Wednesday, January 26, 2011

Microsoft Security Newsletter – January 2011


NOTE FROM THE EDITOR

Welcome to the first Security Newsletter of 2011! The focus of this month's newsletter is secure anywhere access.

Late last year I was lucky enough to get a new Windows Phone 7—and I love it! Whether I'm at home, in the office, or traveling to visit customers, I can use Microsoft Office Mobile and Microsoft SharePoint Server to stay up-to-date with my team, my stakeholders and customers.

If you are an IT professional and your business users are asking for Windows Phone 7, we have a bunch of new guidance for you to use as you start investigating what it takes to integrate and support the phone in your organization. In particular, the Windows Phone 7 Guides for IT Professionals explore a variety of topics and include how-to guidance on integrating technologies that businesses already use while helping to support corporate security and management requirements.

If you are a developer or are concerned about how to implement secure mobile apps in your environment, we have new Windows Phone security guidance for you too. This MSDN Library article is a good primer that includes guidance on a range of topics, including safeguards for mobile apps and using the Microsoft Security Development Lifecycle (SDL). (Speaking of the SDL, check out our new video series showing you how to use each of the SDL tools to help develop more secure and privacy-enhanced applications.)

Securing mobile phones and mobile apps is just one aspect of providing your users with secure anywhere access to company data, applications, and services. Read on for guidance on more secure branch office scenarios, access control, identity management, and more.

Best regards,
Tim Rains, Group Product Manager, Microsoft Trustworthy Computing

Follow the Microsoft Security Response team on Twitter @MSFTSecResponse for the latest information on the threat landscape.



January 2011 Edition

IN THIS ISSUE

•  Top Stories
•  Security Guidance
•  Community/MVP Update
•  Cloud Security Corner
•  This Month's Security Bulletins
•  Microsoft Product Lifecycle Information
•  Security Events and Training
•  Upcoming Security Webcasts
SECURITY PROGRAM GUIDE

•  Microsoft SDL - Developer Starter Kit
•  Security Awareness Materials
•  Learn Security On the Job

How the Security Intelligence Report Affects Microsoft Corporate Network Protection Policies
Check out TechNet Edge's recent interview with Microsoft Chief Information Security Officer Bret Arsenault to learn how the Security Intelligence Report (SIR) affects policies and decisions he makes to protect the Microsoft corporate network.

Protecting and Consuming REST-based Resources with Windows Azure Access Control Service (ACS), Windows Identity Foundation (WIF), and OAuth 2.0
Windows Azure ACS recently added support for the OAuth 2.0 protocol. If you haven't heard of it, OAuth is an open protocol being developed by members of the identity community to let users grant third-party applications access to their data without handing over their passwords. See how this can be done with WIF and ACS in a sample end-to-end scenario available from Microsoft Connect.

Security Tip of the Month: Forefront Unified Access Gateway (UAG) Deployment Checklist
Get a quick list to help you plan your Forefront Unified Access Gateway (UAG) deployment. This article lists the tasks you should do to install and deploy Forefront UAG successfully—and provides links to where you can find step-by-step instructions and planning considerations for each task.

Understanding Security for Outlook Anywhere
There are several methods available to help secure Outlook Anywhere (formerly known as RPC over HTTP). This article provides a quick overview of advanced firewall server, Secure Sockets Layer (SSL), and authentication solutions, and includes links to step-by-step guidance for each option.

Active Directory Federation Services (AD FS) 2.0 Step-by-Step and How To Guides
Walk through the process of setting up a small test lab environment that you can use to evaluate the next generation of Microsoft federated identity technologies including AD FS 2.0. Don't have AD FS 2.0? Download it here.

Single Sign-On (SSO) from Active Directory to a Windows Azure Application
Find step-by-step instructions for using Windows Identity Foundation, Windows Azure, and Active Directory Federation Services (AD FS) 2.0 for achieving SSO across web applications that are deployed both on premises and in the cloud.

Microsoft Forefront Identity Manager (FIM) 2010 Capacity Planning Guide
Explore the ways in which topology, hardware, policy configuration, scale, and load can affect the overall capacity and performance of your FIM 2010 deployment.

Cross-Forest Management Deployment Guide for FIM 2010
Find instructions for planning and implementing a cross-forest management solution in an enterprise environment using FIM 2010.

Windows Server 2008 R2 Remote Desktop Services Resource Kit
In-depth and comprehensive, this official Microsoft Resource Kit delivers the information you need to plan, deploy, and administer Remote Desktop Services in Windows Server 2008 R2. You get authoritative technical guidance from those who know the technology best—leading industry experts and members of the Microsoft Desktop Virtualization Team. Looking for online guidance? Visit the TechNet Library.

Getting Started with Microsoft Security Compliance Manager (SCM)

Security MVP of the Month: Dana Epp
Dana Epp, Scorpion Software Corp's founder and CEO, researches software security and sets the vision in the convergence of information security principles and practices with digital information asset protection for small business. As a computer security software architect, Mr. Epp has spent the last 15 years focusing on computer programming with a particular emphasis on security engineering to offer a safer computing environment for business. His latest research has been on risk-based authentication, focusing on strong two-factor authentication for small business.

