Topic Last Modified: 2011-05-15
When you configure clients prior to deploying a Microsoft Lync Server 2010 network, take the following recommended measures to enhance client security:
- Use Windows 7, Windows Vista, or Windows XP with the latest
service pack.
- Configure client policies for media encryption and other
functionality. Some of these key policies are client bootstrapping
policies that specify, for example, the default servers and
security mode that the client should use until sign-in is complete.
Because these policies take effect before the client signs in and
begins receiving in-band provisioning settings from the server,
they must exist in the client computer’s registry before initial
sign-in. You can use Group Policy to configure these policies.
There are also certain settings that you should configure by using
Lync Server Management Shell before client deployment. For details
about these policies and settings, see Key Client Policies and
Settings in the Planning documentation.
- Configure Lync 2010 to use TLS, which provides encrypted
signaling. Even otherwise encrypted communications, such as media,
lose their confidentiality when a user connects to the server
using TCP, because the encryption key can be intercepted by an
attacker and used to decrypt the message. If you must allow client
connections over TCP, be aware of this vulnerability.
- File transfer between users is peer to peer. All file transfers
are encrypted by default. Instruct users to run a virus check
before opening transferred files.
- Consider restrictions on client connections and messages.
- Isolate users according to usage requirements.
- Run antivirus software on the client.
- Frequently check and apply updates and security updates.
- Use strong password best practices.
- Run only necessary services and applications.
- Enable the Require SIP high security mode Group Policy setting
in the users' GPO.
In general, you control access for a user account by enabling and disabling each user account in Active Directory. However, if a user is signed into Lync Server 2010 when you disable the user account, the user continues to have access until sign out. Also, a user can sign in for up to 180 days (default Lync certificate expiration time) after the user account is disabled in Active Directory. To prevent this, you can disable certificate-based authentication or reduce the certificate expiration time. To help ensure that only users with appropriate credentials can access Lync Server 2010, you can also do the following:
- If you disable a user in Active Directory and want to ensure
that the user cannot access Lync Server 2010, use Lync Server
Management Shell to run the Disable-CsUser cmdlet. This forces the
user to sign out, if the user is signed in, and prevents the
user from signing in again unless you re-enable the user.
Warning: Running the Disable-CsUser cmdlet deletes user data. If you need to maintain user data, do not use this cmdlet. Instead, run Set-CsUser -Enabled $false -Identity <userIdentity> to disable all Lync functionality (not just certificate authentication) while retaining the user data. You can also use the Revoke-CsClientCertificate cmdlet to prevent client access.
- If a user has a password that may have been compromised and you
reset it in Active Directory, use Lync Server Management Shell to
run the Revoke-CsClientCertificate cmdlet. This revokes the client
certificate and helps ensure that the previous password cannot be
used to sign in to the account in the future.
For details about the use of these cmdlets, see the specific cmdlet in the Lync Server Management Shell section of the Operations documentation.
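The following script is an added example, not part of the Lync Server 2010 documentation; it chains the two cmdlets described above into one lock-out step that keeps the user's Lync data. It assumes it is run from the Lync Server Management Shell by an account permitted to run Get-CsUser, Set-CsUser and Revoke-CsClientCertificate, and the SIP address passed in is a placeholder for the affected account.

```powershell
# Added example; not from the Lync Server 2010 documentation.
# Locks a Lync user out after the Active Directory account is disabled or its
# password is reset, without deleting Lync user data (so Disable-CsUser is
# deliberately not used). Run from the Lync Server Management Shell.
# Assumption: $SipAddress is a placeholder such as "sip:user@contoso.example".
param(
    [Parameter(Mandatory = $true)]
    [string]$SipAddress
)

# Fail early if the identity does not resolve to a Lync-enabled user, so that
# nothing below runs against a mistyped address.
$user = Get-CsUser -Identity $SipAddress -ErrorAction Stop
if (-not $user) {
    throw "No Lync user found for identity '$SipAddress'."
}

if ($user.Enabled) {
    # Set-CsUser -Enabled $false turns off all Lync functionality (not only
    # certificate authentication) and signs the user out, but keeps contacts
    # and other user data.
    Set-CsUser -Identity $SipAddress -Enabled $false
}

# A client certificate issued before the account was disabled or the password
# was reset stays valid for up to 180 days by default; revoking it means
# neither the cached certificate nor the old password can be used to sign in.
Revoke-CsClientCertificate -Identity $SipAddress

# Report the resulting state so the change can be recorded (PowerShell 2.0
# compatible, as shipped with Windows 7 / Windows Server 2008 R2).
$after = Get-CsUser -Identity $SipAddress
New-Object PSObject -Property @{
    SipAddress  = $after.SipAddress
    LyncEnabled = $after.Enabled
}
```

Save the script and run it as `.\Lock-LyncUser.ps1 -Identity sip:user@contoso.example` (the script name is a placeholder). Because the account is disabled with Set-CsUser rather than Disable-CsUser, the user can later be re-enabled with `Set-CsUser -Identity <userIdentity> -Enabled $true` and will find their contacts intact.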
Client Firewall Exclusions
The Lync client installer configures the firewall during installation with the following exceptions:
- Microsoft Lync 2010
- UCMapi (on a 32-bit computer) or UCMapi64 (on a 64-bit
computer)
Uninstalling the Lync client removes these entries.
Microsoft Lync 2010 Attendee is available to join meetings only, for users without Lync 2010. Two installers are available (Administrator mode and User mode); the client firewall exceptions depend on the installation method:
- Administrator mode installation, for user accounts that are
members of the Administrators group. Administrators can install
this client through download from the web, or IT admins can push
this client to end user desktops to simplify Lync 2010 meeting
joins. The Attendee Lync client configures the firewall during
installation with the following exception:
- Microsoft Lync 2010 Attendee. Uninstalling the Attendee client
removes this entry.
- User mode installation, for user accounts that are members of
the Users group, which typically prevents admin installation of new
software. Installation includes a per-user installation of the
Attendee client. Using this installation method, the Attendee Lync
client does not configure the firewall during installation. The
user is prompted with a Windows Firewall request dialog when
joining their first meeting. This adds an entry for Microsoft Lync
2010 Attendee to the firewall exception list, if the user grants
access. This entry is not removed when a user uninstalls the
Attendee client because the user granted access separately.
When users first use the Lync Web App client, they are prompted to install the Microsoft ActiveX control, which is required only if the user wants to share their screen or share an application. To view shared content, the ActiveX control is not required. If the user chooses to install the ActiveX control, a firewall exception is added for ReachAppShaX.exe.
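Because the User mode Attendee exception and the ReachAppShaX.exe exception are granted by the user and are not removed on uninstall, it is worth auditing client machines for the firewall rules the section above describes. The script below is an added example, not part of the Lync documentation: it parses `netsh advfirewall` output (Windows Vista and Windows 7) and lists any rule whose name or program matches the client names given above. It assumes the rule names and executable names contain the strings "Lync", "UCMapi" or "ReachAppShaX"; a rule that spells them differently would be missed.

```powershell
# Added example; not from the Lync Server 2010 documentation.
# Lists Windows Firewall rules left behind by the Lync 2010, Attendee and
# Lync Web App (ReachAppShaX.exe) clients so they can be reviewed after an
# uninstall. Works on Windows Vista / Windows 7 (netsh advfirewall) with
# PowerShell 2.0; run from an elevated prompt.
# Assumption: rule or program names contain one of the strings below.
$patterns = @('Lync', 'UCMapi', 'ReachAppShaX')

$rules   = @()
$current = $null

# netsh prints one block per rule. "Rule Name:" opens a block and, with
# "verbose", a "Program:" line names the executable the rule applies to.
netsh advfirewall firewall show rule name=all verbose | ForEach-Object {
    $line = $_
    if ($line -match '^Rule Name:\s+(.+)$') {
        if ($current) { $rules += $current }
        $current = New-Object PSObject -Property @{
            Name      = $Matches[1].Trim()
            Enabled   = ''
            Direction = ''
            Program   = ''
        }
    }
    elseif ($current -and $line -match '^Enabled:\s+(.+)$')   { $current.Enabled   = $Matches[1].Trim() }
    elseif ($current -and $line -match '^Direction:\s+(.+)$') { $current.Direction = $Matches[1].Trim() }
    elseif ($current -and $line -match '^Program:\s+(.+)$')   { $current.Program   = $Matches[1].Trim() }
}
if ($current) { $rules += $current }

# Build one case-insensitive alternation from the escaped patterns.
$regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$lyncRules = $rules | Where-Object { $_.Name -match $regex -or $_.Program -match $regex }

if (-not $lyncRules) {
    Write-Output 'No Lync-related firewall exceptions found.'
}
else {
    # A remaining entry after uninstall is expected only for the User mode
    # Attendee client and the ReachAppShaX.exe control; anything else should
    # have been removed by the uninstaller.
    $lyncRules | Format-Table Name, Direction, Enabled, Program -AutoSize
}
```

On Windows XP the `advfirewall` context does not exist; the legacy `netsh firewall show allowedprogram` command lists program exceptions there, but its output has a different layout and is not parsed by this script.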