<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Roger's Security Blog : Microsoft</title><link>http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx</link><description>Tags: Microsoft</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>The New Bing Maps – Freaking Cool!!!</title><link>http://blogs.technet.com/rhalbheer/archive/2009/12/02/the-new-bing-maps-freaking-cool.aspx</link><pubDate>Wed, 02 Dec 2009 19:58:52 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3297881</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3297881.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3297881</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3297881</wfw:comment><description>&lt;p&gt;It has nothing to do with security – I know but it is very, very, very cool!!!!&lt;/p&gt;  &lt;p&gt;We just released the &lt;a href="http://www.bing.com/maps/explore/" target="_blank"&gt;new Bing Maps explorer&lt;/a&gt;! The first thing you will see is that we integrated &lt;a href="http://photosynth.net/" target="_blank"&gt;Photosynth&lt;/a&gt; and &lt;a href="www.microsoft.com/silverlight" target="_blank"&gt;Silverlight&lt;/a&gt;. So, no tiles anymore when loading a map. It just comes smoothly. And zooming in to photos is not possible as well – it rocks. But that’s just the start. &lt;/p&gt;  &lt;p&gt;Remember the days, where you tried to understand which map version (Road, Aerial, Bird’s View) just fits best based on the data which is available? 
Well, when you are living outside the US, you will know what I am talking of… This time is definitely&amp;#160; over. Bing Maps takes automatically care of this “problem” and it really works:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3297832/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x335[1]" border="0" alt="500x335[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheNewBingMapsFreakingCool_FAA8/500x335%5B1%5D_1.png" width="500" height="335" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;That’s the maps. But there is a cool API you can use to build integrated applications with Bing Maps. These are the ones for the Redmond Campus location:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3297836/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x340[1]" border="0" alt="500x340[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheNewBingMapsFreakingCool_FAA8/500x340%5B1%5D_1.png" width="500" height="340" /&gt;&lt;/a&gt; So, using the Current Traffic now brings me to the well-known traffic map (in Sliverlight – of course):&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3297840/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x334[1]" border="0" alt="500x334[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheNewBingMapsFreakingCool_FAA8/500x334%5B1%5D_1.png" 
width="500" height="334" /&gt;&lt;/a&gt; And now you know the feeling. All these things work great – if you are in the US… But as soon as you are outside, the data is missing – wrong again. Let’s take the &lt;em&gt;Today’s front pages&lt;/em&gt; as an example. I have been in Zagreb last week, so let’s see what we find there:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3297841/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x368[1]" border="0" alt="500x368[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/TheNewBingMapsFreakingCool_FAA8/500x368%5B1%5D_1.png" width="500" height="368" /&gt;&lt;/a&gt; The front page of a local newspaper. And as this is an extensible platform, there is nothing which prohibits you from writing an additional add-in. &lt;/p&gt;  &lt;p&gt;BTW: Did I tell you already that I think this new Bing Maps is really, really cool?&lt;/p&gt;  &lt;p&gt;Roger &lt;/p&gt;&lt;div class="wlWriterHeaderFooter" style="text-align:right; margin:0px; padding:4px 0px 4px 0px;"&gt;&lt;a href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f12%2f02%2fthe-new-bing-maps-freaking-cool.aspx&amp;amp;title=The+New+Bing+Maps+%e2%80%93+Freaking+Cool!!!"&gt;&lt;img src="http://digg.com/img/badges/100x20-digg-button.png" width="100" height="20" alt="Digg This" title="Digg This" border="0" style="border: 0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3297881" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Fun/default.aspx">Fun</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category 
domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>Security and Usability</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/26/security-and-usability.aspx</link><pubDate>Thu, 26 Nov 2009 21:04:39 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3296547</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3296547.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3296547</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3296547</wfw:comment><description>&lt;p&gt;It is not a new concept: The secure way is only secure if it is the easiest way. I have seen a lot of solutions which are extremely secure – in the eyes of the security people. However, the users find a lot of ways to circumvent the security measures because they are too complex to fulfill the business needs or it is simply not possible to run a business within the limits of the security policies. 
Do not get me wrong: Security always comes with a certain level of inconvenience – but the question is always whether we are able to find the balance between usability, the business needs and the risk management of a company.&lt;/p&gt;  &lt;p&gt;&lt;a href="http://research.microsoft.com/en-us/um/people/blampson/" target="_blank"&gt;Butler Lampson&lt;/a&gt;, a Technical Fellow with Microsoft Research, wrote an article on ACM called &lt;a href="http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext" target="_blank"&gt;Usable Security: How to Get It&lt;/a&gt; which is definitely worth reading.&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;div class="wlWriterHeaderFooter" style="text-align:right; margin:0px; padding:4px 0px 4px 0px;"&gt;&lt;a href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f11%2f26%2fsecurity-and-usability.aspx&amp;amp;title=Security+and+Usability"&gt;&lt;img src="http://digg.com/img/badges/100x20-digg-button.png" width="100" height="20" alt="Digg This" title="Digg This" border="0" style="border: 0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3296547" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Consumer/default.aspx">Consumer</category></item><item><title>Security – A Feature Discussion? 
Some Thoughts on Google’s Chrome OS</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/19/security-a-feature-discussion-some-thoughts-on-google-s-chrome-os.aspx</link><pubDate>Thu, 19 Nov 2009 21:18:21 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3295205</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3295205.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3295205</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3295205</wfw:comment><description>&lt;p&gt;To be clear upfront: This is not a “Microsoft versus Google” post. I cannot even judge how far Google pushed security with the Chrome OS. But the following article raised quite a few questions about how we look at security: &lt;a href="http://blogs.zdnet.com/security/?p=4969&amp;amp;utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29" target="_blank"&gt;Inside the Google Chrome OS security model&lt;/a&gt;. This article, like so many when security of an Operating System is to be discussed, is completely feature driven. So, we talk about Process Sandboxing, Toolchain Hardening, Kernel Hardening etc. But how relevant is this really? &lt;/p&gt;  &lt;p&gt;Do not get me wrong: It is. But these features have to be the result of an engineering process. These features have to be designed to reduce a certain threat vector – a possible attack scenario – and they have to be laid out in a way to reduce this vector. I recently had a discussion with somebody who wanted to convince me about their security software. My very first question was: How do you develop software? The answer was: We have a great CTO and good developers who engineer our software. My next question: OK, how do you do Threat Modeling? 
