Category: Security

Skype for Business Q&A on Privacy

Privacy in Skype for Business

They'll never know it was me! Photo by Braydon Anderson on Unsplash.

I’ve always meant this blog to serve as a resource for Skype for Business use. Both for users and for administrators…leaning a bit more toward administrators. Not today though. Today I’m leaning over to the user side, to answer common questions about privacy in Skype for Business.

Where did I find these questions? You asked them. Yes, you, right there.

Like I do (at least) monthly, I went through Google Search Console to examine this blog’s data. In the Queries data, I found a large group of fully-formed questions. People asking simple, direct questions about Skype for Business.

Questions everyone from basic users to admins might have. Questions that I can answer in just a few lines. Thus they don’t need their own posts…but they do need answering.

Solution: Group them together! Write up a resource post where you can find several answers in one spot. Which brings us here. This is the first group of questions I found. They all have one thing in common: Privacy.

Group Post 1: Privacy Questions & Answers

These are the 5 most-asked privacy questions on Skype for Business. My answers come from our own experiences deploying & supporting hybrid and on-prem Skype for Business Servers.

—-

“Are Skype for Business calls recorded?”
Only if you record them. The Monitoring Server does collect data on call connections & quality, but not their contents.

Dog Chatting on Skype4B

It can’t tell you that you’re chatting with a dog, for instance.

—-

“Are Skype for Business conversations private?”
Yes. Skype for Business encrypts the pipe between users’ conversations, as well as from each client to the Skype for Business Server.

However, you can potentially have eavesdroppers (though it’s very unlikely). It depends on your deployment type.

  • On-Prem: Your Server Administrator can view conversations.
  • Hybrid/Cloud: Microsoft CAN technically view conversations, though they’ve stated that they don’t.

One important caveat: Conversations between Skype for Business users and Skype-C users have one extra privacy risk. Even if you control privacy on the Skype for Business side, you don’t control the Skype-C side’s privacy. I documented this back in 2016: The Privacy Risks in Skype for Business-to-Skype Conversations.

—-

“Are Skype for Business conversations recorded?”
Since this one mentioned ‘conversations’ and not ‘calls’ I’ll split up the answer.

VOICE: Only if you leave a voicemail. Otherwise, see above question on recording calls.

TEXT/INSTANT MESSAGING: These conversations are saved in your Conversation History, as well as the Conversation History of all parties involved.

“Recorded” in the sense of the NSA collecting data on you? They apparently like to do that to everyone. Good news is, with proper security for an on-prem deployment, the chances of your conversations showing up in an NSA vault go down to pretty much zero.

—-

“Does Skype for Business track you?”
If you are logged into the Skype4B client on your devices, yes…to a certain degree. Skype4B does track your activity within its infrastructure.

  • The client tracks your Presence status from the last active client.
  • The client tracks your location, also by last active client.
  • There is also the Monitoring Server. This tracks users’ activity, call details, and system health.
    • A Monitoring Server is not required; admins can choose not to install it. But most would go ahead & do so, as it provides extremely useful data on communications stability & troubleshooting. We recommend Monitoring for all deployments.

If you’re worried about an Orwellian-esque sensor constantly following your movements…you’re thinking of Apple. Skype for Business doesn’t do that. Like any good communications software, it responds when someone triggers a conversation.

—-

“How does Skype for Business know when you are away?”
Device activity! Skype4B clients monitor the last activity performed on the last device you used while logged in.

They look for mouse movements or keyboard presses on desktops, and taps/swipes on phones. After a certain interval (set by your Server Administrator) without any such activity, Skype for Business assumes you are ‘away from desk’ and changes your status to Away.

Server Administrators can set this ‘Away Interval’ anywhere from 5 minutes to 360 minutes, site-wide. We generally keep it to 5 minutes or 10 minutes for customer deployments.

—-

“Does Teams record your calls/conversations?”
This question came up as well. Since people have just as much right to question Teams’ privacy controls as they do Skype for Business, I included it.

Teams does log your chat conversations. Since Teams is primarily text-based, and since most conversations take place in channels, it makes sense to keep records of those chats. You as the participant may access the logs. Teams Administrators within your O365 tenant can as well. Microsoft doesn’t scan or collect them either.

If you want to record a call or meeting, you have the option. The process is near-identical to Skype for Business recording: Record a Meeting in Teams – Office Support

Skype for Business Does a Good Job on Privacy

All in all, Skype for Business maintains a solid reputation for protecting your privacy. We’ve deployed it for thousands of users now, and received zero tickets on data leaks or breaches. I asked two of our customers if they thought their Skype for Business deployments risked their privacy. Both said no, not at all.

I take that as a vote of confidence. Hopefully you can too.

Thanks for reading! The next “Group Post” will discuss how to change several common Skype for Business elements. Join us back here next time for those.


Do We Still Need the Skype for Business Director? In One Instance, Yes!

The poor Director server role. No longer needed by Teams, its primary function usurped by Azure AD for Office 365…Microsoft’s march into the future seems to have passed right by it.

Now, this is not the first time Microsoft has left a server by the digital wayside. But I have a special place in my heart for Directors. I like the concept, and what it embodies. Looking at the Skype for Business/Teams ecosystem now, I thought Directors would join Microsoft Bob and Small Business Server on the trash heap.

But I found a little light instead…one instance where it does still make sense to deploy Directors in today’s world. Let’s find out what that is!

What a Director Does, and How Skype for Business Changed Around It

I first wrote about the Director way back in 2012: What’s the Director For?
I characterized it as a sentry on the castle walls. Permitting only legitimate Lync/Skype for Business users entry.
That’s what a Director does—it provides authentication for users, so the Front End Server/Pool doesn’t have to. The Front End carries on with facilitating calls, Meetings, etc. while the Director handles authentication.

Now, the Front End CAN handle authentication requests as well. It never needed the Director. Having a Director server/pool helped in two ways:

  1. Ease congestion on the Front End Server/Pool, which often translates to better call quality & Meeting stability.
  2. Defend against DoS attacks targeting the Skype for Business Server. Not a common threat, but a growing one in recent years.

So the analogy still holds. You can still use a Director as a sentry, defending your Skype for Business deployment.

The Director Role and Offloading Authentication in Skype for Business 2015 – IT Pro Today

Director as Authentication Sentry

You shall not pass! …unless you brought me a treat!
Photo by Kenan Süleymanoğlu on Unsplash

But what if the deployment structure changes?

Which is what Microsoft’s done. By first offering a Hybrid deployment option with Office 365, then introducing Teams and beginning to fold Skype for Business Online into it, Microsoft’s slowly pulling the rug out from under Directors.

What about authentication requests though? How will Teams and Office 365 manage all those requests in your tenants?

Skype for Business Hybrid and Teams: Director’s Role Usurped

Since Office 365 tenants handle authentication through Microsoft’s cloud-based Azure Active Directory, they don’t need on-prem authentication from a Director. But what about hybrid deployments?

In most hybrid configurations, authentication’s done through on-prem Active Directory and Azure AD. Azure AD syncs to your on-prem Active Directory server, providing a built-in failsafe. Directors become superfluous.

However, Directors are still mentioned as a possible hybrid topology component on Microsoft’s Plan hybrid connectivity between Skype for Business Server and Skype for Business Online page:

To configure your deployment for hybrid with Skype for Business Online, you need to have one of the following supported topologies:

  • A mixed Lync Server 2013 and Skype for Business Server 2015 deployment with the following server roles in at least one site running Skype for Business Server 2015:
    • At least one Enterprise Pool or Standard Edition server
    • The Director Pool associated with SIP federation, if it exists
    • The Edge Pool associated with SIP federation
  • A mixed Lync Server 2010 and Skype for Business Server 2015 deployment with the following server roles in at least one site running Skype for Business Server 2015:
    • At least one Enterprise Pool or Standard Edition server
    • The Director Pool associated with SIP federation, if it exists
    • The Edge Pool associated with SIP federation for the Site
  • A mixed Lync Server 2010 and Lync Server 2013 deployment with the following server roles in at least one site running Lync Server 2013:
    • At least one Enterprise Pool or Standard Edition server in the site
    • The Director Pool associated with SIP federation, if it exists in the site
    • The Edge Pool associated with SIP federation for the site

“If it exists.” In other words, the Director is not critical to these hybrid topologies.

What about Teams? Since Teams will absorb Skype for Business Online anyway, does Teams need a separate authentication server?

No. It’s not designed that way. Even if it were, as a fully cloud-based application, Azure AD will handle the authentication. A Director isn’t listed anywhere in the Teams dependencies for guest access…only Azure AD.

(Whether or not Azure AD handles guest accounts & user expansion WELL is up for debate…but we’ve talked about that already.)

Director on guard duty

Yeah, the fence keeps people out. But I still hang out here, in case someone climbs over it…
Photo by Elizabeth French on Unsplash

It’s safe to say that for Office 365 and Teams, Azure AD usurped the Director’s role. That leaves us with one other potential use: the upcoming Skype for Business Server 2019.

Directors Going Away? Not Quite. Not Yet.

The Director sees a tidbit of salvation in our next on-prem Skype for Business Server. Ever-knowledgeable Tom Arbuthnot hints at the Director staying in Skype4B Server 2019, citing it under the 2019 System Requirements on his blog: Skype for Business Server 2019 Public Preview, What’s New, What’s Gone? – Tom Talks

Edge Servers, standalone Mediation Servers, and Director: 6-core, 2.4 gigahertz / 16GB RAM / 8 or more 10000 RPM disks or SSD / Gig NIC/ dual Gig NIC for Edge

These may seem steep. But they’re almost identical to Front End Server requirements; the only exception is that Front End needs 64 GB RAM.

I can see many admins using requirements to justify dropping Directors from their 2019 deployments. In truth, our IT Consulting team hasn’t installed a Director in any Skype for Business deployments (on-prem or hybrid) since early 2017.

However, after some discussion and brainstorming, I realized the Director is in Server 2019 for a reason. One Skype for Business topology does exist where a Director helps.

The One Deployment Topology Where a Director (Still) Makes Sense: Director on Guard

Here’s my “Director On Guard” topology. The deployment must meet all of the following characteristics:

  • Enterprise business
  • Installing Skype for Business Server 2019
  • Fully on-prem
  • More than 2 office locations
  • 1,000+ users
  • The company has suffered a cyberattack in the past

Why these? I’m so glad you asked.

  1. An enterprise business will want the control and security they can exert over data trafficked within Skype for Business. This also gives them control over their phone system.
  2. More than 2 locations means branch servers to maintain the call network. More than 1,000 users means thousands of authentication requests every single day.
  3. A cyberattack? Nothing makes cybersecurity more important than suffering a cyberattack. (I wish this on NOBODY, but it’s a tragic reality of our world.)

In this case, the Director serves a purpose. It performs its original function of handling authentication requests, taking load off the Front End pool and preserving bandwidth. All worthwhile performance goals, which makes IT look good to the budget-conscious C-suite.

A Director also provides additional guard against cybercriminals. Post-cyberattack security improvements go a long way toward securing the network, and user workstations. The Director performs a similar role within the Skype for Business ecosystem—a central component of the enterprise business’ communications.

It’s doing its time-honored job…being a silent sentinel, ready to admit those who have authorization, and defend against those who do not. Hence my terming it, “Director on Guard.”

If we don’t get an on-prem Skype for Business version after 2019, it’s likely the Director role will fade with it. That’s okay…it’s done its job. But for now, don’t count the Director out yet. With cyberattacks on an upward swing, all systems need protection. Including Skype for Business.

Do you still use a Director in your Skype for Business deployment?



5 Ways to Conceal a Teams Channel

We can’t make fully private channels in Teams yet. But we can conceal a channel from other Teams users.

Private Channels has taken the top spot at UserVoice, as the most-requested Teams feature. Microsoft is, as of this post, “Working on it” with no indication of a release date.

Support for Private Channels – UserVoice

You can make a Team private, of course. But within that Team, channels are visible and searchable. If you really need to keep a conversation private, that kind of defeats the purpose, doesn’t it?

So what are Teams users doing in the meantime? Using workarounds, naturally. Or staying outside of Teams altogether (email, Slack, Skype for Business, etc.).

What kind of workarounds do people use? I’m going to list 5 in this post. Together they form a framework for ‘concealing’ Teams channels & their contents. Privatizing them, essentially, as best you can.

Dog Hiding

Hopefully your channel’s a little better-hidden than this…but you get the idea.
Photo by Pippalou on Morguefile.

When to Conceal a Teams Channel

Why would Teams users need private channels in the first place? A multitude of reasons exist, all valid. In my research I came across several compelling ones:

  • The channel would contain a set of information involving legal or compliance processes, which means it must fall under those same requirements.
  • The channel would contain, and thus need to protect, a customer’s private data.
  • The channel would discuss internal tests or R&D data.
  • You’re planning an office party for the CEO/CIO/COO/VP’s birthday and they can’t find out early. (Hey, it’s possible!)

I’m sure you can think of other reasons to conceal a Team conversation. But please remember: Teams conversations are hosted on Microsoft’s servers. That doesn’t mean Microsoft spies on them. But the servers may reside outside the U.S., which could jeopardize regulatory compliance adherence like SOX or GDPR.

Okay! Let’s see what “concealment tactics” we have in Teams. You can use any combination of these, including all of them (they don’t conflict with one another).


Concealment Tactic #1 – Make a new Private Team

When you make a new Team, you have the option to set it to Public or Private. The first step, then, is to set the entire Team to Private. Then create your channel. You don’t have a Public/Private switch at channel level; that comes from the Team setting.

Private Team

Creating a Private Team.

Make a Public Team Private in Teams – Office Support

What This Accomplishes: Prevents unauthorized users from joining. Locks the gate.


Concealment Tactic #2 – Equip the Team with an Access Code

Generating an access code is simple within Teams. In your Team, click the Options menu (the ‘…’). Click “Manage Team.” In the Manage window, click the “Settings” tab.

You should see a “Team Code” section. Click it and you’ll get a Generate button. One more click and poof, a randomly-generated access code to that Team. Copy the access code and give it to your selected members.

If a member doesn’t have the access code, they don’t get in. Nice, huh?

Teams Code Access

Generating a Teams Access Code.

How to Enable Join Code Feature in Microsoft Teams – TechCommunity

What This Accomplishes: Provides a secondary authentication for Team members. “What’s the password?”


Concealment Tactic #3 – Limit Team member permissions

In the Team’s settings (accessible via “Manage Team” under the Team’s Options menu), remove permissions to add bots, add connectors, or delete channels from invited Team members.

Teams Member Permissions

Your Team permissions should look similar to this.

What This Accomplishes: Guards against information leaks. Shuts the back door.


Concealment Tactic #4 – Lock down the files with SharePoint permissions

Maybe you’re not too concerned about others viewing your Teams conversation. But you want to make sure the files you’re discussing stay private.

Since Teams files are stored in the Team’s SharePoint site, you can block people from viewing those files. Bob German showed us all how to do it in an April blog post:
Using SharePoint Permissions in Microsoft Teams Channels – Vantage Point [MSDN]

What This Accomplishes: Privatizes file permissions, including viewing. Stows the valuables in a locked chest.


Concealment Tactic #5 – Archive the Team when no longer necessary

If you want a private Team/channel for a specific purpose, and that purpose completes, then you don’t need the Team/channel active anymore. As with older data, it’s best to archive the Team.

Archive Team

Archiving a Team with One Click.

Archive or Restore a Team – Office Support

Now we see why you need to make a dedicated Team…you can’t archive a channel. Archive works at the Team-level. (Note: You can restore an archived Team later if you need to.)

What This Accomplishes: Locks down the Team’s data in cold storage. Closes the blast doors.
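The three Team-level tactics (#1, #3 and #5) can also be applied from the MicrosoftTeams PowerShell module, which helps when you create such Teams regularly and want the settings verified rather than clicked through. This is an added example, not code from the original post; the Team name, owner address and channel name are placeholders, and tactics #2 and #4 are not covered by it.

```powershell
# Added example (not from the original post). Assumes the MicrosoftTeams
# PowerShell module is installed and the signed-in account may create Teams.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams   # interactive sign-in

# Tactic #1: create the Team as Private from the start. Channels inherit this;
# there is no per-channel Public/Private switch.
# (Team name, owner and channel name below are hypothetical placeholders.)
$team = New-Team -DisplayName 'Project Falcon (Legal Hold)' `
                 -Description 'Restricted working group - do not add members without Legal sign-off' `
                 -Visibility Private `
                 -Owner 'owner@contoso.example'

# The channel where the restricted conversation will live.
New-TeamChannel -GroupId $team.GroupId -DisplayName 'Discovery documents' | Out-Null

# Tactic #3: remove the member permissions that leak data or let a member
# tear the channel down: apps/bots, connectors, channel creation/deletion, tabs.
Set-Team -GroupId $team.GroupId `
         -AllowAddRemoveApps $false `
         -AllowCreateUpdateRemoveConnectors $false `
         -AllowCreateUpdateChannels $false `
         -AllowDeleteChannels $false `
         -AllowCreateUpdateRemoveTabs $false

# Verify the settings actually landed before handing the Team to its members.
$check = Get-Team -GroupId $team.GroupId
if ($check.Visibility -ne 'Private' -or $check.AllowAddRemoveApps -or $check.AllowDeleteChannels) {
    throw "Team $($team.GroupId) is not locked down as expected"
}
Write-Host "Team '$($check.DisplayName)' created Private with member permissions restricted."

# Tactic #5: when the work is finished, archive the whole Team (archive is
# Team-level, not channel-level). Pass -Archived $false later to restore it.
# Set-TeamArchivedState -GroupId $team.GroupId -Archived $true
```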


Next-Best Thing to Teams Private Channels While We Wait

Many commenters on UserVoice said they’d left Teams, or wouldn’t switch to Teams from another chat app, because Private Channels are missing. Hopefully these tactics will help dissuade you from the more drastic steps!

It’s a bit of a stopgap, I know. But Teams does have these tools for a reason. Concealing channels through private, secured Teams will serve most privacy needs. Until we get Private Channels.

How do you protect your chat conversations?



How to Prevent Malware Infections via Skype for Business

Like all computer systems, Skype for Business is vulnerable to cyberattack. Let’s talk about how to prevent one from happening.

What a Skype for Business Cyberattack Can Look Like

Skype for Business Down

We lost Skype AND email?!

Unfortunately, real-life circumstances prompted this post. We recently had to help a customer deal with a ransomware infection that affected most of their servers. (I’ll keep details private of course.)

The customer called us in a panic. They’d lost email, Skype for Business, and several client desktops. Someone had clicked a phishing link & triggered a Locky infection. We did have some backups available, but wound up having to wipe/replace a couple systems.

While this wasn’t the first time we’d helped resolve a ransomware infection, it was the first time the ransomware hit someone’s Skype for Business Server. I’m not sure of the exact route Locky took to reach it, but I believe it got in via an abandoned administrator’s account. They had a systems admin leave the company a few months prior—but they hadn’t shut off his account!

The aftereffects: Four days of lost business, a bunch of angry clients, unknown number of emails lost, thousands spent on emergency support and replacement IT hardware.

(At least they didn’t have to pay the ransom on top of all that!)

Where Malware Can Reach Skype for Business

Skype4B isn’t just vulnerable through its Internet connection. As our example shows, it’s vulnerable at the client level too.

Here are the routes most malware/ransomware would take to reach & infect yours:

  • Front End Server. Where Skype4B lives.
  • Exchange Server. The server with which Skype4B interacts most often…which means the most potential routes for malware to take.
  • File Share. A BIG vulnerability. A shared folder through which users exchange files? It only takes one infected file, and your entire deployment’s in trouble.
  • End User Devices. Not just desktops/laptops now…even phones can carry malware into the office.

Malware Reaching Skype for Business

Now we know where to watch. What kinds of protections do we put in place?

8 Ways to Protect your Skype for Business Server from Malware/Ransomware

1. Limit the number of Skype for Business admins.
Good admin practice extends to Skype for Business. Create only as many administrator accounts as you need to manage the system. This includes admin accounts for all of the physical AND virtual servers on which Skype for Business runs.

2. Lock down permissions to the file share.
Controlling the file share’s permissions plugs that hole inside your Skype for Business Server. This blog post illustrates how to lock down the permissions: Keeping your Lync/Skype Business Environment safe from Ransomware – Enabling Technologies
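Items 1 and 2 are easy to state and easy to let drift; the abandoned admin account in the story above is exactly the kind of thing a periodic check catches. The script below is an added example, not from the original post or the linked article: it lists members of the Skype for Business admin groups that are disabled or have not signed in recently, then flags broad principals with write access on the file store. The share path is a placeholder, and the 60-day threshold is an assumption.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# (RSAT) is installed and the script runs on a domain-joined machine with rights
# to read group membership and the file store's NTFS ACL.
Import-Module ActiveDirectory

# Groups that carry Skype for Business administrative rights. The CS* and RTC*
# groups are created by Skype for Business AD preparation; add any custom ones.
$AdminGroups = @(
    'CSAdministrator',
    'CSServerAdministrator',
    'CSUserAdministrator',
    'RTCUniversalServerAdmins',
    'Domain Admins'
)

# Path to the Skype for Business file store (hypothetical share; use your own).
$FileShare = '\\sfb-fs01\SkypeShare'

# Principals that should never hold write access on the file store.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    "$env:USERDOMAIN\Domain Users"
)

# Accounts with no sign-in for this long are treated as abandoned (assumption).
$Cutoff = (Get-Date) - (New-TimeSpan -Days 60)

Write-Host "== Check 1: admin accounts that are disabled or stale =="
foreach ($group in $AdminGroups) {
    try {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                   Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Group '$group' not found; skipping."
        continue
    }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate, Enabled
        $flags = @()
        if (-not $u.Enabled) { $flags += 'DISABLED-BUT-STILL-ADMIN' }
        if ($null -eq $u.LastLogonDate) { $flags += 'NEVER-LOGGED-ON' }
        elseif ($u.LastLogonDate -lt $Cutoff) { $flags += "STALE-SINCE-$($u.LastLogonDate.ToShortDateString())" }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{ Group = $group; Account = $u.SamAccountName; Findings = ($flags -join ', ') }
        }
    }
}

Write-Host "`n== Check 2: over-broad write access on the file store =="
$acl = Get-Acl -Path $FileShare
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($ace in $acl.Access) {
    $who = $ace.IdentityReference.Value
    $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                   (($ace.FileSystemRights -band $WriteMask) -ne 0)
    if ($grantsWrite -and ($BroadPrincipals -contains $who)) {
        [pscustomobject]@{ Principal = $who; Rights = $ace.FileSystemRights;
                           Inherited = $ace.IsInherited; Finding = 'BROAD-WRITE' }
    }
}
```

Anything returned by either check is a ticket to raise, not something the script changes; it only reads.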

3. Use intelligent routing in your perimeter network.
Restrict open ports on your Edge Server and Reverse Proxy to only those needed for Skype for Business traffic. Here are the port and protocol requirements.

4. Keep the Skype4B Server and its server components up-to-date.
Are you up to the March 2018 Cumulative Update? If not, here’s the download link: Skype for Business Server 2015 Cumulative Update KB3061064 – Download Center
Don’t forget the security patches & updates for your Windows Server as well. If nothing else, the security patches help keep those servers safe.

5. Secure all email servers with anti-malware software & monitoring.
Your Exchange Servers should have anti-malware protection too. The easiest method, of course, is to use a network-wide security gateway from providers like Sophos or F5.

6. Disable Office macros company-wide.
Not many malware apps use macros anymore. But that doesn’t mean it’s impossible. Use a Group Policy to block macros and forget about it.

7. Educate users about phishing/ransomware emails.
If you only do one of these, make it this one. User education goes further to prevent malware infections than any other factor. Users are typically the “weakest link” in cybersecurity…but it only takes some training to make them stronger.

(By the way—we offer cybersecurity education for businesses in the SF Bay Area. Just saying.)

8. Keep current backups.
Always, always keep backups! All servers should have two sets of automatic backups running…one kept on-site in case of a crash, and one kept off-site in case of malware infection. You probably do this already. But it’s too important to take for granted.

—-

“What if we use Skype for Business Online?” you might ask. Well, Microsoft has pretty decent security protections built into Office 365. But you can always make it better.

As Teams and Skype for Business are still on the path to merging, I don’t want to speculate too much on the anti-malware precautions you must take. That said, these stalwarts should always figure into your office’s IT infrastructure:

  • Limit the number of Office 365 admins
  • Use perimeter network protections
  • If you run a hybrid configuration, secure the on-prem server to the same level as your other servers
  • Educate users about phishing/ransomware
  • Keep current backups

Frustrated System Admin

If you’re already Teams users, strengthen Teams’ security with our post from December: 3 Ways to Protect Teams Users from Malware-Infected Files.

Don’t Make Skype for Business the Weak Link in Your Office’s Cybersecurity

It’s always harder to secure a server (any server!) after it’s already running. People don’t want to lose the service, even for a moment. If security updates cause an outage…well, we’ve all heard that particular scream, haven’t we?

That said, 15 minutes of downtime beats 4 days of lost business any day.

There are many layers to protect in Skype for Business: The Windows Servers on which it runs, the perimeter network, the Front End pool, inter-network traffic, and client devices. But, think of it this way…either you find the security holes, or a malware infection will.

Have you ever experienced a malware infection on your Skype for Business Server? Please share your experience in the comments.


The Security Behind 6 Business Chat Apps (Including Skype for Business)

In a recent Spiceworks survey, 59% of respondents said that “Sensitive files/information should not be shared via collaborate chat applications.”

Business Chat Apps vs Email

Image courtesy of Spiceworks.com.

So, 59% think chat rooms aren’t secure. A little more than half. Healthy caution; nothing wrong with that.

But you know it’s going to happen. Someone asks a co-worker for help, not realizing they’ve asked for some Intellectual Property. The co-worker pastes it into the chat window.

What then? Does everybody gasp at once? Scramble to delete it?
Or do they just shrug and keep chatting, believing the chat room itself has enough security to protect the IP?

Chances are, they do the latter. The question is, which business chat apps DO have the security to protect data shared within them?

That’s what we’re tackling in this post. A comparison of 6 popular business chat apps at the security level.

The Source: A 2017 Spiceworks Survey

The Spiceworks survey that started all this is here: Business Chat Apps in 2017: Top Players and Adoption Plans

I came across it in my daily reading. (Hey there Spiceheads!) A group of IT Pros gave their thoughts on 6 chat apps – Skype for Business, Slack, Google Hangouts, HipChat, Microsoft Teams, and Workplace by Facebook.

This section caught my eye, talking about chat room security:

“In terms of security, the results show less than one third of IT pros are concerned about business chat apps introducing security risks. For example, 32% said messaging apps put corporate data more at risk of being hacked, and 29% said they pose a security risk that is difficult to manage.
“However, that doesn’t mean caution can be thrown to the wind. Nearly 60% of IT pros believe sensitive files/information should not be shared via group chat apps. In other words, IT pros aren’t overly concerned about the security risks as long as their employees use chat services wisely.”

Using chat services wisely. Agreed! When it comes to IP, take care to keep it safe. So, which of those 6 is the most secure chat platform? Can we rank them? Let’s find out.

The Big Three: Slack, Microsoft Teams, Skype for Business

Slack Logo

SLACK & MICROSOFT TEAMS—The Bitglass Blog put together a review of Slack’s security vs. Microsoft Teams’.
Microsoft Teams vs Slack Security – The Bitglass Blog
They’ve done their homework; it’s definitely worth a read.

Slack and MS Teams are pretty much neck-and-neck in terms of their security. Teams has greater regulatory compliance, but Slack already delivers on at-rest and in-transit encryption. Adding external users is a risk on both services.

Microsoft Teams Logo

This of course makes me happy! I like seeing Slack and Teams in competition…like iron sharpening iron, they should continue to make each other better. That they both have good security on their chats is yet another benefit to users.

(I talked before about Slack and MS Teams – when it was called Skype Teams – back in October.)


Skype for Business Logo

SKYPE FOR BUSINESS—Our favorite, naturally. And in terms of security, it’s our favorite for good reason.

Persistent Chat is a server within Skype for Business Server, and uses SQL Server for its database. Hardening the SQL Server and configuring security on the Windows Server on which Persistent Chat runs will provide high-grade security for the chats.

In addition, a Persistent Chat administrator controls memberships, file uploads, and the domains from which users can join. There’s a lot of granular control. It’s safe to say that if you’ve secured your Skype for Business Server, your Persistent Chat rooms are pretty darn private.

Now, what about the others?

The Other Three: HipChat, Google Hangouts, Workplace by Facebook

HipChat Logo

HIPCHAT—HipChat is run by Atlassian, makers of Jira and Confluence. Their Security of HipChat page indicates 256-bit SSL encryption on your chats & files. It even tells you where HipChat hosts its data – on Amazon Web Services, which employs its own security.

However, HipChat has had a couple issues. In 2015, hackers stole usernames & passwords from HipChat. Atlassian responded with fixes of course.

But in February 2016, a Redditor pointed out a HipChat flaw that let anyone holding a link download the file without logging into HipChat. I haven’t used HipChat much, so I don’t want to disparage it, but I am left a little uncertain on its security after reading these accounts.


Google Hangouts Icon

GOOGLE HANGOUTS—Okay, let’s talk Google. The search giant is famous for collecting data on its users. But it tries to maintain their privacy, at the same time. Hangouts uses encryption to protect your chats and files.

How Hangouts Encrypts Information – Hangouts Help

A few things I note on this page:

  • Direct peer-to-peer. Good; cuts down on overhead and helps keep the chat private.
  • 128-bit encryption. Not 256-bit like HipChat. You’d think Google would go higher on its encryption level…
  • No mention of end-to-end encryption like Slack and Microsoft Teams. In fact, Google avoided the question when asked in May 2015.

Verdict: Google Hangouts is convenient and fun to use. But it’s not the most secure business chat option.


Workplace by Facebook Logo

WORKPLACE BY FACEBOOK—Up until now I hadn’t even looked at Workplace. It’s very new, and as such, I’m keeping expectations low.

The Workplace app does almost exactly the same things as Microsoft Teams and Slack: chat rooms, groups, external users, video, etc. It’s just made by the Facebook team. Pricing is cheaper than Slack, which makes sense if Workplace wants to grab users from other platforms.

Some good (and bad) points:

  • Workplace accounts are different from Facebook accounts. That’s good; separating work and play means better privacy overall.
  • Workplace has a Trust Center posted, like Office 365: Workplace Trust Principles. Good for you guys!
  • Workplace debuts with a handicap though—Facebook’s dubious privacy practices. It’s a separate system, but Workplace does run off Facebook’s servers. Some businesses will shy away on reputation alone (and I can’t honestly blame them).

It’s too soon to tell what kind of adoption Workplace gets. As such, I don’t want to say this is a good or bad choice in terms of security. It looks like they’re doing all the right things security-wise…but we’ll have to see how it unfolds.

The People Side of Chat: Use a Secure Business Chat App, but Exercise Caution All the Same

From all this, we can conclude that “the Big Three” are pretty secure chat apps. “The Other Three” do take some security steps, but using them may put your business’s intellectual property at risk. If security is a big concern, stick with the “Big Three.”

Even on secure chat apps though, prudence is called for. There’s the technical side of security, and the people side. As a good security practice, you should only share sensitive data over channels you know are secure. And only when it’s necessary.

Enjoy Business Chat Apps Responsibly!

Readers know I’m a big advocate for group chat. It’s fast, easy, nobody gets bothered by a phone ringing, no participant limit, and there’s a record for conversations.

So long as that record, and all files sent to colleagues within the chat app, are kept secure. It’s easy to presume security, and chat with everybody on the team as if it’s always there. It’s not so easy to verify security after-the-fact.

Which business chat app do you use? Why that one? Please comment or email your thoughts. I would hope that none of my readers have ever experienced a security breach due to a chat app…but if you have, I’d like to hear your account too.


The Privacy Risks in Skype for Business-to-Skype Conversations

“Can I use my regular Skype now?”

A customer asked us this the other day, following her Skype for Business install. She meant her consumer Skype, or Skype-C, account: she wanted to use that account in Skype for Business. We explained that she needed to use her new Skype for Business account. She in turn asked if she could add all her existing Skype contacts to her Skype for Business account.

Rather than just say, “No, that’s a bad idea,” let’s explain why. It has to do with privacy.

How Private is Skype? Not Very.

You can add Skype contacts in Skype for Business. It’s one of the much-trumpeted features Microsoft added when they made the update from Lync Server. However, that doesn’t mean Skype-to-Skype4B conversations are private.

Why? Simple. You (the Skype for Business admin) control the Business accounts. You don’t control the Skype-C accounts.

The Privacy Danger: You Can’t Secure the Other Person’s Side of the Conversation

Microsoft runs the Skype servers. Now, they do incorporate a set of legal privacy terms, laying out protections for Skype users and detailing how they use consumer information.

But right there is one privacy concern. We’ve known Microsoft monitors your activity for a while now. They gather data and use it to improve services & work with partners. (Yes, and show us ads.) And in 2013, researchers at Heise Security showed that Microsoft-controlled systems visited unique HTTPS links shortly after those links were sent in Skype messages. Microsoft’s explanation was automated scanning of links for spam and malware. Fine as far as it goes, but it confirms the point that matters here: whatever you type into Skype-C is readable by the service operator, links included.

Now, let’s say you’re having a conversation on a new project. You’re using Skype for Business; another person (we’ll call them Frank) is on Skype-C. You send Frank a message with a staging link in it.

“Frank, here’s the current staging link for the XYZ project. Don’t share it around, it’s got proprietary information on it. Just have a look through and let me know what you think.”

Surprise. The privacy you thought you had? Microsoft itself just compromised it. That staging URL was fetched by a system you don’t control, and if the page behind it is protected by nothing more than an unguessable link, its contents are as good as shared. The practical rule: never rely on secret links. Anything you’d hesitate to paste into a public chat should sit behind authentication.

Open computer at coffee shop

“Uhh, Sir? You left your computer up…”

Don’t Forget the “Oops!”

Even if you avoid sending links, you’re still open for an accidental information leak.

What if Frank leaves his Skype window open and goes to the bathroom without locking his PC? Worse, what if he does this when he’s in a coffee shop? Anyone can just stop and take a peek!

Accidental leaks are just that…accidents. People don’t mean any harm. But the simple fact does remain that any side of a conversation – especially if one side is an unmanaged, unsecured Skype-C account – can accidentally display or share Intellectual Property.

Essentially, the moment you allow Skype for Business users to talk with Skype-C accounts within your work environment? It’s the moment you start bleeding business information out of your work environment’s safeguards.

Technical Risks to Skype’s Privacy

Skype-C has been around for many years. Many people have written add-ons and plugins for the software. Some good, some great, some…not so good.

I’m thinking in particular of malware. Several malware families exist which record Skype calls & conversations. Palo Alto Networks’ Unit 42 reported a new one, T9000, in February 2016. Guess what it does? It hooks into Skype through the Skype desktop API and records your calls, messages and screenshots—without your knowledge! One detail worth passing on to users: that API hook only works if someone clicks “Allow access” on the Skype prompt it triggers (T9000’s shows up as explorer.exe asking to use Skype). A user who refuses prompts they didn’t expect shuts that door.

Obviously, malware can get to a Windows Server inside your network too (if you’re not careful!). But you can monitor for that. Can you monitor the computers of all the Skype contacts out there, talking with your Skype for Business users? Didn’t think so.

Which means every Skype-C/Skype4B conversation can contain a privacy hole.

What Can You Do to Protect Privacy? Policy and Awareness

There are only a few things you can do on the technical side to protect privacy in Skype for Business. Your best approach is awareness and policy limitations.

I have some advice here. We give these recommendations to our new Skype for Business customers during their user training.

  1. Limit the Skype-C contacts your employees add. Can they make a business case for Contact A? Then they get to add Contact A.
  2. Stay familiar with Skype for Business privacy relationships. From the Skype for Business Privacy Supplement:

    “Note: By default all external contacts, either personal or federated, will be assigned the External Contacts privacy relationship, which will share your name, title, email address, company, and picture. These contacts will not be able to view your Presence Note. Assigning external contacts to other privacy relationships, for example Work Group, Friends and Family, and so on, will allow them to see your Presence Note and could inadvertently share information that should not be disclosed to them.”

  3. If your users need to talk with Skype-C contacts, have those contacts beef up their Skype privacy. You can send those contacts this link: Use These Skype Privacy Settings to Secure Your Account – MakeUseOf.com.
    And install Malwarebytes too!
  4. Inform the C-level execs of the privacy concerns. That way they can update corporate policy (if it’s needed) regarding sharing of Intellectual Property and links.
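The “technical side” is thinner than the policy side, but it isn’t empty. Recommendation 1 above (only users with a business case get Skype-C contacts) can be enforced on the server rather than trusted to memory, because Skype-C connectivity is a per-user external access policy setting. The following is an added example, not code from the original post: the policy name “SkypeConsumerApproved”, the SIP addresses and the contoso.com domain are assumptions for illustration. It runs in the Skype for Business Server (or Lync Server 2013) Management Shell.

```powershell
# Added example (not from the original post): make "no Skype-C contacts" the
# default and grant the exception only to named users. Policy name, SIP
# addresses and domain are assumptions. Run in the Skype for Business Server
# Management Shell as a CsAdministrator.

# 1. Global default: federation with partner organisations stays on, but
#    public cloud (Skype consumer) IM/presence and A/V are off for everyone.
Set-CsExternalAccessPolicy -Identity Global `
    -EnableFederationAccess $true `
    -EnablePublicCloudAccess $false `
    -EnablePublicCloudAudioVideoAccess $false

# 2. A per-user policy for people who made the business case. IM/presence
#    with Skype-C is allowed; calls from unmanaged endpoints still are not.
New-CsExternalAccessPolicy -Identity "SkypeConsumerApproved" `
    -EnableFederationAccess $true `
    -EnableOutsideAccess $true `
    -EnablePublicCloudAccess $true `
    -EnablePublicCloudAudioVideoAccess $false

# 3. Grant the exception to the approved users only (assumed users).
$approved = @("sip:sales.lead@contoso.com", "sip:partner.manager@contoso.com")
foreach ($sip in $approved) {
    Grant-CsExternalAccessPolicy -Identity $sip -PolicyName "SkypeConsumerApproved"
}

# 4. Tighten what external contacts see: privacy mode lets users limit presence
#    to people on their contact list, and location data is not published by default.
Set-CsPrivacyConfiguration -Identity Global `
    -EnablePrivacyMode $true `
    -PublishLocationDataDefault $false

# 5. Audit: who can talk to Skype-C right now? Review this list regularly, and
#    remove the policy (Grant-CsExternalAccessPolicy -PolicyName $null) when
#    the business case goes away.
Get-CsUser -Filter { ExternalAccessPolicy -eq "SkypeConsumerApproved" } |
    Select-Object DisplayName, SipAddress, ExternalAccessPolicy
```

Two caveats. The policy is only the per-user switch; Skype-C connectivity also needs the public provider configured on the Edge, so if the audit in step 5 comes back empty and nobody complains, you have confirmed the default is doing its job. And none of this touches what happens on Frank’s side of the conversation, which is exactly why the awareness items in the list above still matter.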

The Privacy Spectre Lurks in the Background. Don’t Forget it’s There!

We advised the customer to limit the number of Skype-C contacts she adds to her Skype for Business. Trusted business associates only…and always use caution about what you send them. To her credit, she understood right away what we meant about privacy.

Having the ability to add Skype-C contacts in Skype for Business is a big help. But, just because you “can” doesn’t mean you “should”!

What are your biggest Skype for Business privacy concerns? Please comment or email. If you’ve had a Skype privacy issue, please share what happened (and I’m sorry you had to deal with it!).


Are Lync Conversations Preserved by eDiscovery?

If you’ve followed political news lately, you’ve heard about Hillary Clinton using a private email server during her term as Secretary of State.

Not only did this throw suspicion on her actions in office, it illustrated several dangers in using personal email for work purposes.

We wrote a newsletter article on the dangers. You can read it here: Corporate Lessons from the Hillary Clinton Email Scandal – PlanetMagpie WOOF!

I bring this up here because there’s one specific danger that relates to Lync Server environments: the question of eDiscovery.

What is eDiscovery?

A simple (but clear) definition of eDiscovery is:

“The process of finding, preserving, analyzing, and producing content in electronic formats as required by litigation or investigations.”

(Courtesy of “Intro to eDiscovery in SharePoint, Exchange, and Lync 2013” – Office Blogs)

Pay special attention to the last part: “As required by litigation or investigations.” eDiscovery is a legal protection. Businesses use it to preserve records in case they’re needed by law enforcement or the courts.

Many larger businesses must keep records in paper format in case of litigation. eDiscovery occurs for the same reason, just in electronic formats. (Using personal email for work escapes eDiscovery—which is why it’s dangerous to businesses.)

What kind of records are kept? Typically emails, office documents, database data, sometimes videos and internal webpages.

That brings us to records from Lync. Are those considered “legal records” by eDiscovery? And if so, what do we have to keep?

The Legal Value of Lync Conversations

On Microsoft platforms, eDiscovery runs primarily on Exchange Server, SharePoint Server, and Office 365. You’ll find more details on the versions and how they operate here:
eDiscovery FAQ – TechNet

Down a little ways you’ll see the question, “Does the eDiscovery Center work with different product versions?” In its chart, we see “Lync 2013 (when archived in Exchange 2013)” listed. It’s included in Search, In-Place Hold and Export categories.

It looks like Lync Server is included in eDiscovery all right—via Exchange. The question is, if Lync records are considered legally valuable…which records is it preserving?

Which Lync Records are Preserved by eDiscovery?

The answer to this question took a little digging for me to clarify. I’ll save you that trouble.

  • Archived Lync instant messages are preserved through In-Place Hold. (In-Place Hold is present in Exchange Server, which stores the Lync messages.)
  • Documents shared during Lync Meetings are also archived in Exchange mailboxes, and thus protected by eDiscovery.
  • Lync phone calls and video are not included in eDiscovery.

It goes back to what can & can’t be archived by Lync. If we go back to What Archiving Server Archives…and What It Doesn’t, we find that this list pretty much matches the record types preserved by eDiscovery.

Remember though, Archiving is not enabled by default. You must enable it, and configure it properly, if you want to/need to archive Lync records for eDiscovery. Defining Your Requirements for Archiving in Lync Server 2013 – TechNet

A quote from this page: “The archiving database is not intended for long-term retention and Lync Server 2013 does not provide an e-discovery (search) solution for archived data, so data needs to be moved to other storage [in Exchange].”
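Since archiving is off by default and eDiscovery only sees Lync content that lands in Exchange, here is the configuration that closes that gap, as an added example and not code from the original post. The mailbox addresses, hold name and contoso.com domain are assumptions. It assumes the server-to-server (OAuth) trust between Lync Server 2013 and Exchange 2013 is already in place and the users’ mailboxes are on Exchange 2013; it does not set those up.

```powershell
# Added example (not from the original post): enable Lync 2013 archiving into
# Exchange 2013 and put the mailboxes on In-Place Hold so archived IMs and
# meeting content are preserved and searchable by eDiscovery. Mailboxes, hold
# name and domain are assumptions; the Lync/Exchange OAuth trust is assumed done.

# ---- Lync Server 2013 Management Shell ----

# Archive IM and web conferencing content (uploaded files, whiteboards, polls).
# Audio/video is never archived, which is why it sits outside eDiscovery.
# BlockOnArchiveFailure fails closed: if archiving breaks, IM stops rather than
# quietly leaving a gap in the record.
Set-CsArchivingConfiguration -Identity Global `
    -EnableArchiving ImAndWebConf `
    -EnableExchangeArchiving $true `
    -BlockOnArchiveFailure $true

# The archiving POLICY decides whose conversations get archived; without it the
# configuration above archives nobody. Internal and external (federated) both on.
Set-CsArchivingPolicy -Identity Global -ArchiveInternal $true -ArchiveExternal $true

# Verify before trusting it.
Get-CsArchivingConfiguration |
    Select-Object Identity, EnableArchiving, EnableExchangeArchiving, BlockOnArchiveFailure
Get-CsArchivingPolicy | Select-Object Identity, ArchiveInternal, ArchiveExternal

# Optional per-user override: force a user's archive into Exchange regardless
# of hold state (otherwise Lync looks at whether the mailbox is on hold).
# Set-CsUser -Identity "alice@contoso.com" -ExchangeArchivingPolicy ArchivingToExchange

# ---- Exchange 2013 Management Shell ----

# With Exchange archiving on, Lync writes a user's conversations into that
# user's own mailbox once the mailbox is on In-Place Hold (or Litigation Hold).
# A hold with no query and no date range preserves everything, Lync items included.
New-MailboxSearch -Name "Legal-Hold-ProjectXYZ" `
    -SourceMailboxes "alice@contoso.com", "bob@contoso.com" `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod Unlimited

# Confirm the hold took.
Get-MailboxSearch -Identity "Legal-Hold-ProjectXYZ" |
    Select-Object Name, InPlaceHoldEnabled, Status, SourceMailboxes
```

After this, the eDiscovery Center (or In-Place eDiscovery in the Exchange admin center) can search the held mailboxes and the Lync conversations show up alongside email. Test it with a real IM between two held users before Legal needs it, not after.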

The MS Exchange Blog has a thorough article series discussing Exchange’s eDiscovery features.
Exchange 2013 In-Place Hold and In-Place eDiscovery (Part 1)

Lync cooperates with eDiscovery for IM conversations and meetings. Factor this into your Records Retention.

As of yet, I’ve heard nothing on whether Skype for Business will alter this eDiscovery preservation method. Offhand I’d say no. The content archiving process is relatively straightforward, and we aren’t getting a new Exchange version (yet).

All the same, I want to stress the importance of preserving Lync conversations for legal discovery. If you’re in a business which must keep records for Legal, take a look at these statistics: Overview of Microsoft Office eDiscovery with Exchange, SharePoint, and Lync 2013 – Quentin on Compliance, eDiscovery

90% of corporations were involved in litigation last year! Yikes. Now that we know Lync conversations are included in eDiscovery (if you configure Lync to archive with Exchange), maybe we can breathe a little easier.

More on eDiscovery, courtesy of Wikipedia.org: Electronic Discovery

How do you preserve records for legal purposes? Please comment or email your experiences. This is a meaty topic; I’d love to hear how you tackle it.


Reverse Proxies 101

Technically, Reverse Proxy is not a Lync Server role. It’s more like a helping hand, guiding Lync’s communications to where you want them to go.

I haven’t focused much on reverse proxies here in the past. Which is why today’s Lync Insider post is dedicated to their explanation and understanding. Let’s get started.

What is a reverse proxy? What does it do?

Definition of a reverse proxy from Wikipedia:

“In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the server itself (or servers themselves). While a forward proxy acts as an intermediary for its (usually nearby) associated clients and returns to them resources accessible on the Internet, a reverse proxy acts as an intermediary for its (usually nearby) associated servers and only returns resources provided by those associated servers.”

So a reverse proxy is an intermediary, but it works for the servers rather than for the clients. A forward proxy sits in front of your users and fetches things from the Internet on their behalf; a reverse proxy sits in front of your servers, accepts requests from the Internet, and passes along only the ones for services you’ve chosen to publish. The outside world talks to the proxy and never connects to the real server directly, which is how it aids privacy, keeps security tight and lets you balance load across servers.

There is an excellent diagram of how a reverse proxy operates (as well as a regular ‘forward’ proxy) at StackOverflow.com:
Difference between Proxy Server and Reverse Proxy Server – StackOverflow

Is this process the same when you use a Reverse Proxy Server in Lync?

Primarily, yes. The Reverse Proxy Server sits in the perimeter network, like your Edge Servers do. The difference is in what traffic each one handles. The Edge Servers carry SIP signaling and media (IM, presence, calls); the reverse proxy carries only HTTPS. It listens on port 443 on the outside and forwards to the Front End pool’s external web services on port 4443 (and 80 to 8080), so the Front End itself is never exposed to the Internet.

When do we need to use a reverse proxy in Lync Server?

The Reverse Proxy’s function in Lync is to facilitate client access to the Lync Web Services. These are optional services, but the list is long and very useful. From TechNet:

  • Enabling external users to download meeting content for your meetings.
  • Enabling external users to expand distribution groups.
  • Enabling remote users to download files from the Address Book service.
  • Accessing the Lync Web App client.
  • Accessing the Dial-in Conferencing Settings webpage.
  • Accessing the Location Information service.
  • Enabling external devices to connect to Device Update web service and obtain updates.
  • Enabling mobile applications to automatically discover and use the mobility (Mcx) URLs from the Internet.
  • Enabling the Lync 2013 client, Lync Windows Store app and Lync 2013 Mobile client to locate the Lync Discover (autodiscover) URLs and use Unified Communications Web API (UCWA).

Please note: none of these are critical to core functionality. IM/Presence, Enterprise Voice & Persistent Chat all work without a reverse proxy, internally and (through the Edge Servers) for remote users.

It’s only when you want to provide those Web services to external users (normal users on mobile devices, telecommuters, non-users such as customers) that you’ll want to put in a reverse proxy.

How do I set up a Reverse Proxy in Lync?

In the past, the standard software choice for running a Reverse Proxy Server with Lync was Forefront Threat Management Gateway 2010 (TMG). However, Microsoft discontinued TMG in late 2012.

Since then, the standard has been Internet Information Services Application Request Routing (IIS ARR). There are other options you can try – see “Additional Resources” below for one such option – but we’d normally recommend using IIS ARR.

You’ll find setup instructions linked on the Setting Up Reverse Proxy Servers page. The Vytru Blog also has a good tutorial: Installing Lync 2013 Reverse Proxy IIS ARR – Vytru Blog.

The basic steps are:

  1. Install the IIS prerequisites (via PowerShell), then the URL Rewrite and Application Request Routing modules
  2. In Lync Topology Builder, configure Web Services FQDNs
  3. In IIS Manager, create a server farm in Application Request Routing
  4. Add application servers to the farm (minimum 1, more if you need redundancy or load balancing)
  5. Configure the new servers
  6. Request & install a certificate on the reverse proxy (from a public CA, with the external web services FQDN, lyncdiscover and the simple URLs such as meet and dialin in its Subject Alternative Name)
  7. Configure Web Publishing Rules
  8. Create DNS Records
  9. Test your new reverse proxy!
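Step 9 deserves more than a browser refresh. The check below is an added example, not from the original post or any of the linked tutorials: it runs from a machine outside your network and, for each published FQDN, confirms public DNS, TCP 443, the certificate name match and an HTTP response. The contoso.com FQDNs are assumptions; substitute the external web services FQDN and simple URLs from your Topology Builder.

```powershell
# Added example (not from the original post): verify a Lync 2013 reverse proxy
# from OUTSIDE the network. FQDNs are assumptions; use your own topology's.
# Remember: the reverse proxy publishes HTTPS only. SIP and media go via Edge.

$fqdns = @(
    "lyncdiscover.contoso.com",   # autodiscover for mobile/UCWA clients
    "lyncweb.contoso.com",        # external web services FQDN (443 -> Front End 4443)
    "meet.contoso.com",           # simple URL: meetings
    "dialin.contoso.com"          # simple URL: dial-in conferencing settings page
)

function Test-LyncPublishedUrl {
    param([string]$Fqdn)
    $result = [ordered]@{ Fqdn = $Fqdn; Ip = $null; PrivateIp = $false; Tcp443 = $false; CertOk = $false; Http = $null }

    # 1. Public DNS must resolve, and to the proxy's public address. A private
    #    (RFC 1918) answer usually means an internal DNS view leaked outward.
    try { $ip = [System.Net.Dns]::GetHostAddresses($Fqdn)[0] } catch { $result.Http = "DNS failed"; return $result }
    $result.Ip = $ip.IPAddressToString
    $result.PrivateIp = $result.Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'

    # 2. TCP 443 reachable. (4443 should NOT be reachable from here; the proxy bridges it.)
    $result.Tcp443 = (Test-NetConnection -ComputerName $Fqdn -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    if (-not $result.Tcp443) { return $result }

    # 3. TLS handshake: the chain must be trusted by an outside client and the
    #    certificate's Subject Alternative Name must cover this exact FQDN.
    $client = New-Object System.Net.Sockets.TcpClient($Fqdn, 443)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Fqdn)   # throws on untrusted chain or name mismatch
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san = ($cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }).Format($false)
        $result.CertOk = [bool]($san -match [regex]::Escape($Fqdn))
    } catch { $result.CertOk = $false } finally { $ssl.Dispose(); $client.Dispose() }

    # 4. An HTTP answer through the proxy. Lyncdiscover must return the
    #    autodiscover root document; the simple URLs return a page.
    $path = if ($Fqdn -like "lyncdiscover.*") { "/Autodiscover/AutodiscoverService.svc/root" } else { "/" }
    try {
        $r = Invoke-WebRequest -Uri "https://$Fqdn$path" -UseBasicParsing -TimeoutSec 15
        $result.Http = $r.StatusCode
    } catch { $result.Http = $_.Exception.Message }
    return $result
}

$fqdns | ForEach-Object { [pscustomobject](Test-LyncPublishedUrl $_) } | Format-Table -AutoSize
```

A row with Tcp443 true but CertOk false is the classic step-6 mistake: the certificate is valid but is missing that name in its SAN, and mobile clients will refuse to connect even though a browser shows the page after a warning. Run the same script against port 4443 as a negative test; anything other than a timeout means the Front End is exposed directly.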

I encourage you to read the above links before attempting to install a reverse proxy. The process has many steps–and many steps means many places where we can miss or skip something by accident.

Ideally, the best time to install a reverse proxy is right after you install a fresh instance of Lync Server 2013. But so long as you have the Web Services URLs, you can install one at any time.

What’s your experience with Reverse Proxy? If you have a story – or a question – please comment or email it to us.

Additional Resources:
Configuring Reverse Proxy Access to Microsoft Lync Server 2013 using KEMP LoadMaster – NextHop
Lync Edge Server Best Practices – Jeff Schertz’s Blog


Lync Clients Have a Graphics Bug! How to Patch the Hole

There’s a new security flaw in Lync! Microsoft announced it yesterday, with a couple workarounds. Both are easy to implement, so let’s not waste any time.

Where It Is: Code for Graphics Handling

The flaw is in the TIFF image handling code of the Microsoft Graphics Component (GDI+), which is used by the Lync 2010 and 2013 clients, by Windows Vista and Windows Server 2008, and by Office 2003, 2007 and 2010.

What It Can Do: Let Remote Code In

A specially crafted TIFF file, whether opened directly or embedded in a document or message, can trigger remote code execution with the rights of the logged-on user.

By itself this is not a network-wide threat. But even a small door left open can bring trouble.

According to ITNews.com, attacks are already occurring in Southern Asia and the Middle East. Emails with specially-crafted Word attachments are opening user access to outside attackers, compromising local security & allowing a potential hole into networks.

Let’s all avoid that unpleasant possibility, shall we?

How to Patch the Security Flaw: Two Workarounds

Two workarounds are available to prevent any exploits. These work for all affected systems, but I’m focusing on the Lync 2010 and 2013 clients (this IS a Lync blog!).

The first option is disabling the TIFF codec on computers running Lync 2010 or 2013.
You can use a Fix It Microsoft has provided here (the quickest solution):
https://support.microsoft.com/kb/2896666

Or disable the codec manually. If you want to do that:

  1. Open the Registry Editor.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus (create the Gdiplus subkey if it isn’t there).
  3. Under the Gdiplus subkey, create a new DWORD value named DisableTIFFCodec.
  4. Set DisableTIFFCodec to 1. Close Registry Editor and restart any running Lync and Office programs so the change takes effect.

(If you want to enable the TIFF codec again later, just change the entry’s value to 0.)
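Clicking through regedit works for one PC; for a fleet you want the same four steps as a script you can push out and, just as important, verify and reverse later. This is an added example, not code from the original post or from Microsoft’s Fix It. It adds one thing the manual steps above don’t mention: on 64-bit Windows a 32-bit Lync or Office process reads HKLM\SOFTWARE through WOW64 registry redirection, i.e. under Wow6432Node, so both keys are set to cover either bitness. Run it elevated.

```powershell
# Added example (not from the original post): apply, verify and revert the
# DisableTIFFCodec workaround from Microsoft Security Advisory 2896666.
# Both the native and the Wow6432Node key are set because 32-bit Lync/Office
# on 64-bit Windows reads HKLM\SOFTWARE via WOW64 redirection. Run elevated.

$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Gdiplus",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Gdiplus"
)

function Set-TiffCodecState {
    param([ValidateSet("Disabled", "Enabled")][string]$State)
    $value = if ($State -eq "Disabled") { 1 } else { 0 }
    foreach ($key in $keys) {
        # Wow6432Node only exists (and is only read) on 64-bit Windows.
        if ($key -like "*Wow6432Node*" -and -not [Environment]::Is64BitOperatingSystem) { continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name DisableTIFFCodec -PropertyType DWord -Value $value -Force | Out-Null
    }
}

function Get-TiffCodecState {
    foreach ($key in $keys) {
        $v = (Get-ItemProperty -Path $key -Name DisableTIFFCodec -ErrorAction SilentlyContinue).DisableTIFFCodec
        $shown = if ($null -eq $v) { "(not set: codec enabled)" } else { $v }
        [pscustomobject]@{ Key = $key; DisableTIFFCodec = $shown }
    }
}

# Apply the workaround, then confirm every applicable key reads 1.
Set-TiffCodecState -State Disabled
Get-TiffCodecState | Format-Table -AutoSize

# Processes that were already running keep the old setting until restarted.
Get-Process -Name lync, communicator -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "$($_.ProcessName) (PID $($_.Id)) must be restarted to pick up the change." }

# Once the real security update is installed, put the codec back:
#   Set-TiffCodecState -State Enabled
```

The Get-Process line looks for lync.exe (Lync 2013) and communicator.exe (Lync 2010); add winword.exe and friends if you care about Office too. Keep the Get-TiffCodecState output from each machine; it is the evidence that the workaround was actually in place, which you will want if an incident review ever asks.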

The second workaround option is deploying the Enhanced Mitigation Experience Toolkit (EMET). Download EMET version 4.0 here.

Choose “Use Recommended Settings” during installation; that applies EMET’s mitigations to Office and the other usual targets without further work. If the Lync client isn’t in the protected list, add lync.exe (Lync 2013) or communicator.exe (Lync 2010) manually; refer to its documentation for the steps.

Both workarounds are listed under “Suggested Actions” of this bug’s TechNet Advisory. Along with extra instructions, a FAQ and a full list of the software affected.

You can do both if you’d like. It won’t hurt anything.

Microsoft will include a patch in a coming security update, no doubt. (It did: the permanent fix shipped as security bulletin MS13-096 in December 2013, addressing CVE-2013-3906. Once that update is installed the workarounds are no longer needed and the codec can be re-enabled.) But in the meantime you can use these to protect any systems you’re concerned about.

I know a lot of people still use the Lync 2010 client and Office 2010. I’d prefer you continuing to use them without worrying about the next email attachment coming in.

Any other day, I’d recommend you updating to Windows Server 2012 and Lync 2013 to avoid security issues. But this flaw affects 2013 too…as well as 3 versions of Office!

So take a moment and apply your choice of workaround. Patch the security hole before someone else finds it.
