The benefits of using Internet Password Lockout
You can configure the Lotus Domino Internet Password Lockout (IPL) feature to help protect your Lotus Notes Traveler environment against brute force and dictionary attacks on the user passwords used to authenticate with the Lotus Notes Traveler server. If mobile devices are connecting directly to the Lotus Notes Traveler server, or if there is no lockout capability present on a front-end authentication proxy, then it is recommended to enable this capability.
Because email addresses are relatively easy to ascertain, there is a definite security value in protecting the passwords used by Lotus Notes Traveler against multiple incorrect password attempts. This is especially true if you have deployed your Lotus Notes Traveler server in an "internet facing" configuration (that is, your Lotus Notes Traveler server is directly accessible through the internet). However, even if the Lotus Notes Traveler server is only available internally, using IPL can help protect against the actions of a rogue employee attempting to maliciously access another employee’s email.
How Internet Password Lockout works
IPL is actually a feature of the Lotus Domino web engine, but it can be used in a Lotus Notes Traveler environment as well, even if the users' Lotus Notes Traveler passwords are stored in an external LDAP directory rather than in the native Domino Directory. This is because all connectivity to the Lotus Notes Traveler server is handled by the Domino HTTP task, which utilizes the IPL feature.
IPL works on the simple concept of defining how many failed user authentication attempts are allowed. Once this number is exceeded, a record for the user is created in an IPL database stored on the Domino server. The HTTP task queries the contents of this database every time it receives a new authentication request and automatically fails any attempt for a user name that has a matching record.
A user is unable to authenticate with the Lotus Notes Traveler server for as long as a record for that user is present in the IPL database (even if they subsequently try to authenticate with the correct credentials). There are two ways that user records can be removed from the IPL database to re-enable the user's access:
- They can be configured to delete automatically, after an administrator-definable period of time has elapsed (for example, after 24 hours).
- They can be deleted manually by a Domino or Lotus Notes Traveler Administrator who has the necessary access permission to the IPL database.
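The following Python model illustrates the lockout behaviour described above (failure threshold, lockout record, rejection even with the correct password, automatic expiry and manual removal). It is an added example, not Domino's own implementation: the credential directory, the three-attempt / 24-hour settings and the assumption that the counter tracks consecutive failures per user name and is cleared by a successful login are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutStore:
    """Model of the IPL database: one lockout record per user name."""
    allowed_failures: int = 3         # failed attempts allowed before a record is created
    lockout_seconds: int = 24 * 3600  # administrator-definable expiry (24 hours here)
    failures: dict = field(default_factory=dict)  # user -> consecutive failed attempts (assumption)
    records: dict = field(default_factory=dict)   # user -> lockout record expiry timestamp

    def is_locked(self, user: str, now: float) -> bool:
        """True while a record exists; an expired record is deleted automatically."""
        expiry = self.records.get(user)
        if expiry is not None and now >= expiry:
            del self.records[user]
            self.failures.pop(user, None)
            return False
        return expiry is not None

    def record_failure(self, user: str, now: float) -> None:
        """Count a failed attempt; once the allowance is exceeded, create the record."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] > self.allowed_failures:
            self.records[user] = now + self.lockout_seconds

    def admin_unlock(self, user: str) -> bool:
        """Manual removal by an administrator (or a self-service tool acting for that user)."""
        self.failures.pop(user, None)
        return self.records.pop(user, None) is not None


# Constructed credential directory standing in for the Domino / LDAP password check.
CREDENTIALS = {"alice@example.com": "correct-horse"}


def authenticate(store: LockoutStore, user: str, password: str, now: float) -> bool:
    """HTTP-task style check: consult the lockout store before verifying the password."""
    if store.is_locked(user, now):
        return False                    # rejected even if the password would be right
    if CREDENTIALS.get(user) == password:
        store.failures.pop(user, None)  # successful login clears the failure counter (assumption)
        return True
    store.record_failure(user, now)
    return False


if __name__ == "__main__":
    store, user, t = LockoutStore(), "alice@example.com", 0.0
    for i in range(4):
        authenticate(store, user, "wrong", t + i)
    print("locked after 4 failures:", store.is_locked(user, t + 4))
    print("correct password while locked:", authenticate(store, user, "correct-horse", t + 5))
    print("correct password after expiry:", authenticate(store, user, "correct-horse", t + 5 + 24 * 3600))
```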
The following figure shows how the IPL integrates into a simple Lotus Notes Traveler architecture:
Lotus Notes Traveler with Internet Password Lockout
Things to be aware of when using Internet Password Lockout
If you do choose to enable IPL in your environment there are three main things to be aware of:
- It will inconvenience users who accidentally enter the password incorrectly enough times to be “locked out”. It is important to have a well defined and communicated process that users can follow to re-enable their access to Lotus Notes Traveler.
- Depending on how IPL is configured, it can be an additional overhead on your Lotus Notes Traveler administrators, as they have to process requests from locked out users.
- IPL can be abused to mount a denial of service attack, because anyone can make multiple incorrect password attempts against any Lotus Notes Traveler account if they have network connectivity to the server and know the email address. This is more of a potential issue if the Lotus Notes Traveler server is connected directly to the internet. Remember that once a user is added to the IPL database, they are locked out until that record is explicitly deleted by an administrator or the record is removed because it expires.
Using Internet Password Lockout with Single Sign On
If you configure your Lotus Notes Traveler environment to use Single Sign On (SSO) authentication with another authentication source (for example, an alternative LDAP server), then it is not necessary to use the IPL feature on your Lotus Notes Traveler servers. This is because when SSO is enabled, all of the authentication work is actually done by the external SSO server, and therefore the Lotus Notes Traveler server receives only an SSO token for a user who has already been successfully authenticated. In these circumstances, there is no need to use IPL on the Lotus Notes Traveler servers, because users no longer authenticate with them directly.
What does IBM do internally?
In the IBM internal implementation of Lotus Notes Traveler, IPL was originally configured to block a user after three failed password attempts. The block is maintained for 24 hours, after which the record is configured to delete automatically, enabling the user to try again. IBM also deployed a custom "self service" application that allows users to delete any IPL lockout that matches their own Lotus Notes ID. This enables users to unlock themselves on a 24/7 basis, as long as they have access to their Lotus Notes client and ID. Otherwise, they must wait for the 24 hour period to expire, or they can submit a help desk request for a Lotus Notes Traveler Administrator to unlock them.
Further reading on the Internet Password Lockout feature
The following articles describe the IPL feature in more detail, including a step-by-step guide to enabling it: