Monday, November 29, 2010

Microsoft Security Newsletter - November 2010



NOTE FROM THE EDITOR

Welcome to November's Security Newsletter! The focus of this month's newsletter is data and database security.

To help you understand how attackers are using SQL injection attacks to attempt to exploit database applications, we published a section in the latest Microsoft Security Intelligence Report (SIR) focused on this topic. Microsoft uses a number of methods to detect and track websites that have been victimized by certain classes of automated SQL injection attack. The latest SIR shows you how different top-level domains were affected in the first half of 2010. The report also provides solid guidance on how to guard against SQL injection.



I also recommend that you read this month's Security Tip of the Month for some useful mitigation guidance.

Best regards,
Tim Rains, Group Product Manager, Microsoft Trustworthy Computing

Follow the Microsoft Security Response team on Twitter @MSFTSecResponse for the latest information on the threat landscape.



November 2010 Edition

IN THIS ISSUE

•  Top Stories
•  Security Guidance
•  Community/MVP Update
•  Cloud Security Corner
•  This Month's Security Bulletins
•  Microsoft Product Lifecycle Information
•  Security Events and Training
•  Upcoming Security Webcasts

SECURITY PROGRAM GUIDE

•  Microsoft SDL - Developer Starter Kit
•  Security Awareness Materials
•  Learn Security On the Job

COMMUNITY WEBSITES

•  IT Pro Security Community

Download Microsoft Forefront Endpoint Protection 2010 Release Candidate
Forefront Endpoint Protection 2010, the next version of Forefront Client Security, helps enable businesses to simplify and improve endpoint protection while greatly reducing infrastructure costs. Download the free trial and also get access to the Forefront Endpoint Protection Security Pack.

Announcing the IT GRC Process Management Pack for System Center Service Manager
The Microsoft IT Governance, Risk, and Compliance (GRC) Process Management Pack for System Center Service Manager (SCSM) provides end-to-end compliance management and automation for desktop and datacenter computers by translating complex regulations and standards into authoritative control objectives and control activities for the IT organization's compliance program.

Malicious Software Removal Tool (MSRT) Tackles Fake Microsoft Security Essentials
Learn how to recognize threats disguising themselves as, or imitating, Microsoft Security Essentials--and find out where to download the authentic version from Microsoft.

Security Tip of the Month: Blocking Automated SQL Injection Attacks
Watch a step-by-step demonstration on how to deploy a new Windows Azure Web Role Application to the Cloud in Azure Platform, create a new Azure Storage Service for the application's data access, create a new Azure Hosted Application Service, configure and publish the Web Role Application's package and configuration, and deploy the application to Azure staging and production environments.

Data Security in Windows Azure: Part 1
Explore the various methods and tools for securing your application data in Windows Azure including methods for securing Azure Storage accounts and data during the transition to the cloud. This video also covers protocols for securing requests to, and responses from, Azure Storage, platform-provided methods for ensuring data integrity, and cryptographic public key distribution between Azure roles and Azure Fabric Controller.

Data Security in Windows Azure: Part 2
Learn how to make your Azure Storage container and blob items URL-addressable in a secure fashion, including the setup of permission structure on the URLs, generating hashes to secure individual items and containers, expiration and revocation of storage hashes and keys, and auditing access to the store.

How to Configure SQL Azure Security
Familiarize yourself with security within SQL Azure with demonstrations on the creation of logins, databases and users and information about sys.sql_logins and sys.databases, which allow the display of logins and databases from the master database.

How to Configure the SQL Azure Firewall
The Microsoft SQL Azure service prevents access to your SQL Azure server with the SQL Azure firewall. You can use the SQL Azure portal or master database to review and edit your firewall configuration. This topic describes how you can define firewall settings to specify which clients should have access to your SQL Azure server. For more information, see SQL Azure Firewall.

How to Manage SQL Azure Firewall Rules
Learn about the IP Firewall Rules inherent in SQL Azure, and get guidance on how to connect to a SQL Azure database using Microsoft SQL Server Management Studio 2008.

Data Encryption Toolkit for Mobile PCs
Get tested guidance and powerful tools to help you protect your organization's most vulnerable data. The strategies outlined in this toolkit are easy to understand, and the guidance shows you how to optimize two key encryption technologies already available to you in Windows XP, Windows Vista, or Windows 7: the Encrypting File System (EFS) and BitLocker Drive Encryption.


Database Security Best Practices for the Vigilant Database Administrator and Developer
By Hugo Shebbeare, Microsoft MVP - SQL Server: Systems Administration
Find out which key considerations you should keep in mind when planning or optimizing the way you store, purchase, and acquire data that are critical to your organization.

TechNet Radio: Preserving Data Privacy and Confidentiality in the Cloud
Join John Baker and Javier Salido, Senior Program Manager with the Trustworthy Computing Group here at Microsoft, as they discuss some challenges and solutions organizations may face when trying to maintain the privacy and security of their confidential data, if they decide to migrate their infrastructure to the cloud.

Critical:
• MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)

Important:
• MS10-088: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)
• MS10-089: Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)


Security Bulletin Overview for November 2010

SECURITY BLOGS

•  Trustworthy Computing Security/Privacy Blogs RSS
•  Michael Howard RSS
•  Eric Lippert RSS
•  Eric Fitzgerald RSS
•  MSRC Blog RSS
•  ACE Team RSS
•  Windows Security RSS
•  Forefront Team RSS
•  Solution Accelerators - Security & Compliance RSS
•  Security Vulnerability Research & Defense RSS
•  Security Development Lifecycle (SDL) RSS

UPCOMING CHATS

•  View a listing of upcoming technical chats

ADDITIONAL SECURITY RESOURCES

•  Security Help and Support for IT Professionals
•  TechNet Troubleshooting and Support Page
•  Microsoft Security Glossary
•  TechNet Security Center
•  MSDN Security Developer Center
•  Sign-Up for the Microsoft Security Notification Service
•  Security Bulletin Search Page
•  Microsoft Security Center
•  Home Users: Protect Your PC
•  MCSE/MCSA: Security Certifications
•  Subscribe to TechNet
•  Register for TechNet Flash IT Newsletter

Find information about your particular products on the Microsoft Product Lifecycle Web site.

SQL Server 2008 Online Training: Database Security
Tuesday, October 12, 2010 8:45 AM Pacific Time - 2:00 PM Pacific Time
In this module, you will learn how to manage access to the database through user accounts, control access to data through privileges and roles, and manage access to the server using login accounts.

Course 10155: Managing Security in Microsoft SQL Server 2008
This two-hour course provides you with the skills and knowledge required to manage security in SQL Server 2008. In this course, you will explore the SQL Server 2008 security model. You will also learn how to create SQL logins and database users and use existing or new roles to facilitate security at a user level or role level.

SharePoint User Identity Fundamentals for PowerPivot Server Administrators
Get an introduction to PowerPivot for SharePoint architecture and learn how user identity is flowed throughout the SharePoint system.

Interactive Security Webcast Calendar
Upcoming security webcasts in a dynamic, interactive format.




This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2010 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


This newsletter was sent by the Microsoft Corporation
One Microsoft Way
Redmond, WA, 98052, USA




