June 2009 - Technical Rollup Mail - Security



Impersonation and the Access Control List http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918230&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
By John Steer, Security Architect, Microsoft Application Consulting & Engineering (ACE) Team
Security is a foundational component that needs to be integrated from the ground up in the development lifecycle. This article provides insight into impersonation and access control lists (ACLs) from a developer’s perspective.

GS Enhancements Planned for Visual Studio 2010 http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918231&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
First provided in Visual Studio .NET 2002, the Visual C++ compiler’s GS switch, which is on by default, is one of the built-in defenses designed to mitigate buffer overrun attacks. Learn what Microsoft’s VC++ compiler team is proactively working on to refine and enhance the abilities of the GS switch.

Now On Demand: Scott Charney's Keynote from RSA Conference 2009 http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918232&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
Join Scott Charney, Corporate Vice President of Microsoft’s Trustworthy Computing Group, as he discusses the trusted Internet experience of the future and the need for technological innovation, global public policy, and societal shifts around the issues of privacy and security.

What's New in Windows 7 RC http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918233&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
Watch this quick video to learn about features and improvements in the Windows 7 Release Candidate (RC) in areas like performance, networking, security, and PC management—then download the Release Candidate http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918154&s1=68628015-2ccc-cbc7-31b9-0e76c3415474 and take a test drive.

Evaluate Microsoft Forefront codename “Stirling” Beta 2 http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918234&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
By delivering simplified management and providing critical visibility into threats, vulnerabilities, and configuration risks, Forefront codename “Stirling” helps you protect your business with greater confidence and efficiency.

Download the Latest Microsoft Security Intelligence Report http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11838615&s1=68628015-2ccc-cbc7-31b9-0e76c3415474

Forefront Anti-Spam Portal Now Live http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11863106&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
The Microsoft Forefront team has released an anti-spam portal to provide the latest news and tools about anti-spam resources. This portal is a “one-stop” resource for anti-spam information, including risks and business impacts associated with spam, blogs, forums and communities, evidence, and related technical and product information.

Download the New Capacity Planning Tool for Forefront Security for Exchange Server http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11863107&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
The new Forefront Security for Exchange Server capacity planning tool helps you understand what hardware, architecture, and configuration settings will produce the recommended system performance and message throughput results for comprehensive protection of your Exchange servers.

Geneva Whitepapers and Datasheet
Whitepaper: "Geneva" Claims Based Access Platform
Learn about Microsoft's new "Geneva" claims-based access platform. Read about the three main components of "Geneva" and how they work together to help solve application access problems with a single, simplified access model. Understand how claims can be used across a wide variety of scenarios, including enterprise, federation, and Web. In this paper, new concepts and terminology are introduced to help architects, developers, and IT professionals understand the benefits and concepts behind the claims-based model of identity. A background in developing, deploying, or managing web applications and services that entail user authentication is expected. By David Chappell

Whitepaper: "Geneva" Framework - Updated for Beta 2
Get started building claims-aware applications using Microsoft code-named "Geneva" Framework. In this paper concepts and terminology are introduced to help developers understand the benefits and concepts behind the claims-based model of identity. Security expertise is not required but familiarity with ASP.NET or WCF programming is. A background in building web applications or services that care about authentication and authorization is expected. As such, the focus of the paper is on building relying parties using the framework. By Keith Brown

Microsoft Code Name "Geneva" Beta 2

Microsoft Security Bulletin Summary for May, 2009
Microsoft Internet Security and Acceleration Server

Forefront Edge Security TechCenter
Please note that if you have feedback on documentation or wish to request new documents, email isadocs@microsoft.com.

Forefront Edge Security Community

Forefront TMG (ISA Server) Product Team Blog
The ISA Server Product Team Blog (http://blogs.technet.com/isablog/) is updated on a regular basis. Latest entries include:

Web Farm IP Affinity Load Balancing Algorithm

TechEd 2009: A Preview of Forefront TMG and URL Filtering

Announcing the Availability of ISA/TMG Best Practices Analyzer Version 7

Quick Report From TechEd 2009: A 360-Degree View of Microsoft Forefront TMG and UAG

TechEd 2009: Post Show Feedback

High CPU Utilization by Wspsrv.exe Process

Fun with ISA Server and AES Cipher Suites

Intelligent Application Gateway 2007

Intelligent Application Gateway 2007 Technical Resources

Forefront Edge Security Community

Intelligent Application Gateway Product Team Blog
The IAG Product Team Blog (http://blogs.technet.com/edgeaccessblog) is updated on a regular basis. Latest entries include:

How to configure Active Synch Trunk for Non-Windows Mobile phones sending out large email attachments

How to configure IAG to use AES 256 encryption


Secure Your Desktop PCs – Start a Free Security Assessment Today http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918235&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
Download the Microsoft Assessment and Planning (MAP) Toolkit, and assess your PCs’ virus and spyware vulnerability, and readiness for implementing Forefront Client Security.

