Microsoft Security Newsletter
Welcome to the Microsoft Security Newsletter - a monthly newsletter for IT professionals and developers bringing security news, guidance, updates, and community resources direct to your inbox.

Viewpoint
Security Viewpoint   
By John Steer, CISSP, Senior Security Consultant, Microsoft ACE Services
Corporate security policies are a critical part of securing your corporate assets. This article covers the role of the security policy as a driver in the application development lifecycle, and explains why it is important to embed security processes and policies into the software development process.

Top Stories
Deploy Forefront Client Security in large enterprises with more than 10,000 users by using Forefront Client Security Enterprise Manager. This tool allows you to aggregate reporting and management of up to 10 Client Security down-level deployments, allowing you to manage up to 100,000 client computers from a single Client Security console.
System Center Configuration Manager represents a tremendous advance over its well-regarded predecessor, now providing the control necessary to more effectively manage change in today's dynamic IT infrastructures. Manage the full deployment and update lifecycle with streamlined, policy-based automation; with enhanced insight into, and control over, assets and systems compliance; and with optimization for Windows -- particularly Windows Server 2008 and Windows Vista. When you download the 120-day trial software, you're automatically registered to receive valuable resources delivered at strategic intervals throughout the software evaluation period.
Now with support for Exchange Server 2007 SP1 and Windows Server 2008, Forefront Security for Exchange Server SP1 helps provide comprehensive protection for Exchange Server 2007 environments through the integration of multiple industry-leading antivirus scan engines, content filtering, and enhanced manageability. Begin your evaluation today.

Security Guidance
IT administrators can use Group Policy and the Active Directory services infrastructure in Windows Server 2008 to automate one-to-many management of users and computers -- simplifying administrative tasks and reducing IT costs. These resources will help you to efficiently implement security settings, enforce IT policies, and distribute software consistently across a given site, domain, or range of organizational units.
The number of Group Policy settings has increased from approximately 1,800 in Windows Server 2003 Service Pack 1 to approximately 2,500 in Windows Vista and Windows Server 2008. This gives you more than 700 new policies to help you manage desktops, security, and all other aspects of running your network. This document will help you sort through the new and updated features available in Windows Vista, and provides a number of best practices to help you deploy Group Policy.
Learn about key areas of Group Policy through answers to frequently asked questions and links to related information.
USB thumb-disk keys and other removable devices can make your personal life easier but your professional life harder. For improved security, you need a way to control what hardware devices your users are installing on their work systems. Learn how you can use Group Policy to control which devices they can use and which ones they can't.
This section provides technical reference information for the security settings and privacy options in the 2007 Microsoft Office system. Learn what each setting does, the default configuration for a setting, which tool to use to configure a setting, and where to find the setting in the Office Customization Tool (OCT) or the Group Policy Object Editor.
Security Policy settings on Windows Mobile devices are configurable and provide the flexibility to control access to the device. This article contains a concise table that shows how you can use security policies to protect devices.
Security Configuration Wizard (SCW) is an attack surface reduction tool for computers running a member of the Windows Server 2003 family with Service Pack 1 (SP1). SCW guides you through the process of creating a security policy, based on the roles performed by a given server. Learn how you can use SCW to create a policy, which can then be edited or applied to one or more similarly configured servers. Applied policies can be rolled back in order to undo changes that have caused problems.
Security policy is the configurable set of rules that the common language runtime follows when determining the permissions to grant to code. The runtime examines identifiable characteristics of the code, such as the Web site or zone where the code originates, to determine the access that code can have to resources. During execution, the runtime ensures that code accesses only the resources that it has been granted permission to access. This part of the guide explores the .NET Framework security policy model, permission grants, security policy administration, security policy best practices, and much more.
Security is an important consideration when building applications. The common language runtime grants varying levels of trust to code based on certain attributes, called evidence, that the code possesses. When the runtime establishes that code has a certain level of trust, the code can access protected resources appropriate to that level of trust. Learn how to configure security policy using the .NET Framework Configuration Tool (Mscorcfg.msc) and the Code Access Security Policy Tool (Caspol.exe).

