Increase Lync 2013 security

My posts will have a bit of a Lync focus at the moment, since we’re in the middle of Lync Conf 14. As I mentioned in my previous post, this post is about securing your Lync 2013 deployment. More specifically, it focuses on how to increase security when you publish Lync to the Internet.

When you publish a default Lync installation to the Internet, clients authenticate directly to the Lync Front-End server using their domain credentials. While it’s true that the traffic is sent through a reverse proxy, the actual authentication takes place at the Lync Front-End server.

This means, for instance, that you can lock any user’s AD account just by knowing its username, thereby inflicting a denial of service that is not limited to Lync. On the mobile clients you can also choose to save the password in the client, which means that a lost or stolen device has the domain credentials stored on it. It’s also worth noting that two-factor authentication is not possible without ADFS and a third-party identity provider.

For many, this just isn’t good enough for a system that is published to the Internet. Looking back at past projects that have included publishing a system to the Internet, there are two requirements that almost all of them have had in common.

1) Domain credentials may not be used.
2) Two-factor authentication is mandatory for external access.

So, how do we fulfill these two requirements? There are two ways to solve this, and both require third-party integration. Both solutions have their advantages.

Deploying either of these solutions greatly increases the security of your Lync deployment.

My upcoming posts will explain how to configure both solutions, starting with “Lync Passive Authentication with two-factor authentication”. Stay tuned for more Lync security!
