Organizations, which use Skype for Business (Lync), are exposed to security threats arising from the interaction with the Exchange server. The Skype for Business client approaches the Exchange server to obtain meeting information and this in turn requires Exchange Web Services (EWS) published externally.
This exposes the client to the following threats:
- The deployment of EWS includes an authentication service, thus exposing the network to account lockout in case of a DDoS attack.
- The EWS service allows for retrieving events, mails and attachments, tasks and contacts. Therefore, once exposed, all the Exchange data is also exposed.
One of the problems is that users, which use Outlook Web Access (OWA) have access to their full mail data, raising the risk that an attacker, equipped with valid Active Directory (AD) credentials, can access the users’ organizations’ mail.
SphereShield eliminates this risk. It blocks any information requests arriving from unregistered devices and adds a Two Factor Authentication (TFA) layer for the Exchange.
The solution is based on a Two Factor Authentication process, which uses the client’s password and device. The result is that unauthorized usage of the user’s credentials is not sufficient to connect to Skype for Business or Exchange without having access to the device itself. This also enables restricting the usage of these services to approved or registered devices only.
Disable “Save Password” option
Companies that do not want passwords to be cached in the device may disable the “Save Password” option on Skype for Business.
Choosing this option, however, creates difficulties in accessing the Exchange during the ongoing usage of Skype for Business as the Exchange requires credentials that were not saved on the device and therefore no longer exist. This causes the user to receive an error.
SphereShield offers a solution for this scenario, enabling a smooth user experience for continuous connectivity to Skype for Business and Exchange without saving the password on the device.
This allows the user to deploy the disabled “Save Password” option and still stay connected to the Exchange until the user signs out, thus not compromising on security as well as user experience.