USER AND SERVER CONFIGURATION


Creating a security policy settings document
A security policy settings document controls the Administration ECL, as well as Notes and Internet passwords and public key requirements for Notes IDs.

To create Security settings

1. Make sure that you have Editor access to the Domino Directory and one of these roles:

2. From the Domino Administrator, select the People & Groups tab, and then open the Settings view.

3. Click "Add Settings," and then choose Security.

4. On the Basics tab, complete these fields:
Name: Enter a name that identifies the users (and, if you are a service provider, the hosted organization) that use these settings.
Description: Enter a description of the settings.
5. On the Password Management tab, complete these fields:
Password management options
Use custom password policy for Notes clients: Choose one:
  • No (default)
  • Yes -- to implement a custom password policy. Custom password policies let you set specific password parameters so that passwords are not trivial or predictable. Use the settings on the "Custom Password Policy" tab to define the policy.
Check password on Notes ID file: Choose one:
  • No (default)
  • Yes -- to require that all copies of the user ID have the same password
Allow users to change Internet password over HTTP: Choose one:
  • Yes (default) -- to allow users to change their Internet passwords from a Web browser.
  • No
Update Internet password when Notes client password changes: Choose one:
  • No (default)
  • Yes -- to synchronize the user's Internet password with the Notes client password.
Enable Notes single logon with Workplace Rich Client: Choose one:
  • No (default)
  • Yes -- to allow users to enable single logon with the Notes plug-in for the IBM Workplace rich client
Password expiration settings
Enforce password expiration: Choose one:
  • Disabled (default) -- to disable password expiration. If you disable password expiration, do not complete the remaining fields in this section.
  • Notes only -- to enable password expiration for Notes passwords only.
  • Internet only -- to enable password expiration for Internet passwords only.
  • Notes and Internet -- to enable password expiration for both Notes and Internet passwords.

Note If you enable password expiration with any of these options, the defaults for the remaining fields in this section change.

Note Internet password expiration is enforced only by the HTTP protocol. An expired Internet password can still be used indefinitely with other Internet protocols, such as LDAP or POP3.

Caution Do not enable password expiration if users use Smartcards to log in to Domino servers.

Required change interval: Specify the number of days for which a password is valid before it must be changed. Default is 0.

Note If you set this value to less than 30, the value of the "Warning period" field is calculated automatically as 80% of the value entered here.

Allowed grace period: Specify the number of days that users have to change an expired password before being locked out. Default is 0.
Password history (Notes only): Specify the number of expired passwords to store. Stored passwords cannot be reused. Default is 0.
Warning period: Specify the number of days before password expiration at which the user receives an expiration warning message. Default is 0.

Note This value is calculated automatically when "Required change interval" is less than 30 days; password expiration must be enabled for the calculation to occur. A calculated value cannot be overridden.

Custom warning message: Enter a custom warning message to send to users whose password has entered the warning period specified in the "Warning period" field.

Note The custom warning message is for Notes clients only, regardless of how you enabled password expiration. Internet users do not see it.

Password quality settings
Required password quality: If you require users to choose passwords based on password quality, choose the required quality from the drop-down list.

For more information, see Understanding the password quality scale.

Use length instead: If you require users to choose passwords based on length, click Yes. The "Required password quality" field then changes to "Required password length"; specify the minimum password length there.
6. If you have chosen to implement a custom password policy, complete these fields on the Custom Password Policy tab.

For more information, see Custom password policies.
Change password on first Notes client use: Require users to change their password the first time they log in using Notes.

Note This works only if the policy is applied during user registration.

Allow common name in password: Allow the user's common name, or part of it, to appear in the password.
For example: John232 is the password for user CN=John Doe/O=Mutt, where the common name is John Doe.
Password length minimum: Specify the minimum number of characters that users must have in their passwords.
Password length maximum: Specify the maximum number of characters that users can have in their passwords.
Password quality minimum: Specify the minimum password quality value that users' passwords must reach.
Minimum number of alphabetic characters required: Specify the minimum number of alphabetic characters that users must include in their passwords.
Minimum number of upper case characters required: Specify the minimum number of uppercase characters that users must include in their passwords.
Minimum number of lower case characters required: Specify the minimum number of lowercase characters that users must include in their passwords.
Minimum number of numeric characters required: Specify the minimum number of numeric characters (digits) that users must include in their passwords.
Minimum number of special characters required: Specify the minimum number of special characters, namely punctuation, that users must include in their passwords.
Maximum number of repeated characters required: Specify the maximum number of repeated characters, of any kind, allowed in a password.
Minimum number of unique characters required: Specify the minimum number of characters that must appear only once in a password.
Minimum number of non-lower case characters required: Specify the minimum number of special characters, numbers, and uppercase characters that you require in user passwords. A higher value makes passwords harder to guess.

After you enter a number, a checklist appears listing the character types that count toward this requirement. You can pick any combination of the following:

  • numbers
  • special characters
  • upper case
Password may not begin with: Specify the type of characters with which users cannot begin their passwords.
Password may not end with: Specify the type of characters with which users cannot end their passwords.
7. Complete the fields on the Execution Control List tab to configure the Administration ECL.

For more information, see The execution control list.
Admin ECL: The default administration ECL is the default value for this field. Choose one:
  • Edit -- to edit the default administration ECL.
  • New -- to create a new administration ECL. Enter the name of the new ECL and choose options in the Workstation Security: Execution Control List dialog box. The name of the new ECL appears in this field.
Update Mode: Choose one:
  • Refresh -- to update workstation ECLs with changes made to the Administration ECL. If a setting appears in both the administration ECL and the workstation ECL, the administration ECL setting overrides the workstation ECL setting.
  • Replace -- to overwrite the workstation ECL with the Administration ECL. This option overwrites all workstation ECL settings.
Update Frequency: Choose one:
  • Once Daily -- to update the workstation ECL when the client authenticates with its home server and either a day has passed since the last ECL update or the administration ECL has changed.
  • When Admin ECL Changes -- to update the workstation ECL when the client authenticates with its home server and the administration ECL has changed since the last update.
  • Never -- to prevent the update of the workstation ECL during authentication.
8. Complete the fields on the Keys and Certificates tab to configure key rollover for groups of users. You specify triggers that initiate key rollover for a group of users. You have the option of spacing out the rollover process over a specified period of time for the group of users to which this policy applies.

For more information on key rollover, see the topic User and server key rollover.
Default Public Key Requirements
  • Inherit public key requirement settings from parent policy
  • Enforce public key requirement settings in child policies
User Public Key Requirements
Minimum Allowable Key Strength: Choose one. Keys weaker than the one specified will be rolled over:
  • No minimum.
  • Maximum compatible with all releases (630 bits).
  • Compatible with Release 6 and later (1024 bits).
Maximum Allowable Key Strength: Choose one. Keys stronger than the one specified will be rolled over:
  • Minimum (512 bits).
  • Maximum compatible with all releases (630 bits).
  • Compatible with Release 6 and later (1024 bits).
Preferred Key Strength: Choose the key strength to use when creating new keys:
  • Minimum (512 bits).
  • Maximum compatible with all releases (630 bits).
  • Compatible with Release 6 and later (1024 bits).
Maximum Allowable Age for Key (in days): Specify the maximum age a key can reach before it must be rolled over. Default is 36500 days (100 years), which in practice never triggers age-based rollover.
Earliest Allowable Key Creation Date: Any key created before this date will be rolled over.
Spread new key generation for all users over this many days: Specify the period, in days, over which new keys are generated for all users to whom this security settings policy document applies. Each user's key is rolled over at a random point within the period. Default is 180 days.
Maximum number of days the old key should remain valid after the new key has been created: Specify how long the old key can still be used during network authentication. Valid values are 1 to 36500 days; the default is 365.

During Notes key verification, all of the certificates, old and new, and all of the rollover keys are organized into a tree, which is traversed looking for a set of certificates that can be chained together to verify the key. An expired certificate cannot be used in that chain. When you roll over a key because you suspect it has been compromised, set a short value here so that certificates issued to the old key stop validating quickly.
Certificate Expiration Settings
Warning period: Specify the number of days before certificate expiration at which the user receives an expiration warning message. Default is 0.
Custom warning message: Enter a custom warning message to send to users whose certificate has entered the warning period specified in the "Warning period" field.
9. Save the document.
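The following is an added example, not IBM's code or anything shipped with Domino: it applies the Custom Password Policy fields from step 6 to a candidate password and computes the expiration state implied by the Password Management fields from step 5, including the 80% warning-period rule. Class and function names are this example's own; where the page leaves a rule's exact semantics open (what counts as a "repeated character", how the common name is matched) the reading used is noted in a comment. The sample password and user are taken from the page's own John232 / John Doe illustration.

```python
# Added example (not IBM's code): evaluates a candidate Notes password against the
# Custom Password Policy fields (step 6) and computes the expiration state defined
# by the Password Management fields (step 5). Names here are this example's own.
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List

SPECIAL = frozenset(string.punctuation)


def char_type(c: str) -> str:
    """Classify a character as one of the page's types: numbers, upper, lower, special."""
    if c.isdigit():
        return "numbers"
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    if c in SPECIAL:
        return "special"
    return "other"


@dataclass
class CustomPasswordPolicy:
    length_min: int = 8
    length_max: int = 0          # 0 = no maximum (assumption)
    min_alpha: int = 0
    min_upper: int = 0
    min_lower: int = 0
    min_numeric: int = 0
    min_special: int = 0
    max_repeated: int = 0        # 0 = no limit (assumption)
    min_unique: int = 0
    min_non_lower: int = 0
    non_lower_types: FrozenSet[str] = frozenset({"numbers", "special", "upper"})
    may_not_begin_with: FrozenSet[str] = frozenset()
    may_not_end_with: FrozenSet[str] = frozenset()
    allow_common_name: bool = True


def check_password(pw: str, p: CustomPasswordPolicy, common_name: str = "") -> List[str]:
    """Return the names of violated rules; an empty list means the password is accepted."""
    errs = []
    types = [char_type(c) for c in pw]
    n = {t: types.count(t) for t in ("numbers", "upper", "lower", "special")}
    if len(pw) < p.length_min:
        errs.append("length minimum")
    if p.length_max and len(pw) > p.length_max:
        errs.append("length maximum")
    if n["upper"] + n["lower"] < p.min_alpha:
        errs.append("alphabetic minimum")
    if n["upper"] < p.min_upper:
        errs.append("upper case minimum")
    if n["lower"] < p.min_lower:
        errs.append("lower case minimum")
    if n["numbers"] < p.min_numeric:
        errs.append("numeric minimum")
    if n["special"] < p.min_special:
        errs.append("special minimum")
    # Reading used: a "repeated character" is any occurrence of a character beyond its first.
    if p.max_repeated and len(pw) - len(set(pw)) > p.max_repeated:
        errs.append("too many repeated characters")
    if sum(1 for c in set(pw) if pw.count(c) == 1) < p.min_unique:
        errs.append("unique character minimum")
    if sum(n[t] for t in p.non_lower_types if t in n) < p.min_non_lower:
        errs.append("non-lower case minimum")
    if pw and types[0] in p.may_not_begin_with:
        errs.append("begins with " + types[0])
    if pw and types[-1] in p.may_not_end_with:
        errs.append("ends with " + types[-1])
    # Reading used: with the option off, no word of the common name (John Doe -> John, Doe)
    # may appear in the password, case-insensitively; the page's John232 is then rejected.
    if not p.allow_common_name and any(w.lower() in pw.lower() for w in common_name.split()):
        errs.append("contains common name")
    return errs


def warning_period(change_interval: int, configured_warning: int) -> int:
    """Below a 30-day interval the warning period is forced to 80% of the interval (step 5 note)."""
    return int(change_interval * 0.8) if change_interval < 30 else configured_warning


def expiration_state(last_changed: date, today: date, change_interval: int,
                     grace: int, configured_warning: int, enforce: bool = True) -> str:
    """One of 'ok', 'warning', 'expired' (still inside the grace period) or 'locked'."""
    if not enforce or change_interval == 0:
        return "ok"
    age = (today - last_changed).days
    if age < change_interval - warning_period(change_interval, configured_warning):
        return "ok"
    if age < change_interval:
        return "warning"
    if age < change_interval + grace:
        return "expired"
    return "locked"


if __name__ == "__main__":
    policy = CustomPasswordPolicy(min_upper=1, min_numeric=1, min_special=1, max_repeated=2,
                                  may_not_begin_with=frozenset({"numbers"}), allow_common_name=False)
    print(check_password("John232", policy, "John Doe"))   # the page's example, constructed input
    print(expiration_state(date(2024, 1, 1), date(2024, 3, 21), 90, 5, 14))
```

Two points the code makes explicit that the field descriptions only imply: the warning period is silently recomputed whenever the change interval drops below 30 days, so a short interval with a large configured warning period does not warn as early as the document suggests; and "Allow common name in password" is the only rule that needs the user's identity, so it has to be evaluated where the common name is known (registration or the ID's name), not from the password string alone.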

Assigning an existing Admin ECL to a security settings document

To assign an existing Admin ECL to a security settings document:

1. In the Security Settings document, click Execution Control List.

2. Click Edit Settings.

3. Click New, and enter the name of the Admin ECL you want to assign to the Security Settings document. The Admin ECL appears.

4. Click OK.

For more information on Notes and Internet passwords, see the topics Setting up password verification and Name-and-password authentication for Internet clients.

For more information on administration and workstation ECLs, see the topics The execution control list and Default ECL settings.
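The following is an added example, not IBM's code or part of Domino: it applies the User Public Key Requirements from step 8 (minimum and maximum allowable strength, maximum age, earliest allowable creation date) to a constructed inventory of user keys, reports why each key must be rolled over, and spreads the resulting rollovers at random across the configured window, pairing each with the day the old key stops validating. Class and function names are this example's own, and the key inventory is constructed for illustration.

```python
# Added example (not IBM's code): decides which user keys the Keys and Certificates
# settings (step 8) would roll over and schedules them across the spread window.
import random
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Key strengths offered by the page's drop-downs, in bits.
KEY_MIN_512, KEY_COMPAT_630, KEY_R6_1024 = 512, 630, 1024


@dataclass
class PublicKeyRequirements:
    min_bits: Optional[int] = None         # None = "No minimum"
    max_bits: Optional[int] = None         # None = no maximum (assumption)
    max_age_days: int = 36500              # page default: 100 years
    earliest_creation: Optional[date] = None
    spread_days: int = 180                 # page default
    old_key_valid_days: int = 365          # page default


@dataclass
class UserKey:
    user: str
    bits: int
    created: date


def rollover_reasons(key: UserKey, req: PublicKeyRequirements, today: date) -> List[str]:
    """Every trigger from the page that the key violates; empty means the key may stay."""
    reasons = []
    if req.min_bits is not None and key.bits < req.min_bits:
        reasons.append("weaker than minimum allowable strength")
    if req.max_bits is not None and key.bits > req.max_bits:
        reasons.append("stronger than maximum allowable strength")
    if (today - key.created).days > req.max_age_days:
        reasons.append("older than maximum allowable age")
    if req.earliest_creation is not None and key.created < req.earliest_creation:
        reasons.append("created before earliest allowable date")
    return reasons


def schedule_rollovers(keys: List[UserKey], req: PublicKeyRequirements, today: date,
                       rng: Optional[random.Random] = None) -> Dict[str, Tuple[date, date]]:
    """Map each user whose key must roll over to (rollover day, last day the old key validates).
    Rollover days are drawn uniformly from the spread window, as the page describes."""
    rng = rng or random.Random()
    plan = {}
    for key in keys:
        if rollover_reasons(key, req, today):
            offset = rng.randrange(req.spread_days) if req.spread_days > 0 else 0
            when = today + timedelta(days=offset)
            plan[key.user] = (when, when + timedelta(days=req.old_key_valid_days))
    return plan


# Constructed inventory, and a policy demanding Release 6 strength and a five-year maximum age.
INVENTORY = [
    UserKey("Alice Smith/O=Mutt", KEY_MIN_512, date(2023, 3, 1)),
    UserKey("Bob Jones/O=Mutt", KEY_R6_1024, date(2018, 5, 1)),
    UserKey("Carol White/O=Mutt", KEY_R6_1024, date(2023, 1, 1)),
]
REQ = PublicKeyRequirements(min_bits=KEY_R6_1024, max_age_days=5 * 365,
                            earliest_creation=date(2020, 1, 1), spread_days=180)

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for key in INVENTORY:
        print(key.user, rollover_reasons(key, REQ, today))
    print(schedule_rollovers(INVENTORY, REQ, today, random.Random(1)))
```

Note what the page's defaults mean when run through this logic: with no minimum strength, no earliest creation date and a 36500-day maximum age, nothing is ever scheduled, so a key believed compromised must be forced out by setting "Earliest Allowable Key Creation Date" past its creation date, together with a short "Maximum number of days the old key should remain valid".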
