Title

The ability of Lync to store user passwords must be disabled. (Cat II impact)

Discussion

Lync 2013 provides a single, unified client for real-time communications, including voice and video calls, Lync Meetings, presence, instant messaging, and persistent chat. These features require the ability to log into the service with a username and password. The Lync client could potentially be configured to store user passwords locally which would allow it to be susceptible to compromise and to be used maliciously.

Check Content

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Lync 2013 -> Microsoft Lync Feature Policies "Allow storage of user passwords" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\office\15.0\lync Criteria: If the value savepassword is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Lync 2013 -> Microsoft Lync Feature Policies "Allow storage of user passwords" to "Disabled".

Additional Identifiers

Rule ID: SV-52834r1_rule

Vulnerability ID: V-40776

Group Title: DTOO420 - Store user passwords

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.