Microsoft

Welcome to the Microsoft Security Newsletter - a monthly newsletter for IT professionals and developers bringing security news, guidance, updates, and community resources direct to your inbox. To view an online version of this newsletter, please click here. If you would like to receive less technical security news, guidance and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

Viewpoint

Building Security into Windows Vista and the Microsoft Culture

By Michael Howard, Principal Security Program Manager, Microsoft Corporation
At the end of the day, you improve security by focusing on security. Explore how -- and, more importantly, why -- the Security Development Lifecycle (SDL) has resulted in a reduction in vulnerabilities across major Microsoft products, including Windows Vista.

Top Stories

Microsoft Security Development Lifecycle (SDL) - Detailed Process Guidance Now Available!

As part of its commitment to a more secure and trustworthy computing ecosystem, Microsoft is making the details of the SDL process generally available online for the first time. IT policy makers and software development organizations can leverage this content to enhance and inform their own software security and privacy assurance programs.

News from RSA: Microsoft's Vision for a More Trusted Internet

Read Microsoft's End to End Trust whitepaper and join an online discussion forum about building a more secure and privacy enhanced Internet.

Try System Center Mobile Device Manager Today

See firsthand how Microsoft System Center Mobile Device Manager with Windows Mobile 6.1 can help improve mobile device security, simplify management, and lower costs. Download the 120-day Trial Evaluation software.

Forefront Codename "Stirling" Beta Now Available for Download

Microsoft Forefront codename "Stirling" is an integrated security system that delivers comprehensive, coordinated protection across endpoints, server applications, and the network edge. It provides simplified management and critical visibility that make security easier to manage and control. Register today and you'll automatically receive access to valuable beta resources throughout the evaluation experience.

Evaluate Microsoft Security Products and You Could Win a Windows Home Server

Download a free trial or take a virtual lab of Forefront Client Security, Forefront Security for Exchange Server or Forefront Security for SharePoint and be entered for a chance to win great prizes. Find out more at Evalu'08.

Security Guidance

Security Tip of the Month: Laying the Foundation for the Microsoft Security Development Lifecycle: Implementing the Principles

By Jeremy Dallman, Security Program Manager, Microsoft Security Engineering & Communications
Learn how to establish a baseline architectural understanding of your application security, one that identifies critical weaknesses and provides enough evidence to support the decision to move forward with a full SDL adoption.

Lessons Learned from Five Years of Building More Secure Software

Learn about prioritizing code by age, using analysis tools and automation, looking at threats from multiple angles, and the importance of education.

Eight Simple Rules for Developing More-Secure Code

This article presents that list of habits shared by developers of secure code. From taking responsibility to using the best tools available, these habits can help make you a more secure developer.

Protecting Your Code with Visual C++ Defenses

Read about some of the buffer overrun defenses available in Visual C++ 2005 and beyond.

Discover HelloSecureWorld

HelloSecureWorld.com provides a powerful experience for promoting security awareness and education in the developer community by surfacing existing content as well as new.

This Month's Security Bulletins

Critical:

•	MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183)
•	MS08-021: Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
•	MS08-022: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)
•	MS08-023: Security Update of ActiveX Kill Bits (948881)
•	MS08-024: Cumulative Security Update for Internet Explorer (947864)

Important:

•	MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032)
•	MS08-020: Vulnerability in DNS Client Could Allow Spoofing (945553)
•	MS08-025: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)

Community / MVP Update

MVP of the Month: Reza Alirezaei

Reza Alirezaei is a principal architect with a background in Microsoft SharePoint technologies, BI, and .NET development. He has been involved with SharePoint since its Tahoe days (SPS 2001) and has worked with many large enterprises to help them realize the benefits from adopting this great platform. Originally from Iran, Reza moved to Canada in late 2004 and soon received his first MVP award in SQL Server Reporting Services. In 2007, he was nominated and awarded MVP status for the second time in Microsoft Office SharePoint Server.

MVP Article of the Month: Security and Application Development in SharePoint - First Steps

By Reza Alirezaei, Microsoft Office SharePoint Server 2007 MVP
Security principles in the world of programming using the SharePoint object model usually boil down to two key principles at design and development stages: know your threat model and know what security context your code runs on behalf of. Read this article for detailed security best practices that you can implement during the design and development stages of building business solutions on the SharePoint platform.

