Welcome to the Microsoft Security Newsletter - a
monthly newsletter for IT professionals and developers
bringing security news, guidance, updates, and community
resources direct to your inbox. If you have suggestions
or comments about the Microsoft Security Newsletter,
please send us your feedback.
Viewpoint
By J.C. Cannon, Senior Program Manager,
Microsoft Corporation
Compliance can appear to be a complex and
overwhelming issue. Its scope spans regulatory
requirements (federal, state, and local),
corporate policy, industry standards, and
conformance to customer expectations. This
article looks at ways to address the many
aspects of compliance by boiling them down into
a single concept: "Are policies being followed
the way I expect them to be?"
Top Stories
On June 6, Microsoft announced the release of
Microsoft Antigen e-mail security products --
including Antigen for Exchange, Antigen for SMTP
Gateways, Antigen Spam Manager, and Antigen
Enterprise Manager -- available to customers
July 1, 2006. Microsoft Antigen products help
businesses protect their Exchange, Windows-based
SMTP gateway, Live Communications Server, and
SharePoint servers from viruses, worms, spam,
and inappropriate content. Read about
new product features or download the
new 90-day trials to see how Antigen can
help protect your messaging and collaboration
servers.
Following on the heels of the very successful
English Windows Defender (Beta 2) release, we
are proud to announce that German and Japanese
localized versions are now available.
Few of us "computer people" seem to think about
the people who use the services we provide, who
buy the software we are selling, and who
actually use the computers we manage as part of
the corporate, school, home, or
friendsneighborsandpeoplewemeetinthesupermarket
IT department. As is discussed in this article,
nowhere is this presenting a bigger problem than
in the security niche of the general IT
industry.
In this Q&A, Security, Access and Solutions
Division (SASD) Vice President Ted Kummert
discussed new security product announcements
from Microsoft Tech•Ed 2006, including the new
Microsoft Forefront brand, that reinforce a
broader business customer promise to "Protect
Information, Control Access."
Security Guidance
By Bill Canning, Program Manager, Microsoft
Corporation
Audits are a critical component of the
regulatory compliance process. Understanding how
the audit process works and how auditors operate
is important because it informs IT managers how
to establish an environment that is compliant
and easy to audit. This tip focuses on how
auditors conduct the IT audit process.
The Regulatory Compliance Planning Guide
is designed to help IT managers and Microsoft
customers meet specific IT compliance
obligations that directly relate to major
regulations and standards. The guide introduces
a framework-based approach that you can use as
part of your efforts to comply with these
regulations and standards. The guide also
describes Microsoft products and technology
solutions that you can use to implement a series
of IT controls to help meet your regulatory
obligations.
For a developer, understanding the issues around
regulatory compliance can be a difficult and
frustrating endeavor. This article makes sense
of regulatory compliance from a developer's
point of view. It examines Sarbanes-Oxley,
HIPAA, and other regulations, and covers the
most important best practices that are common
across multiple pieces of legislation.
Learn why organizations can and should bring
their security and management teams into the
process of building policies and procedures to
support their regulatory compliance and provide
system administrators with the flexibility
necessary to meet threats as they arise.
The purpose of this white paper is to share some
of the processes and tools that the Microsoft IT
group currently uses to systematize the approach
of supporting regulatory compliance activities
at Microsoft.
This report provides an in-depth perspective of
the malware landscape based on the data
collected by the MSRT, and highlights the impact
that the MSRT has had in reducing the impact of
malware on Windows users.
With the forthcoming release of Windows Vista,
Microsoft is delivering innovations that offer
IT administrators new ways to make their
companies' networks more resistant to attack
while preserving data confidentiality, integrity
and availability. This downloadable document
provides detailed descriptions of the security
enhancements in Windows Vista.
This guide helps customers of all types plan,
build, and maintain a successful security risk
management program. In a four-phase process, the
guide explains how to conduct each phase of a
risk management program and how to build an
ongoing process to measure and drive security
risks to an acceptable level.
When you manage security you must strive to
reduce unacceptable risk while keeping the
impact on workflow of the organization and total
cost of ownership of the infrastructure to a
minimum. Here are 10 key points an administrator
should keep in mind while working on a security
management plan.
Delegating power within any organization is not
a trivial matter. When it concerns group policy,
you need to decide just who creates group policy
objects (GPOs) and who can link them to areas in
Active Directory. This article discusses how,
even though the Domain Administrators are the
only people who can create GPOs by default,
these permissions can be delegated to deputy
administrators so they can create GPOs,
alleviating some of the burden.
Every Windows Mobile-based device implements a
set of security policies that determine whether
an application is allowed to run and, if
allowed, with what level of trust. To develop an
application for a Windows Mobile-based device,
you need to know what the security configuration
of your device is. Read this article and learn
how to develop an application for a Windows
Mobile-based device, including how to determine
the security configuration of your device and
how to sign your application with the
appropriate certificate.
The free Microsoft Threat Analysis and Modeling
tool allows nonsecurity subject matter experts
to enter already-known information, including
business requirements and application
architecture, to produce a feature-rich threat
model. Along with automatically identifying
threats, the tool can produce valuable security
artifacts such as data control, component access
control, and subject-object matrices as well as
data flows and focused reports.
This Month's Security Bulletins
Critical:
Important:
Moderate:
MVP Update
Robert Williams is managing partner of
Enterprise Certified Corporation, a Microsoft
security solutions provider. He was CEO of
publicly traded Manakoa Services Corporation, a
company supplying solutions for risk management,
IT security, and regulatory compliance. Williams
has more than 20 years of senior-level IT
management experience with companies ranging
from start-ups to large technology firms and
consultancies. He was also instrumental in
recent anthrax terrorist attack crisis
management and is active in continuing
anti-terrorism efforts. A recognized technology
expert, he was also the featured speaker in the
international road shows sponsored by Microsoft,
Hewlett Packard, Compaq, and Tech Data on UNIX
and Windows NT interoperability. He is the
coauthor of Ultimate Windows Server 2003
Administrator's Guide (Addison Wesley, 2002) and
other best-selling books.
In this article, Robert Williams and Mark Walla
examine the management of event log data when
responding to regulatory auditors. Specifically,
the discussion focuses on how organizations can
audit and report IT security-related events when
complying with regulations like Sarbanes-Oxley,
FISMA, HIPAA, and GLBA with tools like Microsoft
Operations Manager (MOM) and SQL Server
Reporting Services combined with third-party
applications like Enterprise Certified
Corporation’s Enterprise Compliance Auditing and
Reporting (ECC ECAR).
Partners with Expertise in Security Solutions
As a Gold Certified Partner, Configuresoft works
with Microsoft to deliver the best continuous
compliance solution for our customers. The
recently released Microsoft Windows Security and
Hardening Toolkit was designed to ensure the
security configuration of Windows 2000, 2003,
and XP systems in accordance with Microsoft
recommended best practices. The toolkit
translates the Microsoft Windows Security
Hardening Guides into actionable, continuous
compliance rules to ensure that your actual
enterprise security configuration settings
correspond with the recommended hardening value.
Full Armor's PolicyPortal supports the
requirements of enterprises that have deployed
Active Directory and want to enforce policy on
disconnected machines; small-medium businesses
that have not deployed Active Directory, but
need to centrally enforce security policies; and
managed service providers that need to manage
and enforce customized security policies for
multiple customers.
NetIQ Group Policy Guardian minimizes the risks
associated with Group Policy Object (GPO) change
management and helps determine and document all
authorized and unauthorized Group Policy changes
to the live environment. This product automates
and simplifies the process of monitoring changes
to Active Directory GPOs by displaying what
changes were made and by whom. With NetIQ Group
Policy Guardian, you can easily monitor, verify,
and track Group Policy changes in real time
while capturing the changes in an auditing
database. This advanced change-monitoring
capability allows you to prove to auditors that
corporate policies implemented for regulatory
compliance have not deviated over time.
Microsoft Product Lifecycle Information
Security Events and Training
July 29-August 3, Las Vegas, Nevada, U.S.
Featuring some 14 tracks with 90 speakers, Black
Hat Briefings bring together a unique mix in
security: the best minds from government
agencies and global corporations with the
underground's most respected hackers. These
forums take place regularly in Las Vegas,
Amsterdam, Tokyo, and Singapore. Registration
closes July 26.
From tight perimeter security to ensuring secure
collaboration environments and messaging, a good
security plan should include multiple layers of
defense. Use these webcasts, guides, and virtual
labs to discover the latest defense strategies
to help reduce the complexity of securing your
network while driving comprehensive protection.
Upcoming Security Webcasts
Explore our library of more than 130 free live and on-demand Tech-Ed webcasts and get up to speed on Windows Vista, the 2007 Microsoft Office system, management and operations, security, server infrastructure, and more.
Microsoft On-Demand Security Webcasts
• Policy Enforcement and Regulatory Compliance
  with Exchange Server 2007 (Level 300)
Many companies struggle to meet the changing
interpretations of "compliance," whereas others
have created new business opportunities by
implementing tighter controls and increasing the
transparency of their business processes. This
webcast explains how the new features in the
next version of Microsoft Exchange Server,
code-named “Exchange Server 2007,” can help your
company enforce policies and comply with
regulations.
• Active Directory and Compliance Standards (Level
  300)
This webcast presents the "Five A’s" of
compliance as it relates to Active Directory. We
also cover best practice standards outlined by
the Information Technology Infrastructure
Library (ITIL), the Control Objectives for
Information and Related Technology (COBIT), and
the International Organization for
Standardization (ISO).
• Bonus: Attend any live webcast through June
2006 and you could win a 40 GB MP3/WMA player.
See
official rules for more details. Offer open
to residents of the United States and Canada
only.
For IT Professionals: TechNet Webcasts
For Developers: MSDN Webcasts
Volume 3, No. 6
June 2006
Additional Security Resources
© 2006 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Outlook, SharePoint, Windows,
Windows Mobile, Windows Server, and Windows Vista are either
registered trademarks or trademarks of Microsoft Corporation
in the United States and/or other countries. All trademarks
are the property of their respective owners.
Digital Signatures Help Make Microsoft Security Newsletters
More Secure
To help increase your security, Microsoft will soon begin
digitally signing all of its security newsletters with the
Internet standard, Secure Multipurpose Internet Mail
Extensions (S/MIME). This means that if you use Microsoft
Outlook, or another full-featured e-mail program, you have
an added assurance that the e-mail newsletter came from
Microsoft and has not been tampered with. However, many
Web-based e-mail programs and some other e-mail programs do
not support digital signing with S/MIME. To learn more,
please see how digital signatures help make Microsoft
security newsletters more secure.
To cancel your subscription to this newsletter, reply to
this message with the word UNSUBSCRIBE in the Subject line.
You can also unsubscribe at
http://www.microsoft.com/info/unsubscribe.htm. You can
manage all your Microsoft.com communication preferences at
this site.
Legal Information.
This newsletter was sent by the Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052