Slashdot Mirror
The Setup Behind Microsoft.com
Toreo asesino writes "Jeff Alexander gives an insight into how Microsoft runs its main sites. Interesting details include having no firewall, having to manage 650 GB of IIS logs every day, and the use of their yet unreleased Windows Server 2008 in a production environment.
Vista was never meant as a server. Same as XP isn't used as a server, it's Server 2003.
Of course they have a firewall, just watch the difference between a tcptraceroute to a public port (like 80) and tcptraceroute to the same ip but some other port (like 110 pop3 for example). You'll see that packets get dropped at some point indicating a firewall. It's not a RST (port closed) it's just dropping packets for nonpublic services. That is a packet filtering firewall.
from the article:
:-).
"...At this point we still don't use firewalls for MS.COM..."
and then
"Router ACLs are in place to block unnecessary ports"
blocking unnecessary ports is a firewall feature (IMHO ?)
Anyway it looks quite impressive. I still don't understand how to handle 650 GB of logs
Funny, but you're wrong. Pro is for networking enviorments where you need RDP, policies, ability to join a domain, file encryption, etc. Home lacks these.
Gone!
You realize that Win2k3 does turn off most services by default, and Win2k8 takes this even further by not installing them at all.
Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?
Link, please?
No, the pro version is more intended toward business users. Not servers, but the sort of thing workers have on their desktop. That's why it has tunings for corporate networks and ACLs and quotas and such.
You can debate the drawbacks and benefits of having so many versions, but XP was never intended to be a substantial server.
No, professional versions offer business-required desktop features that are stripped out of the home version. If it mirrors XP, this would include things like the ability to manage security for accounts on a per-file level.
But it's not intended for servers, either on Vista or XP, as the GP said.
Large scale log processing isn't hard if you have the right tools. :)
MS was (and maybe still is) outsourcing web page caching to Akamai, which is using Linux servers.
Developers: We can use your help.
don't forget the whole slough of Linux servers that they use through Akamai to handle the bandwidth;
it's one reason why why doing a lookup on Microsoft servers, it often shows that they are running Linux. It's also another reason why people point out that Linux is more scalable because even Microsoft can't eat it's own dogfood.
1. The asshat highlights they use no firewall, and yet buried deeper in the article is this "Router ACLs are in place to block unnecessary ports" That's the functional equivalent of a firewall.
2. I get into discussions where tech guys spew traffic numbers and I'm never impressed. It creates issues if you want to actually do something with the data which I doubt they do much beyond running the usual marketing metrics. Until you actually shoot for 99.99 service uptime, you begin to comprehend the challenge it is (on any platform) the traffic itself is not the challenge.
3. I'm very interested in reading what their hardware budget is like. I get excellent performance out of Linux compared to server 2003 boxes on similar compaq dl380's.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
The distinction between port filtering + ACLs and today's notion of "firewall" that's actually useful is of a stateful firewall, doing stateful packet inspection, with policies based on not just the packet you're picking a TCP header out of. If you tried to sell a stateless filter as a "firewall" today, you'd be laughed out of the market.
And no, I don't see any need to firewall a web farm either.
Done with slashdot, done with nerds, getting a life.
GFS: Global Foundation Services. Microsoft's big internal network management thing. It's the people who keep the servers up and running for everything facing outward.
,Passport accounts, etc.
HBI: High Business Impact. Social Security numbers
NLB: Network Load Balancer.
AV: AntiVirus.
DoS: Denial of Service
IIS: Internet Information Services. 'httpd' for Windows.
I can't vel (BTW, on an related note, burden of proof is on the person who makes the claim. This follows by necessity from the impossibility of proving a negative.)
What's purple and commutes? An Abelian grape.
Not complaining in TFA, but this is /. -- I just anticipated the howls of the unwashed hordes rightfully bitching about yet another "professional" OS with a markedly unprofessional Teletubbies UI which certainly isn't ready for market yet, all while ignoring MS' internal dogfood consumption. I'll bet if enough Microsofties had eaten Office dogfood you could shut off that fucking control-click "Research" panel easily.
:)
Nevermind that the UI for 2008 is roughly the same as 2003, only with a more extensive (yet still looking clean and fairly spartan with the eyecandy) set of configuration utilities for roles and features. Just wish I could say the same for the control panel.
As for the 'research' panel... okay, I work here at microsoft, and I own my own copies of office at home, and I have no idea what that is. Of course, I'm hardly an office power user.
You can bet your bottom dollar that office 2007 is all that's in use around most of the company. As is vista, although it tends to be a mixture of vista, xp and 2003/2008 in most offices, usually for a variety of legacy reasons (maintenance of older projects, testing, etc)
I've got all but XP myself, but only because I haven't needed it to do my job.
Home has the rdp *client* of course, so you can connect out, but not the rdp *server*. Pro also ships with IIS as an optional installable extra, which Home lacks.
