Tuesday, 22 May 2018

Using the Internet Password Lockout Feature on a Domino Web Server

In my recent role as Domino Administrator I picked up a number of tasks including the Internet Password Lockout feature on our Domino Web Server. Internet Password Lockout gives the Domino Administrators the opportunity to set a threshold value for Internet Password authentication failures for users of Lotus Domino applications including Lotus Domino Web Access. This lockout helps to prevent brute force and dictionary attacks on user Internet accounts by locking out any user who fails to log in within a preset number of attempts. Information about authentication failures and lockouts is maintained in the Internet Lockout application where the administrator can clear failures and unlock user accounts.
It should be noted that this feature is subject to Denial of Service (DoS) attacks. A DoS attack is one in which malicious users explicitly prevent legitimate users of a service from using that service. In the case of Internet password lockout, legitimate Internet users could be prevented from logging in to a Domino server by attackers who intentionally make failed log in attempts. Internet password lockout has no affect on Domino Off-Line Services (DOLS).

Below a brief description of the configuration and activation of the Internet Password Locket feature on a Domino server.

Configuring Internet Password Lockout on a Domino Server
Internet Password Lockout is not enabled by default on a Lotus Domino server. To enable the Internet Password Lockout using the configuration settings document you can follow the steps below.

Open Lotus Domino Directory with the Lotus Notes client.
Click Configuration - Servers - Configuration.
Edit the default server configuration document or an individual server configuration document.
Click the security tab.
Change the option Enforce Internet password lockout to yes.

Set the log settings. Log both lockouts and failures.
Set the default maximum tries.
Specify the maximum number of bad password attempts allowed before users are locked out. The default value is 5. After a user is locked out, the user account must be unlocked before any new values for this setting are in effect for that user.
Set the default lockout expiration.
Specify the period of time for which a lockout is enforced. After the specified time period expires, the user account is automatically unlocked when the user next tries to authenticate. In addition, all failure attempts are cleared.

NOTE: If this value is 0, the lockout does not expire automatically. The account must be unlocked manually.
Set the default maximum tries interval.

Specify the length of time failed password attempts are retained in the lockout database before they can be cleared by a successful authentication. The default value is 24 hours.
NOTE: If this value is 0, every successful login, for a given user who is not locked out, clears all failed password attempts by that user.
Save and close.
Restart the Lotus Domino server.

After these settings are configured, an inetlockout.nsf database is created. This database records and tracks locked-out users and failed logins. Replicate this database between Web-enabled servers to ensure that locked-out users remain locked out for the entire infrastructure. The inetlockout.nsf database is created from the inetlockout.ntf database template. All users should be listed as having no access to the database. By default, the Internet Lockout database ACL allows manager access only to the Admin Group. Default and anonymous are denied access. However, the database ACL can be modified to provide users and groups access to view and unlock users. Only Internet password administrators should be able to access this database.
The inetlockout.nsf database also allows administrators to track which users have been locked out. Administrators have the option of unlocking the users as well. Figure 4 shows the information available in the Internet lockout database. This database can also record all user login failures. This fact can be useful when security administrators try to detect password hacking attempts.

For more information see Securing an IBM Lotus Domino Web server: Using the new Internet lockout feature.

No comments:

Post a Comment