Thursday, April 16, 2009

CORRECTION: Microsoft Security Newsletter - Volume 6, Issue 4

Microsoft Security Newsletter
Welcome to the Microsoft Security Newsletter - a monthly newsletter for IT professionals and developers bringing security news, guidance, updates, and community resources direct to your inbox. To view an online version of this newsletter, please click here. If you would like to receive less technical security news, guidance and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

Want to receive more frequent updates on news and featured resources? Subscribe to the Featured Security and Privacy Content RSS feed. Have an idea for a future article, or looking for guidance around a specific topic that you have not seen in this newsletter (or on TechNet or MSDN)? E-mail secaware@microsoft.com.

CORRECTION: For our Featured Article, we inadvertently used part of last month's author byline and misrepresented Jesper Johansson's current position. Jesper is currently a Principal Security Architect for a well-known Fortune 200 company and a Microsoft MVP in Enterprise Security.

Featured Article
By Jesper Johansson, Principal Security Architect and Microsoft MVP, Enterprise Security
In the first in an ongoing series, Jesper Johansson discusses the broad and varied challenges faced in the field of Information Security Management and the keys to planning a sound InfoSec strategy.

Top Stories
The latest volume of the Microsoft Security Intelligence Report (SIR) is now available. Providing a comprehensive assessment of the threat landscape during the second half of 2008, the SIR provides the industry's most comprehensive and wide-reaching security analysis.
Join Microsoft security experts Jeff Jones and Thomas Dawkins as they walk you through the new release of the Microsoft Security Assessment Tool, MSAT 4.0. Once you're familiar with the improvements, check out an in-depth demo on how to use the tool to build your business risk profile, create an assessment of the current security state of your business IT infrastructure, and review specific guidance to strengthen the security of your organization.
The new Security Compliance Management Toolkit series features updated security guides, the GPOAccelerator tool, and configuration packs to help you establish, deploy, and monitor your Windows and 2007 Microsoft Office System security baselines. Download it today.

Security Guidance
!exploitable (pronounced "bang exploitable") Crash Analyzer is a Windows debugger extension that provides automated crash analysis and security risk assessment. !exploitable Crash Analyzer puts analysis that previously required the help of a security expert into a tool that every developer and tester can use.
Get valuable guidance, instructions, and recommendations to address your key security concerns around server virtualization.
Organizations today are facing a rising tide of cyber attacks on their computers and networks. They need a proactive approach to protect their assets and sensitive information against such attacks. This guide provides an easy-to-understand method that enables you to develop threat models for your environments and prioritize investments in IT infrastructure security.
This guide gives you a solid foundation for designing, building, and configuring secure ASP.NET Web applications. Whether you have existing applications or are building new ones, you can apply the guidance to help you make sure that your Web applications are hack-resilient.
Securability refers to the ability to provide security to an application and its data. Numerous design choices impact the securability of an application. The documentation in this section covers several aspects of choosing a security model for a distributed application created using ASP.NET including authentication, impersonation, and process identity.
Learn about the security features in Internet Information Services (IIS) 7.0 and their benefits, and then get step-by-step guidance to configure them.

This Month's Security Bulletins
Critical:
Important:
Moderate:
Get the information you need to help protect your systems from the Conficker Worm or to recover systems that have been infected.

Community / MVP Update
Security MVP of the Month: Rudolph Araujo   
Rudolph Araujo is a Technical Director at Foundstone, where he is responsible for creating and delivering the threat modeling and security code review service lines. Rudolph has many years of software development experience on both UNIX and Windows environments and is a contributor to many online and print journals such as Software Magazine, where he writes a column on Writing Secure Code.
The lack of data validation in Web applications has gone beyond just being a problem with a single application -- it now has an impact on entire organizations and the larger Internet community. This article discusses some of the key strategies that are effective and efficient at helping software developers validate data within their Web applications. It also provides specific examples in Microsoft ASP.NET of how much of this validation can be achieved for "free" by taking advantage of features in the framework.

Microsoft Product Lifecycle Information
Find information about your particular products on the Microsoft Product Support Lifecycle Web site.
See a List of Supported Service Packs: Microsoft provides free software updates for security and nonsecurity issues for all supported service packs.

Security Events and Training
This month's learning path will help you learn to address your needs for a high level of control over content and site management, with the ability to offer people more flexibility and to encourage collaboration, spanning the entire information lifecycle.
Take a three-day instructor-led course that teaches you how to deploy Forefront security products.

