Microsoft Security Newsletter – June 2010

Sign up for other newsletters | Unsubscribe | Update your profile This is a monthly newsletter for IT professionals and developers-bringing security news, guidance, updates, and community resources directly to your inbox. To view an online version of this newsletter, click here or subscribe to the Featured Security and Privacy Content RSS feed to receive more frequent updates on news and featured resources. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter. Special Note: In April, we changed to a new newsletter publishing system. As a result, you may have noticed that the last two editions of this communication came from the following address: Microsoft Global Security [Microsoft@e-mail.microsoft.com]. This change may have resulted in this email being filtered as junk mail, so we'd like to take this opportunity to assure you that this is a genuine Microsoft communication and to let you know that this and all future editions will be delivered simply from Microsoft [Microsoft@e-mail.microsoft.com]. Note from the Editor Welcome to June's Security Newsletter! Networking and network security are topics that are near and dear to my heart. When I started working at Microsoft almost twelve years ago, I was a support engineer in Customer Service and Support (CSS), helping enterprise customers with their toughest networking issues like building out their DNS infrastructures for their Windows 2000 Active Directory deployments. Years later, I had the opportunity to help build the CSS Security team and help enterprise customers with a variety of security challenges. During this time I developed and released many tools to help IT professionals with their networking and network security work. Tools like DNSLint, Portqry, and Port Reporter became staples in many IT pros' toolkits and are still in wide use today. Later in my career I had the opportunity to work on network diagnostics and some related networking features in Windows Vista and Windows Server 2008. You'll read about some secure networking technologies in this month's newsletter. Speaking about the good old days, I do want to draw your attention to one of this month's top stories because of its potential impact to your infrastructure. Support for Windows XP Service Pack 2 (SP2) and Windows 2000 will end on July 13, 2010. This means that security updates will no longer be offered for these platforms. Support for Windows Vista Release to Manufacturing (RTM) ended on April 13, 2010. Moving off of these platforms as soon as possible, and moving to Windows 7 is the best option to consider for many reasons. Finally, for those of you interested in downloading the Application Security Assessment we discussed in May's Security Tip of the Month, you can do so here. We have also updated the online Security Tip article to include a link to the download. Best regards, Tim Rains, Group Product Manager, Microsoft Trustworthy Computing Follow the Microsoft Security Response team on Twitter @MSFTSecResponse for the latest information on the threat landscape. Top Stories End of Support for Windows XP SP2, Windows 2000, and Windows Vista RTM Support for Windows XP Service Pack 2 (SP2) and Windows 2000 will end on July 13, 2010. If you are running Windows XP, stay more secure by moving to Windows XP Service Pack 3 (SP3) or migrating to Windows 7. If you are running Windows 2000, we recommend that you move to Windows 7 as no additional support or updates will be offered for the Windows 2000 operating system. Also, as a reminder, support for Windows Vista Release to Manufacturing (RTM) ended on April 13, 2010. To help ensure your Windows Vista PCs stay secure and up-to-date, make sure they are running Windows Vista Service Pack 1 (SP1) or SP2. Please note that customers running an unsupported version of Windows or a service pack will not be eligible for any Microsoft support options. Updates, including security updates released with bulletins from the Microsoft Security Response Center, will be reviewed and built for the supported versions and service packs only. Boost Security with the Microsoft SDL Threat Modeling Tool Now you can easily identify and analyze security threats to your software, even when you are still in the design phase. The Microsoft Security Development Lifecycle (SDL) Threat Modeling Tool finds potential issues early-when they are easier and less costly to resolve. It's the first modeling tool designed primarily for developers and software architects, and it's available at no charge.   Security Guidance Security Tip of the Month: Network Diagnostics and Tracing in Windows 7 Learn about the new features and integrated support for network diagnostics and event tracing in Windows 7 from TechNet's The Cable Guy.   Azure Network Security Deep Dive Take a closer look into how network communications work and are more secure within the Windows Azure platform. Learn why we don't use IPSec between the Compute node and store. Get a breakdown of the virtualization security in Azure and how to protect against malicious users launching Denial of Service (DoS) attacks. Learn how to protect against users who create a bogus account and try to make attacks from inside the Azure framework.   Using Windows 7 and Windows Server 2008 R2: Controlling Communication with the Internet Explore the communication that flows between the features in Windows 7 and Windows Server 2008 R2 and sites on the Internet, and then learn how you can limit, control, or prevent that communication in an organization with many users.   