Microsoft Security Newsletter
Welcome to the Microsoft Security Newsletter, a monthly newsletter for IT professionals and developers bringing security news, guidance, updates, and community resources direct to your inbox. If you have suggestions or comments about the Microsoft Security Newsletter, please send us your feedback. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

Security Viewpoint
By Ido Dubrawsky, Security Advisor, Microsoft Communications Sector
In this month's Viewpoint, learn how and why the hardened perimeter is giving way to a process known as "de-perimeterization": the gradual disappearance of the perimeter network (also known as the DMZ, demilitarized zone, or screened subnet) in order to accommodate the reality of today's business networks and environments.

Top Stories
For as much coverage as it gets, there are still a lot of questions and misconceptions about User Account Control (UAC). Here’s a frank discussion about what UAC is, what it is not, and how it should affect the way you manage systems.
Businesses need to eliminate the damaging effects of malicious software (also called malware) and attackers by using comprehensive tools for scanning and blocking harmful content, files, and Web sites. Learn how Microsoft Internet Security and Acceleration (ISA) Server helps provide access protection with intrusion detection, flood mitigation, spoof detection, and other sophisticated attack detection features.
Choose one of several options for evaluating Microsoft Internet Security and Acceleration (ISA) Server 2006 and Microsoft Intelligent Application Gateway (IAG) 2007. Check out a demonstration toolkit, download free ISA Server 2006 trial software, or test drive products through TechNet Virtual Labs.
By enabling the widest possible set of interactions between clients and services, WCF security introduces a degree of complexity that is difficult to master. In this article, Juval Lowy offers a declarative security framework designed to eliminate that complexity without decreasing security or configuration flexibility for the supported scenarios.

Security Guidance
By Uri Lichtenfeld, IAG Product Manager, Microsoft Corporation
Having access from anywhere can drive productivity, but it is challenging for companies to create a user experience that is both easy to manage and that helps to protect against security risks. This article describes how Microsoft Intelligent Application Gateway 2007 provides tools to help companies publish applications in a more secure and user-friendly manner and achieve a better balance between access and security.
Increased connectivity means that domain members on an internal network are increasingly exposed to significant risks from other computers on the internal network, in addition to breaches in perimeter security. This guide presents a concept of logical isolation that embodies two solutions: server isolation to ensure that a server accepts network connections only from trusted domain members or a specific group of domain members; and domain isolation to isolate domain members from untrusted connections. These solutions can be used separately or together as part of an overall logical isolation solution.
This guide provides you with essential information about how to harden and securely administer computers running ISA Server 2006 Enterprise Edition or ISA Server 2006 Standard Edition. In addition to practical, specific configuration recommendations, this guide includes ISA Server deployment strategies.
This guide provides in-depth information about IAG 2007 functionality and how to use its various components and options. It includes step-by-step instructions on how to configure, maintain, monitor, and control IAG servers.
This guide provides details on advanced configuration and capabilities of IAG, including security management tools, customizing Web pages, access control, session settings, and more.
Windows Firewall with Advanced Security, a Microsoft Management Console (MMC) snap-in in Windows Vista, is a stateful, host-based firewall that filters incoming and outgoing connections based on its configuration. IPsec and firewall configuration can now be done together in this snap-in. This article describes how Windows Firewall with Advanced Security works, what the common troubleshooting situations are, and which tools you can use for troubleshooting.
Windows Server System Reference Architecture (WSSRA) is an integrated set of service solutions based on architectural guidance for typical enterprise scenarios. This section of the WSSRA guide provides information on the design used in the CDC scenario to provide a secure firewall solution between the Internet and the perimeter networks of the CDC infrastructure.
This guide helps you to select a suitable firewall product for your organization's perimeter network. It presents the different classes of available firewalls and highlights their significant features. It also gives you guidance in determining your own requirements and helps you to select the most appropriate product for your perimeter firewall.
This white paper explains how to get replication to function properly in environments where an Active Directory forest is distributed among internal perimeter networks and external (Internet-facing) networks.
Most firewalls are used to control "inbound traffic" to the server; they generally do not control "outbound traffic" to clients. However, ports in your firewall for outbound traffic may be closed if a more stringent security policy is implemented on your server network. This article describes how to allocate ports for Windows Media Services and configure Windows Firewall for Windows Media Services, and it also gives firewall and registry settings for Distributed Component Object Model (DCOM).

