Microsoft Security Newsletter - April 2014
Trustworthy Computing | April 2014
Welcome to April’s Security Newsletter!
Our newsletter this month focuses on guidance and tips for organizations that decide to embrace personal devices in the workplace, commonly referred to as Bring Your Own Device, or BYOD, scenarios. As recent research (http://blogs.technet.com/b/security/archive/2013/07/10/trust-in-computing-survey-part-i-consumerization-of-it-goes-mainstream.aspx) has illustrated, 78% of organizations are allowing employees to bring their own device to the office for work purposes. While the benefits such as cost savings and the adoption of newer technology are clear, BYOD scenarios can also raise important security and compliance considerations. Organizations that embrace a BYOD approach are faced with decisions such as which devices will be allowed, what kind of support will be provided, and what kind of security measures will be needed.
At Microsoft, a company with over 100,000 employees immersed in technology, embracing BYOD while continuing to meet enterprise security requirements is a challenge. What we have learned over the years, though, is that having a principled approach that leverages effective standards and practices is essential to managing risk. For example, providing conditions for accessing corporate resources based on the trustworthiness of the device and identity used can help determine the level of access provided.
In this fast-moving technology market, BYOD scenarios are quickly becoming a reality for many organizations. In fact, 67% of employees in small and medium businesses indicate that they use their personal devices in the workplace regardless of whether or not their company has practices in place (http://blogs.technet.com/b/security/archive/2012/07/26/byod-is-it-good-bad-or-ugly-from-the-user-viewpoint.aspx). If your organization has not already embraced BYOD, are you prepared?
Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.
Top Stories
http://blogs.technet.com/b/trustworthycomputing/archive/2014/04/15/the-evolving-pursuit-of-privacy.aspx
The Evolving Pursuit of Privacy
As technology and our reliance on data to enable rich services continue to evolve, we must also evolve how we think about data and the ways in which societies can protect the privacy of individuals, while also allowing for responsible, beneficial data use. Explore what Scott Charney, Corporate Vice President of Trustworthy Computing, had to say on this topic and see "We’re listening: Additional steps to protect your privacy" (http://blogs.technet.com/b/microsoft_on_the_issues/archive/2014/03/28/we-re-listening-additional-steps-to-protect-your-privacy.aspx) for information on some of the steps Microsoft takes to protect the privacy of its customers.
http://blogs.technet.com/b/security/archive/2014/04/10/technet-radio-it-time-the-risk-of-running-windows-xp-after-support-ends2.aspx
TechNet Radio: The Risk of Running Windows XP After Support Ends
In addition to his blog post entitled "Cyber threats to Windows XP and guidance for Small Businesses and Individual Consumers" (http://blogs.technet.com/b/security/archive/2014/03/24/cyber-threats-to-windows-xp-and-guidance-for-small-businesses-and-individual-consumers.aspx), Tim Rains joined the hosts of TechNet Radio's IT Time series to discuss the many security risks that end users open themselves and their organizations to by continuing to run Windows XP. Guidance and resources for those looking to migrate their business PCs to a modern operating system, like Windows 8.1, can be found on the Windows XP End of Support page (http://www.microsoft.com/en-us/windows/enterprise/end-of-support.aspx) and on TechNet (http://technet.microsoft.com/windows/bb264763.aspx?ocid=wc-nl-secnews).
http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx
Microsoft Services Unaffected by OpenSSL "Heartbleed" Vulnerability
On April 8, 2014, security researchers announced a flaw in the OpenSSL encryption software library used by many websites to protect customers’ data. The vulnerability, known as “Heartbleed,” could potentially allow a cyberattacker to access a website’s customer data along with traffic encryption keys. After a thorough investigation, we determined that Microsoft Services are not impacted by the OpenSSL “Heartbleed” vulnerability. In addition, Windows’ implementation of SSL/TLS was not impacted.
Security Guidance
http://blogs.msdn.com/b/sdl/archive/2014/04/15/introducing-microsoft-threat-modeling-tool-2014.aspx
Security Tip of the Month: Reduce Risk and Identify Vulnerabilities with the Microsoft Threat Modeling Tool 2014
Threat modeling is a systematic way to find design-level security and privacy weaknesses in the systems, software, and services you build and operate—for BYOD scenarios or more traditional device management scenarios. The Microsoft Threat Modeling Tool 2014 is the newest version of the free Microsoft Security Development Lifecycle (SDL) Threat Modeling Tool released back in 2011. New and improved features include:
- New drawing surface
- STRIDE analysis per interaction (http://msdn.microsoft.com/en-us/library/ff648641.aspx#c02618429_005)
- Migration for v3 threat models
- Updated threat definitions
Ready to get started? Explore each of these improvements in more detail with the Microsoft SDL Blog (http://blogs.msdn.com/b/sdl/archive/2014/04/15/introducing-microsoft-threat-modeling-tool-2014.aspx), watch a short demo (https://www.youtube.com/watch?v=G2reie1skGg), and then download Microsoft Threat Modeling Tool 2014 (http://www.microsoft.com/download/details.aspx?id=42518).
