IBM Lotus Domino Web server security: Internet Lockout Features


Internet password lockout lets administrators set a threshold for Internet password authentication failures for users of Lotus Domino applications, including Lotus Domino Web Access. When a user fails to log on within the preset number of attempts, the user is locked out, which helps protect the user's Internet account against brute-force and dictionary attacks. Information about authentication failures and lockouts is stored in an Internet lockout application, where an administrator can clear failure records and unlock user accounts.

Note, however, that this feature does not address denial of service (DoS) attacks. In a DoS attack, a malicious user prevents legitimate users from using the service. With Internet password lockout, an attacker could intentionally cause logon failures, preventing legitimate Internet users from logging on to the Lotus Domino server.

There are some limitations to the use of Internet password locking:

Internet password lockout can be used only for Web access. Other Internet protocols and services, such as LDAP, POP, IMAP, DIIOP, IBM Lotus QuickPlace and IBM Lotus Sametime, are not currently supported. However, if the password used for authentication is stored in an LDAP server, Internet password lockout can still be used for Web access.

If you are using a DSAPI filter, you cannot use the Internet lockout feature, because a DSAPI filter can bypass Lotus Notes and Domino authentication.

For single sign-on (SSO), the Lotus Domino server that enforces Internet password lockout must also be the server that issues the single sign-on key. If the key is obtained from elsewhere (such as another Lotus Domino server or an IBM WebSphere server), the SSO token remains valid on the Lotus Domino server, even if Internet password lockout is enabled there.

Configure Internet Lockout

Internet lockout is not enabled by default on a Lotus Domino server. This section describes the steps to enable it.

To enable Internet lockout through configuration settings, follow these steps:

1. Open Lotus Domino Directory on the Lotus Notes client.

2. Click Configuration - Servers - Configuration.

3. Edit the default server configuration document or the individual server configuration document.

4. Click the Security tab.

o Change the option Enforce Internet password lockout to Yes.

o Set the log settings. Lockouts and failures are recorded in the log.

o Set the default maximum number of attempts.

This specifies the maximum number of password attempts a user can make before being locked out. The default value is 5. Once a user is locked out, the account must be unlocked before the setting takes effect for that user.

If a policy that applies to the user specifies a different value for this setting, that value overrides the value set in the server configuration document.

5. Set the default lockout expiration period.

This specifies how long a lockout is enforced. A lockout expires after the specified period, and the user's account is automatically unlocked the next time the user tries to log on. All failed attempts are also cleared at that point.

Note: If the value of this setting is 0, the lockout does not expire automatically, so the account must be unlocked manually.

6. Set the default maximum attempt interval.

This specifies how long failed password attempts are retained in the lockout database before a successful authentication clears them. The default value is 24 hours.

This setting does not apply to users who are locked out. If a user is locked out, the only way to clear the failed attempts and unlock the account is to do so manually in the Internet lockout database or to wait for the lockout to expire.

Note: If this value is set to 0, every successful logon by a user who is not locked out clears all failed password attempts for that user.

7. Save and close.

8. Restart the Lotus Domino server.
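The maximum attempts, lockout expiration and attempt interval settings described in the steps above interact in ways that are easier to follow when run. The Python model below is an added example, not IBM code and not part of the original page. Its class and function names are hypothetical, and it assumes that the account locks on the attempt that reaches the maximum and that a successful logon clears only failures that have been held for at least the attempt interval.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class LockoutPolicy:              # hypothetical names; all times are in minutes
    max_tries: int = 5            # default maximum number of attempts
    expiration: int = 60          # lockout expiration period; 0 = never expires
    interval: int = 24 * 60       # maximum attempt interval; 0 = any success clears all

@dataclass
class Account:
    failures: List[int] = field(default_factory=list)  # times of recorded failures
    locked_at: Optional[int] = None

def attempt(policy: LockoutPolicy, acct: Account, now: int, password_ok: bool) -> str:
    """Model one Web logon at minute `now`."""
    if acct.locked_at is not None:
        expired = policy.expiration > 0 and now - acct.locked_at >= policy.expiration
        if not expired:
            return "refused"      # even the correct password is refused while locked
        acct.locked_at = None     # an expired lockout is lifted on the next logon attempt
        acct.failures.clear()     # and all failed attempts are cleared
    if password_ok:
        # Assumption: success clears failures held at least `interval` (all of them if 0).
        acct.failures = [t for t in acct.failures if now - t < policy.interval]
        return "ok"
    acct.failures.append(now)
    if len(acct.failures) >= policy.max_tries:   # assumption: lock on reaching the maximum
        acct.locked_at = now
        return "locked-out"
    return "failed"

def admin_unlock(acct: Account) -> None:
    """Manual unlock, as an administrator does in the Internet lockout application."""
    acct.locked_at = None
    acct.failures.clear()

def demo() -> List[str]:
    """Constructed timeline: five bad passwords, then the correct one twice."""
    policy, acct = LockoutPolicy(), Account()
    results = [attempt(policy, acct, t, False) for t in range(5)]
    results.append(attempt(policy, acct, 10, True))   # still locked
    results.append(attempt(policy, acct, 64, True))   # 60 minutes after the lock at t=4
    return results

if __name__ == "__main__":
    print(demo())
```

In this model, with the default 24-hour interval, four failures followed by a successful logon and one more failure still lock the account, because the successful logon does not clear recent failures. Setting the interval to 0 makes every successful logon reset the count.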

You can also use a security policy to configure Internet lockout. With this method, an administrator can enforce Internet lockout for only a subset of users. Note that security policies can override the server's Internet lockout settings.

To enable Internet lockout through a security policy, follow these steps:

1. Open Lotus Domino Directory.

2. Click Configuration - Policies - Settings.

3. Open the security policy. If one does not exist, create a new security policy.

4. Click the Password Management tab and enter the values shown in Figure 2:

o Set the option Override the server's Internet lockout settings? to Yes.

o Set the option Maximum tries allowed to 5.

o Set the option lockout expiration to 60 minutes.

o Set the option Maximum tries interval to 1 day.

o Set all settings to Enforce.
