IT Baseline Protection Manual

S 4.125 Instituting restrictions on access to Lotus Notes databases with browser access

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

If a Lotus Domino server is also accessed with a browser, then as well as the other server-related security mechanisms (see S 4.122 Configuration for browser access to Lotus Notes) database-related mechanisms must also be used. This will ensure on the one hand that access to a database is only possible when there is a secure connection between client and server (or one can be established) and on the other hand that access for Web clients can be generally restricted.

The following database-related security mechanisms should be used:

  1. For all databases, the setting specifying that SSL (access via HTTPS) is to be used should be enabled in the properties of the relevant database. This is especially important if the server is also configured for unprotected access using HTTP.
  2. If the authentication procedure "User name and password" is used (see S 4.124 Configuration of authentication mechanisms with browser access to Lotus Notes), then for every database the maximum access level must be specified in the database authorisations. In particular, the "No Access" access level makes it possible to disallow Web access to particular databases. If Web access is the sole access mechanism, then the access level must be chosen so that users on the Web interface do not suffer any additional loss of functionality. In this case users generally have to be given write access as a minimum, so this access-restricting mechanism cannot be used as such.

Another security-relevant aspect that has to be considered with Web access to Lotus Notes databases is the fact that, if a Domino server can be accessed over the Web interface and authentication using SSL client certificates is used (see S 4.124 Configuration of authentication mechanisms with browser access to Lotus Notes), then it is not possible to exclude individual databases from Web access. Instead, authorised users are granted the ACL authorisations entered for them (see also S 4.120 Configuration of access control lists for Lotus Notes databases).
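The rules above can be checked mechanically: a name-and-password Web user ends up with the lower of the ACL entry and the database's maximum Internet access level, while an SSL-client-certificate user receives the ACL entry unchanged, so "No Access" as the Internet maximum does not exclude a database in that case. The following script is an added illustration, not Domino code and not part of the original measure: it models the Domino settings discussed (the database property requiring an SSL connection, the ACL entry, the "Maximum Internet name & password access" setting in the ACL, and the authentication method) as plain Python records and audits a constructed inventory for the three risks the text names. The inventory, the finding codes and the assumption that "Author" is the lowest level giving users read and write access are made up for the example.

```python
"""Audit of browser access to Lotus Notes databases, modelled on S 4.125.

Added example with a constructed inventory; the class names, finding codes
and sample databases are assumptions, not Domino APIs or real data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Standard Notes ACL levels, ordered from least to most privileged.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Assumption: Author is the lowest level that gives Web users read and write access.
MIN_WRITE_LEVEL = "Author"


def level_rank(level: str) -> int:
    """Position of an ACL level in the privilege order (higher = more rights)."""
    return ACL_LEVELS.index(level)


@dataclass
class WebDatabase:
    name: str
    require_ssl: bool          # database property: require an SSL (HTTPS) connection
    acl_level: str             # ACL entry that applies to the Web user
    max_internet_level: str    # ACL setting "Maximum Internet name & password access"
    auth_method: str           # "password" (user name and password) or "client_cert"
    web_only: bool             # the Web interface is the users' sole access channel


def effective_web_access(db: WebDatabase) -> str:
    """Access level a browser user actually obtains on this database."""
    if db.auth_method == "client_cert":
        # With SSL client certificates the Internet maximum does not apply:
        # the user receives exactly the ACL authorisation entered for them.
        return db.acl_level
    # Name-and-password users are capped by the maximum Internet access level.
    return min(db.acl_level, db.max_internet_level, key=level_rank)


def audit(db: WebDatabase, http_enabled: bool) -> List[str]:
    """Return finding codes for the risks S 4.125 describes."""
    findings = []
    if http_enabled and not db.require_ssl:
        # Server also answers plain HTTP and this database does not insist on SSL.
        findings.append("plain-http-allowed")
    if db.auth_method == "client_cert":
        if db.max_internet_level == "No Access" and level_rank(db.acl_level) > 0:
            # The administrator tried to exclude the database via the Internet
            # maximum, but certificate users still get their ACL entry.
            findings.append("internet-maximum-not-enforced")
    elif db.web_only and level_rank(effective_web_access(db)) < level_rank(MIN_WRITE_LEVEL):
        # Web is the only channel, so capping below write access costs functionality.
        findings.append("web-only-users-lose-write")
    return findings


# Constructed inventory (sample data, not a real server).
SAMPLE_INVENTORY = [
    WebDatabase("discuss.nsf", False, "Editor", "Editor", "password", False),
    WebDatabase("hr.nsf", True, "Reader", "No Access", "password", False),
    WebDatabase("partners.nsf", True, "Author", "No Access", "client_cert", False),
    WebDatabase("webforms.nsf", True, "Reader", "Reader", "password", True),
]


def run_audit(inventory: List[WebDatabase], http_enabled: bool = True) -> Dict[str, List[str]]:
    """Map each database name to its finding codes."""
    return {db.name: audit(db, http_enabled) for db in inventory}


if __name__ == "__main__":
    for db in SAMPLE_INVENTORY:
        print(f"{db.name}: effective Web access = {effective_web_access(db)}")
    for name, codes in run_audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(codes) or 'ok'}")
```

Run with `python3 audit_web_access.py`; the `http_enabled` flag corresponds to the server still offering unprotected HTTP alongside HTTPS, which is what makes the per-database SSL requirement matter.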


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
last update:
July 2001