Monday, April 28, 2014

Microsoft Security Newsletter - April 2014



 
 
Trustworthy Computing | April 2014
Microsoft Security Newsletter
 
 
Welcome to April’s Security Newsletter!
Our newsletter this month focuses on guidance and tips for organizations that decide to embrace personal devices in the workplace, commonly referred to as Bring Your Own Device, or BYOD, scenarios. As recent research has illustrated, 78% of organizations are allowing employees to bring their own device to the office for work purposes. While the benefits such as cost savings and the adoption of newer technology are clear, BYOD scenarios can also raise important security and compliance considerations. Organizations that embrace a BYOD approach are faced with decisions such as which devices will be allowed, what kind of support will be provided, and what kind of security measures will be needed.

At Microsoft, a company with over 100,000 employees immersed in technology, embracing BYOD while continuing to meet enterprise security requirements, is a challenge. What we have learned over the years though is that having a principled approach that leverages effective standards and practices is essential to managing risk. For example, providing conditions for accessing corporate resources based on the trustworthiness of the device and identity used, can help determine the level of access provided.

In this fast moving technology market, BYOD scenarios are quickly becoming a reality for many organizations. In fact, 67% of employees in small and medium businesses indicate that they use their personal devices in the workplace regardless of whether or not their company has practices in place. If your organization has not already embraced BYOD, are you prepared?

Tim Rains Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing

Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.
 
Top Stories
 
The Evolving Pursuit of Privacy
As technology and our reliance on data to enable rich services continue to evolve, we must also evolve how we think about data and the ways in which societies can protect the privacy of individuals, while also allowing for responsible, beneficial data use. Explore what Scott Charney, Corporate Vice President of Trustworthy Computing, had to say on this topic and see "We’re listening: Additional steps to protect your privacy" for information on some of the steps Microsoft takes to protect the privacy of its customers.

TechNet Radio: The Risk of Running Windows XP After Support Ends
In addition to his blog post entitled, "Cyber threats to Windows XP and guidance for Small Businesses and Individual Consumers," Tim Rains joined the hosts of TechNet Radio's IT Time series to discuss the many security risks that end users open themselves and their organizations to by continuing to run Windows XP. Guidance and resources for those looking to migrate their business PCs to a modern operating system, like Windows 8.1 can be found on the Windows XP End of Support page and on TechNet.

Microsoft Services Unaffected by OpenSSL "Heartbleed" Vulnerability
On April 8, 2014, security researchers announced a flaw in the OpenSSL encryption software library used by many websites to protect customers’ data. The vulnerability, known as “Heartbleed,” could potentially allow a cyberattacker to access a website’s customer data along with traffic encryption keys. After a thorough investigation, we determined that Microsoft Services are not impacted by the OpenSSL “Heartbleed” vulnerability. In addition, Windows’ implementation of SSL/TLS was not impacted.

 
Security Guidance
 
Security Tip of the Month: Reduce Risk and Identify Vulnerabilities with the Microsoft Threat Modeling Tool 2014
Threat modeling is a systematic way to find design-level security and privacy weaknesses in the systems, software, and services you build and operate—for BYOD scenarios or more traditional device management scenarios. The Microsoft Threat Modeling Tool 2014 is the newest version of the free Microsoft Security Development Lifecycle (SDL) Threat Modeling Tool released back in 2011. New and improved features include:

New drawing surface
 
STRIDE analysis per interaction
 
Migration for v3 threat models
 
Updated threat definitions

Ready to get started? Explore each of these improvements in more detail with the Microsoft SDL Blog, watch a short demo, and then download Microsoft Threat Modeling Tool 2014.

Bring Your Own Device (BYOD) Design Considerations Guide
Take a deep dive into the critical design considerations that need to be addressed in order to design a BYOD infrastructure that enables employees to use their own devices while protecting your company’s data. This guide covers user and device considerations, data access and protection, management scenarios, and app considerations.

Working with Web Application Proxy
Learn how to install and configure Web Application Proxy, a new remote access role service in Windows Server 2012 R2 that provides reverse proxy functionality for web applications inside your corporate network to allow users on any device to access them from outside the corporate network.

Work Folders Overview
Find out how to enable users to store and access work files on personal computers and devices in addition to corporate PCs while maintaining control over corporate data.

Manage Risk with Multi-Factor Access Control
Learn how to manage risk by using Active Directory Federation Services and multiple factors for access control, including user, device, location, and authentication data.

Join to Workplace for SSO and Seamless Second Factor Authentication Across Company Applications
Find out how to utilize seamless second factor authentication and single-sign-on to provide personal devices users with secure access to workplace resources and applications.

Managing Windows 8 Devices in a Bring Your Own Device World
Quickly see how you can manage end-user owned devices running Windows 8 with this handy checklist.

Windows RT 8.1 in the Enterprise
Find out how you can utilize and manage Windows RT 8.1 devices, whether employee-owned or company-owned, in an enterprise environment.

Windows Phone 8.1 Mobile Device Management Overview
Download a guide to help you explore the built-in mobile device management client in Windows Phone 8.1 that lets you manage handsets with the mobile device management system of your choice. Looking to test the enterprise-grade capabilities delivered by Windows Phone 8.1—including S/MIME support and enhanced virtual private network (VPN) features—in your own environment? Get the Windows Phone 8.1 Enterprise Preview.

