Slashdot Mirror
IT Practice Within Microsoft
SilentChris writes "Good article over at CNet regarding Microsoft's internal IT practices. Some intriguing statements from the CIO, from the obvious ('It's an easy choice for me--to run Microsoft technology. We don't run Unix. We don't run Linux. We don't run Oracle.') to the not-so-obvious ('Our users are the admins of their machines. They can load whatever software they want on their machines, but we do audit the network continuously.') I wonder how much time is spent combatting spyware?"
I thought that it was normal corporate behaviour to look at their competitors. Long time ago there was a story here on /. where one of the lead devs of IE admitted that he ran firefox. But when this guy doesnt run *nix and oracle, how should he be able to compete with them?
Aha! So that's why longhorn is taking so many years to write..
feh. stuff.
I'm sure his relatives call him up constantly when their computer has problems.
"We get 10 million e-mails a day coming into Microsoft. We delete more than 9 million of those as spam." Well I wonder why you're so popular...
This is one of those witty signatures that you'll remember.
"We don't run Linux....we run GNU/Linux"
There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
users are the admins of their machines.
So even Microsoft has realized you can't do crap under a limited login in XP.
I like you, Stuart. You're not like everyone else, here, at Slashdot.
Of COURSE they allow users to admin their own machines at Microsoft. Half of their software won't run correctly in XP unless the user has Administrator privileges.
If you follow blogs.msdn.com, you'll find that while many people are admins of their own machine, they rarely actually run as admin. I think all they are saying is that they don't take away the power of the user to be able to install their own hardware or software. But the vast majority of people working at MS seem to understand the risk involved as running as an admin at all time.
Our 800+ users all have local admin rights on their machine. Why? We run some software that doesn't work otherwise. It's an AS400 client that needs admin rights to install updates to the client.
Now, in all fairness, there is a way around it (and we're exploring it). The problem is, that while revoking local admin rights for our users would save us lots of time and effort in combatting spyware, etc, we'll use that time manually updating the AS400 client software.
"The object of war is not to die for your country, but to make the other bastard die for his." - Patton
That's the only way to run a network of computer-savvy users. Imagine a metalworking shop that wouldn't let the machinists adjust their own wrenches. You'd have to put a call-ticket in to "Tool Technology Support" and after a few hours (if you are lucky) or days (if you aren't) some kid comes over who doesn't know anything and tries to adjust your hammer.
"Well Johnson, we found the latest build of Firefox on your machine and a copy of OpenOffice. Clear out your desk by noon"
They can load whatever software they want on their machines, but we do audit the network continuously.') I wonder how much time is spent combatting spyware?
I am a software consultant. The first thing I usually need when I go to a new client is to have local admin to run various coding tools (app servers, for example).
Do those clients have spyware running rampant? No, because the people that have local admin aren't idiots. I'm sure MS spends time educating non-techies on what to d/l and what not to. Its not surprising nor do I necessarily think its a bad thing for people to have local admin on their machines.
Of course, if this wasn't about MS, I'm sure no one would care... but some people simply need someway to stick it to MS....
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
I guess that means they finally upgraded the phone system. Back when I worked there in Developer Suppport (98-03) the phone system for our incoming customer calls ran on a Unix system. To run the phone monitoring application and see the various queues you had to run an X-desktop emulator (Hummingbird I think) to run the monitoring app. I always thought that was funny at the time.
We were allowed to pretty much install anything we wanted to. I had tons of command line tools, perl and other stuff installed along the way.
Oh, and lots of guys had Linux boxes running at their desks along the way as well.
This space for rent.
So, if "We don't run Unix. We don't run Linux.", then WTF did Microsoft feel the need to pay SCO all those millions of dollars for UNIX licenses? Unless, of course, the money actually came out of the "Marketing/FUD" budget instead the "Software Licenses" budget...
UNIX? They're not even circumcised! Savages!
If you read MSDN blogs you occasionally come across references to people using non-Microsoft software, including Firefox, Apache, and *nix. Hotmail uses UNIX tools running on Interix... which includes the "viral" GCC.
