Lync Server 2010 has become very popular since its release in December 2010. The external access capabilities add incredible value. Lync Mobile clients on several mobile platforms are driving more and more externally accessible Lync environments, based on business demand. This makes the security requirements for companies planning this functionality very important. You can add a Director to the environment to distribute users across many pools, or just build a physical server pool to protect the internal Lync environment from DDOS attacks. But did you know that is not all?
Did you know that if I know or guess your login account and e-mail address, I can easily lock your Active Directory account?
So Rui Maximo gave me a tip last December which I have not been able to share on my blog until now. Thanks Rui for the heads-up!
By implementing Rui Maximo's security filter you can enhance your Edge Server security without a Director role. Please note that I'm not saying you should not implement a Director role. If there is a requirement, just go ahead and do so. What I'm saying is that you should implement the security filter in addition to the Edge Server implementation.
This solution fills a large security requirement around dual factor authentication and prevents additional damage caused by DDOS attacks.
I've concluded the following:
The security filter implementation is mandatory for every Lync and OCS edge server implementation.
Therefore I've dedicated this blog post to informing you and providing some resource links and tips on how to approach this solution.
Important note:
You should test this solution in a test lab first before deploying it into production. The solution is not native to Lync Server 2010, therefore support is not provided by Microsoft. For support you should implement this solution with a solution partner like Wortell.
The security filter
The security filter can do 3 major things:
1) Disable NTLM v2
Enforces authentication only from company-provisioned Windows desktops and laptops. This is actually a form of dual factor authentication.
2) Filter allowed Active Directory domains
Prevents authentication attempts against guessed domains.
3) Enable a soft account lock
Prevents Active Directory account lockout.
So how does this work?
The security filter is actually a Windows service running an MSPL script on the Edge Servers. The application monitors the authentication requests and keeps track of how the authentication progresses.
The drawing below I've extracted from the security filter documentation to explain a little bit more about how this solution works. (Click on it for a larger representation.)
Disable NTLM v2 authentication
This function prevents NTLM v2 negotiation for authentication and forces the authentication process to use TLS-DSK authentication. With NTLM v2 authentication disabled, the only way to authenticate and use Lync services from outside the network is via TLS-DSK authentication.
Using this security feature you'll still be able to connect to Public IM services and Federation partners without compromising any functionality.
(I'll update this blog shortly on whether mobile connectivity still works from mobile clients like iPad, Windows Phone and such with NTLM v2 authentication turned off.)
This is an optional security measure against DDOS and account lockout.
Domain name filtering
If the authentication is based on an AD domain name that is not configured, the authentication request is discarded and will not proceed to the internal Director or Front End pool for authentication. For example: the security filter is configured with the following accepted filter settings.
NetBIOS domain: Contoso
Corresponding UPN suffix: Contoso.com
When a user logs in and authenticates like this, the authentication request will be forwarded to the internal next hop for authentication:
- Accepted: full UPN login
- Accepted: NetBIOS login
If the user authenticates with a wrong UPN or NetBIOS domain, the authentication request will be discarded:
- Discarded: full UPN login
- Discarded: NetBIOS login
This creates the first line of defense to prevent account lockout and DDOS.
Soft Lockout Policy
The second defense mechanism comes into play when an authentication request is forwarded and monitored by the security filter service application. How this security measure behaves is based on the following configuration.
Lockout count: 5
Lockout period (minutes): 10
These settings are only protective when they are stricter than the corresponding settings in Active Directory: the filter must lock out sooner and for longer than Active Directory does. This means that you should base these numbers on the configured account policies in Active Directory.
For example:
If the lockout count in Active Directory is 3 and the lockout period / duration is 30 minutes, you should configure the security filter as a minimum to:
Lockout count: not higher than 2
Lockout period (minutes) not lower than 35
Now when a user logs in and fails 2 authentication attempts, the user will be soft locked out for 35 minutes. However, the user can still log on to Active Directory through other means like VPN and continue to use AD-based applications like e-mail.
This creates the second line of defense to prevent account lockout and DDOS.
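To make the domain filtering and soft lockout rules described above concrete, here is an added Python simulation (my illustration, not the security filter's own code). It applies the Contoso NetBIOS/UPN filter, counts failed attempts per account, and shows that the Active Directory account only stays unlocked when the filter's count is below AD's and its period is longer than AD's; the AD values (3 failures / 30 minutes) and filter values (2 / 35) are the post's example, and the AD lockout model is a simplified assumption.

```python
from collections import defaultdict

# Values from the post's example: AD locks after 3 failures for 30 minutes,
# so the filter must trip first (count not higher than 2, period not lower than 35).
AD_LOCKOUT_COUNT, AD_LOCKOUT_MINUTES = 3, 30
ALLOWED_NETBIOS = {"contoso"}         # filter setting: NetBIOS domain
ALLOWED_UPN_SUFFIX = {"contoso.com"}  # filter setting: UPN suffix

def domain_allowed(login):
    """Domain filtering: accept only CONTOSO\\user or user@contoso.com."""
    if "\\" in login:
        return login.split("\\", 1)[0].lower() in ALLOWED_NETBIOS
    if "@" in login:
        return login.rsplit("@", 1)[1].lower() in ALLOWED_UPN_SUFFIX
    return False

class SoftLockFilter:
    """Soft lockout: stop forwarding after `count` failures within `minutes`."""
    def __init__(self, count, minutes):
        self.count, self.period = count, minutes * 60
        self.failures = defaultdict(list)  # account -> failure times (seconds)

    def decide(self, login, now):
        """Return 'discard', 'softlocked' or 'forward' for one request."""
        if not domain_allowed(login):
            return "discard"               # never reaches the next hop
        acct = login.lower()
        self.failures[acct] = [t for t in self.failures[acct] if now - t < self.period]
        return "softlocked" if len(self.failures[acct]) >= self.count else "forward"

    def record_failure(self, login, now):
        self.failures[login.lower()].append(now)

def simulate(login, times, filter_count, filter_minutes):
    """Replay wrong-password attempts at `times` (seconds). Returns (attempts that
    reached AD, ad_locked); assumed simplified AD model: lock on COUNT failures in WINDOW."""
    flt = SoftLockFilter(filter_count, filter_minutes)
    reached_ad = []
    for now in times:
        if flt.decide(login, now) == "forward":
            reached_ad.append(now)         # AD sees and counts this failure
            flt.record_failure(login, now)
    window = AD_LOCKOUT_MINUTES * 60
    ad_locked = any(sum(1 for t in reached_ad if 0 <= t - s < window) >= AD_LOCKOUT_COUNT
                    for s in reached_ad)
    return len(reached_ad), ad_locked

if __name__ == "__main__":
    print(simulate("bob@contoso.com", list(range(10)), 2, 35))  # (2, False): AD never locks
    print(simulate("bob@contoso.com", list(range(10)), 3, 35))  # (3, True): count equals AD's
```

Passing attempts at 0, 1, 600 and 601 seconds with a filter period of 10 minutes (shorter than AD's 30) also lets three failures reach AD, which is why the period must not be lower than AD's either.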
Security filter versions
The solution was first built for OCS 2007 R2 and was later ported to Lync Server 2010. There are 2 product types: a Standard Edition and an Enterprise Edition.
Standard Edition
The Standard Edition is unrelated to the Lync Server Standard or Enterprise Front End deployment versions. The security filter Standard Edition is the security filter implementation for a single Edge Server. There is no requirement for a SQL database.
Enterprise Edition
The Enterprise Edition is unrelated to the Lync Server Standard or Enterprise Front End deployment versions. The security filter Enterprise Edition is the security filter implementation for a multi-server Edge pool, with one centralized SQL database on a dedicated SQL server placed in the internal DMZ zone.
Implementation notes:
In addition I would like to point out the following.
The Enterprise Edition of the security filter requires a SQL database (at least SQL Express). The Standard Edition however does not use any SQL database. When you're planning the Enterprise Edition you'll need to prepare for a centralized SQL solution; this can be based on SQL Express. This is because the Enterprise Edition of the security filter needs a central location to store and track authentication, so that the lock count settings are applied consistently across all Edge pool member servers. This is not the case for the Standard Edition, where this information only needs to be known locally on a single server.
Security best practices
Quote:
Best Practices for Edge Server Security
- Create a new subnet just for the Microsoft Lync Server 2010 Edge Servers.
- Enhance the security of the routing rules for access to that subnet (disable broadcast, multicast, and traffic to other perimeter network subnets).
- Refrain from changing the service account under which edge services run.
- Read and use the information in Protecting the Edge Server against DoS and Password Brute-Force Attacks in Lync Server 2010 at http://go.microsoft.com/fwlink/?LinkID=214180.
End of quote.
I hope this blog post gives you some information on how to enhance your environment and / or provides additional options that enable you to meet more requirements, so that you will succeed in extending your deployment with all the external capabilities Lync has to offer.
Sources
Microsoft Lync Server 2010 Security Guide (best practices): http://www.microsoft.com/download/en/details.aspx?id=2729
You'll find a trial, more detailed documentation and the implementation manual here: http://lyncsecurityfilter.com/
The software is not freeware. However, it is a very small price to pay for a rather simple but grand solution. If you would like to know details about pricing and implementation costs, please contact me by e-mail on Jonathan . Steeman @ Wortell dot nl.
Hi there,
I just wanted to add something to the discussion.
I have seen the WebEx presentation software on the iPhone and I just love it. It is cool.
Microsoft is very strong in the software landscape. And I think you all agree to that. Software and development is pretty open when you look at Microsoft products. This is often underestimated. This is also the same with Lync.
The power of Lync is that you can build your own Lync endpoint very easily. This is included in the licensing and does not require any additional licensing purchase.
This opens the window for a large ecosystem of 3rd party application developers to build their solutions based on the Lync core infrastructure. To get an idea of what solutions have been built, please look here:
http://lync.microsoft.com/en-us/Partners/Pages/application-partners.aspx
Look at Peter Connects software solutions for example. JDM Software built their attendant console to interoperate with Cisco. They are also porting the software for use with Lync.
Microsoft still has an edge in this area. I believe that no product vendor has an application development ecosystem as big as Microsoft has. This means that Lync out of the box provides extensibility with 3rd party applications specifically built and certified for Lync, and thus meets more and more specific customer requirements. Contact centers, Communications Enabled Business Processes (CEBP), video interoperability with Google Talk. Need a specific solution to handle delegates? Why not build a button that does that for you. Even Cisco builds on top of Lync with the CUCILync client (not that I'm happy with the solution).
The point is that it’s all buildable on top of Lync server 2010!
And now the great part:
There is a 3rd party cross-platform mobile client available that provides just about everything on the mobile platform. It's named Xync, built by Damaka.
Xync provides a full Lync endpoint and thus provides the following features:
Presence
IM
Audio Call
PSTN
Video Call
Search
Contact Mgmt
IM Conference
Audio Conference
Desktop Sharing
Program Sharing
File Transfer
iOS, Android and Symbian (later Windows Phone 7) are all supported.
https://xync.damaka.com/xync/index.jsp
The application costs money. But I think that it’s still worth it if you require the full feature set.
There are still some things to consider though.
When using 3G/4G mobile carrier lines for voice and such... this is kind of a worldwide problem with every cellphone carrier. They all seem to try and block VoIP usage since that is their core business. Besides that... if you can use VoIP with the application, the customer expects this also to be true when riding in a car or train. That means huge latencies when roaming from one GSM antenna to another. So maybe it is not a good idea for a vendor to provide functionality that can potentially be blocked or that provides a bad user experience because of mobile internet contracts and VoIP / internet protocols not optimized for roaming.