Microsoft Security Newsletter – April 2011

	NOTE FROM THE EDITOR Welcome to April's Security Newsletter. The theme of this month's newsletter is security for small and midsized business. One of the things these businesses need to be concerned with is the security of the applications they use. The long term trend that we have observed is that most (~85%) security vulnerability disclosures across the software industry are in applications versus operating systems or web browsers (~15% combined). Since many small and medium-sized businesses take advantage of applications written primarily for consumers, these businesses should demand that the security of those applications be as good as applications written for enterprises. April 2011 Edition IN THIS ISSUE • Top Stories • Security Guidance • Community/MVP Update • Cloud Security Corner • This Month's Security Bulletins • Microsoft Product Lifecycle Information • Security Events and Training • Upcoming Security Webcasts COMMUNITY WEBSITES • IT Pro Security Community

In a new report we just released called The SDL Progress Report, we tested the 41 most popular consumer applications running on Windows to see if they were taking advantage of the security mitigations built into the platform. The news is mixed: while 71% of the applications surveyed fully enabled support for Data Execution Prevention (DEP), only 34% of the applications fully enabled support for Address space layout randomization (ASLR). These are important exploit mitigations that can be valuable tools in helping to mitigate risks posed by both known and unknown vulnerabilities. Please check out the report and draw your own conclusions. Another useful new piece of content is the second edition of the Microsoft Security Update Guide. The big delta between the second edition of the Security Update Guide and the first edition is the inclusion of a bunch of guidance on how to test security updates before deploying them. This includes guidance from Microsoft internal practices as well as guidance from customers that have solid test processes. This is something many people have asked us for over the years. Best regards, Tim Rains, Director, Product Management, Microsoft Trustworthy Computing Follow the Microsoft Security Response team on Twitter @MSFTSecResponse for the latest information on the threat landscape. Windows Intune Now Available - Get Started With A 30-Day Trial Windows Intune helps simplify how businesses manage and secure PCs using Windows cloud services and the Windows 7 operating system. Download a free 30-day trial to see how Windows Intune can better enable your computers and users to operate at peak performance from virtually anywhere. The visit the Windows Intune Resource Zone on TechNet for technical guidance to help you get the most out of your trial. Sign Up for Solution Accelerator Notifications Looking for tools and guidance that help build your organization's security and compliance infrastructure? Microsoft Solution Accelerators provide tested guidance and automated tools to help you plan, securely deploy, and manage new Microsoft technologies—easier, faster, and at less cost. To stay up-to-date, subscribe to the Solution Accelerators Newsletter. Inside Security Compliance Manager with Chase Carpenter When we hear about a disaster like the earthquake in Japan, many of us try to think of ways we can help. Read this Security Tips & Talk blog post for valuable tips you can pass on to your end users to help them avoid online donation scams. Security Tip of the Month: 5 Security Tips for Windows Intune Learn how to use Attack Surface Analyzer, a free tool from Microsoft, to better understand the aggregate attack surface change that may result from the introduction of line-of-business (LOB) applications to the Windows platform. Microsoft Security Update Guide, Second Edition The Microsoft Security Update Guide Second Edition is a valuable source of in-depth information and guidance that helps IT professionals deploy Microsoft security updates and create a safer, more secure computing and Internet environment. Windows Security Survival Guide Many companies invest a good amount of money trying to protect their resources by adding more software to provide additional layers of protection, and by enhancing policies and procedures to enforce security. Get a better understanding of the core principles of Windows Security and how to take advantage of Windows operating system security capabilities to achieve your company's security goals. Security and Compliance in the Cloud, Part 1 Join Jim Reavis of the Cloud Security Alliance, Pete Boden of Microsoft and Allan A. Friedman of the Brookings Institution to see what you need to consider as you move to data and applications to the cloud. Watch Part 2 of the discussion for additional insights and tips for organizations of all sizes. Windows Azure: Understanding Security Account Management in Windows Azure Cloud computing relieves some of the security burden, but you still have an active role in managing access, securing communications and ensuring data protection. Learn what you need to know about account management, certificate management, and employee transitions. SQL Server: Protect Data at All Costs Maintaining high availability to corporate data stores managed with SQL Server is an essential element of any data management strategy. Get tips on how to work through the requirements and limitations, align your strategy to those requirements, and test the effectiveness of your approach. Security MVP Spotlight: Denis Batrankov Enterprise Security MVP Denis Batrankov has worked in the security industry for 18 years, starting as a programmer and security administrator and eventually landing in his current role as Solution Architect for HP TippingPoint. Denis specializes in practical ways to protect corporate IT systems against emerging IT threats and enjoys delivering information about the various tools available to today's IT professional from firewalls and intrusion prevention systems to security scanners, deep packet inspections, and Web filtering. From Denis Batrankov: Why Now is the Time to Review Corporate Email Security Many IT professional assume that internal employees use corporate email to do their jobs. But is this a reality? This article explores considerations that can help you keep corporate email effective and help maintain safe email habits for your employees and your customers or partners. Security MVP Spotlight: Miha Pihler Miha Pihler (MCSE, MCT, CISSP) currently works as independent Security Consultant. Pihler has many years of experience in security field and holds many of the most prestigious qualifications. He is a respected and recognized speaker with a wealth of experience. He has worked on the deployment of firewalls for some of the largest organizations in Slovenia, set up of public key infrastructure (PKI) and designed secure authentication systems. From Miha Pihler: Simple Firewall Best Practices for Small and Midsize Businesses All servers require regular maintenance, and their firewalls are no exception. Firewalls involve daily maintenance tasks such as reviewing logs, checking for any alerts, and changing policies—and less frequent tasks such as reviewing policies. Explore several important considerations as well as suggested best practices for effectively maintaining firewalls. How to Collaborate Securely with Business Partners through SharePoint Online Explore the process of using SharePoint Online as a secure collaboration tool for use with not only business partners, but also different business units within your own organization. Critical: •MS11-018: Cumulative Security Update for Internet Explorer (2497640) •MS11-019: Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455) •MS11-020: Vulnerability in SMB Server Could Allow Remote Code Execution (2508429) •MS11-027: Cumulative Security Update of ActiveX Kill Bits (2508272) •MS11-028: Vulnerability in .NET Framework Could Allow Remote Code Execution (2484015) •MS11-029: Vulnerability in GDI+ Could Allow Remote Code Execution (2489979) •MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) •MS11-031: Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (2514666) •MS11-032: Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2507618) Important: •MS11-021: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2489279) •MS11-022: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2489283) •MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293) •MS11-024: Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution (2527308) •MS11-025: Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212) •MS11-026: Vulnerability in MHTML Could Allow Information Disclosure (2503658) •MS11-033: Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (2485663) •MS11-034: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2506223) Security Bulletin Overview for April 2011 Microsoft Security Response Center (MSRC) Blog Post Monthly Security Bulletin Webcast Q&A Windows Media Video (WMV) iPod Video (MP4) SECURITY PROGRAM GUIDE • Microsoft SDL - Developer Starter Kit • Security Awareness Materials • Learn Security On the Job SECURITY BLOGS • Trustworthy Computing Security/Privacy Blogs • Michael Howard • Eric Lippert • Eric Fitzgerald • MSRC Blog • ACE Team • Windows Security • Forefront Team • Solution Accelerators - Security & Compliance • Security Vulnerability Research & Defense • Security Development Lifecycle (SDL) UPCOMING CHATS • View a listing of upcoming technical chats ADDITIONAL SECURITY RESOURCES • Security Help and Support for IT Professionals • TechNet Troubleshooting and Support Page • Microsoft Security Glossary • TechNet Security Center • MSDN Security Developer Center • Sign-Up for the Microsoft Security Notification Service • Security Bulletin Search Page • Microsoft Security Center • Home Users: Protect Your PC • MCSE/MCSA: Security Certifications • Subscribe to TechNet • Register for TechNet Flash IT Newsletter

