Companies using Skype for Business (Lync) externally are often unaware that they expose their corporate networks to account lockout threats arising from the exposure of external authentication services.
Another scenario that exposes this risk is using ADFS for online services (not only for Skype for Business).
Tests carried out by AGAT Software on some production environments demonstrated the ability of hackers to lock production network accounts in networks which were believed to be secured and protected. To do so, all the hacker needs to know is the username, which is typically easy to guess or find out.
The tests revealed that attackers can lock accounts through ADFS even when the ADFS Extranet Lockout feature of Windows Server 2012 R2 is deployed to protect ADFS. More broadly, AGAT showed that in most Skype for Business deployments, even those using generic account lockout protection systems, the network remains vulnerable to this kind of attack.
The Skype for Business topology is hard to protect with generic solutions because of the multiple protocols, channels and authentication methods used by the variety of supported clients.
A successful attack might cause significant business damage by preventing the user from logging into the network and from performing any type of work, even if not related to Skype for Business. This might also be part of a wider DDoS attack, stopping all the company’s activities by locking all of the domain network users.
In order to raise awareness of the threats arising from Skype for Business usage, AGAT Software, which developed SkypeShield and ADFS Protector, is now offering a free vulnerability scan test for companies wishing to validate that their network accounts are indeed well protected against account lockout.
The test takes only a few minutes and does not require the tested company to grant any access or privileges to its network; it is carried out using a vulnerability-scanning tool developed specifically for this purpose by AGAT Software. The results will not be shared with any third party besides the company itself.
During the risk-assessment tests, when the tool was run on several production environments that were believed to be secure, the generic protections built into reverse proxies failed to protect the corporate servers, and the scanning tool was able to lock internal accounts.