Skip to main content



 

 
 
Trustworthy Computing | June 2014
Microsoft Security Newsletter
 
 
 
 
Welcome to June’s Security Newsletter!

Last month, we covered the top threats facing enterprise organizations and how to help protect against them. This month’s newsletter focuses on security guidance for data protection and, specifically, public key infrastructure (PKI), which many organizations have in place to support data protection and authentication.

If attackers successfully gain access to your organization’s PKI, this can expose your organization to serious risk. To help you design PKIs and protect this infrastructure from emerging threats, Microsoft IT, Microsoft’s IT department, has released a detailed technical reference document entitled “ Securing Public Key Infrastructure.” Included in the document you will find guidance on:

Common vectors for PKI compromise
Planning cryptographic algorithms and certificate usages
Designing physical security
Implementing technical controls to secure PKI
Protecting PKI artifacts and assets
Monitoring PKI for malicious activity
Recovering from a compromise


If you are an IT professional and have a PKI running in your environment, I encourage you to download and read the paper—and consult the resources listed below for additional guidance. I hope you find these resources helpful.

Tim Rains Best regards,
Tim Rains, Director
Microsoft Trustworthy Computing


Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.comand share your ideas.

 

Top Stories
 
Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation
Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of the software or the data that it processes. Learn why the parties that initially disclose vulnerabilities are not always the same parties that go on to develop and use exploits that take advantage of them—and what you can do to mitigate the risk rom exploits.

When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities
Every wonder how many days of risk exist between the time that a vulnerability is disclosed and when we first see active exploitation of it; i.e. how long do organizations have to deploy the update before active attacks are going to happen? Explore the Trustworthy Computing Security Science team’s new data from the recently released Microsoft Security Intelligence Report volume 16.

Keeping Oracle Java Updated Continues to be High Security ROI
One of the most popular tactics attackers use to try to exploit vulnerabilities in Java is using exploit kits. Learn why keeping Java up-to-date with security updates is one of the most effective ways to protect environments from attackers.

 

Security Guidance

Security Tip of the Month: Enterprise PKI with Windows Server 2012 R2 Active Directory Certificate Services
PKI is heavily employed in cloud computing for encrypting data and securing transactions. While Windows Server 2012 R2 is developed as a building block for cloud solutions, there is an increasing demand for IT professionals to acquire proficiency on implementing PKI with Windows Server 2012 R2. This two-part blog post series ( click here for Part 2) will help you implement a simple PKI for assessing or piloting solutions, and better understand and become familiar with the process.

Best Practices for Securing Active Directory
Download recommendations to enhance the security of Active Directory installations. Learn about common attacks against Active Directory, the countermeasures you can take to reduce the attack surface, and get recommendations for recovery.

Trusted Platform Module (TPM) Fundamentals
Explore the components of the Trusted Platform Module(TPM 1.2 and TPM 2.0) and learn how they are used to mitigate dictionary attacks. Looking for more TPM guidance? Check out these resources:

Initialize and Configure Ownership of the TPM
TPM Services Group Policy Settings
Backup the TPM Recovery Information to Active Directory Domain Services (AD DS)
Manage TPM Commands
Manage TPM Lockout


TPM Platform Crypto-Provider Toolkit
Download sample code, utilities and documentation for using TPM-related functionality in Windows 8. Subsystems described include the TPM-backed Crypto-Next-Gen (CNG) platform crypto-provider, and how attestation-service providers can use the new Windows features. Both TPM1.2 and TPM2.0-based systems are supported.

PKI Certificate Requirements for Configuration Manager
Find a list of the PKI certificates you might require for System Center 2012 Configuration Manager. This information assumes basic knowledge of PKI certificates. For step-by-step guidance and for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority.

 

Community Update
Public Key Infrastructure Design Guidance
Before you configure a PKI and certification authority (CA) hierarchy, you should be aware of your organizations security policy and certificate practice statement (CPS). Explore your design options and find links to examples of policy statements if your organization does not currently have one.

Active Directory Certificate Services (AD CS) PKI Design Guide
While Windows Server 2012 products provides a variety of secure applications and business scenarios based on the use of digital certificates, you need to design a public key infrastructure (PKI) before you can use those certificates. Check out this step-by-step wiki guide for guidance on everything from identifying your AD CS deployment goals to creating a certificate management plan.

 

This Month's Security Bulletins
 

June 2014 Security Bulletins

Critical

 
MS14-035:2969262 Cumulative Security Update for Internet Explorer
 
MS14-036:2967487 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution


Important

 
MS14-034:2969261 Vulnerability in Microsoft Word Could Allow Remote Code Execution
 
MS14-033:2966061 Vulnerability in Microsoft XML Core Services Could Allow Information Disclosure
 
MS14-032:2969258 Vulnerability in Microsoft Lync Server Could Allow Information Disclosure
 
MS14-031:2962478 Vulnerability in TCP Protocol Could Allow Denial of Service
 
MS14-030:2969259 Vulnerability in Remote Desktop Could Allow Tampering
 

June 2014 Security Bulletin Resources:

 
Theoretical Thinking and the June 2014 Bulletin Release
June 2014 Security Bulletin Webcast
June 2014 Security Bulletin Webcast Q&A
Malicious Software Removal Tool: June 2014 Update


 

Security Events and Training
 
Defense in Depth: Windows 8.1 Security
See how Windows 8.1 addresses security as a whole system, one layer at a time with this seven-module course from Microsoft Virtual Academy. Explore methods of developing a secure baseline and learn how to harden your Windows enterprise architectures from pass-the-hash and other advanced attacks.

Office 365 Education Technical Overview
Wednesday, July 16, 2014 – 1:00PM Central Time
Better understand the technical tools and resources of Office 365 Education, and learn how to support the unique needs of your school without sacrificing identity management and other security and compliance measures. This session will also be conducted every Wednesday at this time in August.

Office 365 Education Deployment Overview
Thursday, July 24, 2014 – 1:00PM Central Time
Compare your Microsoft Office 365 for education deployment options and learn about the terminology and tools available to streamline your deployment. Topics will include networking, identity management, hybrid deployments, and synchronization. This session will also be conducted every Wednesday at this time in August.

 
 

Essential Tools

 
Microsoft Security Bulletins
 
Microsoft Security Advisories
 
Security Compliance Manager
 
Microsoft Security Development Lifecycle Starter Kit
 
Enhanced Mitigation Experience Toolkit
 
Malicious Software Removal Tool
 
Microsoft Baseline Security Analyzer
 

Security Centers

 
Security TechCenter
 
Security Developer Center
 
Microsoft Security Response Center
 
Microsoft Malware Protection Center
 
Microsoft Privacy
 
Microsoft Security Product Solution Centers
 

Additional Resources

 
Trustworthy Computing Security and Privacy Blogs
 
Microsoft Security Intelligence Report
 
Microsoft Security Development Lifecycle
 
Malware Response Guide
 
Security Troubleshooting and Support Resources
 
Trustworthy Computing Careers
 
 
 
 
 microsoft.com/about/twcTrustworthy Computing 
 
 
 This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2014 Microsoft Corporation Terms of Use | Trademarks

Microsoft respects your privacy. To learn more please read our online Privacy Statement.