Slashdot Mirror


Microsoft Security Whitepaper

An anonymous reader writes "Microsoft last week published a document on its Web site that describes how the company manages security on its own 300,000 node corporate network. The document is basically a dry discussion of IT risk management strategy, with lots of references to 'asset classes' and 'stakeholders,' and about five, nearly identical 'cycle of life' type diagrams showing how one risk management strategy leads to the next and so on, in a never-ending process. However, the document does open a window on how the biggest, richest software company in the world does security: from the deployment of 65,000 smart cards (let's see, at $50 a piece, that comes to....?), to MS's admission that 'there is a medium to high probability that within the next year, a successful attack will occur that could compromise the High Value and/or Highest Value data class.' According to the document, that includes things such as source code or human resources data."

8 of 269 comments

  1. they by AnonymousCowheart · · Score: 5, Funny

    they recently published the bug list too

  2. Good to see by H.G.+Pennypacker · · Score: 5, Interesting

    It is encouraging to see a big security industry leader such as Microsoft make such a public display of its unwavering belief that security through obscurity is not security at all - by publishing an open document on its security infrastructure. Perhaps other large players could take a cue from this (IBM, Sun)?

    --
    -- HG Pennypacker, wealthy industrialist and philanthropist
  3. Re:Smart cards $50??? by Anonymous Coward · · Score: 5, Interesting

    I was thinking along similar lines, then I had a look at the linked document which states:

    "OTG estimated that at a price range of approximately $55-75 per user, including labor for deployment and tool development as well as hardware such as cards and readers, Smart Cards were an inexpensive way to significantly strengthen corporate security."

    So evidently $55-75 per user is a reasonable amount for them to pay for each user inclusive of hardware and software development.

    To be honest it sounds like a lot to roll that out to 65,000 users, but when you consider that this cost is tiny compared to what those guys get paid, the actual investment across the workforce is negligible. I mean if you can afford to pay 65,000 employees, you can afford to spend $55+ on each of them. And considering that a network intrusion might be the outcome of not doing it (See Valve for more information) it's incredibly cheap.

  4. Re:Real discussion by Anonymous Coward · · Score: 5, Interesting

    Thank you! I too tire of the 'ms sucks' posts.

    I work with MS once in a while to get a bug fixed. Like ANY major software out there they have bugs just like the rest of us. Worked with a nice gentleman yesterday. He traced through their code for me. I would have done it if I had the code. But it's their code, and I respect that. They were looking into why an API I use in my code changed after a 'security' hotfix. After an hour of tracing he found that it was wrong. I knew that, but that's ok too, he had to prove it to himself. After all that he told me 'if it's a security hotfix it will not be fixed; you're lucky the code ever worked the way you were using it'. He was right, I knew what they had done and it's a good thing.

    The moral here? They are deadly serious about security. They will not back out a fix just 'cause'. They are fixing the holes that are there.

    I am convinced they are enduring some of the most punishing testing on the face of the planet. To use a term from open source, 'many eyes make all bugs shallow'. They are on a much larger number of desktops than any other OS out there.

    I have never found them 'arrogant', 'loud mouthed', or 'bullying'. Like I find on slashdot sometimes about open source. I have found them to bend over backwards to fix ANY bug they have. They do not pounce on it. But they DO fix it. They do not 'hack' it into the code. They test it and make sure its good. If you act like an ass to them they respond in kind. They have THOUSANDS of bugs to fix and they have prioritized them. They only have so many 'core' developers and they are trying to write new stuff and retrofit old stuff.

    They have a serious challenge. The code is basically done. They now have to go through it ALL and fix things that were never a priority for them. I would cringe at someone coming up to me and saying my code has the same serious problem in every module, and every function. That is basically the problem MS has. And making the code 'open source' would make the problem better in some ways, but much worse in others. Also would you want them to rush out a fix for something? Or test it and make sure it works? Also if you want top shelf support out of MS you need to talk in the language of the corporate world. You need money to wave at them. Otherwise get in line with the thousands of other people.

