LyncShield and NTLM Blocking script solution

Why deploy the LyncShield and NTLM Blocking script solution?


Lync provides the following external capabilities:

  • Anonymous access
  • Federation
  • Mobility
  • External Access

The external access capabilities of Lync require the deployment of an Edge server and a reverse proxy. The Lync Edge server can authenticate users with NTLM and TLS-DSK (a certificate-based authentication method). The reverse proxy uses NTLM authentication together with a Lync Web Ticket.

The Lync Edge and reverse proxy components, however, do not provide sufficient built-in protection against denial-of-service attacks. The problem is that NTLM authentication attempts can be made from non-managed systems, and repeated failures lock out any Active Directory user account. This issue must be mitigated before enabling any Lync external access capability.

The following solutions were developed to mitigate this DoS vulnerability. They also provide the foundation of a secured Lync mobile sign-in solution.

NTLM blocking script

The NTLM blocking script prevents NTLM authentication from succeeding. It is an MSPL script that actively monitors SIP traffic for NTLM authentication and blocks the returning NTLM traffic from the Front End server.

Bastion Proxy server

The Bastion Proxy server provides a soft lockout policy that protects the Active Directory account from being locked out. The server monitors the authentication traffic and counts the failed attempts.

Once the number of failed attempts reaches the preconfigured threshold, a soft lockout is initiated that stops any further failed authentication attempts from passing through the Bastion Reverse proxy. Other applications are not hindered by the soft lock, since it only applies on the Bastion Reverse proxy server.
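As an added illustration (not LyncShield's own code), here is a minimal soft-lockout gate of the kind the Bastion proxy description implies: failed attempts are counted per account at the proxy, and once a threshold that sits below the AD lockout threshold is reached, further attempts for that account are refused at the proxy instead of being forwarded, so the AD account is never locked. The thresholds, timings, account names and the `backend` callable standing in for the real AD/NTLM check are constructed assumptions.

```python
from collections import defaultdict


class SoftLockout:
    def __init__(self, ad_lockout_threshold, proxy_threshold, window_seconds, cooldown_seconds):
        # Soft lockout at the reverse proxy (added example, not LyncShield's code): the proxy
        # threshold must stay below AD's so a burst of bad passwords is stopped here first.
        if proxy_threshold >= ad_lockout_threshold:
            raise ValueError("proxy threshold must be below the AD lockout threshold")
        self.proxy_threshold = proxy_threshold
        self.window = window_seconds        # failures older than this are forgotten
        self.cooldown = cooldown_seconds    # how long a soft lock lasts
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> expiry time of its soft lock

    def allow(self, account, now):
        """True if this attempt may be forwarded to the backend (AD)."""
        until = self.locked_until.get(account)
        if until is not None:
            if now < until:
                return False                # soft-locked: refuse without touching AD
            del self.locked_until[account]  # cooldown over, count afresh
            self.failures[account].clear()
        return True

    def record(self, account, success, now):
        """Record the backend verdict; True when the account just became soft-locked."""
        if success:
            self.failures[account].clear()
            return False
        recent = [t for t in self.failures[account] if now - t < self.window] + [now]
        self.failures[account] = recent
        if len(recent) >= self.proxy_threshold:
            self.locked_until[account] = now + self.cooldown
            return True
        return False


def forward_attempts(attempts, gate, backend):
    """Run (account, password, timestamp) attempts through the gate; return how many reached AD."""
    forwarded = 0
    for account, password, ts in attempts:
        if gate.allow(account, ts):
            forwarded += 1
            gate.record(account, backend(account, password), ts)
    return forwarded


def demo():
    # Constructed burst: 10 wrong passwords for one account, one per second.
    # AD would lock at 5 failures; the proxy stops forwarding after 3.
    gate = SoftLockout(ad_lockout_threshold=5, proxy_threshold=3, window_seconds=60, cooldown_seconds=300)
    backend = lambda account, password: password == "correct-horse"   # stand-in for the AD/NTLM check
    burst = [("alice", "guess%d" % i, float(i)) for i in range(10)]
    return forward_attempts(burst, gate, backend)   # 3: fewer than AD's lockout threshold
```

Because the count lives in the proxy, a legitimate user on an internal application that talks to AD directly is unaffected, which is the behaviour the soft lock is meant to preserve.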

Lync Edge Services Security Solution overview

The Lync Edge Services Security Solution consists of the following components:

  • LyncShield Bastion Reverse proxy
  • LyncShield Access Portal
  • LyncShield SQL database
  • Lync Edge server NTLM Blocker Script

The LyncShield solution also provides the following:

  • Administrative web portal for configuration options
  • Real-time logs and Microsoft Event Viewer logs
  • Blocks DoS attacks
  • Prevents AD account lockout and enumeration

ACTIVE DIRECTORY CREDENTIALS PROTECTION

Avoid using and storing AD credentials on the device by defining dedicated Lync credentials.

Highlights

  • High security level
  • Active Directory (AD) credentials are not stored on the mobile device
  • Safely connect from an external network
  • Dedicated user name and password
  • Avoid using Active Directory credentials on mobile devices

Flow diagram: Dedicated Lync Credentials

User Experience

On the access portal, register your custom login password to secure Lync access.

ACCESS CONTROL: TWO FACTOR AUTHENTICATION

Two-Factor Authentication (TFA) matches the user to a device, allowing only registered devices to connect.

In case of TFA, you will need to decide what registration process you want to use from the following options:

Highlights

  • Prevent unauthorized devices that carry corporate credentials from connecting
  • Match the device to the user
  • Two-factor authentication
  • Prevent hackers and other unauthorized users from connecting to Skype and SharePoint servers

Flow diagram: Two Factor Authentication

User Experience

The user first has to register the device on the access portal. With this approach you can also restrict access to specific AD groups by limiting the IIS site to those groups.

LyncShield offers the following security features:

[Feature overview image: lyncshield-conclusion]

If you want more information about this solution, you can contact me.

I can also deploy a PoC of this solution, with all its components, into your company network.