Partners with Expertise in Security Solutions

Cenzic

An innovative leader in automated application security assessment, Cenzic offers software that tests Web applications in a stateful manner and emulates a hacker, thereby producing manual penetration testing results in a cost-effective way. Cenzic solutions provide application security quality assurance that assists companies in detecting and managing security vulnerabilities, testing for application logic, and enforcing security policies throughout the Software Development Life Cycle (SDLC).

Visual Studio Industry Partners

A number of Visual Studio Industry Partners provide tools to help identify and resolve security vulnerabilities and enact secure development practices across the software development lifecycle. To reduce training times and enhance productivity, most tools designed to aid in the creation of secure code are integrated with the Visual Studio IDE, so developers can use these features from within a familiar environment.

Microsoft Product Lifecycle Information

Find information about your particular products on the Microsoft Product Lifecycle Web site.

•	See a List of Supported Service Packs: Microsoft provides free software updates for security and nonsecurity issues for all supported service packs.

Security Events and Training

Learn from Microsoft and industry experts, connect with your peers, and choose from over 1,000 learning opportunities including Security or Identity and Access track sessions. Tech-Ed is the premier technical education conference from Microsoft and now features separate conferences for IT professionals and developers. Plus, an online session catalog makes it easy for you to create a custom-fit schedule. Don't miss your opportunity. Register now.

MSDN Webcast: Overview of Developing for User Account Control (Level 200)

Discover how you can develop applications using the principle of least privilege with UAC. We explain how developing with UAC reduces the security exposure and the attack surface of both the operating system and user-developed applications. We also provide best practices for developing and managing UAC, ensuring compatibility with existing applications, and coding to take advantage of UAC protection

TechNet Webcast: 24 Hours of SQL Server 2008: Spotlight on Security

Learn how to secure your system and ensure your data is secure with a trusted platform with the security-focused webcasts in the 24 Hours of SQL Server miniseries. Explore such features as surface area configuration policies, external key management, Network Access Protection (NAP), Windows BitLocker Drive Encryption, and more.

Upcoming Security Webcasts

IT Manager Webcast: How Microsoft IT Secures Mobile Devices (Level 200)

Thursday, April 10, 9:30 AM Pacific Time
John Albertson, Microsoft IT Mobile Service Planner, Microsoft Corporation

Interactive Security Webcast Calendar

Upcoming security webcasts in a dynamic, interactive format.

For IT Professionals

•	TechNet Webcast: Windows Mobile Series: Device Management and Device Provisioning (Level 300) Thursday, April 10, 11:30 AM Pacific Time Vik Thairani, Senior Mobility Consultant, Microsoft Corporation
•	TechNet Webcast: All About Communications Server 2007 Security (Level 300) Wednesday, April 16, 8:00 AM Pacific Time Byron Spurlock, Consultant, Microsoft Consulting Services, Microsoft Corporation
•	TechNet Webcast: How Microsoft IT Managed Windows Server 2008 Network Security (Level 300) Tuesday, April 22, 9:30 AM Pacific Time Marius Apreutesei, Microsoft IT Systems Engineer, Microsoft Corporation
•	TechNet Webcast: Firewall Transversal in Communications Server 2007 (Level 300) Tuesday, April 29, 8:00 AM Pacific Time Byron Spurlock, Consultant, Microsoft Consulting Services, Microsoft Corporation
•	TechNet Webcast: What's New with ISA and IAG and a Road Map for the Future of Edge Security (Level 300) Wednesday, April 30, 1:00 PM Pacific Time Uri Lichtenfeld, Product Manager, Microsoft Corporation
•	TechNet Webcast: Information About Microsoft May Security Bulletins (Level 200) Wednesday, May 14, 11:00 AM Pacific Time Bill Sisk, Security Response Communications Manager, Microsoft Corporation, and Adrian Stone, Lead Security Program Manager, Microsoft Corporation
•	TechNet Webcast: Configuration Manager 2007 and Network Access Protection (Level 300) Wednesday, May 14, 11:30 AM Pacific Time Jeff Wettlauffer, Senior Technical Product Manager, Microsoft Corporation

