SecureDomino:
Authentication and Intrusion Prevention for Lotus Domino

By extending authentication options beyond the Domino Directory, SecureDomino allows a broader usage of Domino servers.

SecureDomino enhances data security and helps to enforce Sarbanes-Oxley compliance. Domino servers with activated HTTP task are protected by preventing unauthorized users from gaining access.

Lotus Domino authentication has several shortcomings:

• Even with the Domino Directory Assistance and the Active Directory Synchronization users must still handle multiple passwords.
• Domino does not log authentication successfully and failed attempts efficiently.
• Domino does not support IP-based authentication.
• Domino does not allow the definition of log-on hours

• LDAP Authentication (new in R6!)
  Authenticate against Microsoft or any other LDAP directory and thus eliminate the need for users to remember multiple passwords.
• Authentication Logging (new in R6!)
  Log sign-in attempts (either all, successful only or failed attempts only) for analysis, documentation and user-information.
• IP-based Authentication
  Identify and authenticate users (and proxies) through their IP-address automatically.
• Log-on Hours Definition
  Restrict signing in, e.g.: restrict log-in to business days and hours from 8am to 5pm.

Lotus Notes and Domino offer extensive and mature security architecture. Nevertheless, a Domino server in the Intra-, Extra- or Internet is exposed to many risks:

• Browser clients can endlessly attempt to sign in to a Domino Server. Retrieving a user's password is just a matter of time.
• Hackers can access sensitive data or cause a heavy server load by simply using hacking tools provided in the internet (Brute Force Attacks, Denial-of-Service).
• URL´s like $DefaultNav and $DefaultView often reveal much more information than intended.
• Loading the HTTP-server task makes all database accessible through browser-clients, not just the desired ones.

• Prevent Brute-Force Hacking and Password Guessing Attempts
  Effective protection against hacking and denial of service-attacks through HTTP lockout. IPs and user accounts are locked after a number of failed attempts. Unlock on a scheduled interval or have administrators unlock manually.
• Forgotten Password Handling
  Users may request new http passwords and have them send to their Notes-mail accounts.
• Access Restrictions
  Restrict http-access with white- and black-lists to directories and databases. Have all other databases accessed through Lotus Notes clients only.
• Redirection
  Create redirections for custom and unwanted URL-commands like $$DefaultNav, $$DefaultView, %%Source%%. Works even with unicode characters.

• is widely tested and implemented by corporations (including IBM) and governments around the world.
• is a DSAPI-filter and can simply be plugged into any Domino server
• can be installed within minutes
• does not does require any modifications to the Domino directory or even a new Domino directory
• does not slow down the Domino server
• does not write into the Domino directory
• even works with strong password encryption
• is available on all relevant Domino platforms (Windows, Linux, AIX, Sun OS, others on request)

Platforms
SecureDomino is available for the following platforms:

• Windows NT/2000/2003
• Linux
• AIX
• Sun Solaris / Risc on request
• iSeries and zSeries on request

SecureDomino R6 requires a Domino R6 (or higher) server.