|
Hello,
Welcome to the October Microsoft UK Security Newsletter
Congratulations to Phil Gillespie, Network Support Supervisor at Newman Business Solutions who was the winner of the Creative Zen player in the survey prize draw. If you are interested in what your fellow readers said then click here to visit Steve Lamb's blog where the results are posted. We had 76 responses which was more than the 50 I had expected so thank you! As I mentioned last time the feedback was generally pretty good so we won't be changing too much. There were some requests for more developer-focused content so we will look to include more as we move forward. Thanks again, and don't wait for surveys to give me feedback – you can email me at any time on phil.cross@microsoft.com.
I did notice an interesting article on the BBC news website which describes something I am sure most of us would not do but... a Cisco VPN box was sold on eBay for 99p and, when the buyer turned it on, it immediately connected to a local authority's internal network using the settings that a partner had configured a few years earlier when they managed the network! Disposal of equipment is an area we may do more on if this is of interest – let me know.
I have started to add more local content in the form of UK partner info and a white paper from a UK partner as, even though security is a global issue, there are lots of resources and people here in the UK who can help you. In the same vein we have negotiated a 10% discount on the London CyberCrime(TM) Security Forum 08, organised by Global Knowledge. Just quote 'Cyber10' when booking.
If you would like to receive less technical security news, guidance and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
Kind regards,
Phil Crossphilcr@microsoft.com
+44 (0) 118 909 3306
Ed Gibson's Feature Article
Windows Vista may be more secure but it is confusing
|
|
On 23 October 2008 Microsoft announced an Out-of-Band Security Update. This simply means that Microsoft has determined this security update needs to be applied NOW rather than wait to distribute it during the routine second Tuesday of the month security update cycle. Some will say this is "just another example of Microsoft not building secure products at the outset". Let me dispel that myth! But for miscreants, criminals and state-sponsored activities we wouldn't need to worry so much about security. Let me be very clear, there are people in this world who dedicate their lives to breaking systems; and they only need to get it right once. Microsoft needs to get it right every time, but despite our creative efforts to develop the best possible products which includes building in from the ground up security measures to defend against the most powerful attacks, someone will still find a way in. We know that and are prepared for such eventuality; thus an out-of-band security update. You can feel confident that Microsoft is your trusted provided of processes and technology; and I stand with you to help insure just that.
To find out more and download the update click here.
EDWARD P GIBSON
Chief Security Advisor
Microsoft Ltd UK EdGibson@Microsoft.com
Viewpoint
|
|
By Steve Riley, Senior Security Strategist, Microsoft Trustworthy Computing
In this article, Steve Riley outlines four classes of access requests, the usage scenarios related to each, and the kinds of information that should be made available to each class in order to help you understand the client security responsibilities associated with the ongoing quest to provide 'anywhere access'.
|
Top Stories
|
|
Wouldn't it be great if you had a report created for your business that detailed specific actions you should take to further secure your IT environment? Wouldn't it be great if that report was built from an assessment of your current security requirements cross-checked against an assessment of your current security investments? Wouldn't it be great if there was a free tool to do this? Guess what…? The Microsoft Security Assessment Tool (MSAT) is that free tool. We've just released a new version (v4) with a new UI and a new extended report. Download MSAT here.
|
|
|
This white paper, from Oxford Computer Group explores many of the business drivers for a Microsoft-centric Certificate and Card Management System (CCMS), a term coined to describe the conjoined capabilities of Active Directory Certificate Services and Identity Lifecycle Manager. It explores the challenges and opportunities of implementing a CCMS solution from the perspectives of design, implementation, operations, etc.
|
|
|
Identity theft is not only a threat faced by consumers but also a significant concern for organisations as they handle growing volumes of personally identifiable information (PII) and use it in more diverse ways. This paper outlines a set of near-term tactics for mitigating online identity theft as well as a longer-range strategic vision for fundamentally 'changing the game' with regard to how people assert their identity on the Internet and how such identity claims are verified by other parties during an online interaction or transaction.
|
|
|
As part of its commitment to make the Security Development Lifecycle (SDL) available to every developer, Microsoft is delivering three new SDL programmes and tools in November 2008: the SDL Pro Network, the SDL Optimisation Model, and the Microsoft SDL Threat Modelling Tool. These offerings will enable the industry to create more secure and privacy-enhanced technology for an online world. Learn more about these programmes or watch a demo about the SDL Threat Modelling Tool.
|
|
|
UrlScan version 3.0 is a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) 6.0 will process. UrlScan screens all incoming requests to the server by filtering the requests by rules that are set by the administrator. Filtering the requests helps secure the server by ensuring that only valid requests are processed.