This Month's Security Bulletins
Critical:
Important:

MVP Update
By Harry L. Waldron, CPCU, AAI, Microsoft MVP
Good security requires a balance of technological and human behavioral controls. Corporate policies promote the best behavioral standards for users, which can complement technical defense systems. In this month’s MVP Article of the Month, Harry Waldron explores why the overall effectiveness of policies relates directly to how well those policies are communicated, promoted, and evaluated in terms of continuous improvement.

Partners with Expertise in Security Solutions
FullArmor Corporation is a leading provider of enterprise policy management software. FullArmor Endpoint Policy Manager automates the delivery, enforcement, and auditing of critical security policies on mobile, disconnected, and unmanaged endpoint devices, including guest machines with temporary access to the network.
NetIQ is a leading provider of integrated systems and security management solutions that empower IT organizations with the knowledge and ability necessary to assure IT service Customers can use NetIQ Group Policy Administrator to better plan, manage, troubleshoot, and report on Group Policy Objects (GPOs), a key component of Active Directory service. At the same time NetIQ Group Policy Guardian minimizes the risks associated with GPO change management and helps identify and document all authorized and unauthorized Group Policy changes to the live environment.

Microsoft Product Lifecycle Information
Find information about your particular products on the Microsoft Product Lifecycle Web site.
See a List of Supported Service Packs: Microsoft provides free software updates for security and nonsecurity issues for all supported service packs.

Security Events and Training
Registration for the 2008 Microsoft Office Visio Conference is closing soon. Don’t miss the opportunity to learn how Visio 2007 can enhance visualization and complement your existing security solutions. Register today to maximize your efficiency and effectiveness with Visio, hear about the updated product roadmap, and make the connections to grow your Visio business.
Register today to join us at this Security Virtual Conference where you can discuss the danger of not having good software development security skills and also learn about concrete actions you can take to help improve your own skills. Security skills can have a very positive effect on your value as a developer and take you to a whole new level when having security discussions with stakeholders in any application development lifecycle.
This 90-minute lab provides hands-on experience with security and policy enforcement functionality in Windows Server 2008. Topics covered include security enhancements in Windows Server 2008 and Network Access Protection (NAP).
Network Access Protection (NAP) is a policy enforcement platform built into Microsoft Windows Vista and Windows Server 2008 that you can use to better protect your private network by enforcing compliance with computer health requirements. These requirements include having a firewall installed and enabled and having the latest operating system updates installed. Use the resources in this learning path to better understand how NAP can improve the overall health compliance of your network. The tools provided will also help you set up NAP so you can create customized policies and limit access for unhealthy devices.

