Organizations that use Skype for Business
(Lync) are exposed to security threats arising from the client's interaction with the Exchange server. The Skype for Business client contacts the Exchange server to obtain meeting information, and this requires Exchange Web Services (EWS) to be published externally.
This exposes the organization to the following threats:
· The EWS endpoint performs authentication, so publishing it exposes user accounts to lockout: an attacker can deliberately submit wrong passwords from the internet until the Active Directory lockout threshold is reached, a denial of service against the targeted accounts.
· EWS allows retrieving calendar events, mail and attachments, tasks and contacts. Once the service is published externally, all of this Exchange data is reachable by anyone who can authenticate to it.
· Users of Outlook Web Access (OWA) have access to their full mailbox, and EWS exposes the same data. An attacker equipped with valid Active Directory (AD) credentials can therefore read the user's organizational mail from outside the network.
SphereShield addresses this risk. It blocks information requests arriving from unregistered devices and adds a Two Factor Authentication (TFA) layer in front of Exchange.
The solution is based on a Two Factor Authentication process that combines the user's password with the registered device. Stolen credentials alone are therefore not sufficient to connect to Skype for Business or Exchange; the attacker would also need the registered device itself. The same mechanism restricts the use of these services to approved or registered devices only.
Disable “Save Password” option
Companies that do not want passwords cached on the device can disable the “Save Password” option in Skype for Business.
Disabling it, however, breaks access to Exchange during an ongoing Skype for Business session: Exchange requires credentials that were never saved on the device, so the client cannot present them and the user receives an error.
SphereShield offers a solution for this scenario, providing continuous connectivity to Skype for Business and Exchange without saving the password on the device.
The organization can therefore enforce the disabled “Save Password” option while the user stays connected to Exchange until signing out, without compromising either security or user experience.
Registering the device adds an authentication factor and lets the organization control which devices are permitted to connect.
SphereShield offers several approaches for registering and approving mobile devices through its Skype for Business access control module. Registration is performed through the SphereShield Access Portal, a self-service web portal.
Device Registration Options
Skype for Business Access Control supports the following enrollment options:
· Automatic registration – the device is registered when the user connects to Skype for Business for the first time. On subsequent synchronizations, Skype for Business Access Control verifies that the connection indeed comes from the registered device; any attempt to connect from a different device with the same credentials is blocked automatically.
· Two step registration – a tighter approach in which the user must first register on a dedicated access portal and then connect within a short period defined in the portal configuration. The user logs into the access portal with his or her Active Directory credentials (Windows authentication) from a PC on the internal network, presses the register button, and then performs a Skype for Business connection within a period set by the admin (the default is 15 minutes). Once the device connects successfully it is registered, and from that point on SphereShield allows the user to connect only from that registered device.
· A user can add another device if SphereShield is configured to support multiple devices. SphereShield can also cap the number of approved devices per user.
Admin manual approval
With this option, every device must be approved by the SphereShield admin. When the user connects for the first time, the device is placed in the blocked device list; the admin then approves it manually, after which it is authorized and bound to that specific user.
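The three enrollment modes above (automatic, two step with a time window, admin manual approval) plus the per-user device limit form one small access-control policy. The following is an added example that models that policy; it is not SphereShield's code and does not reflect its implementation. The device identifier, the `Policy` fields, the decision strings returned by `connect()` and the use of a caller-supplied clock are all assumptions made for illustration.

```python
"""Model of the device-registration modes described on this page (hypothetical example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    AUTOMATIC = "automatic"            # first device to connect gets registered
    TWO_STEP = "two_step"              # register on the portal, then connect within a window
    ADMIN_APPROVAL = "admin_approval"  # device lands in the blocked list until an admin approves it


@dataclass
class Policy:
    mode: Mode
    max_devices: int = 1                # assumed per-user device cap
    two_step_window_s: float = 15 * 60  # default 15 minutes, as the text states


@dataclass
class DeviceRegistry:
    policy: Policy
    approved: dict[str, set[str]] = field(default_factory=dict)    # user -> registered device ids
    blocked: dict[str, set[str]] = field(default_factory=dict)     # user -> device ids awaiting admin
    portal_clicks: dict[str, float] = field(default_factory=dict)  # user -> time of "register" click

    def _approved(self, user: str) -> set[str]:
        return self.approved.setdefault(user, set())

    def _at_limit(self, user: str) -> bool:
        return len(self._approved(user)) >= self.policy.max_devices

    def portal_register(self, user: str, now: float) -> None:
        """User presses 'register' on the access portal (two-step mode)."""
        self.portal_clicks[user] = now

    def admin_approve(self, user: str, device_id: str) -> bool:
        """Admin moves a device from the blocked list to the approved list."""
        if device_id not in self.blocked.get(user, set()) or self._at_limit(user):
            return False
        self.blocked[user].discard(device_id)
        self._approved(user).add(device_id)
        return True

    def connect(self, user: str, device_id: str, now: float) -> str:
        """Decide whether a request from (user, device_id) is allowed; device_id is an assumed stable client identifier."""
        approved = self._approved(user)
        if device_id in approved:
            return "allow"
        # Unknown device: the device cap applies in every mode, then the mode-specific rule.
        if self._at_limit(user):
            return "deny:device-limit"
        mode = self.policy.mode
        if mode is Mode.AUTOMATIC:
            approved.add(device_id)
            return "allow"
        if mode is Mode.TWO_STEP:
            clicked = self.portal_clicks.get(user)
            if clicked is None:
                return "deny:not-registered"
            if now - clicked > self.policy.two_step_window_s:
                del self.portal_clicks[user]  # window expired; user must press register again
                return "deny:not-registered"
            del self.portal_clicks[user]      # one portal click enrolls exactly one device
            approved.add(device_id)
            return "allow"
        # Mode.ADMIN_APPROVAL: record the device and wait for the admin
        self.blocked.setdefault(user, set()).add(device_id)
        return "deny:pending-admin-approval"


if __name__ == "__main__":
    reg = DeviceRegistry(Policy(Mode.TWO_STEP))
    print(reg.connect("bob", "tablet", now=0.0))     # deny:not-registered
    reg.portal_register("bob", now=100.0)
    print(reg.connect("bob", "tablet", now=400.0))   # allow (within 15 minutes)
    print(reg.connect("bob", "phone", now=500.0))    # deny:device-limit
```

The ordering inside `connect()` is the part worth noting: the device cap is checked before any mode-specific enrollment, so in automatic mode a second device using the same credentials is blocked rather than silently registered, and in two-step mode an expired portal click is discarded so the user has to start the registration again.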