Microsoft Skype for Business 2016 Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2016-11-02
  • Released: 2016-11-14

The Microsoft Skype for Business 2016 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
The ability to store user passwords in Skype must be disabled.
CM-6 - Medium - CCI-000366 - V-70901 - SV-85525r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
DTOO420
Vuln IDs
  • V-70901
Rule IDs
  • SV-85525r1_rule
Allows Microsoft Lync to store user passwords. If you enable this policy setting, Microsoft Lync can store a password on request from the user. If you disable this policy setting, Microsoft Lync cannot store a password. If you do not configure this policy setting and the user logs on to a domain, Microsoft Lync does not store the password. If you do not configure this policy setting and the user does not log on to a domain (for example, if the user logs on to a workgroup), Microsoft Lync can store the password. Note: You can configure this policy setting under both Computer Configuration and User Configuration, but the policy setting under Computer Configuration takes precedence.
Checks: C-71345r2_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies "Allow storage of user passwords" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\office\16.0\lync

Criteria: If the value savepassword is REG_DWORD = 0, this is not a finding.

Fix: F-77233r1_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies "Allow storage of user passwords" to "Disabled".

Session Initiation Protocol (SIP) security mode must be configured.
SC-23 - Medium - CCI-001184 - V-70903 - SV-85527r1_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
DTOO421
Vuln IDs
  • V-70903
Rule IDs
  • SV-85527r1_rule
When Lync connects to the server, it supports various authentication mechanisms. This policy allows the user to specify whether Digest and Basic authentication are supported.
  • Disabled (default): NTLM/Kerberos/TLS-DSK/Digest/Basic
  • Enabled: Authentication mechanisms: NTLM/Kerberos/TLS-DSK. GAL download: requires HTTPS if the user is not logged in as an internal user.
Checks: C-71347r2_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies "Configure SIP security mode" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\office\16.0\lync

Criteria: If the value enablesiphighsecuritymode is REG_DWORD = 1, this is not a finding.

Fix: F-77235r1_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies "Configure SIP security mode" to "Enabled".

In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from resorting to the unencrypted HTTP.
SC-23 - Medium - CCI-001184 - V-70905 - SV-85529r1_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
DTOO422
Vuln IDs
  • V-70905
Rule IDs
  • SV-85529r1_rule
Prevents HTTP from being used for the SIP connection if the TLS or TCP connection fails.
Checks: C-71349r3_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies "Disable HTTP fallback for SIP connection" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\office\16.0\lync

Criteria: If the value disablehttpconnect is REG_DWORD = 1, this is not a finding.

Fix: F-77237r1_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies "Disable HTTP fallback for SIP connection" to "Enabled".
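The three checks above (DTOO420, DTOO421, DTOO422) all read a REG_DWORD under the same policy key, so they can be audited together. The following PowerShell script is an added example and is not part of the STIG or of any DISA tooling. It takes the key path, value names and expected data directly from the check text; the function names Test-LyncStigValue and Set-LyncStigValue and the -Remediate switch are this example's own. A value that is absent is reported as a finding, because the criteria only accept the stated REG_DWORD data, and "Not Configured" leaves Lync free to store passwords on non-domain logons or to fall back to Digest/Basic/HTTP.

```powershell
# Added audit example (not part of the STIG): checks the three Skype for
# Business 2016 registry values called out by DTOO420, DTOO421 and DTOO422
# and reports each as "Not a finding" or "Finding" per the check criteria.
# -Remediate (an assumption of this example) writes the values the Fix text
# requires; in a domain, set them through Group Policy instead so they are
# enforced and not silently reverted.
[CmdletBinding()]
param(
    [switch]$Remediate
)

# Key path from the check procedures (HKLM = Computer Configuration, which
# takes precedence over the User Configuration copy of these settings).
$KeyPath = 'HKLM:\Software\Policies\Microsoft\office\16.0\lync'

# Rule id, value name and required REG_DWORD data, from the check criteria.
$Requirements = @(
    @{ Rule = 'DTOO420'; Name = 'savepassword';              Expected = 0 }
    @{ Rule = 'DTOO421'; Name = 'enablesiphighsecuritymode'; Expected = 1 }
    @{ Rule = 'DTOO422'; Name = 'disablehttpconnect';        Expected = 1 }
)

function Test-LyncStigValue {
    param([string]$Rule, [string]$Path, [string]$Name, [int]$Expected)

    $actual = $null
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.$Name }
    }

    # A missing key or value means the policy is "Not Configured", which does
    # not meet the criteria, so it is a finding just like a wrong value.
    $status = if ($actual -eq $Expected) { 'Not a finding' } else { 'Finding' }

    [pscustomobject]@{
        Rule     = $Rule
        Name     = $Name
        Expected = $Expected
        Actual   = $actual
        Status   = $status
    }
}

function Set-LyncStigValue {
    param([string]$Path, [string]$Name, [int]$Value)

    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # REG_DWORD is the type the check criteria require; -Force overwrites an
    # existing value of the wrong type or data.
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$results = foreach ($req in $Requirements) {
    $r = Test-LyncStigValue -Rule $req.Rule -Path $KeyPath -Name $req.Name -Expected $req.Expected

    if ($Remediate -and $r.Status -eq 'Finding') {
        Set-LyncStigValue -Path $KeyPath -Name $req.Name -Value $req.Expected
        # Re-read so the report shows the post-fix state.
        $r = Test-LyncStigValue -Rule $req.Rule -Path $KeyPath -Name $req.Name -Expected $req.Expected
    }
    $r
}

$results | Format-Table -AutoSize

# Non-zero exit code when any rule is still a finding, so the script can be
# used from a scheduled compliance job.
if ($results.Status -contains 'Finding') { exit 1 } else { exit 0 }
```

Run it without arguments from any session to get a read-only audit; -Remediate needs an elevated session because it writes under HKLM. Because the values live under the Policies hive, a Group Policy refresh will overwrite whatever the script sets, which is the intended order of precedence: the script is for spot checks and standalone machines, the GPO path in the Fix text is the authoritative control.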