Securing Your Lync Server (Part 1)
If you would like to read the other parts in this article series please go to:
Today's business world is all about communications, and many enterprises use Microsoft's Lync unified communications platform for instant messaging, voice and video conferencing. Microsoft has built additional security features into the latest version of Lync, and as with any software, how you configure and use it plays a big part in security. In this article, we'll look at what Lync is and how it works, the security mechanisms that are included and how you can best secure your organization's Lync server.
The evolution of Lync
Microsoft Lync is the renamed and “reimagined” iteration of the enterprise software formerly known as Office Communications Server (OCS), which itself got its start back in the heyday of Microsoft’s “live” period, as Live Communications Server 2003. It was renamed to OCS in 2007 and became Lync in 2010. Prior to the release of LCS, Microsoft included instant messaging functionality in Exchange 2000, but they moved that to LCS and removed it from Exchange 2003.
The current version is Lync Server 2013, which was released in October 2012. It has grown to include not just instant messaging and file transfer but also presence (an indication of availability status), Voice over IP (VoIP), and audio and video conferencing, with participants on the local network, with external users over the Internet, and with callers on traditional PSTN phone lines via a SIP gateway or SIP trunk.
Participants in a Lync collaboration session can also share desktops, applications, OneNote notes, documents, presentations, whiteboard drawings, and polls. Organizers of Lync conferences can designate whether particular participants are attendees only or presenters and set policies and permissions governing what participants in each category can do. You can also organize topic-based virtual chat rooms for working groups.
How it works
Although it’s now a separate product, Lync integrates with Exchange server and retrieves contact information from the Exchange database.
Lync uses SIP (Session Initiation Protocol), the Internet standard for setting up voice and video sessions, for signaling between the client software and the server; the SIMPLE extensions (SIP for Instant Messaging and Presence Leveraging Extensions) carry presence information and short real-time messages over the same signaling channel. Media (audio and video) is carried separately by RTP (the Real-time Transport Protocol) or its encrypted form, SRTP (Secure RTP). The signaling channel itself is encrypted by running SIP over TLS (Transport Layer Security).
Lync client software is available for Windows PCs and Mac OS X. There is a Lync app in the Windows Store for Windows 8/8.1/RT, a “Basic” client that doesn’t support multi-party video, VDI, OneNote integration, advanced call handling and some other features. Those features are included in the full Lync 2013 client. Users who can’t or don’t want to install the Lync software on their computers can use the Lync Web App. There are also versions available from Microsoft for Windows Phone 7 and 8, Android and iOS devices. There is a Lync client for Linux made by Fisil, a company that provides Lync software and outsourcing services. You can see the differences between the functionalities of different clients in the Client Comparison Tables on the TechNet web site.
Lync security mechanisms
Lync relies on certificates issued by your organization’s PKI (public key infrastructure) or by a public CA (certification authority). A certificate binds a server’s identity to its public key; TLS uses that key pair to authenticate the server and to negotiate the session keys that encrypt the connection, which defeats eavesdropping and man-in-the-middle attacks as long as the client trusts the issuing CA and the server’s DNS name matches a name on the certificate. Lync has specific certificate requirements (for example, subject alternative names covering each SIP domain and service FQDN the server answers for), and not every public CA will issue certificates that meet them. Server-to-server connections use MTLS (Mutual TLS), in which each server presents its own certificate and verifies the other’s, so a rogue machine cannot join a pool simply by reaching the port.
Instant messages sent over Lync can be encrypted via TLS and MTLS, both internally and over the Internet. Internal messages can be sent over plain TCP (unencrypted), but best security practice is to use TLS. Shared desktop and web conferencing sessions are also protected by TLS, audio and video media are protected by SRTP, and address book downloads and meeting content are protected by HTTPS.
User authentication is accomplished via either Kerberos v5 or NTLM if the user has Active Directory credentials. Kerberos is used for users on the internal network, where the client can reach a domain controller to obtain tickets; NTLM is used when users connect from outside the internal network, because the remote-access path gives the client no way to contact a domain controller. Kerberos can be used for external users if they first connect through a VPN, which places them on the internal network for this purpose. Anonymous users (those with no Active Directory credentials, such as guests joining a conference) are authenticated via the Digest protocol using the conference key. Users can also be authenticated by client certificates issued by the Lync server itself after an initial credential logon. These certificates can’t be issued by the PKI or a public CA, only by the Lync server.
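The settings described above (assigned certificates, mandatory SRTP for media, and which client authentication methods the server offers) can all be read back from the Lync Server Management Shell. The following is an added example, not code from the article or from Microsoft; it is read-only by default (the remediation line is commented out), and the expected CA name, file paths and server names are placeholders you would replace with your own.

```powershell
# Added example: audit the transport-security settings the article describes.
# Run in the Lync Server Management Shell (or after Import-Module Lync) with at
# least CsViewOnlyAdministrator rights. Read-only unless you uncomment the Set-* line.

Import-Module Lync -ErrorAction Stop

# 1. Certificates assigned to this server. Flag anything that expires within 30 days
#    or was not issued by the CA you expect (the CN below is an assumed placeholder).
$expectedIssuerCn = 'Contoso Issuing CA'
$soon = (Get-Date).AddDays(30)
Get-CsCertificate | ForEach-Object {
    $c = $_
    $problems = @()
    if ($c.NotAfter -lt $soon) { $problems += "expires $($c.NotAfter)" }
    if ($c.Issuer -notmatch [regex]::Escape($expectedIssuerCn)) {
        $problems += "unexpected issuer '$($c.Issuer)'"
    }
    [pscustomobject]@{
        Use        = $c.Use
        Subject    = $c.Subject
        SANs       = ($c.AlternativeNames -join ', ')
        Thumbprint = $c.Thumbprint
        Problems   = if ($problems) { $problems -join '; ' } else { 'none' }
    }
} | Format-Table -AutoSize

# 2. Media encryption: SRTP should be required, not merely supported. A scope whose
#    EncryptionLevel is SupportEncryption lets a client negotiate plain RTP.
foreach ($m in Get-CsMediaConfiguration) {
    if ($m.EncryptionLevel -ne 'RequireEncryption') {
        Write-Warning "$($m.Identity): EncryptionLevel is $($m.EncryptionLevel); SRTP is not enforced"
        # Remediation (uncomment to apply):
        # Set-CsMediaConfiguration -Identity $m.Identity -EncryptionLevel RequireEncryption
    }
}

# 3. Client authentication offered by the proxy/Registrar: Kerberos for internal users,
#    NTLM for remote users, and Lync-issued client certificates for re-authentication.
Get-CsProxyConfiguration | Select-Object Identity,
    UseKerberosForClientAuthentication,
    UseNtlmForClientAuthentication,
    UseCertificateForClientAuthentication,
    TreatAllClientsAsRemote | Format-List

# 4. Web services (address book and meeting content over HTTPS): which
#    authentication methods are enabled.
Get-CsWebServiceConfiguration | Select-Object Identity, UseWindowsAuth,
    UseCertificateAuth, UsePinAuth, UseWsFedPassiveAuth | Format-List
```

Run it on each Front End and Edge server before and after a certificate renewal; the Issuer check is what catches a certificate that was accidentally requested from a public CA instead of the enterprise CA.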
Active Directory and Group Policy
Lync stores global settings, service information about the servers running Lync and some user settings in the Active Directory database. Lync 2013 client group policies are now included in the Office Group Policy Administrative Template, instead of having a standalone administrative template as previous versions of Lync and Office Communicator had. You can also use a third party product such as PolicyPak to manage the Lync 2010 or 2013 clients.
The ADMX (administrative template) file that you use to apply Group Policy that controls the client bootstrapping settings (settings that are needed before the client logs onto the Lync server) is called Lync15.admx. It’s part of the Office 2013 administrative templates package. You’ll need to download the 32-bit or 64-bit version, depending on whether you run 32-bit or 64-bit Office 2013/Lync 2013. It’s an executable file, for example admintemplates_32bit.exe.
After you run the .exe and extract the contents, you’ll see a spreadsheet named office2013grouppolicyandoctsettings.xlsx (the Group Policy and Office Customization Tool settings). In the spreadsheet, you’ll find a list of settings for the GPO. You can filter the file name column to display only the settings that belong to Lync15.admx. You’ll find the template itself in the admx folder.
You can put the ADMX file in a central store (so that multiple administrators share one copy) or you can put it on a computer running Windows 7 or 8/8.1. If you create a central store, it lives in SYSVOL under the domain’s Policies\PolicyDefinitions folder: put the non-language-specific .admx templates in that root folder and each language’s .adml files in a separate sub-folder named for the locale (for example en-US). Create the folder on the domain controller operating as PDC emulator and it will replicate to your other DCs. Details for creating a central store, as well as the instructions for installing the administrative templates on a workstation, can be found on Daniel Petri’s web site at http://www.petri.co.il/add-administrative-templates-to-gpo.htm#
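The central-store procedure above (locate the PDC emulator, create the PolicyDefinitions folder, copy the ADMX files to the root and the ADML files to per-language sub-folders, verify) can be scripted. This is an added example, not code from the article or from Microsoft; the extraction path and the admx folder layout inside the extracted package are assumptions you should check against what the .exe actually produced.

```powershell
# Added example: stage the Office 2013 / Lync 2013 administrative templates in a
# Group Policy central store. Assumes the ActiveDirectory module is installed, the
# account can write to SYSVOL, and admintemplates_32bit.exe was extracted to $extracted
# with an 'admx' sub-folder holding the .admx files and per-language .adml folders.

Import-Module ActiveDirectory -ErrorAction Stop

$extracted = 'C:\Temp\Office2013AdminTemplates'   # assumption: your extraction folder
$languages = @('en-US')                            # add the ADML languages your admins use

# The central store lives in SYSVOL. Create it on the PDC emulator and let
# SYSVOL replication carry it to the other domain controllers.
$domain = Get-ADDomain
$store  = "\\$($domain.PDCEmulator)\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"

if (-not (Test-Path $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
}

# Non-language-specific ADMX files go in the root of the store ...
Copy-Item -Path (Join-Path $extracted 'admx\*.admx') -Destination $store -Force

# ... and each language's ADML files go in a sub-folder named for the locale.
foreach ($lang in $languages) {
    $langDir = Join-Path $store $lang
    if (-not (Test-Path $langDir)) {
        New-Item -ItemType Directory -Path $langDir | Out-Null
    }
    Copy-Item -Path (Join-Path $extracted "admx\$lang\*.adml") -Destination $langDir -Force
}

# Verify: every ADMX should have a matching ADML for the primary language, and the
# Lync client template must be present, otherwise the Group Policy editor will not
# show the Lync 2013 settings.
$primary = $languages[0]
$missing = Get-ChildItem -Path $store -Filter *.admx | Where-Object {
    -not (Test-Path (Join-Path $store "$primary\$($_.BaseName).adml"))
}
if ($missing) {
    Write-Warning "ADMX files without a $primary ADML: $($missing.Name -join ', ')"
}
if (Test-Path (Join-Path $store 'lync15.admx')) {
    Write-Host "lync15.admx staged in central store $store"
} else {
    Write-Warning "lync15.admx not found under $extracted\admx; check the extraction"
}
```

Run it once per domain; on a replicated environment give SYSVOL replication time to finish before expecting the templates to appear in the Group Policy Management Editor on other domain controllers.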
Lync Server Management Shell and Lync Server Control Panel
For those who prefer to perform admin tasks via a graphical interface, Lync Server 2013 has the Lync Server Control Panel that is automatically installed on Lync servers and can also be installed on another computer for centrally managing Lync servers.
IT admins who have kept abreast of what’s going on with Microsoft server operating systems know that the company has gone back to “the dark place” – the command line – in a big way. PowerShell is the preferred management interface now, and most of the settings for Lync 2013 can be controlled via PowerShell, using the Lync Server Management Shell.
The Lync Server Management Shell is already installed when you install Lync Server (Enterprise Edition Front End Server or Standard Edition). It is a Windows PowerShell session that pre-loads the Lync module; the Lync Server cmdlets are not available in a plain Windows PowerShell window until you run Import-Module Lync on a computer that has the Lync Server administrative tools installed. There are over 500 cmdlets that come with Lync Server 2013. You can get a list of all of the Lync Server 2013 cmdlets by typing the following command at the prompt in the Lync Server Management Shell:
Get-Command * -Module Lync -CommandType cmdlet
There are many different kinds of cmdlets. There are 54 cmdlets that are classified as security related, which include cmdlets for managing certificates and authentication, user rights and permissions, and interoperability. Many of the cmdlets are used for delegating administrative control of the Lync Server using the new role-based access control feature (RBAC).
There are a number of administrative roles already included in Lync Server 2013 but you can also create new roles and specify which cmdlets can be used by each role. There is an Active Directory group created for each of the roles.
When you create your own roles, you must first create the corresponding AD universal security groups, and each group’s name must match the name of the role it will hold (Lync looks up the role by that name). The highest level role is CsAdministrator, which can perform all administrative tasks, including creating new roles. Other built-in roles include:
The scope of each role’s authority is in most cases indicated by the name. For example, the CsVoiceAdministrator can only create, configure and manage voice-related settings and policies.
The RBAC limitations only apply when a user is managing the Lync Server remotely, through a remote PowerShell session or the Control Panel; they are not enforced for someone who logs on to the Lync server itself and runs cmdlets locally, where the user’s Windows rights decide what works. That makes control of local logon rights and local Administrators membership on the Lync servers part of your RBAC design, not a separate concern.
In this, Part 1 of this series on securing your Lync server, we took a look at what Microsoft Lync is, how it works, and the security mechanisms and management tools that are built in. In Part 2, we’ll get into some of the details of how to harden and protect your Lync server and the Lync database, and how to plan and configure two-factor authentication for Lync.