Post on 21-Dec-2015
transcript
Addressing Lync 2013 Security aspects
Vakhtang Assatrian
Asia Time Zone Communications TSP Lead, Microsoft Worldwide Productivity Team
OSS411
Company Security Policy
• Biggest challenge when deploying Lync
• Especially when the security team is not involved from day 1
• Policies dictate what is and what is not secure
• Do we still have the right balance between security and workability?
• You really need to talk to the Security team
  • Provide risk analysis, threat assessment, pen testing
• Trade-off: security vs. meeting business objectives
Lync – Secure by Design/Default
• All communications are secured by default
  • Including signaling (Session Initiation Protocol, SIP), media (Secure Real-time Transport Protocol, SRTP), content, web traffic (Secure Hypertext Transfer Protocol, HTTPS), and inter-server traffic
  • Server/Server, Server/Client, Client/Client
  • An admin must make a change to the configuration to disable this, if needed
  • Can be disabled only for interoperability traffic; inter-server traffic cannot be unsecured
• No accounts are enabled by default
  • Account enabling requires admin interaction
• No users are admin by default
  • No groups are ever added to the admin groups, not even the enterprise admin groups
• External access is disabled by default
  • This access includes mobile devices, devices from home, and federated partners
• PINs are required on phones
  • Users must configure a PIN on the phones that they use
• Built-in limits to ease the load on Edge Servers
  • Federated partners can send only 20 messages per second; if spam is detected, it is reduced to one message per second
Lync Trusted Servers
Why is a server trusted (and when)?
• The server fully qualified domain name (FQDN) must match the name in the Lync Topology stored in the Central Management Store (CMS)
• The server must present a valid certificate
• The server certificate must be from a trusted Certificate Authority (CA)
All criteria must be satisfied
• If any of these criteria is missing, the server is not trusted and the connection with it is refused
• This double requirement prevents a possible, if unlikely, attack in which a rogue server attempts to take over a valid server’s FQDN
Open to Secure Third-Party Products
• No security through obscurity
• All specifications are available on MSDN
• Redline documentation
• Vendors are encouraged to build devices and services that interact with Lync securely
  • SNOM
  • Polycom
  • Lync Room System vendors
  • Audiocodes
  • NET
  • etc.
Today we will follow a Lync user …
• Signing in
• Receiving settings and the contact list, and seeing presence
• Contacting a Lync user using IM
• Collaborating P2P with a Lync user on Lync
• Placing a PSTN call
• Participating in a conference
• Using Lync externally
• Communicating with external partners
• Using Lync Mobile
Lync Sign in Process
Participants: Lync client, DNS Server, Lync Pool
1. Alice starts the Lync client and provides her SIP address
2. Client queries DNS
3. DNS points to the Lync pool
4. Lync client connects to the Lync Pool
5. Server presents its certificate
6. Client authenticates
7. Trusted and encrypted connection established
Client Trust Model
• Client knows only the user’s SIP address
• Client will look for DNS records in the same domain
• Sign-in server’s FQDN is in the same domain
• Certificate
  • Certificate must contain this FQDN
  • Certificate must be trusted, valid and not revoked
  • 1024, 2048, and 4096 bit key length
  • RSA, ECDH_P256, ECDH_P384, or ECDH_P521
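The two trust decisions from the Lync Trusted Servers and Client Trust Model slides, as an added Python model (not code from the presentation or from Lync). The certificate dataclass, the CMS topology list, the trusted-CA set, the CRL and the sample certificates are constructed assumptions; the RSA-only reading of the key-length list is also an assumption.

```python
# Added example, not code from the presentation: a model of the two trust
# decisions on the "Lync Trusted Servers" and "Client Trust Model" slides.
# Certificates, topology, CA list and CRL below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timezone

ALLOWED_KEY_BITS = {1024, 2048, 4096}
ALLOWED_KEY_ALGS = {"RSA", "ECDH_P256", "ECDH_P384", "ECDH_P521"}
NOW = datetime(2015, 12, 21, tzinfo=timezone.utc)  # "now" for the sample checks

@dataclass
class Certificate:
    subject_cn: str
    sans: list           # subjectAltName DNS names
    issuer: str
    not_before: datetime
    not_after: datetime
    key_alg: str
    key_bits: int
    serial: str

def sample_cert(cn, sans, issuer="Contoso Root CA", key_alg="RSA", key_bits=2048, serial="01"):
    """Constructed certificate valid throughout 2015 (sample data, not a real cert)."""
    return Certificate(cn, sans, issuer, datetime(2015, 1, 1, tzinfo=timezone.utc),
                       datetime(2015, 12, 31, tzinfo=timezone.utc), key_alg, key_bits, serial)

def cert_names(cert):
    return {n.lower() for n in [cert.subject_cn, *cert.sans]}

def cert_is_valid(cert, trusted_cas, revoked_serials, now):
    """Trusted issuer, inside the validity window, not revoked."""
    if cert.issuer not in trusted_cas:
        return False, "issuer is not a trusted CA"
    if not cert.not_before <= now <= cert.not_after:
        return False, "certificate expired or not yet valid"
    if cert.serial in revoked_serials:
        return False, "certificate revoked"
    return True, "ok"

def server_is_trusted(peer_fqdn, cert, topology_fqdns, trusted_cas, revoked_serials, now):
    """Server-to-server trust: FQDN in the CMS topology AND a valid certificate
    AND that certificate names the FQDN. Any missing criterion refuses the connection."""
    fqdn = peer_fqdn.lower()
    if fqdn not in {f.lower() for f in topology_fqdns}:
        return False, "FQDN not in topology"
    ok, why = cert_is_valid(cert, trusted_cas, revoked_serials, now)
    if not ok:
        return False, why
    if fqdn not in cert_names(cert):
        return False, "certificate does not name the FQDN"
    return True, "trusted"

def client_trusts_server(sip_address, server_fqdn, cert, trusted_cas, revoked_serials, now):
    """Client-side trust: the client only knows the SIP address, so the sign-in
    server must sit in the SIP domain and be named in a valid cert with an allowed key."""
    sip_domain = sip_address.rsplit("@", 1)[-1].lower()
    fqdn = server_fqdn.lower()
    if not (fqdn == sip_domain or fqdn.endswith("." + sip_domain)):
        return False, "server FQDN is outside the SIP domain"
    ok, why = cert_is_valid(cert, trusted_cas, revoked_serials, now)
    if not ok:
        return False, why
    if fqdn not in cert_names(cert):
        return False, "certificate does not contain the sign-in FQDN"
    if cert.key_alg not in ALLOWED_KEY_ALGS:
        return False, "key algorithm not allowed"
    # Assumption: the listed key lengths apply to RSA keys; ECDH keys are sized by curve.
    if cert.key_alg == "RSA" and cert.key_bits not in ALLOWED_KEY_BITS:
        return False, "RSA key length not allowed"
    return True, "trusted"
```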
Client Authentication options
• Kerberos
  • Preferred authentication method for internal clients signing in for the first time
• NTLM
  • If Kerberos is not available (e.g. for external clients), NTLM will be used for the first sign-in
• TLS-DSK
  • After the first sign-in the Lync Server creates a certificate for the client, which the client will use for subsequent sign-ins
• Passive Authentication
  • Allows implementing dual-factor authentication, but has some limitations
TLS-DSK
• Transport Layer Security - Derived Session Key
• Certificate-based authentication
• Client certificate created by the Lync Server
• Client certificate trusted only by the Lync Server
• Client certificate stored in the client’s personal certificate store
• Does not require connectivity to AD
  • Enables Branch Survivability scenarios
• Certificate validity ranges from 8 hours to 365 days (default 180 days)
• The previous certificate is used to obtain a new one
Passive authentication
• “Passive”
  • Lync Server is not doing any authentication
  • Authentication is handled by ADFS
  • ADFS can be integrated with an existing Security Token Service (STS)
• Dual Factor Authentication
  • ADFS can leverage a (virtual) Smart Card
  • The STS can provide the second factor
Passive Authentication Limitations
• Lync Server only
• Per pool settings
• Exchange
  • Dedicated authentication required in order to get Call Logs, Unified Contact Store
• SharePoint
• Supported clients
  • Lync 2013 desktop client
  • Microsoft Lync 2013 for iPhone
  • Microsoft Lync 2013 for iPad
  • Microsoft Lync 2013 for Windows Phone 8
Authentication | Lync Client external | TLS-DSK
Participants: Lync Client, Reverse Proxy, Edge, Lync Server (FE, WebTicket WS, CertProv WS), AD
1. Client → Edge → FE: Establish TCP and TLS (443/tcp to the Edge, 5061/tcp Edge to FE); SIP Register
2. FE → Client: 401 Authenticate with certificate (TLS-DSK): URL for CertProv WS
3. Client → Reverse Proxy → CertProv WS: Establish TCP and TLS connection (443/tcp to the Reverse Proxy, 4443/tcp to the FE); Get Certificate Service MEX Document
4. CertProv WS → Client: Web Ticket Security Token is required: URL for Web Ticket WS
5. Client → WebTicket WS: Request Web-Ticket MEX / Security Token
6. WebTicket WS → Client: Request Authentication
7. Client → WebTicket WS: NTLM Auth Credentials
8. WebTicket WS ↔ AD: NTLM/Kerberos Auth; Auth: success
9. WebTicket WS → Client: Web-Ticket Security Token
10. Client → Reverse Proxy → CertProv WS: Establish TCP and TLS connection (443/tcp, 4443/tcp); Certificate Signing Request w/ Web Security Token
11. CertProv WS → Client: Lync Server Signed User Certificate
12. Establish TCP and TLS connection (443/tcp, 4443/tcp); Publishing Lync User Cert & PKI pair
13. Client → Edge → FE: SIP Register with Lync Server Signed Certificate (443/tcp, 5061/tcp)
14. FE → Client: 200 OK
Authentication | Lync Client external | 2FA
Participants: Lync Client, Reverse Proxy, Edge, Lync Server (FE, WebTicket WS, CertProv WS), AD FS
1. Client → Edge → FE: Establish TCP and TLS (443/tcp to the Edge, 5061/tcp Edge to FE); SIP Register
2. FE → Client: 401 Authenticate with certificate (TLS-DSK): URL for CertProv WS
3. Client → Reverse Proxy → CertProv WS: Establish TCP and TLS connection (443/tcp to the Reverse Proxy, 4443/tcp to the FE); Get Certificate Service MEX Document
4. CertProv WS → Client: Web Ticket Security Token is required: URL for Web Ticket WS
5. Client → WebTicket WS: Request Web-Ticket MEX / Security Token
6. WebTicket WS → Client: Request Authentication; Redirect (to AD FS)
7. Client → AD FS: Establish TCP and TLS connection (443/tcp); Authentication
8. AD FS → Client: Authentication Token
9. Client → WebTicket WS: Establish TCP and TLS connection (443/tcp); Authentication Token
10. WebTicket WS → Client: Web-Ticket Security Token
11. Client → Reverse Proxy → CertProv WS: Establish TCP and TLS connection (443/tcp, 4443/tcp); Certificate Signing Request w/ Web Security Token
12. CertProv WS → Client: Lync Server Signed User Certificate
13. Establish TCP and TLS connection (443/tcp, 4443/tcp); Publishing Lync User Cert & PKI pair
14. Client → Edge → FE: SIP Register with Lync Server Signed Certificate (443/tcp, 5061/tcp)
15. FE → Client: 200 OK
Session Initiation Protocol
• Session Initiation Protocol – SIP
  • RFC 3261
  • Extensions documented in “Office Protocols”: http://msdn.microsoft.com/en-us/library/office/cc307432(v=office.12).aspx
• Used for
  • Signaling
  • Instant Messages
  • Receiving configuration from the server
• Encrypted
  • The server certificate is used to create a TLS encrypted connection
• Mobile clients encapsulate SIP in HTTPS
  • iOS, Android, Windows Phone
  • Optimizes battery life and bandwidth usage
Inband provisioning
• After authentication, the encrypted SIP/TLS channel will provide
  • Settings for the client
  • Contact list of the user
• Settings are stored on the Lync Server and allow centralised configuration
Lync Contact list
• Location
  • SQL (RTC)
  • Exchange (UCS)
• Retrieved via the SIP/TLS channel
• The Lync client builds contact cards using data from multiple sources (Lync Presence Information, Outlook contacts, AD, SharePoint, …)
• The retrieved Lync contact list is just a list of SIP URIs
Presence & Address book information
• Presence
  • Transported via the SIP/TLS channel
  • Contains current information about the user
  • The level of information revealed via Presence can be controlled by the Lync user via Privacy Relationships
• Address Book
  • Two modes
    • Download to client
    • Search via Web Service
  • Mobile clients always use the Web Service
  • Security
    • All communication via HTTPS
    • User needs to authenticate
Contact Lync User using IM
Participants: Lync Pool A, Lync Pool B, Lync Archiving Database or Exchange 2013
1. IM sent in a SIP connection secured using TLS
2. Pool A forwards the IM to Pool B in an encrypted SIP/MTLS channel
3. IM sent to Bob’s Lync client in a SIP connection secured using TLS
4. IM replies follow the same path in the opposite direction
5. During the conversation, IMs might be stored in the Archiving Database or Exchange
6. After the conversation is over, a conversation history record may be stored
Collaborate P2P with Lync user on Lync
Participants: Lync Pool A, Lync Pool B
1. Alice places an audio/video call to Bob. The session is established via an encrypted SIP/TLS/MTLS channel
2. A/V media exchanged in P2P fashion, secured by the SRTP protocol
3. Bob shares an application; the information about sharing is sent via the encrypted SIP/TLS/MTLS signaling channel
4. Sharing of the application is secured by the SRTP protocol
5. Alice sends a file to Bob
6. Bob accepts the file
7. Transfer of the file is secured by the SRTP protocol
Lync P2P from “user security” perspective
• Audio
  • The called user can decline, or accept the session but with a less “open” channel: IM
  • The user can initiate recording of the session
• Video
  • The called user can decline the use of video, or accept the session but with a less “open” channel, e.g. audio or IM
• Desktop or Application sharing/control
  • Most often used to share a whole desktop, but the view can be narrowed down to just a selected application
  • The privilege to “control” what’s being shared has to be explicitly granted by the sharer
  • Lync will not allow sharing DRM-protected files
• File Transfer
  • The receiving user can decline a file that is being sent to him/her
Lync P2P from “admin security” perspective
• Audio
  • Ability to disable Audio
  • Ability to record audio can be disabled
• Video
  • Ability to use video can be disabled
• Desktop or Application sharing/control
  • The privilege to share a whole desktop can be narrowed down to just a selected application, or revoked completely
  • The privilege to “control” can be revoked completely
  • Can also be removed for Anonymous/Federated users
• File Transfer
  • Transferring of files can be completely blocked by the administrator
  • Transferring certain types of files can be blocked by administratively enforced filters
Security for PSTN calls
1. Call setup with the Pool in SIP/TLS
2. Call setup with the Mediation Server (MS) in SIP/MTLS
3. Call setup with the Gateway (GW) in SIP/MTLS or SIP/TCP
4. Call setup with the PSTN in ISDN
5. Media secured by the SRTP protocol (client to Mediation Server)
5. Media secured by the SRTP protocol or unencrypted (RTP) (Mediation Server to Gateway)
6. Media unprotected in ISDN (Gateway to PSTN)
Call flows
1. Signaling via SIP/TLS
2. Media A/V/AppSharing with SRTP
3. File upload and download via HTTPS
4. Files are stored on the File Share
5. The OWAS server receives the PPTX via the Front End Server from the File Share via HTTPS
6. The client views PowerPoint presentations directly from the OWAS Server via HTTPS
7. Annotations and whiteboard sent via PSOM/TLS
Conference Participation
• User types
  • Domain users
  • Federated users
  • Anonymous users
• Conference roles
  • Organizer
  • Presenter
  • Attendee
• Lobby
  • The Organizer decides who joins the meeting via the lobby
Lync Meeting files
• Stored on the File Share
  • Protected via File Share permissions
• Administrators
  • Required RTC groups (configured by Topology Builder)
• Clients retrieve files via the Lync web service
  • No direct connections from clients to the File Share
  • Need to present the conference ID
  • Need to present the file name (obfuscated when stored on the File Share)
  • Encryption key required to decrypt (received via signaling in the conference)
• Meeting content lifecycle
  • Default: 15 days after the meeting ended
Call flows
1. Sign-in, contacts, presence, IMs, call setups etc. to the Edge in SIP/TLS
2. Sign-in, contacts, presence, IMs, call setups etc. to the Pool in SIP/MTLS
3. ABS, Meeting Files, etc. to the Reverse Proxy (RP) in HTTPS
4. ABS, Meeting Files, etc. to/from the Pool in HTTPS
5. Media for audio, video, appsharing, file transfer to the Edge in SRTP
6. Media in SRTP
Adding a Lync Director
Why? Security policy says “No direct contact between Perimeter and Internal Servers”
Topology Changes: Addition of a Lync Director (Pool); Bridgehead servers / Session Border Controllers between the Perimeter and Internal network
Considerations: Supported topology, however the Director is no longer required or recommended; Additional hardware, software, management and administration
Impact on User Experience? Minor delays on sign-in because of redirection
Added value? Limited
Diagram (Internet | Perimeter | Internal): Remote User, Mobile User, Federated / Anonymous User; Edge Server, Reverse Proxy; Lync Pool; Lync Director
Diagram (Internet | Perimeter | Internal): Remote User, Mobile User, Federated / Anonymous User; VPN; Lync Pool
Remote Access Through VPN
Why? Security policy says “All External Traffic must use our VPN solution” and “No direct exposure of services directly”
Topology Changes: Remove the Lync Edge (Pool) and Reverse Proxy; Make use of the existing VPN Concentrator
Considerations: VPN is supported, but media over VPN is discouraged
Impact on User Experience? Users should sign in to the VPN before Lync, otherwise unexpected behavior will occur; All media over VPN: performance degradation because of double encryption; No mobile clients, no federation and no anonymous web conferences
Added value? No, breaks the most important Lync scenarios
Diagram (Internet | Perimeter | Internal): Remote User, Mobile User, Federated / Anonymous User; Edge Server, Reverse Proxy, VPN; Lync Pool
VPN for Corporate Users
Why? Security policy says “All Corporate users must use our VPN solution” and “Federated partners and anonymous users can use Edge/Reverse Proxy”
Topology Changes: Make use of the existing VPN Concentrator; Disable remote access for Corporate Lync Users
Considerations: VPN is supported, but media over VPN is discouraged; Complex scenario, setting up routing is difficult
Impact on User Experience? Users should sign in to the VPN before Lync, otherwise unexpected behavior will occur; All media over VPN: performance degradation because of double encryption (implement split tunneling as an alternative); No mobile clients
Added value? No, mobile workload not supported, added complexity, does not increase security
“Public” and “Private” Edge Servers
Why? Security policy says “Anonymous users should use different infrastructure than corporate users”
Topology Changes: Add additional Edge and Reverse Proxy servers with private certs; Manual configuration of Lync clients
Considerations: Lync does not support double Edge servers; Media path/flow cannot be guaranteed; Complex scenario, setting up routing is difficult and has to be done manually
Impact on User Experience? No mobile clients (need certificates, manual configuration)
Added value? No, unsupported configuration, very complex, no real traffic separation, no increase in security
Diagram (Internet | Perimeter | Internal): Remote User, Mobile User, Federated / Anonymous User; Lync Pool
Diagram (Internet | Perimeter | Internal): Remote User, Mobile User, Federated / Anonymous User; Edge Server, Reverse Proxy; Lync Pool
Third-party MSPL Scripts
Why? Security policy says “Block IP address in case of multiple wrong login attempts”; Requirements or rules that extend beyond what Lync provides out of the box
Topology Changes: Third-party Microsoft SIP Processing Language (MSPL) script/app installed on Edge and Front End Servers (for example: http://lync-solutions.com ); Third-party apps and scripts on the Reverse Proxy
Considerations: Third-party scripts are not built or maintained by Microsoft; what about continuity and upgrades for future versions?
Impact on User Experience? None (if scaled properly, of course)
Added value? Yes, will increase security if deployed and maintained correctly; Addresses security rules and policies
To Summarise
The world is changing, are your security policies still applicable?
Lync is secure by default and all traffic is encrypted; understanding why and how will help you choose the right approach
User education is key
Use the Microsoft recommended and supported topology
Product Group feedback
• Skype Experience Engine via MSFT local contact
Track resources
• Microsoft Lync Server 2010 Security Guide: http://www.microsoft.com/en-us/download/details.aspx?id=2729
• Securing external and mobile access in Lync 2013: http://channel9.msdn.com/Events/Lync-Conference/Lync-Conference-2014/CLNT300
• Planning for security in Lync Server 2013: http://technet.microsoft.com/en-us/library/dn342827.aspx
“Trustworthy Computing Initiative”
• Initiated by Microsoft in 2002
• Availability, Security, Privacy, Business Integrity
• Whitepaper
  • http://aka.ms/TCI
• Email from Bill Gates
  • “So now, when we face a choice between adding features and resolving security issues, we need to choose security”
• Security relevant principles
  • Secure by Design
  • Secure by Default
Perceived Threat Scenarios
Threat | Probability to affect Lync | Mitigation solutions
Compromised-key attack | Low | Protect private PKI keys
Network denial-of-service attack | Low | Use firewall to throttle Internet traffic
Eavesdropping | Very low | Protect private PKI keys
Identity spoofing/IP address spoofing | Very low | Transport Layer Security (TLS) protects from spoofing IP addresses
Man-in-the-middle (MiM) attack | Very low | Protect Active Directory from adding MiM as trusted server
RTP replay attack | Very low | Lync maintains an index of received SRTP packets
SPIM (spam over Internet Messaging, or IM) | Low | Block SPIM-offending IP at firewall or disable federation during the attack. Edge server also automatically throttles down requests if failure/success ratio becomes too high for IM.
Personally identifiable information | Low | Train users to only accept federation requests from known and trusted individuals.
SQL backend
• Every Lync pool has a SQL back-end
• Holds all Lync information
  • Central Management Store
  • Scheduled meetings
  • Contact lists
  • Services like Location Information Service or Call Admission Protocol
• How are they secured?
  • Physically secured in the data center
  • Also supports Transparent Data Encryption (TDE)
  • Minimum required access permissions based on AD
• Microsoft SQL Server 2012 Security Best Practice Whitepaper
  • http://download.microsoft.com/download/8/F/A/8FABACD7-803E-40FC-ADF8-355E7D218F4C/SQL_Server_2012_Security_Best_Practice_Whitepaper_Apr2012.docx
Conversation History
• User-side record for personal archive
• Administrator control
  • Administrator can disable or allow
• User control
  • User can always opt out
  • User can delete items from the conversation history
• Storage location
  • Lync Desktop Client and Lync Windows Store App: mailbox of the user
  • Mobile clients: locally on devices
    • There is a separate policy to disable it
  • Mac Client: locally in the file system
Archiving
• Server-side recording for compliance
• Administrator control
  • Administrator has full control
• User control
  • User has no control
  • User is not able to see stored content
• Storage location
  • Archiving database on SQL Server
    • Same security principles as for Lync BackEnd SQL databases
  • Exchange 2013 or Exchange Online
    • Messages are stored in a hidden folder (Recoverable Items > Purges)
    • Same location that is used for email under Litigation Hold
    • Communication between Lync and Exchange secured using OAuth
Privacy Relationships
Type of information | Blocked Contacts? | External Contacts? | Colleagues? | Workgroup? | Friends & Family?
Presence Information: Yes Yes Yes Yes
Presence Status: Yes Yes Yes Yes
Display Name: Yes Yes Yes Yes Yes
Email Address: Yes Yes Yes Yes Yes
Title *: Yes Yes Yes Yes
Work Phone *: Yes Yes
Mobile Phone *: Yes
Home Phone *: Yes
Other Phone: Yes Yes Yes Yes
Company *: Yes Yes Yes Yes
Office *: Yes Yes Yes Yes
SharePoint Site *: Yes
Meeting Location #: Yes
Meeting Subject #: Yes Yes Yes
Free Busy: Yes Yes Yes
Working Hours: Yes Yes Yes
Location #: Yes Yes Yes
Notes (Out-of-Office Note): Yes Yes Yes
Notes (Personal): Yes Yes Yes
Last Active: Yes Yes Yes
Personal Photo Web Address (if applicable): Yes Yes Yes
(*) If this information is defined in an organization’s directory service, it will be visible to all contacts in your organization, regardless of privacy relationship, and to external contacts (if configured and recognized by your organization’s network).
(#) This information is visible by default
Class of Service
• Usage policies define who can call which number
  • Preventing abuse and toll fraud
• Flexible assignment
  • Policies can be Global, per Lync site, Pool or user
• Rules based on Regular Expressions
  • Configured using Voice Policies, PSTN Usages and Routes
• Common practice to have classes for
  • Internal
  • National
  • International
  • Premium Numbers
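How the Voice Policy / PSTN Usage / Route chain above resolves a call, as an added Python model (not code from the presentation or from Lync). Policy names, route patterns, users and assignments are constructed for a fictional tenant, and dialed numbers are assumed to be already normalized to E.164 or a 4-digit extension.

```python
# Added example, not code from the presentation: a model of class-of-service
# evaluation. A Voice Policy lists PSTN Usages; each Usage carries Routes
# whose regular expressions must match the dialed number; policies are
# scoped user > pool > site > Global. All names and patterns are constructed.
import re

# Routes per PSTN Usage: a route applies only when its pattern matches.
ROUTES = {
    "Internal":      [r"^\d{4}$"],              # 4-digit extensions
    "National":      [r"^\+1(?!900)\d{10}$"],   # +1 numbers, excluding premium +1900
    "International": [r"^\+(?!1)\d{7,14}$"],    # any country code other than +1
    "Premium":       [r"^\+1900\d{7}$"],        # premium-rate numbers
}

# Voice Policies: the ordered list of PSTN Usages a policy may consume.
VOICE_POLICIES = {
    "Global": ["Internal", "National"],
    "Sales":  ["Internal", "National", "International"],
    "Exec":   ["Internal", "National", "International", "Premium"],
}

def effective_policy(user, assignments):
    """Most specific assignment wins: user, then pool, then site, else Global."""
    for scope in ("user", "pool", "site"):
        name = assignments.get(scope, {}).get(user[scope])
        if name:
            return name
    return "Global"

def authorize_call(user, dialed, assignments):
    """Return (allowed, usage_or_reason). The first Usage in policy order whose
    route matches the number wins; no match means the call is denied, which is
    what keeps toll fraud out by default."""
    policy = effective_policy(user, assignments)
    for usage in VOICE_POLICIES[policy]:
        if any(re.match(p, dialed) for p in ROUTES[usage]):
            return True, usage
    return False, f"no route for {dialed} in policy '{policy}'"

# Constructed sample directory and policy assignments.
USERS = {
    "alice": {"user": "alice@contoso.com", "pool": "pool1", "site": "Sydney"},
    "bob":   {"user": "bob@contoso.com",   "pool": "pool1", "site": "Sydney"},
    "carol": {"user": "carol@contoso.com", "pool": "pool2", "site": "London"},
}
ASSIGNMENTS = {
    "user": {"bob@contoso.com": "Exec"},  # per-user policy
    "pool": {"pool1": "Sales"},           # per-pool policy
    "site": {},                           # no site-level policies
}
```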
Certificate Changes That Will Affect Lync
• Lync Server 2013 relies on certificates and public key infrastructure (PKI)
• Important changes for organizations that use public certificates internally
• Changes per November 1st 2015
  • Private IP addresses may no longer be part of a certificate
  • Private DNS names may no longer be part of a certificate
  • The Subject Name / Common Name field is deprecated and discouraged for use
  • After 2015, it will be impossible to obtain a publicly trusted certificate for any host name that cannot be externally verified
• What if your servers are installed in contoso.local?
  • An internal Enterprise Certificate Authority (CA) is required
Lync Media Transport - SRTP
• Direct media flow between two clients, encrypted end to end
• SRTP used for protection of Audio/Video/Desktop Sharing/File Transfer (p2p)
• AES with a 128 bit key is used as per [MS-SRTP]
• SRTP key material is exchanged between clients using the secured SIP/TLS/MTLS channel
Reverse Proxy security
• The Reverse Proxy does not authenticate users
  • Anonymous users need to be able to download meeting files
• Published to a dedicated web service
  • “External Web Server”
  • Located on the Front End Server
  • Uses a dedicated Kerberos account with minimum permissions
  • Default is a local service account, but Kerberos is recommended
• Does not provide access to any management interfaces
If an attacker were to “take over” the Web Server, they would be in the context of the web server with minimal permissions, so another exploit would be required in order to get access to the machine or the Lync topology.
The SSL connection is terminated on the Reverse Proxy. This means that traffic can be inspected and additional security can be provided to protect against DoS.
Call flows
Participants: Contoso (client, Lync Pool, Edge), Internet, Litwareinc (Edge, Lync Pool, client)
1. IM or Call Setup to the Pool in SIP/TLS
2. IM or Call Setup to the Edge in SIP/MTLS
4. IM or Call Setups in Federation SIP/MTLS
5. IM or Call Setup to the Pool in SIP/MTLS
5. IM or Call Setup to the remote client in SIP/TLS
6. Media in SRTP via both Edges for Federation (not client-to-client)
Contoso side: Media in SRTP; Litwareinc side: Media in SRTP
Open Federation Security
• General limits
  • 1 000 SIP URIs
  • 20 messages per second
  • Statistics retained for one week
  • Individually on each Edge Server
• Ratio for valid/invalid SIP messages
  • Partner added to watch list
  • Restriction: 1 message per second
• Too many users contacted
  • Partner added to watch list
  • Restriction: no additional users can be contacted
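The federation limits on this slide (and the 20 messages per second / one message per second throttling mentioned on the Secure by Default slide), as an added Python model that can be run over a message stream offline; it is not Lync's implementation. The exact ratio that triggers the watch list is not on the page, so WATCH_INVALID_RATIO, the MIN_SAMPLE warm-up and the sample stream are constructed assumptions.

```python
# Added example, not code from the presentation: a model of the open-federation
# limits on the slide (20 messages/s, 1 000 SIP URIs, watch list at 1 message/s,
# "no additional users"). Lync's real thresholds are not on the page;
# WATCH_INVALID_RATIO, MIN_SAMPLE and the sample stream are assumptions.
from collections import defaultdict

MAX_PER_SECOND = 20        # normal per-partner limit
WATCH_PER_SECOND = 1       # limit once the partner is on the watch list
MAX_URIS = 1000            # distinct SIP URIs a partner may contact
WATCH_INVALID_RATIO = 0.5  # assumption: watch when more than half are invalid
MIN_SAMPLE = 10            # assumption: ratio judged after this many messages

class PartnerStats:
    def __init__(self):
        self.valid = 0
        self.invalid = 0
        self.uris = set()                   # distinct recipients contacted
        self.per_second = defaultdict(int)  # second -> messages accepted
        self.watch_reasons = set()

class FederationThrottle:
    def __init__(self, max_uris=MAX_URIS):
        self.partners = defaultdict(PartnerStats)
        self.max_uris = max_uris

    def handle(self, msg):
        """msg = {"ts": seconds, "partner": sip domain, "to": sip uri, "valid": bool}.
        Returns "accepted", "throttled" or "blocked"."""
        p = self.partners[msg["partner"]]
        if msg["valid"]:
            p.valid += 1
        else:
            p.invalid += 1
        total = p.valid + p.invalid
        # Bad valid/invalid ratio: partner goes on the watch list, 1 message/s.
        if total >= MIN_SAMPLE and p.invalid / total > WATCH_INVALID_RATIO:
            p.watch_reasons.add("invalid-ratio")
        # Too many distinct users contacted: no additional users allowed.
        if msg["to"] not in p.uris and (
                len(p.uris) >= self.max_uris or "too-many-users" in p.watch_reasons):
            p.watch_reasons.add("too-many-users")
            return "blocked"
        limit = WATCH_PER_SECOND if "invalid-ratio" in p.watch_reasons else MAX_PER_SECOND
        if p.per_second[msg["ts"]] >= limit:
            return "throttled"
        p.per_second[msg["ts"]] += 1
        p.uris.add(msg["to"])
        return "accepted"

    def watch_list(self):
        return {d: sorted(s.watch_reasons) for d, s in self.partners.items()}

def simulate(stream, max_uris=5):
    """Run a stream (small URI cap so the sample trips it); return verdict counts and watch list."""
    t = FederationThrottle(max_uris=max_uris)
    counts = defaultdict(int)
    for m in stream:
        counts[t.handle(m)] += 1
    return dict(counts), t.watch_list()

# Constructed sample: litwareinc.com sends 25 valid IMs within one second;
# spammer.example sends 12 invalid messages, then fans out to 8 new users.
SAMPLE = (
    [{"ts": 0, "partner": "litwareinc.com", "to": "alice@contoso.com", "valid": True}] * 25
    + [{"ts": 0, "partner": "spammer.example", "to": "alice@contoso.com", "valid": False}] * 12
    + [{"ts": 1 + i, "partner": "spammer.example", "to": f"u{i}@contoso.com", "valid": True}
       for i in range(8)]
)
```

Running simulate(SAMPLE) shows litwareinc.com losing only the 5 messages over the 20/s cap, while spammer.example is cut to 1 message/s once its invalid ratio trips and is then refused new recipients once it has reached the URI cap.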
Skype
• Works similarly to Federation
• Different configuration
  • The federation partner is the Microsoft cloud service
  • Translates between SIP and the Skype protocol
• Audio
  • A gateway in the Microsoft cloud service translates Lync to Skype audio
  • Lync to cloud service encryption: “regular” Lync call
  • Cloud service to Skype encryption: “regular” Skype call
• Contact list security
  • “Block all invites and communication”
  • “Allow invites but block all other communication”
  • “Allow anyone to contact me”
  • People on the contact list will always be able to contact a user