While deploying Skype for Business (Lync) on mobile devices, laptops or any other external devices outside the corporate network, special attention should be given to the possible exposure of authentication services.
The exposure of these services increases the risk of Active Directory (AD) accounts becoming locked if someone who only knows a user name sends authentication attempts to the Active Directory. If an account is locked out, the user will be prevented from accessing any services, even internally, that require an organizational account. This will likely include their workstation.
Several authentication channels need to be addressed:
- Mobile/desktop Skype for Business client logins
- Web App logins
- Dial-in page logins from a meeting invitation
- Any NTLM/Basic or SOAP login sent via HTTP to a Skype for Business Front End server or director
- NTLM authentication requests sent using the SIP protocol to an Edge server
- Exchange Web Service (EWS)
Each of these channels should be monitored and the tally should be aggregated across all.
If you handle SIP and mobile HTTP protection separately, an attacker can send authentication attempts through separate channels without going over the specific channel threshold. In such a case, the attacker would be able to cause account lockout.
So, for example, if your network policy locks your account after five attempts, an attacker can send three attempts through a Lync mobile and another three to an SIP edge server. They could cause your network account to be locked out without reaching the limit in each channel.
Moreover, most generic proxy solutions offered currently fail to handle SOAP and certainly SIP authentication attempts because they are structured specifically for Lync.
The most effective solution for preventing such attacks is to have a unified solution that protects your distributed resources.
SkypeShield offers site and multi-site defense against DDoS attacks. All AD authentication attempts from the channels listed above are monitored via SkypeShield. Failed attempts are counted and stored in a central database table which is shared by all SkypeShield components.
SkypeShield monitors Active Directory authentication attempts for all Microsoft Skype for Business services published to the Internet. The solution counts failed attempts, and once an admin-set threshold has been reached, it blocks any further attempts from reaching AD servers. Such “soft locking” prevents AD accounts from being locked out.