Database Encryption in SQL Server 2008 Enterprise Edition http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918236&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
With the introduction of transparent data encryption (TDE) in SQL Server 2008, users now have the choice between cell-level encryption as in SQL Server 2005, full database-level encryption by using TDE, or the file-level encryption options provided by Windows. This white paper compares TDE with these other encryption methods for application developers and database administrators.

Deep Dive: Security and Protection for SQL Server 2008 http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918237&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
SQL Server includes a variety of precise, configurable security features. These features empower administrators to implement defense-in-depth that is optimized for the specific security risks of their environment. Get up to speed on security for the SQL Server Database Engine.

Administering SQL Server 2008 Servers by Using Policy-Based Management http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918238&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
Policy-Based Management is a system for managing one or more instances of SQL Server 2008. Learn monitoring and enforcement best practices and policy-based management scenarios, then get a tutorial on administering servers using Policy-Based Management.

Protect E-Mail with Forefront Security http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918239&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
Learn how to install and configure Forefront Security for Exchange Server using Windows PowerShell, fight spam with connection and content filtering, and configure multiple scanning engines and scanning policies.

ISA Server 2006 Enterprise Edition Quick Start Guide http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11918240&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
Get the necessary information and resources that you need before you start the installation and configuration of ISA Server 2006. With this information, your deployment of ISA Server 2006 will be more efficient. The information in this document focuses on a few of the many features in ISA Server 2006, to enable you to quickly prepare for deployment.


Active Directory Domain Services in the Perimeter Network (Windows Server 2008)
This guide contains direction for determining whether Active Directory Domain Services (AD DS) is appropriate for your perimeter network (also known as the DMZ or extranet), the various models for deploying AD DS in perimeter networks, and planning and deployment information for read-only domain controllers (RODCs) in the perimeter network.

2007 Microsoft Office Security Guide
The 2007 Microsoft Office Security Guide provides prescriptive Group Policy setting and security configuration recommendations to help strengthen the security of the 2007 Microsoft Office release on computers that run Windows Vista or Windows XP in domain-based environments.

The GPOAccelerator creates all the Group Policy objects (GPOs) that you need to deploy the recommended security settings for your environment, saving you the hours of work that you would otherwise need to configure these settings manually. This Solution Accelerator includes guidance to assist you with this tool.

Local Security Authority Merged IDL File - English
This file contains the complete set of IDL definitions for the lsarpc interface, which is associated with the [MS-LSAD] and [MS-LSAT] protocol documents. It has been created by merging the "Full IDL" sections of said documents.

2007 Office system (SP2) Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool
This download includes updated Group Policy Administrative Template and Office Customization Tool OPA files; an updated Office Customization Tool; and ADMX and ADML versions of the Administrative Template files. This update assumes that you have updated your 2007 Office System applications with the 2007 Office System Service Pack 2 (SP2).

ADMX Migrator
ADMX Migrator is a snap-in for the Microsoft Management Console (MMC) that simplifies the process of converting your existing Group Policy ADM Templates to the new ADMX format and provides a graphical user interface for creating and editing Administrative templates.

Group Policy Settings Reference for Windows Internet Explorer 8
This spreadsheet lists the policy settings for computer and user configurations included in the administrative template files (admx/adml) delivered with Windows Internet Explorer 8.

Microsoft Internet Security and Acceleration (ISA) Server Best Practices Analyzer (BPA) Tool
The ISA Server Best Practices Analyzer Tool is designed for administrators who want to determine the overall health of their ISA Server computers and to diagnose current problems. The tool scans the configuration settings of the local ISA Server computer and reports issues that do not conform to the recommended best practices.

Microsoft Online Services Sign In
Use this Sign In application to access Microsoft Online Services.

Microsoft Online Services Directory Synchronization
Use this tool to synchronize local directory services to Microsoft Online Services.

