Welcome to the Microsoft Security Newsletter - a monthly newsletter for IT professionals and developers bringing security news, guidance, updates, and community resources direct to your inbox. If you have suggestions or comments about the Microsoft Security Newsletter, please send us your feedback. To view an online version of this newsletter, please click here. If you would like to receive less technical security news, guidance and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

Viewpoint

Who Can You Trust to Help You Secure and Manage Your Microsoft IT Infrastructure?

By Mark Hassall, Director, Microsoft Security Product Management
IT environments are often complex, with a myriad of management, monitoring, and reporting tools and processes, some industry-specific and some not. Maintaining this requires expertise across multiple specialties -- and it often requires solutions and services provided by specialists. The question becomes: which partners can you trust to help you secure and manage your IT infrastructure?

Top Stories

Microsoft Launches Malware Protection Center

Get the latest information about malware and potentially unwanted software on the Microsoft Malware Protection Center Portal. Browse the MMPC’s malware encyclopedia, download the latest virus/spyware definitions, submit malware samples, and find links to additional content.

Securing a Better Future for Electronic Medical Records

For reasons both technical and cultural, the manila file folder has remained the platform of choice for caregivers and their patients -- until now. Learn the healthcare industry is taking advantage of plentiful wireless connections and sophisticated mobile technologies running smoothly on handheld devices. New security enhancements for those devices help ensure patient confidentiality and usher health records into the digital era.

A Powerful New Tool for Certificate Management

Certificates are a key component in your infrastructure -- when one expires, productivity can come to a halt. If you rely on a Microsoft PKI environment, the new Identity Lifecycle Manager Certificate Management (ILM-CM) solution can help keep things running smoothly. Find out how this tool can help you improve authentication processes and reduce certificate management costs.

Security Guidance

Six Easy Pieces for Computer Security

By Mike Danseglio, Senior Group Program Manager, Security & Compliance Solution Accelerators, Microsoft Corporation
This article presents six easy steps that every company should take to enhance computer security in terms of getting the proverbial biggest bang for the security buck. Each suggestion is described in some detail with links to more in-depth treatments, templates, and tools.

Security Guidelines for Professional Services Firms

When it comes to security, professional services companies are hampered by tight IT budgets, an ever-increasing amount of content, and a lack of dedicated security personnel. Protecting data at services firms may require a melding of technology and services to get the job done. This article offers some guidelines to help midsize professional service firms.

Key Steps to Protecting a Financial Services Company

Few organizations face more or greater security threats than financial services companies. Here are the first and most important steps every financial services business should take to safeguard its customers, protect its assets, and comply with regulations.

How to Evaluate Your Supply Chain's Security

Is your IT network's security at risk from outside partners and suppliers? Learn how you can help protect your business.

Government Security Computer Checklist

This checklist outlines the seven security matters that every government organization should address in attempting to protect its computer systems.

Government's Big Security Challenge: Keeping Data Private

The realm of government IT security is expanding into the realm of secure and reliable communications in times of citizen crisis. IT teams must guard against security failures that will erode public trust. This article outlines the key components that comprise the ever-growing task list of government IT teams and provides three areas those teams should focus on when it comes to security -- both now and in the future.

Security Guidance Center for Education

Get the prescriptive technical guidance, tools, training, and updates you need to plan and manage a security strategy that’s right for your school or university.

Inspect Your Gadget

Today, the Windows Vista Sidebar hosts Gadgets built from HTML, JavaScript, and potentially ActiveX controls. Because Gadgets are HTML, they are subject to Cross-site Scripting style bugs. These bugs are extremely serious because script in the Sidebar is capable of running arbitrary code in the context of the locally logged-on user. This article outlines some of the secure programming best practices that should be considered when building Windows Vista Sidebar Gadgets.

This Month's Security Bulletins

Critical:

•	MS07-036: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)
•	MS07-039: Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122)
•	MS07-040: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212)

Important:

•	MS07-037: Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (936548)
•	MS07-041: Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution (939373)

Moderate:

•	MS07-038: Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807)

MVP Update

MVP of the Month: Harry L. Waldron

Harry started in the security profession in 1996. He provides security news, articles, and best practices for several technical forums, including McAfee, My IT Forums, Aumha, Calendar of Updates, MVS Help Forums, CNET, Tech Republic, and Bleeping Computers. Professionally, he works as a senior developer for Fairfax Information Technology Services, where he provides technical support, applications development support, project planning, and leadership on key projects.

