Microsoft Security Newsletter - July 2013

Trustworthy Computing | July 2013 Microsoft Security Newsletter Welcome to July’s Security Newsletter! This month our newsletter focuses on the Bring Your Own Device (BYOD) trend in the workplace and the implications it has for IT professionals. For many organizations, allowing employees to bring in personal computing devices—such as smart phones, tablets and PCs—can improve productivity and reduce the costs associated with deploying and supporting company-issued assets. As a result, BYOD has become a popular trend that is gaining wide acceptance in locations around the world. Microsoft recently commissioned the Trust in Computing survey to help uncover current attitudes and perceptions related to security and privacy. The study found that 78% of organizations allow employees to bring their own computing devices to the office for work purposes. There were also some interesting regional variations that can been seen in the below chart. While the immediate benefits of BYOD might seem clear, they also come with IT security and management implications as IT departments can lose some of the control they traditionally exercised over managed resources. The security challenges of BYOD include enforcing policies like the use of strong passwords on multiple devices, ensuring that every device has up-to-date patches and robust anti-malware protection, the encryption of sensitive data, and mitigating other risks such as the loss of devices and the use of unsecured third-party data connections. Recognizing the benefits that BYOD can provide, Microsoft has designed its products and services with BYOD-friendly policies in mind. There are a few resources I suggest for diving deeper if you are interested in learning more about the topic and Microsoft’s approach: • Trust in Computing Survey, Part 1: Consumerization of IT Goes Mainstream • Managing Windows 8 Devices in a Bring Your Own Device World • How to Embrace BYOD: Guidance for Enterprises Finally, I’d like to thank those of you who sent us your ideas on how to improve this newsletter moving forward. We are always looking for additional feedback so email us at secnlfb@microsoft.com and share your ideas. Best regards, Tim Rains, Director Microsoft Trustworthy Computing Top Stories What’s New in Windows Server 2012 R2: Making Device Users Productive and Protecting Corporate Information The modern workforce isn’t just better connected and more mobile than ever before, it’s also more discerning (and demanding) about the hardware and software used on the job. Get a helpful overview of the architecture and critical components of People-centric IT (PCIT), learn how to embrace the consumerization of IT, and get insight into the technologies that will help you enable BYOD scenarios in your organization. Trust in Computing Survey, Part 2: Less Than Half of Developers Use a Security Development Process The threat landscape is continually evolving. Attackers are constantly seeking out new ways to compromise potential victims on a broad or targeted scale. They attempt to exploit unpatched vulnerabilities, use deceitful tactics to trick users into installing malicious software, attempt to guess weak passwords, and employ other dirty tricks. Despite this reality, a large number of organizations are still not developing applications with security in mind. Explore the reasons behind this concerning trend. Trustworthy Computing Blog App Now Available for Windows Phone 8 Learn about the improvements available in the new version of our Trustworthy Computing Blogs Windows Phone application, which include optimization for Windows Phone 8 users, live tile notifications, and improved graphics. Security Guidance Windows Server 2012 R2 Preview: What's New in Access and Information Protection In Windows Server 2012 R2 Preview, Active Directory has been enhanced to allow IT risk management while also enabling IT to empower their users to be productive from a variety of devices. Learn about these enhancements, then get step-by-step guidance with these walkthroughs: • Workplace Join with a Windows Device • Workplace Join with an iOS Device • Connect to Applications and Services from Anywhere with Web Application Proxy • Manage Risk with Multi-factor Access Control • Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications How to Manage Mobile Devices by Using Configuration Manager and Windows Intune Learn how to manage apps for Windows Phone 8, Windows RT, iOS, and Android devices by using the Windows Intune service and the System Center Configuration Manager console. Ensure the Compliance of Devices with Configuration Manager System Center 2012 Configuration Manager SP1 contains new capabilities you can use to manage roaming profiles, offline files, and folder redirection on computers that run Windows 8 in your organization. Learn how to create configuration data, and deploy and manage