How To Manage Skype In the Enterprise
Once you decide and document your policies, you then need a way to check and enforce it. This article focuses on how you can do that for Skype, but the advice here would work for any other similar application.
Note that we're assuming for this article that Skype is allowed in your enterprise, and we'll cover how to manage it, not how to thoroughly block it.
The first thing you need to do is find systems running Skype. After that, you need to change Skype configurations to match your company's policy. We'll cover how to block or delete Skype in another article.
How do I find systems running Skype?
If you work for a larger company, you could use your configuration management or software distribution solution and run a job to locate any systems with Skype. But not all companies have those solutions, and not all are able to detect Skype. So I have developed a free tool you can use to automatically do the job for it. I developed a simple script called SkypeCheck (to use as is, feel free to send me your updates) that you can download from my website. I wrote this batch file to perform several functions:
- Check if Skype is installed and creates a report of systems that have it
- Reports the version of Skype
- Checks to see if a Proxy is set
- Checks the port Skype is using and reports it
- If port 80 is enabled and reports it
- Checks the port being used and allows you to copy the corporate Shared.XML file with the correct settings
- Checks and disables File Transfer and reports it
- Checks and disables API and reports it
For managed systems connected to the network and that can log in to some Windows Domain or Active Directory you can run this script from the login script and capture the information. I also provide a way to send the reports to a file server share if you want to send them to a specific location, or you can store them on the login servers and harvest them as needed. You can also just attach to each system on the network, copy the script and then launch a job to run it and send the reports to a central server or harvest them as needed.
The first goal is to locate the systems that have Skype so that you can manage them. The second is to understand and report on the settings of each system. There are several things you will want to look for in your environment. These include:
- Main Listening Port
- If port 80 and 443 are used for incoming connections
- If a HTTPS or SOCKS proxy is used
- If file transfer is disabled
- If the API option is disabled
The Listening Port is important in corporate environments because you can set a specific port on your firewall to allow incoming Skype calls. Port 80 and 443 are important so that you can disable your Skype clients from using port 80 or 443 and force them to use your specific corporate Listening Port, if you so choose. The HTTPS or SOCKS proxy is important if you have the option to use and set a Proxy server for connections. Of course, for security and control you can disable file transfer and any API add-ons from being installed. All these things will help you manage your Skype environment. Using the script I mentioned will allow you to regularly monitor your Skype clients and their settings.
For Remote Users you will have to rely on them attaching to the network and logging in or use your Configuration Management or Software Distribution solution to deploy, run and collect the results of the script. The main goal is to have the ability to manage Skype in the enterprise. Whether you use the script I provide or your configuration management or software distribution solution or a combination of both, you will be able to manage your Skype user configuration at an enterprise level. If you want to make sure your users are running the latest version of Skype, you will need to manage it just like any other application and send out a package to install the latest version instead of relying on the user to maintain the application. I recommend this approach if you want to maintain security and have any concerns about using a public IM tool like Skype. Keep it updated! How can I change the configuration of Skype?
There are two files that Skype uses to manage the settings of Skype. Skype uses XML files and not the Registry to maintain the settings. Except for disabling File Transfer and the API functions, the Registry is little used with Skype. XML is used so that Skype can be used on multiple operating systems. The two files are "Shared.xml" used for every Skype user on the system, and "Config.xml" for each individual Skype user. Shared.xml may be found in the following location:
C:\Documents and Settings\"windows_username"\Application Data\Skype
If you want to manage your Skype environment you can modify and maintain a corporate version of Shared.xml. You can copy it to each system to manage and set all the shared settings like the Listening Port, Proxy Servers and the port 80 and 443 incoming port option. You can replace Shared.xml without interfering with the user and the next time the user launches Skype the new file and settings will be applied.
Shared.xml <ListeningPort>443</ListeningPort> (sets your main incoming listening port) <DisablePort80>1</DisablePort80> ('1' disables port 80 & 443 bypass) <HttpsProxy> <Addr>web-proxy.com:8080</Addr> <Enable>1</Enable> <Pwd>Z291Y2g=</Pwd> <User>mike</User> <SocksProxy> <Addr>web-proxy.com:8080</Addr> <Enable>1</Enable> <Pwd>R291Y2g=</Pwd> <User>Mike</User>
Config.xml
Here are some settings that can be found in Config.xml that you may want to adjust for each Skype user of a system. Remember Config.xml exists for each Skype user. This file is found under the Skype username directory for each user on the system. Modification of this file will adjust the users individual settings and environment and thus their client configuration and cause some possible inconvenience. Unfortunately, the Hotfix and Major Update settings are maintained in this file and not Shared.xml. To manage and update this file, a more complex utility would need to be used since replacing it would change all the users existing settings. You could however modify this file and include it as a part of a deployment for new users. Config.xml may be found in the following location:
(Documents and Settings\"windows_username"\Application Data\Skype\"Skype_username")
To set Skype to only allow calls only from people in the users contact list, set it to "buddies". This avoids call SPAM.
<Call> <IncomingPolicy>buddies</IncomingPolicy>
- Everyone (anyone)
- Authorized (only authorized contacts)
- Buddies (only contacts in your list - recommended)
To set Skype to only allow IM chat only from people in the users contact list, set it to "buddies". This avoids IM SPAM.
<Message> <IncomingPolicy>authorized</IncomingPolicy>
- Everyone (anyone)
- Authorized (only authorized contacts)
- Buddies (only contacts in your list - recommended)
To disable the video option in Skype, set this to '1'.
<Video> <Disable>1</Disable> (disables video)
If you maintain corporate versions of Shared.xml and Config.xml or use a utility to specifically find and change specific settings in these two files or replace these files with corporate versions, you can manage Skype's behavior to be more consistent in your environment. The script I provide on my website, may give you ideas of how you can scan your environment for Skype and update certain settings so that you can have a managed Skype environment. In my next article I will discuss how to block Skype in the enterprise if your policy is not to allow it, or you want an Incident Response option in the event a vulnerability or incident occurs and you need to disable Skype until you can patch the application.