Skip to main content

Trustworthy Computing

Microsoft Security Newsletter

Stay up to date with security insights, resources, best practices, and events for IT professionals and developers. Browse past newsletters or subscribe to get the latest news delivered to your inbox.



Welcome to July 2015's Security Newsletter!

The focus of this month's newsletter is a topic that is top of mind for many of the CISOs and IT professionals I talk to these days—cloud security. With more and more organizations around the world leveraging cloud services, understanding how to protect your assets in the cloud and provide users with secure access to those assets is more important than ever. As a result, we have a great security tip from Tom Shinder on penetration testing applications hosted in Azure.

Additionally, Windows 10 is now publicly available! Explore the business benefits of Windows 10, learn about the built-in security features, and take advantage of the free Windows 10 Home and Windows 10 Pro upgrade offer for those on Windows 7 or Windows 8.1. Then, when you're ready to start testing Windows 10 for your organization, download the Windows 10 Enterprise Evaluation to try Windows 10 Enterprise free for 90 days.

Tim Rains Best regards,
Tim Rains, Chief Security Advisor
Cybersecurity & Cloud Strategy, Microsoft

Want to share this newsletter with a friend or colleague? Click here for the online edition and subscription options.
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.comand share your ideas.

Top Stories
Cloud security controls series: multi-factor authentication
In a world where hundreds of millions of leaked credentials are bought and sold regularly, and phishing attacks are common and effective, passwords, even complex passwords and passphrases, by themselves are no longer sufficient to protect resources and data. Find out how to use multi-factor authentication to help protect users, data, and applications in the cloud.

Cloud security controls series: Azure Active Directory‘s access and usage reports
Explore the types of information and security controls facilitated by Azure Active Directory (Azure AD) access and usage reports.

Cloud security controls series: Azure AD Privileged Identity Management
Using the principle of least privilege with Cloud resources makes as much sense as it does for on-premises resources. Learn how Azure AD Privileged Identity Management can help you discover the Azure AD privileged administrator roles and the user accounts they are assigned to, as well as enable you to revoke permanent privileged access and provide a mechanism that manages on-demand, time-limited access for Azure AD privileged accounts.

Security Guidance

Security Tip of the Month: Pen Testing Your Applications Hosted In Microsoft Azure
By Tom Shinder, Program Manager, Microsoft Azure Security Engineering
One of the great things about using Microsoft Azure for application testing and deployment is that you don't need to put together an on-premises infrastructure to develop, test, and deploy your applications. All the infrastructure is taken care of by the Microsoft Azure platform services. You don't have to worry about requisitioning, acquiring, and "racking and stacking" your own on-premises hardware. Just dev and deploy!

As a reader of this newsletter, you're likely a security-conscious person. While the dev and deploy mantra sounds great and makes you as agile as agile can be, that fact is that security needs to be job one, not only on-premises, but perhaps even more so in the cloud. That's fine, because you can handle it.

You might already know that Microsoft performs regular internal penetration testing of our own Azure environment. This is a good thing, as it helps us improve our platform and guides our actions in terms of changing current security controls, introducing new security controls, and improving our security processes. We live by the principle of continuous business improvement, and with Azure platform security, it's our passion.

If penetration testing is good for us, then it's good for you. No, we won't pen test your application for you, but we do understand that you will want to do perform pen testing on your own applications. That's a good thing, because when you enhance the security of your applications, you help make the entire Azure ecosystem more secure.

The trick here is that when you pen test your applications, it might look like an attack to us. We continuously monitor for attack patterns and will initiate an incident response process if we need to. It doesn't help you and it doesn't help us if we trigger an incident response due to your own due diligence pen testing. What to do?

That leads us to this month's security tip! When you're ready to pen test your Azure-hosted applications, all you need to do is let us know. Once we know that you're going to be performing specific tests, we'll have insight into what's going on and we won't shut you down, as long as your tests conform to the Azure pen testing terms and conditions.

Standard tests that you can perform include:

Tests on your endpoints to uncover the Open Web Application Security Project (OWASP) top 10 vulnerabilities
Fuzz testing of your endpoints
Port scanning of your endpoints

One type of test that you can't perform is any kind of Denial of Service (DoS) attack. This includes initiating a DoS attack itself, or performing related tests that might determine, demonstrate or simulate any type of DoS attack.

Are you ready to get started with pen testing your applications hosted in Microsoft Azure? If so, then head on over to the Penetration Test Overview page (which is also linked to from the Azure Trust Center) and click the Create a Testing Request button at the bottom of the page. You'll also find more information on the pen testing terms and conditions and helpful links on how you can report security flaws related to Azure or any other Microsoft service.

