Microsoft Security Newsletter - November 2014



Trustworthy Computing | November 2014
Microsoft Security Newsletter



Welcome to November 2014’s Security Newsletter!

This month our newsletter focuses on data encryption in MicrosoftÆs products and services. Encryption is typically used when you want a strong level of protection for your information. When it comes to the application of encryption, there are essentially four types of scenarios:



At Microsoft, we are committed to using best-in-class encryption technologies when appropriate to protect the confidentiality of customer data, to maintain data integrity, and to help assure its appropriate availability. We use cutting- edge technologies to protect our customers’ data from being breached and improperly disclosed, both while the data is at-rest and when it is in-transit. To learn more about how Microsoft manages data encryption in
its products and services, and how you can better product your organization’s data, please read on and check out the resources available.



Best regards,

Tim Rains, Director

Cybersecurity & Cloud Strategy, Microsoft



Have feedback on how we can improve this newsletter? Email us at mailto:secnlfb@microsoft.com
secnlfb@microsoft.com and share your ideas.



Top Stories


http://blogs.microsoft.com/cybertrust/2014/11/12/billions-of-data-one-cybersec urity-report-now-available-sirv17/

Billions of Data, One Cybersecurity Report: SIRv17 Now Available

Understand the latest threat trends, recent shifts in cybercriminal behavior, the new techniques that are being used, and the malware families that are most prevalent—plus get actionable guidance to help you protect your organization and customers. Download Volume 17 of the Microsoft Security Intelligence Report (SIR).

http://blogs.microsoft.com/cybertrust/2014/11/19/new-report-enhancing-cybersec urity-with-big-data/

Enhancing Cybersecurity with Big Data

Protecting the information of individuals and organizations from online
threats remains an urgent priority so using big data tools and techniques to enhance cybersecurity is a natural development. Explore the new Microsoft-commissioned study to better understand how organizations are using big data to improve cybersecurity, and to get recommendations on how to
address both the security and privacy concerns of big data solutions.

http://blogs.microsoft.com/cybertrust/2014/11/11/hundreds-of-millions-of-micro soft-customers-now-benefit-from-best-in-class-encryption/

Hundreds of Millions of Microsoft Customers Now Benefit from Best-in-Class Encryption

Microsoft is bringing encryption technologies currently available in Windows 8.1 and Windows Server 2012 R2 to older versions of our platforms. Find out
how this will enable you to take advantage of the best cryptography already available in Microsoft’s most modern operating systems and servers when connecting to a cloud service or operating system that supports the encryption technology known as Perfect Forward Secrecy (PFS). Not familiar with PFS? Read https://blogs.iis.net/erez/archive/2013/08/22/perfect-secrecy-in-an-imperfect-w orld.aspx

Perfect Secrecy in an imperfect world for more information.




Security Guidance
http://social.technet.microsoft.com/wiki/contents/articles/11520.bitlocker-pas swords-should-be-less-than-100-characters-in-length.aspx

Security Tip of the Month: BitLocker Passwords Should Be Less Than 100 Characters

You can specify BitLocker passwords using the following methods:


-
BitLocker Setup Wizard

-
Manage BitLocker Control Panel

-
Manage-bde command-line tool

-
Windows PowerShell cmdlet



When using either the setup wizard or the control panel the user interface limits passwords to 100 characters. The command-line tool and Windows PowerShell cmdlets, on the other hand, do not enforce that limit and passwords up to 256 characters can be specified. However; if a password is specified
that is greater than 100 characters, BitLocker truncates the password to the first 100 characters. If you attempt to use the longer password to unlock the drive, you will receive the error message: "The password you typed is not correct" and will be asked to provide your recovery key to unlock the drive.



Resolution? Specify passwords that are 100 characters or less to avoid encountering this issue. If you have used a longer password, after unlocking the drive using the recovery key go to the BitLocker Control Panel and set a new password that is 100 characters or less.




http://technet.microsoft.com/library/jj592683.aspx
BitLocker Planning and Policies

BitLocker helps prevent unauthorized access to data on lost or stolen
computers by encrypting the entire Windows operating system volume and any associated data volumes, and by verifying the integrity of early boot components and boot configuration data. Learn how to prepare for BitLocker deployment in your organization. Once youÆre ready to deploy BitLocker, check out these resources:


-
http://technet.microsoft.com/library/dn383581.aspx
BitLocker Basic Deployment
-
http://technet.microsoft.com/library/jj612864.aspx
BitLocker: How to Deploy on Windows Server 2012
-
http://technet.microsoft.com/windows/jj983729.aspx
Try It Out: Encrypt Used Space Only

http://technet.microsoft.com/library/dn632181.aspx
Choose the Right BitLocker Countermeasure

