IT Practice Within Microsoft
SilentChris writes "Good article over at CNet regarding Microsoft's internal IT practices. Some intriguing statements from the CIO, from the obvious ('It's an easy choice for me--to run Microsoft technology. We don't run Unix. We don't run Linux. We don't run Oracle.') to the not-so-obvious ('Our users are the admins of their machines. They can load whatever software they want on their machines, but we do audit the network continuously.') I wonder how much time is spent combatting spyware?"
I thought that it was normal corporate behaviour to look at their competitors. A long time ago there was a story here on /. where one of the lead devs of IE admitted that he ran Firefox. But when this guy doesn't run *nix and Oracle, how should he be able to compete with them?
"We get 10 million e-mails a day coming into Microsoft. We delete more than 9 million of those as spam." Well I wonder why you're so popular...
This is one of those witty signatures that you'll remember.
That's the only way to run a network of computer-savvy users. Imagine a metalworking shop that wouldn't let the machinists adjust their own wrenches. You'd have to put a call-ticket in to "Tool Technology Support" and after a few hours (if you are lucky) or days (if you aren't) some kid comes over who doesn't know anything and tries to adjust your hammer.
Because the various versions of Windows all reveal their bias as a single user operating system, and even its creators despair at efficiently administering a Windows network.
So, if "We don't run Unix. We don't run Linux.", then WTF did Microsoft feel the need to pay SCO all those millions of dollars for UNIX licenses? Unless, of course, the money actually came out of the "Marketing/FUD" budget instead of the "Software Licenses" budget...
UNIX? They're not even circumcised! Savages!
Some of the spyware that is out there will utilize known security vulnerabilities to install itself on the machine WITHOUT the user being an Administrator.
Also, quite a bit of spyware will simply install itself to the user profile (hotbar, etc.); the only way to combat these types of spyware is to utilize Mandatory Profiles.
Spyware is an ongoing problem with ANY Windows machine, whether it is "secured" or not.
Pardon me for standing up for them, but
Peeves me off when the people writing the software are not trusted to administrate their own computer which they are writing software for (or some equivalent thereto). What's with this growing American sentiment that nobody should be trusted with tools, that only someone special should be (without noting the perversity that if nobody can be trusted, then nobody can be trusted)?
Can we get a "-1 Wrong" moderation option?
We don't run Unix. We don't run Linux. We don't run Oracle. We're 100 percent Windows, SQL Server.
That makes for a great testing environment for Windows Services for UNIX, huh?
I have a hunch that a really good way for MS to make sure it only has (reasonably) computer savvy employees would be to - ahem - "terminate" anybody who couldn't keep their computer clean. I mean, if a guy is coding MS security stuff, and can't keep a single desktop safe, he doesn't belong there...
William George
With every user at MS an Administrator of their own machine, it's no wonder that it's so hard to implement any other security model using Windows.
... but wait, that doesn't work well in an enterprise using Active Directory, does it?
... but Microsoft doesn't make any.
...
I hope some of those users are smart enough to give themselves a luser account and run under it
Maybe they have an enforced policy of using anti-spyware and anti-virus software
Maybe they have extensive training classes with stock options going to those who don't spread viruses (sort of like those "accident free days" campaigns you see at some companies). But wait, no one wants their stock any more
Oh well, they're Microsoft -- they must know what they're doing.
sigs, as if you care.
The people often bitten the worst by Spyware/Malware are very smart, very computer savvy people. The problem is they don't realize all of the tricks that they will use to get onto your system. Besides, it can't happen to them! Many times people will recognize they've been bitten right away by an accidental misclick but by then it's too late.
So while people might not be idiots, most should never be trusted with elevated privileges. But Windows does give you an option (or they are very painful) so load up the maintenance costs with all sorts of software and network monitoring because MS refuses to learn lessons painfully realized 20 years ago.
For the love of all that is good and holy, I wish MS would abandon certain technologies (Active X hosting in application frameworks), I wish MS would stop requiring user level tasks with elevated privileges, and I wish people would stop making excuses for MS. Reinstalling from a backup image is not the proper way to fix problems on a platform that is supposed to be "enterprise enabled".
but since the users admin their own machines, the CIO can deny any knowledge of it.
