27 February 2014

Lync Conference: Securing External and Mobile Access in Lync

Here are the notes for another session I attended at the conference.

Unlocking Lync Mobile Deployments
Francois Doremieux (Microsoft)
Rui Maximo (Lync-Solutions)

Authentication in Earlier Mobile Versions
  • To Lync server
    • Through Reverse Proxy
    • NTLM only
    • Re-authorize every 8 hours
  • To EWS
    • For voice mail, meetings, UCS in 2013
    • NTLM only
    • Authorization is required for each query

Recent Improvements
  • Improvement Principles
    • Reduce or remove AD credential exposure
    • Two options for initial authorization
      • NTLM
      • Passive Authentication
    • Dissociate subsequent re-authorizations - personal Lync certificate issued by Lync server
    • No solution for EWS yet
      • Remains NTLM for every query
      • Can remove/disable EWS dependent capabilities
  • Lync Certificate Authorization
    • Client obtains certificate on initial authorization
    • Method has been used for a while with other clients (desktop, phone)
    • Admin can revoke a user's certificate at any time
    • Certificate lifetime and auto-renewal interval manageable by Lync admin
    • Certificate is scoped only to Lync - can't be used to gain access to anything else on the network
    • Sign-out, deleting the client, or upgrading the client requires initial sign-in again
  • Initial Authentication
    • NTLM
    • Used to obtain web ticket from web ticket service
  • Protecting AD Credentials
    • New policy to disable password storage
      • Set-CsMobilityPolicy -AllowSaveCredentials
    • Disable EWS
      • Set-CsMobilityPolicy -AllowExchangeConnectivity
      • Voicemails will still be in email, Meeting links in calendar
  • Passive Authentication
    • New auth method introduced in Q1 CY2013
    • Lync server gets out of authentication
      • Server delegates authentication to trusted Security Token Service
      • STS serves custom authorization web page rendered in Lync app
      • Uses form entries in a Trident (web) page: a certificate on the device or a smart card can't be used, but forms-based multi-factor (password + OTP or SecurID) can be supported
      • STS passes token to client which it presents to Lync server
    • Set up server side
      • Can't be client policy as client would only get it after authentication
      • Server Policy - scope per pool, affects all users and all client types
      • Enable Passive, disable Kerberos and NTLM
    • Experience - pop-up window to authenticate
      • Not quite ready for all clients
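As an added example (not from the session or the presenters' material): a Lync Server Management Shell snippet that audits and tightens the two mobility policy settings named above, then applies the server-side passive authentication configuration for one pool. Policy names, the pool FQDN, the user and the STS metadata URL are placeholders, and the Set-CsWebServiceConfiguration parameters are assumed from Lync Server 2013 CU1 rather than quoted on this page.

```powershell
# Added example, not from the session. Assumes the Lync Server 2013 Management Shell.
# All FQDNs, policy names, the SIP address and the STS metadata URL are placeholders.
Import-Module Lync

# 1. Audit: list every mobility policy that still lets the client cache AD credentials
#    or reach EWS, i.e. the two settings the session flagged as AD-credential exposure.
Get-CsMobilityPolicy |
    Where-Object { $_.AllowSaveCredentials -or $_.AllowExchangeConnectivity } |
    Select-Object Identity, AllowSaveCredentials, AllowExchangeConnectivity

# 2. Harden the global policy: mobile clients may no longer store the AD password.
#    EWS stays enabled here; disabling it drops voicemail playback and meeting lists
#    in the app (voicemail is still delivered by e-mail, meetings stay in the calendar).
Set-CsMobilityPolicy -Identity Global -AllowSaveCredentials $false

# 3. Stricter per-user policy for high-risk accounts: no cached credentials and no EWS,
#    so those accounts never send NTLM to EWS on every query.
New-CsMobilityPolicy -Identity "Tag:NoCredCache-NoEWS" `
    -AllowSaveCredentials $false `
    -AllowExchangeConnectivity $false
Grant-CsMobilityPolicy -Identity "sip:vip.user@contoso.example" -PolicyName "NoCredCache-NoEWS"

# 4. Passive authentication is a server-side setting (a client policy would only reach
#    the client after it had already authenticated). Scoped to one pool's web services;
#    per the session this affects every user and every client type on that pool, so
#    confirm all client versions in use support it before switching Windows auth off.
Set-CsWebServiceConfiguration -Identity "Service:WebServer:pool01.contoso.example" `
    -UseWsFedPassiveAuth $true `
    -WsFedPassiveMetadataUri "https://sts.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -UseWindowsAuth None
```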

Other questions around mobile security
  • MDM discussion
    • Lync Mobile does not support MDM
      • No path to distribute
      • Rich, real-time behavior of the app does not lend itself to complex integration
      • Distribution through the App Store is the most efficient way to get the current release
    • What we endeavour instead
      • Why should app security depend on MDM?
      • Improvement on policies, authentication, protection of data at rest
      • Open to feedback toward closing possible remaining gaps
  • What does Lync Mobile do for data security?
    • Data transfers
      • Authenticated, encrypted at a similar grade to encapsulating solutions
    • Data at rest
      • Very little data at rest
      • Not accessible to other apps
      • No local storage of address books
  • Pre-authentication in DMZ
    • All authentication done in the network
    • Third-party solutions available where Lync Mobile traffic is intercepted at the reverse proxy

Incremental capabilities through third-party solutions
  • Lync-Solutions Security Filters
    • Modular security solution
    • Not just mobile but external access
    • Intercepts login traffic in the DMZ; deep packet inspection and validation
    • Prevention of DoS and brute-force attacks
    • User-device affinity
    • Logging, monitoring, alarming
    • Authentication mechanism
      • Kerberos constrained delegation
      • Passive authentication
    • Addresses customer asks
      • Pre-authentication and validation in the DMZ
      • Device restriction - enables verification of the device used by a user; can be combined with policies, alarming, etc.

Random Trivia:

The Hoover Dam is made of enough concrete to make a two-lane highway from New York to San Francisco, that's around 4000 miles (2500 kilometres).

5 comments:

  1. Professional voicemail greetings have changed the way we stay in touch with each other. Both at a personal and a professional level, voicemail greetings are symbolic of our presence and our attitude towards the person to whom the voicemail greeting is addressed.

  2. Splendidly imparted. Stunning quality. Worth reading.
    phone spy app

  3. Meta.txt is a special file where you briefly summarize the contents of your website and point the user agent to the most correct version for it. antique tractor pulling

  4. This particular papers fabulous, and My spouse and i enjoy each of the perform that you have placed into this. I’m sure that you will be making a really useful place. I has been additionally pleased. Good perform! The Sims Mobile Cheats

  5. I'm going to read this. I'll be sure to come back. Thanks for sharing. Also, this article gives the light in which we can observe the reality. This is a very nice one and gives in-depth information. Thanks for this nice article... unlockmobiledevice
