Skip to main content

Trustworthy Computing

Microsoft Security Newsletter

Stay up to date with security insights, resources, best practices, and events for IT professionals and developers. Browse past newsletters or subscribe to get the latest news delivered to your inbox.



Welcome to September's Security Newsletter!

The theme of this month’s newsletter is data security. The CISOs I meet are responsible for protecting their organization’s data whether it’s on-premises, on mobile devices or Internet of Things (IoT) devices, or in the cloud—or traveling anywhere between these points.

It’s interesting to see the different security strategies that different organizations are employing these days. The underlying assumption for some organizations’ security strategy is that since they aren’t managing all the devices that their information workers use, consistently, then all of those devices should be treated as if they are untrusted. These organizations tend to focus on protecting the data and not the devices used to access it – which is a reasonable strategy for some organizations. They leverage desktop and application virtualization technologies, data loss prevention, Rights Management Services, and identity services, and other controls to help them manage the risk to the data.

Other organizations have embraced new mobile device management offerings, like the Microsoft Enterprise Mobility Suite (which includes Microsoft Intune), that enable them to manage a wide range of devices in a consistent and predictable manner. Most of the customers I talk to in this category are also using the layered protections built into Windows 7 and 8.1 to protect data, and plan to leverage all the new and enhanced protections built into Windows 10 such as Enterprise Data Protection, BitLocker, Credential Guard, to name a few. For enterprise customers looking to evaluate these security features in Windows 10, please download the Windows 10 Enterprise Evaluation to try Windows 10 Enterprise free for 90 days.

It’s both a challenging time to be a CISO and a great time to be a CISO because of all the options organizations have to inform and support their security strategies. Please enjoy this month’s newsletter.

Tim Rains Best regards,
Tim Rains, Chief Security Advisor
Cybersecurity & Cloud Strategy, Microsoft

Want to share this newsletter with a friend or colleague? Click here for the online edition and subscription options.
Have feedback on how we can improve this newsletter? Email us at secnlfb@microsoft.comand share your ideas.

Top Stories
Cloud Security Controls Series: Encrypting Data at Rest
Learn about some of the controls that are available to help manage the security of data stored and processed in Microsoft’s cloud services, and Microsoft Azure in particular.

Privacy and Windows 10
In today’s connected world, maintaining our privacy is an incredibly important topic. Learn how Windows 10 was designed with straightforward privacy principles in mind.

What Makes a Good Microsoft Defense Bounty Submission?
One of Microsoft’s longstanding strategies toward improving software security continues to involve investing in defensive technologies that make it difficult and costly for attackers to exploit vulnerabilities. To cast a wider net for defensive ideas, Microsoft awarded the BlueHat Prize in 2012 and subsequently started the ongoing Microsoft Defense Bounty in June, 2013 which has offered up to $50,000 USD for novel defensive solutions. Last month, we announced that we will now award up to $100,000 USD for qualifying Microsoft Defense Bounty submissions. Learn how Microsoft evaluates defensive solutions and the characteristics that we look for in a good defense.

Security Guidance
Security Tip of the Month: Implement a Data-Driven Computer Security Defense
By Roger A. Grimes, Microsoft IT Information Security and Risk Management

In today’s environment, information security executives face a challenge of protecting company assets by optimally aligning defenses with an ever increasing number of threats and risks. Often, organizations have considerable investments in protection without using a risk-based approach to prioritizing investments. This approach leads to ineffective security controls and an inefficient use of resources. Information security organizations collect a tremendous amount of data about IT environments. For some organizations, activities occurring on those IT infrastructures exceed more than ten billion events on a daily basis. In other words, considerable information is available about the environments we manage and it’s that data that can help us make informed decisions.

In support of these challenges, considerable improvement in rigor and process is necessary to inform and make better business decisions. Drawing upon hundreds of engagements with Microsoft clients, as well as internal security operations, this guide outlines a framework for dramatically improving operational security posture. The framework utilizes a data-driven approach to optimize investment allocation for security defenses and significantly improve the management of risk for an organization.

Enabling Data Protection in Microsoft Azure
Find out how to control your data in Microsoft Azure through advanced technologies to encrypt, control and audit access, separate, and dispose of data according to your business needs. This video provides an overview of these technologies with a focus on encryption of data.

Client-Side Encryption and Azure Key Vault for Microsoft Azure Storage
The Azure Storage Client Library for .NET supports encrypting data within client applications before uploading to Azure Storage, and decrypting data while downloading to the client. The library also supports integration with Azure Key Vault for storage account key management. Explore these methods and learn about encryption and decryption via the envelope technique.

Transparent Data Encryption
Transparent Data Encryption (TDE) encrypts SQL Server and Azure SQL Database data files, known as encrypting data at rest. Learn how to use TDE including commands and functions, catalog views and dynamic management views, permissions, and other considerations.

