Slashdot Mirror


The Setup Behind Microsoft.com

Toreo asesino writes "Jeff Alexander gives an insight into how Microsoft runs its main sites. Interesting details include having no firewall, having to manage 650 GB of IIS logs every day, and the use of their yet unreleased Windows Server 2008 in a production environment."

20 of 412 comments

  1. Microsoft brainwashing by morgan_greywolf · · Score: 2, Insightful

    "Windows and IIS...rock solid and secure! www.microsoft.com is on Windows Server 2008/IIS7, MSDN/TechNet are migrating to Win2k8/IIS7, and update.microsoft.com is on Windows Server 2003/IIS6. We do all the normal shut-off-unused-services practices that line up with MS published security guidance and we utilize GFS images to ensure standardized builds of systems."

    This guy is brainwashed. There should be no unused services turned on by default! Admins shouldn't have to shut off unused services -- they shouldn't be enabled unless necessary. Also, rock solid and secure? Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

    1. Re:Microsoft brainwashing by bigstrat2003 · · Score: 2, Insightful

      You know, I resent the way people crow whenever Microsoft uses anything that isn't a Microsoft product. You know what? That means they have competent IT professionals working for them, who are objective and recognize what the best tool for a particular job is. Seriously, we should respect them for that, not trumpet it like it's something to be laughed at.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    2. Re:Microsoft brainwashing by truthsearch · · Score: 2, Insightful

      I would agree, if only Microsoft didn't try to brand Linux and open source as evil. If their "Get the Facts" campaign showed Linux' strengths alongside Windows', instead of being one-sided propaganda, then we'd applaud them. But you can't call open source a cancer while using it without getting ridiculed.

  2. Eating dogfood is good by ReallyEvilCanine · · Score: 5, Insightful

    How can anyone complain that they're running Server 2008? My company's software quality dropped considerably when we stopped eating our own dogfood two years ago. When techs, engineers and everyone else is stuck with the same problems as the future end-users, shit gets fixed a lot faster and a lot better.

    1. Re:Eating dogfood is good by iroll · · Score: 2, Insightful

      People are complaining?

      ((rereading thread))

      Care to point that out? I'd say most people would be happy that they are using their own product in a critical environment.

      --
      Repetition does not transform a lie into the truth. - FDR
  3. Not a firewall, but... by VxSote · · Score: 2, Insightful

    FTA: "Router ACLs are in place to block unnecessary ports" While that might not provide SPI and other benefits of a true firewall, it's still a hell of a lot different than plugging a box into a wide open connection.

  4. Re:Supporting by plague3106 · · Score: 5, Insightful

    How many times have you seen the microsoft.com website down / hacked?

  5. Re:Supporting by outZider · · Score: 4, Insightful

    Reliability in numbers. If you have 30 machines running your website, no one will notice if one goes down.

    --
    - oZ
    // i am here.
  6. Re:Beta in production environment. by ByOhTek · · Score: 3, Insightful

    Windows Server 2008 is (or rather, will be) effectively "Windows Vista Server Edition", just as Windows Server 2003 is effectively "Windows XP Server Edition".

    --
    Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
  7. Re:Priceless... by BytePusher · · Score: 3, Insightful

    It's called Alpha testing in this case. It's good marketing on their part to say, "We're so sure our software is good we use our pre-Beta software in a production environment." Never mind the fact that they have Server 2003 waiting ready to take over when their 2008 server horks itself.

  8. Perhaps the only ones who can do it "right" by teebob21 · · Score: 5, Insightful

    Let's set aside the natural urge to bash MS into oblivion. Let's (just for now) ignore conventional advice about network security and firewall use. Now, not only are these guys a Microsoft shop...they ARE Microsoft. MS claims their software is stable and secure. Perhaps it is -- when was the last time microsoft.com was taken down by malevolent hackers?

    That said, with their closed source and closed-doors policy to revealing details about the inner workings of the OS, _Microsoft_ may be the only company that can successfully deploy a 100% Microsoft powered solution. How many registry changes, service daemon modifications, and other tweaks have been made to get their config running this way? The world may never know. It's probably impossible for the consumer world to ever have that level of knowledge about the Windows environment, and thus run it at peak security levels. For most consumers and businesses, a Linux OS with properly implemented firewalls is much more secure than an out-of-the-box Windows deployment and router ACLs.

    --
    khasim (12/9/06): In a blind taste test, more people preferred Coke over the Pepsi that I had previously pissed in.
  9. Re:HBI? by SpaFF · · Score: 3, Insightful

    I was assuming he meant Host Based Intrusion.

    --
    -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
  10. Re:Microsoft and logs do not compute by Crane+Style · · Score: 4, Insightful

    Isn't that just you announcing you're ignorant of which tools to use? Are you that kid in gym class that was always trying to put his shoes back on without untying them? Rather than take the seconds to untie/re-tie, he'd stomp himself around the locker room for minutes until they fit right. Oh and, how long would it take you to create and print a tri-fold pamphlet using sed? Perhaps you're the problem, not the app.

  11. Re:Firewall Schmirewall by morgan_greywolf · · Score: 3, Insightful

    Using router ACLs to block ports is pretty much the same thing as using iptables on Linux to filter ports. So, IOW, yes, blocking unnecessary ports on a router means that the router is a firewall. Something is filtering packets and even if it's called a router and not a firewall, that's the function it is serving.

    If it walks like a duck and quacks like a duck...

  12. But generally.. by Junta · · Score: 5, Insightful

    "Router ACLs are in place to block unnecessary ports"
    "Cisco Guards for DoS detection and automated response"

    In other words, they don't use firewalling where you have administrator defined rules to control traffic flow, they use networking equipment that accepts administrator defined rules to control traffic flow .... totally different..

    What in the world do *you* perceive the difference being between a 'firewall' and a router blocking ports based on source and destination being compared with a set of rules (aka ACLs)? Generally, firewall rules *can* get more complex than that, but mere port blocking by an intermediate router has been considered a firewall, even if it doesn't log violating or accepted packets, even if it doesn't have complex rules about connection state. Even if it doesn't have the word 'firewall' emblazoned on the chassis somewhere.
    --
    XML is like violence. If it doesn't solve the problem, use more.
  13. Dufus indeed... by Junta · · Score: 2, Insightful

    In order to apply the 'ACLs' they describe, they *have* to inspect the packets, by definition. They may only compare a relatively small number of fields (src ip, dst ip, make sure it is a TCP packet *and* the destination port is 80). They might not make use of any logging or stateful inspection (then again, stateful may add next to nothing, so long as they don't need to contact external servers for any updates), but that doesn't mean they can get away with saying 'look, no firewall!' All he's saying is that port 80 (and maybe a few other hand selected ones) are 'wide open' (except something else blocks DoS for them even on those ports). Honestly, I doubt you'll find many public web services that put a more restrictive 'firewall' than MS just confessed to having in an article where they declare 'no firewall!'

    --
    XML is like violence. If it doesn't solve the problem, use more.
  14. Re:Firewall Schmirewall by AK+Marc · · Score: 5, Insightful

    Actually you're wrong. They're blocking ports. Port blocking != firewall.

    Ah, the little children. Do you know what the first firewalls were? Routers with access lists. Anything that blocks anything from going to one place from another is a firewall. Port blocking is a firewall, and there exists no firewall I know of that can't be configured to do nothing other than port blocking. You don't have to inspect packets, track flows, or any of those other things to be a firewall, all you have to do is offer some means of restricting traffic. And blocking ports does that.
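
The comments above (12 through 14) argue over whether a router ACL that matches on addresses, protocol and port is a firewall, and what "stateful inspection" would add on top of it. The following is an added example, not code from the article or from any of the commenters: a toy model of a stateless extended ACL of the kind the article implies (permit tcp to the web host on port 80, permit return traffic via an `established`-style check on the ACK/RST bits, deny everything else) next to a minimal stateful filter that only admits inbound packets belonging to a connection it has seen opened. The addresses and packets are constructed (RFC 5737 documentation ranges), and the flag-matching semantics are a simplification of how real router ACLs work.

```python
"""Stateless router ACL vs. a minimal stateful filter, run over constructed packets.

Added example; the hosts, ports and packets below are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Assumed address of the protected web host (RFC 5737 documentation range).
WEB_SERVER = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flag names, e.g. frozenset({"SYN"})


def stateless_acl(pkt: Packet) -> bool:
    """Router ACL with no connection memory. In Cisco IOS terms roughly:
         permit tcp any host 192.0.2.10 eq 80
         permit tcp any any established
         deny ip any any
    The 'established' keyword looks only at header bits (ACK or RST set); it
    cannot know whether a matching connection actually exists."""
    if pkt.dst == WEB_SERVER and pkt.dport == 80:
        return True
    if pkt.flags & {"ACK", "RST"}:
        return True
    return False


class StatefulFilter:
    """Admits inbound packets only if they open an allowed service or belong
    to a flow already recorded (outbound from the server, or an accepted
    inbound connection to port 80)."""

    def __init__(self) -> None:
        # Flow key is always (remote_ip, remote_port, server_ip, server_port).
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        """Server-originated packet: remember the flow so replies are admitted."""
        self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.dst == WEB_SERVER and pkt.dport == 80 and "SYN" in pkt.flags:
            self.flows.add(key)  # new, permitted connection to the web service
            return True
        return key in self.flows  # otherwise must belong to a tracked flow


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Return {scenario: (stateless_decision, stateful_decision)}."""
    sf = StatefulFilter()
    results: Dict[str, Tuple[bool, bool]] = {}

    # 1. Ordinary client opening a connection to the web service.
    syn80 = Packet("198.51.100.23", 51000, WEB_SERVER, 80, frozenset({"SYN"}))
    results["syn_to_80"] = (stateless_acl(syn80), sf.inbound(syn80))

    # 2. Attacker probing RDP with a bare ACK (classic ACK scan through a
    #    stateless 'established' rule). Only the ACK bit makes it look like
    #    return traffic; no connection exists.
    ack_scan = Packet("203.0.113.7", 40000, WEB_SERVER, 3389, frozenset({"ACK"}))
    results["ack_scan_to_3389"] = (stateless_acl(ack_scan), sf.inbound(ack_scan))

    # 3. The server fetches something from an external host (e.g. an update
    #    server), then the reply comes back. Both filters should admit it.
    sf.outbound(Packet(WEB_SERVER, 49152, "198.51.100.5", 443, frozenset({"SYN"})))
    reply = Packet("198.51.100.5", 443, WEB_SERVER, 49152, frozenset({"SYN", "ACK"}))
    results["return_synack_443"] = (stateless_acl(reply), sf.inbound(reply))

    # 4. Attacker opening a fresh connection to RDP. Both filters drop it.
    syn3389 = Packet("203.0.113.7", 40001, WEB_SERVER, 3389, frozenset({"SYN"}))
    results["syn_to_3389"] = (stateless_acl(syn3389), sf.inbound(syn3389))

    return results


if __name__ == "__main__":
    for name, (acl, stateful) in compare().items():
        print(f"{name:20s} stateless={'permit' if acl else 'deny':6s} stateful={'permit' if stateful else 'deny'}")
```

Both filters agree on the cases the thread is actually about: traffic to the published service is admitted and unsolicited connection attempts to other ports are dropped, which is the sense in which an ACL-only router is already doing firewall work. The one row where they differ (a bare ACK to a closed port) is what "SPI and other benefits of a true firewall" buys: a stateless `established` rule has to trust the flag bits in the packet, so it leaks a yes/no answer about which ports exist behind it, while the stateful filter drops anything it cannot tie to a connection it saw opened.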

  15. Re:Beta in production environment. by Stormcrow309 · · Score: 2, Insightful

    Actually, I prefer a custom coded OS with a revision testing regimen that would make most developers and system engineers cry and a lack of bells and whistles. But what do I know, I only work in a division that supports life support systems.

    --

    In God we trust, all others require data.

  16. Re:Beta in production environment. by ashridah · · Score: 4, Insightful

    Ok, but is the OS *still* organized like crap? I mean, is C:\Windows still a dumping ground for a bunch of arbitrarily named data files, log files, drivers, and libraries using, for the most part, the old 8.3 naming convention?

    Dude, if you can't hack that right now, how are you dealing with unix instead?

    If any platform's based on a standard of bizarre naming due to space saving stupidity, that's it. Far more so than Windows. In fact, name any mature platform that's based on reasonable standards for its underlying APIs and structure.

    Didn't think you could. While it's true that things like the FHS are helping on the unix side, try telling an oldschool developer like oracle that they need to follow it. They'll laugh. and laugh.

    and laugh.

    Windows is in much the same position. At least .NET has made this significantly less painful, because it was considered ahead of time (it's not much easier to actually manage, but that's the tools more than anything, and just takes a bit of experience.... which unsurprisingly, is what dealing with the idiosyncrasies of the old systems take anyway!)

    ash

  17. Re:Beta in production environment. by misleb · · Score: 5, Insightful

    Dude, if you can't hack that right now, how are you dealing with unix instead?


    Because at least Unix has conventions.

    If any platform's based on a standard of bizarre naming due to space saving stupidity, that's it.


    Really? Ok, let's open up C:\Windows on one of our Windows servers. Hmmm, a folder named "$hf_mig$". I suppose you know what that means or what convention that follows? Or C:\Windows\adam. Kinda looks like it might be some directory tools. Maybe ADAM = Active Directory AdMinistration? What's that doing there anyway? I could keep going down the list. I suppose there is a very good reason why there are .BMP files in C:\Windows? Desktop wallpapers? Come on. I wonder if they're related to the other brilliantly named files such as SET2.tmp and SET3.tmp in that same directory. And don't get me started on the insanity that is C:\Windows\System32. Hardly a single file/folder that doesn't use 8.3 naming. I haven't a clue what half that stuff is doing there.

    In fact, name any mature platform that's based on reasonable standards for its underlying APIs and structure.


    First of all, I was only talking about superficial organization. And if you want to see something nice, have a look at OS X some time. Not only is the System (/System) well organized, but most applications are neatly self contained in /Applications/Some.app. They usually don't spew files all over the place when installed. You know where the term DLL Hell comes from, don't you?

    Didn't think you could. While it's true that things like the FHS are helping on the unix side, try telling an oldschool developer like oracle that they need to follow it. They'll laugh. and laugh.


    I could give fuck-all what Oracle thinks. My Debian systems are very well organized, thank you very much. I don't find desktop wallpapers in /usr/lib. I don't find temporary files for applications in /usr/bin. FreeBSD is even cleaner. The system files never change unless I explicitly do an upgrade. All supplementary software (ports, mostly) goes in /usr/local. With Windows, on the other hand, who knows what strange and wonderful new files I might find dumped in C:\Windows tomorrow. Maybe $hf_mig2$. Which would be version 2.0 of whatever that is, I guess.

    -matthew

    --
    "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death