Security Edge Filter

Uploaded by mountainrome (Internet and Web Development), Oct 31, 2013



Security Edge Filter

For Lync Server 2013, 2010 and Office Communications Server 2007 R2

Lync-Solutions.com
fabian.kunz@grouptec.ch
www.lync-solutions.com


Version

Version   Date         Author        Remarks
1.0       12/05/2011   Fabian Kunz   Initial draft created.
1.1       12/29/2011   Rui Maximo    Edited.
1.2       1/1/2012     Fabian Kunz   Updated screenshots in section 'Security Filter in Action'.
1.3       4/2/2012     Fabian Kunz   Updated screenshots order in section 'Installation on the Lync Edge Server'.
1.4       7/19/2013    Rui Maximo    Update PowerShell registration commands.

Current Document properties

Property       Status
Status         Final
Publish date   11/1/2013






© Lync-Solutions.com 2013, all rights reserved.

This document is intellectual property of Lync-Solutions.com. No duplication or distribution allowed without written notice of the owner. No distribution outside the customer's organization allowed.

Security Filter Standard Edition, page 3 of 19, www.lync-solutions.com

Table of contents

1      Introduction ............................................ 4
1.1    Problem: Denial of Service (DoS) ........................ 4
1.2    Solution ............................................... 4
2      Functionality .......................................... 4
3      Security Filter Design ................................. 7
4      Security Filter Editions ............................... 8
5      Considerations ......................................... 8
5.1    Microsoft Exchange ..................................... 8
5.1.1  Microsoft Unified Access Gateway (UAG) 2010 ............ 9
5.1.2  Microsoft Threat Management Gateway (TMG) 2010 ......... 9
6      Requirements ........................................... 9
7      Install Procedure ...................................... 10
7.1    Prepare Lync Edge Server ............................... 10
7.2    Installation on the Lync Edge Server ................... 11
8      Security Filter in Action .............................. 16
9      Configuration .......................................... 18
10     Monitoring ............................................. 19





1 Introduction

This documentation describes the requirements and installation procedure for the Standard Edition version of the Security Filter.

1.1 Problem: Denial of Service (DoS)

Why are DoS attacks disruptive to your organization? Here are the most common reasons:

- Each failed authentication attempt to your extranet counts in Active Directory as a failed login.

- It becomes trivial for a remote attacker to lock out any of your AD accounts if they know (or can guess) the login name. No further credentials or privilege is required for this attack.

- In severe cases such as a distributed denial of service attack, this can represent a substantial vulnerability to your network.

1.2 Solution

The Security Filter augments the capabilities of Microsoft's Lync Edge Server to allow a soft lockout.

- Security Filter is designed to track denied authentication attempts and block further login attempts before the AD lockout limit is reached.

- This provides an additional tier of account security, safely locking the account out of the extranet.

- Security Filter prevents password guessing on the extranet by blocking authentication attempts for that account once the number of failed authentication attempts reaches a threshold.

- Even when the account is locked out from the extranet, the user can still log in from within your corporate network or through a VPN. Thus, the DoS risk is substantially mitigated, with minimum inconvenience.

- Security Filter can force external users to log in to Lync Server from a corporate-issued computer. By blocking NTLM authentication, external users are forced to sign in using TLS-DSK authentication, which requires a client certificate to be installed on the user's computer when connected to the corporate network.

2 Functionality

In this extraordinarily interconnected world, companies want to allow the utmost flexibility and mobility for their employees, many of whom may work remotely. Consequently, almost every organization exposes services to the Internet. However, there's always the threat of attacks. Companies are particularly concerned with Denial of Service (DoS) and password brute-force attacks. These types of attacks can be disruptive to users and consume internal server resources.

The primary trouble with DoS attacks is that they're nearly indistinguishable from legitimate sign-in requests. The only differentiation is the frequency of sign-in attempts and their origin. A large number of sign-in attempts in rapid succession can be indicative of a DoS attack.

Most DoS attacks attempt to guess the user's password to gain unauthorized access. They often result in locking out the user account if the security policy is enabled in Active Directory Domain Services and has a maximum number of log-in attempts.

The Microsoft Lync Edge Server protects against unauthorized access using industry-standard security measures. It monitors sign-in requests and enforces account lockout at the network perimeter. All communications are encrypted and authenticated.

Edge Server does not protect against DoS attacks. However, Lync Server provides a flexible programming platform you can use to create server applications to intercept Session Initiation Protocol (SIP) messages on the server and perform specialized logic using the Microsoft SIP Processing Language (MSPL). This is how the security filter operates.

It inspects all incoming sign-in requests on the Edge Server. The remote user is not authenticated at the Edge Server, so the sign-in request is passed to the Director or directly to the internal pool, which then performs the authentication process. The response is then passed back to the Edge Server. The security filter inspects both the request and the response. If the sign-in fails, the security filter tracks the number of failed attempts for each user account.

The next time a client attempts to sign in to the same user account, and the number of failed attempts exceeds the maximum number of allowed sign-in attempts, the security filter immediately rejects the request without passing the request to the Director or internal pool for authentication. By enforcing account lockout at the Edge Server, the security filter blocks DoS attacks at the edge of the network perimeter. As a result, the security filter protects the internal Lync Server resources.

Using the security filter to prevent Windows NT LAN Manager (NTLM) version 2 authentication, companies can force users to only sign in from authorized company-issued laptops. With additional security measures (like using BitLocker and Group Policy to prevent users from installing unauthorized software), the corporate-issued laptops can themselves serve as a "smartcard" to provide two-factor authentication.

To prevent brute-force attacks on user accounts, many organizations enforce an Active Directory Group Policy to lock out the account after a certain number of failed attempts. The side effect of this countermeasure is that the attacker can lock out a user's account by simply launching multiple attempts. This amounts to a DoS attack.

If the account isn't protected by an Active Directory Group Policy, the attacker can use this type of brute-force attack on the user's password. These attacks use up valuable internal server resources and deny users access to their account.

Uniquely identifying the user can prevent attacks on user accounts. There are several options with which to do this. You could use the source IP address, the sign-in name (that is, the SIP URI), the account name or even a combination of any of these options. After investigating each option, it seems that rogue clients mounting a DoS attack could spoof the source IP address, eliminating this choice as a way to uniquely identify the user.

The sign-in name, although required to successfully sign in to Lync Server, does not authenticate the user. A sign-in name can be varied during sign-in requests, yet still lock out the same user account. Therefore, neither the source IP address nor the sign-in name are good sources with which to identify the user. Only the account name uniquely identifies the user account.

You can only extract the account name, which consists of the user name and domain name, from the authentication protocol. Remote users trying to sign in and authenticate use the NTLM v2 protocol, not Kerberos. The NTLM protocol uses a three-stage handshake authentication process. The client passes the user's credentials in the third stage of the NTLM handshake.

The security filter runs as a trusted server application on the Edge Server, so it's allowed to intercept this sign-in request. The security filter decodes the user name and domain name from the NTLM authentication message. Because the account name isn't available in the response, the security filter maps the response to the request using the message ID.

When either the internal pool or the Director sends the authentication response to the Edge Server, the security filter captures the Register response. If the sign-in failed, the security filter counts the failed attempts. If the sign-in succeeds, the security filter resets the count of failed attempts to zero.
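The decoding step in the paragraph above, as an added Python example that is not part of this document or of the Security Filter's own code: it parses the third NTLM handshake message (the AUTHENTICATE_MESSAGE layout published in MS-NLMP) and returns the domain and user name that the filter keys its failure counter on. The sample message and the SIP Authorization header are constructed here; that Lync carries the NTLM token in a gssapi-data parameter of that header is an assumption of the example, as is the OEM code page used when the Unicode flag is absent.

```python
import base64
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3          # MessageType of the third handshake message
NEGOTIATE_UNICODE = 0x00000001  # NegotiateFlags bit: payload strings are UTF-16LE


def _read_field(msg, offset):
    """Read an MS-NLMP (Len, MaxLen, BufferOffset) descriptor and return the bytes it points to."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, offset)
    if buf_off + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[buf_off:buf_off + length]


def parse_ntlm_authenticate(blob):
    """Return (domain, user, workstation) from an NTLM AUTHENTICATE_MESSAGE.

    Field descriptors sit at fixed offsets: LmChallengeResponse 12, NtChallengeResponse 20,
    DomainName 28, UserName 36, Workstation 44, EncryptedRandomSessionKey 52, flags 60.
    """
    if len(blob) < 64 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", blob, 8)[0] != NTLM_AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    flags = struct.unpack_from("<I", blob, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM code page is an assumption
    domain = _read_field(blob, 28).decode(enc)
    user = _read_field(blob, 36).decode(enc)
    workstation = _read_field(blob, 44).decode(enc)
    return domain, user, workstation


def account_key(blob):
    """The identifier the filter tracks per account: domain\\user, case-folded."""
    domain, user, _ = parse_ntlm_authenticate(blob)
    return f"{domain}\\{user}".lower()


def gssapi_blob_from_header(header_value):
    """Pull the base64 token out of a SIP Authorization header (gssapi-data framing assumed)."""
    m = re.search(r'gssapi-data="([^"]*)"', header_value)
    if not m:
        raise ValueError("no gssapi-data parameter in header")
    return base64.b64decode(m.group(1))


def build_authenticate(domain, user, workstation):
    """Construct a minimal AUTHENTICATE_MESSAGE (empty responses) for testing the parser."""
    strings = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
               workstation.encode("utf-16-le"), b""]
    payload, descriptors = b"", []
    for s in strings:                       # payload starts right after the 88-byte header
        descriptors.append((len(s), 88 + len(payload)))
        payload += s
    hdr = NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE)
    for length, off in descriptors:
        hdr += struct.pack("<HHI", length, length, off)
    hdr += struct.pack("<I", NEGOTIATE_UNICODE)
    hdr += bytes(8) + bytes(16)             # Version (8 bytes) and MIC (16 bytes), zeroed
    return hdr + payload


def sample_authorization_header():
    """Constructed SIP header value carrying a constructed token for CONTOSO\\bob."""
    token = base64.b64encode(build_authenticate("CONTOSO", "bob", "WS1")).decode()
    return f'NTLM qop="auth", realm="SIP Communications Service", gssapi-data="{token}"'


if __name__ == "__main__":
    print(account_key(gssapi_blob_from_header(sample_authorization_header())))
```

Only the domain and user fields are read; the challenge responses are never touched, which is all a filter that only needs a stable account identifier should do.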

Every time the Edge Server receives a sign-in request, it's passed to the security filter. It checks whether the sign-in request has exceeded the maximum number allowed for that particular user account. If the request has not exceeded the maximum lockout count permitted, the security filter allows the request to continue to either the internal pool or the Director.

If the request exceeds the maximum lockout count permitted, the security filter blocks the request and returns a 403 response. This summarily rejects the request. Any further sign-in attempts are rejected for the duration of the lockout period. After the lockout period expires, it's reset to permit new sign-in requests.

One problem can occur when users sign in from a computer not joined to the corporate Active Directory domain. Lync 2013/2010 can automatically attempt to sign in using the user's local computer credentials. Because those credentials aren't corporate domain credentials, the authentication will fail. The user will eventually be blocked from signing in to Lync Server. To prevent the security filter from locking out valid users, it doesn't count these attempts against the user.
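The request and response handling described in this section, written out as an added Python example that is neither the Security Filter's code nor taken from this document: a per-account counter that proxies or rejects REGISTER requests, correlates the pool's response to the request by message id, counts failures, resets on success, skips credentials from domains that are not configured, and lifts the lockout once the period has elapsed. It goes slightly beyond the text by also applying the UPN-suffix mapping and the NTLM-disable option described later in the installation section. The class name, treating any non-2xx response as a failed sign-in, and locking at the count-th failure are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class SoftLockoutFilter:
    """Per-account failed sign-in counter with a timed extranet lockout.

    Parameter names mirror the document's settings: count (failures allowed),
    period (lockout minutes), disableNTLM, and the domainX/upnX pairs given
    here as {netbios: upn_suffix}. The clock is injectable so expiry is testable.
    """

    def __init__(self, count, period_minutes, domains, disable_ntlm=False, clock=time.time):
        self.count = count
        self.period = period_minutes * 60
        self.disable_ntlm = disable_ntlm
        self.netbios = {d.lower() for d in domains}
        self.upn_to_netbios = {s.lower(): d.lower() for d, s in domains.items() if s}
        self.clock = clock
        self.state = {}     # account key -> AccountState
        self.pending = {}   # SIP message id -> account key (response correlation)

    def normalize(self, account):
        """Map 'DOMAIN\\user' or 'user@upn.suffix' to 'domain\\user', or None if untracked."""
        if "\\" in account:
            domain, user = account.split("\\", 1)
            domain = domain.lower()
        elif "@" in account:
            user, suffix = account.rsplit("@", 1)
            domain = self.upn_to_netbios.get(suffix.lower())
        else:
            return None
        if domain not in self.netbios:
            return None   # e.g. local machine credentials from a non-domain-joined PC
        return f"{domain}\\{user.lower()}"

    def on_register(self, msg_id, account, mechanism="NTLM"):
        """Decision for an inbound REGISTER: 'proxy' it inward or reject with 403."""
        if mechanism != "NTLM":
            return "proxy"            # TLS-DSK and other mechanisms are not tracked here
        if self.disable_ntlm:
            return 403                # NTLM v2 rejected outright: TLS-DSK only
        key = self.normalize(account)
        if key is None:
            return "proxy"            # proxied, but never counted against a user
        now = self.clock()
        st = self.state.get(key)
        if st and st.locked_until:
            if st.locked_until > now:
                return 403            # lockout still enforced
            self.state[key] = AccountState()   # period expired: reset for new attempts
        self.pending[msg_id] = key
        return "proxy"

    def on_response(self, msg_id, status):
        """Outcome of the pool/Director response, correlated to its request by message id."""
        key = self.pending.pop(msg_id, None)
        if key is None:
            return None               # nothing pending: untracked account or unknown id
        st = self.state.setdefault(key, AccountState())
        if 200 <= status < 300:
            st.failures = 0
            return "reset"
        st.failures += 1              # any non-2xx final answer counts as a failed sign-in (assumption)
        if st.failures >= self.count:
            st.locked_until = self.clock() + self.period
            return "locked"
        return "counted"


if __name__ == "__main__":
    f = SoftLockoutFilter(count=3, period_minutes=10, domains={"contoso": "contoso.com"})
    for i in range(3):
        f.on_register(f"m{i}", "CONTOSO\\bob")
        print(f.on_response(f"m{i}", 401))
    print(f.on_register("m3", "bob@contoso.com"))   # 403 while the lockout is in force
```

Because the counter is keyed on the normalized account and not on the SIP URI or source address, varying either of those in repeated requests still lands on the same entry, which is the point the section makes about choosing the account name as the identifier.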

Lync Server 2010 introduces support for an additional authentication protocol called TLS-DSK. This requires users to supply a client certificate for authentication. The Lync client requests certificates from Lync Server. This is an automatic process that happens the first time the user signs in to Lync Server from within the corporate network, where the user is authenticated using Kerberos.

This client certificate is used for authentication with any subsequent log-in attempts. This is a self-signed certificate issued by Lync Server, not a Certificate Authority. If that same user tries to sign in to Lync from a different computer, he's authenticated using Kerberos (if inside the corporate network) or using NTLM v2 (if outside the corporate network). The process of obtaining another client certificate starts all over.

TLS-DSK provides a level of security that's very close to two-factor authentication. When combined with Windows BitLocker, the computer or laptop acts as the equivalent of a smartcard (something you have). The password that BitLocker requires to boot your computer is equivalent to the PIN required to authorize the use of the smartcard (something you know).

There's the remote possibility someone could steal the client certificate from the user's computer, but you can mitigate this risk. Make sure corporate-issued computers are locked down to prevent users from downloading unauthorized applications.

You can force the Edge Server to negotiate the authentication protocol down from TLS-DSK to NTLM v2. In this case, the attacker can still target the user's account, as discussed earlier. To prevent this scenario, the security filter provides an option to reject all NTLM v2 authentication requests, forcing TLS-DSK-only authentication. This doesn't affect federated partner connections or PIC connections.

3 Security Filter Design

The Security Filter registers with the Edge Server where it is collocated. It intercepts all SIP REGISTER requests, extracts the user's unique login name, and tracks the number of failed login responses sent back to the remote client. When the number of failed login attempts exceeds an administrator specified threshold, the Security Filter blocks all further login attempts until the lockout period expires.

This is illustrated in Figure 1, which describes the Security Filter design.

Figure 1: Security Filter Architecture

4 Security Filter Editions

The Security Filter is available in two different editions.

- Standard Edition

  The Standard Edition is the perfect choice for a single Lync Edge Server deployment. There are no other requirements like a Microsoft SQL Database in the Enterprise Edition version. There is a simple installation procedure for this Edition.

- Enterprise Edition

  Deployments with multiple Edge Servers should deploy the Enterprise Edition version of the Security Filter. The Enterprise Edition version is a two-tier architecture. Every Edge Server with the Security Filter installed logs the information about the bad login attempts to a Microsoft SQL Database. This guarantees that all Edge Servers share the same information about the current bad login status.

5 Considerations

5.1 Microsoft Exchange

The Security Filter prevents DoS attacks over the Lync Edge Server. You should consider that Lync clients outside of the company network also authenticate users against the Microsoft Exchange environment for accessing the Exchange Availability Service and Unified Messaging information from the internet. It is strongly recommended to implement a solution with the same functionality for Microsoft Exchange.

5.1.1 Microsoft Unified Access Gateway (UAG) 2010

If you use Microsoft UAG 2010 for Exchange publishing you can configure similar settings as for the Security Filter in the Advanced Trunk Configuration settings. For more information about Microsoft UAG visit the Microsoft TechNet site for UAG.

5.1.2 Microsoft Threat Management Gateway (TMG) 2010

If you use Microsoft TMG 2010 for Lync publishing, consider using the Security Web Filter for TMG to prevent similar kinds of attacks. In addition to DoS and password brute-force attacks, the Security Web Filter performs deep packet inspection for XSS and SOAP layer attacks.

6 Requirements

The Microsoft .NET 4 Framework must be installed with the latest available patches for the .NET Framework on the Lync Edge Server before you start the Security Filter installation.

Create a service account on the Lync Edge Server and make this account a member of the RTC Server Applications group (see Figure 2).

Figure 2: Service account for the Security Filter

7 Install Procedure

7.1 Prepare Lync Edge Server

Before you can run the Security Filter, you must first register the application with your Edge Server. You only need to do this registration once by taking the following steps. Run these Lync Server 2013/2010 Windows PowerShell cmdlets with Lync Server administrative permissions:

1. Run the following Windows PowerShell cmdlet to register the security_filter application from any Lync Server except the Edge Server. Specify the fully qualified domain name (FQDN) of the Edge Server in the parameter <Edge Server FQDN>, and KEEP the '-uri' parameter value set to "http://www.lync-solutions.com/security_filter".

   New-CsServerApplication -Identity "EdgeServer:<Edge Server FQDN>/security_filter" -Uri "http://www.lync-solutions.com/security_filter" -Critical $false

2. Run the following Windows PowerShell cmdlet to initiate the replication of Central Management Store configuration to the Edge Server.

   Invoke-CsManagementStoreReplication

3. Run the following Windows PowerShell cmdlet on the Edge Server to verify the proper registration of the security_filter.

   Get-CsServerApplication -LocalStore

4. Run the following Windows PowerShell cmdlet to enable the application from any Lync Server except the Edge Server. Specify the fully qualified domain name (FQDN) of the Edge Server in the parameter <Edge Server FQDN>.

   Set-CsServerApplication -Identity "service:<Edge Server FQDN>/security_filter" -Enabled $true

7.2 Installation on the Lync Edge Server

The Security Filter requires the installation of .NET 4 Framework and all available patches of this version of the .NET 4 Framework. This pre-requisite can be downloaded here. The following table details the installation steps for setting up the Security Filter on your Edge Server.

- Once you've downloaded the Security Filter, run the setup.exe with local administrator privileges.

- The Security Filter comprises the following two files:
  - SecurityFilterSetup.msi
  - Setup.exe

- Click Next

- This page lists the PowerShell cmdlets that must be run to register the Security Filter with your Edge Server. These steps are detailed in the previous section, Preparing Lync Edge Server.

- Click Next



- Accept the License Agreement

- Click Next

The Security Filter does not overwrite any changes to Active Directory's lockout counter. That value is managed internally by the domain controllers.

For the next 4 screens, specify the following parameters for each unique internal Active Directory (AD) forest you may have. If you have less than four AD forests, leave the fields blank.

Netbios domain:

This field specifies one of your internal domain names. This is the domain name used by remote users to authenticate to your internal Lync Servers when connecting through your Edge Server. For example, if your company, Woodgrove Bank, has the following three internal Active Directory forests (a legacy from mergers and acquisitions), woodgrovebank.com, contoso.com and fabrikam.com, and employees have accounts from each of these AD forests, you should specify the Netbios name, "woodgrovebank", as the value for this parameter, and the other two AD forest names, "contoso" and "fabrikam", in the same field of the subsequent two screens. These domain names are used to verify that remote users who are trying to sign in to Lync Server are connecting using credentials from one of these three domains (e.g. "contoso\bob" or "fabrikam\alice").

Corresponding UPN suffix:

The Lync client also allows users to login using their UPN name (e.g. Fabian@contoso.com) instead of their Netbios name (e.g. contoso\fabian). Specify the UPN suffix, for example "contoso.com", in this field.

- Click Next


Specify the lockout count and lockout period.

Lockout count:

This is the number of failed sign-in attempts that are allowed before an account lockout is enforced. The lockout count value must be set lower than the 'Account lockout threshold' value in Active Directory. If you have multiple domains, consider the 'Account lockout threshold' value from all your domains.

Lockout period (minutes):

This parameter is the account lockout period. After an account is locked out, this lockout period specifies how long the account remains locked before another sign-in attempt is allowed. Any sign-in attempts during this lockout period are immediately rejected at the Edge Server without being proxied to the internal Lync Server for verification.

The defined value should be set to a higher value than the "Reset account lockout counter after" value in Active Directory. Since the clocks on Lync Edge and the domain controllers may not be synchronized exactly, you should specify a higher value in the security filter settings than in Active Directory, by 3-5 minutes. This mitigates the risk that the Security Filter allows the logon attempt to be proxied by the Edge Server to the internal Lync Server for authentication while the bad password count is still in effect by the Active Directory directory service. You should also ensure that the clocks on the Lync Edge and the domain controllers are not allowed to vary by more than this amount.

- Click Next


Specify whether remote users are permitted to authenticate using NTLM v.2.

Allow remote users to login using NTLM v.2 credentials:

This option allows remote users to login using NTLM v2 credentials. This means that a user can log in from every computer with a Lync client installed even if this computer is not domain joined to your enterprise Active Directory and is an authorized computer. For example, select this option if your company allows users to login from their home PCs.

Disallow remote users to login using NTLM v.2 credentials:

This option forces remote users to login using an authorized company-issued computer. With additional security measures (using BitLocker and Group Policy to prevent users from installing unauthorized software), the corporate-issued laptops can themselves serve as a "smartcard" to provide two-factor authentication.

- Click Next



- To install the Security Filter to a different folder, specify the new path in the 'Folder' field or click 'Browse'.

- Click Next

- Click Next

- Click Close

- Open the Services Management Console.

- Locate the Security Filter service.

- Modify the log on settings of the Security Filter service and specify the previously created service account.

- Restart the Service

8 Security Filter in Action

The Security Filter logs by default all information about login attempts and service interactions in the Application Windows Logs. The following table illustrates examples of possible event log entries.

- 1st bad login attempt

- Maximum bad login attempts reached and lockout enforced

- Lockout still enforced for an already blocked user

- NTLM v2 login attempt rejected. Security Filter is configured only for TLS-DSK authentication and blocks NTLM v2 authentication.

9 Configuration

The Security Filter installs all files to the default location, %ProgramFiles%\MB\Security Filter, during the installation process.

All of the installation settings can be modified after the installation is complete from the file 'security_filter_svc.exe.config'.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="domainA" value="contoso" />
    <add key="upnA" value="contoso.com" />
    <add key="domainB" value="" />
    <add key="upnB" value="" />
    <add key="domainC" value="" />
    <add key="upnC" value="" />
    <add key="domainD" value="" />
    <add key="upnD" value="" />
    <add key="count" value="5" />
    <add key="period" value="10" />
    <add key="disableNTLM" value="false" />
    <add key="path" value="C:\Program Files\MB\Security Filter\" />
    <add key="logLevel" value="verbose" />
  </appSettings>
</configuration>

It's important to restart the Security Filter service once a change is made to make the new settings take effect.
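To connect the lockout count and lockout period guidance from section 7.2 with the file above, here is an added Python example (not the product's code and not from this document) that loads an appSettings file like the one shown and checks each configured domain against the Active Directory values the text refers to: count below the 'Account lockout threshold', and period at least 3 minutes above 'Reset account lockout counter after'. The AD policy values, the 3-minute margin constant and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the appSettings section shown in this document (domains C/D omitted).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="domainA" value="contoso" />
    <add key="upnA" value="contoso.com" />
    <add key="domainB" value="" />
    <add key="upnB" value="" />
    <add key="count" value="5" />
    <add key="period" value="10" />
    <add key="disableNTLM" value="false" />
    <add key="logLevel" value="verbose" />
  </appSettings>
</configuration>"""


def load_settings(xml_text):
    """Return the appSettings key/value pairs as a dict."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    return {a.get("key"): a.get("value") for a in root.iter("add")}


def check_settings(settings, ad_policy, skew_margin_min=3):
    """Compare the filter settings with the AD lockout policy of each configured domain.

    ad_policy maps a NetBIOS domain name (lower-case) to a tuple
    (Account lockout threshold, Reset account lockout counter after [minutes]);
    a threshold of 0 means AD never locks the account. Returns a list of findings.
    """
    findings = []
    count = int(settings["count"])
    period = int(settings["period"])
    for letter in "ABCD":
        dom = settings.get(f"domain{letter}", "")
        upn = settings.get(f"upn{letter}", "")
        if not dom:
            continue                      # unused slot: left blank as the install guide says
        if not upn:
            findings.append(f"domain{letter} '{dom}' has no UPN suffix; UPN-style sign-ins cannot be matched")
        pol = ad_policy.get(dom.lower())
        if pol is None:
            findings.append(f"no AD lockout policy known for '{dom}'")
            continue
        threshold, reset_after = pol
        if threshold and count >= threshold:
            findings.append(f"count={count} must be lower than the AD 'Account lockout threshold' ({threshold}) for '{dom}'")
        if period < reset_after + skew_margin_min:
            findings.append(f"period={period} min should exceed the AD 'Reset account lockout counter after' value ({reset_after} min) by at least {skew_margin_min} min for '{dom}'")
    if settings.get("disableNTLM", "false").lower() not in ("true", "false"):
        findings.append("disableNTLM must be 'true' or 'false'")
    return findings


if __name__ == "__main__":
    settings = load_settings(SAMPLE_CONFIG)
    # Constructed AD policy: threshold 10 attempts, counter reset after 5 minutes.
    for line in check_settings(settings, {"contoso": (10, 5)}) or ["settings are consistent with AD policy"]:
        print(line)
```

Run it against the real file after every change, before restarting the service, so that a lowered AD threshold or a raised reset window in one domain does not silently make the filter's count or period ineffective.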

10 Monitoring

Enterprise IT environments with System Center Operations Manager (SCOM) can easily monitor bad login attempts and lockout enforcement from the Application Event Log. The most important event log entries are listed in the section, Security Filter in Action.