Skype for Business: Hardening The Backend Databases
We all know that Lync uses SQL server to store it’s backend databases such as the Central Management Store. However, do we pay much attention as to how the Lync Front End servers connect to the database? Let’s look at a scenario.
You have 3 front end enterprise edition servers in a single pool. You are using SQL server 2012 as a backend database server for the Lync databases. This SQL server has multiple instances running other LoB applications. The installation of SQL was completed only accepting the default settings from the SQL installer.
So what security implications does this have on your SQL estate? To begin with SQL will use the static TCP port of 1433 to allow external connections access to the default instance (usually MSSQL) and TCP port 1434 for the SQL Browser service. The SQL browser service is used to allow connections to databases from external clients to other instances on the same SQL server that use dynamic ports. This means the client does not need to know which port the SQL server has assigned to the backend database and therefore only requires the SQL server name or IP address and the name of the SQL instance to target. Using dynamic ports also means that your machine firewall is perhaps not as effective as it should be as you have to allow the high end ports between 49152 and 65535 through the firewall to cater for your SQL instances using dynamic ports.
This makes the life of an attacker a little easier, because not only do they need is attack to port TCP 1434, they also have a large attack surface they can manipulate in this range. You may have another application or service running on your SQL server that uses a port or 2 in the dynamic port range, which would give the attacker another opportunity to seek access.
To make their lives a little harder, we should be attempting to restrict these high end ports and tightening our firewall. How do we do this?
The answer is simply assigning static ports to each of your database instances. You cannot have the same port assigned to multiple instances. How this affects Lync will become apparent later but for now lets concentrate on hardening the SQL server.
Note this will cause downtime – so do this Out of Hours!
- Open SQL Server network configuration manager and select Protocol for (SQL Instance)
- Edit the TCP/IP properties and click on IP Addresses Tab
- You will notice many IP Addresses. Go through each one and clear the dynamic ports field.
- In the TCP Port field for each IP Address variant, enter the new static port that will be assigned to this instance. I recommend using mid-range ports around the 25,000-35,000 range and stay away from all the zeros! don’t use 25000, its easy to guess, use something like 25493 instead
- Repeat this for the rest of your instances
- Open Windows Firewall if you use it (or your computer firewall of choice) and block all inbound connections apart from RDP, and the static ports you have assigned to your SQL instances. (use caution with this, when I say all, take into consideration your environment, you may need to allow other services and ports in.)
- Now Open Windows Services Management Console and stop the SQL Browser Service. Change the start-up mode to disabled.
- Restart the SQL Server Services for each instance for the changes to take affect
By now you would have secured the SQL server as best you can against attacks and reduced its attack surface quite dramatically. However, all those applications that depend on SQL browser and dynamic ports will now be unable to connect to the databases. For the purpose of this article I am covering Lync FE servers, but the same principle can be used for other applications.
Now to reconnect the Lync servers back to the databases
- On the primary front end server logon as an administrator
- From windows start type in cliconfig.exe
- From the SQL Client Network Utility select the Alias tab and click Add
- In the server alias field enter the name “LyncDatabases“
- Under Network libraries select TCP/IP
- In the connection parameters enter the SQL Server name in the format of sqlserver.domain.com\lyncinstancename
- In the Port Number field enter the static port you used for the Lync DB instance e.g. 25493
- Deselect the Dynamically determine port option
- Press OK
Now we need to apply the same settings to the other Lync Front End Servers. To do this you can export the following reg key from the server you have just configured HKLM\software\Microsoft\mssqlserver\client\connecto to a .reg file. Simply copy this to your other FE servers and run the reg file.
Now attackers must perform a port scan to determine open ports which you can protect against at the network layer or with Anti-virus capable software.
Next Steps: For those who want to go further you can enable Transparent Data Encryption (TDE) which is supported by Lync 2013. More on TDE here: https://msdn.microsoft.com/en-gb/library/bb934049.aspx
Mark is an Independent Microsoft Teams Consultant with over 15 years experience in Microsoft Technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference and former MVP. You can follow him on twitter @UnifiedVale