One big thing I heard comes from Oracle. Oracle (the company) runs Oracle (the database). It was a mandate put down from on high and seems to make at least a modest amount of sense.
Think of it this way. The biggest way that you figure out that something should be tweaked is if you are the user of the system. Those admins that never use the systems that they deploy and work on have quite a bit harder a time trying to understand just what the program is trying to do, and what to do about it when it fails. To add to that, they never come across bad quirks that no one mentions because they're just that, quirks. It doesn't cause the system to fail or halt or mangle any data, but it sure is annoying when it does it.
To live and die by your own software is not a bad thing. It gives you not only the developer's perspective of designing and implementing a solution, but also allows you to see whether or not what you made is actually useful. Don't read too much into this post, like I support Microsoft totally (they can be quite an ass of a company), but the mentality is sound and used in more companies than just Microsoft.
We do [...] have an open-source client running--just for competitive analysis. As an IT organization, I have no skills and no ability and no purchasing of those products.
So he's an IT manager with no skills in the IT industry other than MS-related? Someone could call this "to be blind and overconfident".
Me, I call him a lucky guy that is probably paid >= 4000€ a month to say to the world "I don't know a thing about IT, but with MS my income has doubled". Heck, being on Bill's bill, McBride can say that too!
42.
"We're 100 percent Windows, SQL Server" Hold up a second, now. How the heck do they expect to know if their products are good or not, if they have nothing for comparison? You've got to be -very- familiar with both sides of an argument if you expect to win it.
Unpleasantries.
Here I am, as an admin, trying to make sure all of our applications work on XP with regular user IDs, and it's so frustrating.
I get so pissed when I hear that some third party application requires admin to run... now I find out the people writing the OS are running it as admins. So much for these bugs coming out in the wash... then again, for MS, the end user is considered "the wash".
For someone who has to deal with these problems all the time, reading something like this is very discouraging.
I'll bet you anything that they have Unix servers and Oracle databases for comparison purposes though.
Probably they do, but how much real comparison can you do without running production systems? It could be just a small piece, but to ignore what it's like to maintain other products in production is short-sighted, I would say.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I work for an Electrical and Computer Engineering department. Now one would think that the Computer Engineers at least would be competent. Well, not so much actually. Most of them are... how to put this... MORONS when it comes to computers.
We have an Internet Technologies Lab. This is the lab where they study networking and so on. These are the engineers that study this, they have degrees in this. However they have the most piss poor understanding of network fundamentals and security I've ever seen. They get boxes hacked all the time, they continually have problems with simple things like getting their subnet set correctly, and if their switch goes down plugging it in is too complicated a concept.
Just because someone works in a computer related field, doesn't mean they are good at the support end of computers. I'd like to think that programmers and engineers ought to know enough to avoid spyware and such, but I know from experience that's not the case. Just because they can write good code doesn't mean they are good system administrators.
Who's to blame for that?
Microsoft has a publicly available set of guidelines for writing applications that run under limited privileges. If John Carmack didn't follow those specs and requires you to run Doom 3 as admin, is it Microsoft's fault?
GCC is included in Interix because it's the only compiler that can make UNIX-style executables in PE/COFF format, and because most applications either explicitly require GCC or require shared objects. But Microsoft doesn't use GCC for the tools that weren't originally GNU (most aren't, they come from some BSD), and GCC and GNU are optional components, not included in a standard installation.
Make a difference - use Windows! (open source clone of Windows NT)
A gazillion out of work and a gazillion that I'd want to employ are two very different things. I have a hard enough time recruiting for a department of 15, let alone trying to do it at the sort of scale he's talking about. The truth is that Sturgeon's Law holds just as well for IT staff as for anything else. In fact, if my experiences are anything to go by, he was being optimistic...
"The invisible and the non-existent look very much alike." -- Delos B. McKown
Obligatory rant here... how do they know it's the best product if they never run anything non-Microsoft?