Upcoming Security Webcasts
Being responsible for information security can be a daunting task, so where do you begin? From the design of acceptable use policies to preventing insiders from stealing data, the job can be a challenging one. Join Kai Axford, Senior Security Strategist with the Trustworthy Computing Group, as he explores each layer of Defense in Depth during this eight-part webcast miniseries in January. Kai will show you how to mitigate the new risks in security and may have you rethinking the methods you are using. He will also spend time talking about hot topics of the day.
View upcoming security webcasts in a dynamic, interactive format.
For IT Professionals
TechNet Webcast: 2008 Defense in Depth Security Series (Part 4 of 8): Living on the Edge (Level 200)
Thursday, January 10, 11:30 AM Pacific Time
Kai Axford, Senior Security Strategist, Microsoft Corporation
TechNet Webcast: eDiscovery for E-Mail (Level 200)
Friday, January 11, 11:30 AM Pacific Time
Diane Prescott, Technical Product Manager, Microsoft Corporation, and Aimee Chaille, Lead Product Manager, Microsoft Corporation
TechNet Webcast: 2008 Defense in Depth Security Series (Part 5 of 8): Keeping Your House in Order (Level 200)
Monday, January 14, 11:30 AM Pacific Time
Kai Axford, Senior Security Strategist, Microsoft Corporation
TechNet Webcast: 2008 Defense in Depth Security Series (Part 6 of 8): Save the Box, Save the Network (Level 200)
Thursday, January 15, 11:30 AM Pacific Time
Kai Axford, Senior Security Strategist, Microsoft Corporation
TechNet Webcast: 2008 Defense in Depth Security Series (Part 7 of 8): If You Build It (Securely), They Won't Come (Level 200)
Wednesday, January 16, 11:30 AM Pacific Time
Kai Axford, Senior Security Strategist, Microsoft Corporation
TechNet Webcast: Exchange Server 2007 in Depth (Part 1 of 8): Overview (Level 200)
Wednesday, January 16, 1:00 PM Pacific Time
Chris Avis, TechNet Presenter, Microsoft Corporation
TechNet Webcast: 2008 Defense in Depth Security Series (Part 8 of 8): If a Terabyte Falls in the Middle of the (Active Directory) Forest (Level 200)
Thursday, January 17, 11:30 AM Pacific Time
Kai Axford, Senior Security Strategist, Microsoft Corporation
TechNet Webcast: SharePoint Server 2007 (Part 2 of 6): Securing Data in SharePoint Server 2007 (Level 200)
Monday, January 21, 9:30 AM Pacific Time
Kevin Remde, TechNet Presenter, Microsoft Corporation
TechNet Webcast: Exchange Server 2007 in Depth (Part 5 of 8): Client Access and Web Services (Level 200)
Friday, January 25, 1:00 PM Pacific Time
John Weston, TechNet Presenter, Microsoft Corporation
TechNet Webcast: Exchange Server 2007 in Depth (Part 7 of 8): Key Scenarios, Examples, Demos, and How-to's (Level 300)
Friday, February 1, 1:00 PM Pacific Time
John Weston, TechNet Presenter, Microsoft Corporation
TechNet Webcast: Security Enhancements in SQL Server 2008 (Level 300)
Tuesday, February 5, 11:30 AM Pacific Time
Il-Sung Lee, Program Manager, Microsoft Corporation
TechNet Webcast: Information About Microsoft February Security Bulletins (Level 200)
Wednesday, February 13, 11:00 AM Pacific Time
Bill Sisk, Security Response Communications Manager, Microsoft Corporation, and Adrian Stone, Lead Security Program Manager, Microsoft Corporation
For Developers
MSDN Webcast: Developing Secure Code Using Visual Studio Partner Solutions (Level 100)
Thursday, January 10, 9:00 AM Pacific Time
Terry Clancy, Business Development Manager, Microsoft Corporation
MSDN: Security Virtual Conference for Developers
Tuesday, January 29, Noon Eastern Time
MSDN Webcast: MSDN geekSpeak: Security from a Public, Anonymous Windows SharePoint Services 3.0 Site (Level 300)
Wednesday, January 30, Noon Pacific Time
Jim Wilt, Chief Software Architect, Metrics Reporting, Inc.
Microsoft On-Demand Webcasts
SQL Server 2005 Security for Administrators
In this webcast you learn the principles and methodology of designing SQL Server security. You also learn the benefits of having a security policy in place and the process of creating a security policy. We will also cover aspects of design for SQL Server instance-level, database-level, and object-level security policies.
Ignite Your Coding: Security Essentials for Windows
Gain a solid overview of security concepts and technologies in Windows with this webcast. We will address many different challenges such as access control lists, identity, and security policy.

Security Newsletter
Volume 5, No. 1

January 2008
Security Program Guide
Security Awareness Materials
Guidance, samples, and templates for creating a security-awareness program in your organization.
Learn Security On the Job
Learning Paths for Security - Microsoft Training References and Resources
Upcoming Chats
Free In-Person Events
TechNet Events
Security Blogs
Michael Howard
Eric Lippert
Eric Fitzgerald
Steve Lamb
MSRC Blog
ACE Team
Jeff Jones
Windows Vista Security
Solution Accelerators - Security & Compliance
Kai Axford
Security Newsgroups
General Security issues/questions
Virus issues/questions
ISA Server
Windows 2000: Security
Windows XP: Security Administration
SQL Server: Security
Windows Server: Security
Other Security Newsgroups
Community Web Sites
IT Pro Security Community
Security Newsgroups
Related Communities
Additional Security Resources
Security Help and Support for IT Professionals
TechNet Troubleshooting and Support Page
Microsoft Security Glossary
TechNet Security Center
MSDN Security Developer Center 
Midsize Business Security Center
Sign-Up for the Microsoft Security Notification Service
Security Bulletin Search Page
Home Users: Protect Your PC
MCSE/MCSA: Security Certifications
Subscribe to TechNet
Register for TechNet Flash IT Newsletter
Subscribe to MSDN
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Forefront, MSDN, SharePoint, SQL Server, Visual Studio, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

This newsletter was sent by the Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052