It's official. Most of you are morons.
Well, first I said "most." Second, it's possible he wrote incorrectly. He might mean "we only run required services."
But don't believe me though, go install Server 2003 R2 yourself. IIS either isn't installed unless you specify, or it comes locked down to server ONLY static content. (I know that latter part is the default IIS setup, because I had to go turn everything I needed on).
NT4, and win2K both had "Workstation" and "Server" versions. Windows XP had "Home" and "Pro". So it's understandable that you might assume that workstation equates to home, and server equates to pro. However, in actuality, "Pro" is closest to "Workstation", and "Home" is really more of a "Workstation lite", with a lot of the workstation features disabled. Win2K3 is the closest thing to a "XP Server" release that ever came to be -- although it's really not related to XP at all.
Erm.... nmap always reported the webserver as being IIS, because the nature of Akamai's service is that the webserver reports itself as being whatever's really running on the other side of their network.
The thing that causes the confusion is if you do an nmap -O, and it guesses the host operating system to be Linux despite running IIS on the web server.
I'm actually out of words at this point.
Wow. I'm impressed. Each of these links either are: a) really old, before Windows 2003 Server even existed, or b) about exploits in the DotNetNuke software and not specifically IIS. Troll, FUD, Flamebait, eh? So which one are you guilty of?
Quit jabbering on the phone while driving. You are not that important.
Akami forwards the header strings from whatever httpd the Akami network is caching/fronting for.
http://news.netcraft.com/archives/2003/08/17/wwwmicrosoftcom_runs_linux_up_to_a_point_.html
it's actually 650GB compressed. around 10 TB uncompressed.
Logging in fixed format is not more efficient than variable format text files (unless we're talking about transactions but we're not). Let's assume you're logging the basics: IP address, Timestamp, Return code, URI and we'll look at logging in fixed format then variable format.
Every record will require 63 bytes and we'll round up to 64 for proper word alignment). So, if we log 1000 messages, we will consume 64,000 bytes total.
Ok. Now for text logging with space delimiters. We have 3 options below, each requiring slightly less space than the previous. We'll run totals for each.
16 + 15 + 2 + 50 + 1 = 84 bytes * 1000 = 84,000 bytes
16 + 11 + 2 + 50 + 1 = 80 bytes * 1000 = 80,000 bytes
12 + 10 + 1 + 50 + 1 = 74 bytes * 1000 = 74,000 bytes
Wow. Fixed binary format kicks variable text format's ass. Wrong. This assumes the URI (or message) block will always occupy 50 bytes. It will not. Let's go right down the middle and assume it averages 25 bytes and we'll recalculate.
16 + 15 + 2 + 25 + 1 = 59 bytes * 1000 = 59,000 bytes
16 + 11 + 2 + 25 + 1 = 55 bytes * 1000 = 55,000 bytes
12 + 10 + 1 + 25 + 1 = 49 bytes * 1000 = 49,000 bytes
Variable text format almost always beats fixed binary format for logging. That's why Microsoft (and the rest of the world) stores log files as text. Plus, it's far easier to manage and debug when you can slice and dice the files with standard command line tools.
One more thing. I know what you might be thinking. We're logging URLS, which will probably consume the majority of the 50 byte allotment. Most developers will calculate an average width size and double it, so no matter what we'll still be filling about 50% of the message section.
Last point. If I were to use your example, the savings with text logging would even be greater. 2 URLS would be stored, both consuming about 50% of their data block. IP address, timestamp, URI, Referrer URI, Return Code. There's also a bunch of other little optimizations you can do such as storing the domain, year, month, and day in the filename rather than in the data or dropping the least significant byte in the HTTP return code.
Camping on quad since 1996.
No, because you'd have to go to considerable effort to configure it in such a way that what you say would actually happen. Hell, even my Windows Server 2003 machine is still running stable and virus/spyware free after about five years (or so).
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Firewall is not an synonym for stateful filter like you imply later on in this thread. For some data to support my statement, the firewall entry at wikipedia says:
"A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules."
It then goes on to mention classify firewalls into first, second and third generation ( the first being what you called "Port blocking" ).
In retrospect IPHBT. Oh well.
I am a lawyer and this constitutes legal advice and I shall indemnify you against any losses arising from taking it.
Actually, when you first boot Windows Server it pops up with the "Configure Your Server" page, and an extra note that until you've set up roles on it, nothing will work. As in, it hasn't started IIS, it hasn't started AD, it hasn't even started Terminal Services. And until you've picked which ones you want to run, it wont even allow inbound connections whatsoever!
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Here, fixed that for you: http://www.networkmirror.com/EVCMz0uDTZ3L1XPV/blogs.technet.com/jeffa36/archive/2007/12/13/microsoft-com-what-s-the-story.aspx.html Enjoy! :)