Secure your Skype/LYNC meetings

Skype for Business and Lync servers have recently been the target of “attacks” (or rather, exploits) where the attacker joins a meeting that has not expired and from there uses the dial-out feature to make thousands of calls, resulting in gigantic bills from the telco.

What happens is that attackers find

The most prominent source of attacks is people from outside the org getting their hands on the links to meetings that haven’t yet expired, or even to recurring meetings that never expire.

There are several ways of getting to these links.

Either through public search engines, via hacked O365 mailboxes, or through remote access to the client computer.

The issue with meeting URLs showing up in public search engines was fixed in December 2017, so if you have not installed that patch yet, better get to it.

Consider the following scenario in a Microsoft Skype for Business Server 2015 environment:
  • You schedule a Microsoft Skype for Business meeting
  • The meeting URL is posted somewhere publicly online
In this scenario, when you search for “Skype for Business Web App” in search engines such as Google, Bing or Yahoo, you can see the meeting URL publicly.

Additionally, other people can join the meeting randomly if you enable the anonymous meeting join feature.
But in any case I would suggest that you make sure your users know how to set their meetings to NOT let anyone into the meeting without the organizer being there.

When you create a new Skype for Business meeting, you decide who gets into the meeting directly, and who waits until you let them in. We recommend that you change these options for large meetings, or when you have confidential or sensitive info. You can set the following options in a new Skype for Business meeting by clicking Meeting Options on the Meeting tab.

From your Outlook calendar, click New Skype Meeting
In the meeting window, click Meeting Options.

The lobby is a virtual place where attendees wait to be admitted to your meeting. Options are:

| Who gets in directly? | What happens? | Recommended when… |
|---|---|---|
| Only me, the meeting organizer | You are the only one who gets into the meeting directly. Everyone else has to wait until admitted. | You have a high security meeting and confidential information. |
| People I invite from my company | Only people who were invited can join the meeting directly. Everyone else has to wait until admitted. | You’re discussing confidential information, and want to only allow specific people to join. |
| Anyone from my organization | Anyone from your company can get in to the meeting directly, even if not invited. | You don’t have external participants and you are not discussing confidential information. |
| Anyone (no restrictions) (Default option) | Anyone who has access to the meeting link gets in to the meeting directly. | You’re inviting outside participants and you’re not discussing confidential information. |

Resource accounts such as meeting rooms, conference rooms, and system accounts have a slightly different behavior for lobby options.

| Option | What happens |
|---|---|
| Only me, the meeting organizer | Resource accounts have to wait in lobby until admitted. |
| People I invite from my company | Resource accounts have to wait in lobby until admitted. |
| Anyone from my organization | Resource accounts have to wait in lobby until admitted. |
| Anyone (no restrictions) | Resource accounts get in to the meeting directly. |

Who’s a presenter? 
Presenter options control which participants are automatically given presenter privileges when you schedule the meeting. Presenters can also let people who are waiting in the lobby into the meeting. The following table describes each of these options in detail.

| Presenter option | Who is a presenter? | When to choose this option |
|---|---|---|
| Only me, the meeting organizer | Only the person who schedules the meetings | For presentations where the participants don’t have to interact with the meeting content. (You can designate additional presenters during the meeting.) |
| People I choose | You and the participants you choose | For presentations with more than one presenter. |
| Anyone from my organization (Default option) | Everyone you invite who has an account on your network | For group work sessions, where all participants work at your organization and can share and modify meeting content. |
| Anyone (no restrictions) | Everyone you invite | For group work sessions with people who don’t have an account on your network. |

Click Choose presenters to determine who among your invitees will be an attendee or presenter. You must have already added invitees to your meeting request in order to see names in this list.

(Source Microsoft)
And lastly, consider whether you want to allow anonymous participants at all. Maybe for the large number of users who only ever have internal participants, grant them a conferencing policy that does not allow them to invite anonymous attendees.
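The server-side counterpart of that advice, as an added example that is not part of the original post or of the Microsoft article: it audits the existing conferencing policies for anonymous join and anonymous dial-out, creates a restricted per-user policy, grants it, and tightens the meeting defaults. The policy name `NoAnonymousJoin` and the OU are placeholders chosen for illustration.

```powershell
# Added example; run in the Skype for Business Server Management Shell.
# Assumed names: the policy name and the OU below are placeholders.
$policyName = 'NoAnonymousJoin'
$targetOU   = 'OU=InternalOnly,DC=example,DC=com'

# 1. Audit: list every conferencing policy that lets anonymous users join
#    meetings or lets anonymous participants dial out to the PSTN.
Get-CsConferencingPolicy |
    Where-Object { $_.AllowAnonymousParticipantsInMeetings -or
                   $_.AllowAnonymousUsersToDialOut } |
    Select-Object Identity, AllowAnonymousParticipantsInMeetings,
                  AllowAnonymousUsersToDialOut, EnableDialInConferencing |
    Format-Table -AutoSize

# 2. Create a per-user policy for organizers who only host internal
#    meetings, unless it already exists.
if (-not (Get-CsConferencingPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-CsConferencingPolicy -Identity $policyName `
        -AllowAnonymousParticipantsInMeetings $false `
        -AllowAnonymousUsersToDialOut $false `
        -Description 'Organizers whose meetings have internal participants only'
}

# 3. Grant the policy to the users in the chosen OU.
Get-CsUser -OU $targetOU |
    Grant-CsConferencingPolicy -PolicyName $policyName

# 4. Tighten the defaults applied to newly scheduled meetings: anonymous
#    users are not admitted by default and PSTN callers wait in the lobby.
Set-CsMeetingConfiguration -Identity Global `
    -AdmitAnonymousUsersByDefault $false `
    -PstnCallersBypassLobby $false

# 5. Verify which policy each user in the OU now carries.
Get-CsUser -OU $targetOU |
    Select-Object SipAddress, ConferencingPolicy |
    Format-Table -AutoSize
```

The meeting configuration in step 4 only changes defaults for new meetings; meetings that are already scheduled, including recurring ones, keep the options they were created with.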

And as always – Happy Collab’ing 🙂

Comments

  1. Post
    Author
    spinnetho

    Hi Michael – Nope – there are indeed Meeting options – also for Teams. But for now, far fewer options, but more to come – you find the meeting options below the join link.
