Microsoft Security Newsletter - July 2015



July 2015
Microsoft Security Newsletter



Welcome to July's Security Newsletter!

The focus of this month's newsletter is a topic that is top of mind for many of the CISOs and IT professionals I talk to these days—cloud security. With more and more organizations around the world leveraging cloud services, understanding how to protect your assets in the cloud and provide users with secure access to those assets is more important than ever. As a result, we have a great security tip from Tom Shinder on penetration testing applications hosted in Azure.



Additionally, Windows 10 is now publicly available! Explore the http://blogs.w indows.com/business/2015/07/28/windows-10-available-for-business-today/

business benefits of Windows 10 , learn about the http://blogs.windows.com/bloggingwindows/2015/07/24/security-in-windows-10/ built-in security features , and take advantage of the free https://www.microsoft.com/en-us/windows/windows-10-upgrade
Windows 10 Home and Windows 10 Pro upgrade offer for those on Windows 7 or Windows 8.1. Then, when you're ready to start testing Windows 10 for your organization, download the http://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise Windows 10 Enterprise Evaluation to try Windows 10 Enterprise free for 90 days.



Best regards,

Tim Rains, Chief Security Advisor

Cybersecurity & Cloud Strategy, Microsoft



Want to share this newsletter with a friend or colleague? https://technet.microsoft.com/en-us/security/cc307424.aspx
Click here for the online edition and subscription options .


Have feedback on how we can improve this newsletter? Email us at mailto:secnlfb@microsoft.com
secnlfb@microsoft.com and share your ideas.




Top Stories



http://blogs.microsoft.com/cybertrust/2015/07/20/cloud-security-controls-series -multi-factor-authentication/

Cloud security controls series: multi-factor authentication

In a world where hundreds of millions of leaked credentials are bought and sold regularly, and phishing attacks are common and effective, passwords, even complex passwords and passphrases, by themselves are no longer sufficient to protect resources and data. Find out how to use multi-factor authentication to help protect users, data, and applications in the cloud.


http://blogs.microsoft.com/cybertrust/2015/07/13/cloud-security-controls-series -azure-active-directorys-access-and-usage-reports/

Cloud security controls series: Azure Active Directoryæs access and usage reports

Explore the types of information and security controls facilitated by Azure Active Directory (Azure AD) access and usage reports.


http://blogs.microsoft.com/cybertrust/2015/07/23/cloud-security-controls-series -azure-ad-privileged-identity-management/

Cloud security controls series: Azure AD Privileged Identity Management

Using the principle of least privilege with Cloud resources makes as much sense as it does for on-premises resources. Learn how Azure AD Privileged Identity Management can help you discover the Azure AD privileged administrator roles and the user accounts they are assigned to, as well as enable you to revoke permanent privileged access and provide a mechanism that manages on-demand, time-limited access for Azure AD privileged accounts.




Security Guidance

https://technet.microsoft.com/security/mt346049.aspx
Security Tip of the Month: Pen Testing Your Applications Hosted In Microsoft Azure
By Tom Shinder, Program Manager, Microsoft Azure Security Engineering

One of the great things about using Microsoft Azure for application testing and deployment is that you don't need to put together an on-premises infrastructure to develop, test, and deploy your applications. All the infrastructure is taken care of by the Microsoft Azure platform services. You don't have to worry about requisitioning, acquiring, and "racking and stacking" your own on-premises hardware. Just dev and deploy!



As a reader of this newsletter, you're likely a security-conscious person. While the dev and deploy mantra sounds great and makes you as agile as agile can be, that fact is that security needs to be job one, not only on-premises, but perhaps even more so in the cloud. That's fine, because you can handle it.



You might already know that Microsoft performs regular http://download.microso ft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise _Cloud_Red_Teaming.pdf

internal penetration testing of our own Azure environment. This is a good thing, as it helps us improve our platform and guides our actions in terms of changing current security controls, introducing new security controls, and improving our security processes. We live by the principle of continuous business improvement, and with Azure platform security, it's our passion.



If penetration testing is good for us, then it's good for you. No, we won't pen test your application for you, but we do understand that you will want to do perform pen testing on your own applications. That's a good thing, because when you enhance the security of your applications, you help make the entire Azure ecosystem more secure.



The trick here is that when you pen test your applications, it might look like an attack to us. We http://blogs.msdn.com/b/azuresecurity/archive/2015/07/05/b est-practices-to-protect-your-azure-deployment-against-cloud-drive-by-attacks.a spx

continuously monitor for attack patterns and will initiate an incident response process if we need to. It doesn't help you and it doesn't help us if we trigger an incident response due to your own due diligence pen testing. What to do?



That leads us to this month's security tip! When you're ready to pen test your Azure-hosted applications, all you need to do is let us know. Once we know that you're going to be performing specific tests, we'll have insight into what's going on and we won't shut you down, as long as your tests conform to the Azure pen testing terms and conditions.



