Friday, June 27, 2008

Too keen on "Don't allow URL open"!!

Well, back from ILUG, where I attended the Admin Blast session with Paul Mooney, I was packed with tips and good things to do with my servers. I couldn't wait.

The "Don't allow URL open" setting on the database seemed like a good place to start.
This property locks down your database for web access. Domino URLs will not work.
You would use this on any database you want to secure.

I of course ran off and put this on our Domino Directory. We don't want anybody to hack their way into that, of course. Turning this on seems like a good thing. But there are some gotchas waiting.

First of all this setting replicates. Beware of that.

You may want to turn "Don't allow URL open" on on your web server, but keep it off elsewhere in your production environment. Typically you may have a dedicated web server for in-house web services and for your Domino Web Access server. You will need the Address Picker in these environments. Turning on "Don't allow URL open" will break the Address Picker.

You need to be aware that this setting stops every URL request that has a '?' in it, like
myDatabase/myDocument?Openform ... and so on.

Second, the Domino Web Access dialog does use the type of URL that is being blocked. My mistake!! I thought it was a servlet. In that case it wouldn't be blocked.

So there you have it. The setting replicates through your domain and it breaks the Domino Web Access Address Picker. I've asked Paul Mooney about the impact of this setting on BleedYellow; he didn't answer. I guess he left to finish Fluffy off. My bad for asking silly questions instead of doing my own research.

So this setting should probably not be turned on on your administration server. Secure it using the ACL. You could, however, turn this on on other servers that do not replicate back to the admin server, which, in my opinion, Domino Directory databases should not do.