Update for Windows Mail Junk E-mail Filter [May 2009] (KB905866)
Install this update for Windows Mail to revise the definition files that are used to detect e-mail messages that should be considered junk e-mail or that may contain phishing content.

Update for Windows Mail Junk E-mail Filter for x64-based Systems [May 2009] (KB905866)
Install this update for Windows Mail to revise the definition files that are used to detect e-mail messages that should be considered junk e-mail or that may contain phishing content.

Microsoft® Windows® Malicious Software Removal Tool (KB890830) x64
This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.

Microsoft® Windows® Malicious Software Removal Tool (KB890830)
This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.

Microsoft Code Name "Geneva" SbS Guides and VMs
"Geneva" Step by Step Guides and Virtual Machines

Geneva Interop Whitepapers

Security, Identity, and Access Management Datasheet
This offering provides an end-to-end security solution that allows you to move toward a dynamic IT infrastructure while ensuring better security integration, manageability, and efficiency.

Internet Explorer 8 Desktop Security Guide
Guidance for Enhancing Internet Explorer Security for Desktop Users
This white paper examines new features and settings that you can modify to provide a more "locked down" security configuration for Internet Explorer 8.

Microsoft Security Development Lifecycle (SDL) - Version 4.1
Microsoft Security Development Lifecycle v4.1 Process Guidance

Microsoft SDL Process Template for Visual Studio Team System
The SDL Process Template is a downloadable template that integrates the Microsoft Security Development Lifecycle (SDL) directly into your Visual Studio Team System (VSTS) software development environment.

Forefront Identity Manager 2010 RC0 Demo Virtual Hard Disk Image
This package contains a Hyper-V-based demo of Forefront Identity Manager 2010 RC0 (formerly code-named ILM "2").

The Business Value of Extended Validation SSL Certificates
Understand the Business Value of EV Certificates
Learn about the business value of EV Certificates, and the process for obtaining the certificates for your websites.

Increasing Your Organization’s Security and Privacy with Internet Explorer 8
Guidance for Enhancing Internet Explorer Security for Desktop Users
Learn about the emerging threat types on the web today and how Internet Explorer 8’s new security features help protect against them.

Forefront Threat Management Gateway and ISA Server

Announcing the Availability of ISA/TMG Best Practices Analyzer Version 7
What is new in Version 7 of IsaBPA?
• New Checks – 15 new IsaBPA rules added; IsaBPA now collects almost all ISA/TMG properties as well as environmental properties (around 1500 settings collected). These settings are compared against ~235 rules. The focus of this release was Configuration Storage Server and Active Directory authentication issues. This new suite joins the Hardware, OS, Authentication, OWA, SSL Certificates, site-to-site VPN with IPsec, WPLB, logging, NLB, and 3rd-party software suites that were introduced in previous versions of IsaBPA.
• Enhanced IsaBPA viewer – Microsoft support engineers and technically savvy ISA/TMG engineers can now view the server configuration from the BPA report itself.
• New ISA Data Packager scenarios – The ISA Data Packager was enhanced to gather both IAG data and ISA/TMG Firewall Client data. Data collection from Forefront TMG Medium Business Edition and above is now supported, and Configuration Change Tracking data is also collected.
• BPA2Visio enhancement – The BPA2Visio visualization tool now includes BPA warnings and errors on the pictorial representation of the deployment in question, next to the violating links. Each node in the diagram now contains more data.
• More documentation – The IsaBPA help file has been expanded to over 130 pages. You can easily find information about how to operate IsaBPA, details of specific checks, and how to fix issues that IsaBPA has detected.
• Bug fixes – Fixed several bugs and issues that were discovered in previous versions.
IsaBPAv7 is available now online at http://isabpa.com


Security Webcast Calendar http://go.microsoft.com/fwlink/?LinkId=37910 
Find security webcasts listed in an easy-to-use calendar format.

Upcoming Security Webcasts

Register for the following webcasts using the link above.