Standard tests that you can perform include:



-
Tests on your endpoints to uncover the https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Open Web Application Security Project (OWASP) top 10 vulnerabilities

-
https://en.wikipedia.org/wiki/Fuzz_testing"
Fuzz testing of your endpoints


-
https://en.wikipedia.org/wiki/Port_scanner
Port scanning of your endpoints




One type of test that you can't perform is any kind of https://en.wikipedia.org/wiki/Denial-of-service_attack
Denial of Service (DoS) attack. This includes initiating a DoS attack itself, or performing related tests that might determine, demonstrate or simulate any type of DoS attack.



Are you ready to get started with pen testing your applications hosted in Microsoft Azure? If so, then head on over to the https://security-forms.azure.com/penetration-testing/terms
Penetration Test Overview page (which is also linked to from the http://azure.microsoft.com/en-us/support/trust-center/security/
Azure Trust Center ) and click the Create a Testing Request button at the bottom of the page. You'll also find more information on the pen testing terms and conditions and helpful links on how you can report security flaws related to Azure or any other Microsoft service.



To keep up to date on the latest security information and topics as related to Microsoft Azure, make sure to bookmark the http://blogs.msdn.com/b/azuresecurity/
Azure Security Blog . Thanks!!! -Tom.


https://channel9.msdn.com/Events/Ignite/2015/BRK3865
How Microsoft Azure Active Directory helps prevent, detect and remediate attacks to your enterprise

Explore a set of solutions across Active Directory and Azure AD that can help your organization easily identify key risks, and learn how to implement mechanisms across the hybrid enterprise to prevent, detect, and remediate the attacks your organizations may face.


http://azure.microsoft.com/en-us/documentation/videos/build-2015-azure-active-d irectory-identity-management-as-a-service-for-modern-applications/

Azure Active Directory: Identity Management as a Service for modern applications

Identity Management as a Service (IDMaaS) is an emerging capability to help developers and organizations manage access to modern applications. Learn more in this on demand session from //build.


https://azure.microsoft.com/en-us/documentation/articles/active-directory-admin ister/

Administer your Azure AD directory

Find out how Azure AD can help you manage identities.


https://azure.microsoft.com/en-us/documentation/articles/active-directory-privi leged-identity-management-configure/

Azure AD Privileged Identity Management

Azure AD Privileged Identity Management lets you manage, control, and monitor your privileged identities and their access to resources in Azure AD, and in other Microsoft online services such as Office 365 or Microsoft Intune. Walk through the core scenarios for Azure AD Privileged Identity Management and learn how to put it to work for you.


https://azure.microsoft.com/en-us/documentation/articles/active-directory-manag e-passwords/

Manage passwords in Azure AD

Explore the full set of password management capabilities that Azure Active Directory supports, which include self-service password change and reset, administrator-initiated password reset, password management activity reports, and password writeback.




Community Update

https://channel9.msdn.com/blogs/Microsft-Services-Showcase/Cybersecurity-and-th e-Cloud

Cybersecurity and the cloud

Watch Gartner VP of Research Lawrence Orans present details on the current cyber threat landscape and the latest trends in security and the cloud.




This Month's Security Bulletins


July 2015 Security Bulletins


Critical

-MS15-065:3076321
https://technet.microsoft.com/library/security/MS15-065

Security Update for Internet Explorer

-MS15-066:3072604
https://technet.microsoft.com/library/security/MS15-066
Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution

-MS15-067:3073094
https://technet.microsoft.com/library/security/MS15-067
Vulnerability in RDP Could Allow Remote Code Execution

-MS15-068:3072000
https://technet.microsoft.com/library/security/MS15-068
Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution

-MS15-078:3079904
https://technet.microsoft.com/library/security/MS15-078
Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution



Important

-MS15-058:3065718
https://technet.microsoft.com/library/security/MS15-058
Vulnerabilities in SQL Server Could Allow Remote Code Execution

-MS15-069:3072631
https://technet.microsoft.com/library/security/MS15-069
Vulnerabilities in Windows Could Allow Remote Code Execution

-MS15-070:3072620
https://technet.microsoft.com/library/security/MS15-070
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

-MS15-071:3068457
https://technet.microsoft.com/library/security/MS15-071
Vulnerability in Netlogon Could Allow Elevation of Privilege

-MS15-072:3069392
https://technet.microsoft.com/library/security/MS15-072
Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege

-MS15-073:3070102
https://technet.microsoft.com/library/security/MS15-073
Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

-MS15-074:3072630
https://technet.microsoft.com/library/security/MS15-074
Vulnerability in Windows Installer Service Could Allow Elevation of Privilege

-MS15-075:3072633
https://technet.microsoft.com/library/security/MS15-075
Vulnerabilities in OLE Could Allow Elevation of Privilege

-MS15-076:3067505
https://technet.microsoft.com/library/security/MS15-076
Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege

-MS15-077:3077657
https://technet.microsoft.com/library/security/MS15-077
Vulnerability in ATM Font Driver Could Allow Elevation of Privilege