We start with the product group that developed the product, so they feel the pain first. Man, truer words have never been spoken (at least by an MS executive.)
Some of the spyware that is out there will utilize known security vulnerabilities to install itself on the machine WITHOUT the user being an Administrator.
Also, quite a bit of spyware will simply install itself to the user profile (hotbar, etc.), the only way to combat these types of spyware is to utilize Mandatory Profiles.
Spyware is an ongoing problem with ANY Windows machine, whether it is "secured" or not.
Pardon me for standing up for them, but
Peeves me off when the people writing the software are not trusted to administrate their own computer which they are writing software for (or some equivalent thereto). What's with this growing American sentiment that nobody should be trusted with tools, that only someone special should be (without noting the perversity that if nobody can be trusted, then nobody can be trusted)?
Can we get a "-1 Wrong" moderation option?
We don't run Unix. We don't run Linux. We don't run Oracle. We're 100 percent Windows, SQL Server.
That makes for a great testing environment for Windows Services for UNIX, huh?
I have a hunch that a really good way for MS to make sure it only has (reasonably) computer savvy employees would be to - ahem - "terminate" anybody who couldn't keep their computer clean. I mean, if a guy is coding MS security stuff, and can't keep a single desktop safe, he doesn't belong there...
William George
With every user at MS an Administrator of their own machine, it's no wonder that it's so hard to implement any other security model using Windows.
... but wait, that doesn't work well in an enterprise using Active Directory, does it?
... but Microsoft doesn't make any.
...
I hope some of those users are smart enough to give themselves a luser account and run under it
Maybe they have an enforced policy of using anti-spyware and anti-virus software
Maybe they have extensive training classes with stock options going to those who don't spread viruses (sort of like those "accident free days" campaigns you see at some companies). But wait, no one wants their stock any more
Oh well, they're Microsoft -- they must know what they're doing.
sigs, as if you care.
Is it not true that they use Suns to compile windows itself? Because they need the huge multiprocessor power of a real computer (130+ cpu's)? What about (noso)hotmail? There are still BSD systems running there. I guess the article is only talking about workstations?
=-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
The people often bitten the worst by Spyware/Malware are very smart, very computer savy people. The problem is they don't realize all of the tricks that they will use to get onto your system. Besides, it can't happen to them! Many times people will recognize they've been bitten right away by an accident misclick but by then its too late.
So while people might not be idiots, most should never be trusted with elevated privilages. But Windows does give you an option (or they are very painful) so load up the maintaince costs with all sorts of software and network monitoring because MS refuses to learn lessons painfully realized 20 years ago.
For the love of all that is good and holy, I wish MS would abandon certain technologies (Active X hosting in application frameworks), I wish MS would stop requiring user level tasks with elevated privilages, and I wish people would stop making excuses for MS. Reinstalling from a backup image is not the proper way to fix problems on a platform that is supposed to be "enterprise enabled".
One big thing I heard comes from Oracle. Oracle (the company) runs Oracle (the database). It was a mandate put down from on high and seems to make at least a modest amount of sense.
Think of it this way. The biggest way that you figure out that something should be tweaked is if you are the user of the system. Those admins that never use the systems that they deploy and work on have quite a big harder a time trying to understand just what the program is trying to do, and what to do about it when it fails. To add to that, they never come across bad quirks that noone mentions because they're just that, quirks. It doesn't cause the system to fail or halt or mangle any data, but it sure is annoying when it does it.
To live and die by your own software is not a bad thing. It gives you not only the developer's perspective of design and impliment a solution, but also allows you to see whether or not what you made is actually useful. Don't read too much into this post, like I support Microsoft totally (they can be quite an ass of a company), but the mentality is sound and used in more companies than just Microsoft.
Quoted from the article "I have no skills and no ability..." Yep, sounds like Microsoft to me.
Loren Osborn
We do [...] have an open-source client running--just for competitive analysis. As an IT organization, I have no skills and no ability and no purchasing of those products.
So he's an IT manager with no skills in the IT industry other than MS-related? Someone could call this "to be blind and overconfident".
