UCF STIG Viewer Logo

The ability of Lync to store user passwords must be disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-40776 DTOO420 SV-52834r1_rule Medium
Description
Lync 2013 provides a single, unified client for real-time communications, including voice and video calls, Lync Meetings, presence, instant messaging, and persistent chat. These features require the ability to log into the service with a username and password. The Lync client could potentially be configured to store user passwords locally which would allow it to be susceptible to compromise and to be used maliciously.
STIG Date
Microsoft Lync 2013 STIG 2018-04-04

Details

Check Text ( C-47151r1_chk )
Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Lync 2013 -> Microsoft Lync Feature Policies "Allow storage of user passwords" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Policies\Microsoft\office\15.0\lync

Criteria: If the value savepassword is REG_DWORD = 0, this is not a finding.
Fix Text (F-45760r1_fix)
Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Lync 2013 -> Microsoft Lync Feature Policies "Allow storage of user passwords" to "Disabled".