Microsoft Security Newsletter - July 2015

July 2015 Microsoft Security Newsletter     Welcome to July's Security Newsletter! The focus of this month's newsletter is a topic that is top of mind for many of the CISOs and IT professionals I talk to these days—cloud security. With more and more organizations around the world leveraging cloud services, understanding how to protect your assets in the cloud and provide users with secure access to those assets is more important than ever. As a result, we have a great security tip from Tom Shinder on penetration testing applications hosted in Azure. Additionally, Windows 10 is now publicly available! Explore the business benefits of Windows 10, learn about the built-in security features, and take advantage of the free Windows 10 Home and Windows 10 Pro upgrade offer for those on Windows 7 or Windows 8.1. Then, when you're ready to start testing Windows 10 for your organization, download the Windows 10 Enterprise Evaluation to try Windows 10 Enterprise free for 90 days. Best regards, Tim Rains, Chief Security Advisor Cybersecurity & Cloud Strategy, Microsoft Want to share this newsletter with a friend or colleague? Click here for the online edition and subscription options. Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.   Top Stories   Cloud security controls series: multi-factor authentication In a world where hundreds of millions of leaked credentials are bought and sold regularly, and phishing attacks are common and effective, passwords, even complex passwords and passphrases, by themselves are no longer sufficient to protect resources and data. Find out how to use multi-factor authentication to help protect users, data, and applications in the cloud. Cloud security controls series: Azure Active Directory's access and usage reports Explore the types of information and security controls facilitated by Azure Active Directory (Azure AD) access and usage reports. Cloud security controls series: Azure AD Privileged Identity Management Using the principle of least privilege with Cloud resources makes as much sense as it does for on-premises resources. Learn how Azure AD Privileged Identity Management can help you discover the Azure AD privileged administrator roles and the user accounts they are assigned to, as well as enable you to revoke permanent privileged access and provide a mechanism that manages on-demand, time-limited access for Azure AD privileged accounts.   Security Guidance Security Tip of the Month: Pen Testing Your Applications Hosted In Microsoft Azure By Tom Shinder, Program Manager, Microsoft Azure Security Engineering One of the great things about using Microsoft Azure for application testing and deployment is that you don't need to put together an on-premises infrastructure to develop, test, and deploy your applications. All the infrastructure is taken care of by the Microsoft Azure platform services. You don't have to worry about requisitioning, acquiring, and "racking and stacking" your own on-premises hardware. Just dev and deploy! As a reader of this newsletter, you're likely a security-conscious person. While the dev and deploy mantra sounds great and makes you as agile as agile can be, that fact is that security needs to be job one, not only on-premises, but perhaps even more so in the cloud. That's fine, because you can handle it. You might already know that Microsoft performs regular internal penetration testing of our own Azure environment. This is a good thing, as it helps us improve our platform and guides our actions in terms of changing current security controls, introducing new security controls, and improving our security processes. We live by the principle of continuous business improvement, and with Azure platform security, it's our passion. If penetration testing is good for us, then it's good for you. No, we won't pen test your application for you, but we do understand that you will want to do perform pen testing on your own applications. That's a good thing, because when you enhance the security of your applications, you help make the entire Azure ecosystem more secure. The trick here is that when you pen test your applications, it might look like an attack to us. We continuously monitor for attack patterns and will initiate an incident response process if we need to. It doesn't help you and it doesn't help us if we trigger an incident response due to your own due diligence pen testing. What to do? That leads us to this month's security tip! When you're ready to pen test your Azure-hosted applications, all you need to do is let us know. Once we know that you're going to be performing specific tests, we'll have insight into what's going on and we won't shut you down, as long as your tests conform to the Azure pen testing terms and conditions. Standard tests that you can perform include:   • Tests on your endpoints to uncover the Open Web Application Security Project (OWASP) top 10 vulnerabilities   • Fuzz testing of your endpoints   • Port scanning of your endpoints   One type of test that you can't perform is any kind of Denial of Service (DoS) attack. This includes initiating a DoS attack itself, or performing related tests that might determine, demonstrate or simulate any type of DoS attack. Are you ready to get started with pen testing your applications hosted in Microsoft Azure? If so, then head on over to the Penetration Test Overview page (which is also linked to from the Azure Trust Center) and click the Create a Testing Request button at the bottom of the page. You'll also find more information on the pen testing terms and conditions and helpful links on how you can report security flaws related to Azure or any other Microsoft service. To keep up to date on the latest security information and topics as related to Microsoft Azure, make sure to bookmark the Azure Security Blog. Thanks!!! -Tom. How Microsoft