The Setup Behind Microsoft.com

Toreo asesino writes "Jeff Alexander gives an insight into how Microsoft runs its main sites. Interesting details include having no firewall, having to manage 650 GB of IIS logs every day, and the use of their yet unreleased Windows Server 2008 in a production environment.

Mostly how they run it

is have some crazy sys admins throw chairs around.

Re:Mostly how they run it

[Midnight+Thunder]

Mostly how they run it is have some crazy sys admins throw chairs around.

I thought that was the QA process. Then again I can imagine Microsoft using chair names as the code names to their products:
    - Cogswell
    - Caquetoire
    - Glastonbury
    - Morris
And no I don't know chair names by heart. I am computer geek, not a chair geek, since that would be Balmer ;)

source: http://en.wikipedia.org/wiki/List_of_chairs

Re:Mostly how they run it

[ObsessiveMathsFreak]

With Microsoft Windows Server 2008, chairs practically throw themselves!

Re:Mostly how they run it

[dwywit]

This is last century's news, and I couldn't find the link, only the text, but, well, judge for yourselves:

Dr. Frank Soltis, the IBM engineer who has been called "the AS/400's Elvis," recently shared a success story during a keynote speech at a user conference in Florida. This particular company was in the software distribution business and at one point had 23 AS/400s located around the world. The company was a very good customer, went from CISC to RISC, and was always one of the first to upgrade to new technology, he said. Then came the Year 2000 problem, and despite five years of dedicated service during a period of great revenue growth, the company decided that it was time to move off the AS/400. So in June of 1999, the company unplugged its AS/400s and powered up 1200 NT servers it needed to replace them. But things didn't quite go as planned. "They found they couldn't make it work," Soltis told the crowd. "Today, one year after unplugging their AS/400s, they're back on the AS/400." That company is Microsoft. "They viewed that as a point of embarrassment," Soltis said. "We thought it was kind of fun....Can you think of a company with greater incentive to move to NT, and they couldn't do it?"

Beta in production environment.

[LordSkippy]

"Windows Server 2008 in a production environment."

So even MS has given up on Vista.

Re:Beta in production environment.

[EvanED]

Vista was never meant as a server. Same as XP isn't used as a server, it's Server 2003.

Re:Beta in production environment.

[LordSkippy]

Funny, that's what I thought was the entire reason for having Home and Professional versions.

Re:Beta in production environment.

[schnikies79]

Funny, but you're wrong. Pro is for networking enviorments where you need RDP, policies, ability to join a domain, file encryption, etc. Home lacks these.

Re:Beta in production environment.

[JCSoRocks]

Tis a sad day when the fanbois can't even get their insults right. shameful.

Re:Beta in production environment.

[EvanED]

No, the pro version is more intended toward business users. Not servers, but the sort of thing workers have on their desktop. That's why it has tunings for corporate networks and ACLs and quotas and such.

You can debate the drawbacks and benefits of having so many versions, but XP was never intended to be a substantial server.

Re:Beta in production environment.

No, professional versions offer business-required desktop features that are stripped out of the home version. If it mirrors XP, this would include things like the ability to manage security for accounts on a per-file level.

But it's not intended for servers, either on Vista or XP, as the GP said.

Re:Beta in production environment.

where's that "-1 clueless idiot" mod?

Re:Beta in production environment.

[ByOhTek]

Windows Server 2008 is (or rather, will be) effectively "Windows Vista Server Edition", just as Windows Server 2003 is effectively "Windows XP Server Edition".

Re:Beta in production environment.

[vtscott]

And of course it's already been modded up (at least only as funny). To clarify why the GP is wrong, from the wikipedia entry on Windows server 2008:

Windows Server 2008 introduces most of the new features from Windows Vista to Windows Server. This is a similar relationship to that between Windows Server 2003 and Windows XP.

Gotta give credit to MS for eating their own dog food...

Allow incoming connection on port 80? Confirm/deny

Re:Beta in production environment.

Maybe it's next to the "-1 Can't take a joke" mod?

Re:Beta in production environment.

Mod parent up. That was the funniest comment I've read in a while :)

Re:Beta in production environment.

what's funny is to see obvious know-nothings who try to compare what they're using as a file server at home to what lies behind those big fireproof security doors.

i guess pizza delivery bois can only take a meager guess at what the pros use. next time use google and educate yourself.

Re:Beta in production environment.

[xtracto]

Allow incoming connection on port 80? Confirm/deny

Mmm... it would be worthwhile for someone to audit the code from Microsoft to see if by any chance they have implemented the code of the yes program in their servers...

Heck, I am going to create a WinYes! to automatically respond to those annoying (but security increasing) questions!

Re:Beta in production environment.

[Amouth]

i resent that - i personaly feel that xp and server 2003 have next to nothing in common with each other - XP is annoying crap - server 2003 on the other hand is quite nice and one of the first server implementations i have seen MS push out that i actualy look forward to installing on something - because it realy does jsut work. 2008 seems intresting but i am going to hold off migration till 2003 is in the stages to stop reciving updates.

Re:Beta in production environment.

[ashridah]

Which we do on a regular basis. Every few weeks I see emails going around from higher-ups asking us to test their team's RC or beta stuff at home for them, and the project I'm working on has been dependent on VS2008 since beta2. Everyone here has their favourite project they like to keep tabs on. I've got longhorn server 2008 running on one of my machines here.

That said, the choice to use longhorn server in production isn't actually a bad one. It's really, REALLY stable. I keep hearing (from people both inside and outside the company) that it's more stable than 2003 is (and 2003 has the benefits of multiple service packs). It's also a lot more configurable about what it runs, and how much of it it enables when it's installed. I wouldn't bet the entire stable on it, but I'd be willing to put money on it getting a place.

All in all, it's pretty sweet, if you look at it from the sysadmin perspective. Also, the stuff you can setup when you couple it with vista is really nice (from a security standpoint, particularly). That said, some of that functionality is being backported to XP with SP3 or whatever.

Re:Beta in production environment.

[jherrick]

I've never, ever heard any reference to these made up names. Searching Microsoft only returns one match from a blog entry.

Re:Beta in production environment.

No, the pro version is more intended toward business users. Not servers, but the sort of thing workers have on their desktop. That's why it has tunings for corporate networks and ACLs and quotas and such.

It doesn't have tunings and ACLs, so much as Home was gimped out of those features for no good reason other than greed. Welcome to the future!

Re:Beta in production environment.

Probably right next to the "-1 Oh my fuckin god you numbnuts windows vista was NEVER INTENDED to be used as a server-side OS you dumb cunt" mod.

Thank you, thank you, I'll be here until Tuesday.

Re:Beta in production environment.

[Sandbags]

Actually, where many aspects of XP were inhereted from the development team behind the kernel of 2003 server, they have little in common and are not the same thing. In fact, Vista credits much of it's internals to 2003 server's kernel, almost as many is it inhereted from 2008, but it got very little from XP. Sure, 2008 and Vista were developed together, but they work very differently. Many things (control panel redesigns, Aero, security model, etc) were built into 2008 server, and it's look and feel will be a similar experience, but much else the core does is very different, much faster, and better threaded than Vista will ever be capable of. they're simply designed and optimised for 2 very different purposes. Sure, they can run the same code and drivers, but underneath that is a very different engine interfacing the code and you.

Re:Beta in production environment.

[somersault]

Program WinYes! is trying to perform an action on a dialog box. Allow/Deny?

Re:Beta in production environment.

[misleb]

Ok, but is the OS *still* organized like crap? I mean, is C:\Windows still a dumping ground for a bunch of arbitrarily named data files, log files, drivers, and libraries using, for the most part, the old 8.3 naming convention?

Re:Beta in production environment.

Dear Captain Retard:

Some of the names were in quotes, others were not, there was an "effectively" before the quoted names. This leads one to expect the quoted names were fake, probably designed to be descriptive of a facto or point, rather than litteral product names.

Re:Beta in production environment.

[mikesd81]

I wish I still had mod points. That has the be most unbiased review of a Microsoft product. Way to keep your mind open about different things, as it seems you do.

Re:Beta in production environment.

[Tim+C]

Home has the rdp *client* of course, so you can connect out, but not the rdp *server*. Pro also ships with IIS as an optional installable extra, which Home lacks.

Re:Beta in production environment.

[merreborn]

NT4, and win2K both had "Workstation" and "Server" versions. Windows XP had "Home" and "Pro". So it's understandable that you might assume that workstation equates to home, and server equates to pro. However, in actuality, "Pro" is closest to "Workstation", and "Home" is really more of a "Workstation lite", with a lot of the workstation features disabled. Win2K3 is the closest thing to a "XP Server" release that ever came to be -- although it's really not related to XP at all.

Re:Beta in production environment.

[afidel]

although it's really not related to XP at all.

Not true at all, the code for XP x64 SP2 and 2003 x64 SP2 is mostly common with the obvious addition of the server related stuff to the 2003 version, but they were built off the same codebase.

Re:Beta in production environment.

[cheater512]

Define stable. Would you trust it to run your life support system?
I would say yes to Linux and it probably does run those machines.

Re:Beta in production environment.

[EvanED]

"Home" is really more of a "Workstation lite", with a lot of the workstation features disabled

Alternately, you can think of "Home" as the successor to Windows ME, with an NT kernel. I'll try to do this schematically (WKS = Workstation, SVR = Server, and some other weird abbreviations used to make the alignment work):

Wind. 98 --> Wind. ME --> XP Home --> Vista Home
NT 4 WKS --> 2000 WKS --> XP Prof --> Vista Ultimate
NT 4 SVR --> 2000 SVR --> SVR 2K3 --> SVR 2008

In reality, things are a lot more complicated, because there are other editions, Win 2K Advanced Server, x64 editions, and God knows how many variants of Vista. (Maybe "Vista Business" is a better fit than "Ultimate" above too.) In addition, a lot of people who were or would have been in the 95/98 line moved to the "Pro" line for XP. But, for most people, things probably progressed as indicated.

Re:Beta in production environment.

[toadlife]

Home has ACLs. You just have to edit them from the command line with cacls or use a third party ptogram to edit them like aclview.

Re:Beta in production environment.

ummm, xp pro has better networking capabilities than home, yes, but that does not make it a server os. It lacks the user management capabilities and the general robustness of a server os, and is meant for a workstation, not a server.

Re:Beta in production environment.

[Stormcrow309]

Actually, I prefer a custom coded OS with a revision testing regimen that would make most developers and system engineers cry and a lack of bells and whistles. But what do I know, I only work in a division that supports life support systems.

Re:Beta in production environment.

[BigDogCH]

I would be more worried about the company that wrote the life support software than the OS. Either can probably be trusted to be stable if it is setup carefully and planned well.

Not to mention, I don't know that MS is selling their product with the purpose of running Life Support systems on it. I somehow doubt any life support equipment is running on the latest all-inclusive, for the masses linux distro.

I do concede however, a little piece of me dies everytime one of my workstations or servers lock up.

Re:Beta in production environment.

[Bafoon]

funny but you're wrong. it's NOT meant to be a server for sites such as microsoft.com if you ever attented any microsoft presentation or just well...been around for the past 10 years then you would know server 2008 is meant to do that job.

Re:Beta in production environment.

Unbiased? The guy works at Microsoft.

Re:Beta in production environment.

[ebh]

Precisely. Almost all the critical systems in the development lab I manage run FOSS all over the place, and the lab as a whole is rock stable. I'm betting my career on it, and winning that bet. BUT: I'm still not willing to be my (or my father's) life on code written and tested by some guy known only as "Spooge" who people think is from Uzbekistan but nobody's sure, no matter how good he is.

Re:Beta in production environment.

[secPM_MS]

If you want to run a consumer version of 2k3 server, run 64 bit XP. The problem is in the driver availability and the fact that the vast majority of the apps are coded for 32 bit so you are using the WOW interface a lot, which slows stuff down.

I am writing this on a notebook running Server 2K8 RC1.

The Vista and Server 2K8 kernels are common and both are descended from 2K3 server. The optimizations and feature sets are different though.

Sidebar is not available on server and I don't remember aero being availble either.

Re:Beta in production environment.

Actually XP Pro is better suited as a *client* in a networked environment

Re:Beta in production environment.

hi, it's me, spooge and I can guarantee you I really am from Uzbekistan. Now you know for sure. No need to worry anymore it may be some old hippy from MIT who actually wrote the code.

Go in piss, son.

Re:Beta in production environment.

[XenoPhage]

been around for the past 10 years then you would know server 2008 is meant to do that job. Wow.. So, in essence, since it's 10 years late, they renamed Windows Server 1998 to Windows Server 2008? Slick marketing there! Not sure how they hid that one.. Everyone knew Vista was late.. Noone has made a peep about WS2008!

Re:Beta in production environment.

[ashridah]

Haha, thanks. Of course, the flip side is that i actually work for MS.

Not on the windows server dev team, mind you, I'm in connected tools, which is related to devdiv (visual studio) and a few other server and tools groups (biztalk, etc)

Now, of course, if you spoke to me a few years ago, you'd realise that moving here would be a bigger seachange than .

ash

Re:Beta in production environment.

[ashridah]

I trust people, not machines.

Put competent people in charge, then sure, I'll trust it, regardless of what it's running. Of course, since life support systems are usually buried in a shroud of red tape, overthought-by-committee requirements and whatnot, I doubt that's ever the case. (Except a few notable exceptions, but last I checked, my home country (Australia) was not one of them)

Relating the platform something's built on with the competence of the system, or the people running it just stinks of consultantware and big kickbacks.

You can build anything on almost anything from the more advanced systems. There might be more or less effort involved depending on which platform you actually choose, but the choice should be based on *people*, more specifically, the people who build and the people who maintain. (Not the people having lunch expensed by the proponents of a system)

ash

Re:Beta in production environment.

[Tacvek]

"Home" is really more of a "Workstation lite", with a lot of the workstation features disabled

Alternately, you can think of "Home" as the successor to Windows ME, with an NT kernel. I'll try to do this schematically (WKS = Workstation, SVR = Server, and some other weird abbreviations used to make the alignment work):

Wind. 98 --> Wind. ME --> XP Home --> Vista Home
NT 4 WKS --> 2000 WKS --> XP Prof --> Vista Ultimate
NT 4 SVR --> 2000 SVR --> SVR 2K3 --> SVR 2008

In reality, things are a lot more complicated, because there are other editions, Win 2K Advanced Server, x64 editions, and God knows how many variants of Vista. (Maybe "Vista Business" is a better fit than "Ultimate" above too.) In addition, a lot of people who were or would have been in the 95/98 line moved to the "Pro" line for XP. But, for most people, things probably progressed as indicated.

While that is more or less true, consider that tere are really only three main OS Codebases in Microsoft now. Windows NT (non server, the current offering is various form of Vista, as well as XP until they discontinue it). Windows server (a very close relative to the NT series, but optimized for server environments, and multi-processor usage.) Those two code bases are close enough that they share binaries (when on the same architecure) and they could even be used for the opposite purposes with only minor difficulty.

However Windows CE codebase is a bit different. It is still distinctly Windows, but Executable compatibility with the NT series is rare. (That is due in large part to the fact that most CE devices seem to be platforms other than x86.) Interestingly it is possible to create .NET apps that run under CE and modern NT. Since the desktop Framework is largely a superset of the compact framework, the desktop assemblies get used, so code using only .net compact framework and no CE specific assemblies will run just fine on a desktop system.

Now you may notice that there are also some special sub-codebases. For example there is the NT Embedded codebase (seen as Windows XP Embeded), and the NT PE versions

Re:Beta in production environment.

[ashridah]

Ok, but is the OS *still* organized like crap? I mean, is C:\Windows still a dumping ground for a bunch of arbitrarily named data files, log files, drivers, and libraries using, for the most part, the old 8.3 naming convention?

Dude, if you can't hack that right now, how are you dealing with unix instead?

If any platform's based on a standard of bizarre naming due to space saving stupidity, that's it. Far more so than windows. Infact, name any mature platform that's based on reasonable standards for it's underlying API's and structure.

Didn't think you could. While it's true that things like the FHS are helping on the unix side, try telling an oldschool developer like oracle that they need to follow it. They'll laugh. and laugh.

and laugh.

Windows is in much the same position. At least .NET has made this significantly less painful, because it was considered ahead of time (it's not much easier to actually manage, but that's the tools more than anything, and just takes a bit of experience.... which unsurprisingly, is what dealing with the idiosyncracies of the old systems take anyway!)

ash

Re:Beta in production environment.

[schnikies79]

I never said it was meant be to a server, I was saying it's not. It's better for networking but it's not a server.

Maybe I worded it funny.

Re:Beta in production environment.

[JebusIsLord]

And furthermore, XP x64 edition is actually based off Server 2003's codebase.

Re:Beta in production environment.

[mattmatt]

Good one, Sherlock. Glad you cleared that up.

Re:Beta in production environment.

[twentynine]

more like hasta la vista amirite

Re:Beta in production environment.

If any platform's based on a standard of bizarre naming due to space saving stupidity, that's it. Far more so than windows. Infact, name any mature platform that's based on reasonable standards for it's underlying API's and structure. Uh, OS X? The Squeak VM? The Dr. Scheme VM?

Re:Beta in production environment.

[misleb]

Dude, if you can't hack that right now, how are you dealing with unix instead?

Because at least Unix has conventions.

If any platform's based on a standard of bizarre naming due to space saving stupidity, that's it.

Really? Ok, lets open up C:\Windows on one of our Windows servers. Hmmm a folder named "$hf_mig$". I suppose you know what that means or what convention that follows? Or C:\Windows\adam. Kinda looks like it might be some directory tools. Maybe ADAM = Active Directory AdMinistration? What's that doing there anyway? I could keep going down the list. I suppose there is a very good reason why there are .BMP files in C:\Windows? Desktop wallpapers? Come on. I wonder if they're related the other brilliantly named files such as SET2.tmp and SET3.tmp in that same directory. And don't get me started on the insanity that is C:\Windows\System32. Hardly a single file/folder that doesn't use 8.3 naming. I haven't clue what have that stuff is doing there.

