{
"stig": {
"date": "2016-11-02",
"description": "The Microsoft Skype for Business 2016 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-70901": {
"checkid": "C-71345r2_chk",
"checktext": "Verify the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies \"Allow storage of user passwords\" is set to \"Disabled\".\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKLM\\Software\\Policies\\Microsoft\\office\\16.0\\lync\n\nCriteria: If the value savepassword is REG_DWORD = 0, this is not a finding.",
"description": "Allows Microsoft Lync to store user passwords. If you enable this policy setting, Microsoft Lync can store a password on request from the user. If you disable this policy setting, Microsoft Lync cannot store a password. If you do not configure this policy setting and the user logs on to a domain, Microsoft Lync does not store the password. If you do not configure this policy setting and the user does not log on to a domain (for example, if the user logs on to a workgroup), Microsoft Lync can store the password. Note: You can configure this policy setting under both Computer Configuration and User Configuration, but the policy setting under Computer Configuration takes precedence. \n",
"fixid": "F-77233r1_fix",
"fixtext": "Set the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies \"Allow storage of user passwords\" to \"Disabled\".\n",
"iacontrols": null,
"id": "V-70901",
"ruleID": "SV-85525r1_rule",
"severity": "medium",
"title": "The ability to store user passwords in Skype must be disabled.\n",
"version": "DTOO420"
},
"V-70903": {
"checkid": "C-71347r2_chk",
"checktext": "Verify the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies \"Configure SIP security mode\" is set to \"Enabled\".\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKLM\\Software\\Policies\\Microsoft\\office\\16.0\\lync\n\nCriteria: If the value enablesiphighsecuritymode is REG_DWORD = 1, this is not a finding.",
"description": "When Lync connects to the server, it supports various authentication mechanisms. This policy allows the user to specify whether Digest and Basic authentication are supported. Disabled (default): NTLM/Kerberos/TLS-DSK/Digest/Basic. Enabled: Authentication mechanisms: NTLM/Kerberos/TLS-DSK. GAL download: Requires HTTPS if the user is not logged in as an internal user. Enabling the policy therefore removes Digest and Basic from the supported authentication mechanisms. \n",
"fixid": "F-77235r1_fix",
"fixtext": "Set the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies \"Configure SIP security mode\" to \"Enabled\".\n",
"iacontrols": null,
"id": "V-70903",
"ruleID": "SV-85527r1_rule",
"severity": "medium",
"title": "Session Initiation Protocol (SIP) security mode must be configured.\n",
"version": "DTOO421"
},
"V-70905": {
"checkid": "C-71349r3_chk",
"checktext": "Verify the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies \"Disable HTTP fallback for SIP connection\" is set to \"Enabled\".\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKLM\\Software\\Policies\\Microsoft\\office\\16.0\\lync\n\nCriteria: If the value disablehttpconnect is REG_DWORD = 1, this is not a finding.",
"description": "Prevents HTTP from being used for the SIP connection if TLS or TCP fails.\n",
"fixid": "F-77237r1_fix",
"fixtext": "Set the policy value for Computer Configuration -> Administrative Templates -> Skype for Business 2016 -> Microsoft Lync Feature Policies \"Disable HTTP fallback for SIP connection\" to \"Enabled\".\n",
"iacontrols": null,
"id": "V-70905",
"ruleID": "SV-85529r1_rule",
"severity": "medium",
"title": "In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from resorting to the unencrypted HTTP.\n",
"version": "DTOO422"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-70901": "true",
"V-70903": "true",
"V-70905": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-70901": "true",
"V-70903": "true",
"V-70905": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-70901": "true",
"V-70903": "true",
"V-70905": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-70901": "true",
"V-70903": "true",
"V-70905": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-70901": "true",
"V-70903": "true",
"V-70905": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-70901": "true",
"V-70903": "true",
"V-70905": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-70901": "true",
"V-70903": "true",
"V-70905": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-70901": "true",
"V-70903": "true",
"V-70905": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-70901": "true",
"V-70903": "true",
"V-70905": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "microsoft_skypebusiness_2016",
"title": "Microsoft Skype for Business 2016 Security Technical Implementation Guide",
"version": "1"
}
}