Welcome to the Microsoft Security Newsletter, a monthly newsletter for IT professionals and developers bringing security news, guidance, updates, and community resources direct to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

Viewpoint
By Jesper M. Johansson, Software Architect and Microsoft MVP in Enterprise Security, and Roger Grimes, Senior Security Consultant, Microsoft ACE Team

Security by obscurity involves taking measures that do not remove an attack vector but instead conceal it. Some argue that this is a bad practice, while others claim that, as part of a larger strategy, every bit counts. The debate is quite heated, and in this article some of our finest security experts face off, explaining security by obscurity and presenting both sides of the debate.

Top Stories

Volume 5 of the Security Intelligence Report (SIR) contains an all-new examination of the threat ecosystem and the use of botnets to spread threats. It also includes unique content on browser-based exploits and updated information on software vulnerability disclosures, vulnerability exploits, security and privacy breaches, and trends in malicious and potentially unwanted software. With extensive guidance on mitigations and countermeasures, SIR is a valuable tool for all IT professionals who need to know what is happening in the threat ecosystem.

Microsoft code name "Geneva" is an open platform for simplified user access based on claims. This release consists of three components: Geneva Framework for .NET developers, Geneva Server for IT Pros, and Windows CardSpace Geneva for users. Read the white paper by David Chappell for an overview of the platform, and then visit the Microsoft Connect Geneva home page for access to downloads and other resources.

Presented at the Virus Bulletin 2008 (VB2008) Conference in October, this paper tracks the evolution of certain families of malware as they have grown and diversified, adapting and improving to effectively accomplish their required results.

Security Guidance

The Microsoft Security Assessment Tool employs a holistic approach to measuring your security posture by covering topics across people, process, and technology. This revised version features an updated defense-in-depth assessment plus questions related to the evolving threat landscape. Findings are coupled with prescriptive guidance and recommended mitigation efforts, including links to more information for additional industry guidance.

The IT Compliance Management Guide can help you shift your governance, risk, and compliance (GRC) efforts from people to technology. Use its configuration guidance to help efficiently address your organization's GRC objectives.

The Encrypting File System (EFS) Assistant is a software tool you can use to centrally control EFS settings on your mobile or desktop PCs. The EFS Assistant can help you encrypt the sensitive files on your users' laptops, regardless of where those files are located. The EFS Assistant is part of the Data Encryption Toolkit for Mobile PCs; a community version of the tool is also available from CodePlex at www.codeplex.com/EFSAssistant.

Windows Server 2008 featuring Internet Information Services 7.0 (IIS 7.0) is a powerful Web application and services platform that delivers rich Web-based experiences. Learn how to install and configure security settings for IIS 7.0, including built-in user and group accounts, URL authorization, SSL, and request filtering.

UrlScan version 3.1 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) 6.0 will process. UrlScan screens all incoming requests to the server by filtering them against rules that are set by the administrator. Filtering requests helps secure the server by ensuring that only valid requests are processed.

Part of the patterns and practices guide for "Improving Web Application Security," this checklist is designed to help developers build and secure Web services by outlining design, development, and administrative considerations.

Get best practices for securing your servers, using the Security Configuration Wizard, and assigning administrative roles.

This Month's Security Bulletins
Critical:
Important:

Community / MVP Update

Don Kiely, MVP, MCSD, MSDE, is a senior technology consultant specializing in developing secure desktop and Web applications that integrate databases, Microsoft Office, and related technologies, using tools including SQL Server, Visual Basic, C#, ASP.NET, and XML. Don has authored and coauthored several programming books and writes regularly for many industry journals, including InformationWeek, IEEE Computer, Visual Studio .NET (VBPJ), and other magazines. Don also trains developers and speaks regularly at industry conferences, including Tech•Ed, VSLive!, DevConnections, and others.

Microsoft Product Lifecycle Information

Security Events and Training

Learn the rewards of building security into the development process and cultivate "defensive thinking." Explore secure development by examining decomposition, asset analysis, and other steps in the threat-modeling methodology.

Microsoft provides technologies that legitimate users can use to access resources, while raising the bar for unauthorized users such as external hackers or internal disgruntled employees. See which tools verify user identity, control what resources users can access, and protect access to data throughout its lifecycle.

Upcoming Security Webcasts

Upcoming security webcasts in a dynamic, interactive format.

For IT Professionals
• TechNet Webcast: Microsoft Security Intelligence Report 5: Latest Trends in Vulnerabilities, Exploits, and Malicious Software (Level 200)
  Friday, November 14, 9:30 AM Pacific Time
  Jimmy Kuo, Principal Development Manager, Malware Protection Center, Microsoft Corporation; Jeff Jones, Director, Trustworthy Computing, Microsoft Corporation; and Ziv Mador, Senior Program Manager, Malware Protection Center, Microsoft Corporation

For Developers

Microsoft On-Demand Webcasts
• MSDN Webcast: "Geneva" Deep Dive (Level 400)
  In this webcast, we examine the architecture of code name "Geneva" and how you can customize the architecture for advanced security scenarios. At the center of the discussion is the Security Token Service (STS), a core component that provides authentication and identity services. Learn how many applications benefit from an embedded STS and how many scenarios call for an STS that is built on a specialized user store.