Answer: Our CTO has done this for years and knows everything in and out…&lt;/p&gt;  &lt;p&gt;To me Threat Modeling and transparency with regard to the development process are key! Why shall I trust features? I have to know why and how they are engineered. I need process transparency – and not necessarily code transparency. There is no way I can review code. I am not a security development specialist on the one hand, nor do I have the time to look through the code anyway. The only thing I can build my trust on is the engineering and the response processes. &lt;/p&gt;  &lt;p&gt;So, why do we not rather raise a process discussion than a feature discussion? When we had the initial press conference about &lt;a href="http://www.safecode.org/" target="_blank"&gt;SafeCode&lt;/a&gt;, I was asked a pretty interesting question by an analyst: As SafeCode is about sharing best practices with regard to secure development, other vendors who do not use such processes will become a target. Yes, and now? The industry has to learn that engineering and development processes are much more important than features! We use our &lt;a href="http://www.microsoft.com/sdl" target="_blank"&gt;Security Development Lifecycle&lt;/a&gt; – will this lead to absolutely secure code? No, not at all but to a much, much higher bar. We have great examples where we can show that this not only reduces the number of code defects but also leads to a better defense framework adopting defense in depth concepts. This is what we need. 
&lt;strong&gt;Let’s shift the discussion from features to processes!&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;And a final comment: This discussion is even more important in the cloud!&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;div class="wlWriterHeaderFooter" style="text-align:right; margin:0px; padding:4px 0px 4px 0px;"&gt;&lt;a href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f11%2f19%2fsecurity-a-feature-discussion-some-thoughts-on-google-s-chrome-os.aspx&amp;amp;title=Security+%e2%80%93+A+Feature+Discussion%3f+Some+Thoughts+on+Google%e2%80%99s+Chrome+OS"&gt;&lt;img src="http://digg.com/img/badges/100x20-digg-button.png" width="100" height="20" alt="Digg This" title="Digg This" border="0" style="border: 0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3295205" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>COFEE freely downloadable on the Internet?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/10/cofee-freely-downloadable-on-the-internet.aspx</link><pubDate>Tue, 10 Nov 2009 17:44:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3292896</guid><dc:creator>rhalbh</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3292896.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3292896</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3292896</wfw:comment><description>&lt;P&gt;You definitely have heard of &lt;A href="http://www.microsoft.com/industry/government/solutions/cofee/default.aspx" 
target=_blank mce_href="http://www.microsoft.com/industry/government/solutions/cofee/default.aspx"&gt;COFEE (Computer Online Forensic Evidence Extractor)&lt;/A&gt; which we make freely available to Law Enforcement through Interpol and NW3C. Now, the probably unavoidable happened and the tool leaked to the Internet. There was actually an interesting statement by &lt;A href="http://arstechnica.com/microsoft/news/2009/11/pirates-get-to-taste-microsoft-cofee.ars" target=_blank mce_href="http://arstechnica.com/microsoft/news/2009/11/pirates-get-to-taste-microsoft-cofee.ars"&gt;ArsTechnica&lt;/A&gt; yesterday: &lt;EM&gt;Chances are you won't have any use for the tool, but pirates get a thrill from having something they shouldn't, and a forensics tool only distributed to police departments around the world is pretty high up on the list of things you shouldn't have on your computer.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;To make our point clear, let me quote Richard Boscovich, senior attorney, Internet Safety at Microsoft Corporation: &lt;/P&gt;
&lt;P&gt;&lt;EM&gt;We have confirmed that unauthorized and modified versions of Microsoft’s COFEE tool have been improperly posted to bit torrent networks for public download.&amp;nbsp; We strongly recommend against downloading any technology purporting to be COFEE outside of authorized channels – both because any unauthorized technology may not be what it claims to be and because Microsoft has only granted legal usage rights for our COFEE technology for law enforcement purposes for which the tool was designed.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Note that contrary to reports, we do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to ‘build around’ to be a significant concern.&amp;nbsp; COFEE was designed and provided for use by law enforcement with proper legal authority, but is essentially a collection of digital forensic tools already commonly used around the world.&amp;nbsp; Its value for law enforcement is not in secret functionality unknown to cybercriminals, its value is in the way COFEE brings those tools together in a simple and customizable format for law enforcement use in the field.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;In cooperation with our partners, we will continue to work to mitigate unauthorized distribution of our technology beyond the means for which it’s been legally provided and, again, would strongly discourage people from downloading unauthorized versions of the tool.&amp;nbsp; As always, law enforcement wishing to use COFEE can safely get the latest released version of the tool free of charge through the established channels with both NW3C and INTERPOL by contacting NW3C at &lt;/EM&gt;&lt;A href="http://www.nw3c.org/" mce_href="http://www.nw3c.org"&gt;&lt;EM&gt;www.nw3c.org&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt; or INTERPOL at &lt;/EM&gt;&lt;A href="mailto:cofee@interpol.int" mce_href="mailto:cofee@interpol.int"&gt;&lt;EM&gt;cofee@interpol.int&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt;.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;So, to be clear: It is not “only” illegal but it is modified as well. Do you really want to install that?&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;
&lt;DIV style="TEXT-ALIGN: right; PADDING-BOTTOM: 4px; MARGIN: 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; PADDING-TOP: 4px" class=wlWriterHeaderFooter&gt;&lt;A href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f11%2f10%2fcofee-freely-downloadable-on-the-internet.aspx&amp;amp;title=COFEE+freely+downloadable+on+the+Internet%3f" mce_href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f11%2f10%2fcofee-freely-downloadable-on-the-internet.aspx&amp;amp;title=COFEE+freely+downloadable+on+the+Internet%3f"&gt;&lt;IMG style="BORDER-BOTTOM: 0px; BORDER-LEFT: 0px; BORDER-TOP: 0px; BORDER-RIGHT: 0px" title="Digg This" border=0 alt="Digg This" src="http://digg.com/img/badges/100x20-digg-button.png" width=100 height=20 mce_src="http://digg.com/img/badges/100x20-digg-button.png"&gt;&lt;/A&gt;&lt;/DIV&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3292896" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>Power of Knowledge: Security Intelligence Report v7</title><link>http://blogs.technet.com/rhalbheer/archive/2009/11/02/power-of-knowledge-security-intelligence-report-v7.aspx</link><pubDate>Mon, 02 Nov 2009 16:06:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3290851</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3290851.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3290851</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3290851</wfw:comment><description>&lt;p&gt;It is a good tradition since quite a while that we make the intelligence we have available accessible to 
the broad public. This will help our customers to protect themselves much better. The Security Intelligence Report (SIR) is built on an unparalleled set of sensors out there in the Internet:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;strong&gt;Malicious Software Removal Tool (MSRT)&lt;/strong&gt;: runs on 450 million computers worldwide each month. &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;BING&lt;/strong&gt;: performs billions of Web-page scans per year. &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Windows Live OneCare and Windows Defender&lt;/strong&gt;: on 100 million + computers worldwide. &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Forefront Online Protection for Exchange&lt;/strong&gt;: scanning billions of emails yearly. &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Windows Live Hotmail&lt;/strong&gt;: 30 + countries - hundreds of millions of active e-mail users. &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;As there is nobody in the industry who is able to match this, we are convinced that it is of utmost importance that we share our intelligence with the broad industry.&lt;/p&gt;  &lt;p&gt;Looking at the report itself, there are a few key findings this time:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;strong&gt;Rogue Security Software&lt;/strong&gt; is still one of the biggest threats for our customers. Even though we found less rogue software on computers (13.4 million computers compared to 16.8 million in H208) it is still a significant threat to the ecosystem. &lt;/li&gt;    &lt;li&gt;&lt;strong&gt;Worms are back&lt;/strong&gt;: Worms rose from the fifth place to the number 2 with a 98.4% increase. This is largely due to Conficker and Taterf. 
&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;To visualize the second point, let’s look at the computers cleaned by threat category:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3290842/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x298[1]" border="0" alt="500x298[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PowerofKnowledgeSecurityIntelligenceRepo_F05C/500x298%5B1%5D_3.png" width="500" height="298" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;p&gt;This is a pretty significant spike.&lt;/p&gt;  &lt;p&gt;There are a few diagrams I usually like to look at as well. One is the geographical distribution in order to understand my region. So, let’s look at the malware infections globally:    &lt;br /&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3290846/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x301[1]" border="0" alt="500x301[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PowerofKnowledgeSecurityIntelligenceRepo_F05C/500x301%5B1%5D_1.png" width="500" height="301" /&gt;&lt;/a&gt;So, you see there is quite some room for improvement.&amp;#160; &lt;/p&gt;  &lt;p&gt;Now, to close this very, very short summary of the report, it is definitely worth looking at two additional graphs. 
One is the malware distribution per Operating System:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3290847/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x320[1]" border="0" alt="500x320[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PowerofKnowledgeSecurityIntelligenceRepo_F05C/500x320%5B1%5D_1.png" width="500" height="320" /&gt;&lt;/a&gt; This supports a statement I make so often: If I would have one wish to our customers, it would be: “Always stay on the latest version of all the software you have” – not from a business perspective but from a security view. And the second wish would be, cover all your software, when you do patch management. Remember my post called &lt;a href="http://blogs.technet.com/rhalbheer/archive/2009/03/26/patch-management-cover-the-whole-9-yards.aspx" target="_blank"&gt;Patch Management – Cover the whole 9 yards&lt;/a&gt;? I told you that you should take care of the whole software stack – not “just” Microsoft. And the reason for that is the following diagram:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3290848/original.aspx" target="_blank"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="500x291[1]" border="0" alt="500x291[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/PowerofKnowledgeSecurityIntelligenceRepo_F05C/500x291%5B1%5D_1.png" width="500" height="291" /&gt;&lt;/a&gt; As you can easily see, our share in the overall vulnerability landscape is very, very small. 
So, we need a joint effort across the whole industry to write secure software from the bottom up with processes like the Security Development Lifecycle! And guess what – your problem will not become easier to solve when you move to the cloud.&lt;/p&gt;  &lt;p&gt;Now, if you want to read the report, here are the important links:   &lt;br /&gt;&lt;/p&gt;  &lt;p&gt;&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;The &lt;a href="http://www.microsoft.com/security/portal/Threat/SIR.aspx" target="_blank"&gt;Security Intelligence Report landing page&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;The &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=037f3771-330e-4457-a52c-5b085dc0a4cd&amp;amp;displaylang=en" target="_blank"&gt;download page for the report&lt;/a&gt;&lt;/li&gt;    &lt;li&gt;And the &lt;a href="http://go.microsoft.com/?linkid=9693459" target="_blank"&gt;video with Ken and Vinny&lt;/a&gt;&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Have fun&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;div class="wlWriterHeaderFooter" style="text-align:right; margin:0px; padding:4px 0px 4px 0px;"&gt;&lt;a href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f11%2f02%2fpower-of-knowledge-security-intelligence-report-v7.aspx&amp;amp;title=Power+of+Knowledge%3a+Security+Intelligence+Report+v7"&gt;&lt;img src="http://digg.com/img/badges/100x20-digg-button.png" width="100" height="20" alt="Digg This" title="Digg This" border="0" style="border: 0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3290851" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>Security Compliance Management Toolkit Series for IE 8 and Windows 
7</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/30/security-compliance-management-toolkit-series-for-ie-8-and-windows-7.aspx</link><pubDate>Fri, 30 Oct 2009 16:09:53 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3290419</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3290419.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3290419</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3290419</wfw:comment><description>&lt;p&gt;Just a brief one: the Security Compliance Management Toolkit Series has been updated to incorporate Internet Explorer 8 and Windows 7. So, to help you to manage security and compliance in your environment, you should have a look at it: &lt;a title="http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx" href="http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx"&gt;http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;div class="wlWriterHeaderFooter" style="text-align:right; margin:0px; padding:4px 0px 4px 0px;"&gt;&lt;a href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f10%2f30%2fsecurity-compliance-management-toolkit-series-for-ie-8-and-windows-7.aspx&amp;amp;title=Security+Compliance+Management+Toolkit+Series+for+IE+8+and+Windows+7"&gt;&lt;img src="http://digg.com/img/badges/100x20-digg-button.png" width="100" height="20" alt="Digg This" title="Digg This" border="0" style="border: 0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3290419" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category 
domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Look at the Enhanced Mitigation Evaluation Toolkit</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/29/look-at-the-enhanced-mitigation-evaluation-toolkit.aspx</link><pubDate>Thu, 29 Oct 2009 12:26:56 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3290042</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3290042.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3290042</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3290042</wfw:comment><description>&lt;p&gt;Recently we announced the availability of the Enhanced Mitigation Evaluation Toolkit. This is a toolkit which makes it easier to defend your application on different levels – free of charge. 
Read the post done by our Security Research and Defense guys: &lt;a href="http://blogs.technet.com/srd/archive/2009/10/27/announcing-the-release-of-the-enhanced-mitigation-evaluation-toolkit.aspx" target="_blank"&gt;Announcing the release of the Enhanced Mitigation Evaluation Toolkit&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;div class="wlWriterHeaderFooter" style="text-align:right; margin:0px; padding:4px 0px 4px 0px;"&gt;&lt;a href="http://digg.com/submit?url=http%3a%2f%2fblogs.technet.com%2frhalbheer%2farchive%2f2009%2f10%2f29%2flook-at-the-enhanced-mitigation-evaluation-toolkit.aspx&amp;amp;title=Look+at+the+Enhanced+Mitigation+Evaluation+Toolkit"&gt;&lt;img src="http://digg.com/img/badges/100x20-digg-button.png" width="100" height="20" alt="Digg This" title="Digg This" border="0" style="border: 0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3290042" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Why it pays to be secure – Chapter 3 – But how do I?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/18/why-it-pays-to-be-secure-chapter-3-but-how-do-i.aspx</link><pubDate>Sun, 18 Oct 2009 18:20:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3287536</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3287536.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3287536</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3287536</wfw:comment><description>&lt;P&gt;Our EMEA Security Program Manager, Henk 
van Roest, started this series internally and with his consent I am publishing it here in my blog as I think it contains a lot of great information for you to use.&lt;/P&gt;
&lt;HR&gt;

&lt;P&gt;Security — you hear about it every day. Being responsible for information security can be a daunting task, so where do you begin? &lt;/P&gt;
&lt;P&gt;From the design of acceptable use policies to preventing insiders from stealing data, the job can be a challenging one. Join Senior Security Strategist with the Microsoft Trustworthy Computing Group Kai Axford, as he explores each layer of Defense in Depth during this eight-part webcast series. Kai shows you how to mitigate the new risks in security and may have you rethinking the methods you’re using. He also spends time talking about your hot topics of the day. &lt;/P&gt;
&lt;P&gt;Specifically, there is an 8-part series, as detailed below:&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4371" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4371"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 1 of 8): Why Does Security Matter? (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 7, 2008 &lt;/P&gt;
&lt;P&gt;In the first session of the series, we discuss risk and the impact of security on the business. We look at some popular methods to assess risk and identify the need for an overall security strategy. We also explore why you should care about information security, how to measure the success of your program, and how to prove it to your boss using the concept of Return on Security Investment (ROSI). Learn how security impacts the cash flow of your business. &lt;STRONG&gt;Bring your CFO to this one!&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4372" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4372"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 2 of 8): All Bark and No Bite (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 8, 2008 &lt;/P&gt;
&lt;P&gt;In our second session, we take a look at what is considered to be the most important aspect of information security: security policies. We discuss the policies that exist within your company and how to strengthen them. After all, what good is a policy if it is not enforceable? We also investigate the most cost-effective way for you to increase the security posture of your business. What is it? You have to tune in to see! You will not be disappointed. &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4373" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4373"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 3 of 8): Gates, Guards, and Guns (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 9, 2008 &lt;/P&gt;
&lt;P&gt;Today we look at an aspect of information security that is often overlooked by technical folks. It is the physical security aspect of our job. Are you aware that every year at DEFCON there is a lock picking contest? In this session, we dive into various techniques and methods that we should be considering when it comes to providing physical security around our datacenters. We discuss some of the recent trends in this area, such as IP video surveillance, and also discuss resources that can assist you in coming up with a good overall physical security plan. (No locks were harmed in preparation of this session.)&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4374" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4374"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 4 of 8): Living on the Edge (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 10, 2008 &lt;/P&gt;
&lt;P&gt;In case you are not aware, the Internet is not a safe and happy place. Have you thought about all the other branch offices and partners you are connected to? Bad things are going on and you would like to do what you can to keep them out in the wild. In today's session, we look at some of those risks, and also discuss some technologies you should be considering when looking at securing the perimeter. You know about Intrusion Protection Systems (IPS), Intrusion Detection Systems (IDS), and firewalls, but are they doing any good? Is the DMZ as we know it today…dead? &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4375" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4375"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 5 of 8): Keeping Your House in Order (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 14, 2008 &lt;/P&gt;
&lt;P&gt;We start the week by discussing a problem that is close to your heart: your network. But how can we even begin to take on that challenge? What are some of the things on the horizon that we need to be aware of? In this session, we look at technologies and concepts such as IP Security (IPSec) Domain Isolation and Network Access Protection (NAP). We also look into some practical things that you should be doing right now to protect one of your most valuable assets.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4376" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4376"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 6 of 8): Save the Box, Save the Network (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 15, 2008 &lt;/P&gt;
&lt;P&gt;Servers. We all love them. Wouldn't it be so much easier if we simply did away with everything else? There is no argument that the multitude of desktops, laptops, and mobile devices has created headaches for the IT security professional. Just when you lock down a desktop, the sales guy gets a new laptop, and then a new mobile phone. We cannot (legally) eliminate the users, but join us to see what we can do to stay ahead of the risks! &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4377" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4377"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 7 of 8): If You Build It (Securely), They Won't Come (Level 200)&lt;/A&gt;&lt;/B&gt; &lt;B&gt;Original Air Date: &lt;/B&gt;January 16, 2008 &lt;/P&gt;
&lt;P&gt;Grab the caffeine and pizza! Today we step into the dark underground of AppDev and discuss methods for securing applications that run inside your infrastructure. As we harden the network and hosts, the bad guys are looking for other ways in, and often it is the applications being written by your own developers. Do your developers have the time and tools required to build their applications securely, or is security merely an afterthought? What tools are available to assist them? We show you today. No coding required. &lt;/P&gt;
&lt;P&gt;&lt;B&gt;&lt;A href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4378" mce_href="http://www.microsoft.com/events/series/securityexperts.aspx?tab=Webcasts&amp;amp;seriesid=109&amp;amp;webcastid=4378"&gt;TechNet Webcast: 2008 Defense in Depth Security Series (Part 8 of 8): If a Terabyte Falls in the Middle of the (Active Directory) Forest (Level 200)&lt;/A&gt; &lt;/B&gt;&lt;B&gt;Original Air Date: &lt;/B&gt;January 17, 2008&lt;/P&gt;
&lt;P&gt;Got data? Sure you do, but how much? Where is it? How is it protected? What is it worth to you? Which is the most important? If you could save only one database, which would it be? Answers to all these burning questions, as well as some closing thoughts from Kai, are going to be covered in this final session. You do not want to miss this electrifying and intense final webcast!&lt;/P&gt;
&lt;HR&gt;
Henk and Roger 
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3287536" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Events_2F00_Training/default.aspx">Events/Training</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Technology/default.aspx">Technology</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Behaviour/default.aspx">Behaviour</category></item><item><title>COFEE now distributed via a NW3C as 
well</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/16/cofee-now-distributed-via-a-nw3c-as-well.aspx</link><pubDate>Fri, 16 Oct 2009 09:15:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3287248</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3287248.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3287248</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3287248</wfw:comment><description>&lt;P&gt;COFEE is a tool available to Law Enforcement only to capture online evidence with as little training as possible. The idea behind the tool is that there is little need for highly trained staff to be available during e.g. house searches and that a normal, much less trained officer can capture all the data. Until today, Interpol was the only channel for distribution. Now, &lt;A href="http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx" target=_blank mce_href="http://www.microsoft.com/Presspass/press/2009/oct09/10-13COFEEPR.mspx"&gt;the US National White Collar Crime Center is the second organization being able to distribute it&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;If you are a Law Enforcement Agency/Officer and want access to the tool, you may contact Interpol or NW3C.&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3287248" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cybercrime/default.aspx">Cybercrime</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Law+Enforcement/default.aspx">Law Enforcement</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>SharePoint External Collaboration Toolkit moved to Codeplex</title><link>http://blogs.technet.com/rhalbheer/archive/2009/10/14/sharepoint-external-collaboration-toolkit-moved-to-codeplex.aspx</link><pubDate>Wed, 14 Oct 2009 11:20:59 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3286762</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3286762.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3286762</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3286762</wfw:comment><description>&lt;p&gt;Quite a while ago I blogged about the SharePoint External Collaboration Toolkit. 
I just wanted to make you aware that this toolkit is now moved to Codeplex and can be found here: &lt;a title="http://cks.codeplex.com/" href="http://cks.codeplex.com/"&gt;http://cks.codeplex.com/&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3286762" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/OpenSource/default.aspx">OpenSource</category></item><item><title>When it comes to security, who do you trust more - Microsoft or Google?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/26/when-it-comes-to-security-who-do-you-trust-more-microsoft-or-google.aspx</link><pubDate>Sat, 26 Sep 2009 05:18:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3283341</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3283341.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3283341</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3283341</wfw:comment><description>&lt;P&gt;I started to read the article and actually just wanted to &lt;A href="http://www.twitter.com/rhalbheer" target=_blank mce_href="http://www.twitter.com/rhalbheer"&gt;Tweet&lt;/A&gt; about it but then I voted and had to publish at least the current state: &lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;When it comes to security, who do you trust more?&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;I&gt;Microsoft &lt;SMALL&gt;(44%)&lt;/SMALL&gt;&lt;/I&gt;&lt;/STRONG&gt; &lt;/LI&gt;
&lt;LI&gt;Google &lt;SMALL&gt;(32%)&lt;/SMALL&gt; &lt;/LI&gt;
&lt;LI&gt;Neither &lt;SMALL&gt;(22%)&lt;/SMALL&gt; &lt;/LI&gt;
&lt;LI&gt;Both &lt;SMALL&gt;(3%)&lt;/SMALL&gt; &lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Total Votes: &lt;STRONG&gt;716&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;This is just now – might change but it is very good to see.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blogs.zdnet.com/hardware/?p=5583" mce_href="http://blogs.zdnet.com/hardware/?p=5583"&gt;Take your vote&lt;/A&gt; (if you need help where to click, let me know…)&lt;/P&gt;
&lt;P&gt;Roger&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3283341" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Competition/default.aspx">Competition</category></item><item><title>Moving to the Cloud: Where it worked and where I was challenged</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/21/moving-to-the-cloud-where-it-worked-and-where-i-was-challenged.aspx</link><pubDate>Mon, 21 Sep 2009 10:46:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3282223</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3282223.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3282223</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3282223</wfw:comment><description>&lt;p&gt;I am running a whole environment at home to experience our technology. However, up to now it was all “on premise”, no Cloud integration. This has to change. Therefore I was more than happy to join our internal&amp;#160; Hosted Exchange 14 beta program. We are offering the hosted Exchange program to Live@Edu – but we can use it for Friends and Families as well – which I wanted to do. There were a few requirements I had:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;As I am hosting (or better: was hosting) quite some mailboxes for my family ending on @halbheer.ch and @halbheer.info, I needed a migration which is smooth and easy and gives me the possibility to move back on premise, whenever I feel like it &lt;/li&gt;    &lt;li&gt;Due to historical reasons, I am hosting two domains for one mailbox. 
So, &lt;a href="mailto:roger@halbheer.ch"&gt;roger@halbheer.ch&lt;/a&gt; and &lt;a href="mailto:roger@halbheer.info"&gt;roger@halbheer.info&lt;/a&gt; – that’s just me &lt;/li&gt;    &lt;li&gt;I want to have Outlook 2007 and Outlook 2010 Technical Preview as the client &lt;/li&gt;    &lt;li&gt;My users are real end-users, so I do not want to have any impact on them (well I have but that’s something for later) &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;This was my starting point. I then looked at outlook.com. The information about outlook.com is on &lt;a href="http://help.outlook.com" target="_blank"&gt;help.outlook.com&lt;/a&gt;. After studying the website (yes, I read the manual) I decided to go for it - and started this Friday.&lt;/p&gt;  &lt;p&gt;The migration by itself was basically straight-forward:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Signing up for the service for halbheer.ch &lt;/li&gt;    &lt;li&gt;Adding the mailboxes, which are needed (this can be automated via scripts – samples are included on the help-site) &lt;/li&gt;    &lt;li&gt;Adding a few DNS records (e.g. SRV, autodiscovery) &lt;/li&gt;    &lt;li&gt;Changing all the DNS records (MX, SPF) &lt;/li&gt;    &lt;li&gt;Confirming the setup and making sure it is active &lt;/li&gt;    &lt;li&gt;Signing up for the service for halbheer.info (as a secondary domain) &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;The admin website just looks like this:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/photos/rhalbheer_gallery/images/3280649/original.aspx" target="_blank"&gt;&lt;img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="500x315[1]" border="0" alt="500x315[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MovingtotheCloudMyfirstexperiences_13919/500x315%5B1%5D_1.png" width="500" height="315" /&gt;&lt;/a&gt; So, it is easy to do and straight-forward. 
You can even have a joint address book with external people you want to have in your organization.&lt;/p&gt;  &lt;p&gt;It was time to get ready for the first Outlook client. As the environment requests – well, even requires – autodiscovery, this is only a matter of setting the DNS-servers right. The reason why autodiscovery is required is simple: When our Exchange Online people decide to move our mailboxes to a different server, Outlook shall automatically change the configuration. After a few hiccups, this simply worked. Take Outlook, add an account, use your e-mail address and the password and the rest is done by Outlook.&lt;/p&gt;  &lt;p&gt;And that was it! I was pretty much impressed – it took me a little bit more than an hour and then I switched off my Exchange server. This sounds too good to be true – well, it is not that easy…&lt;/p&gt;  &lt;p&gt;Let’s briefly look into a few considerations when doing something like this:&lt;/p&gt;  &lt;p&gt;Basically, there are different levels of cloud services. 
Christofer Hoff, Cisco made a good distinction based on the OSI model:    &lt;br /&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MovingtotheCloudMyfirstexperiences_13919/cloudtaxonomyontology_v15%5B1%5D_2.jpg" target="_blank"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="cloudtaxonomyontology_v15[1]" border="0" alt="cloudtaxonomyontology_v15[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MovingtotheCloudMyfirstexperiences_13919/cloudtaxonomyontology_v15%5B1%5D_thumb.jpg" width="500" height="421" /&gt;&lt;/a&gt; and then he maps it to the security controls:&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MovingtotheCloudMyfirstexperiences_13919/frogs-cc_sc0621%5B1%5D_2.jpg" target="_blank"&gt;&lt;img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="frogs-cc_sc0621[1]" border="0" alt="frogs-cc_sc0621[1]" src="http://blogs.technet.com/blogfiles/rhalbheer/WindowsLiveWriter/MovingtotheCloudMyfirstexperiences_13919/frogs-cc_sc0621%5B1%5D_thumb.jpg" width="500" height="375" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Clearly I use Software as a Service in this model. I move my whole mail-system to the cloud. Therefore I have to address a few questions:&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Compliance, Policy Enforcement and Risk Mitigation&lt;/strong&gt;: This is not a big deal in my case – however, it might be one for you. I am using here a free, beta service. There are some policy options you can enforce in this given service through Powershell. However, if you enter a deal to outsource a service, make sure you understand how you can ensure policy compliance. 
From a risk perspective, I significantly reduced the risks with regards to availability – which was my goal. I actually transferred it.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Data Security and Control&lt;/strong&gt;: From my point of view, this is probably the “easiest” of all challenges for an e-mail application. There are basically two options to protect the confidentiality of your mails: You can use S/MIME and encrypt the mails or use &lt;a href="http://www.microsoft.com/windowsserver2008/en/us/ida-information-protection.aspx" target="_blank"&gt;Rights Management Services&lt;/a&gt;, which does much more than to encrypt the mail – it protects it from forwarding, copying etc. As long as you control the key and/or access to the services (in the case of RMS), you are pretty much safe. The problem stays with the contacts, tasks and calendar which you cannot encrypt nor RMS-protect. In my case, this is not a problem and we have to see – again – the scope of the service I use.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Service Availability and Reliability&lt;/strong&gt;: Well, this was the real reason, why I moved to the cloud. This is now not my problem anymore and I guess that Microsoft has more experience running such a service and a little bit more capacity than me…&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Application Security&lt;/strong&gt;: In the case of mail, there is no real difference on the application layer security between on-premise and in the Cloud as we both use Exchange. The only discussion point here is about patch management. This is now outsourced as well. I guess we are on par here as my servers are usually updated (and rebooted!) within a few days after the release of a security update.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Identity and Interoperability&lt;/strong&gt;: Leaves the biggest one in the cloud in my opinion – the identity (interoperability is not really a problem in the mail scenario). 
As this offering is targeted at a service we call &lt;a href="mailto:Live@Edu"&gt;Live@Edu&lt;/a&gt;, where we offer &lt;a href="http://www.live.com" target="_blank"&gt;Live&lt;/a&gt; services to the education sector, the identity management problem is solved as it bases transparently on LiveID to deliver the service. The accounts are generated if necessary as soon as you create the mailbox. Transparent and easy. In my case it was a bigger challenge as I am running my on-premise domain. Currently in this environment we would need to be able to federate my on-premise identity out to the Live environment, which is not a scenario, which is supported with the mail service offered. What you can do is a &lt;a href="http://help.outlook.com/en-us/140/dd575560.aspx" target="_blank"&gt;GAL sync&lt;/a&gt; to synchronize your Active Directory environment with the Exchange environment, which already helps you to keep the accounts in line. However, to me the whole area of federated identities and claims-based identities will most probably be &lt;u&gt;the&lt;/u&gt; big theme of the cloud.&lt;/p&gt;  &lt;p&gt;A few final challenges and remarks: So, after the migration, everything works well and fine and smooth – well, until I realized that there are a lot of internal services, which count on an accessible SMTP-server which does not require authentication (sometimes this is solvable) but for sure no encryption. SCOM, WSUS, SharePoint, my NAS, my Access Points, my &lt;a href="http://gallery.halbheer.ch/" target="_blank"&gt;Photo Gallery&lt;/a&gt; – just to name a few. All of a sudden a service, which was offered internally, is not offered anymore… I finally solved this as well – but honestly, this was the biggest chunk of work at the end of the day. The whole planning of the migration did not consider such dependencies – or better: My planning of the migration… The dependencies in your network should not be underestimated. 
Especially the ones you never knew of…&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3282223" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft+Products/default.aspx">Microsoft Products</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Cloud+Computing/default.aspx">Cloud Computing</category></item><item><title>Is the “Managed Desktop” the ultimate solution?</title><link>http://blogs.technet.com/rhalbheer/archive/2009/09/01/is-the-managed-desktop-the-ultimate-solution.aspx</link><pubDate>Tue, 01 Sep 2009 11:39:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3278422</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3278422.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3278422</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3278422</wfw:comment><description>&lt;p&gt;When I talk about the big trends, one of them is about the call of the younger generation for more flexibility. Flexibility in this context is about where you work, when you work and how you organize yourself. If you take this as a given, you have to wonder whether today’s IT is able to cope with that. In a lot of companies, they roll out a “one size fits all”-image to the desktop, thereby making sure everybody has the same image. This has definitely a good side as the management of it is kind of less expensive as you know what the image looks like (or should look like).&lt;/p&gt;  &lt;p&gt;The longer the more I question that for a limited set of users. 
Just to be very clear: I do not say that you should change this policy completely but it might be worth considering changing it for a defined set of users. Let me give you a few examples:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;There was one company (a worldwide company) who decided to let you take a test (if you want) and if you prove to be able to handle your computer yourself, you get money to buy what you think you need. &lt;/li&gt;    &lt;li&gt;I used to work for a consulting company which was running Windows XP back then. You had basically two options: You could get a standard image loaded and completely managed by IT. Or you could get a standard image loaded, get the local admin and take care of it yourself. If you had problems, they tried to help you a little bit but pretty soon decided to flatten your computer and install the standard image – that was your risk you had to deal with but it worked fairly well (except for a lot of people being local admin on their box). &lt;/li&gt;    &lt;li&gt;Last but definitely not least – look at Microsoft. You can get the Microsoft IT image if you want (even over the network you can do it yourself) or install and join the machine to the domain yourself. This makes sense as a lot of people have a different appetite for betas and beta testing. Additionally a Country Manager might have a different need than me. The key thing in here is about policy compliance and ensuring policy compliance – this is where Network Access Protection comes into play (something I want to blog about later). &lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;So, giving the next generation the right tools to be productive rather than limit their productivity will be a real key challenge I guess. &lt;/p&gt;  &lt;p&gt;For quite some time I felt like being the lonely guy in the desert. I actually had a CSO once leaving the room when I said this (about 3-4 years ago). 
I now just stumbled across an article: &lt;a href="http://www.slate.com/id/2226279" target="_blank"&gt;Unchain the Office Computers! Why corporate IT should let us browse any way we want&lt;/a&gt;.&lt;/p&gt;  &lt;p&gt;Well, I do not like the Firefox example ;-) but basically this will be the future – I am convinced. Rather than walking around and telling everybody that this is not possible due to security reasons we have to think about how to make it possible. What would this mean? E.g. persistent protection of information (Rights Management), enforcing policy compliance on the network, the perimeter will probably be between client and server (or between trusted and un-trusted systems or between compliant and non-compliant systems)…&lt;/p&gt;  &lt;p&gt;At least there will be a lot of interesting stuff to do…&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3278422" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Trends/default.aspx">Trends</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Processes/default.aspx">Processes</category></item><item><title>Why it pays to be secure - Introduction</title><link>http://blogs.technet.com/rhalbheer/archive/2009/08/22/why-it-pays-to-be-secure-introduction.aspx</link><pubDate>Sat, 22 Aug 2009 13:06:40 GMT</pubDate><guid 
isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3275879</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3275879.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3275879</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3275879</wfw:comment><description>&lt;p&gt;Henk van Roest, our EMEA Security Program Manager, is running a pretty successful internal blog. Before summer vacation he started a series called “Why it pays to be secure” which I think has some great information in it. I asked him then to go public with it but he told me that he is not doing this kind of outside communication but that I should feel free to use the content, which I am going to do – thank you Henk.&lt;/p&gt;  &lt;p&gt;I will basically copy/paste his series over time. So I do not want to take the credit for the great work he did. Let’s start with his introduction today.&lt;/p&gt;  &lt;hr /&gt;  &lt;p&gt;In the Security Incident Response Team we are often faced with support cases from customers compromised through some malware which is wreaking havoc in their environment.&lt;/p&gt;  &lt;p&gt;Usually the customer says that deploying updates to software (not just MS Software) is too time consuming, too expensive and too disruptive to their environment.&amp;#160; Of course the resulting issue is usually also quite disruptive e.g. 
Conficker.&lt;/p&gt;  &lt;p&gt;Microsoft has done a great deal of research into managing an IT environment as well as numerous studies with some of our customers to discover the “True” cost of a managed environment.&lt;/p&gt;  &lt;p&gt;I thought it was useful to start a series of posts on the subject of &lt;a href="http://technet.microsoft.com/en-us/updatemanagement/bb245735.aspx"&gt;Update Management&lt;/a&gt; and &lt;a href="http://technet.microsoft.com/en-gb/infrastructure/default.aspx"&gt;Infrastructure Optimization&lt;/a&gt; that might allow you to have good conversations with your customers on the subject.&lt;/p&gt;  &lt;p&gt;So for the purpose of this introduction I’ll just copy one little piece from a study done in 2006 (so this is not a ‘new’ thing):&lt;/p&gt;  &lt;p&gt;&lt;b&gt;WINDOWS DESKTOP BEST PRACTICES &lt;/b&gt;&lt;/p&gt;  &lt;p&gt;In this research, IDC evaluated more than 20 potential best practices and identified three that are consistently used by top-performing IT departments for optimizing Windows desktops.&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;&lt;b&gt;Standard desktop strategy (savings of $110/PC). &lt;/b&gt;Deploying a standardized desktop by minimizing hardware and software configurations. &lt;/li&gt;    &lt;li&gt;&lt;b&gt;Centrally managed PC settings and configuration (savings of $190/PC): &lt;/b&gt;Keeping deployed PCs standardized by preventing users from making changes that compromise security, reliability and the application portfolio. &lt;/li&gt;    &lt;li&gt;&lt;b&gt;Comprehensive PC security (savings of $130/PC): &lt;/b&gt;Proactively addressing security with antivirus, antispyware, patching, and quarantine. 
&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;&lt;a href="http://download.microsoft.com/download/a/4/4/a4474b0c-57d8-41a2-afe6-32037fa93ea6/IDC_windesktop_IO_whitepaper.pdf"&gt;http://download.microsoft.com/download/a/4/4/a4474b0c-57d8-41a2-afe6-32037fa93ea6/IDC_windesktop_IO_whitepaper.pdf&lt;/a&gt;&lt;/p&gt;  &lt;hr /&gt;Henk and Roger</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Security/default.aspx">Security</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Policy/default.aspx">Policy</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category></item><item><title>The Microsoft Security Update Guide</title><link>http://blogs.technet.com/rhalbheer/archive/2009/08/13/the-microsoft-security-update-guide.aspx</link><pubDate>Thu, 13 Aug 2009 15:30:23 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3273109</guid><dc:creator>rhalbh</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/rhalbheer/comments/3273109.aspx</comments><wfw:commentRss>http://blogs.technet.com/rhalbheer/commentrss.aspx?PostID=3273109</wfw:commentRss><wfw:comment>http://blogs.technet.com/rhalbheer/rsscomments.aspx?PostID=3273109</wfw:comment><description>&lt;p&gt;I know that this news is not new but I was away when we announced it and to me it is important enough to take it up afterwards.&lt;/p&gt;  &lt;p&gt;Over the last few months we worked on a document explaining everything which is going on around an Update Tuesday. So, what is an Advanced Notification, what information do you find in a Security Bulletin and how should you handle this kind of information etc. We announced this document during Blackhat. 
To quote from the download page:&lt;/p&gt;  &lt;p&gt;&lt;em&gt;This Guide was designed to help IT professionals better understand and use Microsoft security release information, processes, communications, and tools. Our goal is to help IT professionals manage organizational risk and develop a repeatable, effective deployment mechanism for security updates. In this Guide, you will find a convenient glossary of terms, an overview of the Microsoft Security Bulletin process, and a stage-by-stage review of Microsoft Security Updates. &lt;/em&gt;&lt;/p&gt;  &lt;p&gt;I think Michael Grady did an outstanding job pulling this all together.&lt;/p&gt;  &lt;p&gt;It can be found and downloaded here: &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=c3d986d0-ecc3-4ce0-9c25-048ec5b52a4f&amp;amp;displaylang=en"&gt;The Microsoft Security Update Guide&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;Roger&lt;/p&gt;</description><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Microsoft/default.aspx">Microsoft</category><category domain="http://blogs.technet.com/rhalbheer/archive/tags/Patch+Management/default.aspx">Patch Management</category></item></channel></rss>