Infact, name any mature platform that's based on reasonable standards for it's underlying API's and structure.

First of all, I was only talking about superficial organization. And if you want to see something nice, have a look at OS X some time. Not only is the System (/System) well organized, but most applications are neatly self contained in /Applications/Some.app. They usually don't spew files all over the place when installed. You know where the term DLL Hell comes from, don't you?

Didn't think you could. While it's true that things like the FHS are helping on the unix side, try telling an oldschool developer like oracle that they need to follow it. They'll laugh. and laugh.

I could give fuck-all what Oracle thinks. My Debian systems are very well organized, thank you very much. I don't find desktop wallpapers in /usr/lib. I don't find temporary files for applications in /usr/bin. FreeBSD is even cleaner. The system files never change unless I explicitly do an upgrade. All supplementary software (ports, mostly) goes in /usr/local. With Windows, on the other hand, who knows what strange and wonderful new files I might find dumped in C:\Windows tomorrow. Maybe $hf_mig2$. WHich would be version 2.0 of whtever that is, i guess.

-matthew

Re:Beta in production environment.

[Extide]

So why is this a problem? It doesnt even matter.


Oh and since you seem to be un-informed all of the hidden "$*$" folders in the windows folder are the folders containing the uninstall files for all of the windows updates. Oh thats right you can't 'uninstall' patches on *nix. Stop bitching about the insignificant stuff, see how stupid it sounds?

Re:Beta in production environment.

[tobiasly]

Actually, I prefer a custom coded OS with a revision testing regimen that would make most developers and system engineers cry and a lack of bells and whistles. But what do I know, I only work in a division that supports life support systems.

Unknown process "heart_rate_monitor.dll" is attempting to page a doctor, Cancel or Allow?

Re:Beta in production environment.

[ashridah]

Because at least Unix has conventions.

Conventions are a nice way of saying "that's the way it's always been, so that's the way it stays." Windows has similar problems left over from legacy, going all the way back to CP/M. Yes, this sucks, but so does some conventions in unixland. Just ask a Solaris 10 admin how much it sucks when your upstream vendor breaks decades-long convention.

Really? Ok, lets open up C:\Windows on one of our Windows servers. Hmmm a folder named "$hf_mig$". I suppose you know what that means or what convention that follows? Or C:\Windows\adam. Kinda looks like it might be some directory tools. Maybe ADAM = Active Directory AdMinistration? What's that doing there anyway? I could keep going down the list. I suppose there is a very good reason why there are .BMP files in C:\Windows? Desktop wallpapers? Come on. I wonder if they're related the other brilliantly named files such as SET2.tmp and SET3.tmp in that same directory. And don't get me started on the insanity that is C:\Windows\System32. Hardly a single file/folder that doesn't use 8.3 naming. I haven't clue what have that stuff is doing there.

You're not looking in the right place. Microsoft, love it or hate it, worked out a long time ago that 'filename' and 'metadata' aren't necessarily the same thing. The filename and path are just handy locational indexes, and don't necessarily need to mean *anything*. Sure, a DLL can, and often, for newer stuff, IS far longer than 8.3, but it wasn't until later versions of NT (3.5/4.0, I don't remember my history too well) that support for it kicked in well enough, and there's some legacy stuff around. You don't break legacy just because it's fun. Microsoft gets this right, even if they had to tread over it a fair bit in vista, and add some nasty hacks to deal with most of the fallout.

Anyway, as I was saying, you're not looking in the right place. Case study: C:\windows\system32\apss.dll: Microsoft(r) InfoTech Storage System Library.
Problem solved. (it's not at all difficult to use something like powershell (or possibly other tools) to just print this out in a souped up version of ls with a little scripting, I might add, just like I can do a few similar scripting tricks on my debian system to tell you who owns the copyright to 90% of .so's in /usr/lib.)

Want another one?

c:\windows\System32\bitsigd.dll: Background Intelligent Transfer Service IGD Support

Oh look, another one, fully named.

Of course, this starts to fall down when the file doesn't contain metadata, but that's a problem for, say, XML schema files in /usr/share/ on linux too. The organisation might be a bit better, but not by much. The saving grace there is that I have dpkg to work shit out for me. .NET goes even further. You can register as many different versions of a namespace as you like, and .NET will do the mapping for you if you request a specific version.

First of all, I was only talking about superficial organization. And if you want to see something nice, have a look at OS X some time. Not only is the System (/System) well organized, but most applications are neatly self contained in /Applications/Some.app. They usually don't spew files all over the place when installed. You know where the term DLL Hell comes from, don't you?

Yes. I do. .NET does a good job of solving this quite nicely. Adds public/private keys into the mix too, plus a bunch of other mechanisms. .NET isn't just for C# either. It deals with VB, C++, and (ahahahha) J# too.
I will admit that the mac platform is neatly arranged, but their QA seems to have gone to the toilet right now. A place that windows' QA has emerged from rather nicely, I should mention.

As for random stuff appearing in random places, try dealing with commercial software. Even on linux, the developers will put shit in strange places. Open

Re:Beta in production environment.

[misleb]

So why is this a problem? It doesnt even matter.

Of course it matters. All kinds of bad things happen when you spew files into system folders. Ever here of DLL Hell? It also matters in terms of amenability and troubleshooting. I should be able to tell roughly what a file does just by look at its name and the folder it is in.

Re:Beta in production environment.

[calebt3]

It lacks the user management capabilities and the general robustness of a server os. What about Windows Server (any version)?

Re:Beta in production environment.

[rbanffy]

"the general robustness of a server os"

You mean they must be using different quality standards for different kernels? That they use different code bases and improvements and fixes do not migrate between products?

Oh my...

Re:Beta in production environment.

What annoys me here is that you have to _say_ it's stable.
MS made us forget that a software should be stable _in the first place_. God, it took them 20 years to make thir OS stable and if we talk about their applications... anyone who's working with Access know what I mean.

Re:Beta in production environment.

[misleb]

You're not looking in the right place. Microsoft, love it or hate it, worked out a long time ago that 'filename' and 'metadata' aren't necessarily the same thing. The filename and path are just handy locational indexes, and don't necessarily need to mean *anything*.

But you can have both... Metadata and reasonably named "locational indexes". Is it so strange to think that people, particularly administrators, might want to have some idea what a file does and why it is there just be noting its "locational index?" I see this is a significant flaw in the design of Windows. And then there is the Registry, of course. Who would have guessed that users might actually want/need to edit it manually. Certainly not Microsoft. That is just poor planning on their part and I won't excuse it.

You don't break legacy just because it's fun. Microsoft gets this right, even if they had to tread over it a fair bit in vista, and add some nasty hacks to deal with most of the fallout.

You can break legacy. It isn't fun, but it doesn't have to be disastrous either. Apple did it with OS X. And then they did it again when moving from PPC to x86. The only reason Microsoft can't do it is because they've got so much inertia. And it will be their downfall. Though it would probably help if Microsoft didn't wait 4-5 years between major releases (more granular change). Even if Microsoft did want to break legacy, everyone has gotten so used to the old flaws that they can't change. Vista might well be awesome. But the reality is that many people will still be running XP even 5 years from now. Apple, on the other hand, has gotten people accustomed to significant changes.

As for random stuff appearing in random places, try dealing with commercial software.

Fortunately I don't have to much on Linux. I will admit that much of the mess in Windows is as much the fault of developers as it is with Microsoft. But that distribution of responsibility doesn't make using and administering Windows any more pleasant.

We can't be responsible for what third parties do, however. Neither can apple (I just *love* dealing with adobe's software on apples, btw. Or Zend Developer Framework. mmmhm. ) Nor you. Install maya on linux sometime. Or matlab, or something else that you can't fuck with the organisational structure of, because the licensing server would crack the shits.

Indeed, Adobe does make a mess out of a Mac, that is for sure. Fortunately, the majority of applications I use on the Mac just drop right into /Applications without having to run instalers or uninstallers or worry about random libraries and temp files showing up in /System/Library. Apple has done a MUCH better job of encouraging reasonable software design... at least as far as logical distribution of application data. Microsoft could learn a lot from Apple, methinks.

-matthew

Re:Beta in production environment.

[dcam]

Hey, as someone with real experience with 2008 can you answer a couple of questions?

1. Does 2k8 still lock files in use?

2. Is Explorer still &*#*&W#% broken? And by broken I mean things like:
  a) clicking on a network drive that isn't connected locks up explorer
  b) inserting a badly burnt CD locks up explorer
  c) Remote desktop into a machine (with common clipboard). ctrl-C a large number of files. ctrl-v it back on your local desktop. Note explorer is locked up and you cannot cancel the paste
In summary, in 2k8 is that display code still mingled with the code to mount drives/copy files/whatever.

Re:Beta in production environment.

[goodtim]

Dear LordSkippy,

You're fired.

Kindest Regards,
Your Boss

P.S. Please learn the difference between a server and a workstation before applying for a job in the IT department.

Re:Beta in production environment.

[noamsml]

h thats right you can't 'uninstall' patches on *nix. Well, *nix has a different patching model. Since *nices are not usually divided into operating system and applications, but are modularized, uninstalling a "patch" (read: package upgrade) simply means removing a package or installing an earlier version of it.

Re:Beta in production environment.

[ashridah]

To this, I can only say Shell != Kernel, and let it go at that. I can't comment on these problems, mainly because i rarely run into them personally.

ash

Re:Beta in production environment.

[ashridah]

Actually. That's not true. I do feel your pain, but that was because FTP became really sucky in explorer and IE a long time ago, because of single-threadisms.

Re:Beta in production environment.

[ozmanjusri]

So does the person you're responding to.

Re:Beta in production environment.

The mess in C:\Windows is a metaphor for the messy design of the whole Windows system. It's a symptom of the whole closed-souce, proprietary, cathedral model.

Re:Beta in production environment.

Of course it matters.

I don't think it's too big an ask that all the bitmap files should go in a bitmaps directory.

Re:Beta in production environment.

[bhtooefr]

Home replaces the 95/98/Me line, Professional (now Business) replaced the NT Workstation line.

Server has always been the server. ;)

Re:Beta in production environment.

[ohtani]

That is like saying Windows 3.11 should have been used in a server environment because it had networking capabilities and you don't need NT. XP has services. That doesn't mean they'll be as reliable as an OS built around the idea of being a server.

Re:Beta in production environment.

[DesScorp]

"While that is more or less true, consider that tere are really only three main OS Codebases in Microsoft now. Windows NT (non server, the current offering is various form of Vista, as well as XP until they discontinue it). Windows server (a very close relative to the NT series, but optimized for server environments, and multi-processor usage.) Those two code bases are close enough that they share binaries (when on the same architecure) and they could even be used for the opposite purposes with only minor difficulty."

I thought Vista's codebase was adopted directly from 2003 server as a result of the previous version of "longhorn" basically sucking so bad, Microsoft had no choice?

Re:Beta in production environment.

[mgcarley]

That said, the choice to use longhorn server in production isn't actually a bad one. It's really, REALLY stable. I keep hearing (from people both inside and outside the company) that it's more stable than 2003 is

Sshhhh... Don't tell Microsoft that, they might ship it as is.

I remember at a Macromedia conference about 7 years ago when Flash 5 was released, during the demo Flash 5 had crashed on us. He explained that it was just Flash 5 beta, and someone said something like "That sounds like an excuse Bill Gates would use", to which he responded something like "Maybe, but the problem is that Bill actually ships his betas".

I guess you had to be there. It was funny at the time.

Re:Beta in production environment.

"the general robustness of a server os"

You mean they must be using different quality standards for different kernels? That they use different code bases and improvements and fixes do not migrate between products?

Oh my... No, Mr. AC was just making a general statement. Yet it never fails to amaze how some people take some anonymous person's statement and use it as gospel in order to bash Microsoft. "Hey, my neighbor's kid sister told me that the Linux kernel is different for a server than the desktop. OMG! They must be using totally separate codebases maintained in true spaghetti fashion and Linus never bothers to check in fixes for the desktop environment but rather spends his days licking his ballsack!!!" Or, you know, you could perhaps not listen to some anonymous dude spouting an ill-informed opinion just so you can latch on to it and use it as your gay whipping boy in an orgasmic anti-Microsoft frenzy.

Re:Beta in production environment.

[darthflo]

Code-Wise, Server 2008 is built on Vista is built on 2003 is built on XP is built on 2000 is built on NT. Of course Vista and XP will lack some of the preceding servers' features, just like the servers won't typically run Aero or hardware-accelerated Direct3D.
Marketing-Wise, GP has the path summed up pretty much perfectly.

Re:Beta in production environment.

[CoolCat]

How did this crap get 5 Informative?!

XP Pro is for networking and business CLIENTS!!!

Re:Beta in production environment.

[Stormcrow309]

I agree that some FOSS implementations are rock solid. All I have to do is point at the differences between a Java on Redhat application that repeatedly slams a supply robot into our elevator doors and the non-free flow pump that I will never see the source for, but been though so much testing before it is allowed to touch a patient with the vendor that glad to send their whole test plan and results. I have fun telling engineers in the nuclear field that six-sigma is not good enough for healthcare.

Re:Beta in production environment.

[somersault]

Indeed. A simple WinYes++ could have sorted all your woes, but now there is nothing for it but a reboot, as you have run out of memory..

Re:Beta in production environment.

[Tacvek]

There are still three codebases. However because two of them are both so closely related it is inevitable that they would resuse each other. For example, I'm quite sure that the server codebase merges in many of the changes in the NT codebase. Perodically then it is adventageous for the NT codebase to merge any desktop relevent changes from the server line. However, Vista still has does not have all of the code from Server. A fair amount of the server optimization code for example, would be less than useless on a Desktop. It could actually hurt desktop performance. (Which as we are quite aware is already fairly weak in Vista.)

Re:Beta in production environment.

[schnikies79]

Thats what I meant. I wasn't saying that it was supposed to be a server.

I know you can run IIS with it, but it's still not a server OS.

Re:Beta in production environment.

[Allador]

All NT based systems do #1. Dont know if thats something that is even on the radar to be fixed.

2a is fixed in vista, in my experience.

2b is fixed in vista, in my experience.

Not sure about 2c, havent run into that yet on my new laptop.

In general, all the 'network issues locking up the shell' problems from XP and prior seem to be resolved. Not sure if you need to be running the new desktop manager to get that benny.

The times when some action is waiting on slow network responses seem to work correctly on a separate thread now. At least as far as I've seen, which has only been a couple weeks.

Firewall Schmirewall

[mrtroy]

No firewall? Of course not!

Microsoft servers are notorious for their invulnerability.

Re:Firewall Schmirewall

[great_snoopy]

Of course they have a firewall, just watch the difference between a tcptraceroute to a public port (like 80) and tcptraceroute to the same ip but some other port (like 110 pop3 for example). You'll see that packets get dropped at some point indicating a firewall. It's not a RST (port closed) it's just dropping packets for nonpublic services. That is a packet filtering firewall.

Re:Firewall Schmirewall

[oliderid]

from the article:
"...At this point we still don't use firewalls for MS.COM..."

and then

"Router ACLs are in place to block unnecessary ports"

blocking unnecessary ports is a firewall feature (IMHO ?)

Anyway it looks quite impressive. I still don't understand how to handle 650 GB of logs :-).

Re:Firewall Schmirewall

[MstrFool]

Well, remember the story a while back about MS using Linux for some things? I think we just found where they use it. Storing their logs in /dev/nul is the most likely way they deal with 650 GB of logs.

Re:Firewall Schmirewall

[allenw]

Large scale log processing isn't hard if you have the right tools. :)

Re:Firewall Schmirewall

[dave420]

Having wheels is a feature of a car - that doesn't make my bike a car :)

Re:Firewall Schmirewall

[MightyYar]

I still don't understand how to handle 650 GB of logs That the government wants them to store :)

Re:Firewall Schmirewall

[truthsearch]

MS was (and maybe still is) outsourcing web page caching to Akamai, which is using Linux servers.

Re:Firewall Schmirewall

Anyway it looks quite impressive. I still don't understand how to handle 650 GB of logs :-).

My question is why are the logs in ASCII text format? When all you want is say the IP [4 bytes], time of day [4 bytes], URI, referrer and return code [do you really care about their browser strings? You are MS after all, just assume it's IE].

Storing an IP as text requires on average 15 bytes, so right there you can shave off 11 bytes with a binary IP. Time of day is worse, a date+time string is like 25 chars. Doesn't seem like much, but multiply the 32 bytes per entry you save by say 50 million hits and that's 1.5Gbyte you saved. That's not counting the white space you can remove, and a simple huffman code you could apply to the URL/referrer.

Heck, just piping the binary IP/date and ASCII URL/referrer through gzip [or use libz's gzPrintf() etc...] could make a large difference as well.

Point is, bragging about 650GB/day logs is not really impressive when you're "doing it wrong" (tm). That's like bragging about how much you cut your face while shaving.

Re:Firewall Schmirewall

[Xformer]

They're both forms of transportation, though. In that case, are you trying to argue for or against the parent?

http://www.tech-faq.com/firewall.shtml

Re:Firewall Schmirewall

[rasputin465]

Storing their logs in /dev/nul is the most likely way they deal with 650 GB of logs.

Well geez.. in that case I sure hope they do regular backups of /dev/null! ;-)

Re:Firewall Schmirewall

[theGreater]

I wonder if Morgan Stanley knows they are outsourcing their webfarm to Microsoft's I.T. department....

-theGreater.

Re:Firewall Schmirewall

[morgan_greywolf]

Using router ACLs to block ports is pretty much the same thing as using iptables on Linux to filter ports. So, IOW, yes, blocking unnecessary ports on a router means that the router is a firewall. Something is filtering packets and even if it's called a router and not a firewall, that's the function it is serving.

If it walks like a duck and quacks like a duck...

Re:Firewall Schmirewall

"They're blocking ports. Port blocking != firewall."

