Trustworthy Computing | June 2014
Microsoft Security Newsletter
Welcome to June’s Security Newsletter!
Last month, we covered the top threats facing enterprise organizations and how to help protect against them. This month’s newsletter focuses on security guidance for data protection and, specifically, public key infrastructure (PKI), which many organizations have in place to support data protection and authentication.
If attackers successfully gain access to your organization’s PKI, this can expose your organization to serious risk. To help you design PKIs and protect this infrastructure from emerging threats, Microsoft IT, Microsoft’s IT department, has released a detailed technical reference document entitled “Securing Public Key Infrastructure” (http://aka.ms/securingpkidl). Included in the document you will find guidance on:
- Common vectors for PKI compromise
- Planning cryptographic algorithms and certificate usages
- Designing physical security
- Implementing technical controls to secure PKI
- Protecting PKI artifacts and assets
- Monitoring PKI for malicious activity
- Recovering from a compromise
If you are an IT professional and have a PKI running in your environment, I encourage you to download and read the paper—and consult the resources listed below for additional guidance. I hope you find these resources helpful.
Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.
Top Stories
http://blogs.technet.com/b/security/archive/2014/06/12/who-exploits-vulnerabilities-the-path-from-disclosure-to-mass-market-exploitation.aspx
Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation
Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of the software or the data that it processes. Learn why the parties that initially disclose vulnerabilities are not always the same parties that go on to develop and use exploits that take advantage of them—and what you can do to mitigate the risk from exploits.
http://blogs.technet.com/b/security/archive/2014/06/17/when-vulnerabilities-are-exploited-the-timing-of-first-known-exploits-for-remote-code-execution-vulnerabilities.aspx
When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities
Ever wonder how many days of risk exist between the time that a vulnerability is disclosed and when we first see active exploitation of it; i.e., how long do organizations have to deploy the update before active attacks are going to happen? Explore the Trustworthy Computing Security Science team’s new data from the recently released Microsoft Security Intelligence Report volume 16 (http://www.microsoft.com/security/sir/default.aspx).
http://blogs.technet.com/b/security/archive/2014/06/09/keeping-oracle-java-updated-continues-to-be-high-security-roi.aspx
Keeping Oracle Java Updated Continues to be High Security ROI
One of the most popular tactics attackers use to try to exploit vulnerabilities in Java is using exploit kits. Learn why keeping Java up-to-date with security updates is one of the most effective ways to protect environments from attackers.
Security Guidance
http://blogs.technet.com/b/yungchou/archive/2013/10/21/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-1-of-2.aspx
Security Tip of the Month: Enterprise PKI with Windows Server 2012 R2 Active Directory Certificate Services
PKI is heavily employed in cloud computing for encrypting data and securing transactions. While Windows Server 2012 R2 is developed as a building block for cloud solutions, there is an increasing demand for IT professionals to acquire proficiency on implementing PKI with Windows Server 2012 R2. This two-part blog post series (click here for Part 2: http://blogs.technet.com/b/yungchou/archive/2013/10/22/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-2-of-2.aspx) will help you implement a simple PKI for assessing or piloting solutions, and better understand and become familiar with the process.
http://www.microsoft.com/download/details.aspx?id=38785
Best Practices for Securing Active Directory
Download recommendations to enhance the security of Active Directory installations. Learn about common attacks against Active Directory, the countermeasures you can take to reduce the attack surface, and get recommendations for recovery.
http://technet.microsoft.com/library/jj889441.aspx
Trusted Platform Module (TPM) Fundamentals
Explore the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) (http://technet.microsoft.com/library/jj131725.aspx) and learn how they are used to mitigate dictionary attacks. Looking for more TPM guidance? Check out these resources:
- Initialize and Configure Ownership of the TPM (http://technet.microsoft.com/library/dn466538.aspx)
- TPM Services Group Policy Settings (http://technet.microsoft.com/library/jj679889.aspx)
- Backup the TPM Recovery Information to Active Directory Domain Services (AD DS) (http://technet.microsoft.com/library/dn466534.aspx)
- Manage TPM Commands (http://technet.microsoft.com/library/dn466537.aspx)
- Manage TPM Lockout (http://technet.microsoft.com/library/dn466535.aspx)
http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/default.aspx
TPM Platform Crypto-Provider Toolkit
Download sample code, utilities and documentation for using TPM-related functionality in Windows 8. Subsystems described include the TPM-backed Crypto-Next-Gen (CNG) platform crypto-provider, and how attestation-service providers can use the new Windows features. Both TPM1.2 and TPM2.0-based systems are supported.
http://technet.microsoft.com/library/gg699362.aspx
PKI Certificate Requirements for Configuration Manager
Find a list of the PKI certificates you might require for System Center 2012 Configuration Manager. This information assumes basic knowledge of PKI certificates. For step-by-step guidance and for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority (http://technet.microsoft.com/library/gg682023.aspx).
Community Update
http://social.technet.microsoft.com/wiki/contents/articles/2901.public-key-infrastructure-design-guidance.aspx
Public Key Infrastructure Design Guidance
Before you configure a PKI and certification authority (CA) hierarchy, you should be aware of your organization's security policy and certificate practice statement (CPS). Explore your design options and find links to examples of policy statements if your organization does not currently have one.
http://social.technet.microsoft.com/wiki/contents/articles/7421.ad-cs-pki-design.aspx
Active Directory Certificate Services (AD CS) PKI Design Guide
While Windows Server 2012 products provide a variety of secure applications and business scenarios based on the use of digital certificates, you need to design a public key infrastructure (PKI) before you can use those certificates. Check out this step-by-step wiki guide for guidance on everything from identifying your AD CS deployment goals to creating a certificate management plan.
