also include disaster planning and recovery.

Operating system security

Unauthorized or malicious users often take advantage of operating system vulnerabilities. As a system administrator, you should safeguard the operating system on which your Domino® server runs. For example, you should limit administrator login/rights, disable FTP (on NT), and avoid the use of mapped directory links to file servers or shared NAS server for Domino® servers. Stay informed about your operating system of choice, and keep current with security updates and patches.

Network security

The goal for securing your network is to prevent unauthorized users from gaining access to servers, users, and data. Physical network security is beyond the scope of this book, but you must set it up before you set up Notes® and Domino® connection security. Physical network security is established through the use of devices -- such as filtering routers, firewalls, and proxy servers -- that enable network connections for various network services (such as LDAP, POP3, FTP, and STMP) that you want to provide for your users. Network connection security access is also controlled using these devices, as you can define what connections can be accessed, and who is authorized to used them.

Properly configured, these devices prevent unauthorized users from:

  • Breaking through into the network and accessing the server via the operating system and its native services (such as file sharing).
  • Impersonating an authorized Notes® user
  • Eavesdropping on the network to collect data

Server security

The Domino® server is the most critical resource to secure and is the first level of security that Domino® enforces after a user or server gains access to the server on the network. You can specify which users and servers have access to the server and restrict activities on the server -- for example, you can restrict who can create new replicas and use pass-through connections.

You can also restrict and define administrator access, by delegating access based on the administrator duties and tasks. For example, you can enable access to operating system commands through the server console for system administrators, and grant database access to those administrators who are responsible for maintaining Domino® databases.

If you set up servers for Internet/intranet access, you should set up SSL and name-and-password authentication to secure network data transmitted over the network and to authenticate servers and clients.

ID security

A Notes® or Domino® ID uniquely identifies a user or server. Domino® uses the information contained in IDs to control the access that users and servers have to other servers and applications. One of the responsibilities of the administrator is to protect IDs and make sure that unauthorized users do not use them to gain access to the Domino® environment.

Some sites may require multiple administrators to enter passwords before gaining access to a certifier or server ID file. This prevents one person from controlling an ID. In such cases, each administrator should ensure each password is secure to prevent unauthorized access to the ID file.

You can also secure Notes® user IDs with Smartcards. Smartcards reduce the threat of user ID theft, as a user who has a Smartcard needs their user ID, their Smartcard, and their Smartcard PIN to access Notes®.

For more information on Smartcards, see HCL Notes® Help.

Application security

Once users and servers gain access to a Domino® server, you can use the database access control list (ACL) to restrict access that specific users and servers have to individual Domino® applications on the server. In addition, to provide data privacy, encrypt the database with an ID so unauthorized users cannot access a locally stored copy of the database, sign or encrypt mail messages users send and receive, and sign the database or template to protect workstations from formulas.

Application design element security

Although users may have access to an application, they may not have access to specific design elements in the application -- for example, forms, views, and folders. When designing a Domino® application, an application developer can use access lists and special fields to restrict access to specific design elements.

Workstation data security

Notes® users may keep and use important applications and information on their workstations. This information can be protected through the use of an execution control lists (ECL), which defines the access that active content from other users has to the user workstation.