• Microsoft Security Newsletter - September 2014

    From Lord Time@TIME to All on Fri Sep 26 09:04:47 2014
    Microsoft Security Newsletter - September 2014



    Trustworthy Computing | September 2014
    Microsoft Security Newsletter



    Welcome to September’s Security Newsletter!

    This month’s newsletter focuses on mobile security for the enterprise. With the explosion of devices available to people today, many of the organizations I talk with are interested in learning how they can better manage the security of those devices in an effort to keep company data protected. For organizations that might be grappling with this issue, there are a few security fundamentals which can go a long way in helping to protect data.


    Enable multi-factor authentication. For devices or services that offer multi-factor authentication, this can be an effective way to help protect against some types of malicious activity. This feature can help protect accounts by making it more difficult for an attacker to hijack an account, even if they have somehow learned of the account's password. Microsoft devices and services offer the ability to enable multi-factor authentication. For more information on how to add multi-factor authentication to Microsoft Windows, Office, and Online Services to better protect your corporate identities, see

    http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=29076 Windows Virtual Smartcards ,

    http://azure.microsoft.com/en-us/services/multi-factor-authentication/
    Azure Multi-Factor Authentication ,

    http://channel9.msdn.com/Blogs/Windows-Azure/WA-MFA-Overview
    Windows Azure Multi-Factor Authentication Overview , and

    http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/ Multi-Factor Authentication for Office 365 .


    Create strong passwords and diversify them. Account holders should avoid using the same password for multiple applications, websites, or services as they can expose an organization to increased risk. For example, I commonly hear that people use the same credentials for both social media accounts and line of business applications. This reduces the number of credentials that users need to remember, but increases the impact if the credentials are stolen. The problem with this scenario is that if one of those applications is compromised, the others are also at increased risk of compromise. Using a strong password that is unique for each application, website, and service can help reduce the risk should one of an employee’s accounts become compromised.


    Keep your devices and applications up to date. The importance of keeping devices and all the applications they run up to date cannot be overstated. As past

    http://www.microsoft.com/sir
    cybersecurity reports have shown, this is one of the most common ways in which a cybercriminal will try and penetrate an organization's environment.



    Of course these are just a few security fundamentals that can help prevent cybercriminals from successfully compromising a system or online accounts. For more in-depth information on mobile security for the enterprise, I encourage you to check out the many great resources included in this month’s newsletter.



    Best regards,

    Tim Rains, Director

    Microsoft Trustworthy Computing



    Have feedback on how we can improve this newsletter? Email us at mailto:secnlfb@microsoft.com
    secnlfb@microsoft.com and share your ideas.



    Top Stories



    http://blogs.technet.com/b/mmpc/archive/2014/09/22/microsoft-cloud-protection.aspx
    Microsoft Cloud Protection: An Overview for Developers

    Software developers often ask us how Microsoft cloud protection works and how they can improve our cloud’s impression of their software. Read this Microsoft Malware Protection Center blog post for helpful tips.


    http://blogs.office.com/2014/09/23/microsoft-online-services-bug-bounty-program-launches-office-365/
    Microsoft Online Services Bug Bounty Program Launches with Office 365

    Microsoft recently launched a Bug Bounty program for Office 365, the first program of its type for Microsoft Online Services. Through the program, Microsoft will be able to reward and recognize security researchers by offering a bounty for qualifying security vulnerabilities that are reported to Microsoft. For more information, see

    http://technet.microsoft.com/en-US/security/dn425036
    Microsoft Bounty Programs and the

    http://technet.microsoft.com/en-us/security/dn425055
    Microsoft Bug Bounty Programs FAQ .




    Security Guidance

    http://technet.microsoft.com/security/dn764936.aspx
    Security Tip of the Month: How to Disable SD Cards on Windows Phone Devices
    By Robert Hoover, Project Management Professional, Technical Writer, Windows Phone


    Many Windows Phone devices have an SD card slot that allows users to store apps and data on an SD card; the installation of apps on an SD card is a new feature in Windows Phone 8.1. Windows Phone stores the apps on an encrypted SD card partition that is specifically designated for apps and this feature is always enabled, so there is no need to explicitly set a policy to have this level of protection. While the app partition on the SD card is encrypted and hidden, other items that a user may have stored on the card are not. This can include music, videos, and pictures (with location data) as well as files that a user can store on the device and access using the Office apps or the recently released

    http://www.windowsphone.com/en-us/store/app/files/762e837f-461d-4847-8399-3526f54fc25e
    Files app for Windows Phone, which allows users to manage the contents of their device.



    For maximum data and information protection, disabling the AllowStorageCard setting, either in your mobile device management (MDM) solution or in your Exchange ActiveSync policy, can prevent users from using SD cards altogether. This can be done easily in the Exchange Management Shell by using the following command:


    Set-MobileDeviceMailboxPolicy -Identity:Default -AllowStorageCard:$False

    Figure. AllowStorageCard option set to False

    Editor’s note: In case you are unfamiliar with the

    http://technet.microsoft.com/library/bb123778(v=exchg.150).aspx
    Exchange Management Shell , it is based on Windows PowerShell and provides a powerful command-line interface for executing and automating administrative tasks for Exchange Server.
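
    The command above changes only the policy named Default. The following added example (not part of the original newsletter) audits every mobile device mailbox policy for AllowStorageCard, previews or applies the change, and then checks what one mailbox's devices actually received. It assumes Exchange 2013 or later; the `$Apply` variable and the mailbox address are placeholders.

```powershell
# Added example for the Exchange Management Shell (Exchange 2013 or later assumed).
# $Apply and $Mailbox are illustrative placeholders, not values from the newsletter.
$Apply   = $false                      # set to $true to make the change
$Mailbox = 'user@contoso.example'      # constructed sample mailbox

# 1. Audit: list every policy that still permits removable storage.
$open = @(Get-MobileDeviceMailboxPolicy | Where-Object { $_.AllowStorageCard })
$open | Format-Table Name, AllowStorageCard -AutoSize

# 2. Remediate: preview with -WhatIf unless $Apply is set.
foreach ($policy in $open) {
    if ($Apply) {
        Set-MobileDeviceMailboxPolicy -Identity $policy.Identity -AllowStorageCard:$false
    } else {
        Set-MobileDeviceMailboxPolicy -Identity $policy.Identity -AllowStorageCard:$false -WhatIf
    }
}

# 3. Verify: after an applied run, no policy should still allow storage cards.
$remaining = @(Get-MobileDeviceMailboxPolicy | Where-Object { $_.AllowStorageCard })
if ($remaining.Count -gt 0) {
    Write-Warning ("{0} policy(ies) still allow storage cards: {1}" -f `
        $remaining.Count, (($remaining | ForEach-Object { $_.Name }) -join ', '))
} else {
    Write-Output 'No mobile device mailbox policy allows storage cards.'
}

# 4. Confirm enforcement: a policy edit protects nothing until the device has
#    received and applied it, so check the per-device status for a mailbox.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceModel, DeviceOS, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastPolicyUpdateTime
```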

    http://www.microsoft.com/download/details.aspx?id=42509
    Windows Phone 8.1 Security Overview

    From highly secure identity features, such as Multi-Factor Authentication (MFA) with virtual smart cards and PINs to its defense-in-depth, multilayered approach that addresses organizational security requirements in numerous ways, Windows Phone 8.1 is designed with security in mind. Download this guide to explore these features in more detail and learn how Windows Phone 8.1 devices can be securely used and managed in an enterprise environment.


    http://www.microsoft.com/download/details.aspx?id=42508
    Windows Phone 8.1 Mobile Device Management Overview

    Download a guide to the built-in mobile device management client in Windows Phone 8.1 that lets you manage your Windows Phone devices with the mobile device management system of your choice.


    http://social.technet.microsoft.com/Forums/en-US/home?forum=winphonesecurity Windows Phone Security Forum for IT Pros

    Have a technical question about Windows Phone security? Visit the security forum for Windows Phone on TechNet. Here you can find assistance with your specific issue, or browse insights and best practices from IT pros familiar with Windows Phone or who've deployed it in their corporate environment.


    http://blogs.microsoft.com/cybertrust/2014/08/25/create-stronger-passwords-and-protect-them/
    Create Stronger Passwords and Protect Them

    A good reminder for IT professionals and end users alike, this article offers tips on creating passwords that are "difficult to crack" and offers a link to a free online tool offered by Microsoft Research, called

    https://telepathwords.research.microsoft.com/
    Telepathwords , for those that would rather have a randomly generated strong password created for them.


    http://technet.microsoft.com/library/jj916649.aspx
    Two-Factor Authentication for Office 365

    Typical authentication practices that require only a password to access IT resources may not provide the appropriate level of protection for information that is sensitive or vulnerable. Two-factor authentication is an authentication method that applies a stronger means of identifying the user. It requires a user to submit two of the following three types of identity proofs. Explore a few two-factor authentication options for Office 365.


    http://msdn.microsoft.com/library/dn383636.aspx
    Multi-Factor Authentication for Office 365

    Multi-Factor Authentication for Office 365, powered by Azure Multi-Factor Authentication, works exclusively with Microsoft Office 365 applications at no additional cost and is managed from the Office 365 portal. Learn how to enable and enforce multi-factor authentication for end users, and set up additional authentication factors.


    http://technet.microsoft.com/library/dn308567.aspx
    Configuring Two-Factor Authentication in Lync Server 2013

    Get step-by-step guidance on how to configure smart card authentication, virtual smart cards, Active Directory Federation Services, and other possible components of a two-factor authentication solution for Lync.


    http://msdn.microsoft.com/library/dn249466.aspx
    Adding Multi-Factor Authentication to Azure Active Directory

    With multiple out-of-band methods and a one-time passcode option, Azure Multi-Factor Authentication provides flexibility for users and backup options in the event the user is not able to authenticate using their preferred method. Learn how to secure Microsoft and 3rd party applications hosted in Azure using Azure Multi-Factor Authentication.
    Unfamiliar with Azure Multi-Factor Authentication?

    http://msdn.microsoft.com/library/dn249471.aspx
    Learn more .


    http://msdn.microsoft.com/library/dn249467.aspx
    Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server

    Find out how to secure your on-premises resources and Active Directory using Azure Multi-Factor Authentication Server and integrate with IIS authentication to secure Microsoft IIS web applications, RADIUS authentication, LDAP authentication, and Windows authentication.


    http://msdn.microsoft.com/library/dn249464.aspx
    Building Multi-Factor Authentication into Custom Apps

    Developers: learn how to build multi-factor authentication into your Azure application sign-in or transaction processes with the Azure Multi-Factor Authentication Software Development Kit (SDK).


    http://technet.microsoft.com/library/dn579260.aspx?ocid=wc-nl-secnews
    Get Started with Virtual Smart Cards

    Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering. Learn how to use and deploy virtual smart cards in your organization.




    Community Update

    http://social.technet.microsoft.com/wiki/contents/articles/22322.office-365-multi-factor-authentication-and-password-security-gotchas.aspx
    Office 365: Multi-Factor Authentication and Password Security Gotcha’s

    Explore some best practices around passwords for Office 365 users, including guidance on how to set up a temporary password for a specific user, and how to set password policy.




    This Month's Security Bulletins


    September 2014 Security Bulletins


    Critical

    -MS14-052:2977629
    https://technet.microsoft.com/library/security/ms14-052

    Cumulative Security Update for Internet Explorer



    Important

    -MS14-053:2990931
    https://technet.microsoft.com/library/security/ms14-053

    Vulnerability in .NET Framework Could Allow Denial of Service

    -MS14-054:2988948
    https://technet.microsoft.com/library/security/ms14-054

    Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege

    -MS14-055:2990928
    https://technet.microsoft.com/library/security/ms14-055

    Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service


    September 2014 Security Bulletin Resources:

    - http://blogs.technet.com/b/msrc/archive/2014/09/09/the-september-2014-security-updates.aspx

    September 2014 Bulletin Release Blog Post "September 2014 Security Updates"
    -
    http://www.youtube.com/watch?v=Yh0p75mM3Vs
    September 2014 Security Bulletin Webcast
    - http://blogs.technet.com/b/msrc/p/september-2014-security-bulletin-release-webcast-q-a.aspx
    September 2014 Security Bulletin Webcast Q&A
    - http://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx
    Malicious Software Removal Tool: September 2014 Update



    Security Events and Training



    http://www.microsoftvirtualacademy.com/training-courses/mdop-user-experience-virtualization-deep-dive
    Microsoft Virtual Academy (MVA): User Experience Virtualization Deep Dive

    Microsoft User Experience Virtualization (UE-V) makes it easier to give mobile users access to their unique profiles, data, and settings across their Windows PC devices. It provides users with a consistent, personal, Windows experience that matches their unique work style, while making it easy for you to deliver this user-defined experience across many devices. In this 300-level course, you’ll take a deep dive into the latest version of UE-V, and learn how to plan for deployment, use UE-V templates to synchronize application settings, and leverage best practices for managing your UE-V infrastructure.


    http://www.microsoftvirtualacademy.com/training-courses/enable-the-consumerization-of-it-jump-start
    MVA: Enable the Consumerization of IT Jump Start

    Learn how to responsibly support Bring Your Own Device (BYOD) scenarios in your environment, and safely enable users to work and communicate anywhere, anytime, on a device of their choice. This course will paint the entire picture at a 200 level, then provide some 300-level knowledge on specific scenarios across the various Microsoft products that support BYOD options, such as how to configure mobile device management (MDM) in System Center Configuration Manager.


    https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032596544&culture=en-US
    Dimension Data Series - Transform your Datacenter through the Cloud OS based Off-Premise Hosted Private Cloud (Part 1)
    Thursday, October 2, 2014 - 10:00 AM Pacific Time

    Are you an IT professional looking for cloud-based services that offer the dual advantage of security and ownership of traditional solutions? Join us for the two part webinar series and learn how you can move workloads off-premise to the cloud via the Microsoft Cloud OS approach with Windows Server 2012 R2, System Center 2012 R2, Microsoft Azure, and SQL Server 2014. In the first webinar we will cover an overview of Microsoft Cloud OS and the Dimension Data Hosted Private Cloud solutions that complement Azure to deliver a security enhanced hosted environment for high-performance enterprise cloud computing.


    https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032596545&culture=en-US
    Dimension Data Series - Transform your Datacenter through the Cloud OS based Off-Premise Hosted Private Cloud (Part 2)
    Thursday, October 16, 2014 - 10:00 AM Pacific Time

    In this second webinar, we will expand on webinar 1 by providing a deep dive (level 200) into Dimension Data’s Hosted Private Cloud solutions that offer an enterprise-class hosted database solution with business continuity to meet complex SLA’s.






    Essential Tools


    -
    http://technet.microsoft.com/security/bulletin
    Microsoft Security Bulletins

    -
    http://technet.microsoft.com/security/advisory
    Microsoft Security Advisories

    -
    http://technet.microsoft.com/solutionaccelerators/cc835245.aspx
    Security Compliance Manager

    -
    http://www.microsoft.com/security/sdl/adopt/starterkit.aspx
    Microsoft Security Development Lifecycle Starter Kit

    -
    http://support.microsoft.com/kb/2458544
    Enhanced Mitigation Experience Toolkit

    -
    http://www.microsoft.com/security/pc-security/malware-removal.aspx
    Malicious Software Removal Tool

    -
    http://technet.microsoft.com/security/cc184924.aspx
    Microsoft Baseline Security Analyzer


    Security Centers


    -
    http://technet.microsoft.com/security
    Security TechCenter

    -
    http://msdn.microsoft.com/security
    Security Developer Center

    -
    http://www.microsoft.com/security/msrc/default.aspx
    Microsoft Security Response Center

    -
    http://www.microsoft.com/security/portal/
    Microsoft Malware Protection Center

    -
    http://www.microsoft.com/privacy
    Microsoft Privacy

    -
    http://support.microsoft.com/select/default.aspx?target=hub&c1=10750
    Microsoft Security Product Solution Centers


    Additional Resources


    -
    http://www.microsoft.com/about/twc/en/us/blogs.aspx
    Trustworthy Computing Security and Privacy Blogs

    -
    http://www.microsoft.com/security/sir
    Microsoft Security Intelligence Report

    -
    http://www.microsoft.com/security/sdl
    Microsoft Security Development Lifecycle

    -
    http://technet.microsoft.com/library/cc162838.aspx
    Malware Response Guide

    -
    http://technet.microsoft.com/security/bb980617.aspx
    Security Troubleshooting and Support Resources

    -
    http://www.microsoft-careers.com/go/Trustworthy-Computing-Jobs/194701/ Trustworthy Computing Careers




    microsoft.com/about/twc
    Trustworthy Computing




    This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.



    (c) 2014 Microsoft Corporation




    Microsoft Corporation

    One Microsoft Way

    Redmond, WA 98052 USA
    ---
    ■ Synchronet ■ Time Warp of the Future BBS - Home of League 10 IBBS Games