So when I write my firewall rules and have the choice to block, drop or pass, the firewall is kicks into a a non-firewall mode for block?

Re:Firewall Schmirewall

It's so wrong you can't possibly be serious, but it's so unimportant you can't possibly be a troll. But you would know that I'd know that it's too unimportant to be a troll, so you would make it seem stupid. I feel like I need Wallace Shawn in here to explain the situation.

Re:Firewall Schmirewall

[vidarh]

You store it in ASCII because it's easy to deal with, and because plain text fields such as the URI and referrer are by far the largest component. Inventing some binary format is pointless. It's not like dealing with 650GB a day is particularly hard these days, so wasting time trying to shave bits and pieces of it is pointless and a waste of time and money. You'd archive them in a compressed format after analysis anyway, and webserver logs compress extremely well.

But even the raw, uncompressed, data for a full year could easily be stored in a single rack.

Re:Firewall Schmirewall

[darthnoodles]

They do. They write their data to /dev/null, then read it back and put it into an RLE compression scheme. Unfortunately the counter for the RLE keeps rolling over.

Re:Firewall Schmirewall

[lib3rtarian]

I believe they mean there are not running an embedded firewall product, like CheckPoint.

Re:Firewall Schmirewall

I don't think that word means what you think it means.

Re:Firewall Schmirewall

[AK+Marc]

Actually you're wrong. They're blocking ports. Port blocking != firewall.

Ah, the little children. Do you know what the first firewalls were? Routers with access lists. Anything that blocks anything from going to one place from another is a firewall. Port blocking is a firewall, and there exists no firewall I know of that can't be configured to do nothing other than port blocking. You don't have to inspect packets, track flows, or any of those other things to be a firewall, all you have to do is offer some means of restricting traffic. And blocking ports does that.

Re:Firewall Schmirewall

[Sandbags]

If you read the article in its entirety, you would have learned that they do in fact do port filtering. These are jobs handles by ACL tables and routing rules, not by firewalls. Packet filtering is either being handled by a cisco guard or by ISS and ISA. Their security model is software, not hardware, and security is handled at the machine, not at the perimeter, except for the handling of DoS and similar attacks. I know, it sounds similar, but what a firewall is, what a router is, what happens to your packet as it passes through the various layers and tiers inside their network is different from what you would see in an SMB or small enterprise network. What shocks me is they're not running AV on many of their systems, not that they're running without firewalls.

Also remember, systems you yourself place in your DMZ, your mail server, web server, etc, ALL of those are operating outside your own firewall. They're either software hardned, or hacked. They have little other protection, why should big M$ be any different?

Re:Firewall Schmirewall

[Hatta]

If you read the article in its entirety, you would have learned that they do in fact do port filtering. These are jobs handles by ACL tables and routing rules, not by firewalls.

It's still a firewall, just a firewall implemented with an ACL table.

Their security model is software, not hardware, and security is handled at the machine, not at the perimeter,

So if I have iptables set up on my linux desktop, that's not a firewall?

I know, it sounds similar, but what a firewall is, what a router is, what happens to your packet as it passes through the various layers and tiers inside their network is different from what you would see in an SMB or small enterprise network

Then explain to me these differences. A firewall is a device that accepts or denies traffic based on a set of rules. Is that not exactly what a port blocking router does?

Re:Firewall Schmirewall

[somersault]

Inventing some binary format is pointless I'm guessing you have no prior experience with Microsoft Office then..

Re:Firewall Schmirewall

[mrhandstand]

Its the new tape device Native Uniform Linear Loader /dev/null

Re:Firewall Schmirewall

[marcansoft]

$ cat /dev/null | gzip - > devnull.gz
$

Works fine for me. Are you sure you're not confusing /dev/null with /dev/zero? The latter's a real bitch, it's always too large for my destination drive! Gzip helps though; you can get compression ratios of approximately 2000:1.

Re:Firewall Schmirewall

I don't know where you work, but storing [say] a months worth of 650GB data isn't exactly easy for most people to do. And not only that but you have to consider the I/O load. It's probably less intensive to stream out gzip data to your log than ASCII simply because most processors can compress faster than they can write to SCSI [realistically]. It's like when I snapshot my system disk [well when I was running Gentoo that is]. My system was only using 4GB, so I didn't really need to compress it, but I did anyways since it made the backup/restore so much faster.

And it isn't like using libz is hard either. They have formatted I/O wrappers for printf and the like. So you could easily port a native app using fprintf() or whatever to it.

My point though was that bragging about it (650GB A DAY!!!) isn't impressive because they're doing it wrong anyways.

Re:Firewall Schmirewall

[darthnoodles]

Yes I am confusing them. I'm not really a Linux/Unix guy. I'm just pretending.

Re:Firewall Schmirewall

[harrisg]

hmmm, I need to look into this /dev/null

I've been running out of disk space on my MythTV box! :)

Re:Firewall Schmirewall

[TooMuchToDo]

ACLs are dumb rules, and can be used on routers, layer 3 switches, etc.. Firewalls do stateful packet inspection.

Re:Firewall Schmirewall

it's actually 650GB compressed. around 10 TB uncompressed.

Re:Firewall Schmirewall

[sparks]

I can't read the actual article, but I can assure you that there is a firewall in place for ms.com.

Hint: Microsoft don't own ms.com!

Re:Firewall Schmirewall

[lena_10326]

My question is why are the logs in ASCII text format? When all you want is say the IP [4 bytes], time of day [4 bytes], URI, referrer and return code [do you really care about their browser strings? You are MS after all, just assume it's IE]. Storing an IP as text requires on average 15 bytes, so right there you can shave off 11 bytes with a binary IP. Time of day is worse, a date+time string is like 25 chars. Doesn't seem like much, but multiply the 32 bytes per entry you save by say 50 million hits and that's 1.5Gbyte you saved. That's not counting the white space you can remove, and a simple huffman code you could apply to the URL/referrer.

Logging in fixed format is not more efficient than variable format text files (unless we're talking about transactions but we're not). Let's assume you're logging the basics: IP address, Timestamp, Return code, URI and we'll look at logging in fixed format then variable format.

[abcd] [timestmap] [code] [URI]
4 bytes 8 bytes 1 byte 50 bytes (you actually need 2 bytes for HTTP return code, but let's ignore that)

Every record will require 63 bytes and we'll round up to 64 for proper word alignment). So, if we log 1000 messages, we will consume 64,000 bytes total.

Ok. Now for text logging with space delimiters. We have 3 options below, each requiring slightly less space than the previous. We'll run totals for each.

123.567.890.123 YYYYMMDDHHMMSS x URI...............\n
16 bytes 15 bytes 2 bytes 50 bytes 1 byte

123.567.890.123 1197572382 x URI...............\n (UNIX time)
16 bytes 11 bytes 2 bytes 50 bytes 1 byte

1235678901231197572382xURI...............\n (UNIX time)
12 bytes 10 bytes 1 bytes 50 bytes 1 byte

16 + 15 + 2 + 50 + 1 = 84 bytes * 1000 = 84,000 bytes
16 + 11 + 2 + 50 + 1 = 80 bytes * 1000 = 80,000 bytes
12 + 10 + 1 + 50 + 1 = 74 bytes * 1000 = 74,000 bytes

Wow. Fixed binary format kicks variable text format's ass. Wrong. This assumes the URI (or message) block will always occupy 50 bytes. It will not. Let's go right down the middle and assume it averages 25 bytes and we'll recalculate.

16 + 15 + 2 + 25 + 1 = 59 bytes * 1000 = 59,000 bytes
16 + 11 + 2 + 25 + 1 = 55 bytes * 1000 = 55,000 bytes
12 + 10 + 1 + 25 + 1 = 49 bytes * 1000 = 49,000 bytes

Variable text format almost always beats fixed binary format for logging. That's why Microsoft (and the rest of the world) stores log files as text. Plus, it's far easier to manage and debug when you can slice and dice the files with standard command line tools.

One more thing. I know what you might be thinking. We're logging URLS, which will probably consume the majority of the 50 byte allotment. Most developers will calculate an average width size and double it, so no matter what we'll still be filling about 50% of the message section.

Last point. If I were to use your example, the savings with text logging would even be greater. 2 URLS would be stored, both consuming about 50% of their data block. IP address, timestamp, URI, Referrer URI, Return Code. There's also a bunch of other little optimizations you can do such as storing the domain, year, month, and day in the filename rather than in the data or dropping the least significant byte in the HTTP return code.

Re:Firewall Schmirewall

[great_snoopy]

A stateless firewall is still a firewall even it's the oldest form of firewall.

Re:Firewall Schmirewall

[DeadBeef]

Sounds like you just made up some definitions in your head ( or worse follow someone other deluded sods mantra ) for some fairly well worn terminology and then decided to go on a crusade to harass the unbelievers.

Firewall is not an synonym for stateful filter like you imply later on in this thread. For some data to support my statement, the firewall entry at wikipedia says:

"A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules."

It then goes on to mention classify firewalls into first, second and third generation ( the first being what you called "Port blocking" ).

In retrospect IPHBT. Oh well.

Re:Firewall Schmirewall

[zLaSh]

Call Microsoft's Support, ping their IP, and ask them if their PC's are warm. That way you can know if their firewall acted up.

Re:Firewall Schmirewall

[lena_10326]

I should have included this in my previous post. A real world example (1Kb for storing a URI path and 2Kb for a full URI) would drive home the point even more. Just for shits and giggles let's do something closer to a real example.

Fixed binary

[IP address] [Timestamp] [Method] [Path(/path/to/script.cgi)] [HTTP Version] [Return Code] [Referrer(http://from.domain.com?file.html)]

4 + 8 + 1 + 1024 + 1 + 2 + 2048 = 3088 bytes * 1000 = 3,088,000 bytes

Variable text

[IP address] [Timestamp] [Method] [Path(/path/to/script.cgi)] [HTTP Version] [Return Code] [Referrer(http://from.domain.com?file.html)] [EOL]

16 + 15 + 5 + 512 + 3 + 3 + 1024 + 1 = 1579 bytes * 1000 = 1,579,000 bytes

Let's add one more variation: variable length binary records. Maybe that will offer some savings.

Variable binary format

[IP address] [Timestamp] [Method] [Path Len] [Path] [HTTP Version] [Return Code] [Referrer Len] [Referrer]

4 + 8 + 1 + 2 + 512 + 1 + 2 + 2 + 1024 = 1556 bytes * 1000 = 1,556,000 bytes

Pretty good, some savings over variable text; however, we now lost the ability to edit, head, tail, or do anything useful with command line tools. Not exactly worth it for a 1% gain. Oh yes, don't forget gzip will compress ASCII text better than binary because it'll drop the 8th bit on every byte so you'll automatically pickup a built in 12.5% gain with ASCII files which blows away the 1% gain of variable binary format.

Re:Firewall Schmirewall

"Firewalls do stateful packet inspection."

Firewalls optionally do stateful packet inspection. It is all in how you write your rules and setup the firewall. You can, for example, accept/reject protocols by filtering at OSI layer 2 without looking at a layer 3 packet in detail or keeping state. This is a "firewall" too.

Re:Firewall Schmirewall

[mattmatt]

The oldest form of firewall would likely be more related to that in your car between the engine bay and the cabin.

Re:Firewall Schmirewall

But do they have NAT King Cole in them?

Re:Firewall Schmirewall

[Oriumpor]

Why bother, if they get nuked they just reload the boxen, it's not worth the trouble of taking a 3rd party's word for the fact that it stopped an attack.

Also, anything they get hit with would arguably have to be 0 day, and hence AV would be nearly useless against it anyways.

Re:Firewall Schmirewall

[Martin+Blank]

And firewalls are capable of and do perform routing. However, most people consider them separate from routers.

I'm glad I read the comments for this story. Pedantry seemed to be on the decline here at Slashdot in recent weeks. Apparently, it was just being stored up.

Re:Firewall Schmirewall

[jelle]

Make sure to use one of the read versions for /dev/null, namely /dev/zero and /dev/random... ;-)

Re:Firewall Schmirewall

[gokalp]

If they do that, how can they say we have a log file of 650GB daily to deal with... ----- http://www.internet.gen.tr/

Re:Firewall Schmirewall

[WallyDrinkBeer]

Nah, they have stored their logs redundantly stored in /home/landsecurity, /home/nsa and /home/cheney.

Re:Firewall Schmirewall

[The-Bus]

Just do what I do. Have an old guy in a security uniform ask everyone to sign in on a dry-erase board.

It saves paper.

Re:Firewall Schmirewall

[lena_10326]

If they do that, how can they say we have a log file of 650GB daily to deal with...

I'm not sure what you're getting at. They just generate lot of data. It's Microsoft one of the largest corporations in the world. Not surprising at all.

I know some other posters have said 650GB a day is nothing, but they are talking crap. It's a lot of data. If you're actually using the data, you may need to store 30, 60, or 90 days worth. Analyzing 19TB, 39TB, 58TB is not a simple matter if you're doing any real sort of data mining with ad hoc queries. Archiving, compressing, and backing up the data is straightforward but what's the point of doing that if you're not planning on actually going back to look at the data?

Re:Firewall Schmirewall

[Net_Wakker]

Been a long time since I had to look up an abreviation, and a first casual google did not yield any useful results for IPHBT. Pretty impressive.

Re:Firewall Schmirewall

[AlexBirch]

They back it up in /dev/random

Re:Firewall Schmirewall

[DeadBeef]

My apologies, I just made it up off the top of my head. I'm not sure if it has been used anywhere before, did anyone get my half assed variant of YHBT? =)

Re:Firewall Schmirewall

They certainly would be, if ntbackup.exe would stop reporting "Access violation whilst accessing /dev/null" and terminating the backup.

Re:Firewall Schmirewall

[Measure+Twice]

They obviously mean that there are no Firewall boxes. They have been doing port blocking for as long as there's been a microsoft.com. That was one of the first sites to be hit by distributed ping Denial of service attacks. You manage 650GB/Day of logs by posting them to a set of SQL servers. The Server 2008 issue is one of 'Eating your own dogfood' which was always the policy at MSFT. sometimes that's an IT nightmare, and sometimes it works out well. NT4 and SQL7 were adopted in-house long before any public betas, because the alpha releases were more stable than the shipping product (NT3.51/SQL6.5)

Re:Firewall Schmirewall

[kipple]

they are logging everything a user visiting microsoft.com has said, typed, chatted, thought or seen in the last n months and all the cookies too.
of course.

Re:Firewall Schmirewall

[UnknownSoldier]

Exactly, whether a firewall is in hardware, or software, is moot -- if packets are being filtered, you have a firewall.

Re:Firewall Schmirewall

I still don't understand how to handle 650 GB of logs

Me too... isn't 640kb supposed to be enough for anyone ?

Re:Firewall Schmirewall

No, it isn't, actually.

Re:Firewall Schmirewall

[cecil_turtle]

You manage 650GB/Day of logs by posting them to a set of SQL servers. That would make the problem worse. You manage 650GB/day by analyzing them quickly / continuously, storing the meta data and deleting the raw logs as quickly as possible. Unless you mean to pull them into SQL Analysis Services and make OLAP cubes of the data (and again delete the raw logs).

Re:Firewall Schmirewall

[lintux]

> My question is why are the logs in ASCII text format? When all you want is say the IP [4 bytes]

Congratulations, you have just decided to go for a log format that will cause you a lot of pain in the transition to IPv6! :-)

Re:Firewall Schmirewall

[commanderfoxtrot]

I've dealt with large logs by putting the (compressed) text files somewhere safe, then using Microsoft's excellent LogParser tool to do queries on them or pull records into a database for real work.

If you ever deal with any web server log files (or any text files/CSV etc), then it's worth taking a look at LogParser.

Re:Firewall Schmirewall

[cecil_turtle]

Thanks, I'll look into it.

Supporting

[kripkenstein]

The highly objective and insightful article mentions, for example,

Windows and IIS...rock solid and secure!

Way to go with supporting the troops there.

Re:Supporting

[plague3106]

How many times have you seen the microsoft.com website down / hacked?

Re:Supporting

[outZider]

Reliability in numbers. If you have 30 machines running your website, no one will notice if one goes down.

Re:Supporting

[stvmty]

I wonder what restrained him from using the tag.

Re:Supporting

[kripkenstein]

How many times have you seen the microsoft.com website down / hacked? My point was that TFA reads like it was written by a fanboy.

Re:Supporting

[MightyYar]

True that... and I guess it also is a testament to Akamai (and by extension Linux), since that is who MS uses to serve their site:

% nslookup www.microsoft.com
Server: 192.168.1.1
Address: 192.168.1.1#53
 
Non-authoritative answer:
www.microsoft.com canonical name = toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net canonical name = g.www.ms.akadns.net.
g.www.ms.akadns.net canonical name = lb1.www.ms.akadns.net.
Name: lb1.www.ms.akadns.net
Address: 207.46.192.254
Name: lb1.www.ms.akadns.net
Address: 207.46.19.190
Name: lb1.www.ms.akadns.net
Address: 207.46.193.254
Name: lb1.www.ms.akadns.net
Address: 207.46.19.254

Re:Supporting

[MightyYar]

My point was that TFA reads like it was written by a fanboy. You mean that the guy who describes himself as "IT Pro Evangelist, Microsoft Australia" is a MS fanboy? Oh the horror! :)

I think that we can forgive him - it seems to be his job description.

Re:Supporting

[sid0]

So you're saying IIS isn't secure? Please check your facts.

Re:Supporting

[Digital+Vomit]

The highly objective and insightful article mentions, for example,

"Windows and IIS...rock solid and secure!"

Talc is technically a rock...