Consumerization of IT at Microsoft: Adapting to Change
Learn how, to effectively manage both users’ expectations and the mandates of information security, Microsoft IT developed a programmatic approach to technology adoption—one that would foster innovation without increasing risks by introducing uncontrolled technologies. For more insight, see Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune.

 
Community Update
New Security Baselines for Microsoft Security Compliance Manager
Two new security baselines for Microsoft Security Compliance Manager (SCM), Microsoft’s popular free security and compliance tool, are now available. The first is a final, release-to manufacturing (RTM) baseline for SQL Server 2012. The second is a beta version of the baseline for Office 2013.

As with all security baselines included in Microsoft SCM, these new baselines have been created and reviewed by Microsoft security experts as well as vetted by a select group of security conscious customers as well as the Center for Internet Security (CIS). The Microsoft SCM team works closely with the CIS to ensure that both Microsoft and CIS offer clear, consistent guidance to customers on how to utilize these baselines to better secure their infrastructures.

If you are already using the latest version of Microsoft SCM, you can download the SQL Server 2012 baselines by clicking the "download Microsoft baselines automatically" link on the front page of the SCM user interface. You can also download the baseline directly:

SQL Server 2012 Baseline
 
SQL Server 2012 Baseline Attachments

To get the Office 2013 Beta baseline you will need to join the Microsoft Connect program, which requires a Microsoft Account. To sign up, please visit https://connect.microsoft.com/WindowsServer/InvitationUse.aspx?ProgramID=8455&InvitationID=8455-764K-9HVG.

The Microsoft SCM team will also be releasing security baselines for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11 in the near future. In the interim, you can access a preview of the new settings and recommendations from Microsoft by downloading the .zip package referenced at the end of the “Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11” blog post.

 
This Month's Security Bulletins
 
April 2014 Security Bulletins

Critical
 
MS14-017: 2949660 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution
 
MS14-018: 2950467 Cumulative Security Update for Internet Explorer

Important
 
MS14-019: 2922229 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution
 
MS14-020: 2950145 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution
 
April 2014 Security Bulletin Resources:
 
Microsoft Security Response Center (MSRC) Blog Post
 
Security Bulletin Webcast
 
Security Bulletin Webcast Q&A
 
Security Events and Training
 
Microsoft Virtual Academy: What’s New in Windows 8.1 Security
Learn from the Windows Engineering team about the advances in security for Windows 8.1 with regard to access control, malware protection, and information protection. The course will dive into authentication and multifactor access control as well as tamper resistance hardware through UEFI, TPM, pervasive encryption, and protecting corporate data in a BYOD world.

Microsoft Virtual Academy: Windows Server 2012 R2 Access and Information Protection
Learn how Windows Server 2012 R2 can help you provision, manage and secure user-owned devices while creating a seamless experience for the user.

Microsoft Webcast: Information about the June 2014 Security Bulletin Release
Wednesday, June 11, 2014 – 11:00AM Pacific Time
Join this webcast for a brief overview of the technical details of June 2014’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.

FastTrack Office 365 Deployments with Centrify Single Sign-on
Wednesday, April 30, 2014 – 11:00AM Pacific Time
Explore Centrify for Office 365, a Microsoft-tested and Azure-powered solution for Active Director-based single sign-on, user provisioning and mobile management for Office 365.

Microsoft Webcast: Information about the May 2014 Security Bulletin Release
Wednesday, May 14, 2014 – 11:00AM Pacific Time
Join this webcast for a brief overview of the technical details of May 2014’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.

Microsoft Webcast: Information about the June 2014 Security Bulletin Release
Wednesday, June 11, 2014 – 11:00AM Pacific Time
Join this webcast for a brief overview of the technical details of June 2014’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.

 
 
Essential Tools
 
Microsoft Security Bulletins
 
Microsoft Security Advisories
 
Security Compliance Manager
 
Microsoft Security Development Lifecycle Starter Kit
 
Enhanced Mitigation Experience Toolkit
 
Malicious Software Removal Tool
 
Microsoft Baseline Security Analyzer
Security Centers
 
Security TechCenter
 
Security Developer Center
 
Microsoft Security Response Center
 
Microsoft Malware Protection Center
 
Microsoft Privacy
 
Microsoft Security Product Solution Centers
Additional Resources
 
Trustworthy Computing Security and Privacy Blogs
 
Microsoft Security Intelligence Report
 
Microsoft Security Development Lifecycle
 
Malware Response Guide
 
Security Troubleshooting and Support Resources
 
Trustworthy Computing Careers
 
 
microsoft.com/about/twc Trustworthy Computing
 
 
This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2014 Microsoft Corporation Terms of Use | Trademarks

Microsoft respects your privacy. To learn more please read our online Privacy Statement.

If you would prefer to no longer receive this newsletter, please click here.

To set your contact preferences for other Microsoft communications click here.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052 USA
 
 

Your cOmment"s Here! Hover Your cUrsOr to leave a cOmment.


Subscribe to: Post Comments (Atom)