Saturday, August 15, 2009

Microsoft Security Newsletter - Volume 6, Issue 8

Microsoft Security Newsletter
This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. To view an online version of this newsletter, click here or subscribe to the Featured Security and Privacy Content RSS feed to receive more frequent updates on news and featured resources. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
Note from the Editor
Kai Axford  
This month we're going to focus on database security.

Database security is something that should be near and dear to everyone's heart. Why? Simply put, all the data that you're busy securing has to live somewhere. Yes, I'm quite aware that "data in motion" can be intercepted through various attacks such as MITM or sniffing the wire. At the end of most days, that data is going to stop moving and become "data at rest." It's usually stored in a big blob known as a database. That being said, let's not limit ourselves to thinking only of the more traditional "relational database management systems" such as Microsoft SQL Server or Microsoft Office Access. We should also consider things like Excel spreadsheets—which, as we all know, is one of the best-selling "databases" in use today! You've got to protect the assets no matter where they live.

On that note, we've got a great article on SQL injection. A lot of things have changed since this technique raised its head a number of years ago. Brad and Geng from iSEC Partners wrote a terrific article on how to hunt for SQL injection bugs, and they discuss how SQL injection works. Even if you aren't a database administrator, this article will make you aware of what's going on in the field. Definitely a good read and we want to keep our skills up. It could be an interview question!

I also want to thank everyone for your feedback. I've received tons of great e-mail messages on how we can improve and what topics we should cover. My only request going forward is that you focus on how to improve this newsletter. I'm probably not going to be able to help you troubleshoot that new motherboard and the STOP 0x7E error you're getting on boot—even I call support when that happens! Continue to contact me through my blog at http://blogs.technet.com/kaiaxford or directly at kaiax@microsoft.com.

Like many of you, I'm gearing up for family vacation, but I did find some time late last night to install the release to manufacturing (RTM) version of Windows 7 and yes … it is sweet gold!! Look for some good info on the security aspects of Windows 7 in upcoming issues.

Enjoy the summer!

Kai Axford, MBA, CISSP, MCSE
Sr. Security Strategist, Microsoft Trustworthy Computing (TwC)

Top Stories
With the System Center Configuration Manager Extensions for SCAP, Configuration Manager can consume Security Content Automation Protocol (SCAP) data streams, assess systems for compliance, and generate report results in SCAP format.
Stay up to date with Microsoft Trustworthy Computing's top bloggers. Read posts in different languages, search entries by keyword, and much more.
In this report, the Microsoft Security Response Center summarizes the progress on three security-related programs—the Microsoft Active Protections Program, the Microsoft Exploitability Index, and Microsoft Vulnerability Research—that have increased your access to more effective countermeasures and additional information to help you better evaluate risks.
Gain an understanding of what cloud computing at Microsoft means today and how the company delivers a trustworthy cloud-computing infrastructure with this white paper from the Online Services Security and Compliance team, a part of the Global Foundation Services division that manages security for the Microsoft cloud infrastructure.

Security Guidance
Have you found yourself inadvertently in charge of a SQL Server database and don't know all the best practices for making it secure? Get a quick overview of the top 10 security areas you should worry about, common problems, and solutions.
Securing SQL Server can be viewed as a series of steps, involving four areas: the platform, authentication, objects (including data), and applications that access the system. Get detailed, step-by-step guidance on how to create and implement an effective security plan.
Get guidance to help you protect the replication scenarios that you deploy in SQL Server 2008 from malicious attacks and improve the security of your data.
This video demonstrates how this truncation behavior may be used by an attacker to circumvent the above-mentioned mitigation, resulting in a SQL injection attack. Various options for fixing SQL injection issues are also discussed.
This static code analysis tool for finding SQL Injection vulnerabilities in ASP code will scan ASP source code and generate warnings related to first-order and second-order SQL Injection vulnerabilities. It will also provide annotation support that can be used to improve the analysis of the code.
Microsoft Forefront Client Security uses SQL Server for collection and reporting databases. When you are choosing the SQL Server edition and the hardware on which it will run, take the topics discussed in this article into consideration.
Gain a better understanding of the Microsoft security release information, processes, communications, and tools—and how to manage organizational risk and develop a repeatable, effective deployment mechanism for security updates.
The Microsoft Operations Framework (MOF) is designed to help IT professionals quickly access practical, relevant information on how to connect service management principles to everyday IT tasks and activities, and to ensure alignment between IT and the business. Included in MOF 4.0 is guidance on how to use the framework to achieve the governance, risk, and compliance objectives defined in the COBIT and Val IT governance frameworks.

This Month's Security Bulletins
Critical:
Important:

Community / MVP Update
Microsoft SDL Pro Network Member: iSEC Partners   
iSEC Partners is a full-service security consulting firm that offers a variety of mobile, Web application, and client/server security services. Services provided by iSEC Partners include penetration testing, secure systems development, security education, and software design verification.
In this article, Brad Hill and Geng Yang from iSEC Partners offer some tips and tricks to help you hunt down and eliminate SQL injection in your applications.

Microsoft Product Lifecycle Information
Find information about your particular products on the Microsoft Product Lifecycle Web site.
See a list of supported service packs: Microsoft provides free software updates for security and nonsecurity issues for all supported service packs.

Security Events and Training
Use this learning path to find out about new tools and security features in SQL Server 2008 to help keep your databases more secure. For example, learn how to create a policy that defines the desired surface area settings, enforce the Windows password policy on your SQL Server accounts, and activate Web Service endpoint authentication.
Use the resources in this learning path to better understand how to approach security issues like dissolving network perimeters, disrupted security models from new technologies like virtualization, and the evolving Web platform.
Find out more about the new process template for Microsoft Visual Studio Team System, which is intended to ease adoption of the Microsoft Security Development Lifecycle (SDL), in this Channel 9 interview with Microsoft SDL Program Manager Jeremy Dallman.

Upcoming Security Webcasts
Use this dynamic, interactive format to find upcoming security webcasts.
For IT Professionals
For Developers
Now On Demand
TechNet Webcast: Best Practices for Security with SQL Server 2008 and SafeNet Luna HSM Support (Level 300)
With SQL Server 2008, third-party hardware security modules (HSMs) can now perform cryptographic operations such as key creation, deletion, encryption, and decryption. Learn how integrating SafeNet Luna SA with SQL Server 2008 allows the servers' master cryptographic keys—the foundation of a robust security solution—to be stored within the hardware rather than in software, and how it helps provide greater application security and performance by offloading select key management functionality.
TechNet Webcast: Configuring with Least Privilege in SQL Server 2008 (Level 300)
Attend this webcast and gain an understanding of configuring least-privileged service accounts for SQL Server services, best practices for configuring least-privileged principals used by the front-end or middle tiers to connect to the SQL Server back end, and the details of configuring SQL Server job steps with least privilege.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Access, Forefront, MSDN, SQL Server, Visual Studio, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at http://www.microsoft.com/info/unsubscribe.htm. You can manage all your Microsoft.com communication preferences at this site.