Reminder: Windows Vista Service Pack 1 End of Support Windows Vista Service Pack 1 will reach the end of support on July 12, 2011. From that date onward, Microsoft will no longer provide support or free security updates for Windows Vista SP1. In order to stay secure and continue support, you must upgrade to Service Pack 2 (SP2). Find information about your particular products on the Microsoft Product Lifecycle Web site. See a List of Supported Service Packs: Microsoft provides free software updates for security and non-security issues for all supported service packs. Tech•Ed North America 2011: Security, Identity, Access & More May 16-19, 2011 - Atlanta, GA Join us in Atlanta for Tech•Ed 2011 and take advantage of over 1,000 learning opportunities. Check out the Security, Identity and Access track, which provides guidance and technical detail on Microsoft Forefront products, identity-based access technologies, Windows security technologies, and more. Visit our content catalog to see which sessions and pre-conference seminars interest you. Register now. Windows Azure Security Essentials: Secure Networking using Windows Azure Connect Dive deep into Windows Azure Connect, a new mechanism for establishing, managing and securing IP-level connectivity between on-premises and Windows Azure resources. In this MSDN Channel 9 webcast, you'll learn about potential usage scenarios, the different components of Windows Azure Connect, how to join your cloud-based virtual machines to Active Directory, and more. For IT Professionals Talk TechNet with Keith Combs and Matt Hester: Guy Yardeni on Group Policy (Level 100) Friday, April 29, 2011 9:00 AM Pacific Time IT Manager Chats with Kevin Remde: What Every IT Manager Should Know About Internet Explorer 9 Monday, May 02, 2011 10:00 AM Pacific Time TechNet Webcast: Information About Microsoft May Security Bulletins (Level 200) Wednesday, May 11, 2011 11:00 AM Pacific Time Now on Demand Business Insights Webcast: The Cloud's Silver Lining: Identity Management (Level 100) Identity management with Microsoft Forefront Identity Manager (FIM), Active Directory Federation Services (AD FS), and Microsoft Forefront Unified Access Gateway (Forefront UAG) is a key component to realizing the value of the cloud (Microsoft Office 365, Business Productivity Online Standard Suite (BPOS), and using software as a service (SaaS) vendors. If you are planning to migrate applications to the cloud, learn how to first address provisioning and Single Sign-On (SSO) to enable a seamless transition. Interactive Security Webcast Calendar Upcoming security webcasts in a dynamic, interactive format.

This is a monthly newsletter for IT professionals and developers—bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter. © 2011 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at http://www.microsoft.com/info/unsubscribe.htm. You can manage all your Microsoft.com communication preferences at this site. Legal Information. This newsletter was sent by the Microsoft Corporation Microsoft Corporation One Microsoft Way Redmond, WA, 98052, USA

Sign up for this newsletter | Unsubscribe | Update your profile 2011 Microsoft Corporation Terms of Use | Trademarks | Privacy Statement