
    From Lord Time@TIME to All on Tue Jun 24 09:04:15 2014
    Microsoft Security Newsletter - June 2014



    Trustworthy Computing | June 2014
    Microsoft Security Newsletter



    Welcome to June’s Security Newsletter!

    Last month, we covered the top threats facing enterprise organizations and how to help protect against them. This month’s newsletter focuses on security guidance for data protection and, specifically, public key infrastructure (PKI), which many organizations have in place to support data protection and authentication.



    If attackers successfully gain access to your organization’s PKI, this can expose your organization to serious risk. To help you design PKIs and protect this infrastructure from emerging threats, Microsoft IT, Microsoft’s IT department, has released a detailed technical reference document entitled “Securing Public Key Infrastructure” (http://aka.ms/securingpkidl). Included in the document you will find guidance on:


    - Common vectors for PKI compromise
    - Planning cryptographic algorithms and certificate usages
    - Designing physical security
    - Implementing technical controls to secure PKI
    - Protecting PKI artifacts and assets
    - Monitoring PKI for malicious activity
    - Recovering from a compromise



    If you are an IT professional and have a PKI running in your environment, I encourage you to download and read the paper—and consult the resources listed below for additional guidance. I hope you find these resources helpful.




    Best regards,

    Tim Rains, Director

    Microsoft Trustworthy Computing



    Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.



    Top Stories



    http://blogs.technet.com/b/security/archive/2014/06/12/who-exploits-vulnerabilities-the-path-from-disclosure-to-mass-market-exploitation.aspx
    Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation

    Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of the software or the data that it processes. Learn why the parties that initially disclose vulnerabilities are not always the same parties that go on to develop and use exploits that take advantage of them—and what you can do to mitigate the risk from exploits.


    http://blogs.technet.com/b/security/archive/2014/06/17/when-vulnerabilities-are-exploited-the-timing-of-first-known-exploits-for-remote-code-execution-vulnerabilities.aspx
    When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities

    Ever wonder how many days of risk exist between the time that a vulnerability is disclosed and when we first see active exploitation of it; i.e. how long do organizations have to deploy the update before active attacks are going to happen? Explore the Trustworthy Computing Security Science team’s new data from the recently released Microsoft Security Intelligence Report volume 16 (http://www.microsoft.com/security/sir/default.aspx).


    http://blogs.technet.com/b/security/archive/2014/06/09/keeping-oracle-java-updated-continues-to-be-high-security-roi.aspx
    Keeping Oracle Java Updated Continues to be High Security ROI

    One of the most popular tactics attackers use to try to exploit vulnerabilities in Java is using exploit kits. Learn why keeping Java up-to-date with security updates is one of the most effective ways to protect environments from attackers.




    Security Guidance

    http://blogs.technet.com/b/yungchou/archive/2013/10/21/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-1-of-2.aspx
    Security Tip of the Month: Enterprise PKI with Windows Server 2012 R2 Active Directory Certificate Services

    PKI is heavily employed in cloud computing for encrypting data and securing transactions. While Windows Server 2012 R2 is developed as a building block for cloud solutions, there is an increasing demand for IT professionals to acquire proficiency on implementing PKI with Windows Server 2012 R2. This two-part blog post series (click here for Part 2: http://blogs.technet.com/b/yungchou/archive/2013/10/22/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-2-of-2.aspx) will help you implement a simple PKI for assessing or piloting solutions, and better understand and become familiar with the process.



    http://www.microsoft.com/download/details.aspx?id=38785
    Best Practices for Securing Active Directory

    Download recommendations to enhance the security of Active Directory installations. Learn about common attacks against Active Directory, the countermeasures you can take to reduce the attack surface, and get recommendations for recovery.


    http://technet.microsoft.com/library/jj889441.aspx
    Trusted Platform Module (TPM) Fundamentals

    Explore the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) (http://technet.microsoft.com/library/jj131725.aspx) and learn how they are used to mitigate dictionary attacks. Looking for more TPM guidance? Check out these resources:

    - http://technet.microsoft.com/library/dn466538.aspx
      Initialize and Configure Ownership of the TPM
    - http://technet.microsoft.com/library/jj679889.aspx
      TPM Services Group Policy Settings
    - http://technet.microsoft.com/library/dn466534.aspx
      Backup the TPM Recovery Information to Active Directory Domain Services (AD DS)
    - http://technet.microsoft.com/library/dn466537.aspx
      Manage TPM Commands
    - http://technet.microsoft.com/library/dn466535.aspx
      Manage TPM Lockout

    http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/default.aspx
    TPM Platform Crypto-Provider Toolkit

    Download sample code, utilities and documentation for using TPM-related functionality in Windows 8. Subsystems described include the TPM-backed Crypto-Next-Gen (CNG) platform crypto-provider, and how attestation-service providers can use the new Windows features. Both TPM1.2 and TPM2.0-based systems are supported.


    http://technet.microsoft.com/library/gg699362.aspx
    PKI Certificate Requirements for Configuration Manager

    Find a list of the PKI certificates you might require for System Center 2012 Configuration Manager. This information assumes basic knowledge of PKI certificates. For step-by-step guidance and for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority (http://technet.microsoft.com/library/gg682023.aspx).




    Community Update

    http://social.technet.microsoft.com/wiki/contents/articles/2901.public-key-infrastructure-design-guidance.aspx
    Public Key Infrastructure Design Guidance

    Before you configure a PKI and certification authority (CA) hierarchy, you should be aware of your organization’s security policy and certificate practice statement (CPS). Explore your design options and find links to examples of policy statements if your organization does not currently have one.


    http://social.technet.microsoft.com/wiki/contents/articles/7421.ad-cs-pki-design.aspx
    Active Directory Certificate Services (AD CS) PKI Design Guide

    While Windows Server 2012 products provide a variety of secure applications and business scenarios based on the use of digital certificates, you need to design a public key infrastructure (PKI) before you can use those certificates. Check out this step-by-step wiki guide for guidance on everything from identifying your AD CS deployment goals to creating a certificate management plan.