Me, I call him a lucky guy that is probably paid >= 4000€ a month to say to the world "I don't know a thing about IT, but with MS my income has doubled". Heck, being on Bill's bill, McBride can say that too!
42.
"We're 100 percent Windows, SQL Server" Hold up a second, now. How the heck do they expect to know if their products are good or not, if they have nothing for comparison? You've got to be -very- familiar with both sides of an argument if you expect to win it.
Unpleasantries.
I'm a former MS developer/employee and we could install anything we wanted period. There were never any restrictions other than the stuff you'd expect such as no pirated software, etc. There were login scripts which ran every time you signed into corpnet and you were required to run anti-virus software (eTrust). Bridging to the public internet from corpnet was also prohibited for obvious reasons. Beyond that, it was a very trusting environment. Even WiFi was deployed many years ago on campus, something a friend at Oracle says they aren't allowed to have to this day.
Neither our admin. assistants or QA people had any restrictions either, but I don't know about the receptionists. They sure seemed to play a lot of those boring built-in Windows games, so maybe they weren't allowed to install other software. I never asked them.
Yes, well, the gentlemen in question manages infrastructure. General purpose services. What you mention are products, and obviously, the development groups would handle those as appropriate.
I'll bet you anything that they have unix servers and oracles databases for comparison purposes though.
Probably they do, but how mcuh real comparison can you do without running production systems? It could be just a small piece, but to ignore what it's like to maintain other products in production is short-sighted, I would say.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I work for an Electrical and Computer Engineering department. Now one would think that the Computer Engineers at least would be competent. Well, not so much actually. Most of them are... how to put this... MORONS when it comes to computers.
We have a Internet Technologies Lab. This is the lab where they study networking and so on. These are the engineers taht study this, they have degrees in this. However they have the most piss poor understanding of network fundimentals and security I've ever seen. They get boxes hacked all the time, they continually have problems with simple things like getting their subnet set correctly, and if their switch goes down plugging it in is too complecated a concept.
Just because somone works ina computer related field, doesn't mean they are good at the support end of computers. I'd like to think that programmers and engineers ought to know enough to avoid spyware and such, but I know from experience that's not the case. Just because they can write good code doesn't mean they are good system administrators.
Note the subtle line of reasoning there -- what he implied to say is "Our users are the admins of their machines *so* they can load whatever software they want on their machines". Which is perfectly obvious, because it appears that on Windows, to do anything even slightly more advanced (like, say, installing new non-trivial software), you have to be an admin. Personally, I don't know of any Windows development shop where the programmers aren't admins and don't each have their own personal single-user PC...
Considering that "billg@microsoft.com" is hard-wired into quite a few tools for use with anonymous FTP ...
Lacking <sarcasm> tags,
None of those systems belong to Microsoft...you can see that clearly by looking at the Netblock column. Skip ahead until you get to systems that actually belong to MS and they are all running Windows variants.
Do you use any Linux?
As a policy, I don't run anything that competes with Microsoft. My goal is to make sure Microsoft products are the best products in the world.
Ah, the old 'bury your head in the sand' technique. It works well. Maybe if they actually *tried* linux they could see what pisses disenfranchised Windows users off or where these TCO numbers come from.
LilMikey.com... I'll stop doing it when you sto
Disks are duplicated on a variety of industrial strength, quality focused systems. Most of these systems are UNIX-based. The UNIX-based duplication systems used in manufacturing are impervious to MS-DOS-based, Windows- based, and Macintosh-based viruses. The few MS-DOS-based and Windows-based standalone duplication systems do not allow MS-DOS-based operating systems to access the duplication system. Virus protection systems used by these MS-DOS-based and Windows-based duplication systems strictly govern the duplication process, even when they are not running.
That KB article has since disappeared... smirk... ;-)
GCC is included in Interix because it's the only compiler that can make UNIX-style executables in PE/COFF format, and because most applications either explicitely require GCC or require shared objects. But Microsoft doesn't use GCC for the tools that weren't originally GNU (most aren't, they come from some BSD), and GCC and GNU are optional components, not included in a standard installation
Make a difference - use Windows! (open source clone of Windows NT)
A gazillion out of work and a gazillion that I'd want to employ are two very different things. I have a hard enough time recruiting for a department of 15, let alone trying to do it at the sort of scale he's talking about. The truth is that Sturgeon's Law holds just as well for IT staff as for anything else. In fact, if my experiences are anything to go by, he was being optimistic...
