Most people are aware of what a Domino server does - it holds all of the databases and therefore access to pretty much everything. And each server has a server ID. Protecting a server ID with a password works in much the same way that protecting a computer or account with an ID works. In this case, the server ID password is individual to the server itself, rather than the user, but access to that password is limited to a finite number of people with administrator authority.
Server ID Passwords Only Work if You Use Them
The idea of why a password protected server id would be useful isn't surprising. What might be shocking to those who don't work in the IT field is that they're rarely used. The truth is that most servers are not protected by a password because it's cumbersome. Someone needs to put in the password every time the server is started or restarted. It only takes a few seconds for an administrator to punch in a specific password, but often they forego this step allowing the server to restart without password protection. Besides the time savings when an administrator is present, there isn't always one available. Sometimes the server goes down or needs to be restarted outside of business hours or when no one with administrator authority is present. And it's often imperative to have the server back up and running as quickly as possible.
For administrators, it's far easier not to use a server ID password. This allows them to skip that step if they are available and it also allows that they don't have to be there for the server to be started or re-started. This isn't the most secure decision considering the vast amount of information easily accessible to anyone in the server. Without a server ID password, you're leaving the system open to anyone with enough knowledge to access the many databases contained within. An even scarier scenario, you're leaving access to people with limited knowledge who might do far more damage.
Several experts and even IBM itself have been recommending setting up a password for the Domino server ID for years.
Improving the Protocol for Security
Server ID protection isn't something that's widely talked about. If you hunted for information, you're more likely to find a lot of articles detailing how to get past an outdated server ID password. There's a kind of standard protocol in a lot of companies to simply save the step and not use a password. If pressed, most professionals would tell you that it does leave the server unprotected to a level that should never really happen, even if there are no internal dangers.
A server id password is an excellent measure that shouldn't be foregone. If an administrator can't be present for every restart, the information might be passed to a proxy in an emergency situation and the password can be changed afterwards. Other options might include software solutions – like DominoProtect from BCC – to allow password protection while still allowing automated restarts and starts of the server without administrator presence.
For more information check out the webinar replay: Top 5 Actions to Boost Your IBM Domino Server Security
Need some help with your Domino security?