Updated 5-20-11 with new independent security tests against Lync Server 2010
I sometimes get asked by telecom teams how secure is the voice traffic in Lync and is the conferencing traffic secure both on the internal network or externally. Note: diagrams and a few excerpts taken from our whitepapers
What type of secure communications are used with Lync?
Server to server Lync Server 2010 communications is encrypted by default. By requiring all servers to use certificates and by using Kerberos authentication, TLS, Secure Real-Time Transport Protocol (SRTP), and other industry-standard encryption techniques, including 128-bit Advanced Encryption Standard (AES) encryption, virtually all Lync Server data is protected on the network.
Lync Clients to Server traffic uses TLS for SIP traffic and SRTP for media such as audio, video and desktop sharing.
The following is a matrix showing the secure traffic types:
This diagram from the whitepaper shows how clients communicate securely using audio and video SRTP and TLS and Lync servers communicate securely with MTLS
Can someone sniff the packets and get access to my Lync voice/data?
By using TLS it would render a sniff/man in the middle attack very difficult to impossible to achieve within the time period in which a given conversation could be attacked. TLS authenticates all parties and encrypts all traffic. This does not prevent listening over the wire, but the attacker cannot read the traffic unless the encryption is broken. Additionally, by enabling SRTP voice, video and desktop sharing traffic will be encrypted.
How do I secure my voice traffic?
- Use TWO nics cards with mediation servers even if you can get away with one so you can lock down the routes:
- Configure the internal edge of a Mediation Server to correspond to a unique static route that is described by an IP address and a port number. The default port is 5061.
- Configure the external edge of a Mediation Server as the internal next hop proxy for the media gateway. The external edge should be identified by a unique combination of IP address and port number. The IP address should not be the same as that of the internal edge; the default port is 5068.
- Enable MTLS and SRTP between mediation server and media gateway (if gateway supported) to secure SIP and media – requires a cert on the media gateway
- Limit the number of failed call attempts on the media gateway to reduce phone attacks
- Don’t leverage IP sec between Mediation and Edge can impact voice quality
- Configure Lync 2010 clients to use TLS and not TCP
- Enable the Require SIP high security mode Group Policy setting for the users GPO for the Lync 2010 Clients
Are there Lync Server GPOs I can use to lock things down?
Yes, there is a communicator.adm file located in the %windir%\inf folder that you can leverage.
What are tips to secure my Lync Edge servers?
- Use a different subnet just for the Microsoft Lync Server 2010 Edge Servers.
- Lock down the routing rules for access to that subnet (disable broadcast, multicast, and traffic to other perimeter network subnets).
- Don’t change the service account under which edge services run.
- Read and use the information in Protecting the Edge Server Against DoS and Password Brute-Force Attacks in Lync Server 2010 at http://go.microsoft.com/fwlink/?LinkID=214180
What do I need to exclude from my antivirus program running on my Lync Server 2010?
· Lync Server 2010 processes:
· IIS processes:
· SQL Server processes:
· %ProgramFiles%\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLServr.exe
· %ProgramFiles%\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
· %ProgramFiles%\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe
Download the excellent Lync Security Guide available here.
Independent Lync Server 2010 security attacks conducted from Miercom here in Section 6.0.