    Also do not be fooled by the idea that Linux has no 'serious' bugs. They exist, can you say 'root kit'. If you believe that Linux is secure by default you're living in a dream world, Neo.

    I look at the two systems as tools for me to do things. I have both types of boxes. I use both for many things all the time.

  5. Some people at Microsoft are smart. by Anonymous Coward · · Score: 5, Insightful

    And don't you forget that. Microsoft DOES have people with considerable technical skill and knowledge. I'm guessing that the probability of a security breach was calculated by the people who know what they're doing.

    The problem is that you don't get to be the biggest software company in the world without selling products. (And Microsoft is arguably the most important software company - although I think overall Linux is more important in its potential as an equalizer - there is no one single Linux company).

    Selling products implies marketing. This is where it goes wrong. The second that product development is driven by marketing telling customers what features they want - things explode. I mean, really - half the crap in Windows and Office was never wanted by customers in the first place.

    I'd still prefer to be using BeOS (I loved 5.0, but lack of support for new hardware meant I had to move on), so Windows 2000 is a pretty good compromise for my needs.

  6. Re:more of the same, over and over and over by mao+che+minh · · Score: 5, Insightful

    We are always sarcastic when it comes to Microsoft's relationship with security because of the many unpaid hours of overtime it has cost us.

    I, like many here I would imagine, have to manage a lot of computers. In any common enterprise environment systems tend to range from old Windows 95 systems whose only purpose is to drive some old piece of software with a very specific function, to Windows 98 and 2000 workstations, to Macintosh boxes for the marketing folk, to Linux servers running enterprise anti-virus solutions, to Netware servers running ZENworks, to 16 processor HP-UX beasts for databases, to OS/2 servers that run physical security systems (like magnetic card readers that grant access to the NOC for certain people/staff).

    Of all of these operating systems that we people manage, a disturbing trend of insecurity has always plagued the Windows operating system(s) and the applications that Microsoft pushes for it. For years. Email clients, mail servers, web servers, core OS components, or just plain bad OS design that leads to the easy proliferation of things like viruses and worms. And worst of all: there is no escape from it. Everyone uses it, the management only wants stuff that is "supported" and/or "warrantied", and let's face it, it gives us job security.

    So, when we relax, unwind, and gripe, we tend to end up taking a stab at the shitty software that has absorbed so many of our hours - time that could have been better spent having fun, or with our families, or responding to morons on web forums. You know.

  7. Re:is it ALL white? by Lost+Dragon · · Score: 5, Funny

    No, no, silly. It's white text on a white background. That's part of their security layer.

  8. Then why the hell are you reading slashdot? by xeno-cat · · Score: 5, Informative

    Oh those MS guys aren't bad people, they're just misunderstood!

    For some reason you wrote:
    "Realisticly, what is the point of trying to exploit linux? Why exploit the little guy when you can go after the big fish?"

    Apache is the single most prevalent web server on the internet. Why then is it that hackers "target" IIS? Maybe because it's easier?

    and decided to continue:
    " they do employ some of the best and brightest in the world. I imagine some of you may not believe that, but I do."

    Have you seen Ballmer lately? The problem with working for MS is that, even though you may be smart, you're just wasting your time. Who cares that you can give a lecture on some brilliant way to link corporate data to business users if your entire architecture needs to fit into a proprietary MS 5 year plan for the enterprise?

    MS has had 20 years and billions in funding and the best they can come up with is Windows XP. XP solves problems that Unix, Apple, X, NeXT, Amiga, et al. solved a decade ago. MS produces over-architected, under-engineered gaming consoles that aren't even compatible with themselves.

    If you're looking for "fair and balanced" where are you going to go? Read a friggin' Windows rag if you want to "balance" Slashdot. I'm sure there are plenty of fine articles on .NET just waiting to provide you with hours of fun-filled and objective learning experiences.

    Kind Regards

    --
    "A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w