This Month's Security Bulletins

MVP Update
MVP of the Month: Chema Alonso
Chema Alonso is a computer engineer currently working on a Ph.D. at the Rey Juan Carlos University, who also works as a Security Consultant for Informática64. He presents at more than 100 speaking engagements each year and has participated in Security Days, MSDN events, DotNet Club, Training Days, TechNet events, and other IT pro events together with the local Microsoft Developer & Platform Evangelism teams. Chema also writes technical articles for specialized press outlets such as IT Magazine and PCWorld. You can contact him via his blog at
By Chema Alonso, Microsoft MVP - Windows Security
This article describes how attackers take advantage of SQL injection vulnerabilities by using time-based, blind SQL injection with heavy queries. The goal is to highlight the need for establishing secure development best practices for Web applications instead of relying only on the security provided by perimeter defenses.

Partners with Expertise in Security Solutions
BitDefender Security for ISA Servers offers antivirus and antispyware protection for web traffic, including protection for data received through webmail. BitDefender Security for ISA Servers integrates with the Microsoft ISA Servers through two application filters (ISAPI) offering antivirus and antispyware protection for HTTP, FTP, and FTP through HTTP traffic.
McAfee’s Internet gateway suites, services, and appliances help you stop malicious attacks at the gateway to your network, before they harm your business-critical systems. McAfee SecurityShield for Microsoft ISA Server combines anti-virus, anti-spam, and content filtering in an integrated security solution for Microsoft ISA Servers.
Trend Micro can help you protect your users from viruses and malicious code by blocking them at the Internet gateway -- before they reach endpoint devices and slow your network. InterScan WebProtect for ISA is an easy-to-install addition to Microsoft ISA Server that offers high performance and simplified management via a Web-based console, and requires no additional hardware purchases.

Microsoft Product Lifecycle Information
Find information about your particular products on the Microsoft Product Lifecycle Web site.
See a list of supported service packs: Microsoft provides free software updates for security and nonsecurity issues for all supported service packs.

Security Events and Training
After completing this lab, you will be more familiar with Remote Access with IAG 2007, Secure Remote Access with ISA 2006, use configuration, Branch Office Security with ISA 2006, BITS Caching Functionality of ISA Server, new DFS Replication (DFS-R) Functionality in Windows Server 2003 R2, Internet Access Protection with ISA 2006, and Flood Resiliency Functionality of ISA Server.
After completing this lab, you will be better able to create an IAG portal Web site, add Microsoft Office Outlook Web Access to the IAG portal Web site, configure endpoint policies, add a non-Web application to the SSL-based portal Web site, and configure a Secure Sockets Layer virtual private network (SSL VPN) connection using the IAG Network Connector.
This online clinic provides students with knowledge and skills essential for the creation of applications with enhanced security. Students will learn about the need for implementing security at every stage of the development process and best practices for applying security principles. Students will also learn how to use established threat-modeling methodologies and tools with other best practices to minimize vulnerabilities and limit damage from attacks. Finally, students will learn how to implement security features to enhance security for Web applications and Web services that are built by using Microsoft ASP.NET.

