Free live demo

DDoS Account Lockout Protection for Skype-for-Business

The Problem

  • Active Directory has a security policy locking account after several failed attempts​
  • Attacker can lock network account by just knowing a username value​
  • Attackers can write script for locking all users in the network​
  • This causes business downtime for all network systems and not only SfB downtime​


Problem with generic solutions


Generic solutions against Account Lockout fail to secure Skype for Business as they expose:​

  • Multi-protocol – HTTPS/SIP​
  • Multi-method – Basic, NTLM, SOAP​
  • Multi-channel – Sign in, meeting, web API, Exchange​
  • Multi locations – EMEA, US, APAC​


Our Solution

With SphereShield, we offer an effective DDoS Account Lockout Protection for Skype for Business

  • All failed login attempts are audited​
  • Activate Soft Lockout in DMZ when attack detected​
  • Unified defense ​
    • Solution protecting all protocols, methods, and channels​
  • Device pre-authentication​
    • Only authentication request coming from a registered device will reach Active Directory​
    • Prevent simple scripting attack​



SphereShield's Tarpit Solution for User Enumeration


To learn about the User Enumeration attack, read our post --> Click Here

SphereShield's Tarpit

SphereShield's Tarpit feature for Skype for Business protects against enumeration attacks directed at exposed authentication services, such as the Webticket NTLM authentication interface as well as SOAP and OAuth interfaces that Skype for Business exposes externally.

Additionally, Skype for Business's Lyncdiscover service, which is unauthenticated, is also protected.

SphereShield's Tarpit delays failed authentication attempts and other relevant communication to prevent server response times from revealing whether the username sent exists or not.

The Tarpit can be fine-tuned by system admins to correspond with real-world delay times in the Skype for Business on-prem environment.

The user experience of users with correct credentials remains unaffected when activating this feature.

Additional Protection

SphereShield’s existing “SphereShield Credentials” feature continues to provide blanket protection against user enumeration attacks and many other potential vulnerabilities. Deployments using SphereShield Credentials don’t expose Windows Authentication interfaces to the internet.

Organizations using SphereShield Credentials have their users create a dedicated Skype for Business password which is different from their AD password and only used to connect externally to Skype for Business from Mobile and external Windows clients.

Customers already using SphereShield Credentials are already protected against user enumeration attacks and don’t need to activate this feature.

Get a Free Trial

Sign-up for a free trial and demo with a SphereShield expert

For support please login to our support portal.

Get in touch

Har-Hotzvim Hi-Tech Park, Jerusalem, Israel