How to secure Lync voice traffic, both inside the corporate network and beyond it, is a question many administrators have been asking. Server-to-server Lync Server 2010 communications are encrypted by default. By requiring all servers to use certificates and by using Kerberos authentication, TLS, Secure Real-Time Transport Protocol (SRTP) and other industry-standard encryption techniques, including 128-bit Advanced Encryption Standard (AES) encryption, virtually all Lync Server data is protected on the internal network.
General features of Microsoft Lync Server 2010 security are:
- role-based access control (RBAC) to enable you to delegate administrative tasks while maintaining high standards for security. You can use RBAC to follow the principle of “least privilege,” in which users are given only the administrative rights that their jobs require.
- a management interface built on Windows PowerShell. The Lync Server Management Shell uses cmdlets to configure and operate Lync Server, including its security settings. Windows PowerShell's default execution policy is left in place, so a user cannot easily or unknowingly run a script; this keeps the default posture tight and blocks many script-based attacks, although it is a default, not a guarantee of immunity.
- no support for network address translation (NAT) on the internal interface of an Edge Server. Lync Server 2010 requires the internal edge interface to be reachable without NAT; only the external interface may sit behind a NAT device.
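The following Lync Server Management Shell session is an added example, not code from the original article or from Microsoft. It shows the least-privilege pattern from the RBAC bullet: cloning a built-in role and narrowing it to one site. The site name "Redmond", the group name "CsHelpDesk-Redmond" and the user "jdoe" are placeholders.

```powershell
# Added example: scope an RBAC role in the Lync Server 2010 Management Shell.
# "Redmond", "CsHelpDesk-Redmond" and "jdoe" are assumed placeholder names.

# Cmdlets typed interactively run under the default Restricted execution policy;
# only saved .ps1 scripts would need Set-ExecutionPolicy RemoteSigned.
Get-ExecutionPolicy

# 1. Review the built-in roles and the user/config scopes each carries.
Get-CsAdminRole | Format-Table Identity, UserScopes, ConfigScopes -AutoSize

# 2. In Lync Server 2010 a custom role must be based on a built-in template, and
#    a universal security group with the same name must already exist in AD.
Import-Module ActiveDirectory
New-ADGroup -Name "CsHelpDesk-Redmond" -GroupScope Universal -GroupCategory Security
Add-ADGroupMember -Identity "CsHelpDesk-Redmond" -Members "jdoe"

# 3. Create a help-desk role that can only act on users homed in the Redmond site.
New-CsAdminRole -Identity "CsHelpDesk-Redmond" -Template "CsHelpDesk" -UserScopes "site:Redmond"

# 4. Verify the scope and see which roles the user now holds.
Get-CsAdminRole -Identity "CsHelpDesk-Redmond"
Get-CsAdminRoleAssignment -Identity "jdoe"
```

One caveat a practitioner should keep in mind: RBAC is enforced for remote Management Shell sessions and for Lync Server Control Panel. An administrator logged on locally to a Lync Server is governed by local group membership (for example RTCUniversalServerAdmins), so local logon rights on the servers need to be restricted as well.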
Eavesdropping, in which an attacker gains access to the data path in a network and can monitor and read the traffic, has also been made difficult. By default, Microsoft Lync Server 2010 uses mutual TLS (MTLS) between trusted servers and TLS from client to server. TLS authenticates all parties and encrypts all traffic. This does not stop an attacker from capturing the traffic, but the captured traffic cannot be read unless the encryption is broken, which is impractical within the time in which a given conversation could be attacked.
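The encryption defaults described in the opening paragraph and above are only a protection while they remain in place. The following is an added example, not part of the original article or of Microsoft's documentation, of how an administrator would check them from the Lync Server Management Shell. It assumes a deployment with a single site and pool; the certificate values shown are whatever your own servers return.

```powershell
# Added example: confirm the Lync Server 2010 encryption defaults have not been relaxed.
# Assumes a single site/pool; run on a Front End Server in the Management Shell.

# Media (voice/video) encryption. The shipped default is RequireEncryption (SRTP).
# SupportEncryption or DoNotSupportEncryption allows calls to fall back to clear
# RTP and is sometimes set for third-party device interop, then forgotten.
$media = Get-CsMediaConfiguration
$media | Format-Table Identity, EncryptionLevel -AutoSize
$media | Where-Object { $_.EncryptionLevel -ne "RequireEncryption" } | ForEach-Object {
    Write-Warning "Media encryption is '$($_.EncryptionLevel)' at scope $($_.Identity)"
}
# Restore the default at global scope. Site-level overrides take precedence, so
# remove them first with Remove-CsMediaConfiguration -Identity site:<name>.
Set-CsMediaConfiguration -Identity Global -EncryptionLevel RequireEncryption

# Certificates underpin MTLS between servers and TLS to clients. List what is
# assigned on this server and flag anything expiring within 30 days: an expired
# certificate breaks server-to-server MTLS outright rather than downgrading it.
Get-CsCertificate | Format-Table Use, Subject, NotAfter, Thumbprint -AutoSize
Get-CsCertificate | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } | ForEach-Object {
    Write-Warning "$($_.Use) certificate '$($_.Subject)' expires $($_.NotAfter)"
}
```

The media check is the one most worth scheduling: signaling cannot be silently downgraded from TLS without reconfiguring the topology, but a single `Set-CsMediaConfiguration -EncryptionLevel SupportEncryption` made for an interop test quietly permits unencrypted RTP for every call that negotiates it.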
While the security features of Microsoft Lync Server 2010 help protect against third-party intrusion, there is also the issue of state authorities demanding access to corporate information. Microsoft has not explicitly stated its policy on this. Officially, Microsoft only divulges client information when demanded by a court order, but so far this appears to be untested.