Updated 5-20-11 with new independent security tests against Lync Server 2010
Telecom teams sometimes ask me how secure the voice traffic in Lync is, and whether conferencing traffic is secure both on the internal network and externally. Note: the diagrams and a few excerpts are taken from our whitepapers.
What type of secure communications are used with Lync?
Server-to-server Lync Server 2010 communication is encrypted by default. By requiring all servers to use certificates and by using Kerberos authentication, TLS, Secure Real-Time Transport Protocol (SRTP), and other industry-standard encryption techniques, including 128-bit Advanced Encryption Standard (AES) encryption, virtually all Lync Server data is protected on the network.
Lync client-to-server traffic uses TLS for SIP traffic and SRTP for media such as audio, video and desktop sharing.
The following is a matrix showing the secure traffic types:
This diagram from the whitepaper shows how clients communicate securely using SRTP for audio and video and TLS, and how Lync servers communicate securely with MTLS.
Can someone sniff the packets and get access to my Lync voice/data?
Using TLS makes a sniffing or man-in-the-middle attack very difficult to impossible to achieve within the time period in which a given conversation could be attacked. TLS authenticates all parties and encrypts all traffic. This does not prevent listening over the wire, but the attacker cannot read the traffic unless the encryption is broken. Additionally, with SRTP enabled, voice, video and desktop sharing traffic is encrypted.
How do I secure my voice traffic?
Are there Lync Server GPOs I can use to lock things down?
Yes, there is a communicator.adm file located in the %windir%\inf folder that you can leverage.
What are tips to secure my Lync Edge servers?
What do I need to exclude from my antivirus program running on my Lync Server 2010?
· Lync Server 2010 processes:
    · ASMCUSvc.exe
    · AVMCUSvc.exe
    · DataMCUSvc.exe
    · DataProxy.exe
    · FileTransferAgent.exe
    · IMMCUSvc.exe
    · MasterReplicatorAgent.exe
    · MediaRelaySvc.exe
    · MediationServerSvc.exe
    · MeetingMCUSvc.exe
    · MRASSvc.exe
    · OcsAppServerHost.exe
    · QmsSvc.exe
    · ReplicaReplicatorAgent.exe
    · RTCArch.exe
    · RtcCdr.exe
    · RTCSrv.exe
· IIS processes:
    · %systemroot%\system32\inetsrv\w3wp.exe
    · %systemroot%\SysWOW64\inetsrv\w3wp.exe
· SQL Server processes:
    · %ProgramFiles%\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLServr.exe
    · %ProgramFiles%\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
    · %ProgramFiles%\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe
· Directories:
    · %systemroot%\System32\LogFiles
    · %systemroot%\SysWow64\LogFiles
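Excluded processes are no longer scanned, so it is worth confirming what actually sits behind each name before the exclusion goes in. The following PowerShell script is an added example, not part of the original post or of Microsoft's guidance: it resolves each binary in the list above and reports its Authenticode signature status. The default value of $LyncRoot and the helper name Get-ExclusionAudit are assumptions.

```powershell
# Added example: audit the binaries named in the exclusion list above.
# Assumption: $LyncRoot is the Lync Server 2010 install folder on this server.
param([string]$LyncRoot = (Join-Path $env:ProgramFiles 'Microsoft Lync Server 2010'))

# Bare process names from the list; resolved by searching under $LyncRoot.
$lyncProcesses = 'ASMCUSvc.exe','AVMCUSvc.exe','DataMCUSvc.exe','DataProxy.exe',
    'FileTransferAgent.exe','IMMCUSvc.exe','MasterReplicatorAgent.exe',
    'MediaRelaySvc.exe','MediationServerSvc.exe','MeetingMCUSvc.exe','MRASSvc.exe',
    'OcsAppServerHost.exe','QmsSvc.exe','ReplicaReplicatorAgent.exe',
    'RTCArch.exe','RtcCdr.exe','RTCSrv.exe'

# Full IIS and SQL Server paths from the list (the LogFiles folders are not binaries).
$fixedPaths = '%systemroot%\system32\inetsrv\w3wp.exe',
    '%systemroot%\SysWOW64\inetsrv\w3wp.exe',
    '%ProgramFiles%\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\SQLServr.exe',
    '%ProgramFiles%\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\Bin\ReportingServicesService.exe',
    '%ProgramFiles%\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe'

# Hypothetical helper: one result row per file, or a NotFound row for the entry.
function Get-ExclusionAudit([string]$Entry, [string[]]$Files) {
    if (-not $Files) {
        return New-Object PSObject -Property @{ Entry = $Entry; Status = 'NotFound'; Signer = $null; Path = $null }
    }
    foreach ($file in $Files) {
        $sig = Get-AuthenticodeSignature -FilePath $file
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        New-Object PSObject -Property @{ Entry = $Entry; Status = $sig.Status.ToString(); Signer = $signer; Path = $file }
    }
}

$results = @(foreach ($name in $lyncProcesses) {
    $found = @(Get-ChildItem -Path $LyncRoot -Recurse -Filter $name -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName })
    Get-ExclusionAudit -Entry $name -Files $found
})
$results += @(foreach ($path in $fixedPaths) {
    $full = [Environment]::ExpandEnvironmentVariables($path)
    $found = @(if (Test-Path -LiteralPath $full) { $full })
    Get-ExclusionAudit -Entry $path -Files $found
})

# Anything other than Status 'Valid' deserves a look before it stays excluded.
$results | Sort-Object Status, Entry | Format-List Entry, Status, Signer, Path
```

On older PowerShell versions, catalog-signed Windows binaries such as w3wp.exe may report NotSigned, so treat that status as a prompt to verify rather than as proof of tampering.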
Download the excellent Lync Security Guide available here.
Independent security attacks against Lync Server 2010, conducted by Miercom, are described here in Section 6.0.