| This month we're going to focus on database security. Database security is something that should be near and dear to everyone's heart. Why? Simply put, all the data that you're busy securing has to live somewhere. Yes, I'm quite aware that "data in motion" can be intercepted through various attacks such as MITM or sniffing the wire. At the end of most days, that data is going to stop moving and become "data at rest." It's usually stored in a big blob known as a database. That being said, let's not limit ourselves to thinking only of the more traditional "relational database management systems" such as Microsoft SQL Server or Microsoft Office Access. We should also consider things like Excel spreadsheets—which as we all know is one of the best selling "databases" in use today! You've got to protect the assets no matter they live. On that note, we've got a great article on SQL injection. A lot of things have changed since this technique raised its head a number of years ago. Brad and Geng from iSEC Partners wrote a terrific article on how to hunt for SQL injection bugs, and they discuss how SQL injection works. Even if you aren't a database administrator, this article will make you aware of what's going on in the field. Definitely a good read and we want to keep our skills up. It could be an interview question! I also want to thank everyone for your feedback. I've received tons of great e-mail messages on how we can improve and what topics we should cover. My only request going forward is that you focus on how to improve this newsletter. I'm probably not going to be able to help you troubleshoot that new motherboard and the STOP 0x7E error you're getting on boot—even I call support when that happens! Continue to contact me through me blog at http://blogs.technet.com/kaiaxford or directly at kaiax@microsoft.com. Like many of you, I'm gearing up for family vacation, but I did find some time late last night to install the release to manufacturing (RTM) version of Windows 7 and yes … it is sweet gold!! Look for some good info on the security aspects of Windows 7 in upcoming issues. Enjoy the summer! Kai Axford, MBA, CISSP, MCSE Sr. Security Strategist, Microsoft Trustworthy Computing (TwC)
Top Stories | | With the System Center Configuration Manager Extensions for SCAP, Configuration Manager can consume Security Content Automation Protocol (SCAP) data streams, assess systems for compliance, and generate report results in SCAP format. | | | Stay up to date with Microsoft Trustworthy Computing's top bloggers. Read posts in different languages, search entries by keyword, and much more. | | | In this report, the Microsoft Security Response Center summarizes the progress on three security-related programs—the Microsoft Active Protections Program, the Microsoft Exploitability Index, and Microsoft Vulnerability Research—that have increased your access to more effective countermeasures and additional information to help you better evaluate risks. | | | Gain an understanding of what cloud computing at Microsoft means today and how the company delivers a trustworthy cloud-computing infrastructure with this white paper from the Online Services Security and Compliance team, a part of the Global Foundation Services division that manages security for the Microsoft cloud infrastructure. |
Security Guidance | | Have you found yourself inadvertently in charge of a SQL Server database and don't know all the best practices for making it secure? Get a quick overview of the top 10 security areas you should worry about, common problems, and solutions. | | | Securing SQL Server can be viewed as a series of steps, involving four areas: the platform, authentication, objects (including data), and applications that access the system. Get detailed, step-by-step guidance on how to create and implement an effective security plan. | | | Get guidance to help you protect the replication scenarios that you deploy in SQL Server 2008 from malicious attacks and improve the security of your data. | | | This video demonstrates how this property of truncation may be used by an attacker to circumvent the above mentioned mitigation, resulting in a SQL injection attack. Various options for fixing SQL injection issues are also discussed. | | | This static code analysis tool for finding SQL Injection vulnerabilities in ASP code will scan ASP source code and generate warnings related to first-order and second-order SQL Injection vulnerabilities. It will also provide annotation support that can be used to improve the analysis of the code. | | | Microsoft Forefront Client Security uses SQL Server for collection and reporting databases. When you are choosing the SQL Server edition and the hardware on which it will run, take the topics discussed in this article into consideration. | | | Gain a better understanding of the Microsoft security release information, processes, communications, and tools—and how to manage organizational risk and develop a repeatable, effective deployment mechanism for security updates. | | | The Microsoft Operations Framework (MOF) is designed to help IT professionals quickly access practical, relevant information on how to connect service management principles to everyday IT tasks and activities, and to ensure alignment between IT and the business. Included in MOF 4.0 is guidance on how to use the framework to achieve the governance, risk, and compliance objectives defined in the COBIT and Val IT governance frameworks. |
This Month's Security Bulletins Critical: Important:
Community / MVP Update | | iSEC Partners is a full-service security consulting firm that offers a variety of mobile, Web application, and client/server security services. Services provided by iSEC Partners include penetration testing, secure systems development, security education, and software design verification. | | | In this article, Brad Hill and Geng Yang from iSEC Partners offer some tips and tricks to help you hunt down and eliminate SQL injection in your applications. |
Microsoft Product Lifecycle Information
Security Events and Training | | Use this learning path to find out about new tools and security features in SQL Server 2008 to help keep your databases more secure. For example, learn how to create a policy that defines the desired surface area settings, enforce the Windows password policy on your SQL Server accounts, and activate Web Service endpoint authentication. | | | Use the resources in this learning path to better understand how to approach security issues like dissolving network perimeters, disrupted security models from new technologies like virtualization, and the evolving Web platform. | | | Find out more about the new process template for Microsoft Visual Studio Team System, which is intended to ease adoption of the Microsoft Security Development Lifecycle (SDL), in this Channel 9 interview with Microsoft SDL Program Manager Jeremy Dallman. |
Upcoming Security Webcasts | | Use this dynamic, interactive format to find upcoming security webcasts. | For IT Professionals For Developers Now On Demand | • | TechNet Webcast: Best Practices for Security with SQL Server 2008 and SafeNet Luna HSM Support (Level 300) With SQL Server 2008, third-party hardware security modules (HSMs) now can store cryptographic operations such as key creation, deletion, encryption, and decryption. Learn how integrating SafeNet Luna SA with SQL Server 2008 allows storage of the servers' master cryptographic keys—the foundation of a robust security solution—within the hardware and not the software, as well as how it helps provide greater application security and performance by offloading select key management functionality. | | • | TechNet Webcast: Configuring with Least Privilege in SQL Server 2008 (Level 300) Attend this webcast and gain an understanding of configuring least-privileged service accounts for SQL Server services, best practices for configuring least-privileged principals used by the front-end or middle tiers to connect to the SQL Server back end, and the details of configuring SQL Server job steps with least privilege. |
| |  | Volume 6, No. 8  August 2009 | | Additional Security Resources | | | © 2009 Microsoft Corporation. All rights reserved. Microsoft, Access, Forefront, MSDN, SQL Server, Visual Studio, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at http://www.microsoft.com/info/unsubscribe.htm. You can manage all your Microsoft.com communication preferences at this site. Legal Information. This newsletter was sent by the Microsoft Corporation One Microsoft Way Redmond, Washington, USA 98052 | | | | |