To keep up to date on the latest security information and topics as related to Microsoft Azure, make sure to bookmark the Azure Security Blog. Thanks!!! -Tom.

How Microsoft Azure Active Directory helps prevent, detect and remediate attacks to your enterprise
Explore a set of solutions across Active Directory and Azure AD that can help your organization easily identify key risks, and learn how to implement mechanisms across the hybrid enterprise to prevent, detect, and remediate the attacks your organizations may face.

Azure Active Directory: Identity Management as a Service for modern applications
Identity Management as a Service (IDMaaS) is an emerging capability to help developers and organizations manage access to modern applications. Learn more in this on demand session from //build.

Administer your Azure AD directory
Find out how Azure AD can help you manage identities.

Azure AD Privileged Identity Management
Azure AD Privileged Identity Management lets you manage, control, and monitor your privileged identities and their access to resources in Azure AD, and in other Microsoft online services such as Office 365 or Microsoft Intune. Walk through the core scenarios for Azure AD Privileged Identity Management and learn how to put it to work for you.

Manage passwords in Azure AD
Explore the full set of password management capabilities that Azure Active Directory supports, which include self-service password change and reset, administrator-initiated password reset, password management activity reports, and password writeback.

Community Update
Cybersecurity and the cloud
Watch Gartner VP of Research Lawrence Orans present details on the current cyber threat landscape and the latest trends in security and the cloud.

This Month's Security Bulletins

July 2015 Security Bulletins


MS15-065:3076321 Security Update for Internet Explorer
MS15-066:3072604 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution
MS15-067:3073094 Vulnerability in RDP Could Allow Remote Code Execution
MS15-068:3072000 Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution
MS15-078:3079904 Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution


MS15-058:3065718 Vulnerabilities in SQL Server Could Allow Remote Code Execution
MS15-069:3072631 Vulnerabilities in Windows Could Allow Remote Code Execution
MS15-070:3072620 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
MS15-071:3068457 Vulnerability in Netlogon Could Allow Elevation of Privilege
MS15-072:3069392 Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege
MS15-073:3070102 Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
MS15-074:3072630 Vulnerability in Windows Installer Service Could Allow Elevation of Privilege
MS15-075:3072633 Vulnerabilities in OLE Could Allow Elevation of Privilege
MS15-076:3067505 Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege
MS15-077:3077657 Vulnerability in ATM Font Driver Could Allow Elevation of Privilege

July 2015 Security Bulletin Resources:

July 2015 Bulletin Release Blog Post
Malicious Software Removal Tool: July 2015 Update

Security Events and Training
Getting started with Azure security for the IT professional
Do IT security concerns keep you up at night? You're not alone! Many IT pros want to extend their organization's infrastructure but need reassurance about security. Whether you are researching a hybrid or a public cloud model with Microsoft Azure, the question remains the same: Does the solution meet your own personal and your organization's bar for security, including industry standards, attestations, and ISO certifications?

In this demo-filled Microsoft Virtual Academy course, you can explore these and other hot topics, as a team of security experts and Azure engineers takes you beyond the basic certifications and explores what's possible inside Azure. See how to design and use various technologies to ensure that you have the security and architecture you need to successfully launch your projects in the cloud. Dive into datacenter operations, virtual machine (VM) configuration, network architecture, and storage infrastructure. Get the information and the confidence you need, from the pros who know, as they demystify security in the cloud.

Active Directory core skills jump start
Constantly resetting customer passwords? Want to extend your on-premises Active Directory? Join this Microsoft Virtual Academy session to explore Azure Active Directory (Azure AD) as part of the Enterprise Mobility Core Skills series, arming you with key knowledge to enable enterprise mobility management and to prepare your environment for Windows 10.


Essential Tools

Microsoft Security Bulletins
Microsoft Security Advisories
Microsoft Security Development Lifecycle Starter Kit
Enhanced Mitigation Experience Toolkit
Malicious Software Removal Tool
Microsoft Baseline Security Analyzer

Security Centers

Security TechCenter
Security Developer Center
Microsoft Security Response Center
Microsoft Malware Protection Center
Microsoft Privacy
Microsoft Security Product Solution Centers

Additional Resources

Microsoft Cybertrust Blog
Microsoft Azure Security Blog
Microsoft Security Intelligence Report
Microsoft Security Development Lifecycle
Malware Response Guide
Security Troubleshooting and Support Resources  
 This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2015 Microsoft Corporation Terms of Use | Trademarks

Microsoft respects your privacy. To learn more please read our online Privacy Statement.