Friday, September 11, 2009

Microsoft Security Newsletter - Volume 6, Issue 9

Microsoft Security Newsletter
This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. To view an online version of this newsletter, click here or subscribe to the Featured Security and Privacy Content RSS feed to receive more frequent updates on news and featured resources. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
Note from the Editor
Kai Axford  
I love football. I love high school football. I love college football. I love NFL football. What I do not love is missing football.

This year, one of the games of my beloved Green Bay Packers is on Monday night. That's the Monday night before the second Tuesday of the month. You know … the night before we release the monthly updates. When I should be sitting at home, yelling at my television, I'll be doing what you're doing—spending hours reading, worrying, and hoping that the solution won't be worse than the problem. That leads me to my focus for this month: security update management.

Rolling out fixes is not the most glamorous of tasks. It is, however, one of the most crucial tasks we perform. A lot could go wrong either way. The process you use plays a huge part in that. I'm not just talking about whether you're a small business that relies on Microsoft Update or a medium-sized one that takes advantage of Windows Server Update Services (WSUS). You may even be using the great features available in Microsoft System Center Configuration Manager 2007. Regardless of the vehicle that gets you to the stadium, you still have to practice and have a good game plan to win. It's all about effective and consistent processes.

Now, I realize that understanding the whole Microsoft Security Update process is … challenging. We have security updates, and security bulletins, and security notifications, and security advisories. Who can keep up? It's more difficult than trying to read an NFL playbook. Good luck figuring it all out. Until now.

Thanks to some great work by our very own Michael Grady (who just happens to be a former college football player), Microsoft has finally put together a playbook that makes sense of it all. The Microsoft Security Update Guide is "must have" security guidance that walks you through all the terms, processes, and tools to get it all done correctly. What is the difference between a bulletin and an advisory? What things should I consider before deployment? Do I even need this update? What resources are available to assist me? Get this guide. It will make your job a lot easier, leaving you plenty of time to enjoy the game.

Until next time!

Kai Axford, MBA, CISSP, MCSE
Sr. Security Strategist, Microsoft Trustworthy Computing (TwC)

Top Stories
Better understand how to use Microsoft security release information, processes, tools, and communications to help manage organizational risk and develop a repeatable, effective deployment mechanism for security updates. In this guide, you will find a convenient glossary of terms, an overview of the Microsoft Security Bulletin process, and a stage-by-stage review of Microsoft Security Updates.
This next-generation version of Forefront Security for Exchange Server provides fast and effective detection of malware and spam, blocks out-of-policy content, and integrates with Microsoft Forefront Online Protection for Exchange to offer the defense-in-depth benefits of hosted and on-premises filtering in a single solution.
WSUS 3.0 SP2 supports the latest operating systems, including Windows Server 2008 R2 and Windows 7 clients. WSUS 3.0 SP2 is more robust and features significant improvements in client performance, reliability, and increased server usability.
Brought to you by the Springboard Series, a 90-day trial is now available to help you test and evaluate the RTM version of Windows 7 Enterprise. Designed specifically for IT professionals, this 90-day trial is offered in English, French, German, Japanese, and Spanish. (Note: If you already have Windows 7 through MSDN, TechNet, or Software Assurance, you do not need to download this trial.)

Security Guidance
This toolkit series provides an end-to-end solution to help your organization plan, deploy, and monitor security baselines of Windows operating systems and 2007 Microsoft Office applications.
The Microsoft Exploitability Index makes an assessment on the likelihood that code will be released that exploits the vulnerability or vulnerabilities addressed in a security bulletin within the first 30 days after that bulletin's release. Learn how to take advantage of this tool in your organization.
Learn how to keep single or multiple servers up to date, and improve your knowledge of the processes required to create a sound patch management system.
Microsoft Forefront Client Security uses the WSUS engine to deploy definition updates to all the clients that Forefront Client Security manages. Microsoft System Center Configuration Manager 2007 uses WSUS to provide metadata to the scanning engine on Configuration Manager clients that facilitate software updates. This document provides guidance on how to configure Forefront Client Security definition updates to use an existing Configuration Manager WSUS infrastructure while ensuring that Configuration Manager and Forefront Client Security function properly and work together in harmony.
The Security Development Lifecycle (SDL) Process Template was developed to ease the integration of security into the software development process. This four-minute video will show you how to modify the default work items that are created in your new SDL Process Template team project, and how to modify the default work item types, such as Task or Bug.

This Month's Security Bulletins
Critical:
Security Bulletin Overview for September 2009
Active Template Library Security Update for Developers
Get detailed information and guidance for controls and components built with the Active Template Library.

The Business of Security
There is a reason you subscribe to this newsletter. You are working, or hope to be working, in the area of information security. You are in the security business, a term often confused with the "business of security."

The business of security focuses on those skills that security professionals rely on, beyond their deep technical knowledge. It refers to the ability to translate technical concepts into business value. It's about understanding that the chief financial officer is more worried about cash flow than packet flow. In short, it's about managing risk. As you continue to progress in your career, these are skills you will find as valuable as your ability to install a perimeter firewall.