TechNet Webcast: Fundamentals of Third-Party Security Management (Level 300)
Monday, June 01, 2009 10:00 A.M.-11:00 A.M. Pacific Time

TechNet Webcast: Microsoft Forefront code name “Stirling” - The next generation of Forefront Security for SharePoint (Level 200)
Tuesday, June 02, 2009 1:00 P.M.-2:00 P.M. Pacific Time

TechNet Webcast: Forefront code name “Stirling” - The next generation of Forefront Security for Exchange Server (Level 200)
Thursday, June 04, 2009 1:00 P.M.-2:00 P.M. Pacific Time

IT Manager Webcast: Platform Solution Blueprints: Security (Level 200)
Thursday, June 04, 2009 1:00 P.M.-2:30 P.M. Pacific Time

TechNet Webcast: Microsoft Exchange Hosted Filtering is now Forefront Online Security for Exchange (Level 200)
Tuesday, June 09, 2009 1:00 P.M.-2:00 P.M. Pacific Time

TechNet Webcast: Information About Microsoft June Security Bulletins (Level 200)
Wednesday, June 10, 2009 11:00 A.M.-12:30 P.M. Pacific Time

TechNet Webcast: Best Practices for Security with SQL Server 2008 and SafeNet Luna HSM Support (Level 300)
Thursday, June 18, 2009 8:00 A.M.-9:00 A.M. Pacific Time

On-Demand Security Webcasts

Security Awareness Materials http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11524381&s1=68628015-2ccc-cbc7-31b9-0e76c3415474
Guidance, samples, and templates for creating a security-awareness program in your organization.

Learn Security On the Job http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11524382&s1=68628015-2ccc-cbc7-31b9-0e76c3415474

Learning Paths for Security - Microsoft Training References and Resources http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11524383&s1=68628015-2ccc-cbc7-31b9-0e76c3415474

Visit TechNet Spotlight: www.microsoft.com/technetspotlight   
Video on Demand, Video Downloads, PowerPoint Presentations, Audio and more

New or updated KBs

Microsoft Internet Security and Acceleration Server

FIX: An error occurs when a Web server reads cookies that are sent from a client through ISA Server 2006

FIX: Forms-based authentication in ISA Server 2006 still does not change a password on the second attempt if the user typed inconsistent passwords in the password confirmation of the first attempt

FIX: The ISA Server Control service cannot start after you install the MS09-012 update on a computer that is running Windows Server 2003 and that has more than 4 CPU cores

FIX: VPN client access through ISA Server 2006 stops unexpectedly and Event ID 21122 is logged in the Application log

FIX: The wspsrv process in ISA Server 2006 randomly crashes and an Application Error event is logged

FIX: A user who enters an empty user name or password on a customized logon form is redirected to the default error page of ISA Server 2006 instead of a customized error page

FIX: The ISA Server Firewall service crashes when a third-party Web filter calls the WriteClient function

Description of the ISA Server 2006 hotfix package: April 21, 2009

Microsoft Intelligent Application Gateway 2007

Support for Citrix XenApp5 applications is added to Intelligent Application Gateway 2007

Full support for unattended installation and uninstallation is added to Intelligent Application Gateway 2007 Client Components setup

Users cannot log on again after the automatic logoff period has elapsed if you use ADFS as the authentication scheme in Intelligent Application Gateway 2007

Intelligent Application Gateway 2007 cannot parse cookies that contain comma characters

FIX: The logon fails when you try to access IAG 2007 portals by using a user account whose name contains multibyte characters

FIX: Error message when IAG checks the password expiration and you use the Active Directory repository on LDAPS: "Server Not Operational"

FIX: IAG 2007 Detection Center (WMI Detection) does not detect some security products that are installed on a Windows Vista SP1-based client computer

FIX: The operation fails and the user receives an error message when a user tries to add an attachment in Exchange 2003 OWA that is published by using the IAG 2007 default template

FIX: The formatting on the portal is lost when you try to use a customized cascading style sheet for an IAG 2007 portal

FIX: Error message when you run a statistics report in Intelligent Application Gateway 2007 Web Monitor: "Active Server Pages, ASP 0113"

Windows Mobile users cannot synchronize, or synchronization causes messages to be resent when you publish ActiveSync in Intelligent Application Gateway 2007

FIX: You cannot connect to the IAG Web site by using Internet Explorer on a client that is running Windows 2000 after you install the IAG 2007 Service Pack 2 client components

Users receive an error message when they change their signatures in an Exchange Server 2003 OWA site that is published in an Intelligent Application Gateway 2007 portal trunk

FIX: The changes to the URL Set level are applied to an incorrect application in Intelligent Application Gateway 2007

A custom endpoint detection script that uses the Whale.System.IsCertValid function in Intelligent Application Gateway 2007 cannot detect client certificates by their Subject Alternative Names

Web Monitor pages are not displayed appropriately in IAG 2007 when an apostrophe character (') exists in a user name

Events that are in the Application category are not logged to the Syslog server in Intelligent Application Gateway 2007 (968315)