"The invisible and the non-existent look very much alike." -- Delos B. McKown
phozz
I don't like Microsoft products, overall, but purely for technical reasons. There's no place for emotions or politics in solid-state circuitry. (I've heard that stressed silicon does better than regular, but I don't think that's the kind of stress they mean.)
However, Windows is still a good system to use, for a lot of things. X is way behind on supersampling, anti-aliasing and other similar techniques for smoothing out graphics. It has improved, but Windows is the better of the two. For related reasons, it would be hard to develop a top-of-the-line GUI Desktop Publishing system for X. There are stacks of them for Windows and the Mac.
Where Windows is strong is in presentation. Apple were there first, but since they keep reinventing the wheel, they don't get to build much on what they already have. I'd say Apple is still the best, there, in terms of absolute quality, but Microsoft is able to leverage their experience in a way Apple doesn't.
There is no fundamental reason why Linux can't be good there, too. The hardware doesn't give a damn what OS is being used. Why should it? Although there is some work on improving X and developing better represenational systems, it remains essentially a stack of bitmaps on a pixel-based virtual screen.
(I also hate the fact that X is horribly generic, with acceleration largely being done by high-end vendors for their own private distributions. Very few - if any - Linux distros have optimized X binaries for their platforms.)
Berlin (now Fresco) offered the potential for busting out of a lot of the old, less useful, paradigms, but it's dead. Dead as a doornob.
I use both Linux AND Windows. (And OpenBSD and Plan9.) There are technical things I resent about all of them, and there are personality quirks I dislike about proponents for each.
Some people say all OS' suck. Well, if the OS developers stopped worrying about how much their rivals sucked, they might be able to learn from what they've done right.
Evolution is asymtotic to perfection (ie: it tends to it, even though it'll never actually reach it). Learning from others will advance you along the line. Rejecting outright what others have learned, purely because they learned it first (the "Not Invented Here" syndrome) WILL push you further back.
There's only one way to get closer to the goal, and it's not through excessive pride in one's achievements, or prejudices against those of others. Pride and Prejudice makes a great book title, but a really lousy corporate strategy.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I once read that Apple were using a Cray to design a computer or something, and Seymore Cray was amused, because he used an Apple to design the next Cray.
We foreigners can only laugh when we hear that a guy at Coca Cola was fired because his wife had bought him a Pepsi.
Bert
Who wonders how hard it would be for Slashdot to detect themselves that if a message doesn't contain HTML it is POT and should be formatted accordingly.
Thats such a pessimistic way of looking at it. You never know until you ask; some secretaries boxes might be much more readily available then you would first think.
;)
You're allowed to run whatever the heck you want as long as there's a business reason to do so. In fact, at one time I had a RedHat box under my desk and ran MySQL on it, and I used MySQL quite extensively on Windows as well, until I figured out the architecture that allowed me to do bulk inserts into MS SQL backend. I know for a fact that lots of folks run unix command line tools, emacs, firefox, etc.
I recall that MS used to use Akamai to mirror their website. If they still are, that would explain the non-Windows OSes in the list (which I can't see right now, as Netcraft isn't responding for some reason).
Xfce: Lighter than some, heavier than others. Just right.
A: "It's hard to capture the overall time spent on security, but 10 percent is probably about right."
This is exactly what is wrong with Microsoft Security. It needs to be the total responsibility of a few individuals who work closely with the larger security community, clearly when security is everyone's problem and they spend 10% of their time on it, then it is really nobody's problem. (Except that then it is everybodys problem! )
Microsoft could save money and improve it by outsourcing security. Rather than trying again to fix a broken culture, why not just admit it's broken and realize that other companies use outside resources and it works fine for them. For example, would you but an extension cord without it first having been researched by Underwriters Labs? Would you go to a hospital that was not inspected by JCAHO?
