Secure Your Meetings Now–No More Excuses!
In Skype for Business you can choose from two meeting creation types, secure or dedicated meeting space. During my time on deployments I always recommend and try to steer customers down the secure route as it avoids a multitude of situations around conference bleeding. Imagine having a conversation with management discussing an employee’s future, and you’re having a meeting with the employee immediately after the meeting. Maybe you leave 15 minute gap, but the meeting runs over by several minutes, then the employee joins early expecting silence but hears you talking about how to best fire them! Sticky situation right?
However, some choose to go down the dedicated route because “its easier”. But ease often comes with compromise. Aside from the conference bleeding, if not used in the correct manner then you leave yourself open to some serious abuse. Not only from internal users, but anonymous users as well that could have some serious impacts on your business from financial to corporate espionage!
Did you know its relatively easy to find a conference on the internet? Even if you don’t have the meeting URL? Dedicated meetings make it super easy, while secure meetings a lot harder.
Google “Skype for Business Web App” and go to page 3 onwards (actually look who is on page 1….) and you will see some names with URLs like join.domain.com/meet/user.name/meetid
Notice that dedicated Meeting IDs are exposed (Last result). Undefined means that the conference has expired and no longer available. On the meetings that have an ID you can click to join them anonymously using the Skype for Business Web App
After that you are at the mercy of the conference policy applied to the conference organizer! If it allows anonymous users to dial out, then any one can use this conference to dial out to the PSTN and call whoever they want for free (well to them at least!). If you have added any attachments or other meeting content this is also accessible by the anonymous user (policy dependent).
So now do you want to secure your meetings?….. I thought so!
There are some valid reasons to use dedicated meeting spaces, but if you are using conferences for internal private communication then it really should be secure. The problem here is that meeting join pages are can be indexed by search engines. So you need to take action to prevent indexing as well as employing adequate conference policies that protect you in a last line of defence against fraud or espionage.
Ensure that your conference policy applies the following permissions
- Allow Anonymous Dial Out set to false
- Profile your users, do you need to allow anonymous users into a meeting for some of the user departments?
- Allow External users to save content set to false
- Allow external users to record meetings set to false
- Make sure you do not allow anyone to bypass the lobby
There are others that you may consider, full settings found here: https://technet.microsoft.com/en-us/library/gg425788.aspx
Block search engines from indexing your meeting url. You can do this using IIS on the External Skype for Business Website on ALL your front end servers. You can do this in multiple ways and no single way really is 100% fool proof. The most obvious method is to use a robots.txt file located in the root of the External Skype for Business website. Most reputable search engines use this file to figure out if they are supposed to index or not.
- Create a text file in the root of the External Website folder for Skype for Business called robots.txt
- Add the following code and save it.
# Make changes for all web spiders User-agent: * Disallow: /
The second method you can use is to use the HTTP Response Header
- Open IIS Manager
- Click on the Server name
- Then click on HTTP Response Headers and open it
- Click Add to add a new response
- In the Name field enter X-Robots-Tag
- In the Value field enter noindex
You could also deploy IIS Search Engine Optimization module from the IIS Web Gallery and control indexing via a UI. More Information here: https://docs.microsoft.com/en-us/iis/extensions/iis-search-engine-optimization-toolkit/managing-robotstxt-and-sitemap-files
If you find that your meetings have been indexed, I recommend that the immediate course of action is to re generate your conference IDs and delete your old conference(s) (every event that uses the same ID) out of your Outlook calendar. This will deactivate the conference on all conference servers making it unavailable to join.
Then you should request that the search engine removes the link from their search. Here are the removal links for the major engines
Yahoo – Does not have a removal tool – so you’ll just need to sit tight
Mark is an Independent Microsoft Teams Consultant with over 15 years experience in Microsoft Technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference and former MVP. You can follow him on twitter @UnifiedVale