|
|
|
Check out J. D. Meier's overview of the patterns & practices approach to security engineering, which covers – among other topics – the security frame used to perform security code and design inspections.
|
Security Guidance
|
|
How do you know who is accessing what in your IT environment? This vital question is often faced by security administrators, and many IT organisations have challenges identifying and understanding patterns of client access to enterprise resources. This article offers some quick tips and tools to help you understand which users or system accounts have access to which resources, and when.
|
|
|
This collection of software components and guidance helps you configure a compliance health policy for computers that run Microsoft Forefront Client Security. Network administrators can use this kit to assess the health of these computers before they are granted network access. If a computer is not compliant with the health policy for Forefront Client Security, it can be isolated to a restricted network until it is properly remediated.
|
|
|
This guide provides you with specific recommendations and automated tools to help strengthen the security of desktop and laptop computers running Windows Vista in a domain with the Active Directory service. You'll also learn how to use the GPOAccelerator tool that accompanies the guide to help you automatically deploy security settings in minutes instead of hours.
|
|
|
Benefit from tested guidance and powerful tools to help you protect your most vulnerable information – the data residing on your laptops. This toolkit shows you how to use two key encryption technologies: BitLocker Drive Encryption, which is included with specific versions of Windows Vista, and the Encrypting File System, which is included with Windows XP Professional and Windows Vista.
|
|
|
This toolkit provides you with best practices to plan, deploy, monitor and remediate a security baseline for your organisation. It also offers a proven method that you can use to effectively monitor the compliance state of a security baseline for Windows Vista, Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP2.
|
|
|
In this podcast, Paul Cooke, Director in the Windows Client division specialising in security, discusses BitLocker Drive Encryption, and how it has been extended in Windows Vista SP1.
|
|
|
Learn how to effectively use the new Group Policy objects in Windows Vista to improve manageability and strengthen security with this podcast by Derek Melber, author, IT consultant and Microsoft MVP for Group Policy.
|
UK Partners
|
|
Wordfish is a specialist security partner combining the experience of more than 20 years in the IT industry. WordFish employees have previously worked for major blue-chip organisations such as BT and Norwich Union and delivered multi-million pound solutions. Recent clients include the BBC, the Cabinet Office and the MoD (working on behalf of Fujitsu).
Wordfish has extended the capabilities of IAG using its built-in filtering capabilities to create custom policy-based application optimisers that can strip out confidential information from everyday web applications such as Outlook Web Access and MOSS. This unique feature allows organisations to reduce the risk of data leakage when delivering fully functional applications to their end users.
|
This Month's Security Bulletins
Critical
Important
Moderate
Microsoft Product Lifecycle Information
Security Events and Training
|
|
Delve into Windows Vista secure deployment strategies, configurations and best practices with Mark Russinovich and a panel of Microsoft MVPs and IT pros from multiple industries.
|
|
|
Learn how to help keep your security environment operational and effective even during a disaster. Use the resources in this learning path to help you lock down your infrastructure and harden security to prevent PC and desktop disruption.
|
|
|
Tuesday 2 and Wednesday 3 December
Odeon Leicester Square, London
Identity theft may not be your fault, but it could be your problem. At the CyberCrime Security Forum 2008, the Global Knowledge team will help you understand the threats of social engineering and hacker methodologies. The speakers will explain considerations and tools you can use to see whether you have been hacked and how to prevent future occurrences. For more detail on the CyberCrime Security Forum 08 and to register, please visit http://www.globalknowledge.co.uk/cybercrime. There's a 10% discount on the event for Security Newsletter subscribers – just quote 'Cyber10' when contacting Global Knowledge.
|
Upcoming Security Webcasts (available on demand if date has passed)
|
|
Upcoming security webcasts in a dynamic, interactive format.
|
For IT Professionals
For Developers
MSDN Webcast: BenkoTIPS Live and On-Demand: 10 Ways Your Applications Can Be More Secure on Windows Vista (Level 100)
Wednesday, 22 October, 7:00 p.m. BST Mike Benkovich, Developer Evangelist, Microsoft CorporationMSDN Webcast: More Secure Online Services Powered by the Microsoft Security Development Lifecycle (Level 300)
Friday, 31 October, 5:00 p.m. GMT Bryan Sullivan, Security Programme Manager, Microsoft CorporationMSDN Webcast: Convincing Management: The Business Case for Adding Security to the Development Life Cycle (Level 200)
Monday, 3 November, 6:00 p.m. GMT Joe Stagner, Senior Programme Manager, Microsoft CorporationMSDN Webcast: Security Development Lifecycle: Building an Intentionally Secure Development Process (Level 200)
Monday, 10 November, 6:00 p.m. GMT Joe Stagner, Senior Programme Manager, Microsoft Corporation
Microsoft On-Demand Webcasts
|