Security Is a Business Requirement

By Harry L. Waldron, CPCU, AAI, Microsoft MVP
Security is a challenging corporate function for every business to ensure safety, privacy, and confidentiality. In this article, Microsoft MVP Harry L. Waldron uses the insurance industry as an example of how information security is a necessary consideration for businesses across all industries.

Partners with Expertise in Security Solutions

Brabeion

Brabeion Software helps organizations achieve and sustain compliance through a full lifecycle policy, standards and IT control management software platform powered by comprehensive information risk and audit content. Over 300,000 users across a wide range of vertical markets including financial services, oil and gas, healthcare, government, and transportation have deployed Brabeion solutions to accelerate time to compliance, protect information assets and mission-critical systems, lower costs, and optimize IT controls.

SecureWave

SecureWave Sanctuary ensures confidentiality and integrity of sensitive financial information by enforcing encryption when that information is copied to removable media. Sanctuary also provides detailed audit information to prove GLBA compliance, which requires all financial institutions to protect the security and confidentiality of customers’ nonpublic personal information.

SPI Dynamics

SPI Dynamics’ comprehensive suite of products and services identify and remediate Web application and Web services security vulnerabilities throughout the application development lifecycle. These award-winning solutions also enable security professionals, QA testers, and developers to work together to verify compliance with over 22 security policies such as SOX, HIPAA, and PCI. SPI Dynamics has the most application security testing customers worldwide with clients in the financial, government, accounting, telecommunications, technology hardware, and healthcare industries.

Microsoft Product Lifecycle Information

Find information about your particular products on the Microsoft Product Lifecycle Web site.

•	See a list of supported service packs: Microsoft provides free software updates for security and nonsecurity issues for all supported service packs.

Security Events and Training

Learn More About Developing Secure and Manageable Applications

Combined, Microsoft Forefront and Microsoft System Center help make security and manageability a seamless part of your development experience. Attend a launch event in your area to test-drive the new products, receive trial software, and network with technology partners, peers and experts.

Managing Network Security Challenges

With an increasing number of endpoint devices connecting to your network today, IT workers face increasing challenges around security. Learn how to gain more control over your servers and desktops, as well as your endpoint devices. The solutions and technologies in this month’s Learning Path for Security will help you address challenges such as malware, breaches, and other security threats.

Upcoming Security Webcasts

Microsoft Webcast: Windows Server 2008 Security Enhancements (Level 200)
Thursday, August 9, 11:00 A.M. Pacific Time
Ward Ralston, Senior Technical Product Manager, Microsoft Corporation

Interactive Security Webcast Calendar
Upcoming security webcasts in a dynamic, interactive format.

Microsoft On-Demand Webcasts

•

Microsoft Webcast: Optimize Your Identity and Access Management Infrastructure
Due to security issues, privacy concerns, and regulatory compliance, identity and access management projects have become one of the top IT priorities in organizations across all industries. Join this webcast as we explain conceptual identity and access management projects and solutions in the context of an IT infrastructure optimization model that would allow your organization to plan and deploy these solutions in a phased manner. We also evaluate Microsoft and partner identity and access management solutions against the same framework.

For IT Professionals

•	TechNet Webcast: Troubleshooting Forefront Client Security (Level 200) Friday, July 13, 9:30 A.M. Pacific Time Shawn Travers, IT Pro Evangelist, Microsoft Corporation
•	TechNet Webcast: Security and Enterprise Features of System Center Operations Manager 2007 (Level 200) Monday, July 16, 11:30 A.M. Pacific Time John Baker, IT Pro Evangelist, Microsoft Corporation
•	TechNet Webcast: Deploying IPSec with Windows Vista (Level 200) Wednesday, July 25, 9:30 A.M. Pacific Time John Baker, IT Pro Evangelist, Microsoft Corporation
•	TechNet Webcast: Technical Overview of Forefront Security for Exchange Server (Level 200) Wednesday, July 25, 1:00 P.M. Pacific Time Bryan Von Axelson, IT Pro Evangelist, Microsoft Corporation
•	TechNet Webcast: Recipient Management, Policies, and Permissions in Exchange Server 2007 (Level 200) Friday, July 27, 11:30 A.M. Pacific Time Kevin Remde, IT Pro Evangelist, Microsoft Corporation
•	TechNet Webcast: Windows Server 2008 Technical Overview (Part 2 of 2) (Level 200) Friday, August 10, 11:30 A.M. Pacific Time Michael Murphy, IT Pro Evangelist, Microsoft Corporation
•	TechNet Webcast: Group Policy in Windows Vista (Level 200) Monday, August 13, 9:30 A.M. Pacific Time John Baker, IT Pro Evangelist, Microsoft Corporation
•	TechNet Webcast: Painless Data Protection (Level 200) Monday, August 13, 1:00 P.M. Pacific Time Bryan Von Axelson, IT Pro Evangelist, Microsoft Corporation
•	TechNet Webcast: Information About Microsoft August Security Bulletins (Level 200) Wednesday, August 15, 11:00 A.M. Pacific Time Christopher Budd, Security Program Manager, Microsoft Corporation, and Mike Reavey, Group Manager MSRC, Microsoft Corporation