http://technet.microsoft.com/library/dn656905.aspx
Bring Your Own Device (BYOD) Design Considerations Guide
Take a deep dive into the critical design considerations that need to be addressed in order to design a BYOD infrastructure that enables employees to use their own devices while protecting your company’s data. This guide covers user and device considerations, data access and protection, management scenarios, and app considerations.
http://technet.microsoft.com/library/dn584107.aspx
Working with Web Application Proxy
Learn how to install and configure Web Application Proxy, a new remote access role service in Windows Server 2012 R2 that provides reverse proxy functionality for web applications inside your corporate network to allow users on any device to access them from outside the corporate network.
http://technet.microsoft.com/library/dn265974.aspx?ocid=wc-nl-secnews
Work Folders Overview
Find out how to enable users to store and access work files on personal computers and devices in addition to corporate PCs while maintaining control over corporate data.
http://technet.microsoft.com/library/dn280937.aspx
Manage Risk with Multi-Factor Access Control
Learn how to manage risk by using Active Directory Federation Services and multiple factors for access control, including user, device, location, and authentication data.
http://technet.microsoft.com/library/dn280945.aspx
Join to Workplace for SSO and Seamless Second Factor Authentication Across Company Applications
Find out how to utilize seamless second factor authentication and single sign-on to provide personal device users with secure access to workplace resources and applications.
http://technet.microsoft.com/windows/jj874384.aspx?ocid=wc-nl-secnews
Managing Windows 8 Devices in a Bring Your Own Device World
Quickly see how you can manage end-user owned devices running Windows 8 with this handy checklist.
http://technet.microsoft.com/library/dn736045.aspx?ocid=wc-nl-secnews
Windows RT 8.1 in the Enterprise
Find out how you can utilize and manage Windows RT 8.1 devices, whether employee-owned or company-owned, in an enterprise environment.
http://www.microsoft.com/download/details.aspx?id=42508
Windows Phone 8.1 Mobile Device Management Overview
Download a guide to help you explore the built-in mobile device management client in Windows Phone 8.1 that lets you manage handsets with the mobile device management system of your choice. Looking to test the enterprise-grade capabilities delivered by Windows Phone 8.1, including S/MIME support and enhanced virtual private network (VPN) features, in your own environment? Get the Windows Phone 8.1 Enterprise Preview (http://technet.microsoft.com/windows/dn691269.aspx?ocid=wc-nl-secnews).
http://www.microsoft.com/download/details.aspx?id=42259
Consumerization of IT at Microsoft: Adapting to Change
Learn how Microsoft IT, to effectively manage both users’ expectations and the mandates of information security, developed a programmatic approach to technology adoption, one that would foster innovation without increasing risks by introducing uncontrolled technologies. For more insight, see Microsoft Solves BYOD Using Microsoft System Center Configuration Manager and Windows Intune (http://www.microsoft.com/download/details.aspx?id=41150).
Community Update
New Security Baselines for Microsoft Security Compliance Manager
Two new security baselines for Microsoft Security Compliance Manager (SCM) (http://www.microsoft.com/download/details.aspx?id=16776), Microsoft’s popular free security and compliance tool, are now available. The first is a final, release-to-manufacturing (RTM) baseline for SQL Server 2012. The second is a beta version of the baseline for Office 2013.
As with all security baselines included in Microsoft SCM, these new baselines have been created and reviewed by Microsoft security experts and vetted by a select group of security-conscious customers as well as the Center for Internet Security (CIS). The Microsoft SCM team works closely with the CIS to ensure that both Microsoft and CIS offer clear, consistent guidance to customers on how to utilize these baselines to better secure their infrastructures.
If you are already using the latest version of Microsoft SCM, you can download the SQL Server 2012 baselines by clicking the "download Microsoft baselines automatically" link on the front page of the SCM user interface. You can also download the baseline directly:
- SQL Server 2012 Baseline (http://go.microsoft.com/fwlink/?LinkID=392581&clcid=0x409)
- SQL Server 2012 Baseline Attachments (http://go.microsoft.com/fwlink/?LinkID=392582&clcid=0x409)
To get the Office 2013 Beta baseline you will need to join the Microsoft Connect program, which requires a Microsoft Account. To sign up, please visit https://connect.microsoft.com/WindowsServer/InvitationUse.aspx?ProgramID=8455&InvitationID=8455-764K-9HVG.