Re:Supporting

[MightyYar]

Whoopsie, looks like Akamai uses IIS now - I'm behind the times, I guess:

% nmap -A -T4 -F -P0 www.microsoft.com
 
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-12-13 11:48 EST
Interesting ports on wwwbaytest2.microsoft.com (207.46.19.254):
(The 1218 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 7.0
179/tcp closed bgp
443/tcp open ssl/http Microsoft IIS webserver 7.0
 
Nmap finished: 1 IP address (1 host up) scanned in 167.891 seconds

Re:Supporting

[kripkenstein]

So you're saying IIS isn't secure? Please check your facts. No, my point was that (as I answered above) TFA reads like it was written by a fanboy.

Re:Supporting

[Blakey+Rat]

The guy works for Microsoft, what do you expect? If your intent was truly to point out it was written by someone with a vested interest in Microsoft, then, well, DUH!!!

But don't question the facts unless you can back them up. IIS is reliable and secure, and has been since Windows Server 2003 came out.

Re:Supporting

[kripkenstein]

The guy works for Microsoft, what do you expect? Actually I would expect serious Microsoft employees to not write amateurish fanboy articles. That someone works for a company, uses their products, and appreciates them, doesn't necessarily lead to fanboyism (unless one is 13 years old, which I presume he isn't).

Re:Supporting

[plague3106]

I dunno, maybe the fact that the blog is by an employee working for MS TechNet. Hmm...

Re:Supporting

[jimicus]

Erm.... nmap always reported the webserver as being IIS, because the nature of Akamai's service is that the webserver reports itself as being whatever's really running on the other side of their network.

The thing that causes the confusion is if you do an nmap -O, and it guesses the host operating system to be Linux despite running IIS on the web server.

Re:Supporting

[caluml]

Well, it's strategy. You can't knock it if it's working.

I think the real thing here is, is that IIS4 and 5 were junk. I luckily haven't had to work with it since then, but I can well believe that, by adopting standard good practice, Microsoft have reached the stage of stability and security that Apache was many years ago. Now the argument isn't about security/stability. It's to do with cost, and what you prefer working with.

Re:Supporting

[Bri3D]

Akami forwards the header strings from whatever httpd the Akami network is caching/fronting for.

http://news.netcraft.com/archives/2003/08/17/wwwmicrosoftcom_runs_linux_up_to_a_point_.html

Re:Supporting

[Allador]

It is amazing that people post links to things but they forget to read their own links to see whether it supports their statements or not.

That secunia link you posted is actually quite impressive.

There have been 3 IIS6 advisories ever. None of them allow remote ownership of the box.

The worst one is this:
"The vulnerability is caused due to a boundary error in asp.dll when handling ASP code. This can be exploited to cause a stack-based buffer overflow by placing ASP code that attempts to include a file with an overly long name (longer than 260 bytes).

Successful exploitation allows bypassing any security restrictions enforced by ASP or execution of API's with no ASP equivalent, but requires permissions to upload ASP code to a web folder."

The other two are a WebDAV DoS vuln, and one where the server can inappropriate return an error page if you dont have a custom one defined.

I dont think your one-line response had the effect you wanted it to.

Microsoft brainwashing

[morgan_greywolf]

Windows and IIS...rock solid and secure! www.microsoft.com is on Windows Server 2008/IIS7, MSDN/TechNet are migrating to Win2k8/IIS7, and update.microsoft.com is on Windows Server 2003/IIS6. We do all the normal shut-off-unused-services practices that line up with MS published security guidance and we utilize GFS images to ensure standardized builds of systems. This guy is brainwashed. There should be no unused services turned on by default! Admins shouldn't have to shutoff unused services -- they shouldn't be enabled unless necessary. Also, rock solid and secure? Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

Re:Microsoft brainwashing

[plague3106]

You realize that Win2k3 does turn off most services by default, and Win2k8 takes this even further by not installing them at all.

Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

Link, please?

Re:Microsoft brainwashing

[Bert64]

And there are some services you cannot easily turn off without breaking things...
They use router ACLs to drop connections to unused ports, router ACLs cause significant performance hits unless your running really high end kit with hardware firewall service modules. Really, if a port is unused it should be closed, and thus rejected by the target machine.

Also if they're using router ACLs to filter ports, that *is* a firewall, albeit a fairly crude one.

Re:Microsoft brainwashing

[oliderid]

"This guy is brainwashed."

He looks like a man enjoying his job to me.

"update.microsoft.com"

Devil's advocate would say:
If Windows Servers are so insecure
And microsoft.com is one of the busiest web sites in the world

Then one major security breach in (+)ten years would mean that there is a pretty good IT team behind. (Which was a Ddos attack if I remind well...It used to be lethal for any architecture at that time)

Re:Microsoft brainwashing

[tha_mink]

Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into Uh...no. The article was about a domain name close to update.microsoft.com being hijacked and used to distribute trojans. I'm actually surprised, considering what a huge trophy it'd be to at least deface their site, that it doesn't ever really happen.

Re:Microsoft brainwashing

[morgan_greywolf]

You realize that Win2k3 does turn off most services by default, and Win2k8 takes this even further by not installing them at all. Really? Then why did he say that they had to turn them off?

Re:Microsoft brainwashing

Someone needs to learn the definition of "most".

Re:Microsoft brainwashing

[truthsearch]

Most of microsoft.com uses distributed Akamai linux servers for protection against DDOS attacks.

Re:Microsoft brainwashing

[dedazo]

There should be no unused services turned on by default!

Right, that's what's he's saying... right?

Also, rock solid and secure? Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

I don't doubt that. Of course shit happens elsewhere as well.

Re:Microsoft brainwashing

[ShatteredArm]

I read it as "We had to turn them off when we installed everything" rather than "We turn them off each time we reboot the server." But maybe I read it incorrectly...

Re:Microsoft brainwashing

[Blakey+Rat]

This guy is brainwashed. There should be no unused services turned on by default! Admins shouldn't have to shutoff unused services -- they shouldn't be enabled unless necessary.

Windows Server 2003 (and presumably 2008) already ship this way.

Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

No, it was "windowsupdate.com" which is owned by MS, but not the actual Windows Update site (that site is located at windowsupdate.microsoft.com.) Also, it wasn't "broken into" it was the subject of a DDoS attack my a virus/trojan, in a futile attempt to prevent infected users from installing the update that removed the virus. (The hacker must have been a little stupid to DDoS the wrong domain though!)

Re:Microsoft brainwashing

[EvanED]

He also said "You realize that Win2k3 does turn off most services by default, and Win2k8 takes this even further by not installing them at all."

I suspect the moderation is more related to that.

Re:Microsoft brainwashing

Except that MS update has never been compromised, and if it ever were it would be HUGE news. Nice troll though.

Re:Microsoft brainwashing

You sure about that? From an earlier post higher up:

Whoopsie, looks like Akamai uses IIS now - I'm behind the times, I guess:

% nmap -A -T4 -F -P0 www.microsoft.com

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-12-13 11:48 EST
Interesting ports on wwwbaytest2.microsoft.com (207.46.19.254):
(The 1218 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 7.0
179/tcp closed bgp
443/tcp open ssl/http Microsoft IIS webserver 7.0

Nmap finished: 1 IP address (1 host up) scanned in 167.891 seconds

Re:Microsoft brainwashing

[SEMW]

Wow, you got (Score:3, Insightful) for smugly saying "Link please?"? Here's a link for ya Google. Learn to look things up for yourself instead of acting like a smug bastard when someone points out the obvious. "Link, please?" used in that context is a shortened form of "I've looked around, and can't find the slightest reference to what you mentioned; but rather than assume that you made it up, I am going to give you the benefit of the doubt and assume that it merely, for whatever reason, wasn't well publicised. Thus, would care you to supply any proof of your claim?"

I can't vel (BTW, on an related note, burden of proof is on the person who makes the claim. This follows by necessity from the impossibility of proving a negative.)

Re:Microsoft brainwashing

[jez9999]

Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

Link, please? http://update.microsoft.com/

Re:Microsoft brainwashing

[plague3106]

Well, first I said "most." Second, it's possible he wrote incorrectly. He might mean "we only run required services."

But don't believe me though, go install Server 2003 R2 yourself. IIS either isn't installed unless you specify, or it comes locked down to server ONLY static content. (I know that latter part is the default IIS setup, because I had to go turn everything I needed on).

Re:Microsoft brainwashing

[Tim+C]

The onus on providing evidence is on the person making the claim. If they can't find a source to back their claim up, then perhaps they shouldn't be making it at all. Otherwise, it's just FUD, and we all know how much we hate it when certain other people spread that...

Re:Microsoft brainwashing

[AK+Marc]

I read it as "We had to turn them off when we installed everything"

That's correct. However, something intended to be secure, like a firewall, comes out of the box unable to work at all (well, most of the high-end ones). 100% of all functionality may be installed when delivered/setup, but until manually activated, nothing actually works. I haven't tried the most recent version of IIS, but I'm used to it opening up the services upon install, then giving default "not configured" web pages. That is functionally no better than leaving the services off and is less secure than leaving them off. If it is intended to be "secure" at all, everything would start off (including DHCP client) until someone got on it and configured it. But then, people would complain that it doesn't work out of the box. If you buy a Cisco access point, you'll see that they have big stickers all over the device telling you that it doesn't work. But that was a change from the enabled-as-an-insecure-bridge configuration they came in initially.

Re:Microsoft brainwashing

[kernelpanicked]

Troll, FUD, Flamebait, wow guys get some original material or shut up already. I didn't find anything directly on update.microsoft.com but a very quick google search will show you just how "secure" Microsoft keeps their own shit.

http://www.news.com/2100-7349_3-6085589.html
http://www.zone-h.org/content/view/227/31/
http://news.zdnet.com/2100-1009_22-6085589.html
http://www.infoworld.com/articles/hn/xml/00/11/03/001103hnhacker.html
http://archives.cnn.com/2000/TECH/computing/01/10/ms.taiwan.idg/index.html
http://news.zdnet.co.uk/internet/0,1000000097,2086058,00.htm

There are many more but I'm not really in the mood for doing other folks homework for them.

Re:Microsoft brainwashing

http://www.google.com/search?q=update+microsoft+down

Pick one relating to Microsoft Update being shut down because of attacks/virus/etc.

and stop being a lazy MS troll ..

Re:Microsoft brainwashing

[ad0gg]

Of the commonly used web servers, IIS is most secure. There hasn't been a remove exploit for it since server 2003 launched. Go check Secunia .

Re:Microsoft brainwashing

[PitaBred]

That's not quite what I get. Higher-up post must have some funny routing or something going on upstream from them:

~$ nmap -A -T4 -F -P0 www.microsoft.com

Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-12-13 11:32 MST
Warning: Hostname www.microsoft.com resolves to 4 IPs. Using 207.46.193.254.
Interesting ports on wwwtk2test2.microsoft.com (207.46.193.254):
Not shown: 1254 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http?
443/tcp open https?

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 38.963 seconds

Re:Microsoft brainwashing

[Jugalator]

Hmm, that site just told me to upgrade Firefox 2 to Internet Explorer 5. :-/

Re:Microsoft brainwashing

[jjrockman]

Wow. I'm impressed. Each of these links either are: a) really old, before Windows 2003 Server even existed, or b) about exploits in the DotNetNuke software and not specifically IIS. Troll, FUD, Flamebait, eh? So which one are you guilty of?

Re:Microsoft brainwashing

ROFL, who the heck mods these up??

Re:Microsoft brainwashing

[Kalriath]

Actually, when you first boot Windows Server it pops up with the "Configure Your Server" page, and an extra note that until you've set up roles on it, nothing will work. As in, it hasn't started IIS, it hasn't started AD, it hasn't even started Terminal Services. And until you've picked which ones you want to run, it wont even allow inbound connections whatsoever!

Re:Microsoft brainwashing

[Kalriath]

And they're all related to viruses designed to attack Windows Update from other compromised PCs. Not Windows Update ever been broken into/hacked. So I'm not surprised he failed to find anything. Or do you expect that when hit with a massive DoS Sourceforge wouldn't just as quickly shut down sf.net or Slashdot.org?

Re:Microsoft brainwashing

[secPM_MS]

When you install 2K8 your are given 2 choices, server core (a headless server without any GUI, just a command shell) and the standard server. If you install server core, you can then use powershell to manage it. I have been working with and running Server 2K8 since Vista Beta 1. Standard server is minimal. Once you have it up and running, you then install the roles and features that you want. If there is some particular functionality that you don't care about, you can use SCW (server configuration wizard) to disable the appropriate service(s).

2K8 and its predecessor 2K3 are very stable and capable OS's with a very long supported lifetime. From a administrator's point of view, WU is far preferable to rebuilding Open BSD when security patches come out, let alone the short supported lifetime of any given release. Some of the Linix distro's have more reasonable support lifetimes, but the 7 to 10 years that Microsoft has is very nice.

Re:Microsoft brainwashing

[bigstrat2003]

You know, I resent the way people crow whenever Microsoft uses anything that isn't a Microsoft product. You know what? That means they have competent IT professionals working for them, who are objective and recognize what the best tool for a particular job is. Seriously, we should respect them for that, not trumpet it like it's something to be laughed at.

Re:Microsoft brainwashing

[truthsearch]

I would agree, if only Microsoft didn't try to brand Linux and open source as evil. If their "Get the Facts" campaign showed Linux' strengths alongside Windows', instead of being one-sided propaganda, then we'd applaud them. But you can't call open source a cancer while using it without getting ridiculed.

Re:Microsoft brainwashing

[bigstrat2003]

Microsoft isn't one person, in the first place. It's made up of a lot of different people who see things differently. Second, there's no reason whatsoever we shouldn't recongize the good things Microsoft does, while still calling them out for the bad things they do. I understand what you're saying, but I think that we need to judge each action independently, especially as they were performed by different people (marketing vs IT).

I mean, seriously, what's the alternative? If Microsoft uses Linux, they get ridiculed. If they don't use (or don't even consider, at least) Linux, they get blasted for being stupid and not using the best tool available. That's hardly fair.

Re:Microsoft brainwashing

[felipekk]

One of the best ones I've seen in a while. Thanks for making my day better.

Re:Microsoft brainwashing

[truthsearch]

You're right, Microsoft is not one person. But it is conceptually one entity. When executives are in the press calling open source a cancer the head of web administration should not choose Linux server caching, even from a third party. A company should ideally display one concise image, as I'm sure anyone in their marketing department would agree.

If a linux evangelist allowed his web admin to use IIS for his web site wouldn't the evangelist lose all credibility? It's essentially the same thing.

Even a group as large as 55,000+ Microsoft employees is supposed to be organized from the top down. Remember the story of Microsoft employees using iPods? Management made it clear it was not accepted policy.

Microsoft wouldn't be ridiculed for using Linux if they simply agreed that their tools aren't the absolute best for every job. Conceding from the start that Linux has its benefits in some scenarios would have sufficed. They had the option to work with the community and instead chose to have war. (Yes, some things have changed recently, but they haven't done a complete 180.)

Re:Microsoft brainwashing

[bigstrat2003]

Again, I understand what you're saying, but I think it's completely unfair to look at it so uniformly. This isn't just Microsoft sympathy, either. You mentioned a couple of other examples:

If a linux evangelist allowed his web admin to use IIS for his web site wouldn't the evangelist lose all credibility?

Remember the story of Microsoft employees using iPods? Management made it clear it was not accepted policy. Both of those are also completely ridiculous things which should not be allowed to happen. I'm against this expectation of uniformity, no matter who propagates it.

Re:Microsoft brainwashing

[Rudolf]

I can't vel

What does "I can't vel" mean?

Re:Microsoft brainwashing

[SEMW]

It means I forgot to use 'preview' before submitting ;-)

Re:Microsoft brainwashing

[Allador]

Wow, your google-fu is not very good.

Lets see, thats one link about a vuln in dotnetnuke, one link about an unpatched IIS5 (ie, win2000 server) being broken into back in 2002, another one about the SAME french dotnetnuke as the first site being hacked, another about an unpatched win2000 server from 2000, another about an unpatched win2000 server being hacked through the (2+ year old vuln) being unpatched, and one about a win2000 server getting hacked through an IIS zero-day vuln in 2001.

Of all of these, only one (the last one) is even remotely relevant, and you had to back 6 years and 2 major versions of the OS to find that.

IIS and Windows may or may not be secure, but your post added absolutely nothing to the conversation.

Re:Microsoft brainwashing

[Allador]

Also if they're using router ACLs to filter ports, that *is* a firewall, albeit a fairly crude one. Not necessarily. If they running cisco kit then they're doing they're doing router filtering through installed FSM (Firewall Service Modules).

Yeah, its high end cisco stuff, but they're running one of the worlds busiest websites, and they've got cash leaking out of their pockets. So yeah, they're probably going to be running high end kit.

Even without FSMs, router acls work fine as long as the number of statefully managed sessions (which usually means outbound) isnt too big.

Hi, and welcome to Bizaro World...

[JargonScott]

Interesting details include having no firewall, having to manage 650 GB of IIS logs every day, and the use of their yet unreleased Windows Server 2008 in a production environment. Please try a complimentary goatee.

wtf!

[mseidl]

They run AV when they can? No firewalls? It's like a 1960s flashback!

Re:wtf!

[dgr73]

Maybe they've just seen too many hacker movies and want to try out their "You have hacked into microsoft.com!" page.

Re:wtf!

[slashbob22]

I call honeypot.

They are doing one of 2 things:
1) Trapping all the nasties to figure out what's out there and make their product better
OR
2) Trapping all the nasties to figure out what's out there and sell another solution to protect you
3) ...
4) Profit!
Come to think of it if you select number 2 you can go straight to 4.

I wonder what platform they use...

[thriemus]

...I am guessing they do not use an Apache Cluster :)

Eating dogfood is good

[ReallyEvilCanine]

How can anyone complain that they're running Server 2008? My company's software quality dropped considerably when we stopped eating our own dogfood two years ago. When techs, engineers and everyone else is stuck with the same problems as the future ell-users, shit gets fixed a lot faster and a lot better.

Re:Eating dogfood is good

[iroll]

People are complaining?

((rereading thread))

Care to point that out? I'd say most people would be happy that they are using their own product in a critical environment.

