Compass Security Blog

Offensive Defense

Lync – Privacy Configuration

We have shortly described the Lync federations in a previous post. With the usage of federations the question comes about the privacy and the security of the user’s information (e.g. presence information). There are scenarios where an employee doesn’t answer the phone but is mentioned as “available” in Lync. This could lead to a misunderstanding and bad mood at the customer’s or a partner’s side because the person “should” be available. Other scenarios involve e.g. stalking a given person using his present / idling status. These are just two practical examples – without mentioning any legal aspect – why there are good reasons to restrict access to this kind of information.

A further restriction could be set to only allow communication request of persons who are already in the contact list. Lync doesn’t offer many options for this. So in this post we try to show you the spot to look at to enhance privacy in Lync.

The following cmdlets are involved depending on your infrastructure:

  • CsPrivacyConfiguration
  • CsAccessEdgeConfiguration
  • CsHostingProvider
  • CsPublicProvider

Lync offers an option to limit access to your presence information to the people you already have in your contact list. Unfortunately, there is no distinction of corporation: you can’t just give access to your presence information to people of your company while restricting access for federated contacts present in your contact list. So either restrict access for all or nobody in your contact list.

Quote from “Configuring Enhanced Presence Privacy Mode” [2]:

“With enhanced presence privacy mode, users can restrict their presence information so that it is visible only to the contacts listed in their Lync 2013 Contacts list. The New-CsPrivacyConfiguration and Set-CsPrivacyConfiguration cmdlets have an EnablePrivacyMode parameter controls this option. When EnablePrivacyMode is set to True, the option to restrict presence information to contacts becomes available in the Lync 2013 Status options. When EnablePrivacyMode is set to False, users can choose either to always allow everyone to see their presence information or to adhere to any future changes the administrator makes to the privacy mode.”

PS> Get-CsPrivacyConfiguration

Identity : Global
EnablePrivacyMode : True
AutoInitiateContacts : False
PublishLocationDataDefault : False
DisplayPublishedPhotoDefault : False

Further quote from [2]:
“[…]Lync 2013 and Lync 2010 privacy settings are not honored by previous versions (Microsoft Office Communicator 2007 R2 or Microsoft Office Communicator 2007). If previous versions of Office Communicator are allowed to sign in, a Lync 2013 user’s status, contact information, or picture could be viewed by someone who has not been authorized to view it […]

In a migration scenario and due to these aforementioned compatibility reasons, enforce the following points before you enable enhanced presence privacy mode:

  • Ensure that every user has Lync 2013 installed.
  • Define a client version policy rule to prevent previous versions of Communicator from signing in.

[…]”

Lync Server 2013 has public provider configurations for America Online, Windows Live and Yahoo! instant messaging. Each public provider is configured with the provider’s Edge server fully qualified domain name, and the default verification level is set to “Allow users to communicate only with people on their Contacts list who use this provider” (CsHostingProvider and CsPublicProvider). This default setting will limit communication to contacts that you have accepted and are in your contact list.

Selecting “Allow users to communicate with everyone using this provider” removes the restriction. Anyone can now retrieve your presence information, without you received and accepted a contact invite. This setting does not limit who can contact you from the public provider’s network.

A further VerificationLevel property is used to monitor and assess the verification level of incoming messages (CsAccessEdgeConfiguration, [3]). Valid values are:

  • AlwaysVerifiable: All requests received on the default route are marked as verified. If a verification header is not present it will automatically be added to the message.
  • AlwaysUnverifiable: Messages are passed only if the addressee (the user the message is intended for) has configured an Allow ACE (access control entry) for the person who sent the message.
  • UseSourceVerification: Message verification is based on the verification level included with the message. If no verification header is present then the message will be marked as unverified.

We strongly recommend to use “AlwaysUnverifiable” for the VerificationLevel.

Conclusion
There are not many options to limit access to presence information and how the communication is established to federated users, but the few options should be evaluated during the implementation phase. With the privacy setting, the users are able to restrict access to their presence information for those people who are on their contact list.

We recommend to use the privacy mode and to restrict the communication establishment as strictly as possible.

References
[1] Privacy supplement for Microsoft Lync 2013, http://office.microsoft.com/en-us/lync-help/privacy-supplement-for-microsoft-lync-2013-HA102762444.aspx, last visited 26.01.2014
[2] Configuring Enhanced Presence Privacy Mode, http://technet.microsoft.com/en-us/library/gg399028.aspx, last visited 26.01.2014
[3] Set-CsAccessEdgeConfiguration, http://technet.microsoft.com/en-us/library/gg413017.aspx, last visited 26.01.2014

2 Comments

  1. Steven

    Hello,
    from the documentation of set-csPublicProvider, it is said: “Note that Lync 2013 users can manually override this setting, thereby allowing themselves to receive messages people not on their Contacts list.”
    Do you know which parameter is it?
    Is there is a way to avoid this client side overriding?

    • Andreas Hunkeler

      Hi Steven,

      I don’t know a way to prevent that. These settings are client-side settings and not stored on the server.

      There is the Alert tab within the Lync options, where you can further specify the behavior for non-contacts (Contacts not using Lync).

      Regard,
      Andreas

Leave a Reply

Your email address will not be published. Required fields are marked *