The Microsoft SCM team will also be releasing security baselines for Windows 8.1, Windows Server 2012 R2, and Internet Explorer 11 in the near future. In the interim, you can access a preview of the new settings and recommendations from Microsoft by downloading the .zip package referenced at the end of the “Security baselines for Windows 8.1, Windows Server 2012 R2 and Internet Explorer 11” blog post (http://blogs.technet.com/b/secguide/archive/2014/04/07/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11.aspx).
This Month's Security Bulletins
April 2014 Security Bulletins
Critical
- MS14-017 (2949660): Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (https://technet.microsoft.com/library/security/ms14-017)
- MS14-018 (2950467): Cumulative Security Update for Internet Explorer (https://technet.microsoft.com/library/security/ms14-018)
Important
- MS14-019 (2922229): Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (https://technet.microsoft.com/library/security/ms14-019)
- MS14-020 (2950145): Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (https://technet.microsoft.com/library/security/ms14-020)
April 2014 Security Bulletin Resources:
- Microsoft Security Response Center (MSRC) Blog Post (http://blogs.technet.com/b/msrc/archive/2014/04/08/the-april-2014-security-updates.aspx)
- Security Bulletin Webcast (https://www.youtube.com/watch?v=DpKwsISWMjA)
- Security Bulletin Webcast Q&A (http://blogs.technet.com/b/msrc/p/april-2014-security-bulletin-q-a.aspx)
Security Events and Training
http://www.microsoftvirtualacademy.com/training-courses/what-s-new-in-windows-8-1-security
Microsoft Virtual Academy: What’s New in Windows 8.1 Security
Learn from the Windows Engineering team about the advances in security for Windows 8.1 with regard to access control, malware protection, and information protection. The course will dive into authentication and multifactor access control as well as tamper-resistant hardware through UEFI, TPM, pervasive encryption, and protecting corporate data in a BYOD world.
http://www.microsoftvirtualacademy.com/training-courses/windows-server-2012-r2-access-and-information-protection
Microsoft Virtual Academy: Windows Server 2012 R2 Access and Information Protection
Learn how Windows Server 2012 R2 can help you provision, manage and secure user-owned devices while creating a seamless experience for the user.
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572980
Microsoft Webcast: Information about the June 2014 Security Bulletin Release
Wednesday, June 11, 2014 - 11:00AM Pacific Time
Join this webcast for a brief overview of the technical details of June 2014’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032586485
FastTrack Office 365 Deployments with Centrify Single Sign-on
Wednesday, April 30, 2014 - 11:00AM Pacific Time
Explore Centrify for Office 365, a Microsoft-tested and Azure-powered solution for Active Directory-based single sign-on, user provisioning and mobile management for Office 365.
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032572979
Microsoft Webcast: Information about the May 2014 Security Bulletin Release
Wednesday, May 14, 2014 - 11:00AM Pacific Time
Join this webcast for a brief overview of the technical details of May 2014’s Microsoft security bulletins. Ask questions and get answers from Microsoft security experts.
Essential Tools
- Microsoft Security Bulletins (http://technet.microsoft.com/security/bulletin)
- Microsoft Security Advisories (http://technet.microsoft.com/security/advisory)
- Security Compliance Manager (http://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
- Microsoft Security Development Lifecycle Starter Kit (http://www.microsoft.com/security/sdl/adopt/starterkit.aspx)
- Enhanced Mitigation Experience Toolkit (http://support.microsoft.com/kb/2458544)
- Malicious Software Removal Tool (http://www.microsoft.com/security/pc-security/malware-removal.aspx)
- Microsoft Baseline Security Analyzer (http://technet.microsoft.com/security/cc184924.aspx)
Security Centers
- Security TechCenter (http://technet.microsoft.com/security)
- Security Developer Center (http://msdn.microsoft.com/security)
- Microsoft Security Response Center (http://www.microsoft.com/security/msrc/default.aspx)
- Microsoft Malware Protection Center (http://www.microsoft.com/security/portal/)
- Microsoft Privacy (http://www.microsoft.com/privacy)
- Microsoft Security Product Solution Centers (http://support.microsoft.com/select/default.aspx?target=hub&c1=10750)
Additional Resources
- Trustworthy Computing Security and Privacy Blogs (http://www.microsoft.com/about/twc/en/us/blogs.aspx)
- Microsoft Security Intelligence Report (http://www.microsoft.com/security/sir)
- Microsoft Security Development Lifecycle (http://www.microsoft.com/security/sdl)
- Malware Response Guide (http://technet.microsoft.com/library/cc162838.aspx)
- Security Troubleshooting and Support Resources (http://technet.microsoft.com/security/bb980617.aspx)
- Trustworthy Computing Careers (http://www.microsoft-careers.com/go/Trustworthy-Computing-Jobs/194701/)
This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
(c) 2014 Microsoft Corporation