The point is they're eating their own dogfood. They may not have the absolute best product in the world, but it does everything they need it to do. If the only way to get feature X is to install Oracle WhizBangPro 5.0, they refuse to do it: they just write that feature into their own software. And thus, their software has all the features they need.
Given that the IT needs of Microsoft probably rival or surpass almost any other organization, I'd say that probably qualifies their products as at the very least among the best.
I don't like Microsoft products, overall, but purely for technical reasons. There's no place for emotions or politics in solid-state circuitry. (I've heard that stressed silicon does better than regular, but I don't think that's the kind of stress they mean.)
However, Windows is still a good system to use, for a lot of things. X is way behind on supersampling, anti-aliasing and other similar techniques for smoothing out graphics. It has improved, but Windows is the better of the two. For related reasons, it would be hard to develop a top-of-the-line GUI Desktop Publishing system for X. There are stacks of them for Windows and the Mac.
Where Windows is strong is in presentation. Apple were there first, but since they keep reinventing the wheel, they don't get to build much on what they already have. I'd say Apple is still the best, there, in terms of absolute quality, but Microsoft is able to leverage their experience in a way Apple doesn't.
There is no fundamental reason why Linux can't be good there, too. The hardware doesn't give a damn what OS is being used. Why should it? Although there is some work on improving X and developing better representational systems, it remains essentially a stack of bitmaps on a pixel-based virtual screen.
(I also hate the fact that X is horribly generic, with acceleration largely being done by high-end vendors for their own private distributions. Very few - if any - Linux distros have optimized X binaries for their platforms.)
Berlin (now Fresco) offered the potential for busting out of a lot of the old, less useful, paradigms, but it's dead. Dead as a doorknob.
I use both Linux AND Windows. (And OpenBSD and Plan9.) There are technical things I resent about all of them, and there are personality quirks I dislike about proponents for each.
Some people say all OS' suck. Well, if the OS developers stopped worrying about how much their rivals sucked, they might be able to learn from what they've done right.
Evolution is asymptotic to perfection (ie: it tends to it, even though it'll never actually reach it). Learning from others will advance you along the line. Rejecting outright what others have learned, purely because they learned it first (the "Not Invented Here" syndrome) WILL push you further back.
There's only one way to get closer to the goal, and it's not through excessive pride in one's achievements, or prejudices against those of others. Pride and Prejudice makes a great book title, but a really lousy corporate strategy.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I know it's a joke, but when you need to do stuff like kernel debugging, testing stuff with GDI, yes, you need Admin privileges. It's unavoidable. However (I worked there as an intern this past summer), they do emphasize non-admin accounts when possible, and certainly for application-level work it's doable. I did it at work, and I do it at home.
A lot of people complain about Microsoft making Windows unusable with non-admin privileges, but I honestly am using it fine with such privileges. Sure, every once in a while I need to install an application, in which case I right-click the installer and select Run As (I think press Shift if you don't see that menu item), and games are notoriously bad for requiring admin privileges to do CD checking, but stuff like running Word, coding in VS.NET, and surfing are entirely doable without admin privileges.
As an aside, I've found that with games, cracking the game and making their entire directory world writable works almost all the time if you want to run as non-admin. Although it's even nicer when they don't require CD checking such as *ducks* Steam HL2 and UT2004.
I recall that MS used to use Akamai to mirror their website. If they still are, that would explain the non-Windows OSes in the list (which I can't see right now, as Netcraft isn't responding for some reason).
Xfce: Lighter than some, heavier than others. Just right.
A: "It's hard to capture the overall time spent on security, but 10 percent is probably about right."
This is exactly what is wrong with Microsoft Security. It needs to be the total responsibility of a few individuals who work closely with the larger security community. Clearly, when security is everyone's problem and they spend 10% of their time on it, then it is really nobody's problem. (Except that then it is everybody's problem!)
Microsoft could save money and improve it by outsourcing security. Rather than trying again to fix a broken culture, why not just admit it's broken and realize that other companies use outside resources and it works fine for them. For example, would you buy an extension cord without it first having been researched by Underwriters Labs? Would you go to a hospital that was not inspected by JCAHO?
"Can there be a Klein bottle that is an efficient and effective beer pitcher?"