Each month, in this new section of the newsletter, we will concentrate on those things that will allow you to move onward and upward in your security career. Over the next few months, we'll hear from those who have obtained a seat in the boardroom and from those who can put you there. We'll hear from chief information security officers and IT directors who can tell you what they like and dislike when interviewing candidates for roles in their company. We'll help you understand things like security metrics and return on security investment (ROSI), so you can have a business discussion with your senior managers. We'll also discuss how to deliver an effective presentation to those senior staff members.

Security needs to be seen as a business enabler, not a hurdle, and this is where we'll learn to do that. So welcome. It's time to set aside the technical manual and get ready to work on upgrading one the most overlooked assets in your organization—you!

Is there a topic you would like to see us discuss? E-mail us at secaware@microsoft.com.

Microsoft Product Lifecycle Information
Find information about your particular products on the Microsoft Product Lifecycle Web site.
See a list of supported service packs: Microsoft provides free software updates for security and nonsecurity issues for all supported service packs.

Security Events and Training
Join Marcus Murray, Microsoft MVP in Security, as he and fellow MVPs present a free online Windows 7 webinar on October 7. Walk through the various Windows 7 security features and the threats they mitigate, plus learn about deployment, migration, virtualization, and more.
Heat up your skills with the all-new Firestarter event series. Each day-long event tackles a single Microsoft technology, including free sessions presented live by Microsoft developer and IT pro evangelists as well as technology specialists—with special appearances from community luminaries. Attend in person or via live meeting or download the webcast at your convenience and start learning about new built-in security enhancements in Windows.
Internet Information Services (IIS) 7.0 maximizes Web server security by default with minimal Web server footprint and automatic application isolation. Learn how to capitalize on IIS 7.0 to offer greater application isolation by giving worker processes a unique identity and a sandboxed configuration by default, further reducing security risks.

Upcoming Security Webcasts
Thursday, September 17, 11:00 AM Pacific Time
Thursday, September 24, 11:00 AM Pacific Time
Thursday, October 8, 11:00 AM Pacific Time
Use this dynamic, interactive format to find upcoming security webcasts.
For IT Professionals
TechNet Webcast: Microsoft Secure Collaboration Solution (Level 200)
Tuesday, September 29, 1:00 PM Pacific Time
TechNet Webcast: Microsoft Secure Messaging Solution (Level 200)
Thursday, October 8, 1:00 PM Pacific Time
TechNet Webcast: Microsoft Secure Endpoint Solution (Level 200)
Tuesday, October 13, 12:00 PM Pacific Time
TechNet Webcast: Microsoft Integrated Security Solution (Level 200)
Thursday, October 15, 1:00 PM Pacific Time
Now On Demand
Help Customers Protect Offline Virtual Machines from Security Threats
Learn how to keep offline virtualized servers up to date and safe from attack.

Security Newsletter
Volume 6, No. 9

September 2009
In This Issue:
Top Stories
Security Guidance
This Month's Security Bulletins
The Business of Security
Microsoft Product Lifecycle Information
Security Events and Training
Upcoming Security Webcasts
Security Program Guide
Microsoft SDL – Developer Starter Kit
Security Awareness Materials
Guidance, samples, and templates for creating a security-awareness program in your organization.
Learn Security On the Job
Learning Paths for Security - Microsoft Training References and Resources
Upcoming Chats
View a listing of upcoming technical chats
Security Blogs
Trustworthy Computing Security/Privacy Blogs RSS
Michael Howard RSS
Eric Lippert RSS
Eric Fitzgerald RSS
MSRC Blog RSS
ACE Team RSS
Windows Security RSS
Solution Accelerators - Security & Compliance RSS
Kai Axford RSS
Security Vulnerability Research & Defense RSS
Security Development Lifecycle (SDL) RSS
Security Newsgroups
General Security issues/questions
Open with newsreader
Virus issues/questions
Open with newsreader
ISA Server
Open with newsreader
Window Vista: Security
Open with newsreader
SQL Server: Security
Open with newsreader
Windows Server: Security
Open with newsreader
Community Web Sites
IT Pro Security Community
Additional Security Resources
Security Help and Support for IT Professionals
TechNet Troubleshooting and Support Page
Microsoft Security Glossary
Security TechCenter
MSDN Security Developer Center
Sign-Up for the Microsoft Security Notification Service
Security Bulletin Search Page
Home Users: Protect Your PC
MCSE/MCSA: Security Certifications
Subscribe to TechNet
Register for TechNet Flash IT Newsletter
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Forefront, MSDN, Windows, Windows Media, Windows Server, and Zune are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at http://www.microsoft.com/info/unsubscribe.htm. You can manage all your Microsoft.com communication preferences at this site.

Legal Information.

This newsletter was sent by the Microsoft Corporation
One Microsoft Way
Redmond, Washington, USA
98052

Sign up for other newsletters | Unsubscribe | Update your profile
© 2009 Microsoft Corporation Terms of Use | Trademarks | Privacy Statement
Microsoft

Your cOmment"s Here! Hover Your cUrsOr to leave a cOmment.


Subscribe to: Post Comments (Atom)