Disallow Microsoft Lync to automatically detect and securely communicate with SIP servers that have non-standard fully-qualified domain names (FQDNs).

Note: This policy setting takes effect only if Microsoft Lync uses "automatic configuration" to query DNS for a list of SIP servers, and only if Microsoft Lync communicates with the SIP server using the TLS transport. In this case, the set of supported server FQDNs depends on the SIP URI of the user who starts Microsoft Lync.

For example, if you disable or do not configure this policy setting, and the domain portion of the user's SIP URI is EXAMPLE.COM (for instance SIP:<user>@EXAMPLE.COM, where <user> is a placeholder), Microsoft Lync can communicate with a SIP server over TLS transport only if its FQDN is either EXAMPLE.COM or SIP.EXAMPLE.COM. In other words, the FQDN of the server must exactly match the domain portion of the user's SIP URI, or else it must be "SIP." followed by the domain portion of the user's SIP URI. This prevents a "man-in-the-middle" vulnerability: an attacker who can observe the UDP message the client sends to perform the DNS lookup can answer it with the name of an unauthorized SIP server. The attacker could then impersonate a trusted user, or the rogue server could cause the client to authenticate using weak encryption. 

However, if you enable this policy setting, Microsoft Lync can communicate in TLS transport with any SIP server whose FQDN ends with the domain portion of the user's SIP URI. Continuing the previous example, by enabling this policy setting you allow Microsoft Lync to communicate with servers named SIP.DIVISION.EXAMPLE.COM or LC.EXAMPLE.COM. The cost is that an attacker can answer the initial DNS query with a response naming a server such as ATTACKER.EXAMPLE.COM, which also satisfies the relaxed check.
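The strict and relaxed FQDN rules described in the two paragraphs above, modelled in Python as an added example (this is not Microsoft's code and not taken from the Lync client). The SIP URI, the server names and the "SRV targets" list are constructed inputs; one deliberate choice that goes slightly beyond the text is that the relaxed rule requires a label boundary (".EXAMPLE.COM"), since a bare suffix match would also accept a name like NOTEXAMPLE.COM.

```python
"""Model of the SIP-server FQDN check Lync applies to DNS-discovered servers
when it uses TLS transport: strict (default) versus relaxed (policy enabled).
Example code added to this page; not the Lync client's own implementation."""

from typing import Iterable, List


def sip_domain(sip_uri: str) -> str:
    """Return the lower-cased domain portion of a SIP URI (sip:user@example.com)."""
    uri = sip_uri.strip()
    lowered = uri.lower()
    for scheme in ("sips:", "sip:"):
        if lowered.startswith(scheme):
            uri = uri[len(scheme):]
            break
    if "@" not in uri:
        raise ValueError("SIP URI has no domain portion: %r" % sip_uri)
    host = uri.rsplit("@", 1)[1]
    # Drop any ;parameters or :port after the host name (host names only;
    # bracketed IPv6 literals are not handled in this illustration).
    host = host.split(";", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def _normalise(fqdn: str) -> str:
    """Case-fold and drop a trailing dot so DNS names compare consistently."""
    return fqdn.strip().lower().rstrip(".")


def strict_name_ok(server_fqdn: str, sip_uri: str) -> bool:
    """Policy disabled/not configured: FQDN must be <domain> or sip.<domain>."""
    domain = sip_domain(sip_uri)
    fqdn = _normalise(server_fqdn)
    return fqdn == domain or fqdn == "sip." + domain


def relaxed_name_ok(server_fqdn: str, sip_uri: str) -> bool:
    """Policy enabled: any FQDN under the user's SIP domain is accepted.
    A label boundary is required (assumption of this example) so that
    notexample.com is not treated as being under example.com."""
    domain = sip_domain(sip_uri)
    fqdn = _normalise(server_fqdn)
    return fqdn == domain or fqdn.endswith("." + domain)


def accepted_servers(srv_targets: Iterable[str], sip_uri: str,
                     allow_nonstandard_fqdns: bool) -> List[str]:
    """Filter DNS-discovered server names with the rule the policy selects."""
    check = relaxed_name_ok if allow_nonstandard_fqdns else strict_name_ok
    return [target for target in srv_targets if check(target, sip_uri)]


# Constructed sample: names a resolver (or a spoofed DNS answer) might return.
USER_URI = "sip:user@example.com"            # placeholder user
SAMPLE_TARGETS = [
    "SIP.EXAMPLE.COM",                        # standard name
    "example.com",                            # standard name
    "sip.division.example.com",               # legitimate non-standard name
    "lc.example.com",                         # legitimate non-standard name
    "attacker.example.com",                   # spoofed answer, same domain
    "example.com.attacker.net",               # spoofed answer, other domain
    "notexample.com",                         # suffix-only look-alike
]

if __name__ == "__main__":
    for enabled in (False, True):
        mode = "enabled" if enabled else "disabled"
        print("policy %s: %s" % (mode, accepted_servers(SAMPLE_TARGETS, USER_URI, enabled)))
```

With the policy disabled only the two standard names survive; with it enabled the division and LC servers are reachable, but so is ATTACKER.EXAMPLE.COM, which is exactly the trade-off the policy text describes. Names outside the user's domain are rejected in both modes.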

Note: You can configure this policy setting under both Computer Configuration and User Configuration, but the policy setting under Computer Configuration takes precedence.

Note: In Communicator 2.0 Beta 3 this policy setting is disabled by default, and Communicator might be vulnerable to a man-in-the-middle attack. Enabling this policy is strongly recommended.