Support for IPv6 in Windows Server 2008 R2 and Windows 7 Learn how Windows Server 2008 R2 and Windows 7 offer new features that support IPv6 for local and remote connectivity, and for simplified management of host settings.   Network Access Protection (NAP) Client Configuration Overview Find out when to use NAP Client Configuration and how to manage NAP settings on client computers.   BranchCache Technical Overview Explore the different modes in which BranchCache operates and learn how BranchCache is configured. Find out how BranchCache works with web servers and file servers and the steps BranchCache takes to determine that the content is up-to-date.   BranchCache Deployment Guide Get step-by-step guidance on how to deploy BranchCache in distributed cache mode or hosted cache mode for either web server-based content servers, BITS-based application servers, or file server-based content servers.   DirectAccess Technical Overview Learn about the benefits of DirectAccess, how it works, and what you will need to deploy it in your organization.   DirectAccess Deployment Guide Find out how to deploy DirectAccess for full Internet access, selected server access, or end-to-end access. Also, learn how to deploy configurations for DirectAccess with NAP, Hyper-V, and more.   Troubleshooting NAP Enforcement Learn about the components of a health requirement policy, how the NPS service processes incoming requests for NAP evaluation, and how to troubleshoot the most common issues with NAP enforcement.   A Guide to Securing ISA Server 2006 While many IT pros rely on Internet Security and Acceleration (ISA) Server 2006 to secure their technology assets, not everyone takes the extra step of securing ISA Server itself. Get a brief recap of general best practices for securing servers. After that, take a step-by-step look at hardening strategies for ISA Server itself, using the Security Configuration Wizard to reduce the attack surface area of the ISA Server and Administrative roles to restrict access to the ISA Server.   This Month's Security Bulletins Critical: • MS10-033: Vulnerabilities in Media Decompression Could Allow Remote Code Execution (979902) • MS10-034: Cumulative Security Update of ActiveX Kill Bits (980195) • MS10-035: Cumulative Security Update for Internet Explorer (982381)   Important: • MS10-032: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (979559) • MS10-036: Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235) • MS10-037: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Elevation of Privilege (980218) • MS10-038: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (2027452) • MS10-039: Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554) • MS10-040: Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666) • MS10-041: Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)   Security Bulletin Overview for June 2010 • Microsoft Security Response Center (MSRC) Blog Post • Windows Media Video (WMV) • Windows Media Audio (WMA) • iPod Video (MP4) • MP3 Audio • High Quality WMV (2.5 Mbps) • Zune Video (WMV)   Community/MVP Update Security MVP of the Month: Debra Littlejohn Shinder Debra Littlejohn Shinder is a technology trainer, author, and consultant. She is owner and CEO of TACteam, which provides white papers, marketing materials, product documentation, online training courses, and more, for companies such as Microsoft, Sunbelt Software, GFI, Network Engines, Hewlett-Packard, Intel, and 2X Software. Deb is the author of Computer Networking Essentials (Cisco Press) and Scene of the Cybercrime (Syngress). She is also coauthor of or contributor to 26 other technology books including the bestselling Configuring ISA Server 2000 and Configuring ISA Server 2004 with husband Tom Shinder. She has published hundreds of articles in TechRepublic, CNET, Windows & .NET Magazine, Windows IT Pro Magazine, ComputerWorld, and other print and online publications. She is editor of WXPNews, Win7News, a lead author at Windowsecurity.com and ISAServer.org, and a contributor to several technology blogs.   MVP Article of the Month: Windows Server 2008 R2 Remote Access Options Learn about the various remote access solutions available in Windows Server 2008 R2, including traditional PPTP or L2TP/IPsec VPN, SSL-encrypted HTTP VPN with SSTP, IPsec tunnel mode, and DirectAccess.   Microsoft Product Lifecycle Information Find information about your particular products on the Microsoft Product Lifecycle Web site. See a List of Supported Service Packs: Microsoft provides free software updates for security and nonsecurity issues for all supported service packs. Security Events and Training Security Talk: MSF Agile + SDL Learn how to add security practices to Team Foundation Server (TFS) with MSF Agile+SDL. MSF Agile+SDL is a TFS process template that incorporates Security Development Lifecycle (SDL) guidance into the development framework by enabling the code checked into the Visual Studio Team System source repository to be analyzed for compliance with SDL practices. This helps automate the security workflow for things like threat modeling, making sure security items are not missed or skipped.   TechNet Simulcast: Forefront Virtual Event Day 1: Wednesday, June 23, 8:00 AM Pacific Time Day 2: Thursday, June 24, 8:00 AM Pacific Time Dive deep into the new Forefront products and related solutions. Hear from the product team and ask them questions as we teach you about the product and deliver some amazing technical demos on FEP, FIM, TMG, UAG, FPSP, FPE, FOPE, and ADRMS + Exchange.   