On a production Domino server exposed to the internet, after a pentest, we're told we should restrict access to this URL to anonymous users.
How can we do this?
Thanks!
Hello Federico,
To restrict access to a URL like xxx.xxx.xxx.xxx/names.nsf?OpenPreferences for anonymous users in an HCL Domino environment, you can implement access control at different levels depending on your requirements.
Use Access Control Lists (ACL)
You can configure the ACL settings for the specific database (names.nsf in this case) to limit access for anonymous users. Here’s how to do it:
Steps:
Open the Domino Designer and locate the names.nsf database.
Click on File > Database > Access Control to open the ACL settings for the database.
Edit the ACL:
Ensure that the Anonymous user is set to "No Access" or another restricted level (e.g., "Reader" if you want limited access).
You can also use specific user roles or groups to control who has access.
Save your changes and restart the Domino server if necessary.
This will prevent any unauthenticated (anonymous) user from accessing the database directly through the URL.
For your awareness, we have launched a new Digital Solutions Community site (https://developer.ds.hcl-software.com/) which includes our new product forums. The content for our legacy product forums will soon be migrated to this new site. If you haven’t yet done so, we encourage you to sign up on the site and engage with the community of experts for our products!
It does not work: it seems that OpenPreferences opens even if Anonymous is set to "No Access".
Names.nsf should not allow any access to Anonymous user.
Change the access control of names.nsf (your directory) by
(a) add Anonymous to access control if not already there
(b) set access to No Access
Usually you can give Reader access to Default and Manager access to the admin and the server, as per your requirement.
However, openPreferences is not connected to names.nsf and hence is not a security risk. It is a special URL for setting a cookie for user preferences.
You can append ?openPreferences to any valid or invalid Domino URL irrespective of the access control for that db to see the same result. Test it by https://server/xyz.nsf?openPreferences.
This is not a security issue. It just creates a cookie in the browser session for user preferences allowing the server to customize the formats for all browser accesses.
You may apprise the security team regarding this.
################
On this forum thread.
Setting anonymous to "NO" in the server document/internet site document should prompt user for authentication as below when they hit the said URL.
Server document has below settings.
Thanks
Regards
Shrikant J
Hi Shrikant,
After changing anonymous access in the web section (server document), this happened with the form login: all images and styles are lost. Can this be resolved?
Hi Federico,
Try setting the ini "HTTPPublicUrls" as per the article below.
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0094919
If the suggestion has helped, mark this thread as answered and helpful.
Thank you
Regards
Shrikant J
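As an added example, not part of this thread and not HCL's own code, the script below confirms the end state the answers above describe from an administrator's side: names.nsf and the ?OpenPreferences URL must now prompt for authentication, while the login form's assets listed in HTTPPublicUrls must still be served anonymously. The server name and the asset paths are placeholders to replace with your own, and the login-form detection (a form posting to names.nsf?Login) is a heuristic.

```python
"""Anonymous-access check for a Domino HTTP server (added example, not HCL code)."""
import urllib.error
import urllib.request

# Placeholder: replace with the Domino server you administer.
SERVER = "https://domino.example.com"

# URLs from the thread that should require a login once Anonymous is disabled.
PROTECTED = ["/names.nsf", "/names.nsf?OpenPreferences"]
# Assumed login-form assets that HTTPPublicUrls must still serve anonymously;
# adjust to whatever your login form actually references.
PUBLIC = ["/icons/ecblank.gif", "/domjava/"]


def classify(status, headers, body):
    """Classify one anonymous response as 'auth-required', 'open' or 'http-<code>'.

    Domino answers an unauthenticated request either with 401 plus
    WWW-Authenticate (basic authentication) or, with session authentication,
    by serving its login form, whose <form> posts to names.nsf?Login.
    The form check is a heuristic on the HTML body.
    """
    if status in (401, 403) or any(k.lower() == "www-authenticate" for k in headers):
        return "auth-required"
    if status == 200:
        lowered = body.lower()
        if "<form" in lowered and "?login" in lowered:
            return "auth-required"
        return "open"
    return "http-%d" % status


def fetch(url):
    """GET url with no credentials and no cookies; return (status, headers, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "anon-access-check"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def audit(server=SERVER):
    """Return {path: verdict}; PROTECTED paths should be auth-required, PUBLIC paths open."""
    return {path: classify(*fetch(server + path)) for path in PROTECTED + PUBLIC}


if __name__ == "__main__":
    for path, verdict in audit().items():
        expected = "open" if path in PUBLIC else "auth-required"
        print("OK " if verdict == expected else "FIX", path, verdict)
```

A "FIX" on a PROTECTED path means anonymous access is still allowed; a "FIX" on a PUBLIC path means the login form will again render without its images and styles.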