Microsoft Security Newsletter - September 2014
Trustworthy Computing | September 2014
Welcome to September’s Security Newsletter!
This month’s newsletter focuses on mobile security for the enterprise. With the explosion of devices available to people today, many of the organizations I talk with are interested in learning how they can better manage the security of those devices in an effort to keep company data protected. For organizations that might be grappling with this issue, there are a few security fundamentals which can go a long way in helping to protect data.
Enable multi-factor authentication. For devices or services that offer multi-factor authentication, this can be an effective way to help protect against some types of malicious activity. This feature can help protect accounts by making it more difficult for an attacker to hijack an account, even if they have somehow learned of the account's password. Microsoft devices and services offer the ability to enable multi-factor authentication. For more information on how to add multi-factor authentication to Microsoft Windows, Office, and Online Services to better protect your corporate identities, see Windows Virtual Smartcards (http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=29076), Azure Multi-Factor Authentication (http://azure.microsoft.com/en-us/services/multi-factor-authentication/), Windows Azure Multi-Factor Authentication Overview (http://channel9.msdn.com/Blogs/Windows-Azure/WA-MFA-Overview), and Multi-Factor Authentication for Office 365 (http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/).
Create strong passwords and diversify them. Account holders should avoid using the same password for multiple applications, websites, or services as they can expose an organization to increased risk. For example, I commonly hear that people use the same credentials for both social media accounts and line of business applications. This reduces the number of credentials that users need to remember, but increases the impact if the credentials are stolen. The problem with this scenario is that if one of those applications is compromised, the others are also at increased risk of compromise. Using a strong password that is unique for each application, website, and service can help reduce the risk should one of an employee’s accounts become compromised.
Keep your devices and applications up to date. The importance of keeping devices and all the applications they run up to date cannot be overstated. As past cybersecurity reports (http://www.microsoft.com/sir) have shown, this is one of the most common ways in which a cybercriminal will try and penetrate an organization's environment.
Of course these are just a few security fundamentals that can help prevent cybercriminals from successfully compromising a system or online accounts. For more in-depth information on mobile security for the enterprise, I encourage you to check out the many great resources included in this month’s newsletter.
Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.
Top Stories
http://blogs.technet.com/b/mmpc/archive/2014/09/22/microsoft-cloud-protection.aspx
Microsoft Cloud Protection: An Overview for Developers
Software developers often ask us how Microsoft cloud protection works and how they can improve our cloud’s impression of their software. Read this Microsoft Malware Protection Center blog post for helpful tips.
http://blogs.office.com/2014/09/23/microsoft-online-services-bug-bounty-program-launches-office-365/
Microsoft Online Services Bug Bounty Program Launches with Office 365
Microsoft recently launched a Bug Bounty program for Office 365, the first program of its type for Microsoft Online Services. Through the program, Microsoft will be able to reward and recognize security researchers by offering a bounty for qualifying security vulnerabilities that are reported to Microsoft. For more information, see Microsoft Bounty Programs (http://technet.microsoft.com/en-US/security/dn425036) and the Microsoft Bug Bounty Programs FAQ (http://technet.microsoft.com/en-us/security/dn425055).
Security Guidance
http://technet.microsoft.com/security/dn764936.aspx
Security Tip of the Month: How to Disable SD Cards on Windows Phone Devices
By Robert Hoover, Project Management Professional, Technical Writer, Windows Phone
Many Windows Phone devices have an SD card slot that allows users to store apps and data on an SD card; the installation of apps on an SD card is a new feature in Windows Phone 8.1. Windows Phone stores the apps on an encrypted SD card partition that is specifically designated for apps and this feature is always enabled, so there is no need to explicitly set a policy to have this level of protection. While the app partition on the SD card is encrypted and hidden, other items that a user may have stored on the card are not. This can include music, videos, and pictures (with location data) as well as files that a user can store on the device and access using the Office apps or the recently released Files app for Windows Phone (http://www.windowsphone.com/en-us/store/app/files/762e837f-461d-4847-8399-3526f54fc25e), which allows users to manage the contents of their device.
For maximum data and information protection, disabling the AllowStorageCard setting in either your mobile device management (MDM) solution or your Exchange ActiveSync policy can prevent users from using SD cards altogether. This can be done easily in the Exchange Management Shell by using the following command:
Set-MobileDeviceMailboxPolicy -Identity:Default -AllowStorageCard:$False
Figure. AllowStorageCard option set to False
Editor’s note: In case you are unfamiliar with the Exchange Management Shell (http://technet.microsoft.com/library/bb123778(v=exchg.150).aspx), it is based on Windows PowerShell and provides a powerful command-line interface for executing and automating administrative tasks for Exchange Server.
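An added example, not part of the original newsletter: the command in the tip changes only the policy named Default, so this Exchange Management Shell script audits every mobile device mailbox policy for AllowStorageCard, previews the change with -WhatIf, and verifies the result. It assumes an Exchange 2013 or later session where the Get-/Set-MobileDeviceMailboxPolicy and Get-CASMailbox cmdlets are available; the $apply variable is a hypothetical switch introduced here for illustration.

```powershell
# Added example (not from the newsletter). Run in the Exchange Management Shell.
# Assumption: Exchange 2013 or later, with the *-MobileDeviceMailboxPolicy cmdlets.

# Hypothetical switch: leave $false to preview only, set $true to apply.
$apply = $false

# 1. Audit: show every policy and whether it still permits SD cards.
$policies = @(Get-MobileDeviceMailboxPolicy)
$policies | Sort-Object Name |
    Format-Table Name, IsDefault, AllowStorageCard -AutoSize

# 2. Keep only the policies that still allow storage cards.
$permissive = @($policies | Where-Object { $_.AllowStorageCard })

if ($permissive.Count -eq 0) {
    Write-Host 'Every mobile device mailbox policy already blocks storage cards.'
}
else {
    foreach ($p in $permissive) {
        if ($apply) {
            # 3b. Apply the same setting the tip uses, per policy.
            Set-MobileDeviceMailboxPolicy -Identity $p.Identity -AllowStorageCard:$false
        }
        else {
            # 3a. Preview: -WhatIf reports the change without making it.
            Set-MobileDeviceMailboxPolicy -Identity $p.Identity -AllowStorageCard:$false -WhatIf
        }
    }
}

# 4. Verify: re-read the policies and report any that still allow SD cards.
$remaining = @(Get-MobileDeviceMailboxPolicy | Where-Object { $_.AllowStorageCard })
if ($remaining.Count -gt 0) {
    Write-Warning ("Policies still allowing storage cards: " +
        (($remaining | ForEach-Object { $_.Name }) -join ', '))
}

# 5. Scope: count mailboxes per assigned policy, to see who the change reaches.
#    An empty name means no policy is set explicitly on the mailbox.
Get-CASMailbox -ResultSize Unlimited |
    Group-Object ActiveSyncMailboxPolicy |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```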
http://www.microsoft.com/download/details.aspx?id=42509
Windows Phone 8.1 Security Overview
From highly secure identity features, such as Multi-Factor Authentication (MFA) with virtual smart cards and PINs to its defense-in-depth, multilayered approach that addresses organizational security requirements in numerous ways, Windows Phone 8.1 is designed with security in mind. Download this guide to explore these features in more detail and learn how Windows Phone 8.1 devices can be securely used and managed in an enterprise environment.
http://www.microsoft.com/download/details.aspx?id=42508
Windows Phone 8.1 Mobile Device Management Overview
Download a guide to the built-in mobile device management client in Windows Phone 8.1 that lets you manage your Windows Phone devices with the mobile device management system of your choice.
http://social.technet.microsoft.com/Forums/en-US/home?forum=winphonesecurity
Windows Phone Security Forum for IT Pros
Have a technical question about Windows Phone security? Visit the security forum for Windows Phone on TechNet. Here you can find assistance with your specific issue, or browse insights and best practices from IT pros familiar with Windows Phone or who've deployed it in their corporate environment.
http://blogs.microsoft.com/cybertrust/2014/08/25/create-stronger-passwords-and-protect-them/
Create Stronger Passwords and Protect Them
A good reminder for IT professionals and end users alike, this article offers tips on creating passwords that are "difficult to crack" and offers a link to a free online tool offered by Microsoft Research, called Telepathwords (https://telepathwords.research.microsoft.com/), for those that would rather have a randomly generated strong password created for them.
http://technet.microsoft.com/library/jj916649.aspx
Two-Factor Authentication for Office 365
Typical authentication practices that require only a password to access IT resources may not provide the appropriate level of protection for information that is sensitive or vulnerable. Two-factor authentication is an authentication method that applies a stronger means of identifying the user. It requires a user to submit two of the following three types of identity proofs. Explore a few two-factor authentication options for Office 365.
http://msdn.microsoft.com/library/dn383636.aspx
Multi-Factor Authentication for Office 365
Multi-Factor Authentication for Office 365, powered by Azure Multi-Factor Authentication, works exclusively with Microsoft Office 365 applications at no additional cost and is managed from the Office 365 portal. Learn how to enable and enforce multi-factor authentication for end users, and set up additional authentication factors.
http://technet.microsoft.com/library/dn308567.aspx
Configuring Two-Factor Authentication in Lync Server 2013
Get step-by-step guidance on how to configure smart card authentication, virtual smart cards, Active Directory Federation Services, and other possible components of a two-factor authentication solution for Lync.
http://msdn.microsoft.com/library/dn249466.aspx
Adding Multi-Factor Authentication to Azure Active Directory
With multiple out-of-band methods and a one-time passcode option, Azure Multi-Factor Authentication provides flexibility for users and backup options in the event the user is not able to authenticate using their preferred method. Learn how to secure Microsoft and 3rd party applications hosted in Azure using Azure Multi-Factor Authentication.
Unfamiliar with Azure Multi-Factor Authentication? Learn more (http://msdn.microsoft.com/library/dn249471.aspx).
http://msdn.microsoft.com/library/dn249467.aspx
Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server
Find out how to secure your on-premises resources and Active Directory using Azure Multi-Factor Authentication Server and integrate with IIS authentication to secure Microsoft IIS web applications, RADIUS authentication, LDAP authentication, and Windows authentication.
http://msdn.microsoft.com/library/dn249464.aspx
Building Multi-Factor Authentication into Custom Apps
Developers: learn how to build multi-factor authentication into your Azure application sign-in or transaction processes with the Azure Multi-Factor Authentication Software Development Kit (SDK).
http://technet.microsoft.com/library/dn579260.aspx?ocid=wc-nl-secnews
Get Started with Virtual Smart Cards
Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering. Learn how to use and deploy virtual smart cards in your organization.
Community Update
http://social.technet.microsoft.com/wiki/contents/articles/22322.office-365-multi-factor-authentication-and-password-security-gotchas.aspx
Office 365: Multi-Factor Authentication and Password Security Gotcha’s
Explore some best practices around passwords for Office 365 users, including guidance on how to set up a temporary password for a specific user, and how to set password policy.
This Month's Security Bulletins
September 2014 Security Bulletins
Critical
- MS14-052 (2977629): Cumulative Security Update for Internet Explorer (https://technet.microsoft.com/library/security/ms14-052)
Important
- MS14-053 (2990931): Vulnerability in .NET Framework Could Allow Denial of Service (https://technet.microsoft.com/library/security/ms14-053)
- MS14-054 (2988948): Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (https://technet.microsoft.com/library/security/ms14-054)
- MS14-055 (2990928): Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (https://technet.microsoft.com/library/security/ms14-055)
September 2014 Security Bulletin Resources:
- September 2014 Bulletin Release Blog Post "September 2014 Security Updates" (http://blogs.technet.com/b/msrc/archive/2014/09/09/the-september-2014-security-updates.aspx)
- September 2014 Security Bulletin Webcast (http://www.youtube.com/watch?v=Yh0p75mM3Vs)
- September 2014 Security Bulletin Webcast Q&A (http://blogs.technet.com/b/msrc/p/september-2014-security-bulletin-release-webcast-q-a.aspx)
- Malicious Software Removal Tool: September 2014 Update (http://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)
Security Events and Training
http://www.microsoftvirtualacademy.com/training-courses/mdop-user-experience-virtualization-deep-dive
Microsoft Virtual Academy (MVA): User Experience Virtualization Deep Dive
Microsoft User Experience Virtualization (UE-V) makes it easier to give mobile users access to their unique profiles, data, and settings across their Windows PC devices. It provides users with a consistent, personal, Windows experience that matches their unique work style, while making it easy for you to deliver this user-defined experience across many devices. In this 300-level course, you’ll take a deep dive into the latest version of UE-V, and learn how to plan for deployment, use UE-V templates to synchronize application settings, and leverage best practices for managing your UE-V infrastructure.
http://www.microsoftvirtualacademy.com/training-courses/enable-the-consumerization-of-it-jump-start
MVA: Enable the Consumerization of IT Jump Start
Learn how to responsibly support Bring Your Own Device (BYOD) scenarios in your environment, and safely enable users to work and communicate anywhere, anytime, on a device of their choice. This course will paint the entire picture at a 200 level, then provide some 300-level knowledge on specific scenarios across the various Microsoft products that support BYOD options, such as how to configure mobile device management (MDM) in System Center Configuration Manager.
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032596544&culture=en-US
Dimension Data Series - Transform your Datacenter through the Cloud OS based Off-Premise Hosted Private Cloud (Part 1)
Thursday, October 2, 2014 - 10:00 AM Pacific Time
Are you an IT professional looking for cloud-based services that offer the dual advantage of security and ownership of traditional solutions? Join us for the two part webinar series and learn how you can move workloads off-premise to the cloud via the Microsoft Cloud OS approach with Windows Server 2012 R2, System Center 2012 R2, Microsoft Azure, and SQL Server 2014. In the first webinar we will cover an overview of Microsoft Cloud OS and the Dimension Data Hosted Private Cloud solutions that complement Azure to deliver a security enhanced hosted environment for high-performance enterprise cloud computing.
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032596545&culture=en-US
Dimension Data Series - Transform your Datacenter through the Cloud OS based Off-Premise Hosted Private Cloud (Part 2)
Thursday, October 16, 2014 - 10:00 AM Pacific Time
In this second webinar, we will expand on webinar 1 by providing a deep dive (level 200) into Dimension Data’s Hosted Private Cloud solutions that offer an enterprise-class hosted database solution with business continuity to meet complex SLA’s.
Essential Tools
- Microsoft Security Bulletins (http://technet.microsoft.com/security/bulletin)
- Microsoft Security Advisories (http://technet.microsoft.com/security/advisory)
- Security Compliance Manager (http://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
- Microsoft Security Development Lifecycle Starter Kit (http://www.microsoft.com/security/sdl/adopt/starterkit.aspx)
- Enhanced Mitigation Experience Toolkit (http://support.microsoft.com/kb/2458544)
- Malicious Software Removal Tool (http://www.microsoft.com/security/pc-security/malware-removal.aspx)
- Microsoft Baseline Security Analyzer (http://technet.microsoft.com/security/cc184924.aspx)
Security Centers
- Security TechCenter (http://technet.microsoft.com/security)
- Security Developer Center (http://msdn.microsoft.com/security)
- Microsoft Security Response Center (http://www.microsoft.com/security/msrc/default.aspx)
- Microsoft Malware Protection Center (http://www.microsoft.com/security/portal/)
- Microsoft Privacy (http://www.microsoft.com/privacy)
- Microsoft Security Product Solution Centers (http://support.microsoft.com/select/default.aspx?target=hub&c1=10750)
Additional Resources
- Trustworthy Computing Security and Privacy Blogs (http://www.microsoft.com/about/twc/en/us/blogs.aspx)
- Microsoft Security Intelligence Report (http://www.microsoft.com/security/sir)
- Microsoft Security Development Lifecycle (http://www.microsoft.com/security/sdl)
- Malware Response Guide (http://technet.microsoft.com/library/cc162838.aspx)
- Security Troubleshooting and Support Resources (http://technet.microsoft.com/security/bb980617.aspx)
- Trustworthy Computing Careers (http://www.microsoft-careers.com/go/Trustworthy-Computing-Jobs/194701/)
This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
(c) 2014 Microsoft Corporation