DDOS ACCOUNT LOCKOUT PROTECTION FOR SKYPE-FOR-BUSINESS

The Problem
• Active Directory has a security policy that locks an account after several failed login attempts
• An attacker can lock a network account just by knowing a valid username
• Attackers can write a script that locks every user in the network
• This causes business downtime for all network systems, not only Skype for Business (SfB)
Problem with generic solutions
Generic solutions against Account Lockout fail to secure Skype for Business because its authentication is exposed across:
– Multiple protocols – HTTPS/SIP
– Multiple methods – Basic, NTLM, SOAP
– Multiple channels – Sign in, meeting, web API, Exchange
– Multiple locations – EMEA, US, APAC
Our Solution
With SphereShield, we offer an effective DDoS Account Lockout Protection for Skype for Business
• All failed login attempts are audited
• Soft Lockout is activated in the DMZ when an attack is detected
• Unified defense
  – One solution protecting all protocols, methods, and channels
• Device pre-authentication
  – Only authentication requests coming from a registered device reach Active Directory
• Prevents simple scripting attacks
SphereShield’s Tarpit Solution for User Enumeration
To learn about the User Enumeration attack, read our post on the topic.
SphereShield’s Tarpit
SphereShield’s Tarpit feature for Skype for Business protects against enumeration attacks directed at exposed authentication services, such as the Webticket NTLM authentication interface as well as SOAP and OAuth interfaces that Skype for Business exposes externally.

Additionally, Skype for Business’s Lyncdiscover service, which is unauthenticated, is also protected.

SphereShield’s Tarpit delays failed authentication attempts and other relevant communication to prevent server response times from revealing whether the username sent exists or not.

The Tarpit can be fine-tuned by system admins to correspond with real-world delay times in the Skype for Business on-prem environment.

The user experience of users with correct credentials remains unaffected when activating this feature.
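As an added illustration (not SphereShield's code), the Python model below shows the timing oracle the Tarpit closes and a minimum-response-time wrapper that pads failed attempts while leaving successful logins untouched; the user directory, names and delay floor are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed sample directory for the demo (not real accounts):
# username -> (salt, PBKDF2-SHA256 digest of the password).
_ITERATIONS = 100_000
_SALT = b"demo-salt-not-for-production"
_USERS = {
    "alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)),
}

def naive_check(username: str, password: str) -> bool:
    """Enumeration-prone handler: an unknown user returns immediately, a known
    user pays for the slow hash, so response time reveals whether the name exists."""
    record = _USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def tarpit(handler, min_failed_seconds: float, audit_log: list):
    """Wrap an authentication handler so every failed attempt is audited and
    takes at least min_failed_seconds, hiding the timing gap between
    'no such user' and 'wrong password'. Successful logins are not delayed."""
    def wrapped(username: str, password: str) -> bool:
        start = time.monotonic()
        ok = handler(username, password)
        if not ok:
            audit_log.append((username, "failed"))
            remaining = min_failed_seconds - (time.monotonic() - start)
            if remaining > 0:
                time.sleep(remaining)
        return ok
    return wrapped

def timed(handler, username: str, password: str):
    """Return (result, elapsed_seconds) for one authentication attempt."""
    start = time.monotonic()
    ok = handler(username, password)
    return ok, time.monotonic() - start

def demo(min_failed_seconds: float = 0.3) -> dict:
    """Compare the naive handler with the tarpitted one; returns timings."""
    audit = []
    guarded = tarpit(naive_check, min_failed_seconds, audit)
    result = {"naive_unknown_user": timed(naive_check, "mallory", "x")[1],
              "naive_wrong_password": timed(naive_check, "alice", "x")[1],
              "tarpit_unknown_user": timed(guarded, "mallory", "x")[1],
              "tarpit_wrong_password": timed(guarded, "alice", "x")[1]}
    result["success_ok"] = timed(guarded, "alice", "correct horse")[0]
    result["audited_failures"] = len(audit)
    return result
```

In the naive handler the unknown-user path is orders of magnitude faster than the wrong-password path; behind the wrapper both failures take at least the configured floor, which an admin would tune to the real environment's response times as the text describes.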
Additional Protection
SphereShield’s existing “SphereShield Credentials” feature continues to provide blanket protection against user enumeration attacks and many other potential vulnerabilities. Deployments using SphereShield Credentials don’t expose Windows Authentication interfaces to the internet.

Organizations using SphereShield Credentials have their users create a dedicated Skype for Business password which is different from their AD password and only used to connect externally to Skype for Business from Mobile and external Windows clients.

Customers who already use SphereShield Credentials are therefore protected against user enumeration attacks and don’t need to activate this feature.