configuration baselines, in order to ensure that your devices all contain consistent configurations and settings, and even automatically remediate settings found to be noncompliant. When to Use AppLocker AppLocker is an application control feature in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7 that helps you control which applications and files users can run. Find out how AppLocker can help you to protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. Windows RT in the Enterprise: Security Technologies Windows RT is designed to leverage all of the security technologies present in Windows 8, several of which are new. Explore why Windows RT not only supports these technologies, but requires many of them for all Windows RT devices to help ensure that the devices are protected from the first time they are turned on. Messaging Policy and Compliance in Exchange Server 2013 Messaging stores and mailboxes have become repositories of valuable data. Explore the messaging policy and compliance features in Exchange Server 2013, then get step-by-step guidance to help you configure key features such as Data Loss Prevention (DLP) and messaging records management (MRM). Cloud Security Corner Cloud Security: Best Practices and Recommended Resources As cloud computing begins to mature, organizations are looking at ways to understand the opportunities and assess their own current IT environment with regard to security, privacy and reliability practices, policies and compliance. To help organizations make informed security decisions and evaluate IT readiness for moving assets to the cloud, check out the top two resources recommended by Microsoft Trustworthy Computing General Manager Adrienne Hall. This Month’s Security Bulletins Microsoft Security Bulletin Summary for June 2013 Critical • MS13-052: 2861561 Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution • MS13-053: 2850851 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution • MS13-054: 2848295 Vulnerability in GDI+ Could Allow Remote Code Execution • MS13-055: 2846071 Cumulative Security Update for Internet Explorer • MS13-056: 2845187 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution • MS13-057: 2847883 Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution Important • MS13-058: 2847927 Vulnerability in Windows Defender Could Allow Elevation of Privilege July 2013 Security Bulletin Resources: • Microsoft Security Response Center (MSRC) Blog Post • Security Bulletin Quick Overview (MP4) – 3000k | 600k | 400k • Security Bulletin Webcast (MP4) – 3000k | 600k | 400k • Security Bulletin Webcast Q&A Security Events and Training Virtual Lab: Enabling Secure Remote Users with RemoteApp, DirectAccess, and Dynamic Access Control Windows Server 2012 provides new, features to easily implement secure remote user features. In this lab, you will begin by leveraging both RemoteApp and VDI to allow users to work securely on remote applications from home computers. Next, you will grant those users access to corporate resources by enabling them to leverage DirectAccess. Finally, you will grant those users access to secure files via Dynamic Access Control by modifying properties of the user accounts. Microsoft Webcast: Information about the August 2013 Security Bulletin Release Wednesday, August 14, 2013 Join this webcast for a brief overview of the technical details of August’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts. Microsoft Webcast: Information about the September 2013 Security Bulletin Release Wednesday, September 11, 2013 Join this webcast for a brief overview of the technical details of September’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts. Essential Tools • Microsoft Security Bulletins • Microsoft Security Advisories • Security Compliance Manager • Microsoft Security Development Lifecycle Starter Kit • Enhanced Mitigation Experience Toolkit • Malicious Software Removal Tool • Microsoft Baseline Security Analyzer Security Centers • Security TechCenter • Security Developer Center • Microsoft Security Response Center • Microsoft Malware Protection Center • Microsoft Privacy • Microsoft Security Product Solution Centers Additional Resources • Trustworthy Computing Security and Privacy Blogs • Microsoft Security Intelligence Report • Microsoft Security Development Lifecycle • Malware Response Guide • Security Troubleshooting and Support Resources microsoft.com/about/twc Trustworthy Computing This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter. © 2013 Microsoft Corporation. All rights reserved. Microsoft, MSDN, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft respects your privacy. To learn more please read our online Privacy Statement. If you would prefer to no longer receive this newsletter, please click here. To set your contact preferences for other Microsoft communications click here. Microsoft Corporation One Microsoft Way Redmond, WA 98052 USA