"Can there be a Klein bottle that is an efficient and effective beer pitcher?"
Obviously you don't spend 5 minutes with a customer and ask a customer, "hey, what do you want to do" and then go off and do exactly that. You figure out what problem it is they're trying to solve, and get an understanding of the core issues at play. Then you talk to more customers and repeat the process. From there you can organize that information to get an idea of how much need there is for a certain set of functionality. If one customer wants one feature, but 800 want another one, you start working on the solution to the problem 800 of your customers want.
This is customer oriented/focused development.
If you just go out and solve random problems that nobody has a need for, you risk losing focus on what really matters -- the people who buy your software. Nobody upgrades because a package does something new they don't care about -- they upgrade because it solves a problem they're having.
This kind of development isn't "catchup" -- it isn't "bug fixing". It's identifying what people need, and then coming up with a solution for them that solves the problem they're having; this doesn't mean that it solves only that narrowly defined problem. The thing is, when you do this kind of work, you ARE solving problems people have before they encounter them (in addition to solving problems some of your customers already have).
There is plenty of innovation that can occur by doing this, and I personally think you get a lot more useful innovation following this process. You'll certainly do better than copying the features in competing products.
Ah, why have they then bought 200 (in words: two-hundred) boxes of Caldera's Linux distribution (forgot the name, it was before Caldera was the new SCO) a few years ago...?
A monkey is doing the real work for me.
Is it just me, or is the word "administering" being slowly replaced by "administrating"? Administrating seems to be the wrong tense to me.
I'm an accountant for an insurance firm and I admin my own machine AND the dead rat mail/dns/webserver as well.
That's because all our "technical" people only know how to admin Microsloth products. If a couple of reboots doesn't fix it they re-install from scratch.
root@urquell:/home/jwblack# nmap -vv -sS -O -P0 -T Insane microsoft.com
... good.1 2/14%Time=41BF 8F81%O=80%C=-1)R esp=Y%DF=N%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT) p =N)e sp=N)
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-12-14 18:11 MST
Initiating SYN Stealth Scan against cps.microsoft.com (207.46.130.108) [1660 ports] at 18:11
Discovered open port 80/tcp on 207.46.130.108
Discovered open port 443/tcp on 207.46.130.108
The SYN Stealth Scan took 29.36s to scan 1660 total ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 80 is open and port 36502 is closed and neither are firewalled
For OSScan assuming that port 80 is open and port 36846 is closed and neither are firewalled
For OSScan assuming that port 80 is open and port 35462 is closed and neither are firewalled
Host cps.microsoft.com (207.46.130.108) appears to be up
Interesting ports on cps.microsoft.com (207.46.130.108):
(The 1658 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Device type: general purpose|router|firewall
Running (JUST GUESSING) : NetBSD (89%), Cisco IOS 11.X (88%), DEC IOS 10.X (88%), Microsoft Windows 95/98/ME (88%), Cabletron embedded (88%), HP HP-UX 11.X (85%), IBM AIX 4.X (85%), Secure Computing embedded (84%)
Aggressive OS guesses: NetBSD 1.5_ALPHA i386 (89%), Cisco 4500 router running IOS 11.2(2) (88%), Cisco 1601 (IOS 11.0) or DECbrouter90T1 (Runs Cisco IOS 10.2(5)) (88%), Microsoft Windows 98SE + IE5.5sp1 (88%), Cabletron Smart Switch Router 8600 (88%), HP-UX B11.00 U 9000/839 (85%), IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/* (85%), Secure Computing SECUREZone Firewall Version 2.0 (84%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=3.70%P=i686-pc-linux-gnu%D=
TSeq(Class=TR%IPID=RD%TS=0)
T1(
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Res
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(R
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: C39D59C2 61104197 94FC38E7 8CA9A951 6EF250A1 CBBC3177
IPID Sequence Generation: Randomized
Nmap run completed -- 1 IP address (1 host up) scanned in 69.782 seconds
root@urquell:/home/jwblack#
I personally consider 89% a good bet.