Upcoming Security Webcasts
Thursday, April 16, 11:00 AM Pacific Time
Mike Ziock, Senior Director Operations, Business Online Services, Microsoft Corporation
Find out about upcoming security webcasts using a dynamic, interactive format.
For IT Professionals
TechNet Labcast: Application Compatibility and Managing Your Office Clients with Group Policy (Level 200)
Monday, April 20, 1:00 PM Pacific Time
Dennis Wakefield, Senior Technical Trainer, Entirenet, LLC
TechNet Webcast: Microsoft Active Directory Rights Management Services Overview (Level 300)
Tuesday, April 28, 1:00 PM Pacific Time
Cristian Mora, Technical Product Manager, Microsoft Corporation
TechNet Webcast: First Look at Microsoft System Center Data Protection Manager 2007 v3 (Level 300)
Wednesday, April 29, 1:00 PM Pacific Time
Jason Buffington, Senior Technical Product Manager, Microsoft Corporation
TechNet Webcast: Microsoft Active Directory Rights Management Services: Installation Best Practices (Level 300)
Thursday, April 30, 1:00 PM Pacific Time
Cristian Mora, Technical Product Manager, Microsoft Corporation
TechNet Labcast: Application Compatibility and Managing Your Office Clients with Group Policy (Level 200)
Monday, May 4, 8:30 AM Pacific Time
Dennis Wakefield, Senior Technical Trainer, Entirenet, LLC
TechNet Webcast: Secure Collaboration Using AD RMS, MOSS, and AD FS (Level 300)
Tuesday, May 5, 1:00 PM Pacific Time
Enrique Saggese, Senior Consultant, Microsoft Corporation
TechNet Webcast: Security for Exchange and SharePoint: What's Not in the Box? (Level 200)
Wednesday, May 6, 1:00 PM Pacific Time
Uri Lichtenfeld, Product Manager, Microsoft Corporation
TechNet Webcast: SharePoint Server 2007 and Exchange Server 2007 Integration with Active Directory (Level 400)
Thursday, May 7, 1:00 PM Pacific Time
Cristian Mora, Technical Product Manager, Microsoft Corporation
TechNet Webcast: How Microsoft Does IT: System Center Configuration Manager 2007 Client Health Strategies (Level 300)
Tuesday, May 12, 9:30 AM Pacific Time
Paul Thomsen, Microsoft IT Senior Systems Engineer, Microsoft Corporation
TechNet Webcast: Information About Microsoft May Security Bulletins (Level 200)
Wednesday, May 13, 11:00 AM Pacific Time
Adrian Stone, Senior Security Program Manager Lead, Microsoft Corporation and Christopher Budd, Security Response Communications Lead, Microsoft Corporation
For Developers
MSDN Webcast: 24 Hours of Windows Mobile Application Development: WCF Development and Mobile Devices (Level 300)
Wednesday, April 22, 10:00 AM Pacific Time
Nickolas Landry, MVP and Principal Architect, Infusion Development, New York City
MSDN Webcast: Hiding the Key: Practical Security for Windows Mobile Applications (Level 300)
Monday, April 27, 10:00 AM Pacific Time
Andy Wigley, Mobile Application Development MVP, Appa Mundi
Microsoft On-Demand Webcasts
MSDN Webcast: Managing Cross-Site Scripting Using CAT.NET and AntiXSS (Level 200)
Cross-site scripting attacks are one of the most common attack vectors that plague Web applications. In this webcast, we provide an overview of the tools designed for discovery and mitigation of cross-site scripting vulnerabilities in Microsoft .NET applications.
MSDN Webcast: geekSpeak: Access Control Service with Michele Leroux Bustamante (Level 200)
In this episode of geekSpeak, industry guru Michele Leroux Bustamante will introduce us to the Access Control Service that is part of the Azure Services Platform under .NET Services. She will also show how developers can build federated security scenarios leveraging the Access Control Service, your Security Token Service hosted in the cloud.
MSDN Webcast: More Secure Online Services Powered by the Microsoft Security Development Lifecycle (Level 300)
In this webcast, we demonstrate the most common and most dangerous threats to online services, and we describe the coding procedures and tools required by the Microsoft Security Development Lifecycle (SDL) to mitigate or defeat these threats. Additionally, we discuss some strategies on how to implement the SDL successfully in the fast-paced environment of online services on the Internet, in which development teams can literally be delivering new versions of their products every single day.

Security Newsletter
Volume 6, No. 4

April 2009
Security Program Guide
Security Awareness Materials
Guidance, samples, and templates for creating a security-awareness program in your organization.
Learn Security On the Job
Learning Paths for Security - Microsoft Training References and Resources
Upcoming Chats
IT Manager Community Chat - Security
May 18, 11:00 AM Pacific Time
Learn from fellow experts, get your security questions answered, and improve your understanding of the Microsoft solutions that can help jumpstart your efforts.
View a listing of upcoming technical chats
Free In-Person Events
TechNet Events
Security Blogs
Michael Howard
Eric Lippert
Eric Fitzgerald
Steve Lamb
MSRC Blog
ACE Team
Jeff Jones
Windows Vista Security
Solution Accelerators - Security & Compliance
Kai Axford
Security Vulnerability Research & Defense
Steve Riley
Security Development Lifecycle (SDL)
Security Newsgroups
General Security issues/questions
Virus issues/questions
ISA Server
Windows 2000: Security
Windows Vista: Security
SQL Server: Security
Windows Server: Security
Other Security Newsgroups
Community Web Sites
IT Pro Security Community
Security Newsgroups
Related Communities
Additional Security Resources
Security Help and Support for IT Professionals
TechNet Troubleshooting and Support Page
Microsoft Security Glossary
TechNet Security Center
MSDN Security Developer Center
Midsize Business Security Center
Sign-Up for the Microsoft Security Notification Service
Security Bulletin Search Page
Home Users: Protect Your PC
MCSE/MCSA: Security Certifications
Subscribe to TechNet
Register for TechNet Flash IT Newsletter
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Azure, Forefront, Hyper-V, MSDN, SharePoint, Visual Studio, Windows, and Windows Mobile are trademarks of the Microsoft group of companies.


This newsletter was sent by the Microsoft Corporation
One Microsoft Way
Redmond, Washington, USA
98052
