By default, Lync provides a pretty open conferencing experience for users. It allows a fair degree of flexibility in terms of functionality after you’ve first deployed it; and I suppose this is to provide the most complete experience to users when they first try it out. In this post, I’m going to talk about why we would want to modify this default behaviour and how we can make Lync conferences more secure. The two main default behaviours that would make you want to increase conference security are:
- The same meeting URL and conference ID are assigned to the user for every meeting by default.
- PSTN callers will bypass the lobby when they join a meeting and do not need to be admitted to the meeting by a presenter. This contradicts the behaviour of a lot of audio conferencing providers today, where everybody must wait for the leader to arrive until the conference begins.
Together, these behaviours may represent a security risk to some organisations. Let’s go through how we can mitigate them.
Increasing Conference Security
This will be a pretty common requirement for an organisation that discusses sensitive information on calls, has lots of users using dial-in conferencing or is just used to this functionality from an existing provider. To do this, we need to use a Meeting Configuration. Meeting configurations in Lync can either be defined globally (so they apply to all pools everywhere), at site level (say, for all pools/users in the US or UK site) or at service level (per pool/server). I love just how granular you can get with policies/configurations in Lync. Firstly, I’m going to create a new Meeting Configuration for my St Albans site by running the cmdlet New-CsMeetingConfiguration -identity Site:StAlbans. I’m doing this because I don’t want to modify the Global Meeting Configuration.
We can see that a new meeting configuration has been created for the St Albans site with the defaults set. Now, let’s explain what all of these do and what we want to set them to in order to secure our Lync conferences.
PstnCallersBypassLobby: Setting this to True ($true) or False ($false) will define whether PSTN callers can bypass the lobby or not when they join an audio conference. If they are placed in the lobby, they have to be admitted by a presenter before they can join the conference. By default, this is set to True.
EnableAssignedConferenceType: This defines whether users are allowed to schedule public meetings. Setting it to True ($true) means they can schedule public meetings, setting it to False ($false) means they will only be able to schedule private meetings. By default, this is set to True.
AssignedConferenceTypeByDefault: If you set this to True ($true), users will schedule public meetings by default. Set it to False ($false) and users will schedule private meetings by default. By default, this is set to True.
What’s the difference between a public meeting and a private meeting?
So you’re probably saying just that – what’s the difference? For a Public Meeting, the conference ID and meeting link stay the same from meeting to meeting. When the meeting is a Private Meeting, the conference ID and meeting link will change from meeting to meeting. The latter is considered a bit more secure because it avoids users that weren’t sent the meeting invite dialling into your conference. For example, if I schedule one call for 11:00am Monday and another for 4:00pm Tuesday, each will have different meeting URLs and conference IDs.
DesignateAsPresenter: This determines what category of user is allocated presenter rights in a meeting when they join. The default is Company (i.e. anyone else on Lync in your organisation) but you may want to set this to None so only the organiser has presenter rights. Or if you’re very liberal, you can set it to Everyone.
The Difference Between a Presenter and an Attendee
Just to clarify, when we say Presenter, we’re talking about one of two roles in a meeting – Presenter or Attendee. Being a Presenter means that the participant has full control over what content is shared, can mute other participants, remove others from the meeting, change meeting settings etc. If you’re just an Attendee, you can do none of these things (only view content and participate in the call).
AdmitAnonymousUsersByDefault: This setting defines whether anonymous (i.e. non-authenticated) users are admitted into the conference. By default this is set to True. If your organisation plans on only using conferences for internal staff, then you might want to set this to False so users that have not authenticated with a PIN or with AD credentials aren’t able to join conferences.
Modifying the Meeting Configuration
So once I’ve defined how secure I want to make my Lync conferences, I’m going to make changes to the Meeting Configuration. In my case, I want to make sure users do not schedule public meetings and that the meeting URL and conference ID change from meeting to meeting, so I run this cmdlet: Set-CsMeetingConfiguration -identity Site:StAlbans -EnableAssignedConferenceType $false -AssignedConferenceTypeByDefault $false
If you want to modify the Global Meeting Configuration, just omit the -identity Site:SiteName portion of the cmdlet.
To verify that the change was made, I run the cmdlet Get-CsMeetingConfiguration -identity Site:StAlbans.
We can see that the site-level meeting configuration has been modified so public conferences can no longer be used in Lync.
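An audit of the settings described above, as an added example that is not part of the original post: it compares each meeting configuration with a baseline and lists every setting that differs. The baseline values, the function names Test-MeetingConfigHardening and New-Finding, and the sample objects are assumptions of this example.

```powershell
# Added example. The baseline below is an assumption; adjust it to your policy.
$Baseline = @{
    PstnCallersBypassLobby          = $false  # dial-in callers wait in the lobby
    EnableAssignedConferenceType    = $false  # public meetings cannot be scheduled
    AssignedConferenceTypeByDefault = $false  # meetings are private by default
    AdmitAnonymousUsersByDefault    = $false  # anonymous users are not admitted by default
}
$AllowedPresenters = 'None', 'Company'        # 'Everyone' is reported

function New-Finding($Identity, $Setting, $Actual, $Expected) {
    New-Object PSObject -Property @{
        Identity = $Identity; Setting = $Setting; Actual = $Actual; Expected = $Expected
    } | Select-Object Identity, Setting, Actual, Expected
}

function Test-MeetingConfigHardening {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Config)
    process {
        foreach ($name in $Baseline.Keys) {
            $prop = $Config.PSObject.Properties[$name]
            if ($null -eq $prop) {
                # A missing property is reported, not assumed to be safe.
                New-Finding $Config.Identity $name '<missing>' $Baseline[$name]
            } elseif ([bool]$prop.Value -ne $Baseline[$name]) {
                New-Finding $Config.Identity $name $prop.Value $Baseline[$name]
            }
        }
        $presenter = [string]$Config.DesignateAsPresenter
        if ($AllowedPresenters -notcontains $presenter) {
            New-Finding $Config.Identity 'DesignateAsPresenter' $presenter ($AllowedPresenters -join ' or ')
        }
    }
}

# Constructed sample objects: the global defaults, and the site configuration
# as it stands after the Set-CsMeetingConfiguration change shown above.
$sample = @(
    (New-Object PSObject -Property @{ Identity = 'Global'
        PstnCallersBypassLobby = $true; EnableAssignedConferenceType = $true
        AssignedConferenceTypeByDefault = $true; AdmitAnonymousUsersByDefault = $true
        DesignateAsPresenter = 'Company' }),
    (New-Object PSObject -Property @{ Identity = 'Site:StAlbans'
        PstnCallersBypassLobby = $true; EnableAssignedConferenceType = $false
        AssignedConferenceTypeByDefault = $false; AdmitAnonymousUsersByDefault = $true
        DesignateAsPresenter = 'Company' })
)
$sample | Test-MeetingConfigHardening | Format-Table -AutoSize
# On a Lync server: Get-CsMeetingConfiguration | Test-MeetingConfigHardening
```

Run against the constructed site object, the check still reports PstnCallersBypassLobby and AdmitAnonymousUsersByDefault, because the cmdlet above changed only the two conference-type settings.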
The User Experience
Below is where all of this is reflected on the client side – the Online Meeting Options in Outlook.
After we’ve made changes to the Meeting Configuration in Lync Server Management Shell above, you’ll see that the default settings in the Online Meeting Options change. If you change the DesignateAsPresenter setting in the Meeting Configuration, you’ll see this reflected under Presenters. If you change PstnCallersBypassLobby, you’ll see this reflected in the Access section, and so on.
As we can see, there are lots of variables available here in Lync to customise the conference experience for your organisation so that it both meets security requirements and remains easy to use for your users. You can learn more about conference security on the Lync Server 2010 TechNet Library. If you have any questions about this functionality, drop me a line in the comments below.
Great post Justin
When discussing Conference Security, it may be worthwhile to mention the following cmdlet and corresponding parameters.
set-CsUserServicesConfiguration -AnonymousUserGracePeriod -DeactivationGracePeriod
These two options are specific to conferencing configuration, but not easily discovered. Also, the default settings for these parameters are, in my opinion, much too liberal for someone who is concerned about conference security.
Great info Phil, thanks for the tip. Definitely something additional to look at when considering conference security.
Very useful post.
The meeting options windows for a Meet Now (Menu -> Meet Now -> Join Information and meeting Options -> Meeting options) are slightly different and include “Meeting access” as well as a couple of drop downs under “Privileges”.
Have you come across a way to configure these settings via Lync policy, GPO or reg key?
No I haven’t. All of these are configured via a meeting configuration only.
Great post Justin.
Regarding security, my agency runs public trainings/briefings that we open up to users outside our organization, but I need to limit chances of random or anonymous folks getting in.
Beyond just using the lobby, and without federated AD or Lync backends, what other options do I have for filtering attendees?
Does Lync 2010 or 2013 support a “meeting password” or a way to set some sort of “guest list” ?
Thank you very much.
Unfortunately not. Once you open up the meeting to anonymous users, anyone that wasn’t originally sent the invite but happened to come across the meeting URL/conference ID, would be able to join.
I think this is really about managing/accepting risk. If the above scenario happened, then that would be construed as somewhat malicious/leakage. In the first instance, the meeting organiser did all they could within the confines of the product to ensure only the required attendees were invited.
Great, I have a customer who migrated from 2010 to 2013 but the conference directory was not transferred from 2010 (instead it’s been removed), so now if the user doesn’t reset the conference ID, dial-in conference doesn’t work (because the conference ID still belongs to 2010).
I can set global policy for private meetings and that should solve the issue 🙂