Securing Your Lync Server (Part 2)
If you would like to read the other parts in this article series please go to:
In Part 1 of this series on securing your Lync Server, we discussed the evolution of Microsoft’s Lync software that grew out of the old Office Communications Server (OCS), what it does and how it works, the built-in security mechanisms (authentication and encryption) and the use of Active Directory and Group Policy, as well as how to use the Lync Server Management Shell to assign and create administrative roles.
In this, Part 2, we’re going to talk about common threats to Lync servers, some tips and tricks for hardening your Lync server and the Lync database, and how to plan and configure two-factor authentication for Lync. Then next time, we’ll wrap it up with some security tips specific to using Lync across the Internet and with users outside the organization.
Your Lync server can be vulnerable to many of the same threats and attack types as any other Windows server application running on the Windows Server operating systems. Because Lync is a communications tool through which users may discuss a wide range of topics related to your business via voice, video and instant messages, the data that passes through it and is archived by it is often intended to be private. Thus the Lync server requires the same level of protection as your email servers.
Lync also contains enhanced presence data, which is personal information about users that can be suppressed from a user’s contact list via enhanced presence privacy mode, as well as information such as the user’s IP address, SIP URI and name as defined in Active Directory, which is used by the server and network for routing and signaling and cannot be controlled by the user or the system admin. This data could be exposed and used by an attacker.
As with any server, the Lync server can be the target of denial of service (DoS) attacks that can be implemented by sending an overload of traffic to the system or by sending invalid data to the applications and services running on it, with the result of making the server and its services inaccessible to users and disrupting their ability to communicate.
Even more of a concern are eavesdropping attacks that can allow an attacker to access the data passing between clients and the server. By default, the Lync server uses TLS encryption to protect against this type of attack. Although the data could still be intercepted, the encryption prevents the attacker from being able to read it and thus renders it useless to him/her.
Hardening the Lync server
Of course, Lync Server software runs on the Windows Server operating system, so the first step in securing Lync is to ensure that the underlying operating system has been hardened. Lync Server 2013 runs on 64-bit editions of Windows Server 2008 R2 SP1, Windows Server 2012 or Windows Server 2012 R2. It is not supported on a Server Core installation, so you can’t lock down the OS that way if you’re going to run Lync Server on it. However, you can – and should – take the time to disable all unneeded services.
In addition, the databases used by Lync Server include the back-end database, the archiving database, the monitoring database, and the persistent chat and persistent chat compliance databases. These can run on 64-bit editions of SQL Server 2008 R2 or SQL Server 2012 (Standard or Enterprise editions), and on SQL Server 2012 Express. Best security practices for both the underlying OS and SQL Server should be instituted on the machines holding the databases.
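One practical way to act on the “disable all unneeded services” advice is to compare the services that start automatically against an approved baseline and disable the rest. The script below is an added example, not code from the article or from Microsoft; the baseline list and the assumption that Lync’s own services are named `RTC*`/`REPLICA` and its local SQL Express instances `MSSQL$*` must be validated against the roles actually installed on your server before running it without `-ReportOnly`.

```powershell
# Added example (not from the article): report, and optionally disable, automatically
# starting services that are not on an approved list for a Lync Server host.
param(
    [switch]$ReportOnly = $true   # default is report-only; pass -ReportOnly:$false to enforce
)

# Assumed baseline of Windows services a domain-joined Lync Front End relies on.
# Adjust for your environment (backup agents, monitoring agents, AV, etc.).
$BaselineAllowed = @(
    'Dnscache','Dhcp','EventLog','LanmanServer','LanmanWorkstation','MpsSvc',
    'RpcSs','RpcEptMapper','W32Time','WinRM','Netlogon','CryptSvc','Schedule',
    'W3SVC','WAS','MSMQ','WinDefend','Wuauserv'
)

function Get-UnapprovedAutoService {
    param([string[]]$Allowed)
    # Win32_Service works on Server 2008 R2 through 2012 R2 without extra modules.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Where-Object {
            $name = $_.Name
            (-not ($Allowed -contains $name)) -and
            ($name -notlike 'RTC*')   -and   # Lync Server roles (assumed naming)
            ($name -ne 'REPLICA')     -and   # Lync replica replicator agent
            ($name -notlike 'MSSQL*') -and   # local SQL Express instances used by Lync
            ($name -notlike 'SQL*')          # SQL Server helper services
        }
}

$candidates = @(Get-UnapprovedAutoService -Allowed $BaselineAllowed)
$log = Join-Path $env:ProgramData 'lync-hardening-services.log'

foreach ($svc in $candidates) {
    if ($ReportOnly) {
        Write-Output ("REVIEW: {0} ({1}) - {2}" -f $svc.Name, $svc.DisplayName, $svc.PathName)
    } else {
        # Stop the service now and prevent it from starting on the next boot; keep a
        # record so the change can be reverted if a dependency was missed.
        Stop-Service -Name $svc.Name -Force -ErrorAction Continue
        Set-Service  -Name $svc.Name -StartupType Disabled
        Add-Content -Path $log -Value ("{0}`t{1}`tDisabled" -f (Get-Date -Format s), $svc.Name)
    }
}

Write-Output ("{0} service(s) outside the baseline." -f $candidates.Count)
```

Run it first in the default report-only mode, reconcile the list with the Lync roles installed on that server, then re-run with `-ReportOnly:$false` once the baseline is confirmed.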
As with any critical servers that contain information that may be sensitive or confidential, the Lync server and database servers should be in a secured physical location where unauthorized persons can’t gain local access. Unless the servers are absolutely physically inaccessible at all times, best security practice is to encrypt the operating system and data drives using BitLocker full-volume encryption, and disable DMA (Direct Memory Access) ports to prevent DMA-based attacks, which can be used to read and manipulate system memory and expose private keys or other sensitive information.
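The two controls above (full-volume encryption and blocking DMA-capable controllers) can be checked from PowerShell. The audit script below is an added example, not from the article; it uses the built-in BitLocker module (Windows Server 2012 and later) and reads the registry location where the “Prevent installation of devices that match any of these device IDs” Group Policy is stored. The device ID `PCI\CC_0C0A` for IEEE 1394 host controllers is an assumption taken from general Windows device-restriction guidance, not from this article.

```powershell
# Added example (not from the article): audit a Lync host for BitLocker coverage
# and for a device-installation policy blocking 1394 (DMA-capable) controllers.
Import-Module BitLocker

function Get-UnencryptedFixedVolume {
    # Returns OS and fixed data volumes that are not fully encrypted with protection on.
    Get-BitLockerVolume |
        Where-Object { @('OperatingSystem', 'Data') -contains $_.VolumeType } |
        Where-Object { $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted' }
}

function Test-DmaDeviceBlocked {
    param([string]$DeviceId = 'PCI\CC_0C0A')   # IEEE 1394 OHCI controllers (assumed class ID)
    # Registry backing for the device-installation restriction policy.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $idsKey = Join-Path $policy 'DenyDeviceIDs'
    if (-not (Test-Path $idsKey)) { return $false }

    $enabled = (Get-ItemProperty -Path $policy -Name 'DenyDeviceIDs' -ErrorAction SilentlyContinue).DenyDeviceIDs
    if ($enabled -ne 1) { return $false }

    # The denied IDs are stored as string values named "1", "2", ... under the subkey.
    $values = (Get-ItemProperty -Path $idsKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    return [bool]($values -contains $DeviceId)
}

$unprotected = @(Get-UnencryptedFixedVolume)
if ($unprotected.Count -eq 0) {
    Write-Output 'BitLocker: all OS and fixed data volumes are fully encrypted with protection on.'
} else {
    foreach ($vol in $unprotected) {
        Write-Output ("BitLocker: {0} is {1}, protection {2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)
    }
}

if (Test-DmaDeviceBlocked) {
    Write-Output 'DMA: installation of 1394 controllers is blocked by device-installation policy.'
} else {
    Write-Output 'DMA: no device-installation restriction found for 1394 controllers; review policy.'
}
```

Run it with administrative rights on each Lync and SQL host; a volume reported as `Off`/`FullyDecrypted` or a missing device restriction is a finding to remediate via BitLocker and Group Policy respectively.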
If your Lync server is running on a virtual machine, it’s important to remember that any snapshots of the VMs can contain sensitive information such as in-memory data dumps and copies of the data on the server’s disks. Best security practice is to disable server snapshots. You can do this by setting the snapshot location to a location that doesn’t exist so that if a user tries to create a snapshot, an error message will be returned. If you do need for snapshots to remain enabled, always store snapshots in a secure location.
You can utilize FIPS 140-2 encryption algorithms, but you need to configure each of the Lync servers to support them, and FIPS mode also needs to be enabled on the client computers.
Users can be authenticated through client certificates rather than user name and password. The certificate has to be issued by a root CA that the Lync server trusts. When using certificate-based authentication, users enter a PIN instead of user name and password. This is useful for users accessing the Lync server through a mobile device, since entry of a PIN is easier on a small on-screen keyboard.
You can use the Intelligent IM Filter to block SPIM (unsolicited/unwanted instant messages) as well as IMs that may contain malicious code originating outside the company network. You can specify what types of instant messages you want to block. For example, you can block messages containing files with particular extensions such as executables, Office documents, etc. or you could block messages that contain hyperlinks that might take users to malicious web sites. You also have the option of allowing messages that contain hyperlinks but having the Intelligent IM Filter disable the link. It does this by inserting an underscore at the beginning. You can also create a warning message to be inserted into any messages that contain hyperlinks.
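The hyperlink and file-extension controls described above are configured with the Lync Server Management Shell. The commands below are an added example, not from the article or from Microsoft’s documentation; they assume a site named `Redmond` exists, the warning text and extension list are placeholders, and the mapping of `Action` values to behaviour (`Allow` keeps links active and inserts the allow message, `Warn` disables the link by prefixing an underscore and inserts the warning, `Block` rejects the message) reflects my understanding of the cmdlet, so confirm it in your deployment.

```powershell
# Added example (not from the article): configure the Intelligent IM Filter and the
# file transfer filter from the Lync Server Management Shell (CsAdministrator rights).

# Global URL filter: deliver messages but disable hyperlinks (underscore prefix) and
# insert a warning. IgnoreLocal leaves intranet links alone; BlockFileExtension blocks
# links that point at files with blocked extensions.
Set-CsImFilterConfiguration -Identity Global `
    -Enabled $true `
    -Action Warn `
    -WarnMessage "Links in instant messages are disabled by policy. Verify the sender before visiting external sites." `
    -IgnoreLocal $true `
    -BlockFileExtension $true

# Site-scoped override (assumed site name): block messages containing links outright.
if (-not (Get-CsImFilterConfiguration -Identity site:Redmond -ErrorAction SilentlyContinue)) {
    New-CsImFilterConfiguration -Identity site:Redmond -Enabled $true -Action Block
}

# File transfer filter: block transfers of executables, scripts and macro-enabled
# Office documents (placeholder list; extend to match your policy).
Set-CsFileTransferFilterConfiguration -Identity Global `
    -Enabled $true `
    -Action Block `
    -Extensions @('.exe', '.com', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.msi', '.docm', '.xlsm')

# Review the effective settings after the change.
Get-CsImFilterConfiguration | Format-List Identity, Enabled, Action, Prefixes, IgnoreLocal, BlockFileExtension
Get-CsFileTransferFilterConfiguration | Format-List Identity, Enabled, Action, Extensions
```

Site-level configurations take precedence over the global one, so the `Block` setting applies only to users homed in that site while everyone else gets the warn-and-disable behaviour.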
Hardening the Lync databases
Why do criminals rob banks? Because that’s where the money is. Why do attackers target the databases? Because that’s where the information is. The SQL Server databases that are used by your Lync servers contain a wealth of information, some of it sensitive or confidential. This is where the communications data is archived, where user information is stored and where call detail records reside. An attacker who is able to access the databases could discover company secrets as well as information about users that could be used in a social engineering attack to gain further access into your systems and network.
Microsoft recommends that you partition the server to separate the operating system and application files from the data files. The trend in consumer computing recently has been to use one big partition for everything, but partitioning should be standard practice for servers. It protects the data in case of OS corruption or failure, and can also increase performance. The best option is to put the data on a separate physical drive rather than just a virtual drive on the same physical hard drive. All the data drives on the SQL Server, as with the drives on the Lync server, should be encrypted with full-volume encryption.
Of course, you should restrict access to the databases to only a few trusted database administrators. Further, best security practice is to restrict access to the back-end databases on the SQL server to as few front end servers as possible.
The Message Queuing service (MSMQ) is used by Lync servers to move messages collected by the archiving server and monitoring server, as well as by the compliance service. Messages can be encrypted on the sending message queue via certificates. The encryption service uses 40-bit or 128-bit encryption to encrypt the body of each message from the source queue manager to the destination queue manager; encryption is done at the message level.
You can configure Lync Server 2013 to use two-factor authentication in a network environment where you have an Enterprise Root CA that supports smart card authentication and users running the July 2013 desktop client. To do this, you need to enable passive authentication for Lync users, which requires disabling the other authentication methods (Kerberos, NTLM and certificate authentication) for the web service and the proxy service.
Note that there are some features that don’t work when Lync is enabled for two-factor authentication, including the Skill Search feature and contacts from the Unified Contact Store. If two-factor authentication for Exchange is deployed, some Lync client features are not available. There are a number of factors that must be considered prior to deploying two-factor authentication for Lync, which you can read more about here.
In addition to configuring the Lync server, you’ll need to set up Windows 8 to use virtual smart cards (if you don’t want to use physical cards), enroll users for smart card authentication and configure Active Directory Federation Services (ADFS) for client authentication. Instructions for these steps can be found here.
To configure the Lync server for passive authentication so users must use a smart card (which can be either a physical or virtual smart card) along with entering a PIN to log onto Lync, your Lync Server 2013 must have the July 2013 cumulative updates installed. After logging onto the server with an admin account, you use the Lync Server 2013 Management Shell command line to create new web service configurations for each server that you want to enable for passive authentication. You will also need to create a custom proxy configuration that’s enabled for passive authentication. The instructions/commands for doing both of these can be found here.
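The per-server web service configuration and the custom proxy configuration referred to in the last three paragraphs look like the following in the Lync Server 2013 Management Shell. This is an added example, not the article’s or Microsoft’s own script: the pool FQDN `lyncpool01.contoso.com`, the ADFS host `adfs.contoso.com` and the `Service:Registrar:` identity used for the proxy configuration are placeholders/assumptions, and the metadata path is ADFS’s standard federation metadata endpoint. It requires the July 2013 cumulative updates.

```powershell
# Added example (not from the article): switch the web services and the proxy of each
# listed Front End pool to WS-Federation passive authentication, leaving smart card + PIN
# via ADFS as the only logon path. Run from the Lync Server Management Shell.

$FrontEndPools = @('lyncpool01.contoso.com')   # placeholder; one entry per pool/server to enable
$AdfsMetadata  = 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml'  # placeholder host

foreach ($pool in $FrontEndPools) {
    $webId   = "Service:WebServer:$pool"
    $proxyId = "Service:Registrar:$pool"   # assumed scope for the proxy configuration

    # Web services: enable passive auth and turn every other method off
    # (Windows/Kerberos/NTLM, client certificate and PIN).
    $webParams = @{
        UseWsFedPassiveAuth     = $true
        WsFedPassiveMetadataUri = $AdfsMetadata
        UseWindowsAuth          = 'None'
        UseCertificateAuth      = $false
        UsePinAuth              = $false
    }
    if (Get-CsWebServiceConfiguration -Identity $webId -ErrorAction SilentlyContinue) {
        Set-CsWebServiceConfiguration -Identity $webId @webParams
    } else {
        New-CsWebServiceConfiguration -Identity $webId @webParams
    }

    # Proxy: disable Kerberos, NTLM and certificate client authentication.
    $proxyParams = @{
        UseKerberosForClientAuth    = $false
        UseNtlmForClientAuth        = $false
        UseCertificateForClientAuth = $false
    }
    if (Get-CsProxyConfiguration -Identity $proxyId -ErrorAction SilentlyContinue) {
        Set-CsProxyConfiguration -Identity $proxyId @proxyParams
    } else {
        New-CsProxyConfiguration -Identity $proxyId @proxyParams
    }
}

# Verify the result before pointing users at it.
Get-CsWebServiceConfiguration | Format-List Identity, UseWsFedPassiveAuth, UseWindowsAuth, UseCertificateAuth, UsePinAuth
Get-CsProxyConfiguration      | Format-List Identity, UseKerberosForClientAuth, UseNtlmForClientAuth, UseCertificateForClientAuth
```

Because these settings apply to every client that talks to the pool’s web services, test with a pilot pool first: any client or feature that cannot complete the passive ADFS logon (the unsupported features noted above included) stops working for users homed there as soon as the configuration is applied.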
In this second article in a three-part series, we went over the common threats to Lync servers, provided some tips and tricks for hardening your Lync server and the Lync database, and discussed how to plan and configure two-factor authentication for Lync. In Part 3, we’ll summarize how to use Lync across the Internet and with users outside the organization.