Securing your OCS deployment
Office Communications Server (OCS) is Microsoft's Unified Communications solution for enterprises. As with any UC deployment, the applications that enable voice, video, IM, file transfer and application sharing bring their own security issues. In this article, we address those concerns and discuss OCS's built-in security features, configuration choices that follow security best practice, and integrated software (from Microsoft and from third parties) that adds security to OCS.
A unified communications system is vulnerable to such threats as eavesdropping or sniffing, identity/IP address spoofing, RTP replay, and so forth, as well as viruses/worms, man-in-the-middle and denial of service (DoS) attacks. Because the confidentiality and integrity of your communications are critical to your business, it's essential to protect against all of these threats.
Built-in security features in OCS 2007
OCS 2007 provides many new features that LCS 2005 didn't have, including:
- Enterprise VoIP
- Multi-party IM
- On-premise web conferencing that allows participation by outside users who don't have enterprise credentials
In addition, features such as presence and federation support have been improved and enhanced.
With new features come new security challenges, but Microsoft has addressed many of them with built-in features. As always, the best security is multi-faceted, so the security framework upon which OCS is built has many components.
Active Directory
Windows server security in a domain is built around Active Directory, and OCS uses AD to store global settings (shared by all OCS servers in a forest), data identifying the roles of OCS servers, and user settings.
You must prepare AD for OCS by extending the schema with OCS classes and attributes, creating OCS objects and attributes, and adding permissions on objects in each domain. You can do this in one of two ways: with the LcsCmd.exe command-line tool on the OCS CD, or with the Setup.exe deployment tool for OCS 2007. The command-line tool can be run remotely; the deployment tool has a graphical interface and wizards to guide you through each task.
The specific steps to prepare AD include:
- Prep Schema (run once)
- Prep Forest (run once)
- Prep Domain (run on every domain where you deploy OCS)
For step-by-step information on how to prepare AD for OCS, see the Microsoft Office Communications Server 2007 Active Directory Guide.
OCS uses standard Windows authentication protocols, chosen according to the type of user:
- Kerberos v5 is the most secure and is used for internal clients with AD credentials.
- NTLM is used for clients outside the LAN who have AD credentials.
- The Digest protocol is used for on-premise conferencing clients outside the LAN who don't have AD credentials (they must, however, have been invited to the on-premise conference and supplied with a valid conference key).
To protect data traveling over the network, OCS 2007 encrypts communications by default. Endpoint authentication and encryption are accomplished by using Transport Layer Security (TLS) and Mutual Transport Layer Security (MTLS). Server-to-server SIP communications use MTLS and client-server SIP communications use TLS. These protocols protect against man-in-the-middle and eavesdropping.
TLS and MTLS are also used to encrypt instant messages. TLS encryption is optional for internal client-to-client IMs. OCS communications with public IM servers are encrypted; however, it is up to the public IM provider to encrypt the leg between its own server and the outside client, so do not assume end-to-end protection for public IM conversations.
The Secure Real-time Transport Protocol (SRTP) is used to encrypt streaming media. SRTP protects RTP data by adding authentication, confidentiality and replay protection.
Public Key Infrastructure
Server authentication for OCS 2007 is based on the use of digital certificates issued by a trusted CA. This can be an internal or public CA (you may need a public CA if the OCS server needs to communicate with systems outside the LAN). OCS is designed to work with a Windows 2003 Public Key Infrastructure (PKI).
For OCS, all server certificates must carry an Enhanced Key Usage (EKU) for server authentication; MTLS relies on this to authenticate the servers to each other. Server certificates must also include at least one Certificate Revocation List (CRL) distribution point, and that distribution point must be reachable from every peer that validates the certificate, or revocation checking will fail.
Federation security features
Like its predecessor, Live Communications Server 2005 (with SP1), OCS 2007 has the capability of federating with the major public instant messaging providers (MSN, Yahoo! and AOL). It also supports "enhanced federation," which allows peer enterprises to be discovered using DNS SRV records. OCS 2007 includes new security features for the federation model. These include:
- A limit on how many distinct users a federated peer can communicate with over a specified time period. This is designed to prevent "directory harvesting," in which an attacker tries different user names to discover valid ones.
- A limit on the rate at which the Access Edge Server accepts messages from a federated peer, based on analysis of that peer's traffic.
Administrators can also restrict access by adding domains to the Deny list, or blocking peer certificates via the certificate store.
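The following Python is an added illustration of the two federation throttles described above, not code from OCS or from Microsoft: each federated peer domain gets a sliding window over the distinct local users it has addressed (the directory-harvesting limit) and a sliding window over its message count (the rate limit). The thresholds, peer names and traffic are constructed for the example; the Access Edge Server's real thresholds and traffic analysis are not on this page.

```python
"""Illustrative model of the two federation throttles: a cap on distinct
target users per peer (anti directory-harvesting) and a cap on message rate
per peer. Thresholds and traffic below are constructed for the example."""
from collections import defaultdict, deque

MAX_DISTINCT_TARGETS = 20   # distinct local users one peer may address ...
TARGET_WINDOW_S = 60.0      # ... within this many seconds
MAX_MSGS = 50               # messages one peer may send ...
MSG_WINDOW_S = 10.0         # ... within this many seconds


class FederationThrottle:
    """Sliding-window throttles keyed by federated peer domain."""

    def __init__(self, max_targets=MAX_DISTINCT_TARGETS,
                 target_window=TARGET_WINDOW_S,
                 max_msgs=MAX_MSGS, msg_window=MSG_WINDOW_S):
        self.max_targets = max_targets
        self.target_window = target_window
        self.max_msgs = max_msgs
        self.msg_window = msg_window
        self._targets = defaultdict(deque)  # peer -> deque of (ts, target)
        self._msgs = defaultdict(deque)     # peer -> deque of ts

    def check(self, peer, target, now):
        """Decide one inbound request from `peer` addressed to `target`.

        Returns "allow", "harvest-limit" (too many distinct users probed)
        or "rate-limit" (too many messages in the window). Throttled
        requests are not recorded, so a peer cannot extend its own window.
        """
        targets = self._targets[peer]
        while targets and now - targets[0][0] > self.target_window:
            targets.popleft()
        msgs = self._msgs[peer]
        while msgs and now - msgs[0] > self.msg_window:
            msgs.popleft()

        distinct = {t for _, t in targets}
        if target not in distinct and len(distinct) >= self.max_targets:
            return "harvest-limit"
        if len(msgs) >= self.max_msgs:
            return "rate-limit"
        targets.append((now, target))
        msgs.append(now)
        return "allow"


def simulate(traffic, throttle=None):
    """Run (timestamp, peer, target) events through a throttle.

    Returns {peer: {decision: count}}.
    """
    if throttle is None:
        throttle = FederationThrottle()
    counts = defaultdict(lambda: defaultdict(int))
    for ts, peer, target in traffic:
        counts[peer][throttle.check(peer, target, ts)] += 1
    return {peer: dict(c) for peer, c in counts.items()}


def constructed_traffic():
    """Three constructed peers: a harvester, a flooder and a normal partner."""
    events = []
    # harvester.example probes 30 guessed names, one per second
    for i in range(30):
        events.append((float(i), "harvester.example",
                       f"user{i:03d}@contoso.example"))
    # chatty.example sends 60 messages in 6 s to one colleague
    for i in range(60):
        events.append((i * 0.1, "chatty.example", "alice@contoso.example"))
    # partner.example talks to 5 users at a relaxed pace
    for i in range(10):
        events.append((i * 5.0, "partner.example",
                       f"user{i % 5}@contoso.example"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for peer, decisions in simulate(constructed_traffic()).items():
        print(peer, decisions)
```

Run as written, the harvesting peer is cut off after its 20th distinct user name, the flooder after its 50th message in the 10-second window, and the partner domain is never throttled. The point worth noting is that the two limits are independent: a harvester sending slowly never trips the rate limit, and a flooder talking to one colleague never trips the harvest limit, so both controls are needed.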
Blocking unwanted or dangerous IMs
You can use the Intelligent IM Filter to block unwanted or potentially harmful instant messages and file transfers. The filter is configured with the criteria you choose, so IMs and file transfers are blocked selectively. For example, you can block IMs that contain hyperlinks, or let the IM through with the hyperlink disabled, and you can block file transfers by file extension.
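As an added example of the filtering decisions just described (not the Intelligent IM Filter's own code), the Python below applies a hyperlink policy to instant messages and an extension policy to file transfers. The policy values are constructed; the underscore prefix used to disable a link is an assumption, since the page does not say how the OCS filter renders a link non-clickable. The extension check deliberately looks only at the final extension, case-insensitively and after any directory prefix, so a double-extension file such as invoice.pdf.EXE is still caught.

```python
"""Illustrative IM/file-transfer filter with the knobs described above:
block or disable hyperlinks in IMs, and block file transfers by extension.
This is an added example, not the OCS Intelligent IM Filter's own code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy values.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".scr", ".vbs", ".js"}
HYPERLINK_MODE = "disable"   # "block" rejects the IM; "disable" neuters links

# Matches scheme://... and bare www.... up to the next whitespace.
URL_RE = re.compile(r"\b((?:https?|ftp|file)://\S+|www\.\S+)", re.IGNORECASE)


@dataclass
class Verdict:
    action: str                 # "allow", "modified" or "block"
    payload: Optional[str]      # delivered text/filename, None when blocked
    reason: str = ""


def filter_im(text, mode=HYPERLINK_MODE):
    """Apply the hyperlink policy to one instant message."""
    links = URL_RE.findall(text)
    if not links:
        return Verdict("allow", text)
    if mode == "block":
        return Verdict("block", None, f"{len(links)} hyperlink(s) present")
    # Disable: prefix each link with an underscore so clients do not render
    # it as clickable. (Assumption: the page does not specify the exact
    # transformation the OCS filter applies.)
    disabled = URL_RE.sub(lambda m: "_" + m.group(1), text)
    return Verdict("modified", disabled, f"{len(links)} hyperlink(s) disabled")


def filter_file_transfer(filename, blocked=BLOCKED_EXTENSIONS):
    """Apply the extension policy to one file-transfer request.

    Decides on the final extension, case-insensitively, after stripping any
    directory prefix, so "invoice.pdf.EXE" is still treated as .exe.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in blocked:
        return Verdict("block", None, f"extension {ext} not allowed")
    return Verdict("allow", name)


if __name__ == "__main__":
    for msg in ("lunch at noon?", "see http://intranet.contoso.example/p now"):
        print(filter_im(msg))
    for f in ("report.pdf", r"C:\Users\bob\invoice.pdf.EXE"):
        print(filter_file_transfer(f))
```

Whichever mode you pick, make the decision at the server: a client-side filter can be bypassed by a malicious or unmanaged endpoint, which is why the OCS filter sits on the server rather than in Communicator.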
For much more detailed information on using OCS's built in security features, see the Microsoft Office Communications Server Security Guide.
Hardening your servers and clients
The OCS server, along with the other servers in your infrastructure, should be hardened by locking down both the operating system and the applications as far as possible. Much of this can be done through Group Policy. The Windows Server 2003 Security Guide provides specific guidance on hardening Server 2003 servers.
Unused services on your servers should be disabled, and the SQL Server database that stores OCS information should be protected. In short, good network security practice becomes even more important once an OCS server is on the network. And of course, all servers should be kept current with security patches and the latest virus signatures.
Client machines must also be configured securely. You can use OCS Group Policy to disable features you don't need and to require media encryption on the client. The latest service packs and security updates should be installed on client machines as well.
And don't forget other OCS devices, such as OCS-compatible phones. The Office Communications Server Software Update Service can automatically update all unified communications devices deployed in your organization.
To evaluate the overall health of your OCS 2007 servers and topology, you can download the Office Communications Server 2007 Best Practices Analyzer.
Microsoft integrated security solutions
In June, Microsoft released a public beta version of Forefront Security for OCS. This is the latest in the Forefront family of enterprise security products and allows you to scan for malicious software using multiple engines, and filter instant messages and files by keywords. It also includes automated signature updates and IM notification alerts.
Forefront Security for OCS integrates with the Access Edge Server role in OCS 2007 Enterprise Edition, securing messages to and from external public IM clients and federated networks as well as internal communications. The beta is available for download.
Third party security add-ons
Third party security products designed to protect OCS 2007 include:
- Trend Micro IM Security for Microsoft Office Communications Server
- Akonix L7 Enterprise, which adds unified policy and risk management for OCS
OCS 2007 is Microsoft's answer to the unified communications question. It goes well beyond the scope of LCS 2005 and now manages all types of real-time communications, including VoIP and conferencing. Communications applications are among the most exposed in today's threat landscape, so security should be considered first when deploying OCS. This article has provided an overview of the security considerations relating to OCS 2007.