Extensible Key Management (EKM)
While not available in every edition of SQL Server, Extensible Key Management (EKM) enables third-party EKM/HSM vendors to register their modules in SQL Server so that users can use the encryption keys stored on EKM modules. Find out how this enables SQL Server to access the advanced encryption features these modules support such as bulk encryption and decryption, and key management functions such as key aging and key rotation.

SQL Server Backup Encryption
Starting in SQL Server 2014, SQL Server has the ability to encrypt the data while creating a backup. Explore usage scenarios, benefits, and recommended practices for encrypting during backup.

Encryption Controls in Office 365: Across Devices and Platforms
Whether it is at rest or in transit, Office 365 protects your data using a variety of encryption mechanisms. In addition to what's baked into the platform, you have several options for customer-controlled encryption features to meet the business needs of your organization. Learn about the different types of encryption technologies in Office 365 that you can use and how they work seamlessly across devices and platforms. This video talks about Information Rights Management (IRM) with RMS, S/MIME, and Office 365 Message Encryption and how these encryption technologies help keep your data safe and secure.

BitLocker in Windows 10
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. Find out what’s new in BitLocker in Windows 10, then find answers to frequently asked questions, planning tips, deployment guidance and much more.

Community Update
Database Engine Security Checklist: Database Engine Security Configuration
Get a quick list of key security configuration options for the SQL Server Database Engine. Use this checklist to periodically audit your Database Engine environment. These recommended settings should be adjusted based on your security and business needs.

This Month's Security Bulletins

September Security Bulletins


MS15-094:3089548 Cumulative Security Update for Internet Explorer
MS15-095:3089665 Cumulative Security Update for Microsoft Edge
MS15-097:3089656 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution
MS15-098:3089669 Vulnerabilities in Windows Journal Could Allow Remote Code Execution
MS15-099:3089664 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution


MS15-096:3072595 Vulnerability in Active Directory Service Could Allow Denial of Service
MS15-100:3087918 Vulnerability in Windows Media Center Could Allow Remote Code Execution
MS15-101:3089662 Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
MS15-102:3089657 Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege
MS15-103:3089250 Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure
MS15-104:3089952 Vulnerabilities in Skype for Business Server and Lync Server Could Allow Elevation of Privilege
MS15-105:3091287 Vulnerability in Windows Hyper-V Could Allow Security Feature Bypass

September Security Bulletin Resources:

September 2015 Security Update Release Summary
Malicious Software Removal Tool: September 2015 Update and blog summary

Security Events and Training
Azure, The Trusted Cloud
Thursday, October 1, 2015 – 10:00 AM Pacific Time
Microsoft understands that for you to realize the benefits of the cloud, you must be willing to entrust your cloud provider with one of your most valuable assets—your data. Learn how Microsoft’s long experience running online services has involved extensive investment in foundational technology that builds security and privacy into the development process.

Security, Compliance and IRM in Office 365
Thursday, October 15, 2015 – 11:00 AM Central Time
Explore the different regulations to which Office 365 and, more specifically, SharePoint Online and OD4B are compliant. You’ll also find out what IRM means and how you can utilize it to secure your cloud data.

TechNet Virtual Lab: Exploring Row Level Security
On demand
This hands on lab will familiarize you with the new Row Level Security (RLS) in SQL Server 2016, which allows you to store data for different customers, departments, or tenants in the same table, while restricting access to rows based on a query’s execution context.

TechNet Virtual Lab: On-Prem and Cloud App and Data Protection with Azure RMS
On demand
Learn how to protect files from unauthorized access by using Microsoft Azure Rights Management, the Microsoft Rights Management connector, the Rights Management sharing app, and Microsoft Office 2013. These technologies help protect data on devices that are domain-joined or standalone regardless of whether they are owned by the organization or a user.

TechNet Virtual Lab: Protecting Your Data with System Center 2012 R2 Data Protection Manager
On demand
In this introductory lab, you will learn how to use the Data Protection Manager console to protect and recover data. You will learn how to allocate local storage, configure protection for files and SQL Server databases, create recovery points, and recover data. You will also learn how to recover a database to a SQL Server cluster.


Essential Tools

Microsoft Security Bulletins
Microsoft Security Advisories
Microsoft Security Development Lifecycle Starter Kit
Enhanced Mitigation Experience Toolkit
Malicious Software Removal Tool
Microsoft Baseline Security Analyzer

Security Centers

Security TechCenter
Security Developer Center
Microsoft Security Response Center
Microsoft Malware Protection Center
Microsoft Privacy
Microsoft Security Product Solution Centers

Additional Resources

Microsoft Cybertrust Blog
Microsoft Azure Security Blog
Microsoft Security Intelligence Report
Microsoft Security Development Lifecycle
Malware Response Guide
Security Troubleshooting and Support Resources Computing 
 This is a monthly newsletter for IT professionals and developers–bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive less technical security news, guidance, and updates, please subscribe to the Microsoft Security for Home Computer Users Newsletter.

© 2014 Microsoft Corporation Terms of Use | Trademarks

Microsoft respects your privacy. To learn more please read our online Privacy Statement.