Upcoming Security Webcasts • Governance & Compliance of Windows Azure Applications Monday, June 14, 2010 1:00 PM Central Time • Business Insights Webcast: Identity and Access with Microsoft Forefront Identity Manager (Level 100) Wednesday, June 23, 2010 11:00 AM Pacific Time • Governance & Compliance of Windows Azure Applications Monday, June 28, 2010 1:00 PM Central Time Interactive Security Webcast Calendar Upcoming security webcasts in a dynamic, interactive format.   For IT Professionals • TechNet Webcast: Centralizing Application Authorization with AD FS 2.0 (Level 200) Tuesday, June 15, 2010 1:00 PM Pacific Time • TechNet Webcast: Enabling Secure Messaging - Forefront Online Protection for Exchange Deployment Best Practices (Level 200) Wednesday, June 16, 2010 10:00 AM Pacific Time • TechNet Webcast: Federated Single Sign-on to Applications Using Interoperable Standards (Level 200) Thursday, June 17, 2010 1:00 PM Pacific Time • TechNet Webcast: Windows 7 Security Talk (Part 3 of 3): Data Protection & Security Guidance (Level 200) Friday, June 18, 2010 10:00 AM Pacific Time • TechNet Webcast: Technical Introduction to System Center Data Protection Manager 2010 (Level 200) Tuesday, June 22, 2010 8:00 AM Pacific Time • TechNet Webcast: Deployment Best Practices for Information Protection (Level 300) Tuesday, June 22, 2010 9:00 AM Pacific Time • TechNet Webcast: Using a Microsoft Information Protection Solution with RSA Data Loss Prevention (Level 300) Tuesday, June 22, 2010 12:00 PM Pacific Time • TechNet Webcast: How to Protect Windows Clients with System Center Data Protection Manager 2010 (Level 200) Thursday, June 24, 2010 9:00 AM Pacific Time • TechNet Webcast: Forefront Endpoint Protection 2010 and System Center Configuration Manager (Level 200) Thursday, June 24, 2010 10:00 AM Pacific Time • TechNet Webcast: Deploying a Microsoft Identity and Access Management Solution (Level 300) Monday, June 28, 2010 11:00 AM Pacific Time • TechNet Webcast: Using a Microsoft Information Protection Solution with RSA Data Loss Prevention (Level 300) Wednesday, June 30, 2010 8:00 AM Pacific Time • TechNet Webcast: Information About Microsoft July Security Bulletins (Level 200) Wednesday, July 14, 2010 11:00 AM Pacific Time   For Developers • MSDN Webcast: Security Talk: File Fuzzing for Fun and Profit (Level 300) Tuesday, June 15, 2010 9:00 AM Pacific Time • MSDN Webcast: Security Talk: Using Windows Azure Storage Securely (Level 200) Thursday, July 01, 2010 1:00 PM Pacific Time   Now On Demand • MSDN Webcast: Security Talk: Security Best Practices for Design and Deployment on Windows Azure (Level 200) Developing secure applications and services in the cloud requires knowledge of the threat landscape specific to the cloud provider. The key is understanding threat mitigations implemented by the cloud architecture versus those that are the responsibility of the developer. Learn about the threats that are specific to the cloud, how the Windows Azure architecture deals with these threats, how to use built-in Windows Azure security features to protect your applications, and how to design services to minimize attack surface. • TechNet Webcast: Windows 7 Security Talk (Part 2 of 3): Networking Security and Application Control (Level 200) Explore the networking components of the Windows 7 operating system, including DirectAccess, Network Access Protection, and how to deploy Windows 7 in a secure manner with the utilization of AppLocker. • Security Talk: Overview of the Microsoft Security Intelligence Report (SIR) Volume 8 Join a conversation with Khalid Kark, Forrester Vice President and Principal Analyst, to discuss the findings from the latest SIR. Haven't read SIR Volume 8 - download it today.   Volume 7, No. 6 June 2010 In This Issue: Top Stories Security Guidance This Month's Security Bulletins Community/MVP Update Microsoft Product Lifecycle Information Security Events and Training Upcoming Security Webcasts Security Program Guide • Microsoft SDL - Developer Starter Kit • Security Awareness Materials • Learn Security On the Job • Learning Paths for Security -Microsoft Training References and Resources Upcoming Chats • View a listing of upcoming technical chats Security Blogs • Trustworthy Computing Security/Privacy Blogs • Michael Howard • Eric Lippert • Eric Fitzgerald • MSRC Blog • ACE Team • Windows Security • Forefront Team • Solution Accelerators - Security & Compliance • Security Vulnerability Research & Defense • Security Development Lifecycle (SDL) • Security/Privacy Blogs Community Web Sites • IT Pro Security Community Additional Security Resources • Security Help and Support for IT Professionals • TechNet Troubleshooting and Support Page • Microsoft Security Glossary • TechNet Security Center • MSDN Security Developer Center • Sign-Up for the Microsoft Security Notification Service • Security Bulletin Search Page • Microsoft Security Center • Home Users: Protect Your PC • MCSE/MCSA: Security Certifications • Subscribe to TechNet • Register for TechNet Flash IT Newsletter © 2010 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at http://www.microsoft.com/info/unsubscribe.htm. You can manage all your Microsoft.com communication preferences at this site. Legal Information. This newsletter was sent by the Microsoft Corporation One Microsoft Way Redmond, WA, 98052, USA Sign up for other newsletters | Unsubscribe | Update your profile © 2010 Microsoft Corporation Terms of Use | Trademarks | Privacy Statement