PLANNING


Server security

To secure Domino® servers, you allow and prevent user and server access.

You can restrict the activities that users and servers may perform on the server.

Table 1. Tasks
TaskUse
Choose an internal or external Internet certificate authority.Set up a certifier that will be used to issue Internet certificates in your organization.
Cross-certify Notes® user IDs and Domino server and certifier IDs.Allow Notes users and Domino servers in different hierarchically certified organizations to ascertain the identity of users and servers in other Notes organizations.
Allow or deny access to a server.Specify which Notes users, Internet clients, and Domino servers are authorized to access the server.
Allow anonymous server access.Give server access to Notes users and Domino servers outside of the organization without issuing a cross-certificate.
Allow anonymous Internet/Intranet client access.Determine whether Internet/intranet users are allowed to access the server anonymously.
Secure the server with name-and-password authentication.Identify Internet and intranet users accessing the server and control access to applications based on the user name.
Enable session-based authentication.Allow Web browser clients to authenticate and maintain state with the server by using cookies. using session-based name-and-password authentication. Session-based authentication lets administrators provide a customized sign-in form and configure session expiration to log users off the server after a specified period of inactivity. Also provides capability for single single-on between Domino and WebSphere® servers, using the same cookie.
Control the level of authentication for Web clients.Specify the level of refinement that the server should use when searching for names and authenticating Web users.
Limit access to create new databases, replicas, or templates.Allow specified Notes users and Domino servers to create databases and replica databases on the server. Limiting this access avoids a proliferation of databases and replicas on the server.
Control access to a server's network port.Allow specified Notes users and Domino servers to access the server over a port.
Encrypt server's network port.Encrypt data sent from the server's network port to prevent network eavesdropping.
Password protect the server console.Prevent unauthorized users from entering commands at the server console.
Restrict administrator access.Assign different types of administrator access to individuals based on the tasks they need to do on the Domino server.
Restrict server agents.Specify which Notes users and Domino servers are allowed to run which kinds of agents on the server.
Restrict pass-through access.Specify which Notes users and Domino servers can access the server as a pass-through server and specify the destinations they may access.
Restrict server access by browser users running Java™ or JavaScript™ programs.Specify which Web browser users can use Domino ORBs to run Java or JavaScript programs on the server.
Secure the server with TLS.Set up TLS security for Internet/intranet users to authenticate the server, encrypt data, prevent message tampering, and, optionally, authenticate clients. This is mandatory for e-commerce and secure business-to-business messaging.
Set mail router restrictions.Restrict mail routing based on Domino domains, organizations, and organizational units.
Set inbound SMTP restrictions.Restrict inbound mail to prevent Domino from accepting unwanted commercial e-mail.
Use S/MIME.Use S/MIME to encrypt outgoing mail. This is often mandatory for secure business-to-business messaging.
Prevent relaying through MTA. Enhance SMTP router security.
Use file protection documents.Specify who can access files -- for example, HTML, GIF, or JPEG -- on a server's hard drive.
Authenticate Internet clients using a secondary Domino Directory or LDAP directory. Authenticate Web clients who use name-and-password or TLS client authentication in secondary Domino or LDAP Directories marked as "trusted" by your domain.
Authenticate Web clients for a specific realm.Allow Web users to access a certain drive, directory, or file on a Domino server and prevent Domino from prompting users for a name-and-password for different realms.
Locate the server in a secure area.Prevent unauthorized access to unencrypted data and server and certifier IDs that are stored on the server's hard drive.
Secure the server console with a Smartcard.Prevent unauthorized access to the server console by requiring the use of a Smartcard to log in to Domino.
Use a firewall to protect access to a server.Control unauthorized access to a private network from the public Internet.
Restrict access to a server's data directory.Use ACL files to protect server directories by specifying the names of users authorized to access those directories.

Parent topic: Planning security

Related concepts
Setting up an Internet certificate authority
Using cross-certificates to access servers and send secure S/MIME messages
Anonymous Internet and intranet access
Name-and-password authentication for Internet/intranet clients
TLS security
Restricting SMTP inbound routing
Controlling Web browser access to files
Planning security
Customizing access to a Domino server
Overview of Domino security

Related tasks
Setting up Notes user, Domino server, and Internet user access to a Domino server
Setting up anonymous server access for Notes users and Domino servers
Setting up session-based name-and-password authentication
Controlling the level of authentication for Internet clients
Controlling creation of databases, replicas, and templates
Controlling access to a specific server port
Encrypting NRPC communication on a server port
Physically securing the Domino server
Restricting administrator access
Controlling agents and XPages that run on a server
Controlling access to a pass-through server or pass-through destination
Restricting mail routing based on domain, organization, and organizational unit
Encrypting mail
Preventing unauthorized SMTP hosts from using Domino as a relay
Protecting files on a server from Web client access
Directory assistance and client authentication
Restricting access to a server's data directory