Find out how to protect your Windows 7, Windows 8, and Windows 8.1 PCs from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA)
attacks, Hyberfil.sys attacks, and memory remanence attacks.




http://technet.microsoft.com/library/dn375961.aspx
Protecting Against Weak Cryptographic Algorithms

Learn how about the software update available for Windows 8.1, Windows 8, Windows 7, Windows Vista, windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 that allows deprecation of weak cryptographic algorithms.




http://technet.microsoft.com/library/hh831348.aspx
Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy

Find out how to create a two-tier public key infrastructure (PKI) hierarchy using Windows Server 2012 and Active Directory Certificate Services (AD CS).




http://technet.microsoft.com/en-us/library/bb510663(v=sql.110).aspx
SQL Server Encryption

Find out how to use encryption in SQL Server for connections, data, and stored procedures. Explore the encryption hierarchy in SQL Server, learn how to
choose an encryption algorithm, and find information on how to help secure the SQL Server platform, and how to work with users and securable objects.




http://msdn.microsoft.com/en-us/library/windows/apps/hh487164(v=vs.105).aspx How to Encrypt Data for Windows Phone 8

Saving confidential data in a phone’s isolated storage is not secure. Encrypting the data will not increase the security if the decryption key resides on the phone, no matter how well the key is hidden. Learn how to encrypt and decrypt confidential data such as passwords, connection strings, and PINs in a Windows Phone app by using the Data Protection API (DPAPI).




http://msdn.microsoft.com/en-us/library/windows/apps/hh465012.aspx
Windows App Development: Encrypting Data and Working with Certificates

Learn how to encode and decode data, how to encrypt and decrypt data, and how to work with certificates.




http://msdn.microsoft.com/library/azure/dn440572.aspx
How To: Azure Backup

Learn how to use Azure Backup to help protect important server data offsite with automated backups to Azure, where they are available for easy data restoration, and how to manage cloud backups from the familiar backup tools in Windows Server 2012, Windows Server 2012 Essentials, or System Center 2012
Data Protection Manager.




Community Update
http://social.technet.microsoft.com/wiki/contents/articles/1254.database-engin e-security-checklist-encrypt-sensitive-data.aspx

SQL Server Database Engine Security Checklist: Encrypt Sensitive Data

Use this checklist to confirm that encryption is used appropriately in your environment and to periodically audit your use of encryption with the SQL Server Database Engine. To review how you limit access to data in your organization and audit how users access information stored in Database Engine, see http://social.technet.microsoft.com/wiki/contents/articles/1259.database-engine -security-checklist-limit-access-to-data.aspx

Database Engine Security Checklist: Limit Access to Data .




This Month's Security Bulletins


November 2014 Security Bulletins


Critical

-MS14-064:3011443
https://technet.microsoft.com/library/security/ms14-064

Vulnerabilities in Windows OLE Could Allow Remote Code Execution

-MS14-065:3003057
https://technet.microsoft.com/library/security/ms14-065

Cumulative Security Update for Internet Explorer

-MS14-066:2992611
https://technet.microsoft.com/library/security/ms14-066

Vulnerability in Schannel Could Allow Remote Code Execution

-MS14-067:2993958
https://technet.microsoft.com/library/security/ms14-067

Vulnerability in XML Core Services Could Allow Remote Code Execution

-MS14-068:3011780
https://technet.microsoft.com/library/security/ms14-068

Vulnerability in Kerberos Could Allow Elevation of Privilege



Important

-MS14-069:3009710
https://technet.microsoft.com/library/security/ms14-069

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

-MS14-070:2989935
https://technet.microsoft.com/library/security/ms14-070

Vulnerability in TCP/IP Could Allow Elevation of Privilege

-MS14-071:3005607
https://technet.microsoft.com/library/security/ms14-071

Vulnerability in Windows Audio Service Could Allow Elevation of Privilege

-MS14-072:3005210
https://technet.microsoft.com/library/security/ms14-072

Vulnerability in .NET Framework Could Allow Elevation of Privilege

-MS14-073:3000431
https://technet.microsoft.com/library/security/ms14-073

Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege

-MS14-074:3003743
https://technet.microsoft.com/library/security/ms14-074

Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass

-MS14-076:2982998
https://technet.microsoft.com/library/security/ms14-076

Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass

-MS14-077:3003381
https://technet.microsoft.com/library/security/ms14-077

Vulnerability in Active Directory Federation Services Could Allow Information Disclosure

-MS14-078:2992719
https://technet.microsoft.com/library/security/ms14-078

Vulnerability in IME (Japanese) Could Allow Elevation of Privilege

-MS14-079:3002885
https://technet.microsoft.com/library/security/ms14-079

Vulnerability in Kernel Mode Driver Could Allow Denial of Service


November 2014 Security Bulletin Resources:

