AGAT


How to verify DDoS/account lockout protection while deploying Skype for Business

While deploying Skype for Business (Lync) on mobile devices, laptops or any other external devices outside the corporate network, special attention should be given to the possible exposure of authentication services.

The exposure of these services increases the risk of Active Directory (AD) accounts becoming locked if someone who only knows a user name sends authentication attempts to the Active Directory. If an account is locked out, the user will be prevented from accessing any services, even internally, that require an organizational account. This will likely include their workstation.

Several authentication channels need to be addressed:

  • Mobile/desktop Skype for Business client logins
  • Web App logins
  • Dial-in page logins from a meeting invitation
  • Any NTLM/Basic or SOAP login sent via HTTP to a Skype for Business Front End server or Director
  • NTLM authentication requests sent using the SIP protocol to an Edge server
  • Exchange Web Service (EWS)

Each of these channels should be monitored and the tally should be aggregated across all.

If you handle SIP and mobile HTTP protection separately, an attacker can send authentication attempts through separate channels without going over the specific channel threshold. In such a case, the attacker would be able to cause account lockout.

So, for example, if your network policy locks an account after five failed attempts, an attacker can send three attempts through the Lync mobile client and another three to a SIP Edge server. The account is locked out even though neither channel has reached its own limit.

Moreover, most generic proxy solutions currently offered fail to handle SOAP, and certainly SIP, authentication attempts, because those protocols are specific to Lync.

The most effective solution for preventing such attacks is to have a unified solution that protects your distributed resources.

SkypeShield offers site and multi-site defense against DDoS attacks. All AD authentication attempts from the channels listed above are monitored via SkypeShield. Failed attempts are counted and stored in a central database table which is shared by all SkypeShield components.

SkypeShield monitors Active Directory authentication attempts for all Microsoft Skype for Business services published to the Internet. The solution counts failed attempts, and once an admin-set threshold has been reached, it blocks any further attempts from reaching AD servers. Such “soft locking” prevents AD accounts from being locked out.
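The following is an added example, not SkypeShield or Microsoft code, that models the two designs discussed above: a gateway with a separate failure counter per channel, and a gateway with one counter per account shared by every channel (the "soft lock"). The channel labels, the account name, the AD lockout threshold of five (the post's own figure) and the gateway threshold of four are all constructed assumptions; the `ActiveDirectory` class is a stand-in for the real lockout policy. It reproduces the three-plus-three attack from the earlier paragraph and also shows the trade-off of a soft lock: the legitimate user is held at the gateway until the counter is reset, but the AD account itself stays usable for internal logon.

```python
"""Aggregating failed AD authentication attempts across publishing channels.

Added example, not product code. Channel names, thresholds and the sample
attempts below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Publishing channels named in the post (constructed labels, not product identifiers).
CHANNELS = ("mobile_http", "webapp", "dialin", "sip_edge", "ews")

AD_LOCKOUT_THRESHOLD = 5   # assumed AD policy: lock after five bad passwords
GATEWAY_SOFT_LOCK = 4      # admin-set gateway threshold; must stay below the AD policy


@dataclass(frozen=True)
class AuthAttempt:
    account: str
    channel: str
    correct_password: bool


class ActiveDirectory:
    """Stand-in for the AD account-lockout policy (no real directory involved)."""

    def __init__(self, lockout_threshold=AD_LOCKOUT_THRESHOLD):
        self.lockout_threshold = lockout_threshold
        self.bad_password_count = defaultdict(int)
        self.locked = set()

    def authenticate(self, attempt):
        acct = attempt.account.lower()          # AD account names are case-insensitive
        if acct in self.locked:
            return False
        if attempt.correct_password:
            self.bad_password_count[acct] = 0
            return True
        self.bad_password_count[acct] += 1
        if self.bad_password_count[acct] >= self.lockout_threshold:
            self.locked.add(acct)
        return False


class PerChannelGate:
    """Weak design: every channel keeps its own failure counter for an account."""

    def __init__(self, ad, threshold=GATEWAY_SOFT_LOCK):
        self.ad, self.threshold = ad, threshold
        self.failures = defaultdict(int)        # keyed by (account, channel)

    def handle(self, attempt):
        key = (attempt.account.lower(), attempt.channel)
        if self.failures[key] >= self.threshold:
            return "blocked_at_gateway"
        ok = self.ad.authenticate(attempt)
        if not ok:
            self.failures[key] += 1
        return "ad_success" if ok else "ad_failure"


class UnifiedGate:
    """Soft lock: one failure counter per account, shared by all channels."""

    def __init__(self, ad, threshold=GATEWAY_SOFT_LOCK):
        self.ad, self.threshold = ad, threshold
        self.failures = defaultdict(int)        # stands in for the shared central table

    def handle(self, attempt):
        acct = attempt.account.lower()
        if self.failures[acct] >= self.threshold:
            return "blocked_at_gateway"         # nothing more reaches AD for this account
        ok = self.ad.authenticate(attempt)
        if ok:
            self.failures[acct] = 0
        else:
            self.failures[acct] += 1
        return "ad_success" if ok else "ad_failure"


def simulate(gate_cls):
    """Replay the post's three-plus-three scenario, then a legitimate login."""
    ad = ActiveDirectory()
    gate = gate_cls(ad)
    # Constructed attack: three bad passwords via the mobile client, three via the SIP Edge.
    attempts = [AuthAttempt("alice", "mobile_http", False)] * 3
    attempts += [AuthAttempt("alice", "sip_edge", False)] * 3
    outcomes = [gate.handle(a) for a in attempts]
    legit = gate.handle(AuthAttempt("Alice", "webapp", True))   # the real user, right password
    return {
        "reached_ad": outcomes.count("ad_failure"),
        "blocked_at_gateway": outcomes.count("blocked_at_gateway"),
        "ad_locked": "alice" in ad.locked,
        "legit_login": legit,
    }


if __name__ == "__main__":
    for cls in (PerChannelGate, UnifiedGate):
        print(cls.__name__, simulate(cls))
```

With the per-channel gate all six bad passwords reach AD, the account locks, and the real user's later login fails even over a third channel. With the unified gate only four reach AD, the remaining two are dropped at the gateway, and AD never locks; the real user is still held at the gateway until the counter is cleared, which is the cost of the soft lock. The gateway threshold has to be strictly lower than the AD policy, and it should be reset on the same schedule as AD's own observation window, otherwise a short burst spread over the window boundary can still reach the directory.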


Mobile Skype for Business connectivity security threats need to be addressed

BYOD (Bring-Your-Own-Device), in which a growing number of workers use their smartphones for both personal and work purposes, is a hot trend.

A recent report by research company Gartner predicts that by 2017 half of all employers will require employees to supply their own device for work purposes. The report, entitled “Bring Your Own Device: The Facts and the Future,” indicates that security remains the top concern for BYOD.

Another survey, published by the Ponemon Institute and Zix Corporation, indicates that the majority of IT and IT specialists believe their companies do not use any tools or policies to protect corporate data from risks arising from BYOD.

The research shows that 60 percent of IT professionals are dissatisfied with current BYOD solutions, mostly due to cost and inadequate security.

The problem is not limited to organizations that deploy a BYOD policy, but also includes companies which provide their workers with mobile devices. So for example, workers who use the corporate network to connect to services such as Microsoft Skype for Business (Lync) may expose their employers to serious security threats.

The major risks for the organizations’ networks include:

Hacking of network active directory credentials

Active Directory usernames and passwords can be hacked and used to provide unauthorized access to many core business applications. Using Active Directory credentials in the non-secured environment of a mobile device introduces major risks.

The exposed credentials might be hacked and used to either receive emails or log in to other corporate applications. Hacking is typically achieved by “eavesdropping” on public networks, through hostile applications installed by users or received by SMS. Another danger is that the user will allow other people, such as friends and family members, to use his or her device, and unintentionally expose the corporate network to risk.

The best solution for such problems is to try to refrain from using or storing the Active Directory credentials on the mobile device.

Usage of uncertified devices

The worker might connect to the corporate network by using his or her name and password on other, unauthorized devices. Companies therefore need to adopt a policy in which workers can access the system only from authorized devices.

An additional risk is posed when someone has access to a user’s credentials and can connect unnoticed from a different device.

To avoid these two issues, the required solution is to allow only registered devices to connect, which amounts to a two-factor authentication connection: something the user knows (the password) together with something the user has (the registered device).

Brute Force attack and denial of service (DoS)

The exposure of internal services, such as Skype for Business, through the use of a BYOD policy introduces a risk of brute force attacks and denial of service attacks.

The authentication of these services must be publicly available in order to allow the worker to connect anytime from anywhere, thus exposing the Active Directory authentication interface to potential attacks.

Brute-force attacks are conducted by systematically checking all possible keys or passwords until the correct one is found.

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make the corporate network unavailable to its intended users. Such attacks generally consist of efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet.

These attacks can make the network unavailable and cause significant business damage. The best way to defend the organization from them is to block them at the gateway level: a gateway layer configured with a block-failed-login policy stops the attack attempts before they enter the network and prevents them from ever reaching the Active Directory.

Identifying the risks arising from adopting BYOD policies and from making internal services available for external mobile devices is the first step that organizations need to take before they authorize such a strategy.

As the BYOD trend is expected to play a major role in the future, IT managers should explore the possible solutions and find the ones that are most suitable for their organization.