Re:Eating dogfood is good

[JCSoRocks]

True that. I wasn't surprised at all. I'd be disappointed if they *weren't* using Server 2008.
Also, the summary is a little deceiving - although they don't have a firewall they are using the ACL on the router... so it's not like they've just plugged their web server directly into the interwebs - they do have some protection.

Re:Eating dogfood is good

yes; but, microsoft internet sites also compete with other internet sites and some of those other internet sites are supplied by microsoft, giving microsoft through its position as supplier in the operating system and services market an (arguably unfair) advantage in its position in the internet sites market.

Re:Eating dogfood is good

[ReallyEvilCanine]

Not complaining in TFA, but this is /. -- I just anticipated the howls of the unwashed hordes rightfully bitching about yet another "professional" OS with a markedly unprofessional Teletubbies UI which certainly isn't ready for market yet, all while ignoring MS' internal dogfood consumption. I'll bet if enough Microsofties had eaten Office dogfood you could shut off that fucking control-click "Research" panel easily.

Re:Eating dogfood is good

[ClarifyAmbiguity]

Nothing's stopping those other sites from developing their own servers.

Re:Eating dogfood is good

[ashridah]

Not complaining in TFA, but this is /. -- I just anticipated the howls of the unwashed hordes rightfully bitching about yet another "professional" OS with a markedly unprofessional Teletubbies UI which certainly isn't ready for market yet, all while ignoring MS' internal dogfood consumption. I'll bet if enough Microsofties had eaten Office dogfood you could shut off that fucking control-click "Research" panel easily.

Nevermind that the UI for 2008 is roughly the same as 2003, only with a more extensive (yet still looking clean and fairly spartan with the eyecandy) set of configuration utilities for roles and features. Just wish I could say the same for the control panel. :)

As for the 'research' panel... okay, I work here at microsoft, and I own my own copies of office at home, and I have no idea what that is. Of course, I'm hardly an office power user.

You can bet your bottom dollar that office 2007 is all that's in use around most of the company. As is vista, although it tends to be a mixture of vista, xp and 2003/2008 in most offices, usually for a variety of legacy reasons (maintenance of older projects, testing, etc)

I've got all but XP myself, but only because I haven't needed it to do my job.

Re:Eating dogfood is good

[iroll]

Wait, lol, you don't think that Microsoft employees use Office??!?

What are they using? TeX? Open Office?!?

No firewalls?

[LiquidCoooled]

If they don't have firewalls, then I have a definition of a firewall wrong.

look:

In terms of how we protect the sites, we utilize (starting at the outside edge of the network and working in):

      1.
            Cisco Guards for DoS detection and automated response
      2.
            Router ACLs are in place to block unnecessary ports ...

Re:No firewalls?

[Major+Blud]

I think what the MS guy was getting at is that there are no firewalls on the indiviual servers. A Cisco ACL isn't technically a "firewall", since it isn't based off of NAT, but accomplishes the same thing.

Re:No firewalls?

[cavtroop]

No, I think he was getting at the fact that they don't have any firewalls that do any sort of packet inspection, etc. Just ACLs blocking ports, which is *technically* a firewall.

Packet inspection is the key to his comments here, I think.

Re:No firewalls?

Oh dear. You've got a bit more learning to do if you think NAT has anything to do with firewalling.

Re:No firewalls?

[0racle]

NAT != Firewall and vice versa. A firewall does not have to use NAT and a NAT device is not necessarily a firewall.

http://en.wikipedia.org/wiki/Firewall

Re:No firewalls?

[mysticgoat]

The original definition of a firewall was a sacrificial physical computer sitting between the outside world and the corporate jewels.

The antimalware industry would like to convince its market that software which configures a user machine in a proper and safe manner is indeed a "firewall". This is marketeer hype. Many IT professionals use the word "firewall" in its original sense, before the McAfeeNorton&Trend language distortion. To those IT professionals, a GUI software assistant that closes unneeded ports and monitors for indications of malformed packets is called "GUIcrap".

Well, it should be called that.

Caveat: I have been a customer of Trend Micro for around 10 years and I am very happy to have their GUIcrap on my computers. The only thing I'm not happy about is them calling it a "firewall", because it ain't that.

Re:No firewalls?

[PitaBred]

From the wikipedia article:

"A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules" Ok. So a NAT device, which inspects packets coming in, and denies them if they're going to ports that aren't forwarded according to rules or passes them through if they are, isn't a firewall? It seems to fit the description pretty much exactly.

Re:No firewalls?

[0racle]

What you're describing is a NAT device (not a firewall) with SPI (a firewalling function), not a pure NAT device. A NAT device on its own simply translates. Anything coming from the private side goes out. You can have a 1 to 1 NAT device where all traffic that comes into the NAT device from the public end is passed without inspection to the inside. This is often done on one to many or PAT devices by defining a DMZ host. Otherwise what the NAT device does if a request comes in to a IP/port that does not have an active session is simply drop it. This is just the same as making a port 80 request to a system not running a Web Server or other service on that port. You don't call that firewalling now do you?

NAT is not a firewalling technique. NAT devices may however run software that also allows them to be firewalls.

No a firewall, but...

[VxSote]

FTA: "Router ACLs are in place to block unnecessary ports" While that might not provide SPI and other benefits of a true firewall, it's still a hell of a lot different than plugging a box into a wide open connection.

Re:No a firewall, but...

[blueg3]

Of course, he didn't say they plugged them into a wide-open connection. Perhaps people inferred that from the statement that they don't use firewalls, but that's their mistake.

Priceless...

[orclevegam]

Cisco Router: ~$700
Server to run it on: ~$2000
Beta testing Microsofts new server 2008 in a production environment: Priceless

Re:Priceless...

[BytePusher]

It's called Alpha testing in this case. It's good marketing on their part to say, "We're so sure our software is good we use our pre-Beta software in a production environment." Never mind the fact that they have Server 2003 waiting ready to take over when their 2008 server horks itself.

Re:Priceless...

[UncleTogie]

Actually looked up the price of that Cisco Guard...

Not a router, and *definitely* not in the $700 range...

Re:Priceless...

[orclevegam]

Wow, that's one expensive piece of hardware. Wonder if it's really worth that, or if you could get a similar effect using iptables and a little reactive software. At any rate, those numbers I tossed out weren't really serious, and the $2k price tag I tossed out for the server is probably way off base as well.

Ever tried to bookmark something on that site?

[hey]

Its like they change the URLs weekly.
I wonder if its on purpose (to avoid bookmarking) or just bad design.

Re:Ever tried to bookmark something on that site?

[jherrick]

Once someone has worked in a large (10,000+ people) organization, you realize that every "department" grows to a point when it wants its own web "presence" including plenty static and dynamic content. At some point you end up with a collection of disparate web content that needs to be indexed and searchable. Then, at some point, you decide to flatten / reorganize / index and look for tools to do this. It's not an easy process, but I think it's more of a cycle.

Just my $.02

Re:Ever tried to bookmark something on that site?

[daeg]

URLs are permanent. Great URLs don't change. Good URLs at least get a redirect to the new location. Good URLs that are no longer available (content completely removed) direct to a page that says the content has been removed.

IIS and ASP.NET make it obscenely difficult, though, to do this. When you set up a custom error (404) page under ASP.NET, the original QUERY_STRING is lost. At least in .NET 2.0 under IIS 6 (confirmed by MS devs), there is no way to get it. Period. So all those awful ASP.NET query strings that look like idiots using PHP back in 2000 cannot be reasonably corrected -- including a lot of URLs on Microsoft.com.

Re:Ever tried to bookmark something on that site?

there are several redirectors to 'patch up' old url. fwlink, go.asp, etc annoying

Re:Ever tried to bookmark something on that site?

[ShaunC]

I don't care how many people are in your enterprise; when you create a resource for the public (like MSDN), publish your entire API references etc. there, your URIs should not be changing every month. I've had the same experience as the OP, where I'll bookmark something on MSDN and try to pull it up merely a few weeks later, only to hit a 404. Even the MSKB URIs keep changing around. "This article (876543) was previously known as 'Q876543'" and such tripe. Pick a consistent gosh-darned convention and stick with it. It seems to have something to do with constant reorganization of their "tree" navigation structure, but whatever the cause, it's damned annoying.

Five years ago, I could go to http://php.net/fsockopen and be taken to the documentation for that function. The same URI works today. There's no reason that I shouldn't be able to go to http://microsoft.com/api/win32/wsastartup and rely on that URI to point wherever Microsoft has decided that documentation wants to go today...

Re:Ever tried to bookmark something on that site?

[Allador]

You cant do that using a custom 404 page, but you can do it (retain all original information) using the IIS built in redirection functionality, or one of the many ISAPI url re-writers.

The URL re-writer is probably a better solution anyway, as it gets the http request before any of the more complicated stack get it, and then you can manage the list of redirects through a simple text file.

They do use firewall

[zukinux]

"In terms of how we protect the sites, we utilize (starting at the outside edge of the network and working in):
1. Cisco Guards for DoS detection and automated response
2. Router ACLs are in place to block unnecessary ports
..."
That's what a firewall does... and the funniest thing that this guy doesn't know the definition of a firewall.

Re:They do use firewall

[oni]

Maybe he meant that the building itself has no walls to protect it from a fire. Maybe their server room is in a gazebo in a park somewhere.

Re:They do use firewall

[LibertineR]

No, dufus. A true firewall inspects individual packets.

Re:They do use firewall

All the high end routers I know of can inspect the packets if you want when using ACLs. You dont have to but you can. Saying a firewall has to inspect packets is a bit of a stretch.

Every consumer OS has a built in *firewall* right? Dont these tend to just drop packets in the typical configuration?

My checkpoint firewalls also dont inspect packets that I tell them to drop and I dont think anyone would say the checkpoint isnt a firewall.

Re:They do use firewall

[sigepltrain]

What a wonderful world it would be if all servers could be left alone to enjoy the comfort of a nice Gazebo. Also, can someone explain the definition and also site examples of what a firewall is, I'm not getting it from the other 300 or so posts. Does anyone read before they post?

HBI?

[RandoX]

What is HBI? A quick search found the following unrelated and unhelpful information:

HBI Health and Biomedical Information
HBI Healthcare Building Ideas (magazine)
HBI Home Builders Institute
HBI Home Business Institute
HBI Horizontal Blanking Interval (television)
HBI Hot Beef Injection (band)
HBI Hot Briquetted Iron (plant or facility)
HBI Hubbard Broadcasting Inc.

Wikipedia: Page does not exist.

Re:HBI?

[orclevegam]

Humongously Bad Interface. That's the internal name for all new MS APIs.

Re:HBI?

[JCSoRocks]

HBI - Hot But Incarcerated?

Re:HBI?

Hung Burly Italians

Re:HBI?

[SpaFF]

I was assuming he meant Host Based Intrusion.

Re:HBI?

HBI stands for High Business Impact. It's MS speak.

Re:HBI?

HBI/MBI/LBI stands for High/Medium/Low Business Impact. How this actually translates into any useful feature, policy, or capability is beyond the ken of mortal men.

Re:HBI?

[ashridah]

Hm. I would have said 'High Business Impact' but I don't know the context that he used it in, since I cbf'ed reading the article.

Re:HBI?

[s4ltyd0g]

High Business Impact

Microsoft and logs do not compute

I once had a 800MB plain-text logfile that I wanted to do a simple search and replace. I opened up the file in Word on a P4-2Ghz-2GB system and it took over two hours to complete roughly 50% of the task at hand. At this point I finally gave up because I was worried what was being done to my file and copied the file to an old PIII/450MHZ/512mb running linux and the task took about 2 seconds using a simple regex with sed.

Re:Microsoft and logs do not compute

[orclevegam]

You have just got to love a text editor that copies an entire file into memory before displaying it.

Re:Microsoft and logs do not compute

[Crane+Style]

Isn't that just you announcing your ignorant of which tools to use? Are you that kid in gym class that was always trying to put his shoes back on without untying them, rather than take the seconds to untie/re-tie he'd stomp himself around the locker room for minutes until they fit right. Oh and, how long would it take you to create and print a tri-fold pamphlet using sed? Perhaps you're the problem, not the app.

Re:Microsoft and logs do not compute

Except that when I started the task in Word, I left for lunch and came back two hours later and found it 50% done. I did not care as long as it finished before I got back - which it did not. I knew Word would take much longer than any *nix tool, I just did not expect that it would take orders of magnitude longer.

Re:Microsoft and logs do not compute

WOW OMGZ Linux IS SO MUCH BETTERZ!!! WOW! You showed us Windows users!!!!!!

Idiot.

Re:Microsoft and logs do not compute

I think he was implying that you're a fanboy turd because you're comparing Word to something that's completely different. Try opening the same file in OpenOffice (that is, after OpenOffice takes a minute or two to even open itself) and get ready for the same wait (at the very, very least).

What it boils down to is that you're just another of the endless cavalcade of Slashdot losers who trot out "hilarious" anecdotes to demonstrate the *obvious* superiority of linux over Windows. In reality, though, only others like yourself find them enlightening or funny, and everyone else just rolls their eyes.

Re:Microsoft and logs do not compute

What Microsoft App do you suggest then edlin ???

Re:Microsoft and logs do not compute

Woah, multiple sane comments? On slashdot? Whatever happened to the 99.999% OMG LINUX circlejerk? Perhaps there is hope that this site might one day not fail completely at supplying useful commentary due to ridiculous bias, though I doubt it.

Gentoo / *BSD user btw, I've run some form of Linux since SuSE 6.1.

Re:Microsoft and logs do not compute

[module0000]

Isn't that just you announcing your ignorant of which tools to use? Are you that kid in gym class that was always trying to put his shoes back on without untying them, rather than take the seconds to untie/re-tie he'd stomp himself around the locker room for minutes until they fit right. Oh and, how long would it take you to create and print a tri-fold pamphlet using sed? Perhaps you're the problem, not the app. Damn straight. It would have taken him just as long to attempt the same operation in Linux, using OpenOffice. He's a tard for using a "full featured word processor" for a "simple find and replace". That's like using a pneumatic jack hammer to put in my 2-man camping tent spikes, and complaining that the setup and take down of my "spike-putter-in device" was far too excessive compared to the linux-rubber-mallet. What a fucking retard.

The sad part is that despite your perfectly good retort and explanation to the gym-class idiot, he probably read a quarter of your post, mentally tagged you as a MS fanboy, and kept giggling. Makes all the non-idiotic GNU/Linux advocates look like idiots standing next to him.

Re:Microsoft and logs do not compute

Well, vi would have the same issue on Linux and Notepad on Windows is no better. Basically, any interactive editor would have this issue. Sed doesn't apply as it works on a stream, and doesn't need to cache a copy of the data.

Why does everyone feel the need to call others idiots, fanboys, whatever? It serves no purpose, other than to prove an intellectual discussion cannot be obtained with the poster. Actually, does anyone really think they are going to prove their point doing this?

Re:Microsoft and logs do not compute

[EvanED]

He's a tard for using a "full featured word processor" for a "simple find and replace". That's like using a pneumatic jack hammer to put in my 2-man camping tent spikes...

At the same time, it would help if Windows came with a decent set of CLI programs. It's possible that he didn't have a better tool installed.

Re:Microsoft and logs do not compute

[djp928]

vi?

Re:Microsoft and logs do not compute

I think the GP meant there are no Windows tools (ie: those that come with Windows) that let you work with huge files. ie: if you had a 20 gig file, and wanted to view some small chunk of it, how would you do it on Windows (without using Perl, or any other external tool)?

Unix on the other hand, comes with all those tools already there.

Re:Microsoft and logs do not compute

vbscript...

Re:Microsoft and logs do not compute

Makes all the non-idiotic GNU/Linux advocates look like idiots standing next to him. There is no such thing as a non-idiotic GNU/Linux fan. There is such a thing as a non-idiotic Linux fan. Red Hat Enterprise Linux is not called Red Hat Enterprise GNU/Linux. I am not using Ubuntu GNU/Linux or Gnome/Linux or X11/Linux or Gnome/X11/Linux. I am using Linux. I can run GNU tools (and Gnome, KDE, X11, etc) on BSDs as well. I am a fan of Linux over BSDs because of several reasons over the GNU tools, such as the kernel itself and assorted modules.

Re:Microsoft and logs do not compute

[Blackknight]

Windows has a findstr command that works just like grep. I don't know why more people don't know about this.

Swimming in acronym soup...

[thatseattleguy]

Could someone with more Microsoft Kool-Aid in their veins stick their fork in the acronym salad that is this article? ACL (Access Control Lists - which technically are a firewall), DoS (denial of service attacks) and IPS (intrusion protection services) I all know, but WTF are:

HBI?
GFS (is the G for "Ghost")?
NBI?
NLB?
ACE?

TIA :),
/tsg/

Re:Swimming in acronym soup...

[loconet]

Interesting, I thought I was the only one. Why is it that every time I read about Microsoft related technology it's always an acronym salad. Not even commonly used acronyms either, they use acronyms for their own way of calling technology xyz. It's almost like they do it on purpose ..

Re:Swimming in acronym soup...

GFS: Global Foundation Services. Microsoft's big internal network management thing. It's the people who keep the servers up and running for everything facing outward.

HBI: High Business Impact. Social Security numbers ,Passport accounts, etc.

NLB: Network Load Balancer.

AV: AntiVirus.
DoS: Denial of Service
IIS: Internet Information Services. 'httpd' for Windows.

Re:Swimming in acronym soup...

[bsod_vista]

NLB - Network Load Balancer? ACE - Access Control Entry? Cisco router acl's use this terminology GFS - global file system (stab in the dark for this one) As for the other two... NFC (No F**king Clue)

Re:Swimming in acronym soup...

[thatseattleguy]

Those of us born before the Nixon administration will remember this used to be a particular specialty of IBM. They insisted - even in their advertising - on referring to "hard files", when the entire rest of the industry knew these simply as "disks" or "disk drives". This continued well into the personal computer era - I remember PC Week ads well into the mid-1980s, before they sank into the mire and reinvented themselves as a somewhat more open entity.

