Securing Clients for Lync Server 2010
Topic Last Modified: 2011-07-17
When you configure clients prior to deploying an Microsoft Lync Server 2010 network, take the following recommended measures to enhance client security:
Use Windows 7, Windows Vista, or Windows XP with the latest service pack.
Configure client policies for media encryption and other functionality. Some of these key policies are client bootstrapping policies that specify, for example, the default servers and security mode that the client should use until sign-in is complete. Because these policies take effect before the client signs in and begins receiving in-band provisioning settings from the server, they must exist in the client computer’s registry before initial sign-in. You can use Group Policy to configure these policies. There are also certain settings that you should configure by using Lync Server Management Shell before client deployment. For details about these policies and settings, see Key Client Policies and Settings in the Planning documentation.
Configure Lync 2010 to use TLS, which provides encrypted signaling. The confidentiality even of otherwise encrypted communications, such as media, is not protected when a user connects to the server using TCP. The encryption key can be intercepted by an attacker and used to decrypt the message. If you must allow client connections over TCP, be aware of this vulnerability.
File transfer between users is peer-to-peer. All file transfers are encrypted by default. Instruct users to run a virus check before opening transferred files.
Consider restrictions on client connections and messages.
Isolate users according to usage requirements.
Run antivirus software on the client.
Frequently check and apply updates and security updates.
Use strong password best practices.
Run only necessary services and applications.
Enable the Require SIP high security mode Group Policy setting for the users GPO.
In general, you control access for a user account by enabling and disabling each user account in Active Directory. However, if a user is signed into Lync Server 2010 when you disable the user account, the user continues to have access until sign out. Also, a user can sign in for up to 180 days (default Lync certificate expiration time) after the user account is disabled in Active Directory. To prevent this, you can disable certificate-based authentication or reduce the certificate expiration time. To help ensure that only users with appropriate credentials can access Lync Server 2010, you can also do the following:
If you disable a user in Active Directory and want to ensure that that the user cannot access Lync Server 2010, use Lync Server Management Shell to run the Disable-CsUser cmdlet. This forces the sign out of the user, if the user is signed in, and prevents the user from signing in again unless you re-enable the user.
Running the Disable-CsUser cmdlet deletes user data. If you need to maintain user data, do not use this cmdlet. Instead
Set-CSUser -Enabled $false -Identity <userIdentity>to disable all Lync functionality (not just certificate authentication), but still retain the user data. You can also use the Revoke-CsClientCertificate to prevent client access.
If a user has a password that may have been compromised and you reset it in Active Directory, use Lync Server Management Shell to run the Revoke-CSClientCertificate cmdlet. This revokes the client certificate and helps ensure that the previous password cannot be used to sign-in to the account in the future.
For details about the use of these cmdlets, see the specific cmdlet in the Lync Server Management Shell section of the Operations documentation.
Client Firewall Exclusions
The Lync client installer configures the firewall during installation with the following exceptions:
Microsoft Lync 2010
UCMapi (on a 32-bit computer) or UCMapi64 (on a 64-bit computer)
Uninstalling the Lync client removes these entries.
Microsoft Lync 2010 Attendee is available to join meetings only, for users without Lync 2010. Two installers are available (Administrator mode and User mode)client exceptions depend on the installation method:
Administrator mode installation, for user accounts that are members of the Administrators group. Administrators can install this client through download from the web, or IT admins can push this client to end user desktops to simplify Lync 2010 meeting joins. The Attendee Lync client configures the firewall during installation with the following exception:
- Microsoft Lync 2010 Attendee. Uninstalling the Attendee client removes this entry.
User mode installation, for user accounts that are members of the Users group, which typically prevents admin installation of new software. Installation includes a per-user installation of the Attendee client. Using this installation method, the Attendee Lync client does not configure the firewall during installation. The user is prompted with a Windows Firewall request dialog when joining their first meeting. This adds an entry for Microsoft Lync 2010 Attendee to the firewall exception list, if the user grants access. This entry is not removed when a user uninstalls the Attendee client because the user granted access separately.
When users first use the Lync Web App client, they are prompted to install the Microsoft ActiveX control, which is required only if the user wants to share their screen or share an application. To view shared content, the Active X control is not required. If the user chooses to install the ActiveX control, a firewall exception is added for ReachAppShaX.exe.