For Developers

•	Explore Web Development with ASP.NET 2.0 Various dates in July and on-demand Tune in and learn about the improvements in Microsoft ASP.NET 2.0 and see how you can use ASP.NET 2.0 to create faster, more secure Web applications with fewer lines of code.

Volume 4, No. 7

July 2007

In This Issue:

	Viewpoint
	Top Stories
	Security Guidance
	This Month's Security Bulletins
	MVP Update
	Partners with Expertise in Security Solutions
	Microsoft Product Lifecycle Information
	Security Events and Training
	Upcoming Security Webcasts

Security Program Guide

•	Microsoft Security Awareness Toolkit Guidance, samples, and templates for creating a security-awareness program in your organization.
•	Learn Security On the Job
•	Learning Paths for Security - Microsoft Training References and Resources

Upcoming Chats

•	Understanding Windows Server 2008 Networking and Network Access Protection July 16, 10:00 A.M. Pacific Time Join our experts and ask your pressing questions about key networking features and roles, like Network Access Protection, in Windows Server 2008.
•	SystemCenter Configuration Manager 2007 Internet Based Client Management and Native Mode July 24, 10:00 A.M. Pacific Time This Q&A with the SCCM 2007 Client team will focus on Internet-Based Client Management and Native Mode Security Configuration.
•	Get Ready for Data Protection Manager 2007 Beta 2 July 31, 8:00 A.M. Pacific Time Join this webcast to be among the first to discuss the new features in DPM 2007 beta 2, including protection of virtual servers, SharePoint, and Windows desktops, along with disaster recovery capabilities.
•	Windows Server 2008: Management, Security, and Improved Performance for Your Remote Infrastructure August 14, 10:00 A.M. Pacific Time Join us for a Q&A on the new features in Windows Server 2008 that will help you manage and secure your remote infrastructure. The WAN performance improvements included in the new TCP and SMB protocols will also be covered. Ask our experts about Windows BitLocker Drive Encryption, improvements in Active Directory, Server Core, the Next-Generation TCP stack, and SMB 2.0.

View a listing of upcoming technical chats.

Free In-Person Events

•	TechNet Events

Security Blogs

•	Michael Howard
•	Eric Lippert
•	Eric Fitzgerald
•	Steve Lamb
•	MSRC Blog
•	ACE Team
•	Jeff Jones
•	Windows Vista Security
•	User Account Control Team
•	Solution Accelerators - Security & Compliance
•	Kai Axford

Security Newsgroups

•	General Security issues/questions Open with newsreader
•	Virus issues/questions Open with newsreader
•	ISA Server Open with newsreader
•	Windows 2000: Security Open with newsreader
•	Windows XP: Security Administration Open with newsreader
•	SQL Server: Security Open with newsreader
•	Windows Server: Security Open with newsreader
•	Other Security Newsgroups

Community Web Sites

•	IT Pro Security Community
•	Security Newsgroups
•	Related Communities

Additional Security Resources

•	Security Help and Support for IT Professionals
•	TechNet Troubleshooting and Support Page
•	Microsoft Security Glossary
•	TechNet Security Center
•	MSDN Security Developer Center
•	Midsize Business Security Center
•	Sign-Up for the Microsoft Security Notification Service
•	Security Bulletin Search Page
•	Home Users: Protect Your PC
•	MCSE/MCSA: Security Certifications
•	Subscribe to TechNet
•	Register for TechNet Flash IT Newsletter
•	Subscribe to MSDN

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, BitLocker, Forefront, SharePoint, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft Group of companies. All other trademarks are property of their respective owners.

To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at http://www.microsoft.com/info/unsubscribe.htm. You can manage all your Microsoft.com communication preferences at this site.

Legal Information.

This newsletter was sent by the Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052