For IBM, I believe it was more a case of too many years of being "the environment" rather than "one of many competitors in the same environment" - in other words, more a symptom of corporate isolation and insulation than of Microsoft-style mendacious embrace/extend/extinguish treatment of industry standards. Though if Ballmer had been an IBM exec instead, who knows...

Re:Swimming in acronym soup...

No, sorry. I'm too busy being one of those Linux elitist geeks who talk in Unix jargon... (and loving it, of course).

Re:Swimming in acronym soup...

[EricWright]

Funny... I thought C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe was 'httpd for Windows'.

Re:Swimming in acronym soup...

[cecil_turtle]

NLB in this context is "Network Load Balancing", a Microsoft specific technology (part of Windows Server), as opposed to an external / third part Network Load Balancer appliance. http://support.microsoft.com/kb/240997

A router can be a firewall too

[was+kroepoek]

From TFA:

At this point we still don't use firewalls for MS.COM sites[...] 1. We don't handle HBI data so we don't have the need for external logging capabilities. If we did handle HBI, we'd have firewalls.

Can someone explain this please? HBI?

2. [...] Just IIS logs are a challenge without trying to parse another ~650GB of firewall logs.

That's a non-argument. I use iptables without the LOG target; why would i want to log packets before dropping them? This would make no sense to me. If i want a NIDS, i'll install a NIDS.

2. Router ACLs are in place to block unnecessary ports

Wait a minute, ACLs you say?! Isn't this *exactly* what firewalls are for? Blocking/allowing IP ranges and incoming connections on certain ports...

Re:A router can be a firewall too

[VGPowerlord]

2. [...] Just IIS logs are a challenge without trying to parse another ~650GB of firewall logs.

That's a non-argument. I use iptables without the LOG target; why would i want to log packets before dropping them? This would make no sense to me. If i want a NIDS, i'll install a NIDS.

IIS is a web server, thus those are web server logs, which can be parsed to get statistics about page views, errors, etc...

Re:A router can be a firewall too

[was+kroepoek]

IIS is a web server, thus those are web server logs

Read.

Better response:

[Rik+Sweeney]

At this point we still don't use firewalls for MS.COM sites and don't have any plans on the books to put them in place. Here is the short answer as to why:

1. We run Linux.

What happened to Akamai Linux?

[140Mandak262Jamuna]

I vaguely recall MSFT had to outsource load balancing to Akamai which used Linux boxes to redistribute the incoming traffic at some point in the past. Looking at Netcraft.com, it shows some subdomains of microsoft.com resolved to Linux boxes before the year 2000. So it is able to get out of the sandbox now? Is that the main story?

Perhaps the only ones who can do it "right"

[teebob21]

Let's set aside the natural urge to bash MS into oblivion. Let's (just for now) ignore conventional advice about network security and firewall use. Now, not only are these guys a Microsoft shop...they ARE Microsoft. MS claims their software is stable and secure. Perhaps it is -- when was the last time microsoft.com was taken down by malevolent hackers?

That said, with their closed source and closed-doors policy to revealing details about the inner workings of the OS, _Microsoft_ may be the only company that can successfully deploy a 100% Microsoft powered solution. How many registry changes, service daemon modifications, and other tweaks have been made to get their config running this way? The world may never know. It's probably impossible for the consumer world to ever have that level on knowledge about the Windows environment, and thus run it at peak security levels. For most consumers and businesses, a Linux OS with properly implemented firewalls is much more secure than an out-of-the-box Windows deployment and router ACLs.

Re:Perhaps the only ones who can do it "right"

[bigman2003]

I'm not sure if by '100% Microsoft powered solution' you mean that EVERYTHING, including the content, needs to be Microsoft powered...

But there are tons of places using Windows Server/IIS/ASP/SQL Server to run their sites, business, etc. There is nothing wrong with it.

It's almost like they were meant to work together.

Re:Perhaps the only ones who can do it "right"

[Vellmont]

Perhaps it is -- when was the last time microsoft.com was taken down by malevolent hackers?

This is rather poor evidence that the Microsoft software is stable and secure. It assumes that a hacker would want to take down Microsoft.com. Sure, there's some jerkoffs that want to pull a big publicity stunt like that. But a smarter hacker would want to lie a LOT more low than that.

Also, as pointed out by someone else, Any large site like this is run on multiple servers. Even a malevolent hacker bent on taking down microsoft.com would have to take down a significant amount of them to affect the whole website.

Re:Perhaps the only ones who can do it "right"

[kurokaze]

You honestly don't think that if a hacker managed to deface a microsoft site they wouldn't be blaring trumpets for the world to hear?

Not only would they be advertising their 7337 h4x0r skillz on every hacker newsgroup and forum but they'd also be sending press releases to places like here. This would be front page news and they would be a legend.

Re:Perhaps the only ones who can do it "right"

[xtracto]

I think you have this leet hacking process backwards (at least for interwebs def4c1ng), the way it works is that hackers look for web servers which have known vulnerabilities and then apply such hacks to them in order to deface the web site. Generally they do not go to a specific page and try to deface it (unless they have an ulterior motive like cash).

Re:Perhaps the only ones who can do it "right"

[Blakey+Rat]

All of eBay is (or at least was a year ago) run on Microsoft servers, and while they have problems with scammers, they don't have any availability problems to speak of. And they're still running some ancient (relatively-speaking) code. Of course, they're also big enough that if they did have problems with the latest Windows, Microsoft would definitely step in on their behalf and get it fixed.

Re:Perhaps the only ones who can do it "right"

[Vellmont]

You seem to have a strange miss-conception that all hackers are 13 year olds that only want to deface websites.

You have to look no further than the legion of spammers that assemble botnets to send out spam/DOS/whatever to know that's simply not the case.

Keeping out the 13 year olds isn't too hard, it just takes some diligence. They're dumb enough to announce their presence by defacing, etc. It's the other guys that are smart enough to stay hidden I'm referring to.

Re:Perhaps the only ones who can do it "right"

[mini+me]

The first person to write a successful Linux or OS X virus would receive just as much fanfare, if not more. So why aren't we seeing more attempts at it?

Re:Perhaps the only ones who can do it "right"

[Super_Z]

MS claims their software is stable and secure. Perhaps it is -- when was the last time microsoft.com was taken down by malevolent hackers?

# dig www.microsoft.com
[..]

;; ANSWER SECTION:
www.microsoft.com. 2520 IN CNAME toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 300 IN CNAME g.www.ms.akadns.net.
g.www.ms.akadns.net. 300 IN CNAME lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net. 300 IN A 207.46.19.190
lb1.www.ms.akadns.net. 300 IN A 207.46.192.254
lb1.www.ms.akadns.net. 300 IN A 207.46.19.254
lb1.www.ms.akadns.net. 300 IN A 207.46.193.254
[..]

# nmap -v -p22 -O 207.46.19.190
[..]
Host wwwbaytest1.microsoft.com (207.46.19.190) appears to be up ... good.
Interesting ports on wwwbaytest1.microsoft.com (207.46.19.190):
PORT STATE SERVICE
22/tcp filtered ssh
Device type: general purpose
Running: lwIP, Sun Solaris 2.X|7
OS details: lwIP (Lightweight TCP/IP stack) version lwip-0.5.3-win32, Sun Solaris 2.6 - 7 (SPARC), Sun Solaris 2.6 - 7 x86, Sun Solaris 2.6 - 7 with tcp_strong_iss=0, Sun Solaris 2.6 - 7 with tcp_strong_iss=2

Nmap run completed -- 1 IP address (1 host up) scanned in 1.806 seconds

I'm actually out of words at this point.

Re:Perhaps the only ones who can do it "right"

[Super_Z]

# nmap -v -p22 -O 207.46.19.190
[..]
Running: lwIP, Sun Solaris 2.X|7
OS details: lwIP (Lightweight TCP/IP stack) version lwip-0.5.3-win32, Sun Solaris 2.6 - 7 (SPARC), Sun Solaris 2.6 - 7 x86, Sun Solaris 2.6 - 7 with tcp_strong_iss=0, Sun Solaris 2.6 - 7 with tcp_strong_iss=2

I tried the above nmap with a newer version and could not reproduce this result. My conclusion is that the above guess is probably some default answer from nmap (3.7) and should be considered as rubbish.

Re:Perhaps the only ones who can do it "right"

[xtracto]

Uh, if you read parent post, I was replying to his assertion that Microsoft sites have not been defaced. Also, if you read my post carefully I also stated that, there are certain types of hackers who hack pages for profit which ultilmate goal is not to deface web sites. Of those, there might been hacked servers in the control of Microsoft but which are in some way hacked by these more clever hackers, however it is not easy to know for sure by the same nature of those hacks.

Re:Perhaps the only ones who can do it "right"

[RzUpAnmsCwrds]

Uhh, this is old news. Akamai uses a variety of operating systems, including Linux and Solaris. That's why Microsoft.com used to show up as running "IIS" on "Linux" when you looked at it on Netcraft.

Are you suggesting that Microsoft should never use a non-Microsoft solution? Because for the kind of traffic Microsoft serves (think 700 million systems updating every month - that's something like 50 petabytes of data), Akamai has a unique level of capability that no other organization can offer.

Re:Perhaps the only ones who can do it "right"

[Reziac]

I dunno about that, but here it is 10 hours after TFA hit slashdot, and I'm getting this:

=======
We are currently unable to serve your request

We apologize, but an error occurred and your request could not be completed.

This error has been logged. If you have additional information that you believe may have caused this error please report the problem here. [link]

Re:Perhaps the only ones who can do it "right"

That said, with their closed source and closed-doors policy to revealing details about the inner workings of the OS, _Microsoft_ may be the only company that can successfully deploy a 100% Microsoft powered solution. How many registry changes, service daemon modifications, and other tweaks have been made to get their config running this way? The world may never know.

You're right. The world will probably never know. I doubt event Microsoft knows for sure because in this instance the business task of "configuring our web server" will mush together with "develop our product" in ways that are very difficult to separate for either code developers or accountants.

But here is the key insight that you won't find on Microsoft's sales brochures and which whiz by the heads of most Microsoft customers and whiz by many in the FOSS world that dismiss MS with their outer layer of emotional neurons:

A company with

• programmers and
• access to source code

can present a

• high volume and
• secure

interface to the web. If I'm a company that needs to do something similar - and most do - then I should consider the business case of hiring a few competent programmers and obtaining affordable (i.e., free) source code vs the typical decision of hiring a herd of system administrators and application specialists to care and feed my licensed binaries running on my web server farm.

Yes, that's right - MS is advertising the benefits of open source development and deployment, if you can read between the lines.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Router ACL= Firewall

[udippel]

SUREURCORRECT!

2. Router ACLs are in place to block unnecessary ports

Right-o ! Shows what a brainwashed, single-minded dim he is. Doesn't say "(Microsoft) Firewall v.0.38.2a" on the shrink-wrapped package; and voilà, isn't (a firewall). That's how they keep the masses unwashed and in admiration. (But I digress.)

Actually, the whole thing is a disgrace, but what to expect ... !?

2. We have ~650GB/day of IIS logs [...] Just IIS logs are a challenge without trying to parse another ~650GB of firewall logs.

Why is an IIS log size just as large as a firewall log ? Makes me wonder, if he thinks they were the same ??
650GB of what ? ASCII text or gzip ?

3. 5+ years ago, there wasn't a firewall solution that would scale to our needs and this forced us to focus on network, host, and application security.

I'd never would want their stuff for free even. Because the use of the word 'forced' is absolutely wrong. Program security is the alpha and omega of security; and anyone who wants to have his software taken seriously would look into exactly these. Not into firewalls.

5. Application security is critical since a firewall is likely going to allow traffic on the correct port and protocol through to the web servers so IIS/ASP.NET/Applications must deal with these requests gracefully.

This is so right, see above. But the mentality implies he is unaware of the fact that predictable and graceful behaviour is what we want in the applications in the first place.

6. We do run AV on our servers when we can. At times product adoption means we don't install it, but we do normally run AV.

Makes one wonder what this is supposed to tell us. At times they don't get an AV running on their own boxen ? Can someone point out to me, which logic underpins non-usage of AV for 'product adoption' ? Like, on those boxen containing Vista ?

650 GB log

they used MS Excel...right

akamai

[wwmedia]

don't forget the whole slough of Linux servers that they use through Akamai to handle the bandwidth;

it's one reason why why doing a lookup on Microsoft servers, it often shows that they are running Linux. It's also another reason why people point out that Linux is more scalable because even Microsoft can't eat it's own dogfood.

Re:akamai

Get with the program, stupid. Your information is outdated.

Ok...

[Verunks]

Nice setup but what about root passwords?

Misleading Summary. Total Propaganda

[mpapet]

1. The asshat highlights they use no firewall, and yet buried deeper in the article is this "Router ACLs are in place to block unnecessary ports" That's the functional equivalent of a firewall.

2. I get into discussions where tech guys spew traffic numbers and I'm never impressed. It creates issues if you want to actually do something with the data which I doubt they do much beyond running the usual marketing metrics. Until you actually shoot for 99.99 service uptime, you begin to comprehend the challenge it is (on any platform) the traffic itself is not the challenge.

3. I'm very interested in reading what their hardware budget is like. I get excellent performance out of Linux compared to server 2003 boxes on similar compaq dl380's.

Now there's a best practice

[QuietLagoon]

use of their yet unreleased Windows Server 2008 in a production environment.

Now there's a best practice that other corporations should follow - the use of test software in a production environment.

Re:Now there's a best practice

[Atriqus]

Come on, it's the same people who were hit by a worm because they didn't apply Recommended Updates to their own servers. :)

But generally..

[Junta]

Router ACLs are in place to block unnecessary ports
Cisco Guards for DoS detection and automated response In other words, they don't use firewalling where you have administrator defined rules to control traffic flow, they use networking equipment that accept administrator defined rules to control traffic flow .... totally different..

What in the world do *you* perceive the difference being between a 'firewall' and a router blocking ports based on source and destination being compared with a set of rules (aka ACLs)? Generally, firewall rules *can* get more complex than that, but mere port blocking by an intermediate router has been considered a firewall, even if it doesn't log violating or accepted packets, even if it doesn't have complex rules about connection state. Even if it doesn't have the word 'firewall' emblazened on the chassis somewhere.

Re:But generally..

[nuzak]

The distinction between port filtering + ACLs and today's notion of "firewall" that's actually useful is of a stateful firewall, doing stateful packet inspection, with policies based on not just the packet you're picking a TCP header out of. If you tried to sell a stateless filter as a "firewall" today, you'd be laughed out of the market.

And no, I don't see any need to firewall a web farm either.

Re:But generally..

[Junta]

The thing that's really troublesome here is, I don't think the person writing the article would care to mention that detail, at least not outside the ports IIS serve users on, which are the only ones he thinks matters. On the externally available ports that should be publicly available, there is *zero* applicability for stateful rules, particularly when you have external parties already tracking obvious DoS for you. For other ports (for example a port out of the IANA range), I wouldn't be surprised to find out they do have stateful inspection to allow traffic associated with an outbound connection in. The problem being their networking equipment might make it a transparent default. Of course, if they are running 100% microsoft software bottom to top, they may never even need to contact an external update server and forgo that entirely, something >90% of the world can't do, and is still a moot point with respect to how 'bulletproof' their server setup is.

Re:But generally..

[AK+Marc]

If you tried to sell a stateless filter as a "firewall" today, you'd be laughed out of the market.

Most of the low end routers claimed "firewall" when they did nothing other than nat. Though now someone else wrote code that runs on their Linux core so they have firewalls they didn't have to pay for. But what you are saying is that a filter firewall is a firewall under every documented definition of the word, but wouldn't sell well because people expect stateful operation. That sounds like you are violently agreeing. The first thing that comes to ones mind isn't the only correct answer. Otherwise, horses can no longer be mustangs, since if you mention someone went out and bought a mustang, nearly all people would picture a car and not a horse. Language doesn't work that way.

Re:But generally..

[AmaDaden]

First generation - packet filters... it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, which comprises most internet communication, the port number).

Second generation - "stateful" filters...

Thats form http://en.wikipedia.org/wiki/Firewall. So basically what you and MS are saying is that because the firewall system they have is so out dated you can't even call it a firewall anymore? So is a car with out an Air conditioner not a car? What about a laptop with no wireless?

Re:But generally..

[cheater512]

Hmm...Is it worth buying Windows 2008 solely to put it on the net without a firewall (as they brag about doing) and then suing them for false advertising when it has porn popups on it 15 mins later?

Re:But generally..

[Kalriath]

No, because you'd have to go to considerable effort to configure it in such a way that what you say would actually happen. Hell, even my Windows Server 2003 machine is still running stable and virus/spyware free after about five years (or so).

Re:But generally..

[kasperd]

If you tried to sell a stateless filter as a "firewall" today, you'd be laughed out of the market.

That depends on which market you are aiming for. If you are aiming for buzzword compliance, then it is of course a no-go. But if you are aiming for people who know what they are doing and wants to run a large reliable production system, then it is a different matter. A stateless firewall is simpler. And being simpler means that it will most likely also have less bugs. Less bugs means you are less likely to have security vulnurabilities. And stateless means it is easier to have redundancy. Have two firewalls next to each other, and if one fails just route packets through the other.

Re:But generally..

[cheater512]

Ah but the important question is: Have you been running it for 5 years *without a firewall*?

No? Didnt think so. :P

Re:But generally..

[Kalriath]

In Microsoft speak, I don't have a firewall. I do however use Port Forwarding. DIE, NAT ROUTER!!

Either way, if it were possible I could expose it directly to the internet with no troubles (but it's not possible).

Until I configured the port blocking on my dedicated server hosted at a datacentre, it was exposed directly to the internet too. No issues there either.

Re:But generally..

[cecil_turtle]

Some protocols require stateful inspection for a firewall to even operate properly, like passive FTP where ports need to be dynamically opened up by the firewall based on the control connection's conversation. That's actually the only instance I can think of, but there may be others. Oh, yeah, and FTP sucks.