Azure Active Directory helps prevent, detect and remediate attacks to your enterprise Explore a set of solutions across Active Directory and Azure AD that can help your organization easily identify key risks, and learn how to implement mechanisms across the hybrid enterprise to prevent, detect, and remediate the attacks your organizations may face. Azure Active Directory: Identity Management as a Service for modern applications Identity Management as a Service (IDMaaS) is an emerging capability to help developers and organizations manage access to modern applications. Learn more in this on demand session from //build. Administer your Azure AD directory Find out how Azure AD can help you manage identities. Azure AD Privileged Identity Management Azure AD Privileged Identity Management lets you manage, control, and monitor your privileged identities and their access to resources in Azure AD, and in other Microsoft online services such as Office 365 or Microsoft Intune. Walk through the core scenarios for Azure AD Privileged Identity Management and learn how to put it to work for you. Manage passwords in Azure AD Explore the full set of password management capabilities that Azure Active Directory supports, which include self-service password change and reset, administrator-initiated password reset, password management activity reports, and password writeback.   Community Update Cybersecurity and the cloud Watch Gartner VP of Research Lawrence Orans present details on the current cyber threat landscape and the latest trends in security and the cloud.   This Month's Security Bulletins   July 2015 Security Bulletins Critical   • MS15-065: 3076321 Security Update for Internet Explorer   • MS15-066: 3072604 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution   • MS15-067: 3073094 Vulnerability in RDP Could Allow Remote Code Execution   • MS15-068: 3072000 Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution   • MS15-078: 3079904 Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution Important   • MS15-058: 3065718 Vulnerabilities in SQL Server Could Allow Remote Code Execution   • MS15-069: 3072631 Vulnerabilities in Windows Could Allow Remote Code Execution   • MS15-070: 3072620 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution   • MS15-071: 3068457 Vulnerability in Netlogon Could Allow Elevation of Privilege   • MS15-072: 3069392 Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege   • MS15-073: 3070102 Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege   • MS15-074: 3072630 Vulnerability in Windows Installer Service Could Allow Elevation of Privilege   • MS15-075: 3072633 Vulnerabilities in OLE Could Allow Elevation of Privilege   • MS15-076: 3067505 Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege   • MS15-077: 3077657 Vulnerability in ATM Font Driver Could Allow Elevation of Privilege   July 2015 Security Bulletin Resources:   • July 2015 Bulletin Release Blog Post • Malicious Software Removal Tool: July 2015 Update   Security Events and Training   Getting started with Azure security for the IT professional Do IT security concerns keep you up at night? You're not alone! Many IT pros want to extend their organization's infrastructure but need reassurance about security. Whether you are researching a hybrid or a public cloud model with Microsoft Azure, the question remains the same: Does the solution meet your own personal and your organization's bar for security, including industry standards, attestations, and ISO certifications? In this demo-filled Microsoft Virtual Academy course, you can explore these and other hot topics, as a team of security experts and Azure engineers takes you beyond the basic certifications and explores what's possible inside Azure. See how to design and use various technologies to ensure that you have the security and architecture you need to successfully launch your projects in the cloud. Dive into datacenter operations, virtual machine (VM) configuration, network architecture, and storage infrastructure. Get the information and the confidence you need, from the pros who know, as they demystify security in the cloud. Active Directory core skills jump start Constantly resetting customer passwords? Want to extend your on-premises Active Directory? Join this Microsoft Virtual Academy session to explore Azure Active Directory (Azure AD) as part of the Enterprise Mobility Core Skills series, arming you with key knowledge to enable enterprise mobility management and to prepare your environment for Windows 10.     Essential Tools   • Microsoft Security Bulletins   • Microsoft Security Advisories   • Microsoft Security Development Lifecycle Starter Kit   • Enhanced Mitigation Experience Toolkit   • Malicious Software Removal Tool   • Microsoft Baseline Security Analyzer Security Centers   • Security TechCenter   • Security Developer Center   • Microsoft Security Response Center   • Microsoft Malware Protection Center   • Microsoft Privacy   • Microsoft Security Product Solution Centers Additional Resources   • Microsoft Cybertrust Blog   • Microsoft Azure Security Blog   • Microsoft Security Intelligence Report   • Microsoft Security Development Lifecycle   • Malware Response Guide   • Security Troubleshooting and Support Resources     technet.microsoft.com/security       This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter. © 2015 Microsoft Corporation Terms of Use | Trademarks Microsoft respects your privacy. To learn more please read our online Privacy Statement. If you would prefer not to receive the Microsoft Security Newsletter from Microsoft and its family of companies please click here. These settings will not affect any other newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services. To set your contact preferences for other Microsoft communications click here. Microsoft Corporation One Microsoft Way Redmond, WA 98052 USA