HCL - Notes Domino Tips and Tricks - Secure A Domino Web Server Running On The Public Internet - Prevent Hacking - HCL BP NotesMail

The document provides steps to secure a Domino web server running on a public internet connection from hackers. It lists 6 key steps: 1) prevent decrypting hashed passwords, 2) prevent displaying all directory users, 3) enable stronger encrypted passwords, 4) enable password lockout, 5) increase password requirements, and 6) restrict user name variations.

1/13/2020 HCL - Notes Domino Tips and Tricks: Secure a Domino web server running on the public internet - Prevent hacking - HCL BP Notes…


HCL Notes and Domino: Tips & Tricks

Secure a Domino web server running on public internet - Prevent hacking


January 9, 2020
By Lance Zakin, HCL CASA, CAAD Notes and Domino, HCL BP NotesMail

This article lists 6 steps which will protect your Domino web server from hackers and close vulnerabilities. Some Domino customers have only 1 or 2 of these steps completed, which is quite alarming from a security standpoint. If these steps are not performed on your Domino server, then an authenticated user with minimal access rights can...

(A) assume the identity of a Domino administrator, (B) attain access to all web user credentials including user names, passwords and internet addresses, and (C) attain operating system level access.

1. Prevent hackers from decrypting hashed Domino web passwords:

A. Web authenticated hackers with minimal access

Cross-site request forgery (CSRF) vulnerability in webadmin.nsf (aka Domino Web Administrator) in Domino 9.0 and 8.5 (and most likely 11 and 10) allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors, as well as gain operating system level access.
ACTION REQUIRED: Delete webadmin.nsf from all Domino web servers.

B. Notes ID authenticated hackers with minimal access

ACTION REQUIRED:
a. Open HCL DD (names.nsf). Click File - Application - Access Control List - Advanced, then select "Enforce a consistent Access..." as seen below. Click "Enable Extended Access" as seen below, then click OK - OK - OK.
b. Click File - Application - Access Control List, then the "Extended Access" button as seen below.
c. In the Target pane, select the root [ /] and click the "Add" button - Default.
d. Select "Default" in the Access List pane.
e. Click the "Form and Field Access" button. The Form and Field dialog box appears.
f. Select "Person" in the Forms list box. Leave the Access settings for Forms blank.
g. Select "HTTPPassword" in the Fields list box and select "Deny" for Read and Write access. Select "dspHTTPPassword" (if it exists) in the Fields list box and select "Deny" for Read and Write access. Click OK.
h. In the Target pane, select the root [ /] and click the "Add" button - Self. Select "The container and descendants" for the Scope of Target field. Select "Allow" for all access options.
i. In the Target pane, select the root [ /] and click the "Add" button - Name. Click the person icon, then select the name of your Servers group, then click the "Add" button. Select the name of your Domino administrator group, then click the "Add" button. Click OK.
i.e. LocalDomainServers, LocalDomainAdmins
j. Select, for example, LocalDomainServers, then select "The container and descendants" for the Scope of Target field. Select "Allow" for all access options.
https://www.notesmail.com/home.nsf/tip20200109?openpage&fbclid=IwAR38pIucmlGQ2n7L3IfqeJWlgHq4TaXmmWCVOGSipXqruveCrL0N46G5… 1/4
k. Select, for example, LocalDomainAdmins, then select "The container and descendants" for the Scope of Target field. Select "Allow" for all access options.
l. Click OK - OK.

Note: If Anonymous access was previously defined in the access list, it should be set up to deny read and write access to the HTTPPassword and dspHTTPPassword (if it appears) fields in the Person form.
Note: Once xACLs are enabled for a Domino Directory, LDAP anonymous access is no longer controlled by the list of fields in the All Server Configuration document. Since the default xACL setting for Anonymous is "No Access," once xACLs are enabled all anonymous LDAP searches will fail.

2. Prevent hackers from displaying all Domino Directory users (i.e. web login user names): This flaw allows a web authenticated user to see all the Domino Directory users, web login user names and internet addresses. Hackers can then attempt to guess passwords or send users phishing emails to obtain passwords.
ACTION REQUIRED: Open HCL DD (names.nsf). Click File - Application - Access Control List - Advanced, then set "Maximum Internet name and password" access to: No Access. Click the OK button. Optionally, for even tighter security, check all 25 internal Domino system DBs (*see list below) and set "Maximum Internet name and password" access to: No Access.

Note: Are any of your Domino web apps using client side web technologies which make calls to web addresses (URLs) containing "names.nsf" (e.g. Ajax calls to names.nsf)? If so, verify with your web app development team before making this change, because those calls will be refused once Internet access to names.nsf is set to No Access.

3. Prevent hackers from quickly decrypting Domino hashed passwords if they attain access to the Domino Directory: Enable the stronger Domino Internet password hash.
ACTION REQUIRED:

A. Open HCL DD. Click Actions - Edit Directory Profile. Change the "Use more secure Internet Passwords" field to Yes with the highest Domino release option, as seen in the example below. Click the Save & Close button. Restart the Domino server software.

B. Force users to change their password on next web login (an existing password is only re-hashed in the stronger format when the password is next set). Edit the user's person record in HCL DD. Click the Administration tab, then select Yes in the "Force user to change..." field as seen below. Click the Save & Close button. NOTE: You can also create a simple Formula agent which changes this value for all selected users, i.e. FIELD HTTPPasswordForceChange := "1";
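To find which users still carry the old hash after step A, here is an added audit example (my code, not the article's or HCL's): it classifies exported HTTPPassword field values by storage format and marks the weaker records for a forced change, mirroring step B. The record layout, the hash prefixes and the ranking of the formats are my assumptions, and the sample persons and hash values are constructed.

```python
import re

# Constructed sample of exported Person-document fields (not real users or
# hashes); each HTTPPassword value is shaped like one Domino storage format.
SAMPLE_PERSONS = [
    {"FullName": "CN=John Smith/O=Acme", "HTTPPassword": "355E98E7C7B59BD810ED845AD0FD2FC4"},
    {"FullName": "CN=Jill Jones/O=Acme", "HTTPPassword": "(GKN3Y3XS7HT1IYDLUWDWJH)"},
    {"FullName": "CN=Sam Lee/O=Acme", "HTTPPassword": "(HXm5zJ2yEhQ4Kk8r9TqWpL0vB7aC3dE6fG)"},
    {"FullName": "CN=Web Only/O=Acme", "HTTPPassword": ""},
]

# Assumption about on-disk shapes: the original unsalted scheme stores 32 hex
# digits; the "more secure Internet password" schemes wrap a salted value in
# parentheses, prefixed "(G" (older secure format) or "(H" (the 8.0.1-or-later
# option, the "highest release" choice named in step A).
LEGACY_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
STRENGTH = {"none": 0, "unknown": 0, "legacy-unsalted": 1, "salted": 2, "salted-iterated": 3}


def hash_format(value):
    """Classify one HTTPPassword field value by its storage format."""
    if not value:
        return "none"
    if LEGACY_RE.match(value):
        return "legacy-unsalted"
    if value.startswith("(G") and value.endswith(")"):
        return "salted"
    if value.startswith("(H") and value.endswith(")"):
        return "salted-iterated"
    return "unknown"


def flag_persons_for_reset(persons, required="salted-iterated"):
    """Return (FullName, format) for every record whose stored hash is weaker
    than `required`, setting HTTPPasswordForceChange="1" on those records as
    step 3B does. Records with no Internet password are left untouched."""
    flagged = []
    for person in persons:
        fmt = hash_format(person.get("HTTPPassword", ""))
        if fmt == "none":
            continue
        if STRENGTH[fmt] < STRENGTH[required]:
            person["HTTPPasswordForceChange"] = "1"
            flagged.append((person["FullName"], fmt))
    return flagged


if __name__ == "__main__":
    for name, fmt in flag_persons_for_reset(SAMPLE_PERSONS):
        print(f"{name}: {fmt} -> force change at next web login")
```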

4. Prevent hackers from guessing Domino web passwords with several repeated attempts: Enable the Domino Internet Password Lockout feature. You can give the IT help desk Editor ACL access to unlock users in the "Internet Password Lockout" Notes DB if users call to get unlocked, or simply set auto-unlock to 15 minutes. This will help prevent hackers from guessing users' passwords over several attempts.
ACTION REQUIRED: Create the Domino "Internet Password Lockout" DB (inetlockout.nsf) using the template in the Domino server data root folder. Edit the Domino web server configuration record, then click the Security tab and change the settings as seen in the example below. Click the Save & Close button. Restart the Domino HTTP server task.

https://www.notesmail.com/home.nsf/tip20200109?openpage&fbclid=IwAR38pIucmlGQ2n7L3IfqeJWlgHq4TaXmmWCVOGSipXqruveCrL0N46G5… 2/4
1/13/2020 HCL - Notes Domino Tips and Tricks: Secure a Domino web server running on the public internet - Prevent hacking - HCL BP Notes…

5. Prevent hackers from guessing Domino web passwords using dictionaries of trivial passwords: Increase the Domino web password requirements using a Domino Security policy.
ACTION REQUIRED:

A. Create or edit an existing Domino Security policy. Open HCL DD, then click Configurations - Servers - Policies. Create or edit a Security policy. Click the Password Management tab. Change the "Required Password Quality" field, for example, to 13 (the password quality scale table can be seen in the reference sources link below). Click the Save & Close button.

B. Force users to change their password on next web login. Edit the user's person record in HCL DD. Click the Administration tab, then select Yes in the "Force user to change..." field as seen below and click the Save & Close button. NOTE: You can also create a simple Formula agent which changes this value for all selected users, i.e. FIELD HTTPPasswordForceChange := "1";

6. Prevent hackers from easily guessing simple Domino web login user names: Domino by default allows multiple user name variations for each user, including first name, last name, short name, etc. This potentially allows a user with a unique first or last name to be guessed by a hacker, e.g. John, Jill, Smith, Jones.
ACTION REQUIRED: Open HCL DD and edit the Domino web server record. Click the Security tab, then change the "Internet Authentication" field to "Fewer name variations..." as seen below.

* Domino internal system DBs

1. admin4.nsf
2. catalog.nsf
3. cdc.nsf (Condensed Domino Directory if exists - might be another filename)
4. certlog.nsf
5. certsrv.nsf (Server Certificate Administration if exists - might be another filename)
6. cldbdir.nsf
7. clubusy.nsf
8. da.nsf (Directory Assistance if exists - might be another filename)
9. ddm.nsf
10. domcfg.nsf
11. domlog.nsf (Domino Log if exists - might be another filename; ignore if web logs writing to OS text files)
12. edc.nsf (Extended Domino Directory if exists - might be another filename)
13. events4.nsf
14. idvault.nsf (ID Vault if exists)
15. inetlockout.nsf (Internet Lockouts if exists - might be another filename)
16. log.nsf
17. LotusTraveler.nsf (HCL Traveler if exists - might be another filename)
18. names.nsf
19. password.nsf (Password Recovery generic mailbox - might be another filename)
20. reports.nsf (Reports Database if exists - might be another filename)
21. resource.nsf
22. schema.nsf
23. smupgrade.nsf (SmartUpgrade Kits if exists - might be another filename)
24. statrep.nsf
25. xnames.nsf (External / Secondary Domino Directory if exists - might be another filename)

Reference Sources

HCL Domino password quality scale


When creating passwords for user, server, or certifier IDs, you need to understand the criteria by which Domino measures password strength and security. Domino measures these criteria according to the level assigned on its password quality scale. The scale assigns a minimum level of quality to the password on an ID file. Domino bases the password quality on the number and variety of characters in the password.

Securing Internet passwords for HCL Domino Server


Internet passwords can be subject to attacks by malicious sources. However, there are measures you can take to make Internet
passwords more secure.

Server security for HCL Domino


To secure Domino servers, you allow and prevent user and server access. You can restrict the activities that users and servers
may perform on the server.

Overview of HCL Domino security


This section describes security features, including execution control lists, IDs, and SSL. Setting up security for your organization is
a critical task. Your security infrastructure is critical for protecting your organization's IT resources and assets. As an administrator,
you need to give careful consideration to your organization's security requirements before you set up any servers or users. Up-
front planning pays off later in minimizing the risks of compromised security.

Securing a HCL Domino Web server


Many customers use Domino for their intranet or Internet sites. Securing the Domino server in these environments is very
important to ensure both the integrity of the data and the availability of the Web site, especially on the Internet.

Securing a HCL Domino Web Server: A case study


Many customers use Domino in their intranet or Internet Web sites. Securing a Domino server in these environments is important
to ensure integrity of data and availability of the Web site, especially on the Internet. Our previous developerWorks article,
"Securing a Domino Web Server" discussed the Domino security model and how to secure a Web server with respect to Web
authentication, server security, and data security. In this article, you learn the specific configurations and settings to implement
these features, using a recent customer case study. This article assumes that you are an experienced Domino system
administrator.

Securing a HCL Domino Web server: Using the new Internet lockout feature
Internet password lockout lets administrators set a threshold value for Internet password authentication failures for users of
Domino applications, including Domino Web Access. This lockout helps to prevent brute force and dictionary attacks on user
Internet accounts by locking out any user who fails to log in within a preset number of attempts. Information about authentication
failures and lockouts is maintained in the Internet Lockout application, where the administrator can clear failures and unlock user
accounts.


© 1997-2020 IVE Technologies LLC (dba NotesMail) | Privacy | IBM, Notes, Domino are registered trademarks of IBM Corp. | Powered by HCL Domino and CMS HCL NBP