The Napkin Sketch: An Overview of Secure Anywhere Access with Remote Desktop Services
By Dana Epp, Microsoft MVP - Enterprise and Developer Security
Explore the evolution of Terminal Services, now called Remote Desktop Services, and learn how to use this framework to help provide secure anywhere access to applications, remote desktops, and virtual desktop environments.

Applying Microsoft SDL Implementation Practices within Windows Azure
Explore how the Implementation phase of the Microsoft SDL applies to building Windows Azure applications. In this video, we define both the similarities and the key differences between implementing on-premises solutions and Windows Azure-based applications. We then dive into specific tools that are useful for securing the implementation of applications on Windows Azure, including Checkmarx, Coverity and Veracode. The conversation then moves to properly implementing defenses against common web threats (SQL injection, XSS, authentication weaknesses, etc.) in Windows Azure web applications.

Applying Microsoft SDL Release Practices within Windows Azure
Learn how to apply the Microsoft SDL Release phase practices to applications built on top of Windows Azure. Find out how the Microsoft SDL can apply to any cloud-based deployment with steps similar to those used for a typical on-premises application (file an Incident Response Plan, perform a Final Security Review, and create a Release Archive). Because Windows Azure makes it so simple to deploy applications, this video emphasizes the importance of reviewing the deployment and securing deployment-related artifacts such as management accounts, access to the Service Management API, and the SSL certificates used by applications.

Critical:
• MS11-002: Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)

Important:
• MS11-001: Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935)


Security Bulletin Overview for January 2011
COMMUNITY WEBSITES

•  IT Pro Security Community
SECURITY BLOGS

•  Trustworthy Computing Security/Privacy Blogs RSS
•  Michael Howard RSS
•  Eric Lippert RSS
•  Eric Fitzgerald RSS
•  MSRC Blog RSS
•  ACE Team RSS
•  Windows Security RSS
•  Forefront Team RSS
•  Solution Accelerators - Security & Compliance RSS
•  Security Vulnerability Research & Defense RSS
•  Security Development Lifecycle (SDL) RSS
UPCOMING CHATS

•  View a listing of upcoming technical chats
COMMUNITY SITES

•  IT Pro Security Community
ADDITIONAL SECURITY RESOURCES

•  Security Help and Support for IT Professionals
•  TechNet Troubleshooting and Support Page
•  Microsoft Security Glossary
•  TechNet Security Center
•  MSDN Security Developer Center
•  Sign-Up for the Microsoft Security Notification Service
•  Security Bulletin Search Page
•  Microsoft Security Center
•  Home Users: Protect Your PC
•  MCSE/MCSA: Security Certifications
•  Subscribe to TechNet
•  Register for TechNet Flash IT Newsletter

Find information about your particular products on the Microsoft Product Lifecycle Web site.

Microsoft SDL Release Phase: Security Practices
Get familiar with the three security practices of the Microsoft SDL Release phase. Learn how to plan for post-release contingencies by creating a well thought-out incident response plan, then explore the importance of the application of a Final Security Review, its outcomes and mitigation of any outstanding issues. You'll also find out how to archive all pertinent information and data to allow for post-release servicing of the software.

Ramp Up: Implementing Forefront Threat Management Gateway 2010
Gain the knowledge and skills to envision, design, and deploy web access, remote access, and mail protection solutions using Microsoft Forefront Threat Management Gateway 2010 (TMG). This online course will teach you to identify requirements and make the appropriate design decisions related to the deployment process, and will provide you with hands-on experience with the products involved.


TechNet Webcast: Windows 7 Enhanced Security and Control (Level 300)
Learn how Windows 7 can help provide the foundation for a secure and reliable desktop platform and for secure anywhere access. Topics discussed in this webcast include User Account Control improvements, enhanced auditing, Network Access Protection (NAP), firewall improvements, AppLocker, BitLocker and BitLocker To Go enhancements, Direct Access, Windows Internet Explorer 8 security improvements, and Encrypting File System (EFS) enhancements.

TechNet Webcast: Connect Remotely Using Direct Access (Level 300)
Dive deep into the Direct Access feature in the Windows 7 operating system, which provides secure anywhere access to the network. We explore how Direct Access makes it easier for IT professionals to manage the network infrastructure and how it helps reduce IT costs. We also discuss how Direct Access works and how to set up and configure Direct Access in the network infrastructure. The session includes demonstrations of how to set up and configure Direct Access on Windows 7-based clients and the Windows Server 2008 R2 operating system.

TechNet Webcast: Enabling Secure Messaging - Forefront Online Protection for Exchange Deployment Best Practices (Level 200)
Learn about the best practices for enabling Secure Messaging by deploying Microsoft Forefront Online Protection for Exchange (FOPE), how to use virtual domains and the directory sync tool, and how to engage with technical support to troubleshoot FOPE. We also describe the latest features for the 10.2 release of FOPE and explain how protection and identity can come together to give you easy integration with an existing infrastructure while maintaining a high level of protection.

Interactive Security Webcast Calendar
Upcoming security webcasts in a dynamic, interactive format.




This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2010 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at http://www.microsoft.com/info/unsubscribe.htm. You can manage all your Microsoft.com communication preferences at this site.

Legal Information.

This newsletter was sent by the Microsoft Corporation
One Microsoft Way
Redmond, WA, 98052, USA





Sign up for this newsletter | Unsubscribe | Update your profile
© 2011 Microsoft Corporation Terms of Use | Trademarks | Privacy Statement