Keeping Skype for Business Server Environment Secure from Hacks & Exploits


A recent Skype for Business exploit was found & fixed in a timely fashion by Microsoft, but this incident underscores the importance of UC security once again. In this article we will 1) look at some historical Skype for Business/Lync hacks and exploits and 2) consider some measures that can preemptively stave off these types of issues.

Brute Force Password Attacks: All Users (even non-Lync/Skype for Business Users) Need to Have Secure Passwords

Login pages facing the web potentially expose all domain users, even those who are not Lync or Skype for Business users, to brute force attacks, and so all users need to have secure passwords. Even test users, and perhaps especially test users.

In overview, the method uses the lyncdiscover DNS record to find the servers, and then a web login page such as dialin or scheduler is used to launch a password brute force attack. The video below gives the details. (more docs)

Lesson: all domain users need strong passwords, and this is why MFA is important.
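The attack above leaves a trail in the IIS logs of the server hosting the dialin and scheduler pages: a single client address producing a burst of failed logons. The following is an added detection example, not code from the original post; the log lines are constructed in the standard IIS W3C format, and the `/dialin` and `/scheduler` virtual directory names are assumed. It counts only HTTP 401.1 (logon failed) responses, because 401.2 is the ordinary Windows-authentication challenge every client receives before it sends credentials.

```python
# Added example (not from the post): flag brute-force logons against the
# Skype for Business dialin/scheduler pages in IIS W3C logs. Log data constructed.
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATHS = ("/dialin", "/scheduler")  # assumed IIS virtual directory names

SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2017-07-12 10:00:00 GET /dialin - 203.0.113.5 401 2
2017-07-12 10:00:01 POST /dialin - 203.0.113.5 401 1
2017-07-12 10:00:02 POST /dialin - 203.0.113.5 401 1
2017-07-12 10:00:03 POST /Scheduler/ - 203.0.113.5 401 1
2017-07-12 10:00:04 POST /dialin - 203.0.113.5 401 1
2017-07-12 10:00:05 POST /dialin - 203.0.113.5 401 1
2017-07-12 10:00:06 POST /dialin CONTOSO\\alice 198.51.100.9 200 0
2017-07-12 10:30:00 POST /dialin - 198.51.100.9 401 1
"""

def parse_w3c(log_text):
    """Yield one dict per log line; the #Fields header names the columns."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def failed_logons(records):
    """Yield (client ip, timestamp) for HTTP 401.1 (logon failed) on login pages.
    401.2 is the ordinary Windows-auth challenge every client gets, so skip it."""
    for r in records:
        if (r["cs-uri-stem"].lower().startswith(LOGIN_PATHS)
                and r["sc-status"] == "401" and r["sc-substatus"] == "1"):
            yield r["c-ip"], datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")

def flag_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak} for IPs with >= threshold failures in any `window`."""
    per_ip = defaultdict(list)
    for ip, ts in failed_logons(parse_w3c(log_text)):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):       # sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Running `flag_brute_force(SAMPLE_LOG)` on the constructed log returns `{'203.0.113.5': 5}`: the burst of five failures in five seconds is flagged, while the legitimate user's single mistyped password half an hour later is not.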

Exploits Like “Skype for Business 2016 XSS Injection”: Keep Skype for Business Server & Client Up to Date

On July 12, 2017 an exploit appeared in the Exploit Database which is described below:

XSS injection is possible via the Lync 2013 SDK and PowerShell. No user-interaction is required for the XSS to execute on the target machine. It will run regardless of whether or not they accept the message. The target only needs to be online.

This was addressed by Microsoft before the exploit was published, so that is great, but the update needs to be installed.

Lesson: keep your servers and clients up to date.

What Are Some Things That Can Be Done to Mitigate Risk?


Implement Multifactor Authentication

Configure multifactor authentication. To get started take a look at:

Modern Authentication

Secure with App Security Layer


If you have any additional ideas on ways to keep Skype for Business secure, I welcome your comments.
