| | | | Trustworthy Computing | June 2014 |  | | Microsoft Security Newsletter | | | | | | | | | | Welcome to June’s Security Newsletter! | Last month, we covered the top threats facing enterprise organizations and how to help protect against them. This month’s newsletter focuses on security guidance for data protection and, specifically, public key infrastructure (PKI), which many organizations have in place to support data protection and authentication.
If attackers successfully gain access to your organization’s PKI, this can expose your organization to serious risk. To help you design PKIs and protect this infrastructure from emerging threats, Microsoft IT, Microsoft’s IT department, has released a detailed technical reference document entitled “Securing Public Key Infrastructure.” Included in the document you will find guidance on:
| • | Common vectors for PKI compromise | | • | Planning cryptographic algorithms and certificate usages | | • | Designing physical security | | • | Implementing technical controls to secure PKI | | • | Protecting PKI artifacts and assets | | • | Monitoring PKI for malicious activity | | • | Recovering from a compromise |
If you are an IT professional and have a PKI running in your environment, I encourage you to download and read the paper—and consult the resources listed below for additional guidance. I hope you find these resources helpful.
 | | Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing |
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas. | | |  | | Top Stories |  |  | | | | Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation
Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of the software or the data that it processes. Learn why the parties that initially disclose vulnerabilities are not always the same parties that go on to develop and use exploits that take advantage of them—and what you can do to mitigate the risk rom exploits.
When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities
Every wonder how many days of risk exist between the time that a vulnerability is disclosed and when we first see active exploitation of it; i.e. how long do organizations have to deploy the update before active attacks are going to happen? Explore the Trustworthy Computing Security Science team’s new data from the recently released Microsoft Security Intelligence Report volume 16.
Keeping Oracle Java Updated Continues to be High Security ROI
One of the most popular tactics attackers use to try to exploit vulnerabilities in Java is using exploit kits. Learn why keeping Java up-to-date with security updates is one of the most effective ways to protect environments from attackers.
| | | | | Security Guidance | | | | Security Tip of the Month: Enterprise PKI with Windows Server 2012 R2 Active Directory Certificate Services
PKI is heavily employed in cloud computing for encrypting data and securing transactions. While Windows Server 2012 R2 is developed as a building block for cloud solutions, there is an increasing demand for IT professionals to acquire proficiency on implementing PKI with Windows Server 2012 R2. This two-part blog post series (click here for Part 2) will help you implement a simple PKI for assessing or piloting solutions, and better understand and become familiar with the process.
Best Practices for Securing Active Directory
Download recommendations to enhance the security of Active Directory installations. Learn about common attacks against Active Directory, the countermeasures you can take to reduce the attack surface, and get recommendations for recovery.
Trusted Platform Module (TPM) Fundamentals
Explore the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and learn how they are used to mitigate dictionary attacks. Looking for more TPM guidance? Check out these resources:
TPM Platform Crypto-Provider Toolkit
Download sample code, utilities and documentation for using TPM-related functionality in Windows 8. Subsystems described include the TPM-backed Crypto-Next-Gen (CNG) platform crypto-provider, and how attestation-service providers can use the new Windows features. Both TPM1.2 and TPM2.0-based systems are supported.
PKI Certificate Requirements for Configuration Manager
Find a list of the PKI certificates you might require for System Center 2012 Configuration Manager. This information assumes basic knowledge of PKI certificates. For step-by-step guidance and for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority.
| | | | | Community Update | | | | Public Key Infrastructure Design Guidance
Before you configure a PKI and certification authority (CA) hierarchy, you should be aware of your organizations security policy and certificate practice statement (CPS). Explore your design options and find links to examples of policy statements if your organization does not currently have one.
Active Directory Certificate Services (AD CS) PKI Design Guide
While Windows Server 2012 products provides a variety of secure applications and business scenarios based on the use of digital certificates, you need to design a public key infrastructure (PKI) before you can use those certificates. Check out this step-by-step wiki guide for guidance on everything from identifying your AD CS deployment goals to creating a certificate management plan.
| | | | | This Month's Security Bulletins | | | | | | June 2014 Security Bulletins
| | | June 2014 Security Bulletin Resources:
| | | | | Security Events and Training | | | | | | Defense in Depth: Windows 8.1 Security
See how Windows 8.1 addresses security as a whole system, one layer at a time with this seven-module course from Microsoft Virtual Academy. Explore methods of developing a secure baseline and learn how to harden your Windows enterprise architectures from pass-the-hash and other advanced attacks.
Office 365 Education Technical Overview
Wednesday, July 16, 2014 – 1:00PM Central Time
Better understand the technical tools and resources of Office 365 Education, and learn how to support the unique needs of your school without sacrificing identity management and other security and compliance measures. This session will also be conducted every Wednesday at this time in August.
Office 365 Education Deployment Overview
Thursday, July 24, 2014 – 1:00PM Central Time
Compare your Microsoft Office 365 for education deployment options and learn about the terminology and tools available to streamline your deployment. Topics will include networking, identity management, hybrid deployments, and synchronization. This session will also be conducted every Wednesday at this time in August.
| | | | | | | | | | | | | | | | | microsoft.com/about/twc | Trustworthy Computing | | | | | | | | This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
© 2014 Microsoft Corporation Terms of Use | Trademarks
Microsoft respects your privacy. To learn more please read our online Privacy Statement.
If you would prefer to no longer receive this newsletter, please click here.
To set your contact preferences for other Microsoft communications click here.
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052 USA | | | | | | | | |