This Month's Security Bulletins
June 2014 Security Bulletins
Critical
- MS14-035 (2969262): Cumulative Security Update for Internet Explorer (https://technet.microsoft.com/library/security/ms14-035)
- MS14-036 (2967487): Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (https://technet.microsoft.com/library/security/ms14-036)
Important
- MS14-034 (2969261): Vulnerability in Microsoft Word Could Allow Remote Code Execution (https://technet.microsoft.com/library/security/ms14-034)
- MS14-033 (2966061): Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure (https://technet.microsoft.com/library/security/ms14-033)
- MS14-032 (2969258): Vulnerability in Microsoft Lync Server Could Allow Information Disclosure (https://technet.microsoft.com/library/security/ms14-032)
- MS14-031 (2962478): Vulnerability in TCP Protocol Could Allow Denial of Service (https://technet.microsoft.com/library/security/ms14-031)
- MS14-030 (2969259): Vulnerability in Remote Desktop Could Allow Tampering (https://technet.microsoft.com/library/security/ms14-030)
June 2014 Security Bulletin Resources:
- Theoretical Thinking and the June 2014 Bulletin Release (http://blogs.technet.com/b/msrc/archive/2014/06/10/theoretical-thinking-and-the-june-2014-bulletin-release.aspx)
- June 2014 Security Bulletin Webcast (http://www.youtube.com/watch?v=FgOfDCyAIXs)
- June 2014 Security Bulletin Webcast Q&A (http://blogs.technet.com/b/msrc/p/july-2014-security-bulletin-q-a.aspx)
- Malicious Software Removal Tool: June 2014 Update (http://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)
Security Events and Training
http://www.microsoftvirtualacademy.com/training-courses/defense-in-depth-windows-8-1-security
Defense in Depth: Windows 8.1 Security
See how Windows 8.1 addresses security as a whole system, one layer at a time with this seven-module course from Microsoft Virtual Academy. Explore methods of developing a secure baseline and learn how to harden your Windows enterprise architectures from pass-the-hash and other advanced attacks.
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032590419
Office 365 Education Technical Overview
Wednesday, July 16, 2014 – 1:00PM Central Time
Better understand the technical tools and resources of Office 365 Education, and learn how to support the unique needs of your school without sacrificing identity management and other security and compliance measures. This session will also be conducted every Wednesday at this time in August.
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032590429
Office 365 Education Deployment Overview
Thursday, July 24, 2014 – 1:00PM Central Time
Compare your Microsoft Office 365 for education deployment options and learn about the terminology and tools available to streamline your deployment. Topics will include networking, identity management, hybrid deployments, and synchronization. This session will also be conducted every Wednesday at this time in August.
Essential Tools
- Microsoft Security Bulletins (http://technet.microsoft.com/security/bulletin)
- Microsoft Security Advisories (http://technet.microsoft.com/security/advisory)
- Security Compliance Manager (http://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
- Microsoft Security Development Lifecycle Starter Kit (http://www.microsoft.com/security/sdl/adopt/starterkit.aspx)
- Enhanced Mitigation Experience Toolkit (http://support.microsoft.com/kb/2458544)
- Malicious Software Removal Tool (http://www.microsoft.com/security/pc-security/malware-removal.aspx)
- Microsoft Baseline Security Analyzer (http://technet.microsoft.com/security/cc184924.aspx)
Security Centers
- Security TechCenter (http://technet.microsoft.com/security)
- Security Developer Center (http://msdn.microsoft.com/security)
- Microsoft Security Response Center (http://www.microsoft.com/security/msrc/default.aspx)
- Microsoft Malware Protection Center (http://www.microsoft.com/security/portal/)
- Microsoft Privacy (http://www.microsoft.com/privacy)
- Microsoft Security Product Solution Centers (http://support.microsoft.com/select/default.aspx?target=hub&c1=10750)
Additional Resources
- Trustworthy Computing Security and Privacy Blogs (http://www.microsoft.com/about/twc/en/us/blogs.aspx)
- Microsoft Security Intelligence Report (http://www.microsoft.com/security/sir)
- Microsoft Security Development Lifecycle (http://www.microsoft.com/security/sdl)
- Malware Response Guide (http://technet.microsoft.com/library/cc162838.aspx)
- Security Troubleshooting and Support Resources (http://technet.microsoft.com/security/bb980617.aspx)
- Trustworthy Computing Careers (http://www.microsoft-careers.com/go/Trustworthy-Computing-Jobs/194701/)
Trustworthy Computing: microsoft.com/about/twc
This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.
(c) 2014 Microsoft Corporation
Terms of Use (http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Copyright/default.aspx) | Trademarks (http://www.microsoft.com/About/Legal/EN/US/IntellectualProperty/Trademarks/EN-US.aspx)
Microsoft respects your privacy. To learn more please read our online Privacy Statement (http://go.microsoft.com/fwlink/?LinkId=248681).
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052 USA