    This Month's Security Bulletins


    June 2014 Security Bulletins


    Critical

    -MS14-035:2969262
    https://technet.microsoft.com/library/security/ms14-035

    Cumulative Security Update for Internet Explorer

    -MS14-036:2967487
    https://technet.microsoft.com/library/security/ms14-036

    Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution



    Important

    -MS14-034:2969261
    https://technet.microsoft.com/library/security/ms14-034

    Vulnerability in Microsoft Word Could Allow Remote Code Execution

    -MS14-033:2966061
    https://technet.microsoft.com/library/security/ms14-033

    Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure


    -MS14-032:2969258
    https://technet.microsoft.com/library/security/ms14-032

    Vulnerability in Microsoft Lync Server Could Allow Information Disclosure

    -MS14-031:2962478
    https://technet.microsoft.com/library/security/ms14-031

    Vulnerability in TCP Protocol Could Allow Denial of Service

    -MS14-030:2969259
    https://technet.microsoft.com/library/security/ms14-030

    Vulnerability in Remote Desktop Could Allow Tampering


    June 2014 Security Bulletin Resources:

    - http://blogs.technet.com/b/msrc/archive/2014/06/10/theoretical-thinking-and-the-june-2014-bulletin-release.aspx
      Theoretical Thinking and the June 2014 Bulletin Release
    - http://www.youtube.com/watch?v=FgOfDCyAIXs
      June 2014 Security Bulletin Webcast
    - http://blogs.technet.com/b/msrc/p/july-2014-security-bulletin-q-a.aspx
      June 2014 Security Bulletin Webcast Q&A
    - http://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx
      Malicious Software Removal Tool: June 2014 Update



    Security Events and Training



    http://www.microsoftvirtualacademy.com/training-courses/defense-in-depth-windows-8-1-security
    Defense in Depth: Windows 8.1 Security

    See how Windows 8.1 addresses security as a whole system, one layer at a time with this seven-module course from Microsoft Virtual Academy. Explore methods of developing a secure baseline and learn how to harden your Windows enterprise architectures from pass-the-hash and other advanced attacks.


    https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032590419
    Office 365 Education Technical Overview
    Wednesday, July 16, 2014 – 1:00PM Central Time

    Better understand the technical tools and resources of Office 365 Education, and learn how to support the unique needs of your school without sacrificing identity management and other security and compliance measures. This session will also be conducted every Wednesday at this time in August.


    https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032590429
    Office 365 Education Deployment Overview
    Thursday, July 24, 2014 – 1:00PM Central Time

    Compare your Microsoft Office 365 for education deployment options and learn about the terminology and tools available to streamline your deployment. Topics will include networking, identity management, hybrid deployments, and synchronization. This session will also be conducted every Wednesday at this time in August.






    Essential Tools


    - http://technet.microsoft.com/security/bulletin
      Microsoft Security Bulletins
    - http://technet.microsoft.com/security/advisory
      Microsoft Security Advisories
    - http://technet.microsoft.com/solutionaccelerators/cc835245.aspx
      Security Compliance Manager
    - http://www.microsoft.com/security/sdl/adopt/starterkit.aspx
      Microsoft Security Development Lifecycle Starter Kit
    - http://support.microsoft.com/kb/2458544
      Enhanced Mitigation Experience Toolkit
    - http://www.microsoft.com/security/pc-security/malware-removal.aspx
      Malicious Software Removal Tool
    - http://technet.microsoft.com/security/cc184924.aspx
      Microsoft Baseline Security Analyzer


    Security Centers


    - http://technet.microsoft.com/security
      Security TechCenter
    - http://msdn.microsoft.com/security
      Security Developer Center
    - http://www.microsoft.com/security/msrc/default.aspx
      Microsoft Security Response Center
    - http://www.microsoft.com/security/portal/
      Microsoft Malware Protection Center
    - http://www.microsoft.com/privacy
      Microsoft Privacy
    - http://support.microsoft.com/select/default.aspx?target=hub&c1=10750
      Microsoft Security Product Solution Centers


    Additional Resources


    - http://www.microsoft.com/about/twc/en/us/blogs.aspx
      Trustworthy Computing Security and Privacy Blogs
    - http://www.microsoft.com/security/sir
      Microsoft Security Intelligence Report
    - http://www.microsoft.com/security/sdl
      Microsoft Security Development Lifecycle
    - http://technet.microsoft.com/library/cc162838.aspx
      Malware Response Guide
    - http://technet.microsoft.com/security/bb980617.aspx
      Security Troubleshooting and Support Resources
    - http://www.microsoft-careers.com/go/Trustworthy-Computing-Jobs/194701/
      Trustworthy Computing Careers




    microsoft.com/about/twc
    Trustworthy Computing




    This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.



    (c) 2014 Microsoft Corporation

    http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Copyright/default.aspx
    Terms of Use

    http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Trademarks/EN-US.aspx
    Trademarks


    Microsoft respects your privacy. To learn more please read our online Privacy Statement (http://go.microsoft.com/fwlink/?LinkId=248681).






    Microsoft Corporation

    One Microsoft Way

    Redmond, WA 98052 USA






    ---
    ■ Synchronet ■ Time Warp of the Future BBS - Home of League 10 IBBS Games
© Digital Distortion, 2025