Addressing Lync 2013 Security aspects. Vakhtang Assatrian, Asia Time Zone Communications TSP Lead, Microsoft.

Presentation transcript:

Sessions about to start – Get your rig on!

Addressing Lync 2013 Security aspects. Vakhtang Assatrian, Asia Time Zone Communications TSP Lead, Microsoft Worldwide Productivity Team. Session OSS411.

Secure by default
- All communications are secured by default, including signaling (Session Initiation Protocol, SIP), media (Secure Real-time Transport Protocol, SRTP), content and web traffic (HTTPS), and inter-server traffic: server/server, server/client and client/client.
- An admin must change the configuration to disable this, if needed. It can be disabled only for interoperability traffic; inter-server traffic cannot be unsecured.
- No accounts are enabled by default; enabling an account requires admin interaction.
- No users are admin by default. No groups are ever added to the admin groups, not even the enterprise admin groups.
- External access is disabled by default. This includes mobile devices, devices at home, and federated partners.
- PINs are required on phones: users must configure a PIN on the phones they use.
- Built-in limits ease the load on Edge Servers: federated partners can send only 20 messages per second; if spam is detected, this is reduced to one message per second.

Why is a server trusted (and when)?
- The server's fully qualified domain name (FQDN) must match the name in the Lync Topology stored in the Central Management Store (CMS).
- The server must present a valid certificate, issued by a trusted Certificate Authority (CA).
- All criteria must be satisfied. If either criterion is missing, the server is not trusted and the connection with it is refused.
- This double requirement prevents a possible, if unlikely, attack in which a rogue server attempts to take over a valid server's FQDN.
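The two-part trust decision above, written out as an added Python example (not code from the presentation or from Lync itself). The topology set, the trusted-CA set and the certificate fields are constructed stand-ins; the name matching follows the usual RFC 6125 rule that a wildcard may only be the whole leftmost label.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed stand-ins for the Lync Topology (CMS) and the CA trust store.
TOPOLOGY_FQDNS = {"fe01.contoso.com", "edge01.contoso.com"}
TRUSTED_CAS = {"Contoso Enterprise CA"}

@dataclass
class PresentedCert:
    """Only the fields the trust decision needs (constructed view, not an X.509 parser)."""
    subject_cn: str
    sans: list
    issuer: str
    not_before: datetime
    not_after: datetime

def name_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125-style match: '*' is allowed only as the entire leftmost label."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == fqdn
    p_labels, f_labels = pattern.split(".")[1:], fqdn.split(".")
    return len(f_labels) == len(p_labels) + 1 and f_labels[1:] == p_labels

def is_trusted_server(fqdn, cert, now, topology=TOPOLOGY_FQDNS, trusted_cas=TRUSTED_CAS):
    """Both criteria must hold: FQDN is in the topology AND the cert is valid for it."""
    if fqdn.lower() not in {t.lower() for t in topology}:
        return False, "FQDN not in Lync topology"
    if cert.issuer not in trusted_cas:
        return False, "certificate not issued by a trusted CA"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate outside its validity period"
    names = cert.sans if cert.sans else [cert.subject_cn]  # SAN wins when present
    if not any(name_matches(n, fqdn) for n in names):
        return False, "certificate name does not match FQDN"
    return True, "trusted"
```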

No security through obscurity
- All specifications are available on MSDN (Redline documentation).
- Vendors are encouraged to build devices and services that interact with Lync securely: SNOM, Polycom, Lync Room System vendors, Audiocodes, NET, etc.

Client sign-in
1. Alice starts the Lync client and provides her SIP address.
2. The client queries DNS.
3. DNS points to the Lync pool.
4. The Lync client connects to the Lync pool.
5. The server presents its certificate.
6. The client authenticates.
7. A trusted and encrypted connection is established.

Certificate's SN or SAN: Lyncdiscover.contoso.com

Authentication | Lync Client external | TLS-DSK
Participants: Lync Client, Lync Server FE, WebTicket WS, CertProv WS, Reverse Proxy, AD, Edge.
1. The client establishes TCP and TLS to the Edge (443/tcp); the Edge forwards to the Front End (5061/tcp).
2. The client sends a SIP REGISTER; the server answers 401: authenticate with certificate (TLS-DSK), with the URL for the CertProv WS.
3. The client establishes a TCP and TLS connection through the Reverse Proxy (443/tcp externally, 4443/tcp to the Front End) and gets the Certificate Service MEX document; the response states that a Web Ticket security token is required and gives the URL for the Web Ticket WS.
4. The client requests the Web-Ticket MEX / security token. The WebTicket WS requests authentication, the client supplies NTLM credentials, the WebTicket WS authenticates against AD (NTLM/Kerberos), auth: success, and the Web-Ticket security token is returned.
5. The client opens another TCP and TLS connection (443/tcp, 4443/tcp) and sends a Certificate Signing Request with the Web security token; it receives a Lync Server signed user certificate, and the user certificate and PKI pair are published.
6. The client sends a SIP REGISTER authenticated with the Lync Server signed certificate (443/tcp, 5061/tcp) and receives 200 OK.

Authentication | Lync Client external | 2FA
Participants: Lync Client, Lync Server FE, WebTicket WS, CertProv WS, Reverse Proxy, AD FS, Edge.
Steps 1 to 3, 5 and 6 are the same as in the TLS-DSK flow (TCP/TLS to the Edge on 443/tcp and 5061/tcp; 401 with the CertProv WS URL; Certificate Service MEX document and Web Ticket WS URL over 443/tcp and 4443/tcp; Certificate Signing Request with the Web security token and Lync Server signed user certificate; SIP REGISTER with the signed certificate and 200 OK). Step 4 differs:
4. The client requests the Web-Ticket MEX / security token. The WebTicket WS responds with an authentication redirect; the client establishes a TCP and TLS connection to AD FS (443/tcp), requests authentication and obtains an authentication token; the client presents the authentication token to the WebTicket WS and receives the Web-Ticket security token.

Instant messaging between pools
1. The IM is sent in a SIP connection secured using TLS.
2. Pool A forwards the IM to Pool B in an encrypted SIP/MTLS channel.
3. The IM is sent to Bob's Lync client in a SIP connection secured using TLS.
4. IM replies follow the same path in the opposite direction.
5. During the conversation, IMs might be stored in the Archiving Database or in Exchange.
6. After the conversation is over, a conversation history record may be stored.

Audio/video, application sharing and file transfer
1. Alice places an audio/video call to Bob. The session is established via an encrypted SIP/TLS/MTLS channel.
2. A/V media is exchanged in P2P fashion, secured by SRTP.
3. Bob shares an application; the information about the sharing is sent via the encrypted SIP/TLS/MTLS signaling channel.
4. The application sharing is secured by SRTP.
5. Alice sends a file to Bob.
6. Bob accepts the file.
7. The file transfer is secured by SRTP.

PSTN call
1. Call setup with the Pool in SIP/TLS.
2. Call setup with the Mediation Server (MS) in SIP/MTLS.
3. Call setup with the gateway (GW) in SIP/MTLS or SIP/TCP.
4. Call setup with the PSTN in ISDN.
5. Media secured by SRTP.
5. Media secured by SRTP or unencrypted (RTP).
6. Media unprotected in ISDN (PSTN).

Conferencing
1. Signaling via SIP/TLS.
2. Media (A/V, application sharing) with SRTP.
3. File upload and download via HTTPS.
4. Files are stored on the File Share.
5. The Office Web Apps Server (OWAS) receives the PPTX via the Front End Server from the File Share via HTTPS.
6. The client views PowerPoint presentations directly from the OWAS server via HTTPS.
7. Annotations and whiteboard are sent via PSOM/TLS.

Remote access
1. Sign-in, contacts, presence, IMs, call setups etc. to the Edge in SIP/TLS.
2. Sign-in, contacts, presence, IMs, call setups etc. to the Pool in SIP/MTLS.
3. Address Book Service (ABS), meeting files, etc. to the Reverse Proxy (RP) in HTTPS.
4. ABS, meeting files, etc. to/from the Pool in HTTPS.
5. Media for audio, video, application sharing and file transfer to the Edge in SRTP.
6. Media in SRTP.

Threat | Probability to affect Lync | Mitigation solutions
Compromised-key attack | Low | Protect private PKI keys
Network denial-of-service attack | Low | Use firewall to throttle Internet traffic
Eavesdropping | Very low | Protect private PKI keys
Identity spoofing/IP address spoofing | Very low | Transport Layer Security (TLS) protects from spoofing IP addresses
Man-in-the-middle (MiM) attack | Very low | Protect Active Directory from adding MiM as trusted server
RTP replay attack | Very low | Lync maintains an index of received SRTP packets
SPIM (spam over Internet Messaging, or IM) | Low | Block SPIM-offending IP at firewall or disable federation during the attack. Edge server also automatically throttles down requests if failure/success ratio becomes too high for IM.
Personally identifiable information | Low | Train users to only accept federation requests from known and trusted individuals.
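The "index of received SRTP packets" that mitigates RTP replay is the receiver-side replay list from RFC 3711 (sections 3.3.1 and 3.3.2). This added Python example (not the presentation's or Lync's own code) implements that index: it estimates the 48-bit packet index from the 16-bit sequence number and the rollover counter, accepts only indices that are new and inside the replay window, and rejects duplicates and stale packets. The 64-packet window size is an assumption chosen for the example.

```python
SEQ_HALF = 1 << 15   # 2^15, the midpoint used when guessing the ROC (RFC 3711 3.3.1)

class SrtpReplayIndex:
    """Replay protection for one SRTP stream, after RFC 3711 3.3.1 / 3.3.2.

    The packet index is (ROC << 16) | SEQ. The receiver keeps the highest index
    accepted so far plus the set of accepted indices inside the replay window.
    """
    def __init__(self, window=64):
        self.window = window     # assumed window size for this example
        self.roc = 0             # rollover counter
        self.s_l = None          # highest SEQ seen so far (None until first packet)
        self.highest = -1        # highest accepted packet index
        self.accepted = set()    # accepted indices inside the window

    def estimate_index(self, seq):
        """Guess the full index of an incoming 16-bit SEQ (RFC 3711 3.3.1)."""
        if self.s_l is None:
            return seq
        if self.s_l < SEQ_HALF:
            v = self.roc - 1 if seq - self.s_l > SEQ_HALF else self.roc
        else:
            v = self.roc + 1 if self.s_l - SEQ_HALF > seq else self.roc
        if v < 0:                # would predate the stream start: cannot be valid
            return None
        return (v << 16) | seq

    def check(self, seq):
        """Return (accepted, reason). A real receiver verifies the auth tag first,
        and only then updates the state the way this method does."""
        idx = self.estimate_index(seq)
        if idx is None:
            return False, "before stream start"
        if idx > self.highest:
            self.highest, self.roc, self.s_l = idx, idx >> 16, seq
            self.accepted.add(idx)
            floor = self.highest - self.window
            self.accepted = {i for i in self.accepted if i > floor}
            return True, "new highest index"
        if self.highest - idx >= self.window:
            return False, "too old (outside replay window)"
        if idx in self.accepted:
            return False, "replay"
        self.accepted.add(idx)           # late but still inside the window
        return True, "late but inside window"
```

A stream that wraps from SEQ 65535 to 0 keeps a single monotonically growing index, so a replayed SEQ 65535 after the wrap is recognised as a duplicate rather than as a new packet.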

Privacy relationships: Blocked Contacts, External Contacts, Colleagues, Workgroup, Friends & Family.
Types of information whose visibility depends on the privacy relationship:
- Presence Information
- Presence Status
- Display Name
- Address
- Title *
- Work Phone *
- Mobile Phone *
- Home Phone *
- Other Phone
- Company *
- Office *
- SharePoint Site *
- Meeting Location #
- Meeting Subject #
- Free Busy
- Working Hours
- Location #
- Notes (Out-of-Office Note)
- Notes (Personal)
- Last Active
- Personal Photo Web Address (if applicable)
(*) If this information is defined in an organization's directory service, it will be visible to all contacts in your organization, regardless of privacy relationship, and to external contacts (if configured and recognized by your organization's network).
(#) This information is visible by default.

Certificates
- Lync Server 2013 relies on certificates and public key infrastructure (PKI).
- Important changes for organizations that use public certificates internally, effective November 1st 2015:
  - Private IP addresses may no longer be part of a certificate.
  - Private DNS names may no longer be part of a certificate.
  - The Subject Name / Common Name field is deprecated and its use is discouraged.
- After 2015, it will be impossible to obtain a publicly trusted certificate for any host name that cannot be externally verified.
- What if your servers are installed in contoso.local? An internal Enterprise Certificate Authority (CA) is required.
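A pre-flight check for the certificate rules listed above, as an added Python example (not code from the presentation, Lync or any CA). It classifies each requested name as externally verifiable or not, flags CN-only requests, and reports when a request issued on or after the 2015-11-01 cutoff would need an internal enterprise CA instead. The suffix list of internal names is an assumed, non-exhaustive set constructed for the example.

```python
import ipaddress
from datetime import date

# Cutoff from the slide: from this date public CAs no longer issue for internal names.
POLICY_DATE = date(2015, 11, 1)

# Assumed list of suffixes a public CA cannot validate; constructed, not authoritative.
INTERNAL_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp", ".home")

def name_is_publicly_verifiable(name: str) -> bool:
    """True only for names a public CA could validate: global IPs or public DNS names."""
    name = name.lower().rstrip(".")
    try:
        return ipaddress.ip_address(name).is_global   # rejects 10/8, 192.168/16, fc00::/7 ...
    except ValueError:
        pass                                          # not an IP literal, treat as DNS name
    host = name[2:] if name.startswith("*.") else name
    if "." not in host or host == "localhost":        # single-label names are internal
        return False
    return not host.endswith(INTERNAL_SUFFIXES)

def review_public_cert_request(cn, sans, issued_on):
    """Return the reasons this request would be refused or is discouraged; [] when fine."""
    findings = []
    if not sans:
        findings.append("no SAN entries; relying on Subject CN alone is deprecated")
    elif cn and cn.lower() not in {s.lower() for s in sans}:
        findings.append(f"CN {cn} is not repeated in the SAN list")
    for n in sans or [cn]:
        if not name_is_publicly_verifiable(n):
            findings.append(f"{n} cannot be verified externally")
    if issued_on >= POLICY_DATE and any("externally" in f for f in findings):
        findings.append("request after 2015-11-01 with internal names: use an internal enterprise CA")
    return findings
```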

Federation
1. IM or call setup to the Pool in SIP/TLS.
2. IM or call setup to the Edge in SIP/MTLS.
4. IM or call setups across the Internet in federation SIP/MTLS.
5. IM or call setup to the Pool in SIP/MTLS.
5. IM or call setup to in SIP/TLS.
6. Media in SRTP via both Edges for federation (not client-to-client); media in SRTP.

Thanks! Don't forget to complete your evaluations: aka.ms/mytechedmel