| I love football. I love high school football. I love college football. I love NFL football. What I do not love is missing football. This year, one of the games of my beloved Green Bay Packers is on Monday night. That's the Monday night before the second Tuesday of the month. You know … the night before we release the monthly updates. When I should be sitting at home, yelling at my television, I'll be doing what you're doing—spending hours reading, worrying, and hoping that the solution won't be worse than the problem. That leads me to my focus for this month: security update management. Rolling out fixes is not the most glamorous of tasks. It is, however, one of the most crucial tasks we perform. A lot could go wrong either way. The process you use plays a huge part in that. I'm not just talking about whether you're a small business that relies on Microsoft Update or a medium-sized one that takes advantage of Windows Server Update Services (WSUS). You may even be using the great features available in Microsoft System Center Configuration Manager 2007. Regardless of the vehicle that gets you to the stadium, you still have to practice and have a good game plan to win. It's all about effective and consistent processes. Now, I realize that understanding the whole Microsoft Security Update process is … challenging. We have security updates, and security bulletins, and security notifications, and security advisories. Who can keep up? It's more difficult than trying to read an NFL playbook. Good luck figuring it all out. Until now. Thanks to some great work by our very own Michael Grady (who just happens to be a former college football player), Microsoft has finally put together a playbook that makes sense of it all. The Microsoft Security Update Guide is "must have" security guidance that walks you through all the terms, processes, and tools to get it all done correctly. What is the difference between a bulletin and an advisory? What things should I consider before deployment? Do I even need this update? What resources are available to assist me? Get this guide. It will make your job a lot easier, leaving you plenty of time to enjoy the game. Until next time! Kai Axford, MBA, CISSP, MCSE Sr. Security Strategist, Microsoft Trustworthy Computing (TwC)
Top Stories | | Better understand how to use Microsoft security release information, processes, tools, and communications to help manage organizational risk and develop a repeatable, effective deployment mechanism for security updates. In this guide, you will find a convenient glossary of terms, an overview of the Microsoft Security Bulletin process, and a stage-by-stage review of Microsoft Security Updates. | | | This next-generation version of Forefront Security for Exchange Server provides fast and effective detection of malware and spam, blocks out-of-policy content, and integrates with Microsoft Forefront Online Protection for Exchange to offer the defense-in-depth benefits of hosted and on-premises filtering in a single solution. | | | WSUS 3.0 SP2 supports the latest operating systems, including Windows Server 2008 R2 and Windows 7 clients. WSUS 3.0 SP2 is more robust and features significant improvements in client performance, reliability, and increased server usability. | | | Brought to you by the Springboard Series, a 90-day trial is now available to help you test and evaluate the RTM version of Windows 7 Enterprise. Designed specifically for IT professionals, this 90-day trial is offered in English, French, German, Japanese, and Spanish. (Note: If you already have Windows 7 through MSDN, TechNet, or Software Assurance, you do not need to download this trial.) |
Security Guidance | | This toolkit series provides an end-to-end solution to help your organization plan, deploy, and monitor security baselines of Windows operating systems and 2007 Microsoft Office applications. | | | The Microsoft Exploitability Index makes an assessment on the likelihood that code will be released that exploits the vulnerability or vulnerabilities addressed in a security bulletin within the first 30 days after that bulletin's release. Learn how to take advantage of this tool in your organization. | | | Learn how to keep single or multiple servers up to date, and improve your knowledge of the processes required to create a sound patch management system. | | | Microsoft Forefront Client Security uses the WSUS engine to deploy definition updates to all the clients that Forefront Client Security manages. Microsoft System Center Configuration Manager 2007 uses WSUS to provide metadata to the scanning engine on Configuration Manager clients that facilitate software updates. This document provides guidance on how to configure Forefront Client Security definition updates to use an existing Configuration Manager WSUS infrastructure while ensuring that Configuration Manager and Forefront Client Security function properly and work together in harmony. | | | The Security Development Lifecycle (SDL) Process Template was developed to ease the integration of security into the software development process. This four-minute video will show you how to modify the default work items that are created in your new SDL Process Template team project, and how to modify the default work item types, such as Task or Bug. |
This Month's Security Bulletins Critical: Security Bulletin Overview for September 2009
The Business of Security There is a reason you subscribe to this newsletter. You are working, or hope to be working, in the area of information security. You are in the security business, a term often confused with the "business of security." The business of security focuses on those skills that security professionals rely on, beyond their deep technical knowledge. It refers to the ability to translate technical concepts into business value. It's about understanding that the chief financial officer is more worried about cash flow than packet flow. In short, it's about managing risk. As you continue to progress in your career, these are skills you will find as valuable as your ability to install a perimeter firewall. Each month, in this new section of the newsletter, we will concentrate on those things that will allow you to move onward and upward in your security career. Over the next few months, we'll hear from those who have obtained a seat in the boardroom and from those who can put you there. We'll hear from chief information security officers and IT directors who can tell you what they like and dislike when interviewing candidates for roles in their company. We'll help you understand things like security metrics and return on security investment (ROSI), so you can have a business discussion with your senior managers. We'll also discuss how to deliver an effective presentation to those senior staff members. Security needs to be seen as a business enabler, not a hurdle, and this is where we'll learn to do that. So welcome. It's time to set aside the technical manual and get ready to work on upgrading one the most overlooked assets in your organization—you! Is there a topic you would like to see us discuss? E-mail us at secaware@microsoft.com.
Microsoft Product Lifecycle Information
Security Events and Training | | Join Marcus Murray, Microsoft MVP in Security, as he and fellow MVPs present a free online Windows 7 webinar on October 7. Walk through the various Windows 7 security features and the threats they mitigate, plus learn about deployment, migration, virtualization, and more. | | | Heat up your skills with the all-new Firestarter event series. Each day-long event tackles a single Microsoft technology, including free sessions presented live by Microsoft developer and IT pro evangelists as well as technology specialists—with special appearances from community luminaries. Attend in person or via live meeting or download the webcast at your convenience and start learning about new built-in security enhancements in Windows. | | | Internet Information Services (IIS) 7.0 maximizes Web server security by default with minimal Web server footprint and automatic application isolation. Learn how to capitalize on IIS 7.0 to offer greater application isolation by giving worker processes a unique identity and a sandboxed configuration by default, further reducing security risks. |
Upcoming Security Webcasts | | Thursday, September 17, 11:00 AM Pacific Time | | | Thursday, September 24, 11:00 AM Pacific Time | | | Thursday, October 8, 11:00 AM Pacific Time | | | Use this dynamic, interactive format to find upcoming security webcasts. | For IT Professionals Now On Demand
|