Re:But generally..

[Briareos]

Some protocols require stateful inspection for a firewall to even operate properly, like passive FTP where ports need to be dynamically opened up by the firewall based on the control connection's conversation. Sorry, but what you're talking about is active FTP. Passive is using the already established control connection for data transfer...

Re:But generally..

[cecil_turtle]

Passive is using the already established control connection for data transfer... I wish, but no it doesn't. It's a matter of what side of the connection you're on, I was talking about the person hosting the "server" side of FTP. You're sort of correct (not technically) if your talking about the client side of FTP, but even then Active FTP just uses port 20 - so at least it's a static, known number and thus you don't need a stateful firewall. For Passive FTP, if you're on the server side, you absolutely need a stateful firewall because the client will initiate a data connection back to your server on some random port (that's negotiated over the control connection) - but no, passive FTP does not actually USE the control connection for data transfer. I think some clients might offer that as an option, but it's not very common. And encrypted FTP (FTP over SSL) is even more ridiculous.

3 Free Tips

[deweycheetham]

FTA

|In terms of how we protect the sites, we utilize (starting at the outside edge of the network and working in): ... Windows and IIS...rock solid and secure! www.microsoft.com is on Windows Server 2008/IIS7, MSDN/TechNet are migrating to Win2k8/IIS7, and update.microsoft.com is on Windows Server 2003/IIS6. ...

So there you have it. I think this is a good insight into how we run our own internet properties today. What do you think? Have you got any feedback for the boys over at our MSCOM Operations team?|

3 Free Tips, the rest I charge for:

1st don't advertise your networks security especial from the outside - in.
2nd don't believe your own propaganda on rock solid. There are too many issues in it to be rock solid.
3rd don't state your future migration plans on secure architectures to the public.

Cheers ;}

--- Just because you go hunting doesn't mean you have to shoot yourself in the foot ---

Re:3 Free Tips

[Cairnarvon]

1st don't advertise your networks security especial from the outside - in.
(...)
3rd don't state your future migration plans on secure architectures to the public.

Security through obscurity doesn't work in this context either.

Re:Misleading Summary. Total Propaganda

[kurokaze]

port filtering is just one property of a firewall, that alone does not constitute a firewall

Dufus indeed...

[Junta]

In order to apply the 'ACLs' they describe, they *have* to inspect the packets, by definition. They may only compare a relatively small number of fields (src ip, dst ip, make sure it is a TCP packet *and* the destination port is 80). They might not make use of any logging or stateful inspection (then again, stateful may add next to nothing, so long as they don't need to contact external servers for any updates), but that doesn't mean they can get away with saying 'look, no firewall!' All he's saying is that port 80 (and maybe a few other hand selected ones) are 'wide open' (except something else blocks DoS for them even on those ports). Honestly, I doubt you'll find many public web services that puts a more restrictive 'firewall' than MS just confessed to having in an article where they declare 'no firewall!'

No filewall?

They *do* have a firewall, or at least nmap says so:

# nmap -p22 www.microsoft.com

Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-12-13 09:26 PST
Warning: Hostname www.microsoft.com resolves to 4 IPs. Using 207.46.193.254.
Interesting ports on wwwtk2test2.microsoft.com (207.46.193.254):
PORT STATE SERVICE
22/tcp filtered ssh

Nmap finished: 1 IP address (1 host up) scanned in 0.458 seconds

See? It says filtered, not closed. The packet was dropped.

Re:No filewall?

[deweycheetham]

hey what verion of nmap are you running?

Re:No filewall?

[PitaBred]

Starting Nmap 4.20 Ummm... really? Did you have to waste a post asking that? Please tell me you weren't serious?

Re:No filewall?

[deweycheetham]

4.20

Sorry just missed it in the orginal post. My Bad. I caught it after I posted it, but to late.

Re:Misleading Summary. Total Propaganda

[mpapet]

port filtering is just one property of a firewall, that alone does not constitute a firewall

Let's not get into a game of semantics abuse.

The author boldly states they use no firewall which leads one to believe they gave the machines a public IP address with no other protection. And then buried in the story is the method by which they protect the servers.

The author has undeniably mislead readers. Because of Microsoft's long history of misleading practically everyone at one time or another to meet their end goals, it is reasonable to assume this was intentional.

score 5 interesting .. why for ??

[rs232]

"Isn't that just you announcing your ignorant of which tools to use?"

What tools would you use to do the same job?

Re:Microsoft and logs do not compute (Score:5, Interesting)

Re:score 5 interesting .. why for ??

[DataBroker]

What tools would you use to do the same job?

Ultraedit

Re:score 5 interesting .. why for ??

[Crane+Style]

Perl

Re:score 5 interesting .. why for ??

[Mr_Magick]

The Programmer's File Editor http://en.wikipedia.org/wiki/Programmer's_File_Editor handles large files very well. From Wikipedia:

Programmer's File Editor is a freeware text editor targeted particularly to the needs of software programmers. It was written by Alan Phillips of Lancaster University in the north of England. Development of Programmer's File Editor ceased in 1999, but the program is still in use by some programmers.

Re:score 5 interesting .. why for ??

[kasperd]

What tools would you use to do the same job?

cygwin

Official policy to the rescue [?]

[dcavanaugh]

Large scale log processing isn't hard if you have the right tools. :) Let's hope their corporate policy allows something a little more robust than "Event Viewer".

Re:Official policy to the rescue [?]

[blincoln]

Let's hope their corporate policy allows something a little more robust than "Event Viewer".

I imagine they have IIS configured to log to a database, and then just use whatever query and reporting tools they want to. But 650GB a day is still a lot to deal with.

It's an advert for Windows 2008 server...

This isn't news. It's an advert.

Re:Misleading Summary. Total Propaganda

[kurokaze]

No, you're reading too much into it.

If someone were to say that they have a firewall on their linux box by cutting off port 25, would that be considered a firewall? No, you naturally would want not only port filtering, but also IP filtering with default-deny or default-allow rules to also be in place. Simply blocking ports does not constitute a firewall.

No Firewalls!

[thewils]

I have to say it sounds initially like they just stick the machines out there and let them fend for themselves. Then you read on and find that Microsoft can't live on the web without surrounding their servers by a ring of *nix devices providing Packet Filtering.

They don't trust even Win2k8 servers to be secure enough without the *nix safety blanket.

Re:No Firewalls!

[Allador]

Can you point to anything in the article that indicates this 'unix security blanket' you refer to?

All I see in it is that they have acls in place on the routers (probably with FSMs), which are cisco kit.

You do know that Cisco routers dont run Unix, right?

Re:No Firewalls!

[thewils]

Cisco Guard has to be some implementation of a *nix-like OS...

From a sample session I found on a security update:

          prompt$ ssh root@detector.example.com
          root@detector.example.com's password:
          Last login: Tue Nov 23 15:48:13 on ttyS0
          [root@DETECTOR root]# passwd
          Changing password for user root.
          New password:
          Retype new password:
          passwd: all authentication tokens updated successfully.

Looks like *nix to me...It certainly aint Windows.

Re:No Firewalls!

[Allador]

There are other operating systems in this universe other than unix/unix-clones and windows.

Most Cisco kit runs Cisco IOS for the operating system (home-grown, based off DEC & VMS roots). There is a newer version of IOS that is based off QNX, which is also not Unix (though it is POSIX-compliant).

Isn't this a GOOD thing?

[stwrtpj]

Cisco Router: ~$700
Server to run it on: ~$2000
Beta testing Microsofts new server 2008 in a production environment: Priceless

I know you meant your post as a joke, but isn't this a GOOD thing that MS is running their site on their next server edition? It's called "eating your own dog food."

You ARE a m$ fanboy!

[mangu]

He's a tard for using a "full featured word processor" for a "simple find and replace"

Two points you and the other fanboys are missing: (1) there IS no text editor for "a simple find and replace" in a default micro$oft system, and (2) full featured text editors in Linux do NOT load the whole file in memory before opening it.

Idiots. Typical micro$oft shills.

Re:You ARE a m$ fanboy!

Then go out an try to vi an 800MB file, be it on Linux, Solaris, HP-UX, whatever. It takes ages to load on them too.

The one thing the Unix operating systems have an advantage in is the CLI tools. Each one does something similar so you can combine easily.

Re:You ARE a m$ fanboy!

[JoeZeppy]

Notepad?

Re:You ARE a m$ fanboy!

Same problem. It takes a long, long time.

Re:You ARE a m$ fanboy!

[ratboy666]

"Then go out an try to vi an 800MB file, be it on Linux, Solaris, HP-UX, whatever. It takes ages to load on them too."

It may. That's why we have POSIX compliant programs like sed. "Stream Editor". To be used in precisely these cases.

But, ok, I'm crazy!!! How crazy? Let me tell you... I am running Fedora Core 5 Linux on a Panasonic Toughbook CF-27. 6GB of the slowest hard disk, coupled with 128MB of memory. So far, so good? And, icing on the cake, it's a 350Mhz Pentium II.

Running with the GUI (Gnome, the default) leaving web browser and 3 other windows open (not sure what they are running, and, frankly, I don't care), I am going to use vi (VIM 7, w/ bell and whistles) on a 618MB text file.

Yup! I told you, I am crazy: Crazy Freddy, they call me!!! Let's see how long it takes (because I am not going to just accept "takes ages" without measuring just what ages is):

[fred@pandora snobol4]$ time vi y

real 4m59.040s
user 1m36.500s
sys 0m35.390s
[fred@pandora snobol4]$ ls -hl y
-rw-rw-r-- 1 fred fred 618M Dec 13 13:29 y

It took 5 minutes, of which 2 minutes was spent on processor and 3 whole minutes physically reading the file. So, by substitution, takes ages == 5 minutes (actually, = 5 minutes, because I am deliberately timing this on 10 year old hardware).

I wonder what 4 hours is on that timescale?

Or are you telling me that Windows is SO bad as an environment that (1) tools for this are not provided, and (2) the standard system editor supplied by the OS vendor is incapable of handling the problem, forcing me to use 3rd party tools for something this simple?

Re:You ARE a m$ fanboy!

[orclevegam]

Don't know about the original vi, but vim doesn't have that problem. You'll get a message warning about calculating line numbers or something like that, but it will still open and you can edit it while it's doing that.

Re:You ARE a m$ fanboy!

[JacksBrokenCode]

He's a tard for using a "full featured word processor" for a "simple find and replace" Two points you and the other fanboys are missing: (1) there IS no text editor for "a simple find and replace" in a default micro$oft system, and (2) full featured text editors in Linux do NOT load the whole file in memory before opening it.

Two things you don't get:

1. The vast majority of people buying computers these days don't need to do find and replace on text files that are hundreds of megabytes or larger. If you need to perform that operation, you probably aren't just cruising on a clean "default micro$oft system" and hopefully are capabale of finding the right tool for the job. Either way, your argument is a strawman because the parent poster said Word was the wrong tool for the particular job and you responded by saying MS doesn't include the right tool.
2. The parent also used the term "full featured word processor" and you responded with a comment about "full featured text editors". A word processor is for composing & formatting documents while a text editor is simply for editing text. Just because you don't know the difference doesn't mean there isn't one.

I could call you an idiot and a shill for completely missing the point in your haste to slam Microsoft, but that wouldn't help foster an intelligent discussion, would it?

Back In The Days

I heard that Back In The days, Microsoft were using FreeBSD for their outward-facing servers, hacked-up to look exactly like Windows NT (for that was the product they were selling at the time).

Re:Back In The Days

[mu51c10rd]

You may be thinking of this.

Re:Back In The Days

Nope,

The way I heard it was that they had the servers inside their own building, and called it "testing the opposition" that ran for many years, as I heard it from someone who worked inside a microsoft office for a while

Re:Router ACL= Firewall

[blincoln]

Why is an IIS log size just as large as a firewall log ?

Probably because 99+% of the entries would be functionally identical, or present on the firewall but not the web server?
- Putting firewalls in front of a dedicated web server farm is going to mean your logs are going to contain nearly the same number of entries. The firewall will log an incoming connection, then the web server will log that same connection if it's allowed. The firewall will end up with *more* entries because of the connection attempts that it is blocking.
- The logging configuration for the web server and the firewall are going to be pretty similar. You are going to want to see source IP, source DNS name, date/time, source port. On the firewall you'll want things like destination IP and port and the rule that blocked/allowed the traffic. On the web server you'll want the requested URL and HTTP status.
It's all going to end up in a database anyway, because running grep or whatever repeatedly against 4.5TB of text files just to analyze last week's traffic would get old pretty quickly. So minor differences in size of data are probably going to be nullified by having to use relatively wide varchar fields for things like the source DNS name.

Typical Microsoft

[Bryansix]

You realize that Win2k3 does turn off most services by default, and Win2k8 takes this even further by not installing them at all.

Why does Microsoft not install them at all? Could it be because in their default state they are insecure? I don't want them to not be installed. (btw, Server 2003 does this too just with less services) I want them all installed and all turned off. Then I want the default state of the services to be secure when I do enable them. If this means making a wizard to set up the damn service then so be it. Why does Microsoft always assume that everybody using their products is all of the sudden going to have some magical knowledge of all the attributes that define said program? Why don't they make services as easy to configure in a secure manner as Microsoft Word is to use?

Re:Typical Microsoft

[Extide]

You gotta be kidding me... Not installing un-needed services is the *NIX APPROACH! Got to give it to you dim wits sometimes though, only a loonix zealot would say crap like that haha. It really sounds like you have no clue what your talking about, its ALWAYS a wizard with MS, whether underneath the skin it is just turning on a service or actually installing it doesnt matter. At all.

Re:Typical Microsoft

[Bryansix]

Last time I installed IIS6.0 it didn't walk me through shit. What are you talking about?

But serving dogfood is bad

[g2devi]

I agree that eating your own dog food is good.

But when you serve it in *production* environments, especially external environments, it's not dog food. It's "using your users as Beta testers without their permission or knowledge". Production environments need to be on the conservative side since any critical flaw will affect your unwitting users, which is why people gravitate towards "the stable but old enterprise versions" of RedHat, Novell, Debian, Solaris, and Microsoft Windows rather than the "cutting edge but occasionally problematic but you can 95% of the time recover without too much pain" newer versions.

Failure to do so is either banking on the belief that your users either don't care about losing or corrupting their data or relying on a "hey we never promised that things actually works, be thankful that it does because legally you've let us have our way with you" EULA disclaimer.

Re:Misleading Summary. Total Propaganda

[mini+me]

Why is blocking of port 25 based on the port alone not a firewall? It fits well within the definition. Sure, firewalls can do much more complex operations, but that obviously isn't necessary in this circumstance.

Technically? Yes. Practically? No

[mpapet]

We all know Microsoft's target audience is the PHB. They will race to the faulty assumption the OS security is bulletproof. A condition which is not knowable, nor very likely considering their long-time meme that "good security" = "good firewall"

perhaps microsoft will stamp one of these

[hansoloaf]

"hacker tested" icons we see all over at various e-commerce sites then?

Incidentally (regarding your sig)....

[filthpickle]

the intro is on the D, G and B strings, it's 7-7-7 then 10-7-7

the verses are
D-Bm 4 times, then Em-A-D (the even though you broke my heart and killed me part)

for the part between the verse and chorus (except the ones who are dead) hit B and hold

the chorus is F-C-B-F twice, then B-C-F-Em-Dm (the F-Em-Dm part is the 'you make a neat gun'), then B-A and repeat

I laughed my ass off when I beat it the first time, best video game ending EVER!

On the Subject of Firewalls and Microsoft.com

[pgn674]

Every once in a while my Vista machine develops a little networking problem. I usually have to disable and re-enable the network card to bring it back. But, if I run Vista's network Diagnose & Repair first, a stupidity arises. It tries to ping www.microsoft.com, and when it fails, it complains. Why is it trying to ping www.microsoft.com? Www.microsoft.com does not reply to pings. Microsoft.com does (usually), but not www.microsoft.com. Www.microsoft.com resolves to lb1.www.ms.akadns.net, and IP addresses 207.46.19.190 and 207.46.192.254. A sample of the error message is bellow. [Window Title] Windows Network Diagnostics [Main Instruction] Cannot communicate with www.microsoft.com(207.46.192.254). [Content] Network diagnostics pinged the remote host but did not receive a response. [Reset the network adapter "Wireless Network Connection"] [Cancel] So, why on earth do they have the tool ping www.microsoft.com? Seems stupid to me.

Re:On the Subject of Firewalls and Microsoft.com

[pgn674]

Crap. Here's the same post, with proper formatting. Guess I should have hit Preview, huh?

Every once in a while my Vista machine develops a little networking problem. I usually have to disable and re-enable the network card to bring it back. But, if I run Vista's network Diagnose & Repair first, a stupidity arises.

It tries to ping www.microsoft.com, and when it fails, it complains. Why is it trying to ping www.microsoft.com? Www.microsoft.com does not reply to pings. Microsoft.com does (usually), but not www.microsoft.com. Www.microsoft.com resolves to lb1.www.ms.akadns.net, and IP addresses 207.46.19.190 and 207.46.192.254. A sample of the error message is bellow.

[Window Title]
Windows Network Diagnostics
[Main Instruction]
Cannot communicate with www.microsoft.com(207.46.192.254).
[Content]
Network diagnostics pinged the remote host but did not receive a response.
[Reset the network adapter "Wireless Network Connection"] [Cancel]

So, why on earth do they have the tool ping www.microsoft.com? Seems stupid to me.

He is basically clueless

[kosmosik]

The guy is clueless. All he wrote is that they use new version of IIS and Windows and nothing else. He does not have a clue on how it is all run. The OS they run is not important. I think the application stack is roughly equivalent to unix stuff. Despite the license fees which M$ doesn't have to pay.

1. For what I understand they don't handle data that needs some audit trail in transactions and so on so they don't need firewall. I don't see any logic in his statement.

