Hi, I'm Tim Rains, your guest editor for this month's edition of the Microsoft Security Newsletter. In case you missed last month's announcement, the latest Microsoft Security Intelligence Report (SIRv7) was released on November 2. It's the largest security report that Microsoft has ever published -- with 232 pages on the latest trends and data points you need to better understand what is happening in the threat landscape today. For those of you who aren't familiar with the SIR, the report provides insights into the threat landscape from multiple vantage points so that you receive a well-rounded view of how attackers are behaving on the Internet. For example, on page 41 you'll find a malware infection rate "heat map" that illustrates infection rates around the world followed by deep dives into malware trends in 19 countries -- very helpful information if your organization does business in different parts of the world. Later in the report there is a graph that shows infection-rate trends for the different operating systems and service packs over the past two years. If you are an IT pro looking for data to help make the case to move to a newer, more secure OS or simply the newest service pack, the data in SIRv7 may be able to help. Personally, I find the section in the SIR on industry-wide vulnerability disclosure trends to be very interesting. On page 149 you'll see that the vast majority of vulnerability disclosures since 2004 have been related to applications. This is a good reminder for all IT departments to maintain a strategy to keep all software up to date, not just the OS or the browser. I hope these examples have made you curious about SIRv7. You can get the full report or the 19-page Key Findings Summary in ten languages at www.microsoft.com/sir, as well as video overviews if you aren't in the mood to read. If you have any feedback on the report -- what you find useful or areas that can be improved -- please send us an e-mail message at sirfb@microsoft.com. 
In addition to SIRv7, Microsoft Office 2010 Beta is now available; try it and Microsoft Exchange 2010 in your environment today. Read on for tools and guidance to help you protect your applications and messaging servers from the modern threat landscape.

Wishing you safe and happy holidays,
Tim Rains, Group Product Manager, Microsoft Trustworthy Computing

Top Stories

Privacy in the Cloud Computing Era: Based on the past decade of experience examining and addressing privacy challenges in the evolving online services realm, this new paper discusses how Microsoft is approaching privacy as it relates to cloud computing and describes how the underlying privacy principles provide a solid foundation for addressing evolving privacy issues.

Security Podcasts: Quickly find security podcasts, stream or download .WMA or MP3 files to your favorite podcast software or mobile device, and subscribe to RSS feeds or automatically have podcasts downloaded to your computer.

Security Guidance

Windows Identity Foundation: Learn how to leverage Windows Identity Foundation (WIF) to significantly reduce the code required to implement rich application scenarios that involve federated and claims-based security.

SDL-Agile: Per the Agile Manifesto, Agile projects should have short iterations, lasting from one month to a few weeks or less. SDL-Agile breaks the SDL into three categories of requirements: the requirements so important that they must be completed every iteration; the requirements that only have to be completed once per project no matter how long it runs; and the requirements that still need to be completed regularly but are not so important that they need to be completed every sprint. Read this overview of SDL methodologies for Agile development and then download the complete SDL-Agile guidance, part of the SDL 4.1a Process Guidance.

2007 Microsoft Office Security Guide: Get guidance, workbooks, and tools to help you plan, deploy, and monitor the security baselines of computers running the 2007 Microsoft Office Service Pack 1 (SP1) applications in your environment.

2007 Office Security Settings Reference: Use this technical reference for the security settings and privacy options in the 2007 Microsoft Office system to determine what each setting does, what the default configurations are, which tool to use to configure a setting, and where to find the setting in the Office Customization Tool (OCT) or the Group Policy Object Editor.

Office 2010 Password Rules: Learn about the new password rules feature in Microsoft Office 2010, and get guidance on how to enable and configure it. A high-level introduction to several of the new security features in Office 2010 is also available.

Application Verifier: The Application Verifier (AppVerifier) is a collection of tests used during the application development and testing process to help developers identify potential application compatibility, stability, and security issues, and to find guidance for source-code-level fixes.

Windows Mobile Security Model: Gain an understanding of the Windows Mobile security model from both the device and server perspectives. This paper will help you know which security levels and features are available on front door and back door Windows Mobile powered devices and how Microsoft Exchange ActiveSync interacts with each of them. Read the Security Model for Windows Mobile 5.0 and Windows Mobile 6 for more detailed technical information on provisioning and managing Windows Mobile powered devices.

This Month's Security Bulletins

Critical:
Important:
Security Bulletin Overview for December 2009

Microsoft Product Lifecycle Information

Find information about your particular products on the Microsoft Product Lifecycle Web site. Microsoft provides free software updates for security and nonsecurity issues for all supported service packs; a list of supported service packs is also available there.

Security Events and Training

Wednesday, February 3, 2010, San Francisco, CA: Learn the basics of secure design, development, and testing, and then delve into threat modeling and building privacy into software products and services.

Deploying Office Add-ins and SharePoint Applications: Learn how to deploy your Office Add-ins and SharePoint applications and the roles that the end user and administrator play in each. Topics covered are security, SharePoint Solution (WSP) files, ClickOnce, Add-ins, and Document Templates.

Exchange Server 2010 Clinic: This one-hour clinic describes Microsoft Exchange Server 2010 features, deployment scenarios, and development platform options, including storage, compliance, and management tools. Follow up with Clinic 6901: Exchange Server 2010 in an Enterprise for more detail on unified messaging and data protection.

AppLocker: Learn how AppLocker provides not only security protections, but also operational and compliance benefits by: stopping users from running applications that needlessly consume network bandwidth or otherwise impact the enterprise computing environment; preventing vulnerable, unauthorized applications from running in your desktop environment, including malware; and helping ensure your desktop environment is in compliance with corporate policies and industry regulations.

Upcoming Security Webcasts

Tuesday, December 22, 11:00 AM Pacific Time: The Access Control Service (ACS), part of Windows Azure platform AppFabric, makes it easy to secure REST-based services using a simple set of standard protocols. Take a tour of ACS features and learn how to configure ACS, how to request a token from the ACS, and how applications and services can authorize access based on the ACS token.

Security Webcast Calendar: Upcoming security webcasts in a dynamic, interactive format.

Now On Demand

ARCHITECT CAFÉ Webcast: Software as a Service in the Cloud. Learn how to solve difficult technical problems encountered when building software-as-a-service applications. Topics include certificate security, low-IT-capable clients, business continuity when connectivity is lost, provisioning of services, scalability as the number of clients increases, database design for clients, how to use virtualization, and how to integrate and release service functionality over several different client applications.

Volume 6, No. 12, December 2009

© 2009 Microsoft Corporation. All rights reserved. Microsoft, MSDN, ActiveSync, Azure, Forefront, SharePoint, Windows, Windows Media, Windows Mobile, Windows Server, Windows Vista, and Zune are trademarks of the Microsoft group of companies. This newsletter was sent by the Microsoft Corporation, One Microsoft Way, Redmond, Washington, USA 98052.