Microsoft Security Newsletter - August 2015
Welcome to August's Security Newsletter!
In this month's newsletter, we are focusing on network security. We have a great security tip article written by Tom Shinder on "Locking down network access to virtual machines on Azure Virtual Networks." You'll also see information about Azure Network Security Groups, the new networking features coming in Windows Server 2016, and networking best practices for Windows Server 2012 R2.
And don't forget that Windows 10 is now available! Hurry to take advantage of
https://www.microsoft.com/en-us/windows/windows-10-upgrade
the free Windows 10 Home and Windows 10 Pro upgrade offer for those of you on Windows 7 or Windows 8.1. For enterprise customers looking to evaluate Windows 10, please download the
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise Windows 10 Enterprise Evaluation to try Windows 10 Enterprise free for 90 days.
Best regards,
Tim Rains, Chief Security Advisor
Cybersecurity & Cloud Strategy, Microsoft
Want to share this newsletter with a friend or colleague?
https://technet.microsoft.com/en-us/security/cc307424.aspx
Click here for the online edition and subscription options.
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.
Top Stories
http://blogs.microsoft.com/cybertrust/2015/08/10/cloud-security-controls-series-encrypting-data-in-transit/
Cloud Security Controls Series: Encrypting Data in Transit
Learn why, whether you store and process data on-premise, in the cloud, or use a combination of both, it is important to protect that data when it is transmitted across networks to information workers, partners and customers.
Security Guidance
https://technet.microsoft.com/security/mt450419.aspx
Security Tip of the Month: Lock Down Network Access to Virtual Machines on Azure Virtual Networks
By Tom Shinder, Program Manager, Microsoft Azure Security Engineering
When you
http://azure.microsoft.com/en-us/services/virtual-machines/
run virtual machines in Azure Infrastructure as a Service (IaaS), there are a number of things you can do from a network perspective to lock down your installation. The good news is that network security on Microsoft Azure has a lot in common with the network security concepts and implementation that you use on premises. The trick is to know the names of the relevant features and services in Azure and map them to what you already know.
Here are three tips that you might find useful when thinking about network security for your IaaS virtual machines in Azure.
Control endpoint access
Virtual machines located on an
http://azure.microsoft.com/en-us/services/virtual-network/
Azure Virtual Network can be configured as "endpoints". When you configure a virtual machine to be an endpoint, you make it possible for devices located on the Internet or on other Azure Virtual Networks to connect to the virtual machine.
For example, if you configured a virtual machine to be a web server and you wanted users located on the Internet to reach that virtual machine, you would configure that virtual machine to be an "endpoint" that's reachable through HTTP or HTTPS.
When you use the "classic"
https://manage.windowsazure.com/
Azure Portal and create a new virtual machine with the graphical interface, you'll notice that there are default endpoints offered to you. These allow access to the virtual machine for Remote Desktop, Windows PowerShell Remoting, and Secure Shell (SSH). If you want to allow per virtual machine access using these protocols, that's fine. But if you don't, make sure that you disable endpoint access for these protocols.
You can learn a lot about endpoints and how to configure or disable them by reading
https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/
How to set up endpoints to a virtual machine.
Use point-to-site VPN for management
When you allow endpoint access to virtual machines for the purpose of managing them, you still have to authenticate. You'll use credentials that are appropriate to the virtual machine you're connecting to. If the machine is domain joined, you might use domain credentials. If the machine is standalone, then you'll be using local credentials.
A more secure method for remote management would be to remove the management endpoints and use a
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-cross-premises-options/#point-to-site-connections
point-to-site VPN connection from your management workstation to connect to the Azure Virtual Network. While the name "point-to-site" might be new to you if you're a virtual networking veteran, rest assured that it's nothing more than a remote access client VPN connection to the Azure Virtual Network, no different than the remote access VPN client connections enterprises have been using for years. The VPN protocol uses the
https://technet.microsoft.com/en-us/library/dd349022(v=ws.10).aspx
Secure Socket Tunneling Protocol (SSTP), which uses HTTPS as its transport and allows the connection to traverse firewalls and web proxies that allow outbound HTTPS (SSL/TLS).
The reason why this is considered more secure is that you have to authenticate to the VPN gateway at the edge of the Azure Virtual Network before you're allowed access to the virtual machines on that network. For the point-to-site connection, certificate-based authentication is used. This means that in order to reach the VMs for management, you have to authenticate twice, using two different authentication methods:
- First, you need to authenticate with the Azure VPN gateway using certificate-based authentication.
- After you are authorized and allowed access to the network, you need to authenticate with the virtual machines you want to manage, using your preferred management protocol (RDP, SSH or Remote PowerShell):
  https://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx
  https://en.wikipedia.org/wiki/Secure_Shell
  http://blogs.technet.com/b/heyscriptingguy/archive/2011/11/17/learn-how-to-manage-remote-powershell-sessions.aspx
For more information on Azure point-to-site configuration, check out
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-cross-premises-options/
About secure cross-premises connectivity for virtual networks.
Segment your network based on roles and use Network Security Groups
Network segmentation is standard practice on-premises and you can do the same on Azure Virtual Networks. When you create an Azure Virtual Network, you're asked for an address space. After you define the address space, you can subnet it. You can reduce your operational overhead and improve security (by reducing complexity) by assigning network-based roles to your subnets.
For example, you might want to put all your web front-ends in the same subnet. This allows you to simplify network access controls by allowing only HTTP/HTTPS to servers on that subnet (although you might want to also allow protocols for management traffic). When you add more front-end virtual machines to the subnet, you don't need to change your network access controls.
This raises the question "how do I enforce network access controls to and from Azure Virtual Network subnets?"
The answer is Network Security Groups. You can think of a Network Security Group as a type of stateful packet inspection network device, where you can create up to 200 network access control rules. Rules can be created to control inbound and outbound traffic to and from a virtual machine or all virtual machines on an Azure Virtual Network subnet. Using the example in the previous paragraph, you can create a Network Security Group with a rule that allows inbound access to HTTP/HTTPS for your web front-end virtual machine subnet.
The article
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/ What is a Network Security Group (NSG)? has a ton of excellent information on how to use Network Security Groups. For a comprehensive view on all things related to security on Azure networks, download the
http://download.microsoft.com/download/C/A/3/CA3FC5C0-ECE0-4F87-BF4B-D74064A00846/AzureNetworkSecurity_v3_Feb2015.pdf
Azure Network Security guide.
Stay up to date with what's happening in Azure Security by visiting the
http://blogs.msdn.com/b/azuresecurity/
Azure Security Blog. Thanks! -Tom
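The three tips above, as an added example that is not part of Tom's article or of the newsletter: a script for the classic (Azure Service Management) Azure PowerShell module of 2015 that removes the default management endpoints from a web front-end VM, builds a Network Security Group for the front-end subnet that admits only HTTP/HTTPS from the Internet and RDP only from the point-to-site VPN client address pool, and associates the NSG with the subnet. The cloud service, VM, VNet, subnet and NSG names, the region and both address ranges are placeholders, and the point-to-site gateway is assumed to be configured already as described in the linked cross-premises article.

```powershell
# Added example (not from the newsletter or Tom Shinder's article). Uses the
# classic (Azure Service Management) Azure PowerShell module; run
# Add-AzureAccount and Select-AzureSubscription first.
# Every name and address range below is a placeholder, not a real deployment.

$serviceName   = 'contoso-web-svc'    # cloud service that hosts the VM (assumed)
$vmName        = 'web01'              # VM name (assumed)
$vnetName      = 'ContosoVNet'        # virtual network name (assumed)
$subnetName    = 'FrontEndSubnet'     # subnet holding the web front-ends (assumed)
$nsgName       = 'FrontEndNSG'        # NSG name (assumed)
$location      = 'West US'            # must match the VNet's region (assumed)
$vpnClientCidr = '172.16.201.0/24'    # point-to-site client address pool (assumed)

# --- Tip 1: remove the default management endpoints -------------------------
# The classic portal offers 'Remote Desktop' and 'PowerShell' endpoints for new
# Windows VMs ('SSH' for Linux). Each one exposes that protocol on the cloud
# service's public VIP, so drop them and manage the VM over the VPN instead.
$mgmtEndpointNames = @('Remote Desktop', 'PowerShell', 'SSH')
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
$mgmtEndpoints = $vm | Get-AzureEndpoint | Where-Object { $mgmtEndpointNames -contains $_.Name }
foreach ($ep in $mgmtEndpoints) {
    # Remove-AzureEndpoint returns the modified VM configuration; keep it so
    # successive removals accumulate before a single Update-AzureVM call.
    $vm = $vm | Remove-AzureEndpoint -Name $ep.Name
}
if ($mgmtEndpoints) { $vm | Update-AzureVM }

# --- Tip 3: one NSG for the whole front-end subnet --------------------------
# Rules are evaluated lowest priority number first; the built-in defaults
# (allow VNet, allow Azure load balancer, deny all inbound) sit at 65000+.
New-AzureNetworkSecurityGroup -Name $nsgName -Location $location -Label 'Web front-end subnet' | Out-Null

# Helper (ours, not an Azure cmdlet): add one inbound TCP rule to the NSG.
function Add-InboundRule {
    param([string]$Name, [int]$Priority, [string]$Action, [string]$Source, [string]$Port)
    Get-AzureNetworkSecurityGroup -Name $nsgName |
        Set-AzureNetworkSecurityRule -Name $Name -Type Inbound -Priority $Priority -Action $Action `
            -SourceAddressPrefix $Source -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange $Port -Protocol TCP | Out-Null
}

# Public web traffic only. 'INTERNET' is the classic NSG default tag.
Add-InboundRule -Name 'Allow-HTTP-In'  -Priority 100 -Action Allow -Source 'INTERNET' -Port '80'
Add-InboundRule -Name 'Allow-HTTPS-In' -Priority 110 -Action Allow -Source 'INTERNET' -Port '443'

# Tip 2 meets tip 3: management only from point-to-site VPN clients, which
# reach the VNet with an address from the client pool after the
# certificate-based gateway authentication has already succeeded.
Add-InboundRule -Name 'Allow-RDP-From-VPN' -Priority 200 -Action Allow -Source $vpnClientCidr -Port '3389'

# Explicit deny for RDP from the Internet. The default DenyAllInbound rule at
# 65500 already blocks it, but a deny at 500 also wins over any broad allow
# rule someone later adds with a higher priority number.
Add-InboundRule -Name 'Deny-RDP-From-Internet' -Priority 500 -Action Deny -Source 'INTERNET' -Port '3389'

# Apply to the subnet: every current and future VM in it inherits the rules,
# so adding another front-end later needs no change to the access controls.
Get-AzureNetworkSecurityGroup -Name $nsgName |
    Set-AzureNetworkSecurityGroupToSubnet -VirtualNetworkName $vnetName -SubnetName $subnetName

# Verify: -Detailed lists the user rules together with the default rules.
Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed
```

The check worth running afterwards is the last command: the user rules should appear above the default rules in priority order, and the management endpoints should no longer be listed by `Get-AzureEndpoint`. The rule names, the priority numbers and the placeholder client pool are choices made for this example, not values taken from the article.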
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/ What is a Network Security Group (NSG)?
You can use an NSG to control traffic to one or more virtual machine instances in your virtual network. A network security group is a top level object that is associated to your subscription. An NSG contains access control rules that allow or deny traffic to virtual machine instances. The rules of an NSG can be changed at any time, and changes are applied to all associated instances. Learn how to associate NSGs, find planning and design considerations, then get PowerShell cmdlets to help you create, configure, and manage your NSGs.
https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-multi-site/
Connect Multiple On-premises Sites to a Virtual Network
Connecting multiple on-premises sites to a single virtual network is especially attractive for building hybrid cloud solutions. In fact, creating a multi-site connection to your Azure virtual network gateway is very similar to creating other site-to-site connections. Get step-by-step instructions on how to create your virtual network and gateway, and verify your connections.
https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-configure-vnet-to-vnet-connection/
Configure a VNet-to-VNet connection in the Azure Portal
Connecting a virtual network to another virtual network (VNet-to-VNet) is very similar to connecting a virtual network to an on-premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. The VNets you connect can be in different subscriptions and different regions. You can even combine VNet to VNet communication with multi-site configurations. This lets you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity. Learn how to connect virtual networks together in the classic deployment mode by using a combination of the Azure Portal and Windows PowerShell.
https://technet.microsoft.com/library/dn823752.aspx
What's New in Networking in Windows Server 2016 Technical Preview
Explore the new networking technologies in Windows Server 2016 Technical Preview, such as GRE tunneling, Network Controller, and the enhancements to DHCP, DNS, IPAM, and Hyper-V Network Virtualization.
https://technet.microsoft.com/evalcenter/dn781243.aspx (Windows Server 2016 Technical Preview)
https://technet.microsoft.com/en-us/library/dn765485.aspx (GRE tunneling)
https://technet.microsoft.com/en-us/library/dn859239.aspx (Network Controller)
https://technet.microsoft.com/en-us/library/mt282165.aspx
Deploy Network Controller using Windows PowerShell
Get instructions on using Windows PowerShell to deploy Network Controller on one computer or virtual machine running Windows Server 2016 Technical Preview.
https://technet.microsoft.com/en-us/library/dn641937.aspx
Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
Learn how to use Windows PowerShell to deploy RRAS as a virtual machine-based software gateway and router that allows cloud service providers (CSPs) and enterprises to enable datacenter and cloud network traffic routing between virtual and physical networks, including the Internet. Looking for more information on Windows Server Gateway? See the
https://technet.microsoft.com/en-us/library/dn313101.aspx
Windows Server Gateway documentation in the TechNet Library.
http://www.microsoft.com/en-us/download/details.aspx?id=39284
Windows Server 2012 R2 Hyper-V Network Virtualization with System Center 2012 R2 VMM
If you're using System Center Virtual Machine Manager (SC VMM), you can use SC VMM to deploy Windows Server Gateway; however even if you are using SC VMM, you can manage the gateway with the same Windows PowerShell commands that are used for the RRAS Multitenant Gateway. Learn how by downloading this test lab guide.
Community Update
http://social.technet.microsoft.com/wiki/contents/articles/29707.secure-your-network-connection-by-using-your-own-private-vpns-hosted-in-azure.aspx
Secure Your Network Connection By Using Your Own Private VPNs Hosted In Azure
Walk through the steps necessary to create a virtual machine hosted in one of Azure's data centers so that all your Internet traffic goes through a secure VPN tunnel to the datacenter.
This Month's Security Bulletins
August 2015 Security Bulletins
Critical
- MS15-079 (KB3082442): Cumulative Security Update for Internet Explorer
  https://technet.microsoft.com/library/security/MS15-079
- MS15-080 (KB3078662): Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution
  https://technet.microsoft.com/library/security/MS15-080
- MS15-081 (KB3080790): Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  https://technet.microsoft.com/library/security/MS15-081
- MS15-091 (KB3084525): Cumulative Security Update for Microsoft Edge
  https://technet.microsoft.com/library/security/MS15-091
- MS15-093 (KB3088903): Security Update for Internet Explorer
  https://technet.microsoft.com/library/security/MS15-093
Important
- MS15-082 (KB3080348): Vulnerabilities in RDP Could Allow Remote Code Execution
  https://technet.microsoft.com/library/security/MS15-082
- MS15-083 (KB3073921): Vulnerability in Server Message Block Could Allow Remote Code Execution
  https://technet.microsoft.com/library/security/MS15-083
- MS15-084 (KB3080129): Vulnerabilities in XML Core Services Could Allow Information Disclosure
  https://technet.microsoft.com/library/security/MS15-084
- MS15-085 (KB3082487): Vulnerability in Mount Manager Could Allow Elevation of Privilege
  https://technet.microsoft.com/library/security/MS15-085
- MS15-086 (KB3075158): Vulnerability in System Center Operations Manager Could Allow Elevation of Privilege
  https://technet.microsoft.com/library/security/MS15-086
- MS15-087 (KB3082459): Vulnerability in UDDI Services Could Allow Elevation of Privilege
  https://technet.microsoft.com/library/security/MS15-087
- MS15-088 (KB3082458): Unsafe Command Line Parameter Passing Could Allow Information Disclosure
  https://technet.microsoft.com/library/security/MS15-088
- MS15-089 (KB3076949): Vulnerability in WebDAV Could Allow Information Disclosure
  https://technet.microsoft.com/library/security/MS15-089
- MS15-090 (KB3060716): Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege
  https://technet.microsoft.com/library/security/MS15-090
- MS15-092 (KB3086251): Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
  https://technet.microsoft.com/library/security/MS15-092
August 2015 Security Bulletin Resources:
- August 2015 Bulletin Release Blog Post
  http://blogs.technet.com/b/msrc/archive/2015/08/11/august-2015-security-update-release-summary.aspx
- Malicious Software Removal Tool: August 2015 Update
  http://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx
Security Events and Training
https://channel9.msdn.com/Series/Networking-Fundamentals/08
Networking Fundamentals: Defining Network Infrastructure and Network Security
Once you have a good understanding of local area networking, defining networks with the OSI model, wired and wireless networks, Internet Protocol, implementing TCP/IP in the command line, working with networking services, and wide area networks, find out how to use your knowledge to build a functional, secure network. This session will also help you understand networking outside the LAN, as well as security devices and zones.
Earlier sessions in the series:
http://channel9.msdn.com/series/Networking-Fundamentals/01 (local area networking)
http://channel9.msdn.com/series/Networking-Fundamentals/02 (defining networks with the OSI model)
http://channel9.msdn.com/series/Networking-Fundamentals/03 (wired and wireless networks)
http://channel9.msdn.com/series/Networking-Fundamentals/04 (Internet Protocol)
http://channel9.msdn.com/series/Networking-Fundamentals/05 (implementing TCP/IP in the command line)
http://channel9.msdn.com/series/Networking-Fundamentals/06 (working with networking services)
http://channel9.msdn.com/series/Networking-Fundamentals/07 (wide area networks)
https://www.microsoftvirtualacademy.com/en-us/training-courses/azure-networking-fundamentals-for-it-pros-8917
Azure Networking Fundamentals for IT Pros
Need guidance on configuring Azure multi-site virtual private networks (VPNs)? This course provides a general overview of networking in Azure, and covers all the steps required to set up VPNs in Azure. Explore deployment planning, connectivity testing, monitoring, and more.
Essential Tools
- Microsoft Security Bulletins: http://technet.microsoft.com/security/bulletin
- Microsoft Security Advisories: http://technet.microsoft.com/security/advisory
- Microsoft Security Development Lifecycle Starter Kit: http://www.microsoft.com/security/sdl/adopt/starterkit.aspx
- Enhanced Mitigation Experience Toolkit: http://support.microsoft.com/kb/2458544
- Malicious Software Removal Tool: http://www.microsoft.com/security/pc-security/malware-removal.aspx
- Microsoft Baseline Security Analyzer: http://technet.microsoft.com/security/cc184924.aspx
Security Centers
- Security TechCenter: http://technet.microsoft.com/security
- Security Developer Center: http://msdn.microsoft.com/security
- Microsoft Security Response Center: http://www.microsoft.com/security/msrc/default.aspx
- Microsoft Malware Protection Center: http://www.microsoft.com/security/portal/
- Microsoft Privacy: http://www.microsoft.com/privacy
- Microsoft Security Product Solution Centers: http://support.microsoft.com/select/default.aspx?target=hub&c1=10750
Additional Resources
- Microsoft Cybertrust Blog: http://blogs.microsoft.com/cybertrust/
- Microsoft Azure Security Blog: http://blogs.msdn.com/b/azuresecurity/
- Microsoft Security Intelligence Report: http://www.microsoft.com/security/sir
- Microsoft Security Development Lifecycle: http://www.microsoft.com/security/sdl
- Malware Response Guide: http://technet.microsoft.com/library/cc162838.aspx
- Security Troubleshooting and Support Resources: http://technet.microsoft.com/security/bb980617.aspx
technet.microsoft.com/security
This is a monthly newsletter for IT professionals and developers, bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
(c) 2015 Microsoft Corporation
Terms of Use: http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Copyright/default.aspx
Trademarks: http://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/en-us.aspx
Microsoft respects your privacy. To learn more please read our online Privacy Statement: http://go.microsoft.com/fwlink/?LinkId=248681
If you would prefer not to receive the Microsoft Security Newsletter from Microsoft and its family of companies, click here:
http://click.email.microsoftemail.com/m_hcp.aspx?qs=0bb7f39debca1b0ad10fb2e924b6311d344a0079e5cc587f4d16330b7c3cc8e7aa3d48879950d85d33a47e9a9586dfefd285dcac31618dc84856723b79aad9dc141ac1b2d1ff65f5658655cd5a21e807165d187314f8b635&oneClick=newsletter
These settings will not affect any other newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services.
To set your contact preferences for other Microsoft communications, click here:
http://click.email.microsoftemail.com/m_hcp.aspx?qs=0bb7f39debca1b0ad10fb2e924b6311d344a0079e5cc587f4d16330b7c3cc8e7aa3d48879950d85d33a47e9a9586dfefd285dcac31618dc84856723b79aad9dc141ac1b2d1ff65f5658655cd5a21e807165d187314f8b635
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052 USA