
Trustworthy Computing

Microsoft Security Newsletter

Stay up to date with security insights, resources, best practices, and events for IT professionals and developers. Browse past newsletters or subscribe to get the latest news delivered to your inbox.



Welcome to November’s Security Newsletter!

This month our newsletter focuses on data encryption in Microsoft’s products and services. Encryption is typically used when you want a strong level of protection for your information. When it comes to the application of encryption, there are essentially four types of scenarios:

At Microsoft, we are committed to using best-in-class encryption technologies when appropriate to protect the confidentiality of customer data, to maintain data integrity, and to help assure its appropriate availability. We use cutting-edge technologies to protect our customers’ data from being breached and improperly disclosed, both while the data is at-rest and when it is in-transit. To learn more about how Microsoft manages data encryption in its products and services, and how you can better protect your organization’s data, please read on and check out the resources available.

Best regards,
Tim Rains, Director
Cybersecurity & Cloud Strategy, Microsoft

Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.com and share your ideas.

Top Stories
Billions of Data, One Cybersecurity Report: SIRv17 Now Available
Understand the latest threat trends, recent shifts in cybercriminal behavior, the new techniques that are being used, and the malware families that are most prevalent—plus get actionable guidance to help you protect your organization and customers. Download Volume 17 of the Microsoft Security Intelligence Report (SIR).

Enhancing Cybersecurity with Big Data
Protecting the information of individuals and organizations from online threats remains an urgent priority, so using big data tools and techniques to enhance cybersecurity is a natural development. Explore the new Microsoft-commissioned study to better understand how organizations are using big data to improve cybersecurity, and to get recommendations on how to address both the security and privacy concerns of big data solutions.

Hundreds of Millions of Microsoft Customers Now Benefit from Best-in-Class Encryption
Microsoft is bringing encryption technologies currently available in Windows 8.1 and Windows Server 2012 R2 to older versions of our platforms. Find out how this will enable you to take advantage of the best cryptography already available in Microsoft’s most modern operating systems and servers when connecting to a cloud service or operating system that supports the encryption technology known as Perfect Forward Secrecy (PFS). Not familiar with PFS? Read Perfect Secrecy in an imperfect world for more information.

Security Guidance

Security Tip of the Month: BitLocker Passwords Should Be Less Than 100 Characters
You can specify BitLocker passwords using the following methods:

BitLocker Setup Wizard
Manage BitLocker Control Panel
Manage-bde command-line tool
Windows PowerShell cmdlet

When you use either the setup wizard or the control panel, the user interface limits passwords to 100 characters. The command-line tool and Windows PowerShell cmdlets, on the other hand, do not enforce that limit, and passwords up to 256 characters can be specified. However, if a password longer than 100 characters is specified, BitLocker truncates it to the first 100 characters. If you then attempt to use the longer password to unlock the drive, you will receive the error message "The password you typed is not correct" and will be asked to provide your recovery key to unlock the drive.

Resolution? Specify passwords that are 100 characters or less to avoid encountering this issue. If you have used a longer password, after unlocking the drive using the recovery key go to the BitLocker Control Panel and set a new password that is 100 characters or less.
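
Because the command-line paths accept what the wizard would reject, a script that sets BitLocker passwords can enforce the 100-character limit itself before the protector is created. The following is an added example, not Microsoft's code: the function name `Add-CheckedBitLockerPassword` and the drive letter in the usage comment are assumptions, while `Add-BitLockerKeyProtector` is the standard BitLocker cmdlet.

```powershell
# Added example. Add-CheckedBitLockerPassword is a hypothetical wrapper name.
function Add-CheckedBitLockerPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$MountPoint,

        [Parameter(Mandatory = $true)]
        [System.Security.SecureString]$Password
    )

    # Limit stated in the tip: only the first 100 characters are kept.
    $maxLength = 100

    # SecureString exposes its character count without decrypting the value,
    # so the check never puts the password in memory as plain text.
    if ($Password.Length -eq 0) {
        throw 'Password is empty.'
    }
    if ($Password.Length -gt $maxLength) {
        throw ("Password is {0} characters; BitLocker would keep only the first {1}. " +
               "Choose a password of {1} characters or less.") -f $Password.Length, $maxLength
    }

    # -WhatIf / -Confirm are honoured before the protector is added.
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Add BitLocker password protector')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $Password
    }
}

# Usage (E: is a constructed example drive letter):
#   $pw = Read-Host -AsSecureString -Prompt 'New BitLocker password'
#   Add-CheckedBitLockerPassword -MountPoint 'E:' -Password $pw
```

Rejecting the over-long password up front means the user learns about the limit at the moment the password is set, rather than at the next unlock when only the recovery key will work.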

BitLocker Planning and Policies
BitLocker helps prevent unauthorized access to data on lost or stolen computers by encrypting the entire Windows operating system volume and any associated data volumes, and by verifying the integrity of early boot components and boot configuration data. Learn how to prepare for BitLocker deployment in your organization. Once you’re ready to deploy BitLocker, check out these resources:

BitLocker Basic Deployment
BitLocker: How to Deploy on Windows Server 2012
Try It Out: Encrypt Used Space Only

Choose the Right BitLocker Countermeasure
Find out how to protect your Windows 7, Windows 8, and Windows 8.1 PCs from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hiberfil.sys attacks, and memory remanence attacks.

Protecting Against Weak Cryptographic Algorithms
Learn about the software update available for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 that allows deprecation of weak cryptographic algorithms.

Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy
Find out how to create a two-tier public key infrastructure (PKI) hierarchy using Windows Server 2012 and Active Directory Certificate Services (AD CS).

SQL Server Encryption
Find out how to use encryption in SQL Server for connections, data, and stored procedures. Explore the encryption hierarchy in SQL Server, learn how to choose an encryption algorithm, and find information on how to help secure the SQL Server platform, and how to work with users and securable objects.

How to Encrypt Data for Windows Phone 8
Saving confidential data in a phone’s isolated storage is not secure. Encrypting the data will not increase the security if the decryption key resides on the phone, no matter how well the key is hidden. Learn how to encrypt and decrypt confidential data such as passwords, connection strings, and PINs in a Windows Phone app by using the Data Protection API (DPAPI).

Windows App Development: Encrypting Data and Working with Certificates
Learn how to encode and decode data, how to encrypt and decrypt data, and how to work with certificates.

How To: Azure Backup
Learn how to use Azure Backup to help protect important server data offsite with automated backups to Azure, where they are available for easy data restoration, and how to manage cloud backups from the familiar backup tools in Windows Server 2012, Windows Server 2012 Essentials, or System Center 2012 Data Protection Manager.

Community Update
SQL Server Database Engine Security Checklist: Encrypt Sensitive Data
Use this checklist to confirm that encryption is used appropriately in your environment and to periodically audit your use of encryption with the SQL Server Database Engine. To review how you limit access to data in your organization and audit how users access information stored in Database Engine, see Database Engine Security Checklist: Limit Access to Data.

This Month's Security Bulletins

November Security Bulletins


MS14-064:3011443 Vulnerabilities in Windows OLE Could Allow Remote Code Execution
MS14-065:3003057 Cumulative Security Update for Internet Explorer
MS14-066:2992611 Vulnerability in Schannel Could Allow Remote Code Execution
MS14-067:2993958 Vulnerability in XML Core Services Could Allow Remote Code Execution
MS14-068:3011780 Vulnerability in Kerberos Could Allow Elevation of Privilege


MS14-069:3009710 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
MS14-070:2989935 Vulnerability in TCP/IP Could Allow Elevation of Privilege
MS14-071:3005607 Vulnerability in Windows Audio Service Could Allow Elevation of Privilege
MS14-072:3005210 Vulnerability in .NET Framework Could Allow Elevation of Privilege
MS14-073:3000431 Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege
MS14-074:3003743 Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass
MS14-076:2982998 Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass
MS14-077:3003381 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure
MS14-078:2992719 Vulnerability in IME (Japanese) Could Allow Elevation of Privilege
MS14-079:3002885 Vulnerability in Kernel Mode Driver Could Allow Denial of Service

November Security Bulletin Resources:

November Bulletin Release Blog Post "November Security Updates"
Assessing Risk for the November 2014 Security Updates
Malicious Software Removal Tool: November Update

Security Events and Training
Microsoft Virtual Academy (MVA): Windows 8.1 Security
Learn about core investments in security for Windows 8.1, including authentication, multifactor access control, pervasive encryption, and protecting corporate data in a "bring your own device" (BYOD) world.

MVA: Windows 8.1 To Go
Windows To Go is a full fidelity desktop that includes touch, virtualization technologies, secure connection via DirectAccess, and data encryption with BitLocker. Find out how to use Windows To Go to create a bootable USB that turns almost any PC into a secure Windows 8.1 corporate PC—without requiring network connectivity.

The Hybrid Cloud: A Balancing Act between Benefits and Security
Thursday, December 4, 2014 – 10:00 AM Pacific Time
Learn how to extend your datacenter to the cloud in a secure and automated way, how to secure your information in the cloud, how to manage security in a mix of private and public clouds, and why a hosted private cloud can be the best solution for sensitive data and mission critical workloads.


Essential Tools

Microsoft Security Bulletins
Microsoft Security Advisories
Microsoft Security Development Lifecycle Starter Kit
Enhanced Mitigation Experience Toolkit
Malicious Software Removal Tool
Microsoft Baseline Security Analyzer

Security Centers

Security TechCenter
Security Developer Center
Microsoft Security Response Center
Microsoft Malware Protection Center
Microsoft Privacy
Microsoft Security Product Solution Centers

Additional Resources

Microsoft Cybertrust Blog
Microsoft Security Development Lifecycle
Malware Response Guide
Security Troubleshooting and Support Resources
Trustworthy Computing Careers
 This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2014 Microsoft Corporation
