Security Filter
Companies that allow employees to sign in to Microsoft Lync Server 2010 communications software remotely from the Internet can be susceptible to denial-of-service (DoS) and brute-force attacks. A brute-force attack repeatedly guesses a user's password; a lockout DoS attack deliberately submits wrong passwords against a valid Active Directory Domain Services user account until the enforced password policy locks that account out. Neither attack compromises internal security, but both are disruptive to users and consume internal server resources. To help stop such attacks at the network perimeter, the Security Filter for the Microsoft Lync Server 2010 Edge Server monitors sign-in attempts and enforces account lockout at the perimeter.
Product Details
The Security Filter is a server application that inspects all inbound sign-in requests on the Edge Server. The Edge Server does not itself authenticate remote users; the sign-in request is passed to a Director, or directly to the internal pool, and that is where authentication takes place.
The response is then passed back through the Edge Server. The Security Filter inspects both the request and the response; when a sign-in fails, it increments a count of failed attempts for that user account.
When a later client attempts to sign in to the same user account and the count of failed attempts already exceeds the configured maximum, the Security Filter rejects the request at the Edge Server without forwarding it for authentication. Enforcing lockout at the edge means the attacker's traffic stops at the perimeter and never reaches the Director, the pool, or the domain controllers behind them, which protects internal Lync Server resources. In practice the filter's threshold should be set below the Active Directory lockout threshold, so that the edge absorbs the failed attempts before the domain account itself is locked.
To identify the user attempting to authenticate, the Security Filter parses the authentication protocols Lync Server uses (NTLM v2 or TLS-DSK). For NTLM v2 it extracts the domain and user name from the GSS data in the request; for TLS-DSK it extracts the client certificate used to authenticate the user. This identifier, not the SIP URI, is the key under which failed attempts are counted, so an attacker who varies the SIP URI or other request fields to evade the filter is still blocked.
Product Versions
The Security Filter is available in two versions: Standard Edition and Enterprise Edition. The Enterprise Edition is targeted at customers with more than one Edge Server. The difference between the two is that the Enterprise Edition uses a SQL Server database to track failed login attempts centrally across a bank of Edge Servers, so an attacker cannot reset the count by spreading attempts over several edges.
Product Features
Monitors every client login request crossing the Edge Server.
Uniquely identifies each login request based on the domain credentials submitted by the client.
Recognizes different username formats, UPN (rui@maximo.ws), NetBIOS (maximo\rui), or hybrid (maximo.ws\rui), as the same user account.
Tracks the number of failed login attempts and their source.
Blocks client login requests when the number of failed login attempts exceeds an administrator-configurable threshold.
Ability to block NTLM-based login requests (Lync Server version only).
Ability to store failed login information centrally across a bank of Edge Servers in a SQL Server database.
Provides logging information to Application Event Log (verbose mode available).
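The following Python model is an added illustration of the request/response inspection, the username normalization, and the edge-side lockout described above; it is not the Security Filter's own code. The DNS-domain to NetBIOS-name table, the certificate fingerprint used as the TLS-DSK identifier, the clearing of the counter on a successful sign-in, and the sample sign-in sequence are all assumptions constructed for the example; the in-memory dictionary stands in for what the Enterprise Edition would keep in a shared SQL Server table.

```python
"""Toy model of the edge-side lockout logic (added example, not product code).

Assumed for the example: DOMAIN_ALIASES stands in for what AD would supply,
a certificate fingerprint identifies a TLS-DSK client, a successful sign-in
clears the counter, and a dict replaces the Enterprise Edition's SQL table.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed DNS-domain -> NetBIOS-name mapping, constructed for the example.
DOMAIN_ALIASES = {"maximo.ws": "MAXIMO"}


def canonical_account(username: str) -> Tuple[str, str]:
    """Map UPN (rui@maximo.ws), NetBIOS (maximo\\rui) and hybrid (maximo.ws\\rui)
    spellings of one account onto a single (NETBIOS_DOMAIN, user) key."""
    if "@" in username:
        user, domain = username.rsplit("@", 1)
    elif "\\" in username:
        domain, user = username.split("\\", 1)
    else:
        raise ValueError("expected a domain-qualified user name: %r" % username)
    domain = domain.lower()
    netbios = DOMAIN_ALIASES.get(domain, domain.split(".")[0]).upper()
    return netbios, user.lower()


def identity_key(auth: str, credential: str) -> Tuple[str, ...]:
    """Identifier the filter counts against: the account for NTLM, the client
    certificate (its fingerprint here) for TLS-DSK. The SIP URI is deliberately
    not part of the key, so varying it does not reset the count."""
    if auth == "NTLM":
        return ("NTLM",) + canonical_account(credential)
    if auth == "TLS-DSK":
        return ("TLS-DSK", credential.lower())
    raise ValueError("unsupported authentication protocol: %r" % auth)


@dataclass
class SecurityFilter:
    max_failed: int = 3                 # administrator-configurable threshold
    block_ntlm: bool = False            # optional blanket rejection of NTLM
    failures: Dict[Tuple[str, ...], int] = field(default_factory=dict)
    sources: Dict[Tuple[str, ...], List[str]] = field(default_factory=dict)

    def inspect_request(self, auth: str, credential: str, source_ip: str) -> Tuple[bool, str]:
        """Runs on every inbound sign-in. Returns (forward_to_pool, reason)."""
        if auth == "NTLM" and self.block_ntlm:
            return False, "ntlm-disabled"
        key = identity_key(auth, credential)
        if self.failures.get(key, 0) >= self.max_failed:
            # Already locked out at the edge: reject here so the Director/pool
            # never sees the request, but still record where it came from.
            self.sources.setdefault(key, []).append(source_ip)
            return False, "locked-out"
        return True, "forwarded"

    def inspect_response(self, auth: str, credential: str, source_ip: str, success: bool) -> int:
        """Runs on the Director/pool's answer. Returns the current failure count."""
        key = identity_key(auth, credential)
        if success:
            self.failures.pop(key, None)    # assumed: success clears the counter
            return 0
        self.failures[key] = self.failures.get(key, 0) + 1
        self.sources.setdefault(key, []).append(source_ip)
        return self.failures[key]


def run_scenario(max_failed: int = 3) -> List[str]:
    """Constructed attack: three guesses against one account under three
    spellings, then the real user's correct password, an unrelated account,
    and a TLS-DSK client. Returns the filter's decision for each step."""
    filt = SecurityFilter(max_failed=max_failed)
    attempts = [  # (auth, credential, source IP, would the pool accept it?)
        ("NTLM", "rui@maximo.ws", "198.51.100.7", False),
        ("NTLM", "maximo\\rui", "198.51.100.7", False),
        ("NTLM", "maximo.ws\\rui", "203.0.113.9", False),
        ("NTLM", "MAXIMO\\Rui", "203.0.113.9", True),      # right password, too late
        ("NTLM", "sofia@maximo.ws", "203.0.113.9", True),  # other accounts unaffected
        ("TLS-DSK", "AB12CD34EF56", "198.51.100.7", False),
    ]
    decisions = []
    for auth, cred, ip, accepted in attempts:
        forward, reason = filt.inspect_request(auth, cred, ip)
        if not forward:
            decisions.append("rejected:" + reason)
            continue
        count = filt.inspect_response(auth, cred, ip, accepted)
        decisions.append("forwarded:%s(failures=%d)" % ("ok" if accepted else "failed", count))
    return decisions


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Running the script shows the three differently spelled guesses landing on one counter, the fourth request for that account being rejected at the edge even though the password is correct, and the unrelated account and the TLS-DSK client being tracked independently. Note that the filter moves the lockout to the perimeter rather than removing it: the legitimate user is still denied until the count is cleared, which is the trade-off the page describes.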
More details are described in the following articles.
Customers
Lync Server 2010 is a trademark of Microsoft Corporation.