Details

Lync 2013 provides a single, unified client for real-time communications, including voice and video calls, Lync Meetings, presence, instant messaging, and persistent chat. These features require the ability to log into the service with a username and password. The Lync client could potentially be configured to store user passwords locally which would allow it to be susceptible to compromise and to be used maliciously.

Solution

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Lync 2013 -> Microsoft Lync Feature Policies ‘Allow storage of user passwords’ to ‘Disabled’.

Supportive Information

The following resource is also helpful.

• https://iasecontent.disa.mil/stigs/zip/U_MS_Lync_2013_V1R4_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Windows.

References

• 800-53|IA-5(1)(c)
• CAT|II
• CCI|CCI-000196
• Rule-ID|SV-52834r1_rule
• STIG-ID|DTOO420
• Vuln-ID|V-40776

Source

• Tenable.com/audits