6

We are a mobile application development company.

To protect the security of our source code and other files, we need to restrict Skype file transfers outside of the LAN.

How do we restrict Skype file transfers outside of the LAN?

S.L. Barth
Md Mahbubur Rahman
  • 6
    Ultimately you can't (I have some really interesting ways to send data across Skype). Really, you need to be able to trust the employees and educate them to be an integral part of the security system. – ewanm89 Nov 14 '12 at 10:48
  • Maybe you should start *trusting* your developers?! And that drag&drop failure is likely to be noticed quickly - maybe even before the other end accepted the transfer - or goes to someone with no malicious intent who won't spread the file. – ThiefMaster Nov 14 '12 at 18:23

3 Answers

11

It's exceedingly difficult to block Skype file transfers at the network level. They've designed it to use common ports (80 / 443) and proprietary encryption (albeit an extension to SSL) along with UPnP NAT holepunching to ensure absolutely minimal conflicts and setup issues. Remote file transfers go through supernodes as part of a P2P architecture, so it's not possible to blacklist a server to prevent the transfer.

You can disable the file transfer ability of Skype entirely, though. It's done via a registry key.

`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone`

You may need to create this key first. Once you've found / created it, make a value called DisableFileTransfer as a DWORD and set its value to 1. This will completely disable file transfers within Skype. You may need to restart Skype or the whole computer for it to take effect.

After the transfers are disabled, you can use an alternative file sharing mechanism within your LAN, such as shared drives.

Note that you'll need to restrict access to the registry on those computers. Your users should run as limited accounts, and you should use group policy to deny access to administrative tools like regedit.

Polynomial
  • 2
    And that stops the user sitting down and dictating the source code across Skype how? What about whistling Morse? Using an audio-coupled modem? I expect they also have a POTS landline that is also vulnerable... – ewanm89 Nov 14 '12 at 11:04
  • +1 for a great answer, @Polynomial. Most of our users use Windows, but we have Mac and Linux users too (as we develop iPhone and Android applications). What should we do for those users? – Md Mahbubur Rahman Nov 14 '12 at 11:21
  • 1
    @ewanm89 Nothing. It's about proving intent. It's potentially possible for a user to accidentally send a confidential file over Skype to a 3rd party due to a drag-drop misclick, but if they intentionally send source code over Skype you've got better evidence for a prosecution. Skype logs conversations to `%AppData%\Skype\main.db` (along with other stuff) so you could set up a hard link to a networked drive and have that file regularly backed up. – Polynomial Nov 14 '12 at 11:35
  • 1
    @Polynomial Yeah I was just pointing out that there are plenty of methods once one has an open connection of any kind. – ewanm89 Nov 14 '12 at 13:44
  • Limited accounts for developers are a horrible idea... – ThiefMaster Nov 14 '12 at 18:25
  • @ThiefMaster It depends on what the developer is doing. Even if they do end up being an administrative user, they should enable UAC. – Polynomial Nov 14 '12 at 23:17
  • → Polynomial: fully agree. May I suggest a slight improvement: "you can use an alternative file sharing mechanism…" → "you should provide an alternative file sharing service…". That way you will limit any desire among users to improve (or restore) the Skype file transfer mechanism. – dan Nov 20 '13 at 07:37
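
The registry policy from the answer above, as an added PowerShell example (not part of the original answer): it writes `DisableFileTransfer` and then audits both the value and who is able to modify the key. The function names and the list of trusted principals are assumptions made for this example.

```powershell
# Added example: enforce and audit the Skype policy value named in the answer.
# Function names are hypothetical; run from an elevated PowerShell prompt.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Skype\Phone'
$ValueName = 'DisableFileTransfer'

function Set-SkypeFileTransferPolicy {
    # Create the key if it does not exist yet, then write the DWORD value 1.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-SkypeFileTransferPolicy {
    # Reports whether the key exists, whether the value is a DWORD equal to 1,
    # and which unexpected principals hold write-type rights on the key.
    $result = [ordered]@{ KeyExists = $false; ValueIsDword1 = $false; WritableBy = @() }
    if (-not (Test-Path -Path $PolicyKey)) { return [pscustomobject]$result }
    $result.KeyExists = $true

    $key = Get-Item -Path $PolicyKey
    if ($key.GetValueNames() -contains $ValueName) {
        $kind = $key.GetValueKind($ValueName)
        $data = $key.GetValue($ValueName)
        $result.ValueIsDword1 = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 1)
    }

    # The answer stresses that users must not be able to edit the registry.
    # Assumption: these are the only principals expected to have write access
    # (names as they appear on English-language Windows).
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
    $writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $result.WritableBy = @(
        (Get-Acl -Path $PolicyKey).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.RegistryRights -band $writeRights) -and
                           ($trusted -notcontains $_.IdentityReference.Value) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    )
    return [pscustomobject]$result
}

Set-SkypeFileTransferPolicy
Test-SkypeFileTransferPolicy | Format-List
```

A compliant machine reports `KeyExists` and `ValueIsDword1` as `True` and an empty `WritableBy` list; any account listed there can undo the policy without administrative rights.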
0

You could use the Lync product suite for Skype-like communication, and you can also enable Skype connectivity there. In this case you can disable the transfer of file types by using these settings. You also have some other possibilities for security there. The downside of Lync is the license costs.

amaruk
0

As another suggestion, are you only using Skype internally? If so, there are other platforms available that you could use for an internal experience that is very similar. Depending on your size, Microsoft Lync can be a nice (albeit not free) option that behaves very similarly to Skype. There are also a number of open source and/or free options out there that provide text chat but lack some of the more advanced features or ease of use that Skype has. Many of them can provide server-side logging and prevent outside connections, which is often a good best practice for internal communications unless outside connectivity is needed for a business reason.

AJ Henderson