BIO 13.01.01 ISO A.10.1.1

Skype For Business (Lync): Enable SIP Security Mode (TLS Required)

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Enable SIP security mode in Skype for Business - requires TLS for SIP protocol (encrypted signaling).

Aanbeveling
IMPLEMENT (if Lync still used)
Risico zonder
High
Risk Score
8/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Skype for Business (formerly Lync)

SIP security = TLS encryption: SIP protocol: Session Initiation Protocol (Skype for Business signaling - call setup, messages), Unencrypted SIP: Cleartext protocol (credentials, messages visible), TLS SIP: Encrypted signaling (SIP over TLS - port 5061), Attack: Unencrypted SIP β†’ man-in-the-middle intercepts credentials, messages (cleartext). Enable security mode: TLS REQUIRED (unencrypted SIP rejected), Defense: Signaling encryption (credentials, messages protected in transit).

PowerShell Modules Vereist
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementatie

SIP security mode: Policy: Enable SIP security mode: Enabled (TLS required), Effect: SIP connections require TLS (port 5061), Unencrypted SIP: Rejected (no cleartext signaling), Encryption: Credentials, messages, call signaling protected.

Vereisten

  1. Skype for Business (Lync) 2013+
  2. Network: TLS SIP (port 5061) allowed
  3. Intune of GPO

Implementatie

Intune Settings Catalog: Lync\Security β†’ Enable SIP security mode: Enabled (TLS required). Network: Verify port 5061 (TLS SIP) allowed (firewall).

Compliance

BIO 13.01 (Encryption in transit), ISO 27001 A.10.1.1, NIST CSF PR.DS-2.

Monitoring

Gebruik PowerShell-script sip-security-mode-enabled.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script sip-security-mode-enabled.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Schakelt SIP security mode in voor Lync .DESCRIPTION Dit script implementeert CIS control O365-LY-000001 voor het inschakelen van SIP security mode in Microsoft Lync. Dit dwingt het gebruik van TLS voor SIP communicatie en verbetert de beveiliging van real-time communicatie. .REQUIREMENTS - PowerShell 5.1 of hoger - Lokale administrator rechten voor registry wijzigingen - Microsoft Lync geΓ―nstalleerd .PARAMETER Monitoring Controleert de huidige compliance status .PARAMETER Remediation Past de aanbevolen configuratie toe .PARAMETER Revert Herstelt de originele configuratie .PARAMETER WhatIf Toont wat er zou gebeuren zonder wijzigingen door te voeren .EXAMPLE .\sip-security-mode-enabled.ps1 -Monitoring Controleert of SIP security mode is ingeschakeld .EXAMPLE .\sip-security-mode-enabled.ps1 -Remediation Schakelt SIP security mode in .NOTES Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\Lync Waarde: EnableSIPSecurityMode = 1 CIS Control: O365-LY-000001 DISA STIG: Microsoft Office 365 ProPlus v3r3 #> #Requires -Version 5.1 param( [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) # Globale variabelen $RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\Lync" $ValueName = "EnableSIPSecurityMode" $ExpectedValue = 1 $ControlID = "O365-LY-000001" function Test-Compliance { try { if (-not (Test-Path $RegistryPath)) { return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) } catch { return $false } } function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}: SIP security mode inschakelen" -ForegroundColor Green try { if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) { Write-Host "βœ“ Control compliant: ${ValueName} = $ExpectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating ${ControlID}: SIP security mode inschakelen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan return $true } if (-not (Test-Path $RegistryPath)) { Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force Write-Host "βœ“ Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 return Invoke-Monitoring } catch { Write-Host "βœ— Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting ${ControlID}: SIP security mode instelling herstellen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan return $true } if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue Write-Host "βœ“ Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green } return $true } catch { Write-Host "βœ— Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } # Hoofd uitvoering try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Gebruik: .\sip-security-mode-enabled.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White Write-Host "" Write-Host "Handmatige configuratie:" -ForegroundColor Cyan Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft Lync 2016" -ForegroundColor White Write-Host "> Microsoft Lync Feature Policies > Enable SIP security mode: Enabled" -ForegroundColor White } } catch { Write-Host "βœ— Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
High: Hoog: Unencrypted SIP = credentials/messages in cleartext (MITM risk).

Management Samenvatting

Lync SIP security mode: TLS required. Encrypted signaling. No cleartext SIP. Legacy (Teams = modern). Implementatie: 1-2 uur.