Using Internet password lockout

Internet password lockout lets administrators set a threshold value for Internet password authentication failures for Domino® Web and Domino® Web Access users.

About this task

Internet lockout helps to prevent brute-force and dictionary attacks on user Internet accounts by locking out any user who fails to log in within a preset number of attempts. Information about authentication failures and lockouts is maintained in the Internet Lockout application, where an administrator can clear recorded failures and unlock user accounts.

By default, lockouts are enforced for users in the Domino® directory. Starting with HCL Domino® 12, you can optionally also enforce lockouts by IP address, which covers users who are not in the directory. If you enable this option, you can additionally require that a request carrying an X-Forwarded-For header is honored only when the connecting IP address and each proxy address listed in the header appear in a trusted proxies list in the Server document.

Note that the Internet lockout feature can itself be turned into a denial of service (DoS) attack, in which a malicious user deliberately prevents legitimate users from using a service. An attacker who knows or can guess a user name can lock that user out of the Domino® server simply by making the configured number of failed login attempts against it.

Internet password lockout may not apply if custom DSAPI filters are in use, because a DSAPI filter can perform authentication itself and thereby bypass Notes/Domino authentication, including the lockout logic.

For single sign-on, the Domino® server on which Internet password lockout is enabled must also be the server that issues the single sign-on key. If the key is retrieved from another source (another Domino® server or a WebSphere® server), the SSO token is always accepted as valid on the Domino® server, regardless of whether Internet password lockout is enabled.

You enable Internet password lockout in the server configuration settings document. This allows administrators to turn on the Internet Lockout feature across multiple servers.

It is recommended that the Server document option Fewer name variations with higher security be enabled, which minimizes the problem of ambiguous names. Domino® allows a user to log in to the Web server with a short form of the user name (if the password is correct) even when that short name matches two or more people in the directory. An incorrect login with an ambiguous name is therefore recorded as a failure against every matching user, because the server cannot tell which of them was trying to log in. Likewise, when failures are cleared by a successful login (subject to the lockout expiration and maximum tries interval settings), they are cleared only for the one user whose user name and password actually matched.

To enable Internet password lockout, complete the following steps.

Procedure

  1. In the Domino® Administrator, click Configuration > Server > Configurations. Open the configuration settings document for the server for which you want to enable Internet password lockout.
  2. Click Security. You have three options for the setting Enforce Internet Password Lockout:
    • Yes - the server enforces Internet password lockout. This option must be enabled for any Internet password lockout functionality to work.
    • No - the server does not enforce Internet password lockout.
    • (Blank) - If this setting is left blank, enforcement is not necessarily disabled; instead, another server configuration settings document (perhaps one that applies to all servers) determines whether Internet password lockout is enabled for this server.
      Note: If Internet password lockout is not enforced in the Server document, any other Internet lockout settings, such as those in a policy document, are disabled.
  3. Optional: If you selected Yes in the previous step, complete these steps if you also want to enforce lockout for users who are not in the Domino directory:
    1. Select Also enforce lockout based on IP address.
    2. Optional: If you want a login failure for a user in the directory to also count as a failure for the originating IP address in the Internet Lockout database, select Count user name failures also as IP address failures. When not selected, the login failure is counted as a failure for the user name only.
  4. Configure the following settings:
    Table 1. Internet password lockout settings

    Log Settings
      Choose the types of events to log on the console and in DDM. The user name and IP address are logged with each event.
      • Lockouts: logs both the event in which a user becomes locked out and each attempt to authenticate by a user who is already locked out. This is enabled by default.
      • Failures: logs every failed authentication attempt, including the IP address and user name of the client that tried to authenticate.

    Default Maximum Tries Allowed
      The maximum number of bad password attempts allowed before the user is locked out. The default is 5. Once a user is locked, the user must be unlocked before a new value for this setting takes effect for that user.
      If a user has a different value for this setting in their user policy, the policy value overrides the one in the server configuration document.
      Note: If this value is 0, unlimited password attempts are allowed.

    Default Lockout Expiration
      The period of time for which a lockout is enforced. After it expires, the account is automatically unlocked the next time the user tries to authenticate, and all failure attempts are cleared.
      Note: If this value is 0, the lockout never expires automatically; the account must be unlocked manually.

    Default Maximum Tries Interval
      The length of time failed password attempts are retained in the lockout database before a successful authentication can clear them. The default is 24 hours.
      This does not apply to users who are locked out. For a locked-out user, failures are cleared and the account unlocked only by a manual unlock in the Internet Lockout database or when the Lockout Expiration elapses.
      Note: If this value is 0, every successful login by a user who is not locked out clears all of that user's failed password attempts.
    Note: With the exception of the log settings, the options described previously can also be specified in a user policy. This might be useful if an administrator only wants to enforce Internet password lockout for a subset of users in an organization. In this case, these settings can be established for that group.
  5. Optional: If you selected Also enforce lockout based on IP address in Step 3, complete the following steps if you want an incoming HTTP request that carries an X-Forwarded-For header to be validated only when both the IP address of the incoming TCP connection and the IP address of each proxy listed in the header are in a trusted proxies list.
    1. In the Domino directory, open the Server document for a server on which to enable the setting.
    2. Select the Internet Protocols > HTTP tab.
    3. In the Trusted Proxies section, select Enable trusted proxies.
    4. Click Edit List and specify a comma-separated list of IP addresses to allow. Include IP addresses for incoming TCP connections and the IP addresses in X-Forwarded-For headers.
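The trusted-proxies rule in Step 5 determines which address an IP-based lockout failure is charged to, and why an untrusted X-Forwarded-For header must not be honored: a client that can forge the header could otherwise shift its failures onto arbitrary addresses, or evade its own lockout. The following Python function is an added illustration of that rule; it is not HCL Domino code and does not show how Domino parses the header. It assumes the common header layout (claimed client first, then one entry per proxy), and, because this page does not state how Domino treats a request that fails validation, it falls back to charging the TCP peer address; that fallback is an assumption. The trusted list and the addresses are constructed for the example.

```python
"""Trusted-proxies check for IP-based lockout (added illustration, not Domino code)."""
import ipaddress
from typing import Optional

# Constructed trusted-proxies list, standing in for the comma-separated list
# entered with Edit List on the Server document's Internet Protocols > HTTP tab.
# It must contain the addresses that open TCP connections to Domino *and* the
# proxy addresses that appear in X-Forwarded-For headers.
TRUSTED_PROXIES = "192.0.2.10, 192.0.2.11, 198.51.100.5"


def parse_trusted(raw: str) -> set:
    """Parse the comma-separated list into IP address objects."""
    return {ipaddress.ip_address(p.strip()) for p in raw.split(",") if p.strip()}


def client_ip_for_lockout(peer_ip: str, xff: Optional[str], trusted: set) -> str:
    """Return the address an authentication failure should be charged to.

    X-Forwarded-For is assumed to be "client, proxy1, proxy2, ...": the leftmost
    entry is the claimed client and each later entry is a proxy the request
    passed through. The TCP peer (the last hop) is seen directly, not read from
    the header. The header is honored only if the peer and every listed proxy
    are trusted; otherwise the peer itself is charged (assumption: this page
    does not state how Domino treats a request that fails validation).
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff:
        return str(peer)
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",") if h.strip()]
    except ValueError:
        return str(peer)          # malformed header: trust none of it
    if not hops:
        return str(peer)
    claimed_client, proxies = hops[0], hops[1:]
    if peer in trusted and all(p in trusted for p in proxies):
        return str(claimed_client)
    return str(peer)              # untrusted path: charge the connection we see


if __name__ == "__main__":
    trusted = parse_trusted(TRUSTED_PROXIES)
    # Legitimate path: a trusted reverse proxy forwards an external client.
    print(client_ip_for_lockout("192.0.2.10", "203.0.113.7", trusted))
    # Spoof attempt: a direct, untrusted client forges the header.
    print(client_ip_for_lockout("203.0.113.99", "10.0.0.1", trusted))
```

The second call shows why the connecting address must be in the list as well: without that check, anyone connecting directly could name any victim address in the header and have failures counted against it.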
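The settings in Table 1 interact (a lockout stops the counter, expiry is applied when the user next attempts to authenticate, the maximum tries interval decides which failures a correct password may clear, and 0 has a special meaning for each), and the ambiguous-name behavior described earlier on this page fans one bad password out to several accounts. The following Python model is an added example, not HCL Domino code, that applies those documented rules so they can be traced end to end. Times are plain numbers of seconds supplied by the caller, the directory mapping a typed short name to matching distinguished names is constructed, and the class and method names are the example's own.

```python
"""Model of the Internet password lockout counters (added example, not Domino code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class UserState:
    failures: List[float] = field(default_factory=list)   # timestamps of bad passwords
    locked_at: Optional[float] = None                     # None = not locked


class LockoutDB:
    """Applies the rules documented for Table 1. Times are seconds, passed by the caller."""

    def __init__(self, max_tries: int = 5, lockout_exp: float = 0.0,
                 tries_interval: float = 24 * 3600.0,
                 directory: Optional[Dict[str, List[str]]] = None):
        self.max_tries = max_tries              # 0 = unlimited attempts
        self.lockout_exp = lockout_exp          # 0 = never expires, manual unlock only
        self.tries_interval = tries_interval    # 0 = any success clears all failures
        # Constructed directory: typed login name -> matching distinguished names.
        # A short name that matches several people is an "ambiguous name".
        self.directory = directory or {}
        self.users: Dict[str, UserState] = {}

    def _state(self, dn: str) -> UserState:
        return self.users.setdefault(dn, UserState())

    def _expire_if_due(self, st: UserState, now: float) -> None:
        # Expiry takes effect when the user next shows up, not by a timer.
        if (st.locked_at is not None and self.lockout_exp > 0
                and now - st.locked_at >= self.lockout_exp):
            st.locked_at = None
            st.failures.clear()

    def resolve(self, typed_name: str) -> List[str]:
        return self.directory.get(typed_name, [typed_name])

    def is_locked(self, dn: str, now: float) -> bool:
        st = self._state(dn)
        self._expire_if_due(st, now)
        return st.locked_at is not None

    def failure_count(self, dn: str) -> int:
        return len(self._state(dn).failures)

    def record_failure(self, typed_name: str, now: float) -> List[str]:
        """Charge a bad password to every user the typed name could mean.

        Returns the users locked by this attempt. An already locked user is
        not counted again (the attempt is only logged)."""
        newly_locked = []
        for dn in self.resolve(typed_name):
            st = self._state(dn)
            self._expire_if_due(st, now)
            if st.locked_at is not None:
                continue
            st.failures.append(now)
            if self.max_tries > 0 and len(st.failures) >= self.max_tries:
                st.locked_at = now
                newly_locked.append(dn)
        return newly_locked

    def record_success(self, dn: str, now: float) -> bool:
        """Correct password for one specific user. Returns whether login is allowed."""
        st = self._state(dn)
        self._expire_if_due(st, now)
        if st.locked_at is not None:
            return False                        # right password, still locked
        if self.tries_interval == 0:
            st.failures.clear()
        else:
            # Only failures older than the interval may be cleared by a success.
            st.failures = [t for t in st.failures if now - t < self.tries_interval]
        return True

    def manual_unlock(self, dn: str) -> None:
        """Administrator clears the record in the Internet Lockout database."""
        st = self._state(dn)
        st.locked_at = None
        st.failures.clear()


if __name__ == "__main__":
    db = LockoutDB(max_tries=3, lockout_exp=600, tries_interval=0,
                   directory={"jsmith": ["CN=Jane Smith/O=Acme", "CN=John Smith/O=Acme"]})
    for t in (0, 1, 2):
        locked = db.record_failure("jsmith", t)   # ambiguous name: both are charged
    print("locked by third failure:", locked)
    print("Jane allowed at t=3:", db.record_success("CN=Jane Smith/O=Acme", 3))
    print("Jane allowed at t=700:", db.record_success("CN=Jane Smith/O=Acme", 700))
```

The trace in the main block shows the DoS concern from earlier on this page concretely: three bad passwords typed against an ambiguous short name lock out two real users, and the correct password does nothing for them until the expiration elapses or an administrator unlocks them.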