Lotus Notes FAQ

How would you secure a Domino server?

This is what KEY Enterprise Solutions normally recommends for its clients:

* Put the Domino server in a separate organization in case some of your databases have */org in the ACL, then cross-certify the Domino server with internal servers
* Put a password on the Notes server ID in case someone manages to steal it off your site
* Encrypt all databases with the Notes server ID in case someone manages to steal your databases
* Set all databases to enforce local security in case someone manages to get the database and the server ID
* Turn off database browsing for web clients so people can't reach databases you didn't mean to publish
* Set all databases to Default No Access so only validated people can get into databases
* Activate SSL (whether self-certified or Verisign) to secure your network traffic to web clients
* Turn on network encryption when Notes clients talk to the Domino server over the Internet
* Protect all views you don't want accessed because web users can use the 3PaneUI parameter to see all your database views.
* If you are using the Domino server as a Notes server, put files you don't want Web users to access in a directory with a DirLink, then disable Domino's DirLink support so that Notes users can use the DirLinks but Web users cannot.

Also from GroupAware:
* Name your databases and URLs carefully. If users manage to follow a hidden link or manage to browse your system, they may be able to guess what you are planning from URL names.
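
One way to check the "Default No Access" recommendation across a whole server is a LotusScript agent like the one below. It is an added example, not part of the original FAQ or of either company's advice, and it assumes the agent runs on the Domino server under an ID that can open the databases. It also checks the Anonymous entry, which goes slightly beyond the list above: unauthenticated web users get the Anonymous entry's access when it exists and -Default- otherwise.

```lotusscript
' Added example (not from the original FAQ): list every database whose
' -Default- or Anonymous ACL entry grants more than No Access.
Sub Initialize
    Dim dbdir As New NotesDbDirectory("")   ' "" = the machine the agent runs on
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim flagged As Integer

    Set db = dbdir.GetFirstDatabase(DATABASE)
    While Not (db Is Nothing)
        ' Databases from NotesDbDirectory are closed; opening can fail
        ' if the agent's ID has no access, so trap that and report it.
        On Error Resume Next
        Call db.Open("", "")
        On Error Goto 0

        If db.IsOpen Then
            Set acl = db.ACL

            Set entry = acl.GetEntry("-Default-")
            If Not (entry Is Nothing) Then
                If entry.Level <> ACLLEVEL_NOACCESS Then
                    Print db.FilePath & ": -Default- has level " & Cstr(entry.Level)
                    flagged = flagged + 1
                End If
            End If

            ' Anonymous is optional; GetEntry returns Nothing when it is absent.
            Set entry = acl.GetEntry("Anonymous")
            If Not (entry Is Nothing) Then
                If entry.Level <> ACLLEVEL_NOACCESS Then
                    Print db.FilePath & ": Anonymous has level " & Cstr(entry.Level)
                    flagged = flagged + 1
                End If
            End If
        Else
            Print db.FilePath & ": could not be opened, check its ACL by hand"
        End If

        Set db = dbdir.GetNextDatabase
    Wend

    Print Cstr(flagged) & " ACL entries grant more than No Access"
End Sub
```

Levels are printed as the numeric ACLLEVEL_ values, where 0 is No Access and 6 is Manager.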

Applies to Notes Versions: 4
Last Modified: September 8, 1999