July 2015 Security Bulletin Resources:

- http://blogs.technet.com/b/msrc/archive/2015/07/14/july-2015-security-updates .aspx

July 2015 Bulletin Release Blog Post
- http://www.microsoft.com/en-us/download/malicious-software-removal-tool-detai ls.aspx

Malicious Software Removal Tool: July 2015 Update



Security Events and Training



https://www.microsoftvirtualacademy.com/en-US/training-courses/getting-started- with-azure-security-for-the-it-professional-11165

Getting started with Azure security for the IT professional

Do IT security concerns keep you up at night? You're not alone! Many IT pros want to extend their organization's infrastructure but need reassurance about security. Whether you are researching a hybrid or a public cloud model with Microsoft Azure, the question remains the same: Does the solution meet your own personal and your organization's bar for security, including industry standards, attestations, and ISO certifications?



In this demo-filled Microsoft Virtual Academy course, you can explore these and other hot topics, as a team of security experts and Azure engineers takes you beyond the basic certifications and explores what's possible inside Azure. See how to design and use various technologies to ensure that you have the security and architecture you need to successfully launch your projects in the cloud. Dive into datacenter operations, virtual machine (VM) configuration, network architecture, and storage infrastructure. Get the information and the confidence you need, from the pros who know, as they demystify security in the cloud.


http://www.microsoftvirtualacademy.com/training-courses/azure-active-directory- core-skills-jump-start

Active Directory core skills jump start

Constantly resetting customer passwords? Want to extend your on-premises Active Directory? Join this Microsoft Virtual Academy session to explore Azure Active Directory (Azure AD) as part of the Enterprise Mobility Core Skills series, arming you with key knowledge to enable enterprise mobility management and to prepare your environment for Windows 10.






Essential Tools


-
http://technet.microsoft.com/security/bulletin
Microsoft Security Bulletins

-
http://technet.microsoft.com/security/advisory
Microsoft Security Advisories

-
http://www.microsoft.com/security/sdl/adopt/starterkit.aspx
Microsoft Security Development Lifecycle Starter Kit

-
http://support.microsoft.com/kb/2458544
Enhanced Mitigation Experience Toolkit

-
http://www.microsoft.com/security/pc-security/malware-removal.aspx
Malicious Software Removal Tool

-
http://technet.microsoft.com/security/cc184924.aspx
Microsoft Baseline Security Analyzer


Security Centers


-
http://technet.microsoft.com/security
Security TechCenter

-
http://msdn.microsoft.com/security
Security Developer Center

-
http://www.microsoft.com/security/msrc/default.aspx
Microsoft Security Response Center

-
http://www.microsoft.com/security/portal/
Microsoft Malware Protection Center

-
http://www.microsoft.com/privacy
Microsoft Privacy

-
http://support.microsoft.com/select/default.aspx?target=hub&c1=10750
Microsoft Security Product Solution Centers


Additional Resources


-
http://blogs.microsoft.com/cybertrust/
Microsoft Cybertrust Blog

-
http://blogs.msdn.com/b/azuresecurity/
Microsoft Azure Security Blog

-
http://www.microsoft.com/security/sir
Microsoft Security Intelligence Report

-
http://www.microsoft.com/security/sdl
Microsoft Security Development Lifecycle

-
http://technet.microsoft.com/library/cc162838.aspx
Malware Response Guide

-
http://technet.microsoft.com/security/bb980617.aspx
Security Troubleshooting and Support Resources




technet.microsoft.com/security




This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.



(c) 2015 Microsoft Corporation

http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Copyright/defau lt.aspx

Terms of Use |

http://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/en-us.aspx Trademarks


Microsoft respects your privacy. To learn more please read our online http://go.microsoft.com/fwlink/?LinkId=248681
Privacy Statement .



If you would prefer not to receive the Microsoft Security Newsletter from Microsoft and its family of companies please http://click.email.microsoftemail .com/m_hcp.aspx?qs=0bb7f39debca1b0ad10fb2e924b6311d344a0079e5cc587f4d16330b7c3c c8e7aa3d48879950d85d33a47e9a9586dfefd285dcac31618dc81de3497427fc4e7b96125265d46 2c55d9b9e1bfa8c94da7e35321aa1e11b03a0&oneClick=newsletter

click here . These settings will not affect any other newsletters you've requested or any mandatory service communications that are considered part of certain Microsoft services.



To set your contact preferences for other Microsoft communications http://clic k.email.microsoftemail.com/m_hcp.aspx?qs=0bb7f39debca1b0ad10fb2e924b6311d344a00 79e5cc587f4d16330b7c3cc8e7aa3d48879950d85d33a47e9a9586dfefd285dcac31618dc81de34 97427fc4e7b96125265d462c55d9b9e1bfa8c94da7e35321aa1e11b03a0

click here .



Microsoft Corporation

One Microsoft Way

Redmond, WA 98052 USA
---
■ Synchronet ■ Time Warp of the Future BBS - Home of League 10 IBBS Games