Security of IBM Lotus Domino Web Server-Internet lock feature

Source: Internet
Author: User


Internet password lockout lets administrators set a threshold for failed Internet password authentication for Lotus Domino application users, including Lotus Domino Web Access users. When a user exceeds the preset number of failed logon attempts, the account is locked out, which helps protect the user's Internet account against brute-force and dictionary attacks. The authentication failures and lockout records are stored in the Internet Lockout application, where the administrator can clear the failure records and unlock the user account.

Note, however, that this feature does not protect against denial-of-service (DoS) attacks. A DoS attack prevents legitimate users from using a service: once Internet password lockout is enabled, an attacker can deliberately generate logon failures so that legitimate Internet users are locked out of the Lotus Domino server.

There are some restrictions on the use of the Internet password lock:

  • Internet password lockout applies only to Web (HTTP) access. It is not supported for other Internet protocols and services such as LDAP, POP, IMAP, DIIOP, IBM Lotus QuickPlace and IBM Lotus Sametime. However, if the password used for authentication is stored in an LDAP server, Internet password lockout can still be used for Web access.

  • If you use a DSAPI filter, you may not be able to use the Internet lockout feature, because a DSAPI filter can bypass Lotus Notes and Domino authentication.

  • For single sign-on (SSO), the Lotus Domino server on which Internet password lockout is enabled must be the server that issues the SSO token. If the token is obtained elsewhere, for example from another Lotus Domino server or an IBM WebSphere server, the SSO token is generally still accepted by the Lotus Domino server, even when Internet password lockout is enabled.

Configuring Internet Lockout

Internet lockout is not enabled on the Lotus Domino server by default. This section describes how to enable it.

To enable Internet lock through configuration settings, follow these steps:

1. Open the Lotus Domino Directory in the Lotus Notes client.

2. Click Configuration - Servers - Configurations.

3. Edit the default server configuration document or the configuration document of an individual server.

4. Click the Security tab and set the following:

  • Change Enforce Internet password lockout to Yes.

  • Set the log option to record both lockouts and failures.

  • Set the default maximum number of tries.

Specifies the maximum number of times a user can try a password before the account is locked. The default value is 5. If a user is already locked out when this value is changed, the account must be unlocked before the new value applies to that user.
If a different value for this setting is configured in a security policy, the policy value overrides the value set in the server configuration document.

5. Set the default lockout expiration.
Specifies how long a lockout lasts. When this time has elapsed, the lockout expires and the account is automatically unlocked on the user's next login attempt; the recorded failed attempts are cleared as well.
Note: If this value is 0, the lockout never expires automatically and the account must be unlocked manually.

6. Set the default maximum tries interval.
Specifies how long failed password attempts are kept in the lockout database before they are cleared by a successful password attempt. The default value is 24 hours.
This setting does not apply to users who are already locked out. Once a user is locked out, the only ways to clear the failed attempts and unlock the account are to unlock it manually in the Internet Lockout database or to wait for the lockout to expire.
Note: If this value is 0, all of the user's failed password attempts are cleared as soon as the user logs on successfully.


7. Save and close the document.

8. Restart the Lotus Domino server.

You can also configure Internet lockout through security policies. With this method, the administrator can enforce Internet lockout for only a subset of users. Note that security policy settings override the server's Internet lockout settings.

To enable Internet lock through security policies, follow these steps:

1. Open the Lotus Domino Directory.

2. Click Configuration - Policies - Settings.

3. Open the security settings document, or create a new one if none exists.

4. Click the Password Management tab and enter the values shown in Figure 2:

  • Set Override Server's Internet Lockout settings? to Yes.

  • Set Maximum Tries Allowed to 5.

  • Set Lockout Expiration to 60 minutes.

  • Set Maximum Tries Interval to one day.

  • Set each of these settings to Enforce.


After the security settings document is configured, assign it to a policy, and then assign the policy to individual users or organizational units.
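As an added illustration (not part of the original article and not Domino's own code), the following Python model implements the lockout bookkeeping described in the server-configuration and security-policy steps above: Maximum Tries Allowed, Lockout Expiration (0 = never expires, manual unlock only) and Maximum Tries Interval (0 = a successful logon clears all failures). Times are in minutes; the behaviour of inetlockout.nsf is assumed from the page's description.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LockoutPolicy:
    """Settings from the page's security-policy example (all times in minutes)."""
    max_tries: int = 5                 # Maximum Tries Allowed
    lockout_expiration: int = 60       # Lockout Expiration; 0 = never expires, manual unlock only
    max_tries_interval: int = 24 * 60  # Maximum Tries Interval; 0 = success clears all failures

@dataclass
class UserRecord:
    failures: list = field(default_factory=list)  # times (minutes) of failed attempts
    locked_at: Optional[int] = None               # time the lockout started, if locked

class InternetLockout:
    """Stand-in for the records kept in inetlockout.nsf (a model assumed from the page)."""
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.records: dict = {}

    def record(self, user: str) -> UserRecord:
        return self.records.setdefault(user, UserRecord())

    def is_locked(self, user: str, now: int) -> bool:
        rec, exp = self.record(user), self.policy.lockout_expiration
        if rec.locked_at is None:
            return False
        if exp and now - rec.locked_at >= exp:
            # Expired lockout: unlocked on the next attempt, failed attempts cleared too
            rec.locked_at, rec.failures = None, []
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: int) -> str:
        """Process one Web logon; returns 'locked', 'ok' or 'failed'."""
        rec = self.record(user)
        if self.is_locked(user, now):
            return "locked"  # a locked-out user is rejected even with the right password
        if self.policy.max_tries_interval:
            # Failures older than the interval no longer count toward the threshold
            rec.failures = [t for t in rec.failures if now - t < self.policy.max_tries_interval]
        if password_ok:
            if self.policy.max_tries_interval == 0:
                rec.failures.clear()  # interval 0: a successful logon clears all failures
            return "ok"
        rec.failures.append(now)
        if len(rec.failures) >= self.policy.max_tries:
            rec.locked_at = now  # threshold reached: lock the account
        return "failed"

    def admin_unlock(self, user: str) -> None:
        """Administrator deletes the user's entry from the lockout database."""
        self.records.pop(user, None)
```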

The inetlockout.nsf database also lets the administrator see which users are locked out, and the administrator has the right to unlock them. Figure 4 shows the information held in the Internet Lockout database. The database can also record every user logon failure, which is useful when a security administrator is looking for password-guessing or credential theft attempts.


For example, we tested with two users. In the Web mailbox test, authentication failed and the account was locked after the user zhangsan entered the wrong password five times.


For zhangsan to log on again, delete the user's entry from the lockout database; the user can then log on and the password can be reset. A password reset alone does not take effect while the user remains in the locked status.

This article is from the "Gao Wenlong" blog; please keep this source: http://gaowenlong.blog.51cto.com/451336/1296193