For Developers

•	MSDN Webcast: IIS 7.0 in Windows Server 2008 for Developers (Level 200) Wednesday, April 16, 9:00 AM Pacific Time Mike Benkovich, MSDN Developer Evangelist, Microsoft Corporation
•	MSDN Webcast: Working with Membership Providers (Level 200) Wednesday, April 30, 9:00 AM Pacific Time Mike Benkovich, MSDN Developer Evangelist, Microsoft Corporation

Microsoft On-Demand Webcasts

•

IT Manager Webcast: Windows Mobile Series: Improving Mobile Security and Management (Level 100)
Mobile access should not compromise the security of your data nor should it be a burden for your IT organization to manage. Join this session to learn how Windows Mobile, combined with Microsoft System Center Mobile Device Manager 2008, provides a comprehensive solution for mobile device security and management.

•

TechNet Webcast: How to Overcome the Top 10 Mobile Device Security and Management Challenges (Level 200)
Learn how you can improve secure access to corporate data and line-of-business (LOB) applications and simplify management of Windows Mobile devices with Microsoft System Center Mobile Device Manager, a single, end-to-end solution for comprehensive mobile device security and management. We explain how System Center Mobile Device Manager provides integration into Active Directory, rich inventory and reporting tools, secure virtual private network (VPN) access, and more.

Volume 5, No. 4

April 2008

In This Issue:

	Viewpoint
	Top Stories
	Security Guidance
	This Month's Security Bulletins
	Community / MVP Update
	Partners with Expertise in Security Solutions
	Microsoft Product Lifecycle Information
	Security Events and Training
	Upcoming Security Webcasts

Security Program Guide

•	Security Awareness Materials Guidance, samples, and templates for creating a security-awareness program in your organization.
•	Learn Security On the Job
•	Learning Paths for Security - Microsoft Training References and Resources

Upcoming Chats

•	View a listing of upcoming technical chats.

Free In-Person Events

•	TechNet Events

Security Blogs

•	Michael Howard
•	Eric Lippert
•	Eric Fitzgerald
•	Steve Lamb
•	MSRC Blog
•	ACE Team
•	Jeff Jones
•	Windows Vista Security
•	Solution Accelerators - Security & Compliance
•	Kai Axford
•	Security Vulnerability Research & Defense
•	Steve Riley
•	Security Development Lifecycle (SDL)

Security Newsgroups

•	General Security issues/questions Open with newsreader
•	Virus issues/questions Open with newsreader
•	ISA Server Open with newsreader
•	Windows 2000: Security Open with newsreader
•	Windows XP: Security Administration Open with newsreader
•	SQL Server: Security Open with newsreader
•	Windows Server: Security Open with newsreader
•	Other Security Newsgroups

Community Web Sites

•	IT Pro Security Community
•	Security Newsgroups
•	Related Communities

Additional Security Resources

•	Security Help and Support for IT Professionals
•	TechNet Troubleshooting and Support Page
•	Microsoft Security Glossary
•	TechNet Security Center
•	MSDN Security Developer Center
•	Midsize Business Security Center
•	Sign-Up for the Microsoft Security Notification Service
•	Security Bulletin Search Page
•	Home Users: Protect Your PC
•	MCSE/MCSA: Security Certifications
•	Subscribe to TechNet
•	Register for TechNet Flash IT Newsletter
•	Subscribe to MSDN

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, BitLocker, Forefront, MSDN, SharePoint, Visual C++, Visual Studio, Windows, Windows Mobile, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies.

To cancel your subscription to this newsletter, reply to this message with the word *** in the Subject line. You can also *** at http://www.microsoft.com/info/***.htm. You can manage all your Microsoft.com communication preferences at this site.

Legal Information.

This newsletter was sent by the Microsoft Corporation
One Microsoft Way
Redmond, Washington, USA
98052

Back to newsletter list

Date:

From:

Subject:

Microsoft Security Newsletter - Volume 5, Issue 4