2. 650GB/day (of what exactly?) may seem a lot but in fact a quite regular database cluster and a proper design would handle that easily if it is well scaled.

3. He is probably just quoting somebody else. Maybe he is right here but it is hard to judge with no knowledge on how exactly does this setup use? And what he means as firewall is another mystery for me.

4. He is stating that some form of NLB made by MS in their web server architecture is bad since it makes normal network design complex and expensive. Is that what he is stating?

5. This point also makes no sense to me. Of course application security is essential since it has nothing to do with firewall. A firewall merely passes or not the traffic based on simple, low-level protocol parameters. Firewall does not protect against application flaws. Application flaws occur at very different level. He is even clueless about OSI model...

The rest is just bullshit about how it is cool to use untested software in production. Actually it is very uncool.

Also this "knowledge" of his is useless. I would love to see some insights on such large setups from somebody who is not M$ and actually did research and testing on which platform to use. Like Google for example. :)

And also how does microsoft.com compares to google.com? Which is bigger in means of traffic/application load/databases and so on?

Microsoft shill doesn't know what a firewall is

[Cairnarvon]

News at 11.

Also, running AV software on a web server? What? I can't think of very many situations where that would be at all defensible.
The rest of the article reads like a marketing presentation. Very enterprise.

the article itself

[maestroX]

since the link requires you to logon, here's a version of which I believe to be a copy of the article: http://www.networkmirror.com/EVCMz0uDTZ3L1XPV/blogs.technet.com/jeffa36/archive/2007/12/13/microsoft-com-what-s-the-story.aspx.html/

Re:the article itself

[Evets]

That link doesn't work either. It looks like they are handling all that traffic by denying access to the content. I guess that's one way of dealing with it :/

Re:the article itself

[jjMick]

Yes, generates text We're sorry, but it appears the page you want no longer exists or perhaps never did.

MS Xenix

[Locutus]

Sure, that's all well and good for a public face but we all know they really use Xenix behind all that Windows dressing. ;-)

LoB

Link not working?

Anyone have a link that actually works? The one in the article is out.

nothing better to say?

all you guys really have nothing better to do then pick apart and gripe at everything Microsoft? I'd like to see all you Linux fan-boys configure as complex an infrastructure with as much volume in site traffic as microsoft.com and still be able to have reliable and fast uptime. I think this speaks wonders for how innovative and thoroughly tested Server 2008 will be. Sure Microsoft has their fair share of bugs, and bad UI, but it just gets more complaints because everyone is using it - there's plenty of terrible Linux open-source, never will be out of beta, crap out there - and none of that gets this firestorm of bad attention, most likely cause it's never really used in such a popular environment. Or is it that you all really like being perpetually employed to fix Linux never-quite-done stuff?

Re:nothing better to say?

I couldn't agree more. There are a lot of comments of differing length posted here... however most say the same thing: "I'm a noob wanna-be who couldn't engineer my way out of a paper bag so I hide behind the cozy obscurity of an underdog operating system."

Go back to trying to make your web-cam take timelapse footage of your coverless P4 chassis and leave the engineering to the engineers.

Re:nothing better to say?

[pandrijeczko]

Actually, all that the Microsoft infrastructure says is that they have put together a pretty good & scaleable server farm/cluster solution, nothing more. The same can be done using Linux servers and clusters in theory - has it been done with Linux on the same scale as Microsoft.com? I don't know.

And if you're referring to Linux versioning, please remember that with OSS products there is no remit to get a "finished" product into a box onto the shelves - just because it happens to be "Random Linux App v0.3" does not mean it is "not quite done".

Bad link

[jaygridley]

The blog entry the story links to does not exist. Not Found: Forum Not Found The forum you requested does not exist.

Re:Bad link

[jjMick]

Hmm, at time of writing (and during several hours as well) the link goes to Log In page.

Re:Bad link

[jaygridley]

Yeah it does, if you sign up and log in it then gives you the not found error. Maybe something that wasn't supposed to be made public?

Vista as a server (?)

[nuckfuts]

Interestingly, I noticed that when pre-GUI disk checking occurs on Server 2008 it says "Windows Vista" at the top of the screen.

At least this is true with the version I'm testing - June 2007 CTP (Community Technology Preview). I expect in later versions this will be obscured.

Re:Vista as a server (?)

[empaler]

If the component does what it's supposed to, and there is no difference in how it should be applied to server and desktop computers, then there's no reason to go through making a new version.

This explains the crappy service

[Master+of+Transhuman]

"the use of their yet unreleased Windows Server 2008 in a production environment."

Now how stupid is that? What sys admin would use an unreleased OS in a production environment?

That's like Rule No. 1, isn't it?

Re:This explains the crappy service

Quote:
"Now how stupid is that? What sys admin would use an Open Source OS in a production environment?

That's like Rule No. 1, isn't it?"

Fix'd.

Hidden

[MBHkewl]

The blog has been taken off public view, and only for those who have MS TechNET access. Before that, there were comments on lies & un explained abbreviations the dude used... /. word verification: bondage !!!

Re:It Blows

[Macthorpe]

Where does it say 'error logs'? I read 'IIS logs'.

Some of the new stuff

[Captain+Original]

I got to see some of the new stuff in Windows 2008 with one of the MS sales engineers, and I have to say, I'm impressed. Here's some of the stuff they did:
General:
This will be the last Windows Server that will have 32-bit installation available. With the popularity of x64 based Intel and AMD processors, and the proven reliability of WOW64, this shouldn't be a problem.
You may add/remove as many roles at a time, with a single reboot required after all the roles have been installed
You can bypass entering the product code on installation (Activation still requires the code though). Setup is no longer linear - you can pick and choose what you wish to configure.
Virtualization:
Virtualization has now become a feature of the OS, rather than a separate application installation. You can enable virtualization as a server role. When this happens, a thin layer acts as the interface between the virtual hosts and the hardware (marketing term: "Hypervisor"). The parent host OS then becomes a virtual image (that can't be moved). All hosts are treated as equals.
Virtualization requires the 64-bit edition of Server 2008 installed.
Virtual machines can now have memory spaces > 4 GB and have multiple cores
Virtual machines can run any Windows and some Linux variants are now supported (most likely all will run; MS will actually field support calls for the supported Linux variants).
Event Log
The event log is so much better that I can't begin to explain how much better is it. You truly have to see it. Here's some of the features:
Events displayed within each subsystems management screens. Ex: if I were to open IIS management, I would see a default screen with all the events that were generated by IIS, and none that were generated by other systems.
Events from all eventlogs (Application, Security, System, etc) can be displayed in one window
You are able to see events categorized by event severity, and grouped by time frame (ex: 1 critical event in the last hour, 3 in the last day, x in the last week).
You are able to push events to a central server from multiple server, or you can pull events from other servers to one (subscription)
You are able to execute applications or send emails when an event is fired. You set up criteria for that to happen (event ID, severity, text in body/subject, etc).
Management
The Computer Management MMC console has been replaced by the Server Management console. The Server Management console is automatically populated with links to the management windows for each installed role, thus making it the de-facto configuration window.
PowerShell is a new command line interface. It is a hybrid console/scripting environment, created to aid in systems management. You can manage either the local server or remote servers from it.
New Server 2008 Core Installation Option
Server core is an optional way to implement Windows 2008. It removes the GUI portion of the OS as well as a number of other features, thus reducing the attack surface of the OS.
Core is not a separate product; the Standard, Enterprise, and Datacenter editions can all be installed in Core mode
Managed with remote tools and command prompt (cmd)
5 available server roles
Included:
o DNS
o DHCP
o File sharing
o AD
o WSV - windows server virtualization
o Limited IIS - static content only
o Task manager
Not included:
o No GUI

Re:It Blows

Wow, Twitter. This is content-free, even by your low standards. I'll bet you were pissing yourself laughing as you posted this, though. Hey, whatever gets you through, right?

Re:Router ACL= Firewall

[garbletext]

650GB of what ? ASCII text or gzip ?

Silly boy; They use CABs.

link

Windows Genuine Advantage Servers Out
http://it.slashdot.org/article.pl?sid=07/08/25/1819248

Nothing about a breakin though.

J

URL Not Working...

[luncheon]

Here, fixed that for you: http://www.networkmirror.com/EVCMz0uDTZ3L1XPV/blogs.technet.com/jeffa36/archive/2007/12/13/microsoft-com-what-s-the-story.aspx.html Enjoy! :)

Re:It Blows

[gormanly]

Um, you must be new here. Every /.er knows that IIS=>59L *

* ERROR_UNEXP_NET_ERR

Re:It Blows

Were you going to say something but instead decided to just flap in the wind?

Re:Bill Gates Behind a Curtain

[Gen.Anti]

The Bill of Oz?

But it's a setup
until you're fed up

Take it easy

[metoor30]

If you use the definition given by Wikipedia of a firewall http://en.wikipedia.org/wiki/Firewall, you will notice that the first generation of firewalls were in fact packet filters. However, as with many words or phrases, definitions change over time. The definition commonly associated with a modern firewall is something more than a simple packet filter like an application layer firewall or stateful filter. For us Linux, Cisco or other old school IT guys, we still refer to a packet filter as a firewall. This person obviously has a more modern, Microsoft, way of thinking of a firewall. That does not give us the right to belittle him and say he does not know what he is talking about. They have a certain level of security, whether you want to call it a firewall or not is your choice. To be perfectly honest, a packet filter is not much with security these days. Most attacks are going to be directed to a certain port to exploit specific software vulnerabilities and these are the attacks that a packet filter cannot handle. A bigger security risk is the fact that they are using unproven software to run their production environment. I personally wouldn't use a new windows OS until, at least, service pack 1 in a production environment. It is always best to wait for software to be proven before it is allowed in a production environment (see Debian GNU/Linux).

Asked to log in before reading a blog? What?

[DrHanser]

Why am I being asked to log in before I read a fucking blog? I've tried both Firefox and Safari now, and both ask me to log in. Even going to the root blog URL redirects me to a login page.

Link broken?

[42forty-two42]

When I go to that link with the bugmenot login, I get:
Not Found: Forum Not Found
The forum you requested does not exist.

Was the article deleted?

Re:Link broken?

[jjMick]

It appears there are three different error messages, possibly depending when the the post is being accessed or depending from the country. The latest error outside of US is: We are currently unable to serve your request We apologize, but an error occurred and your request could not be completed.

Re:Server

[Dare+nMc]

I thought that was the reason Home only supported a single CPU, otherwise it has the power to be a server, so you need Pro.

Does anyone really know if Home now supports multiple core? It seams those laptops default to home, and home shows multiple CPU's. but it sure seams dual core laptops run much faster once upgraded to PRO, where as non duo core seamed little difference.
(could just be my imagination though.)

Re:Server

[Z80xxc!]

Windows XP Home Edition can and always had permitted just as many cores as Windows XP Professional. However, Windows XP Professional is allowed to have to physically separate processors, where as Windows XP Home may only have one. Microsoft claims that Windows XP Professional is "optimized for notebook computers", and implies that Home Edition is not. However, I have never noticed any difference in performance, though the Professional features such as remote desktop, EFS, and the ability to join a domain all make it worthwhile to get XP Pro.

Just as an aside, Windows XP Media Center Edition is actually the exact same in terms of features as Windows XP Professional, and thus can use up to two physical processors. The only difference is that Windows XP MCE can only be joined to a domain during setup or by using a special hack, and of course it has media center components that XP Pro does not have.

Isn't it ironic?

[starrsoft]

We are currently unable to serve your request

We apologize, but an error occurred and your request could not be completed.

This error has been logged. If you have additional information that you believe may have caused this error please report the problem here.

Looks like that 650 GB of logs is going to be bigger today...

Netcraft confirms it!

Netcraft confirms it! Microsoft are running 2008, 2003, 2008, 2003, 2008...

hum ...

[McGiraf]

We are currently unable to serve your request

We apologize, but an error occurred and your request could not be completed.

This error has been logged. If you have additional information that you believe may have caused this error please report the problem here.

"we are currently unable to process your request"

We are currently unable to serve your request
We apologize, but an error occurred and your request could not be completed.

This error has been logged. If you have additional information that you believe may have caused this error please report the problem here.

this is what I get

[sentientbrendan]

when I try to go to their site:

"We are currently unable to serve your request

We apologize, but an error occurred and your request could not be completed.

This error has been logged. If you have additional information that you believe may have caused this error please report the problem here.
"

I think that gives a good demonstration of how they run their site...

Re:this is what I get

[th0ma5]

The Google cache can help here: http://209.85.173.104/search?q=cache:cZIWXV4A-GIJ:blogs.technet.com/jeffa36/archive/2007/12/13/microsoft-com-what-s-the-story.aspx+http://blogs.technet.com/jeffa36/archive/2007/12/13/microsoft-com-what-s-the-story.aspx&hl=en&ct=clnk&cd=1&gl=nz&client=firefox-a

We are currently unable to serve your request

[Captain_Chaos]

We are currently unable to serve your request

Slashdotted. Oh, the many levels of delicious irony...

You are joking, I hope?

[FoamingToad]

Ever used notepad with anything larger than a couple of hundred KB? Absolutely, unforgiveably, awfully slow.

Although I'll agree that Word is probably not the right tool for the job, I'd agree with the other posters that say that to do a job such as this, most of the standard MS-based tools are inadequate.

Disclaimer - I haven't used the Microsoft Logfile Parser which _may_ be better suited to this task, but I do a fair bit of work with large plain-text files in a Windows environment and usually end up using Programmers File Editor or Textpad.

Re:You are joking, I hope?

[JoeZeppy]

Partially - Notepad will handle up to 32 Mb, but yeah, I wouldn't want to try it. I use Textpad myself, and PrimalScript for vbscripting

Can we all agree that if your log files are 800 Mb you should probably think about rotating them more often? And Word wouldn't be my first or second choice for ascii text files. Hell, I'll suck them into Excel if I have to sort them by line before I'd use Word.

What was on this page

If you've ever wondered how microsoft.com uses our technology then read on. I recently came across some good information from the folks over at the Operations team at Microsoft.com. The thread basically talks about how we use IIS, Firewalls and Windows Server 2008. I think as we come up to launch next year it's a really good and quick insight into what they do and how they do it. So enjoy the reading and let me know what you think..Pretend I've asked about how they protect our sites...

At this point we still don't use firewalls for MS.COM sites and don't have any plans on the books to put them in place. Here is the short answer as to why:

1.
We don't handle HBI data so we don't have the need for external logging capabilities. If we did handle HBI, we'd have firewalls.
2.
We have ~650GB/day of IIS logs just for www.microsoft.com and update.microsoft.com (not including the 6GB/hour for each download server). Just IIS logs are a challenge without trying to parse another ~650GB of firewall logs.
3.
5+ years ago, there wasn't a firewall solution that would scale to our needs and this forced us to focus on network, host, and application security. Based on the success of that work, we've not looked further at firewalls even though there are solutions that I believe (haven't tested) would handled the traffic load (our non-download based web traffic alone can be in the 8-9 Gbps range and ~30 total for internal hosted traffic).
4.
We also used NLB for load balancing exclusively up until July 2006 and the micro segmentation of networks required by that solution made firewalls an expensive and very complex solution. Again, especially at the scalability that used to be available.
5.
Application security is critical since a firewall is likely going to allow traffic on the correct port and protocol through to the web servers so IIS/ASP.NET/Applications must deal with these requests gracefully. I realize there are other options/features of firewalls/IPS that provide other options.

In terms of how we protect the sites, we utilize (starting at the outside edge of the network and working in):

1.
Cisco Guards for DoS detection and automated response
2.
Router ACLs are in place to block unnecessary ports
3.
NetScalers for www.microsoft.com and MSDN/TechNet (NLB still for update.microsoft.com) and those also provide DoS protection inherently as well as providing a few other knobs we can turn when required.
4.
Windows and IIS...rock solid and secure! www.microsoft.com is on Windows Server 2008/IIS7, MSDN/TechNet are migrating to Win2k8/IIS7, and update.microsoft.com is on Windows Server 2003/IIS6. We do all the normal shut-off-unused-services practices that line up with MS published security guidance and we utilize GFS images to ensure standardized builds of systems.
5.
Automated Netmon/Perfmon captures for attack analysis on NLB systems when SYN floods occur (event trigger). We've not yet done this for NetScaler systems, but we are noodling on how in our copious spare time :).
6.
We do run AV on our servers when we can. At times product adoption means we don't install it, but we do normally run AV.
7.
Application security as mentioned. ACE is ver

We are currently unable to serve your request

[sjames]

We apologize, but an error occurred and your request could not be completed.
This error has been logged. If you have additional information that you believe may have caused this error please report the problem here.

The above is what I get when I try to RTFA. I guess that tells me all I need to know!

Re:It Blows

[Barryke]

Allow me:

• We are currently unable to serve your request
  
  We apologize, but an error occurred and your request could not be completed.
  
  This error has been logged. If you have additional information that you believe may have caused this error please report the problem here.

How appropriate seen articles subject.
Hah.

Post deleted

[rob1n1]

The article seems to have been deleted -- everything else works, except it can't find that article. Google Cache works, though. http://209.85.173.104/search?q=cache:cZIWXV4A-GIJ:blogs.technet.com/jeffa36/archive/2007/12/13/microsoft-com-what-s-the-story.aspx+http://blogs.technet.com/jeffa36/archive/2007/12/13/microsoft-com-what-s-the-story.aspx&hl=en&ct=clnk&cd=1&gl=nz&client=firefox-a

Re:Post deleted

Funny, I just assumed the whole thing was a gag when I got that error message. Thanks for the link.

Will agree with you

[FoamingToad]

on the second point at least partially, although I suspect the line count would be problematic - once you're going to that sort of volume for logfiles and have Office installed, it's probably time to look at brewing your own routines using VBA. Quick and dirty for the win.

Never heard of PrimalScript before - will check it out. Thanks for the mention.

N.B. Who else measures files in megabits? Weird ;-)