Security Edge Filter
For Lync Server 2013, 2010 and Office Communications Server 2007 R2
Lync-S Security Filter, Standard Edition

Version history

Version | Date | Author | Remarks
1.0 | 12/05/2011 | Fabian Kunz | Initial draft created.
1.1 | 12/29/2011 | Rui Maximo | Edited.
1.2 | 1/1/2012 | Fabian Kunz | Updated screenshots in section "Security Filter in Action".
1.3 | 4/2/2012 | Fabian Kunz | Updated screenshot order in section "Installation on the Lync Edge Server".
1.4 | 7/19/2013 | Rui Maximo | Updated PowerShell registration commands.

Current document properties
Status: Final
Publish date: 2/27/2019

Lync-S 2019, all rights reserved. This document is the intellectual property of Lync-S. No duplication or distribution is allowed without written notice of the owner. No distribution outside the customer's organization is allowed.

Table of contents
1 Introduction
1.1 Problem: Denial of Service (DoS)
1.2 Solution
2 Functionality
3 Security Filter Design
4 Security Filter Editions
5 Considerations
5.1 Microsoft Exchange
5.1.1 Microsoft Unified Access Gateway (UAG) 2010
5.1.2 Microsoft Threat Management Gateway (TMG) 2010
6 Requirements
7 Install Procedure
7.1 Prepare Lync Edge Server
7.2 Installation on the Lync Edge Server
8 Security Filter in Action
9 Configuration
10 Monitoring

1 Introduction

This documentation describes the requirements and installation procedure for the Standard Edition of the Security Filter.

1.1 Problem: Denial of Service (DoS)

Why are DoS attacks disruptive to your organization? Here are the most common reasons. Each failed authentication attempt against your extranet counts in Active Directory as a failed logon. It therefore becomes trivial for a remote attacker to lock out any of your AD accounts if they know (or can guess) the logon name; no further credentials or privilege are required for this attack. In severe cases, such as a distributed denial of service attack, this can represent a substantial vulnerability to your network.
1.2 Solution

The Security Filter augments the capabilities of Microsoft's Lync Edge Server to provide a soft lockout. The Security Filter is designed to track denied authentication attempts and block further login attempts before the AD lockout limit is reached. This provides an additional tier of account security, safely locking the account out of the extranet only. The Security Filter prevents password guessing on the extranet by blocking authentication attempts for an account once the number of failed authentication attempts reaches a threshold. Even while the account is locked out of the extranet, the user can still log in from within your corporate network or through a VPN. Thus the DoS risk is substantially mitigated with minimal inconvenience.

The Security Filter can also force external users to log in to Lync Server from a corporate-issued computer. By blocking NTLM authentication, external users are forced to sign in using TLS-DSK authentication, which requires a client certificate that is installed on the user's computer while it is connected to the corporate network.

2 Functionality

In this extraordinarily interconnected world, companies want to allow the utmost flexibility and mobility for their employees, many of whom may work remotely. Consequently, almost every organization exposes services to the Internet. However, there is always the threat of attacks. Companies are particularly concerned with Denial of Service (DoS) and password brute-force attacks. These types of attacks can be disruptive to users and consume internal server resources.

The primary trouble with DoS attacks is that they are nearly indistinguishable from legitimate sign-in requests. The only differentiation is the frequency of sign-in attempts and their origin. A large number of sign-in attempts in rapid succession can be indicative of a DoS attack.

Most DoS attacks attempt to guess the user's password to gain unauthorized access. They often result in locking out the user account if the account lockout policy is enabled in Active Directory Domain Services with a maximum number of failed logon attempts.

The Microsoft Lync Edge Server protects against unauthorized access using industry-standard security measures. It monitors sign-in requests and enforces account lockout at the network perimeter. All communications are encrypted and authenticated.

The Edge Server does not, however, protect against DoS attacks. Lync Server does provide a flexible programming platform you can use to create server applications that intercept Session Initiation Protocol (SIP) messages on the server and perform specialized logic using the Microsoft SIP Processing Language (MSPL). This is how the security filter operates.

It inspects all incoming sign-in requests on the Edge Server. The remote user is not authenticated at the Edge Server, so the sign-in request is passed to the Director or directly to the internal pool, which performs the authentication. The response is then passed back through the Edge Server. The security filter inspects both the request and the response. If the sign-in fails, the security filter tracks the number of failed attempts for each user account.

The next time a client attempts to sign in to the same user account, if the number of failed attempts exceeds the maximum number of allowed sign-in attempts, the security filter immediately rejects the request without passing it to the Director or internal pool for authentication. By enforcing account lockout at the Edge Server, the security filter blocks DoS attacks at the edge of the network perimeter. As a result, it protects the internal Lync Server resources.

Using the security filter to prevent Windows NT LAN Manager (NTLM) version 2 authentication, companies can force users to sign in only from authorized company-issued laptops. With additional security measures (such as using BitLocker and Group Policy to prevent users from installing unauthorized software), the corporate-issued laptops can themselves serve as a "smartcard" to provide two-factor authentication.

To prevent brute-force attacks on user accounts, many organizations enforce an Active Directory Group Policy that locks out the account after a certain number of failed attempts. The side effect of this countermeasure is that an attacker can lock out a user's account simply by launching multiple attempts. This amounts to a DoS attack. If the account is not protected by such a policy, the attacker can instead brute-force the user's password. Either way, these attacks use up valuable internal server resources and deny users access to their accounts.

Uniquely identifying the user is the key to preventing attacks on user accounts. There are several candidates: the source IP address, the sign-in name (that is, the SIP URI), the account name, or a combination of these. On investigation, rogue clients mounting a DoS attack could spoof the source IP address, which eliminates it as a way to uniquely identify the user. The sign-in name, although required to successfully sign in to Lync Server, does not authenticate the user: a sign-in name can be varied across sign-in requests while the same user account is still being locked out. Therefore neither the source IP address nor the sign-in name is a good identifier. Only the account name uniquely identifies the user account.

The account name, which consists of the user name and domain name, can only be extracted from the authentication protocol. Remote users signing in from outside the network authenticate with NTLM v2, not Kerberos. NTLM uses a three-stage handshake; the client passes the user name and domain name (together with the response computed from the password, never the password itself) in the third stage of the handshake, the NTLM AUTHENTICATE message.

The security filter runs as a trusted server application on the Edge Server, so it is allowed to intercept this sign-in request. It decodes the user name and domain name from the NTLM authentication message. Because the account name is not available in the response, the security filter maps the response back to the request using the message ID.

When either the internal pool or the Director sends the authentication response to the Edge Server, the security filter captures the REGISTER response. If the sign-in failed, the security filter increments the failed-attempt count for that account. If the sign-in succeeds, it resets the count to zero.

Every time the Edge Server receives a sign-in request, the request is passed to the security filter, which checks whether the account has already exceeded the maximum number of failed attempts allowed. If not, the security filter allows the request to continue to the internal pool or the Director. If it has, the security filter blocks the request and returns a 403 response, summarily rejecting it. Any further sign-in attempts for that account are rejected for the duration of the lockout period. After the lockout period expires, the count is reset and new sign-in requests are permitted.

One problem can occur when users sign in from a computer that is not joined to the corporate Active Directory domain. Lync 2013/2010 can automatically attempt to sign in using the user's local computer credentials. Because those credentials are not corporate domain credentials, the authentication fails, and the user would eventually be blocked from signing in to Lync Server. To prevent the security filter from locking out valid users, it does not count these attempts against the user.

Lync Server 2010 introduced support for an additional authentication protocol called TLS-DSK. This requires the user to present a client certificate for authentication. The Lync client requests the certificate from Lync Server automatically the first time the user signs in from within the corporate network, where the user is authenticated using Kerberos. This client certificate is then used for authentication on subsequent sign-ins. The certificate is issued by Lync Server itself, not by a Certificate Authority. If the same user signs in to Lync from a different computer, he is authenticated using Kerberos (inside the corporate network) or NTLM v2 (outside the corporate network), and the process of obtaining a client certificate starts over for that computer.

TLS-DSK provides a level of security very close to two-factor authentication. Combined with Windows BitLocker, the computer or laptop acts as the equivalent of a smartcard (something you have), and the password or PIN that BitLocker requires to boot the computer is equivalent to the PIN that authorizes use of the smartcard (something you know).

There is a remote possibility that someone could steal the client certificate from the user's computer, but you can mitigate this risk: make sure corporate-issued computers are locked down to prevent users from installing unauthorized applications.

Unless NTLM v2 is disabled, the authentication protocol can still be negotiated down from TLS-DSK to NTLM v2 at the Edge Server, and an attacker can then target the user's account as discussed earlier. To prevent this scenario, the security filter provides an option to reject all NTLM v2 authentication requests, forcing TLS-DSK-only authentication.
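The request and response handling described in this section, modelled in PowerShell as an added example; this is not the Lync-S product's code (which is an MSPL/managed server application) and is not taken from the document. It assumes that the NTLM AUTHENTICATE message travels base64-encoded in the gssapi-data parameter of the SIP Authorization header, that Call-ID plus CSeq identify a request/response pair, and it uses assumed defaults of 3 attempts and a 15-minute lockout. The SIP messages, the NetBIOS domain list and the account names are constructed sample data.

```powershell
# Added example, not the Lync-S product's code: a model of the Security Filter's request and
# response handling from section 2. Assumed: the NTLM AUTHENTICATE message travels base64-encoded
# in the gssapi-data parameter of the SIP Authorization header, and Call-ID plus CSeq identify a
# request/response pair. The SIP messages, account names and defaults below are constructed.
$Config = @{ Threshold = 3; LockoutMinutes = 15; BlockNtlm = $false     # assumed defaults; BlockNtlm $true = TLS-DSK only
             Domains = @('woodgrovebank', 'contoso', 'fabrikam') }      # NetBIOS domains whose failures are counted
$Failures = @{}   # "domain\user" -> @{ Failed = n; LockedUntil = [datetime] or $null }
$Pending  = @{}   # message id -> account, so a response can be mapped back to its request

function Add-NtlmField($List, [int]$Len, [int]$Offset) {               # Len, MaxLen, BufferOffset
    $List.AddRange([BitConverter]::GetBytes([uint16]$Len)); $List.AddRange([BitConverter]::GetBytes([uint16]$Len))
    $List.AddRange([BitConverter]::GetBytes([uint32]$Offset))
}

# Build a minimal NTLM AUTHENTICATE (type 3) message, MS-NLMP 2.2.1.3, with UTF-16LE strings.
# Used only to construct sample input; the LM/NT responses are left empty.
function New-NtlmAuthenticate([string]$Domain, [string]$User) {
    $d = [Text.Encoding]::Unicode.GetBytes($Domain); $u = [Text.Encoding]::Unicode.GetBytes($User)
    $m = New-Object Collections.Generic.List[byte]
    $m.AddRange([Text.Encoding]::ASCII.GetBytes("NTLMSSP`0"))           # Signature
    $m.AddRange([BitConverter]::GetBytes([uint32]3))                     # MessageType = AUTHENTICATE
    Add-NtlmField $m 0 64; Add-NtlmField $m 0 64                         # LmChallengeResponse, NtChallengeResponse
    Add-NtlmField $m $d.Length 64                                        # DomainName
    Add-NtlmField $m $u.Length (64 + $d.Length)                          # UserName
    $end = 64 + $d.Length + $u.Length
    Add-NtlmField $m 0 $end; Add-NtlmField $m 0 $end                     # Workstation, EncryptedRandomSessionKey
    $m.AddRange([BitConverter]::GetBytes([uint32]1))                     # NegotiateFlags: NTLMSSP_NEGOTIATE_UNICODE
    $m.AddRange($d); $m.AddRange($u)                                     # Payload starts at offset 64
    [Convert]::ToBase64String($m.ToArray())
}

# Decode "domain\user" from the third NTLM message, as the filter does on the Edge Server. The bytes
# come from an unauthenticated remote client, so each length/offset pair is bounds-checked first.
function Get-NtlmAccount([string]$GssapiData) {
    try { $b = [Convert]::FromBase64String($GssapiData) } catch { return $null }
    if ($b.Length -lt 64 -or [Text.Encoding]::ASCII.GetString($b, 0, 8) -ne "NTLMSSP`0" -or
        [BitConverter]::ToUInt32($b, 8) -ne 3) { return $null }         # not a type 3 message
    $enc = if ([BitConverter]::ToUInt32($b, 60) -band 1) { [Text.Encoding]::Unicode } else { [Text.Encoding]::ASCII }
    $read = { param($fieldOffset)
        $len = [long][BitConverter]::ToUInt16($b, $fieldOffset); $pos = [long][BitConverter]::ToUInt32($b, $fieldOffset + 4)
        if ($pos + $len -gt $b.Length) { return $null }                  # truncated or hostile length field
        $enc.GetString($b, $pos, $len) }
    $domain = & $read 28; $user = & $read 36                             # DomainNameFields, UserNameFields
    if ($null -eq $domain -or -not $user) { return $null }
    "$domain\$user"
}

function Get-MessageId([string]$Sip) {
    [regex]::Match($Sip, '(?m)^Call-ID:\s*(\S+)').Groups[1].Value + '/' +
        [regex]::Match($Sip, '(?m)^CSeq:\s*(\d+)').Groups[1].Value
}

# Called for every REGISTER the Edge Server receives: 'forward' to the Director/pool, or '403'.
function Test-SignInRequest([string]$Sip) {
    $scheme = [regex]::Match($Sip, '(?m)^(?:Proxy-)?Authorization:\s*([\w-]+)').Groups[1].Value
    if ($scheme -ne 'NTLM') { return 'forward' }                         # TLS-DSK, or the unauthenticated first leg
    if ($Config.BlockNtlm) { return '403' }                              # TLS-DSK-only mode: reject NTLM outright
    $account = Get-NtlmAccount ([regex]::Match($Sip, 'gssapi-data="([^"]+)"').Groups[1].Value)
    if (-not $account) { return 'forward' }                              # NEGOTIATE leg: no account name yet
    $entry = $Failures[$account]
    if ($entry -and $entry.LockedUntil) {
        if ($entry.LockedUntil -gt (Get-Date)) { return '403' }          # soft lockout active: reject at the edge
        $Failures.Remove($account)                                       # lockout period over: counter reset
    }
    $Pending[(Get-MessageId $Sip)] = $account
    'forward'
}

# Called for every REGISTER response the pool or Director returns through the Edge Server.
function Register-SignInResponse([string]$Sip, [int]$Status) {
    $id = Get-MessageId $Sip; $account = $Pending[$id]
    if (-not $account) { return }                                        # not a tracked request
    $Pending.Remove($id)
    if ($Config.Domains -notcontains $account.Split('\')[0]) { return } # local PC credentials: never counted
    if ($Status -lt 400) { $Failures.Remove($account); return }          # success resets the count to zero
    if (-not $Failures[$account]) { $Failures[$account] = @{ Failed = 0; LockedUntil = $null } }
    $entry = $Failures[$account]; $entry.Failed++
    if ($entry.Failed -ge $Config.Threshold) { $entry.LockedUntil = (Get-Date).AddMinutes($Config.LockoutMinutes) }
}

# Walk-through: four guesses against contoso\bob from the Internet, then one attempt carrying
# local computer credentials from a laptop that is not joined to the domain.
function New-Register([string]$CallId, [int]$CSeq, [string]$Gssapi) {
    "REGISTER sip:woodgrovebank.com SIP/2.0`r`nCall-ID: $CallId`r`nCSeq: $CSeq REGISTER`r`n" +
    "Authorization: NTLM qop=`"auth`", realm=`"SIP Communications Service`", gssapi-data=`"$Gssapi`"`r`n`r`n"
}
$bob = New-NtlmAuthenticate 'contoso' 'bob'
foreach ($i in 1..4) {
    $r = New-Register 'atk@203.0.113.9' $i $bob
    $verdict = Test-SignInRequest $r
    if ($verdict -eq 'forward') { Register-SignInResponse $r 401 }      # the pool rejects the wrong password
    "attempt $i for contoso\bob -> $verdict"                             # 1 to 3: forward, 4: 403
}
$local = New-Register 'bobpc@198.51.100.7' 1 (New-NtlmAuthenticate 'BOB-LAPTOP' 'bob')
$null = Test-SignInRequest $local; Register-SignInResponse $local 401
"BOB-LAPTOP\bob counted: $($Failures.ContainsKey('BOB-LAPTOP\bob'))"     # False: not a corporate domain
```

Two details matter for a filter that sits on the Internet-facing side. The type 3 message is parsed with its own length and offset fields, and those fields come from an unauthenticated client, so every one of them is checked against the message length before any bytes are read. The domain part of the decoded account is compared against the configured NetBIOS domains, which is what keeps a laptop's local credentials (BOB-LAPTOP\bob above) from ever counting against the corporate account contoso\bob.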
Rejecting NTLM v2 in this way does not affect federated partner connections or PIC connections.

3 Security Filter Design

The Security Filter registers with the Edge Server on which it is collocated. It intercepts all SIP REGISTER requests, extracts the user's unique login name, and tracks the number of failed login responses sent back to the remote client. When the number of failed login attempts exceeds an administrator-specified threshold, the Security Filter blocks all further login attempts for that account until the lockout period expires. This is illustrated in Figure 1, which shows the Security Filter design.

Figure 1 Security Filter Architecture

4 Security Filter Editions

The Security Filter is available in two editions.

Standard Edition
The Standard Edition is the right choice for a single Lync Edge Server deployment. It has none of the additional requirements of the Enterprise Edition, such as a Microsoft SQL database, and its installation procedure is simple.

Enterprise Edition
Deployments with multiple Edge Servers should deploy the Enterprise Edition. The Enterprise Edition is a two-tier architecture: every Edge Server with the Security Filter installed logs information about bad login attempts to a Microsoft SQL database, which guarantees that all Edge Servers share the same view of the current bad-login status. Without the shared database, each Edge Server would only see the failed attempts that passed through it.

5 Considerations

5.1 Microsoft Exchange

The Security Filter prevents DoS attacks through the Lync Edge Server. Bear in mind, however, that Lync clients outside the company network also authenticate users against the Microsoft Exchange environment in order to access the Exchange Availability Service and Unified Messaging information from the Internet. It is strongly recommended to implement a solution with the same functionality for Microsoft Exchange.

5.1.1 Microsoft Unified Access Gateway (UAG) 2010

If you use Microsoft UAG 2010 for Exchange publishing, you can configure settings similar to those of the Security Filter in the Advanced Trunk Configuration settings. For more information about Microsoft UAG, visit the Microsoft TechNet site for UAG.

5.1.2 Microsoft Threat Management Gateway (TMG) 2010

If you use Microsoft TMG 2010 for Lync publishing, consider using the Security Web Filter for TMG to prevent similar kinds of attacks. In addition to DoS and password brute-force attacks, the Security Web Filter performs deep packet inspection for XSS and SOAP-layer attacks.

6 Requirements

The Microsoft .NET Framework 4, with the latest available patches for the .NET Framework, must be installed on the Lync Edge Server before you start the Security Filter installation.

Create a service account on the Lync Edge Server and make this account a member of the RTC Server Applications group (see Figure 2).

Figure 2 Service account for the Security Filter

7 Install Procedure

7.1 Prepare Lync Edge Server

Before you can run the Security Filter, you must register the application with your Edge Server. This registration is needed only once. Run the following Lync Server 2013/2010 Windows PowerShell cmdlets with Lync Server administrative permissions:

1. Run the following cmdlet from any Lync Server except the Edge Server to register the security_filter application. Specify the fully qualified domain name (FQDN) of the Edge Server in the -Identity parameter, and KEEP the -Uri parameter value set to /security_filter.
new-CsServerApplication -identity EdgeServer:/security_filter -uri /security_filter -critical $false

2. Run the following cmdlet to initiate replication of the Central Management Store configuration to the Edge Server.

invoke-CsManagementStoreReplication

3. Run the following cmdlet on the Edge Server to verify that security_filter is registered correctly.

get-CsServerApplication -localstore

4. Run the following cmdlet from any Lync Server except the Edge Server to enable the application. Specify the FQDN of the Edge Server in the -Identity parameter.

Set-CsServerApplication -Identity "service:/security_filter" -Enabled $true

7.2 Installation on the Lync Edge Server

The Security Filter requires the .NET Framework 4 and all available patches for that version of the framework. This prerequisite can be downloaded here. The following steps set up the Security Filter on your Edge Server.

- Once you have downloaded the Security Filter, run setup.exe with local administrator privileges. The Security Filter package comprises two files: SecurityFilterSetup.msi and Setup.exe.
- Click Next.
- This page lists the PowerShell cmdlets that must be run to register the Security Filter with your Edge Server. These steps are detailed in the previous section, Prepare Lync Edge Server.
- Click Next.
- Accept the License Agreement.
- Click Next.

The Security Filter does not overwrite Active Directory's lockout counter. That value is managed internally by the domain controllers.

For the next four screens, specify the following parameters for each distinct internal Active Directory (AD) forest you have. If you have fewer than four AD forests, leave the remaining fields blank.

NetBIOS domain: This field specifies one of your internal domain names. This is the domain name used by remote users to authenticate to your internal Lync Servers when connecting through your Edge Server. For example, if your company, Woodgrove Bank, has three internal Active Directory forests (a legacy from mergers and acquisitions), , and , and employees have accounts in each of these forests, you should specify the NetBIOS name woodgrovebank as the value on this screen, and the other two forest names, contoso and fabrikam, in the same field on the subsequent two screens. These domain names are used to verify that remote users trying to sign in to Lync Server are connecting with credentials from one of these three domains (e.g. "contoso\bob"
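The four registration steps of section 7.1, run end to end as one script; this is an added example and not part of the Lync-S documentation. It runs from an internal Lync Server (not the Edge Server), takes the Edge Server FQDN as a parameter, and assumes the application identity has the form EdgeServer:<FQDN>/security_filter as the prose of step 1 describes. The wait for replication and the final check use the standard Lync Server cmdlets Get-CsManagementStoreReplicationStatus and Get-CsServerApplication; the five-minute timeout and the example host name are assumptions.

```powershell
# Added example, not part of the Lync-S documentation: section 7.1 as a single script run from
# an internal Lync Server with Lync Server administrative permissions. The identity form
# "EdgeServer:<FQDN>/security_filter" and the replication timeout are assumptions.
param(
    [Parameter(Mandatory)][string]$EdgeFqdn,      # e.g. edge01.woodgrovebank.com (placeholder)
    [string]$AppUri = '/security_filter'           # keep as documented
)
Import-Module Lync -ErrorAction Stop
$identity = "EdgeServer:$EdgeFqdn/security_filter"

# Step 1: register the application; skipped if it already exists so the script can be re-run
if (-not (Get-CsServerApplication -Identity $identity -ErrorAction SilentlyContinue)) {
    # -Critical $false: the Edge services still start if the filter ever fails to load
    New-CsServerApplication -Identity $identity -Uri $AppUri -Critical $false | Out-Null
}

# Step 2: push the Central Management Store change to the Edge Server's replica
Invoke-CsManagementStoreReplication -ReplicaFqdn $EdgeFqdn

# Step 3, seen from the internal side: wait until the Edge replica reports UpToDate. Only then
# will "get-CsServerApplication -localstore" on the Edge Server itself list the new entry.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $status = Get-CsManagementStoreReplicationStatus -ReplicaFqdn $EdgeFqdn
} until ($status.UpToDate -or (Get-Date) -gt $deadline)
if (-not $status.UpToDate) {
    throw "Replication to $EdgeFqdn did not complete; check the Replica service on the Edge Server."
}

# Step 4: enable the application
Set-CsServerApplication -Identity $identity -Enabled $true

# Verify: the application exists, is enabled and is registered as non-critical
$app = Get-CsServerApplication -Identity $identity
if (-not $app.Enabled) { throw "$identity is registered but not enabled" }
"{0}: Enabled={1} Critical={2} Uri={3}" -f $app.Identity, $app.Enabled, $app.Critical, $app.Uri
```

Because the application is registered with -Critical $false, a broken filter cannot stop the Edge services from starting; the trade-off is that the Edge Server would then run without the soft lockout, so the final Get-CsServerApplication check (and the Security Filter's own monitoring, section 10) is what tells you the protection is actually in place.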