Upcoming Security Webcasts
Wednesday, October 3, 11:00 AM Pacific Time
Kapil Tandon, Senior Product Manager, Microsoft Corporation
Find upcoming security webcasts in a dynamic, interactive format.
For IT Professionals
TechNet Webcast: Technical Overview of Forefront Security for Exchange Server (Level 200)
Friday, September 14, 9:30 - 11:00 AM Pacific Time
Matthew Hester, IT Pro Evangelist, Microsoft Corporation
TechNet Webcast: Deploying Forefront Client Security (Part 2 of 2) (Level 200)
Wednesday, September 19, 11:30 AM - 1:00 PM Pacific Time
Chris Avis, IT Pro Evangelist, Microsoft Corporation
TechNet Webcast: Security and Enterprise Features of System Center Operations Manager 2007 (Level 200)
Wednesday, September 26, 9:30 AM Pacific Time
John Baker, IT Pro Evangelist, Microsoft Corporation
TechNet Webcast: Securing and Tuning Internet Information Services 7.0 (Level 300)
Tuesday, October 9, 11:30 AM Pacific Time
Wade Hilmo, Senior Development Lead, Microsoft Corporation
TechNet Webcast: Information About Microsoft October Security Bulletins (Level 200)
Wednesday, October 10, 11:00 AM Pacific Time
Christopher Budd, Security Program Manager, Microsoft Corporation, and Mike Reavey, Group Manager MSRC, Microsoft Corporation
For Developers
Microsoft On-Demand Webcasts
TechNet Webcast: Overview of Microsoft Edge Secure Access Technologies (Level 200)
From proxy to tunneling, Microsoft Internet Security and Acceleration (ISA) Server 2006 and Intelligent Application Gateway (IAG) 2007 facilitate and secure remote access for enterprises and small businesses alike. In this webcast, we explore the architecture of both solutions in detail, analyzing each feature and describing how the technologies dive into packet flow. Learn how both ISA Server and IAG can provide secure, remote access. We examine real-world scenarios to see how ISA Server and IAG can deliver comprehensive solutions for any customer's needs.
TechNet Webcast: Overview of Forefront Edge Secure Access Technologies (Level 300)
From proxy to tunneling, Microsoft Forefront edge security and access products -- Microsoft Internet Security and Acceleration (ISA) Server 2006 and Intelligent Application Gateway (IAG) 2007 -- facilitate and secure remote access for enterprises and small businesses alike. In this webcast, we explore the architecture of both solutions in detail, analyzing each feature and describing how the technologies dive into packet flow. Learn how both ISA Server and IAG can provide secure, remote access. Join us as we examine real-world scenarios to see how ISA and IAG can deliver comprehensive solutions for any customer's needs.
TechNet Webcast: How to Define and Configure Endpoint Security Policies with the Intelligent Application Gateway (Level 300)
As security and compliance regulations require more in-depth information, many organizations are turning their focus from who is accessing to where they are accessing from. Given today’s proliferation of connectivity, this question is not a networking issue, but rather an understanding of a client computer’s statement of health. In this webcast, we discuss real customer examples of how endpoint security is defined and configured on an IAG 2007 solution.

Security Newsletter
Volume 4, No. 9

September 2007
Security Program Guide
Microsoft Security Awareness Toolkit
Guidance, samples, and templates for creating a security-awareness program in your organization.
Learn Security On the Job
Learning Paths for Security - Microsoft Training References and Resources
Upcoming Chats
Free In-Person Events
TechNet Events
Security Blogs
Michael Howard
Eric Lippert
Eric Fitzgerald
Steve Lamb
Jeff Jones
Windows Vista Security
User Account Control Team
Solution Accelerators - Security & Compliance
Kai Axford
Security Newsgroups
General Security issues/questions
Virus issues/questions
ISA Server
Windows 2000: Security
Windows XP: Security Administration
SQL Server: Security
Windows Server: Security
Other Security Newsgroups
Community Web Sites
IT Pro Security Community
Security Newsgroups
Related Communities
Additional Security Resources
Security Help and Support for IT Professionals
TechNet Troubleshooting and Support Page
Microsoft Security Glossary
TechNet Security Center
MSDN Security Developer Center
Midsize Business Security Center
Sign-Up for the Microsoft Security Notification Service
Security Bulletin Search Page
Home Users: Protect Your PC
MCSE/MCSA: Security Certifications
Subscribe to TechNet
Register for TechNet Flash IT Newsletter
Subscribe to MSDN
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Forefront, MSDN, Outlook, Visio, Windows, Windows Media, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe, and manage all your communication preferences, at the Microsoft communication preferences site.

This newsletter was sent by the Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA