The Microsoft machine churns on

Redmond's elves are hammering on security -- and have the reports to show for it

I could do it. But we both know you’re hoping I don’t. It’s the very last column of 2005, so tradition says we should either talk about “The Top 10 Microsoft Somethings of 2005,” or I should skip straight ahead to “The Top 10 Microsoft New Somethings of 2006.”

Forget it. We’re not doing that. If you really, absolutely want to read Oliver’s Microsoft Predictions for 2006, then e-mail me, and if enough folks ask, I’ll write it for next week. Meantime, there’s too much good stuff to giggle about without requiring any conjecture at all.

Yes, Microsoft hasn’t been idle during the holiday season -- they’ve been working on security again. Really working. The result is several new documents, two of which are basically in-depth interview-style reports; the other two are more formal in-depth guides. The reports concern two articles published by Redmond about how Microsoft’s IT department has improved security using Microsoft products.

Now, I know what you’re thinking: “Sure they use Microsoft products. I bet they have a whole bunch of Unix servers in a secret cave beneath the Redmond Starbucks that really run things.” That’s what you’re thinking. 

Well, I’ve been up there and talked to Microsoft IT, after signing my name in my own blood promising never to speak of specifics regarding that interview or the datacenter tour that followed.

Turns out, Microsoft’s got a hell of a NOC -- and it wasn’t even its flagship NOC, but an older NOC that's now a backup operation to the primary one. I don’t rate high enough to tour the primary NOC, where I would have been frisked, violated in my nether regions, and subsequently shot simply for walking through the door.

But even without the flagship experience, one thing was obvious: Microsoft eats its own dog food. I know this because they kept repeating it to me like some pre-Kool-Aid mantra. From the PR folks to the IT managers down to the IT workers, everyone said it: “We eat our own dog food.” I was going to make the gourmet Alpo crack, but I managed to hold my tongue.

Meantime, the tour showed pretty much beyond a reasonable doubt that Microsoft does run its 20,000-plus node, international network on 99 percent Windows technology, including servers, workstations, and edge security. (I’m hedging on that last 1 percent in case some starved whistle-blower covered in torture welts stumbles out of Redmond next week clutching a 1U running Debian.)

It’s the edge security bit that was the focus of Microsoft IT's announcement this past Saturday. As Santa was hitching up his sleigh, Redmond posted a document discussing how Microsoft IT has made significant remote access security improvements using new Microsoft technology. Or should I say “technologies”? Because once you're all up in that doc, the sheer number of new product CDs being thrown around could have decorated my tree.

This latest generation of Microsoft security products -- all of which were required to make the remote access improvements -- goes like this: Windows Server 2003, Internet Authentication Service, Internet Security Accelerator 2004, Microsoft Operations Manager 2005, SQL Server 2000, Public Key Infrastructure & Certificate Services, and Connection Manager. Hey, if Santa got into Bill’s chimney, that much stuff should have alerted U.S. Homeland Security.

But we’re still not done: All those changes were required as an underlying platform to deploy a final piece, called SRU (Secure Remote User), which is what Microsoft's security doc is really about. Redmond’s IT department says SRU allows it to control specific remote desktops and their configurations. This, in turn, lets it be absolutely certain of every remote desktop’s kosherness, and that in turn means a reduced threat of external malware attacks.

Microsoft IT also published a document about how it manages inbound e-mail traffic, with a specific concentration on spam and malware-infected messages. The paper touts its use of Exchange and Outlook with its new beefed-up spam filters, but does make specific references to third-party products that are also required. It's worth reading, especially if you’re an Exchange admin. You can get the second paper here.

And if that’s not enough reading for you, Microsoft’s busy elves also spent the weekend delivering The Microsoft Windows Server 2003 Security Guide and the Microsoft Threats and Countermeasures Guide (Version 2.0).

I actually like the first one. Windows Server 2003 really is a huge step up from a security standpoint over previous Windows server iterations, and finding all the relevant features -- and managing them when you do -- can be difficult. For those in that boat, this is the guide for you.

The Threats and Countermeasures Guide, however, should have been held back until Version 3 because, although it’s up to date for threat settings for Windows Server 2003, its threat settings for Windows XP Pro cover only SP1. Hey, SP2 isn’t all that new, folks. I don’t think it’s too much to ask that new documentation, especially from All-Seeing Redmond itself, should take that into account.

Want a prediction for 2006? This is only the start of Microsoft’s security push: By year’s end, these folks want to be considered frontrunners in the network security market. Love the attitude, but Oliver doesn’t think they’ll be able to pull off that kind of perception shift in that kind of timeframe. Let’s talk again in 2007.

Copyright © 2005 IDG Communications, Inc.
