Securing Your Domino Web Server: How I Protect Vital HCL Notes Domino Databases from Web User Access

Gunawan T Wicaksono
5 min read · Jun 7, 2023

#NotesDomino #LotusNotes #DominoForever

Hello, allow me to introduce myself as a Freelance Notes Domino Developer and Administrator with over 20 years of experience in managing Notes Domino servers and creating Notes Client and Domino Web applications. In this post, I will share valuable advice and tips on securing your vital databases, including names.nsf, ddm.nsf, catalog.nsf, and more, to prevent unauthorized web user access.

names.nsf is one of the most important databases (applications) on a Domino Server: it holds user data and the server configuration, so securing it against unauthorized access is crucial.

First things first, make sure that “Anonymous” is set to “No Access” in the ACL (Access Control List) of every vital database.

ACL set Anonymous to “No Access”

By default, granting your users HTTP access, for example for iNotes, Verse (web mail access) or Traveler (mobile access), also lets them browse other databases on your Domino Server.

If your users have in-depth knowledge of the Notes Domino Server, they can explore critical databases such as names.nsf, ddm.nsf, admin4.nsf, log.nsf, domlog.nsf, domcfg.nsf, and others. These databases/applications contain vital information.

Default Notes Database launching When opened in a browser.

Be aware of the default launch setting in the database properties: “When opened in a browser” is set to “Use Notes launch option.” With this default, the database opens its Notes views in the browser, which can expose data.

Assume your Domino Server hostname is www.example.com. To see the problem, open http://www.example.com/names.nsf in a web browser. The resulting view looks like the image below:

Default view of the names.nsf database/application on the web.

This view exposes the Notes Domino user directory: email addresses, phone numbers, identification numbers and more, which is sensitive information if it falls into the hands of hackers.

To address this issue, we need to hide this view when accessed through the web. But can we achieve this by simply checking the “Don’t Allow URL Open” option in the database properties?

Checking “Don’t allow URL open” does not work for hiding vital information in names.nsf

The answer is “No.” Enabling this option breaks the “Select Addresses” dialog in iNotes (the web mail application), which will no longer display the user list.

Enabling the “Don’t allow URL open” option will disrupt the functionality of your iNotes application.

Here’s how to remove the user data view when accessed through a web browser:

  1. Open the “names.nsf” database on the server using Domino Designer.
  2. Find and open the “$$ViewTemplateDefault” form.
  3. A dialog will appear with a warning: “If you make changes to this design element, you may lose them, as it inherits its design from a different template.” Click “OK” to proceed.
  4. Delete every design element on that form until it is empty, then press CTRL+S to save the “$$ViewTemplateDefault” form.

Next, ensure that these changes are permanent:

Checked box “Prohibit design refresh or replace to modify”

  1. Open the form’s “Properties,” go to the “Design” tab and check “Prohibit design refresh or replace to modify.” If you skip this step, the modified form will revert to its original design from the “Public Address Book” template at the next design refresh.
  2. Repeat the same steps for the “$$SearchTemplateDefault” form.

Now, let’s check again after making these changes. Reopen the URL http://www.example.com/names.nsf, and the view located on the right side of the frameset will appear empty since it has been deleted.

View Deleted from form “$$ViewTemplateDefault”

However, the left side of the frameset still shows menus meant for Notes Domino users, which clutters the page in the web browser.

To address this, change the launch settings of the names.nsf application/database:

  1. Right-click the names.nsf application/database and open its properties.
  2. Change the launch option “When opened in a browser” from “Use Notes launch option” to “Open designated Page,” and select the “pgEmpty” page.

Change “Open designated Page” to “pgEmpty”

Now, let’s verify the changes by reopening the URL http://www.example.com/names.nsf. As anticipated, you will observe a blank white page. We have successfully protected vital information from user web access on the Domino Server.

White blank page

For the other applications/databases, such as admin4.nsf, ddm.nsf, domcfg.nsf, catalog.nsf and log.nsf, the empty page (pgEmpty) does not exist yet, so it must be created first.

Here are the steps to create an empty page (pgEmpty):

  1. Open Domino Designer and open the database you want to secure, for example, admin4.nsf.
  2. Create a new page by right-clicking on the “Pages” area in the left panel and selecting “New Page.”
  3. Name this new page as “pgEmpty.”
  4. Do not add anything to the new page; leave it blank.
  5. Save the changes by pressing CTRL+S or through the “File” -> “Save” menu.

Once the empty page (pgEmpty) is created, you can apply the same steps to other databases such as ddm.nsf, domcfg.nsf, catalog.nsf, and log.nsf.
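Once the changes are in place, a repeatable check confirms that every vital database now serves a blank page to an ordinary web user. The script below is an added example, not part of the original post; it assumes a test web-user account that the server accepts via HTTP basic authentication, and it uses the hostname and database list from this post.

```python
"""Check that the vital databases render a blank page over HTTP after the change.
Added example, not from the original post; assumes a test web-user account that the
server accepts via HTTP basic authentication (with session authentication only, send
the session cookie instead). Host and database names are the ones from the post."""
import base64
import re
import sys
import urllib.error
import urllib.request

HOST = "http://www.example.com"  # hostname used in the post
VITAL_DBS = ["names.nsf", "admin4.nsf", "ddm.nsf", "domcfg.nsf", "catalog.nsf", "log.nsf"]

# Markup the default launch page carries that a blank pgEmpty page never does:
# the frameset and links built from Domino URL commands such as ?OpenView.
LEAK_MARKERS = re.compile(r"<frameset\b|<frame\b|\?Open(View|Form|Navigator|Frameset)", re.I)

def is_blank_page(body):
    """True when the HTML has no frameset/view markup and no visible text."""
    if LEAK_MARKERS.search(body):
        return False
    text = re.sub(r"<!--.*?-->", "", body, flags=re.S)  # Domino's release comment
    text = re.sub(r"<script.*?</script>", "", text, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", "", text)  # strip the remaining tags
    return text.strip() == ""

def is_protected(status, body):
    """200 with a blank body is the expected state after the pgEmpty change;
    401/403 means the user cannot open the database at all, which is also fine."""
    return status in (401, 403) or (status == 200 and is_blank_page(body))

def fetch(url, user, password):
    """GET with basic auth; returns (status, body), HTTP error responses included."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_databases(host, dbs, user, password):
    """Map each database to True (protected) or False (still showing a view)."""
    return {db: is_protected(*fetch(f"{host}/{db}", user, password)) for db in dbs}

if __name__ == "__main__":
    user, password = sys.argv[1], sys.argv[2]  # credentials of a test web user
    for db, ok in check_databases(HOST, VITAL_DBS, user, password).items():
        print(("OK   " if ok else "LEAK ") + f"{HOST}/{db}")
```

Run it as the kind of user you grant iNotes or Verse access to; any line reported as LEAK still needs the $$ViewTemplateDefault and launch-option changes described above.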

By following these steps, you have secured your Domino Web Server by hiding the user data view from anyone who opens these databases in a web browser. Always maintain the security of your server to protect user data and sensitive information from unauthorized access.

I hope this guide has been helpful to you in securing your Domino Web Server. If you have any further questions, feel free to ask. Thank you for reading!

Gunawan TW