-
http://blogs.technet.com/b/msrc/archive/2014/11/11/november-2014-updates.aspx

November 2014 Bulletin Release Blog Post "November 2014 Security Updates"
- http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-novemb er-2014-security-updates.aspx

Assessing Risk for the November 2014 Security Updates
- http://www.microsoft.com/en-us/download/malicious-software-removal-tool-details .aspx

Malicious Software Removal Tool: November 2014 Update



Security Events and Training


http://www.microsoftvirtualacademy.com/training-courses/what-s-new-in-windows- 8-1-security

Microsoft Virtual Academy (MVA): Windows 8.1 Security

Learn about core investments in security for Windows 8.1, including authentication, multifactor access control, pervasive encryption, and protecting corporate data in a "bring your own device" (BYOD) world.


http://www.microsoftvirtualacademy.com/training-courses/windows-8-1-to-go MVA: Windows 8.1 To Go

Windows To Go is a full fidelity desktop that includes touch, virtualization technologies, secure connection via DirectAccess, and data encryption with BitLocker. Find out how to use Windows To Go to create a bootable USB that turns almost any PC into a secure Windows 8.1 corporate PC—without requiring network connectivity.


https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032598914
The Hybrid Cloud: A Balancing Act between Benefits and Security
Thursday, December 4, 2014 – 10:00 AM Pacific Time

Learn how to extend your datacenter to the cloud in a secure and automated
way, how to secure your information in the cloud, how to manage security in a mix of private and public clouds, why a hosted private cloud can be the best solution for sensitive data and mission critical workloads.






Essential Tools


-
http://technet.microsoft.com/security/bulletin
Microsoft Security Bulletins

-
http://technet.microsoft.com/security/advisory
Microsoft Security Advisories

-
http://www.microsoft.com/security/sdl/adopt/starterkit.aspx
Microsoft Security Development Lifecycle Starter Kit

-
http://support.microsoft.com/kb/2458544
Enhanced Mitigation Experience Toolkit

-
http://www.microsoft.com/security/pc-security/malware-removal.aspx
Malicious Software Removal Tool

-
http://technet.microsoft.com/security/cc184924.aspx
Microsoft Baseline Security Analyzer


Security Centers


-
http://technet.microsoft.com/security
Security TechCenter

-
http://msdn.microsoft.com/security
Security Developer Center

-
http://www.microsoft.com/security/msrc/default.aspx
Microsoft Security Response Center

-
http://www.microsoft.com/security/portal/
Microsoft Malware Protection Center

-
http://www.microsoft.com/privacy
Microsoft Privacy

-
http://support.microsoft.com/select/default.aspx?target=hub&c1=10750 Microsoft Security Product Solution Centers


Additional Resources


-
http://blogs.microsoft.com/cybertrust/
Microsoft Cybertrust Blog

-
http://www.microsoft.com/security/sdl
Microsoft Security Development Lifecycle

-
http://technet.microsoft.com/library/cc162838.aspx
Malware Response Guide

-
http://technet.microsoft.com/security/bb980617.aspx
Security Troubleshooting and Support Resources

-
http://www.microsoft-careers.com/go/Trustworthy-Computing-Jobs/194701/ Trustworthy Computing Careers




microsoft.com/about/twcTrustworthy Computing




This is a monthly newsletter for IT professionals and
developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.



(c) 2014 Microsoft Corporation
http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Copyright/defa ult.aspx

Terms of Use |
http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Trademarks/EN- US.aspx

Trademarks


Microsoft respects your privacy. To learn more please read our online http://go.microsoft.com/fwlink/?LinkId=248681
Privacy Statement .



If you would prefer not to receive the Microsoft Security Newsletter from Microsoft and its family of companies please http://click.email.microsoftemail.com/m_hcp.aspx?qs=0bb7f39debca1b0ad10fb2e924b 6311d344a0079e5cc587f4d16330b7c3cc8e7aa3d48879950d85d33a47e9a9586dfefd285dcac31 618dc8dc003c00be261a9c72594a3586d81d7286e98b0b1a8ee27e29d2b77d01db35e3&oneClick =newsletter

click here . These settings will not affect any other newsletters youÆve requested or any mandatory service communications that are considered part of certain Microsoft services.



To set your contact preferences for other Microsoft communications http://click.email.microsoftemail.com/m_hcp.aspx?qs=0bb7f39debca1b0ad10fb2e924b 6311d344a0079e5cc587f4d16330b7c3cc8e7aa3d48879950d85d33a47e9a9586dfefd285dcac31 618dc8dc003c00be261a9c72594a3586d81d7286e98b0b1a8ee27e29d2b77d01db35e3

click here .



Microsoft Corporation

One Microsoft Way

Redmond, WA 98052 USA
---
■ Synchronet ■ Time Warp of the Future BBS - Home of League 10 IBBS Games