Server security

To secure Domino® servers, you allow and prevent user and server access.

You can restrict the activities that users and servers may perform on the server.

Table 1. Tasks

Task

Use

Choose an internal or external Internet certificate authority.

Set up a certifier that will be used to issue Internet certificates in your organization.

Cross-certify Notes® user IDs and Domino® server and certifier IDs.

Allow Notes® users and Domino® servers in different hierarchically certified organizations to ascertain the identity of users and servers in other Notes® organizations.

Allow or deny access to a server.

Specify which Notes® users, Internet clients, and Domino® servers are authorized to access the server.

Allow anonymous server access.

Give server access to Notes® users and Domino® servers outside of the organization without issuing a cross-certificate.

Allow anonymous Internet/Intranet client access.

Determine whether Internet/intranet users are allowed to access the server anonymously.

Secure the server with name-and-password authentication.

Identify Internet and intranet users accessing the server and control access to applications based on the user name.

Enable session-based authentication.

Allow Web browser clients to authenticate and maintain state with the server by using cookies. using session-based name-and-password authentication. Session-based authentication lets administrators provide a customized sign-in form and configure session expiration to log users off the server after a specified period of inactivity. Also provides capability for single single-on between Domino® and WebSphere® servers, using the same cookie.

Control the level of authentication for Web clients.

Specify the level of refinement that the server should use when searching for names and authenticating Web users.

Limit access to create new databases, replicas, or templates.

Allow specified Notes® users and Domino® servers to create databases and replica databases on the server. Limiting this access avoids a proliferation of databases and replicas on the server.

Control access to a server's network port.

Allow specified Notes® users and Domino® servers to access the server over a port.

Encrypt server's network port.

Encrypt data sent from the server's network port to prevent network eavesdropping.

Password protect the server console.

Prevent unauthorized users from entering commands at the server console.

Restrict administrator access.

Assign different types of administrator access to individuals based on the tasks they need to do on the Domino® server.

Restrict server agents.

Specify which Notes® users and Domino® servers are allowed to run which kinds of agents on the server.

Restrict pass-through access.

Specify which Notes® users and Domino® servers can access the server as a pass-through server and specify the destinations they may access.

Restrict server access by browser users running Java or JavaScript programs.

Specify which Web browser users can use Domino® ORBs to run Java or JavaScript programs on the server.

Secure the server with TLS.

Set up TLS security for Internet/intranet users to authenticate the server, encrypt data, prevent message tampering, and, optionally, authenticate clients. This is mandatory for e-commerce and secure business-to-business messaging.

Set mail router restrictions.

Restrict mail routing based on Domino® domains, organizations, and organizational units.

Set inbound SMTP restrictions.

Restrict inbound mail to prevent Domino® from accepting unwanted commercial e-mail.

Use S/MIME.

Use S/MIME to encrypt outgoing mail. This is often mandatory for secure business-to-business messaging.

Prevent relaying through MTA.

Enhance SMTP router security.

Use file protection documents.

Specify who can access files -- for example, HTML, GIF, or JPEG -- on a server's hard drive.

Authenticate Internet clients using a secondary Domino® Directory or LDAP directory.

Authenticate Web clients who use name-and-password or TLS client authentication in secondary Domino® or LDAP Directories marked as "trusted" by your domain.

Authenticate Web clients for a specific realm.

Allow Web users to access a certain drive, directory, or file on a Domino® server and prevent Domino® from prompting users for a name-and-password for different realms.

Locate the server in a secure area.

Prevent unauthorized access to unencrypted data and server and certifier IDs that are stored on the server's hard drive.

Secure the server console with a Smartcard.

Prevent unauthorized access to the server console by requiring the use of a Smartcard to log in to Domino®.

Use a firewall to protect access to a server.

Control unauthorized access to a private network from the public Internet.

Restrict access to a server's data directory.

Use ACL files to protect server directories by specifying the names of users authorized to access those directories.