Welcome to the Microsoft Security Newsletter - a monthly newsletter for IT professionals and developers bringing security news, guidance, updates, and community resources direct to your inbox. To view an online version of this newsletter, please click here. If you would like to receive less technical security news, guidance and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

**Editor's Note: The October edition of the Microsoft Security Newsletter contained an error. The Security Tip of the Month for October is "Who, Where, When? Simple Tools for Auditing in the Enterprise."**

Give us feedback! We are dedicated to continuing to improve the value of the Microsoft Security Newsletter. Please take this short survey (eight questions) that will help us continue to improve your experience.

Viewpoint

By Steve Riley, Senior Security Strategist, Microsoft Trustworthy Computing

In this article, Steve Riley outlines four classes of access requests, the usage scenarios related to each, and the kinds of information that should be made available to each class in order to help you understand the client security responsibilities associated with the ongoing quest to provide "anywhere access."

Top Stories

Identity theft is not only a threat faced by consumers but also a significant concern for organizations as they handle growing volumes of personally identifiable information (PII) and use it in more diverse ways. This paper outlines a set of near-term tactics for mitigating online identity theft as well as a longer-range strategic vision for fundamentally "changing the game" with regard to how people assert their identity on the Internet and how such identity claims are verified by other parties during an online interaction or transaction.

As part of its commitment to make the Security Development Lifecycle (SDL) available to every developer, Microsoft is delivering three new SDL programs and tools in November 2008: the SDL Pro Network, the SDL Optimization Model, and the Microsoft SDL Threat Modeling Tool. These offerings will enable the industry to create more secure and privacy-enhanced technology for an online world. Learn more about these programs or watch a demo about the SDL Threat Modeling Tool.

UrlScan version 3.0 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) 6.0 will process. UrlScan screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator. Filtering the requests helps secure the server by ensuring that only valid requests are processed.

Check out J. D. Meier's overview of the patterns & practices approach to security engineering, which covers—among other topics—the security frame used to perform security code and design inspections.

Security Guidance

How do you know who is accessing what in your IT environment? This vital question is often faced by security administrators, and many IT organizations have challenges identifying and understanding patterns of client access to enterprise resources. This article offers some quick tips and tools to help you understand which users or system accounts have access to which resources, and when.

This collection of software components and guidance helps you configure a compliance health policy for computers that run Microsoft Forefront Client Security. Network administrators can use this kit to assess the health of these computers before they are granted network access. If a computer is not compliant with the health policy for Forefront Client Security, it can be isolated to a restricted network until it is properly remediated.

This guide provides you with specific recommendations and automated tools to help strengthen the security of desktop and laptop computers running Windows Vista in a domain with the Active Directory service. You'll also learn how to use the GPOAccelerator tool that accompanies the guide to help you automatically deploy security settings in minutes instead of hours.

Benefit from tested guidance and powerful tools to help you protect your most vulnerable information—the data residing on your laptops. This toolkit shows you how to use two key encryption technologies: BitLocker Drive Encryption, which is included with specific versions of Windows Vista, and the Encrypting File System, which is included with Windows XP Professional and Windows Vista.

This toolkit provides you with best practices to plan, deploy, monitor, and remediate a security baseline for your organization. It also offers a proven method that you can use to effectively monitor the compliance state of a security baseline for Windows Vista, Windows XP Service Pack 2 (SP2), and Windows Server 2003 SP2.

In this podcast, Paul Cooke, Director in the Windows Client division specializing in security, discusses BitLocker Drive Encryption, and how it has been extended in Windows Vista SP1.

Learn how to effectively use the new Group Policy objects in Windows Vista to improve manageability and strengthen security with this podcast by Derek Melber, author, IT consultant, and Microsoft MVP for Group Policy.

This Month's Security Bulletins

Critical:

Important:

Moderate:

Community / MVP Update

Derek Melber -- one of the leading technical instructors, project leaders, and solution developers in the nation -- has an innate understanding of how to decipher, organize, and communicate complex issues. Derek's areas of expertise include Group Policy, Active Directory (former Directory Services MVP), security, desktop management, and security auditing.
He provides custom and public training on all of these subjects and regularly speaks at conferences including TechMentor and MISTI. Derek runs Braincore (www.braincore.net) and also is a contributing editor to Windowsecurity.com, Redmond Magazine, RIAG Journal, IT Audit newsletter, and various other publications.

Microsoft Product Lifecycle Information

Security Events and Training

BlueHat v8: C3P0wned takes place October 16 - 17 at the Microsoft corporate headquarters. A by-invitation-only Microsoft event, the security conference brings together Microsoft security professionals and external security researchers in a relaxed environment to promote the sharing of ideas and social networking.

Delve into Windows Vista secure deployment strategies, configurations, and best practices with Mark Russinovich and a panel of Microsoft MVPs and IT pros from multiple industries.

Learn how to help keep your security environment operational and effective even during a disaster. Use the resources in this learning path to help you lock down your infrastructure and harden security to prevent PC and desktop disruption.

Upcoming Security Webcasts

Upcoming security webcasts in a dynamic, interactive format.

For IT Professionals

For Developers

Microsoft On-Demand Webcasts