Slashdot Mirror


The Setup Behind Microsoft.com

Toreo asesino writes "Jeff Alexander gives an insight into how Microsoft runs its main sites. Interesting details include having no firewall, having to manage 650 GB of IIS logs every day, and the use of their yet unreleased Windows Server 2008 in a production environment."

86 of 412 comments

  1. Mostly how they run it by Anonymous Coward · · Score: 5, Funny

    is have some crazy sys admins throw chairs around.

    1. Re:Mostly how they run it by Midnight Thunder · · Score: 2, Funny

      Mostly how they run it is have some crazy sys admins throw chairs around.

      I thought that was the QA process. Then again I can imagine Microsoft using chair names as the code names to their products:
          - Cogswell
          - Caquetoire
          - Glastonbury
          - Morris
      And no, I don't know chair names by heart. I am a computer geek, not a chair geek, since that would be Ballmer ;)

      source: http://en.wikipedia.org/wiki/List_of_chairs

      --
      Jumpstart the tartan drive.
    2. Re:Mostly how they run it by ObsessiveMathsFreak · · Score: 3, Funny

      With Microsoft Windows Server 2008, chairs practically throw themselves!

      --
      May the Maths Be with you!
  2. Beta in production environment. by LordSkippy · · Score: 2, Funny

    "Windows Server 2008 in a production environment."

    So even MS has given up on Vista.

    --
    My karma is in a nose dive
    1. Re:Beta in production environment. by EvanED · · Score: 5, Informative

      Vista was never meant as a server. Same as XP isn't used as a server, it's Server 2003.

    2. Re:Beta in production environment. by schnikies79 · · Score: 5, Informative

      Funny, but you're wrong. Pro is for networking environments where you need RDP, policies, the ability to join a domain, file encryption, etc. Home lacks these.

      --
      Gone!
    3. Re:Beta in production environment. by JCSoRocks · · Score: 5, Funny

      'Tis a sad day when the fanbois can't even get their insults right. Shameful.

      --
      You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    4. Re:Beta in production environment. by EvanED · · Score: 3, Informative

      No, the pro version is more intended toward business users. Not servers, but the sort of thing workers have on their desktop. That's why it has tunings for corporate networks and ACLs and quotas and such.

      You can debate the drawbacks and benefits of having so many versions, but XP was never intended to be a substantial server.

    5. Re:Beta in production environment. by ByOhTek · · Score: 3, Insightful

      Windows Server 2008 is (or rather, will be) effectively "Windows Vista Server Edition", just as Windows Server 2003 is effectively "Windows XP Server Edition".

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    6. Re:Beta in production environment. by vtscott · · Score: 5, Funny
      And of course it's already been modded up (at least only as funny). To clarify why the GP is wrong, from the Wikipedia entry on Windows Server 2008:

      Windows Server 2008 introduces most of the new features from Windows Vista to Windows Server. This is a similar relationship to that between Windows Server 2003 and Windows XP.

      Gotta give credit to MS for eating their own dog food...

      Allow incoming connection on port 80? Confirm/deny

    7. Re:Beta in production environment. by Amouth · · Score: 2, Interesting

      I resent that - I personally feel that XP and Server 2003 have next to nothing in common with each other - XP is annoying crap - Server 2003 on the other hand is quite nice and one of the first server implementations I have seen MS push out that I actually look forward to installing on something - because it really does just work. 2008 seems interesting but I am going to hold off migration till 2003 is in the stages to stop receiving updates.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    8. Re:Beta in production environment. by ashridah · · Score: 4, Interesting

      Which we do on a regular basis. Every few weeks I see emails going around from higher-ups asking us to test their team's RC or beta stuff at home for them, and the project I'm working on has been dependent on VS2008 since beta2. Everyone here has their favourite project they like to keep tabs on. I've got longhorn server 2008 running on one of my machines here.

      That said, the choice to use longhorn server in production isn't actually a bad one. It's really, REALLY stable. I keep hearing (from people both inside and outside the company) that it's more stable than 2003 is (and 2003 has the benefits of multiple service packs). It's also a lot more configurable about what it runs, and how much of it it enables when it's installed. I wouldn't bet the entire stable on it, but I'd be willing to put money on it getting a place.

      All in all, it's pretty sweet, if you look at it from the sysadmin perspective. Also, the stuff you can set up when you couple it with Vista is really nice (from a security standpoint, particularly). That said, some of that functionality is being backported to XP with SP3 or whatever.

    9. Re:Beta in production environment. by somersault · · Score: 4, Funny

      Program WinYes! is trying to perform an action on a dialog box. Allow/Deny?

      --
      which is totally what she said
    10. Re:Beta in production environment. by misleb · · Score: 2, Interesting

      Ok, but is the OS *still* organized like crap? I mean, is C:\Windows still a dumping ground for a bunch of arbitrarily named data files, log files, drivers, and libraries using, for the most part, the old 8.3 naming convention?

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    11. Re:Beta in production environment. by Tim C · · Score: 2, Informative

      Home has the rdp *client* of course, so you can connect out, but not the rdp *server*. Pro also ships with IIS as an optional installable extra, which Home lacks.

    12. Re:Beta in production environment. by merreborn · · Score: 2, Informative

      NT4, and win2K both had "Workstation" and "Server" versions. Windows XP had "Home" and "Pro". So it's understandable that you might assume that workstation equates to home, and server equates to pro. However, in actuality, "Pro" is closest to "Workstation", and "Home" is really more of a "Workstation lite", with a lot of the workstation features disabled. Win2K3 is the closest thing to a "XP Server" release that ever came to be -- although it's really not related to XP at all.

    13. Re:Beta in production environment. by Stormcrow309 · · Score: 2, Insightful

      Actually, I prefer a custom coded OS with a revision testing regimen that would make most developers and system engineers cry and a lack of bells and whistles. But what do I know, I only work in a division that supports life support systems.

      --

      In God we trust, all others require data.

    14. Re:Beta in production environment. by Tacvek · · Score: 2, Interesting

      "Home" is really more of a "Workstation lite", with a lot of the workstation features disabled

      Alternately, you can think of "Home" as the successor to Windows ME, with an NT kernel. I'll try to do this schematically (WKS = Workstation, SVR = Server, and some other weird abbreviations used to make the alignment work):

      Wind. 98 --> Wind. ME --> XP Home --> Vista Home
      NT 4 WKS --> 2000 WKS --> XP Prof --> Vista Ultimate
      NT 4 SVR --> 2000 SVR --> SVR 2K3 --> SVR 2008

      In reality, things are a lot more complicated, because there are other editions, Win 2K Advanced Server, x64 editions, and God knows how many variants of Vista. (Maybe "Vista Business" is a better fit than "Ultimate" above too.) In addition, a lot of people who were or would have been in the 95/98 line moved to the "Pro" line for XP. But, for most people, things probably progressed as indicated.

      While that is more or less true, consider that there are really only three main OS codebases in Microsoft now. Windows NT (non-server; the current offering is various forms of Vista, as well as XP until they discontinue it). Windows Server (a very close relative to the NT series, but optimized for server environments and multi-processor usage). Those two code bases are close enough that they share binaries (when on the same architecture) and they could even be used for the opposite purposes with only minor difficulty.

      However, the Windows CE codebase is a bit different. It is still distinctly Windows, but executable compatibility with the NT series is rare. (That is due in large part to the fact that most CE devices seem to be platforms other than x86.) Interestingly, it is possible to create .NET apps that run under CE and modern NT. Since the desktop Framework is largely a superset of the Compact Framework, the desktop assemblies get used, so code using only the .NET Compact Framework and no CE-specific assemblies will run just fine on a desktop system.

      Now you may notice that there are also some special sub-codebases. For example there is the NT Embedded codebase (seen as Windows XP Embedded), and the NT PE versions

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    15. Re:Beta in production environment. by ashridah · · Score: 4, Insightful

      Ok, but is the OS *still* organized like crap? I mean, is C:\Windows still a dumping ground for a bunch of arbitrarily named data files, log files, drivers, and libraries using, for the most part, the old 8.3 naming convention?

      Dude, if you can't hack that right now, how are you dealing with unix instead?

      If any platform's based on a standard of bizarre naming due to space-saving stupidity, that's it. Far more so than Windows. In fact, name any mature platform that's based on reasonable standards for its underlying APIs and structure.

      Didn't think you could. While it's true that things like the FHS are helping on the unix side, try telling an old-school developer like Oracle that they need to follow it. They'll laugh. and laugh.

      and laugh.

      Windows is in much the same position. At least .NET has made this significantly less painful, because it was considered ahead of time (it's not much easier to actually manage, but that's the tools more than anything, and just takes a bit of experience.... which unsurprisingly, is what dealing with the idiosyncrasies of the old systems takes anyway!)

      ash

    16. Re:Beta in production environment. by misleb · · Score: 5, Insightful

      Dude, if you can't hack that right now, how are you dealing with unix instead?

      Because at least Unix has conventions.

      If any platform's based on a standard of bizarre naming due to space saving stupidity, that's it.

      Really? Ok, let's open up C:\Windows on one of our Windows servers. Hmmm, a folder named "$hf_mig$". I suppose you know what that means or what convention that follows? Or C:\Windows\adam. Kinda looks like it might be some directory tools. Maybe ADAM = Active Directory AdMinistration? What's that doing there anyway? I could keep going down the list. I suppose there is a very good reason why there are .BMP files in C:\Windows? Desktop wallpapers? Come on. I wonder if they're related to the other brilliantly named files such as SET2.tmp and SET3.tmp in that same directory. And don't get me started on the insanity that is C:\Windows\System32. Hardly a single file/folder that doesn't use 8.3 naming. I haven't a clue what half that stuff is doing there.

      Infact, name any mature platform that's based on reasonable standards for it's underlying API's and structure.

      First of all, I was only talking about superficial organization. And if you want to see something nice, have a look at OS X some time. Not only is the System (/System) well organized, but most applications are neatly self-contained in /Applications/Some.app. They usually don't spew files all over the place when installed. You know where the term DLL Hell comes from, don't you?

      Didn't think you could. While it's true that things like the FHS are helping on the unix side, try telling an oldschool developer like oracle that they need to follow it. They'll laugh. and laugh.

      I could give fuck-all what Oracle thinks. My Debian systems are very well organized, thank you very much. I don't find desktop wallpapers in /usr/lib. I don't find temporary files for applications in /usr/bin. FreeBSD is even cleaner. The system files never change unless I explicitly do an upgrade. All supplementary software (ports, mostly) goes in /usr/local. With Windows, on the other hand, who knows what strange and wonderful new files I might find dumped in C:\Windows tomorrow. Maybe $hf_mig2$. Which would be version 2.0 of whatever that is, I guess.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    17. Re:Beta in production environment. by ashridah · · Score: 4, Interesting

      Because at least Unix has conventions.

      Conventions are a nice way of saying "that's the way it's always been, so that's the way it stays." Windows has similar problems left over from legacy, going all the way back to CP/M. Yes, this sucks, but so do some conventions in unixland. Just ask a Solaris 10 admin how much it sucks when your upstream vendor breaks decades-long convention.

      Really? Ok, let's open up C:\Windows on one of our Windows servers. Hmmm, a folder named "$hf_mig$". I suppose you know what that means or what convention that follows? Or C:\Windows\adam. Kinda looks like it might be some directory tools. Maybe ADAM = Active Directory AdMinistration? What's that doing there anyway? I could keep going down the list. I suppose there is a very good reason why there are .BMP files in C:\Windows? Desktop wallpapers? Come on. I wonder if they're related to the other brilliantly named files such as SET2.tmp and SET3.tmp in that same directory. And don't get me started on the insanity that is C:\Windows\System32. Hardly a single file/folder that doesn't use 8.3 naming. I haven't a clue what half that stuff is doing there.

      You're not looking in the right place. Microsoft, love it or hate it, worked out a long time ago that 'filename' and 'metadata' aren't necessarily the same thing. The filename and path are just handy locational indexes, and don't necessarily need to mean *anything*. Sure, a DLL can, and often, for newer stuff, IS far longer than 8.3, but it wasn't until later versions of NT (3.5/4.0, I don't remember my history too well) that support for it kicked in well enough, and there's some legacy stuff around. You don't break legacy just because it's fun. Microsoft gets this right, even if they had to tread over it a fair bit in vista, and add some nasty hacks to deal with most of the fallout.

      Anyway, as I was saying, you're not looking in the right place. Case study: C:\windows\system32\apss.dll: Microsoft(r) InfoTech Storage System Library.
      Problem solved. (It's not at all difficult to use something like PowerShell (or possibly other tools) to just print this out in a souped-up version of ls with a little scripting, I might add, just like I can do a few similar scripting tricks on my Debian system to tell you who owns the copyright to 90% of .so's in /usr/lib.)

      Want another one?

      c:\windows\System32\bitsigd.dll: Background Intelligent Transfer Service IGD Support

      Oh look, another one, fully named.

      Of course, this starts to fall down when the file doesn't contain metadata, but that's a problem for, say, XML schema files in /usr/share/ on linux too. The organisation might be a bit better, but not by much. The saving grace there is that I have dpkg to work shit out for me. .NET goes even further. You can register as many different versions of a namespace as you like, and .NET will do the mapping for you if you request a specific version.

      First of all, I was only talking about superficial organization. And if you want to see something nice, have a look at OS X some time. Not only is the System (/System) well organized, but most applications are neatly self contained in /Applications/Some.app. They usually don't spew files all over the place when installed. You know where the term DLL Hell comes from, don't you?

      Yes. I do. .NET does a good job of solving this quite nicely. Adds public/private keys into the mix too, plus a bunch of other mechanisms. .NET isn't just for C# either. It deals with VB, C++, and (ahahahha) J# too.
      I will admit that the mac platform is neatly arranged, but their QA seems to have gone to the toilet right now. A place that windows' QA has emerged from rather nicely, I should mention.

      As for random stuff appearing in random places, try dealing with commercial software. Even on linux, the developers will put shit in strange places. Open

    18. Re:Beta in production environment. by misleb · · Score: 2, Interesting

      You're not looking in the right place. Microsoft, love it or hate it, worked out a long time ago that 'filename' and 'metadata' aren't necessarily the same thing. The filename and path are just handy locational indexes, and don't necessarily need to mean *anything*.

      But you can have both... Metadata and reasonably named "locational indexes". Is it so strange to think that people, particularly administrators, might want to have some idea what a file does and why it is there just by noting its "locational index"? I see this as a significant flaw in the design of Windows. And then there is the Registry, of course. Who would have guessed that users might actually want/need to edit it manually. Certainly not Microsoft. That is just poor planning on their part and I won't excuse it.

      You don't break legacy just because it's fun. Microsoft gets this right, even if they had to tread over it a fair bit in vista, and add some nasty hacks to deal with most of the fallout.

      You can break legacy. It isn't fun, but it doesn't have to be disastrous either. Apple did it with OS X. And then they did it again when moving from PPC to x86. The only reason Microsoft can't do it is because they've got so much inertia. And it will be their downfall. Though it would probably help if Microsoft didn't wait 4-5 years between major releases (more granular change). Even if Microsoft did want to break legacy, everyone has gotten so used to the old flaws that they can't change. Vista might well be awesome. But the reality is that many people will still be running XP even 5 years from now. Apple, on the other hand, has gotten people accustomed to significant changes.

      As for random stuff appearing in random places, try dealing with commercial software.

      Fortunately I don't have to much on Linux. I will admit that much of the mess in Windows is as much the fault of developers as it is with Microsoft. But that distribution of responsibility doesn't make using and administering Windows any more pleasant.

      We can't be responsible for what third parties do, however. Neither can Apple (I just *love* dealing with Adobe's software on Apples, btw. Or Zend Developer Framework. mmmhm.) Nor you. Install Maya on Linux sometime. Or Matlab, or something else that you can't fuck with the organisational structure of, because the licensing server would crack the shits.

      Indeed, Adobe does make a mess out of a Mac, that is for sure. Fortunately, the majority of applications I use on the Mac just drop right into /Applications without having to run installers or uninstallers or worry about random libraries and temp files showing up in /System/Library. Apple has done a MUCH better job of encouraging reasonable software design... at least as far as logical distribution of application data. Microsoft could learn a lot from Apple, methinks.

      -matthew

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
  3. Firewall Schmirewall by mrtroy · · Score: 5, Funny

    No firewall? Of course not!

    Microsoft servers are notorious for their invulnerability.

    --
    [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
    1. Re:Firewall Schmirewall by great_snoopy · · Score: 5, Informative

      Of course they have a firewall, just watch the difference between a tcptraceroute to a public port (like 80) and tcptraceroute to the same ip but some other port (like 110 pop3 for example). You'll see that packets get dropped at some point indicating a firewall. It's not a RST (port closed) it's just dropping packets for nonpublic services. That is a packet filtering firewall.

    2. Re:Firewall Schmirewall by oliderid · · Score: 4, Informative

      From the article:
      "...At this point we still don't use firewalls for MS.COM..."

      and then

      "Router ACLs are in place to block unnecessary ports"

      Blocking unnecessary ports is a firewall feature (IMHO?)

      Anyway it looks quite impressive. I still don't understand how to handle 650 GB of logs :-).

    3. Re:Firewall Schmirewall by MstrFool · · Score: 4, Funny

      Well, remember the story a while back about MS using Linux for some things? I think we just found where they use it. Storing their logs in /dev/nul is the most likely way they deal with 650 GB of logs.

      --
      Question reality.
    4. Re:Firewall Schmirewall by allenw · · Score: 3, Informative

      Large scale log processing isn't hard if you have the right tools. :)

    5. Re:Firewall Schmirewall by Anonymous Coward · · Score: 3, Interesting

      Anyway it looks quite impressive. I still don't understand how to handle 650 GB of logs :-).

      My question is why are the logs in ASCII text format? When all you want is say the IP [4 bytes], time of day [4 bytes], URI, referrer and return code [do you really care about their browser strings? You are MS after all, just assume it's IE].

      Storing an IP as text requires on average 15 bytes, so right there you can shave off 11 bytes with a binary IP. Time of day is worse, a date+time string is like 25 chars. Doesn't seem like much, but multiply the 32 bytes per entry you save by say 50 million hits and that's 1.5Gbyte you saved. That's not counting the white space you can remove, and a simple huffman code you could apply to the URL/referrer.

      Heck, just piping the binary IP/date and ASCII URL/referrer through gzip [or use libz's gzPrintf() etc...] could make a large difference as well.

      Point is, bragging about 650GB/day logs is not really impressive when you're "doing it wrong" (tm). That's like bragging about how much you cut your face while shaving.

    6. Re:Firewall Schmirewall by rasputin465 · · Score: 5, Funny

      Storing their logs in /dev/nul is the most likely way they deal with 650 GB of logs.

      Well geez.. in that case I sure hope they do regular backups of /dev/null! ;-)

    7. Re:Firewall Schmirewall by morgan_greywolf · · Score: 3, Insightful

      Using router ACLs to block ports is pretty much the same thing as using iptables on Linux to filter ports. So, IOW, yes, blocking unnecessary ports on a router means that the router is a firewall. Something is filtering packets and even if it's called a router and not a firewall, that's the function it is serving.

      If it walks like a duck and quacks like a duck...

    8. Re:Firewall Schmirewall by Anonymous Coward · · Score: 2, Funny

      "They're blocking ports. Port blocking != firewall."

      So when I write my firewall rules and have the choice to block, drop or pass, the firewall kicks into a non-firewall mode for block?

    9. Re:Firewall Schmirewall by darthnoodles · · Score: 2, Funny

      They do. They write their data to /dev/null, then read it back and put it into an RLE compression scheme. Unfortunately the counter for the RLE keeps rolling over.

    10. Re:Firewall Schmirewall by AK Marc · · Score: 5, Insightful

      Actually you're wrong. They're blocking ports. Port blocking != firewall.

      Ah, the little children. Do you know what the first firewalls were? Routers with access lists. Anything that blocks anything from going to one place from another is a firewall. Port blocking is a firewall, and there exists no firewall I know of that can't be configured to do nothing other than port blocking. You don't have to inspect packets, track flows, or any of those other things to be a firewall, all you have to do is offer some means of restricting traffic. And blocking ports does that.
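
The two technical points in this sub-thread (a filtered port answers with silence while a closed port answers with an RST, and a router ACL that blocks ports is a packet filter) can be checked offline. The following Python script is an added example written for this page, not code from the thread or from Microsoft. It models first-match ACL semantics with an implicit drop at the end of the list, maps each verdict to what the sender observes, and includes a small audit function a defender can run against a policy to list which ports it actually exposes. The `Rule`/`Packet` shapes, the `PUBLIC_ACL` policy, and the addresses (RFC 5737 documentation ranges) are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Hypothetical rule and packet shapes, modelled on first-match router ACL semantics.
@dataclass(frozen=True)
class Rule:
    action: str                          # "permit", "drop" (silent) or "reject" (RST / ICMP unreachable)
    proto: str                           # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[range] = None       # None matches every destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        rule.proto in ("any", pkt.proto)
        and ipaddress.ip_address(pkt.src) in rule.src
        and ipaddress.ip_address(pkt.dst) in rule.dst
        and (rule.dports is None or pkt.dport in rule.dports)
    )

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule decides. A packet that matches nothing hits the implicit drop at the
    end of the list, which is why a probe to a non-public port simply times out at that hop."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"

# What the sender observes for each verdict (the distinction drawn in the thread).
OBSERVED = {
    "permit": "packet reaches the host: SYN/ACK if something listens, RST from the host if not",
    "reject": "active refusal from the filter (RST or ICMP unreachable)",
    "drop":   "nothing comes back; the probe times out at that hop",
}

def exposed_ports(acl: List[Rule], src: str, dst: str, ports: List[int], proto: str = "tcp") -> Set[int]:
    """Defender's check: which of `ports` can `src` reach on `dst` through this ACL?"""
    return {p for p in ports if evaluate(acl, Packet(proto, src, dst, p)) == "permit"}

ANY4 = ipaddress.ip_network("0.0.0.0/0")
WEB_FARM = ipaddress.ip_network("203.0.113.0/24")   # constructed: documentation range standing in for the web servers
MGMT_NET = ipaddress.ip_network("198.51.100.0/24")  # constructed: administrators' network

# Constructed policy: only HTTP/HTTPS are public; admins also get RDP and a fast RST for anything else.
PUBLIC_ACL = [
    Rule("permit", "tcp", ANY4, WEB_FARM, range(80, 81)),
    Rule("permit", "tcp", ANY4, WEB_FARM, range(443, 444)),
    Rule("permit", "tcp", MGMT_NET, WEB_FARM, range(3389, 3390)),
    Rule("reject", "any", MGMT_NET, WEB_FARM),
    # everything else falls through to the implicit drop
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "192.0.2.5", "203.0.113.10", 80),
                Packet("tcp", "192.0.2.5", "203.0.113.10", 110),
                Packet("tcp", "198.51.100.7", "203.0.113.10", 110)):
        verdict = evaluate(PUBLIC_ACL, pkt)
        print(f"{pkt.proto}/{pkt.dport} from {pkt.src}: {verdict} -> {OBSERVED[verdict]}")
    print("public exposure:", sorted(exposed_ports(PUBLIC_ACL, "192.0.2.5", "203.0.113.10", [22, 80, 110, 443, 3389])))
```

Running `exposed_ports` against a candidate ACL before it is deployed is the cheap way to confirm that only the intended services are reachable from the public side; the `reject` rule for the management network is a deliberate design choice so that administrators get an immediate error instead of a hang when they hit a blocked port.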

    11. Re:Firewall Schmirewall by somersault · · Score: 5, Funny

      Inventing some binary format is pointless

      I'm guessing you have no prior experience with Microsoft Office then...

      --
      which is totally what she said
    12. Re:Firewall Schmirewall by mrhandstand · · Score: 2, Funny

      It's the new tape device Native Uniform Linear Loader /dev/null

      --
      Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
    13. Re:Firewall Schmirewall by marcansoft · · Score: 3, Funny

      $ cat /dev/null | gzip - > devnull.gz
      $

      Works fine for me. Are you sure you're not confusing /dev/null with /dev/zero? The latter's a real bitch, it's always too large for my destination drive! Gzip helps though; you can get compression ratios of approximately 2000:1.

    14. Re:Firewall Schmirewall by darthnoodles · · Score: 3, Funny

      Yes I am confusing them. I'm not really a Linux/Unix guy. I'm just pretending.

    15. Re:Firewall Schmirewall by lena_10326 · · Score: 5, Informative

      My question is why are the logs in ASCII text format? When all you want is say the IP [4 bytes], time of day [4 bytes], URI, referrer and return code [do you really care about their browser strings? You are MS after all, just assume it's IE]. Storing an IP as text requires on average 15 bytes, so right there you can shave off 11 bytes with a binary IP. Time of day is worse, a date+time string is like 25 chars. Doesn't seem like much, but multiply the 32 bytes per entry you save by say 50 million hits and that's 1.5Gbyte you saved. That's not counting the white space you can remove, and a simple huffman code you could apply to the URL/referrer.

      Logging in fixed format is not more efficient than variable format text files (unless we're talking about transactions but we're not). Let's assume you're logging the basics: IP address, Timestamp, Return code, URI and we'll look at logging in fixed format then variable format.

      [abcd]   [timestamp] [code]  [URI]
      4 bytes  8 bytes     1 byte  50 bytes (you actually need 2 bytes for HTTP return code, but let's ignore that)

      Every record will require 63 bytes (and we'll round up to 64 for proper word alignment). So, if we log 1000 messages, we will consume 64,000 bytes total.

      Ok. Now for text logging with space delimiters. We have 3 options below, each requiring slightly less space than the previous. We'll run totals for each.

      123.567.890.123 YYYYMMDDHHMMSS x URI...............\n
      16 bytes        15 bytes       2 bytes 50 bytes 1 byte

      123.567.890.123 1197572382 x URI...............\n (UNIX time)
      16 bytes        11 bytes   2 bytes 50 bytes 1 byte

      1235678901231197572382xURI...............\n (UNIX time)
      12 bytes    10 bytes  1 byte 50 bytes 1 byte

      16 + 15 + 2 + 50 + 1 = 84 bytes * 1000 = 84,000 bytes
      16 + 11 + 2 + 50 + 1 = 80 bytes * 1000 = 80,000 bytes
      12 + 10 + 1 + 50 + 1 = 74 bytes * 1000 = 74,000 bytes

      Wow. Fixed binary format kicks variable text format's ass. Wrong. This assumes the URI (or message) block will always occupy 50 bytes. It will not. Let's go right down the middle and assume it averages 25 bytes and we'll recalculate.

      16 + 15 + 2 + 25 + 1 = 59 bytes * 1000 = 59,000 bytes
      16 + 11 + 2 + 25 + 1 = 55 bytes * 1000 = 55,000 bytes
      12 + 10 + 1 + 25 + 1 = 49 bytes * 1000 = 49,000 bytes

      Variable text format almost always beats fixed binary format for logging. That's why Microsoft (and the rest of the world) stores log files as text. Plus, it's far easier to manage and debug when you can slice and dice the files with standard command line tools.

      One more thing. I know what you might be thinking. We're logging URLs, which will probably consume the majority of the 50 byte allotment. Most developers will calculate an average width size and double it, so no matter what we'll still be filling about 50% of the message section.

      Last point. If I were to use your example, the savings with text logging would be even greater. 2 URLs would be stored, both consuming about 50% of their data block. IP address, timestamp, URI, Referrer URI, Return Code. There's also a bunch of other little optimizations you can do such as storing the domain, year, month, and day in the filename rather than in the data or dropping the least significant byte in the HTTP return code.

      --
      Camping on quad since 1996.
    16. Re:Firewall Schmirewall by DeadBeef · · Score: 2, Informative
      Sounds like you just made up some definitions in your head (or worse, follow some other deluded sod's mantra) for some fairly well-worn terminology and then decided to go on a crusade to harass the unbelievers.

      Firewall is not a synonym for stateful filter like you imply later on in this thread. For some data to support my statement, the firewall entry at Wikipedia says:

      "A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules."

      It then goes on to classify firewalls into first, second and third generation (the first being what you called "Port blocking").

      In retrospect IPHBT. Oh well.

      --
      I am a lawyer and this constitutes legal advice and I shall indemnify you against any losses arising from taking it.
    17. Re:Firewall Schmirewall by lena_10326 · · Score: 2, Interesting
      I should have included this in my previous post. A real world example (1Kb for storing a URI path and 2Kb for a full URI) would drive home the point even more. Just for shits and giggles let's do something closer to a real example.

      Fixed binary

      [IP address] [Timestamp] [Method] [Path(/path/to/script.cgi)] [HTTP Version] [Return Code] [Referrer(http://from.domain.com?file.html)]

      4 + 8 + 1 + 1024 + 1 + 2 + 2048 = 3088 bytes * 1000 = 3,088,000 bytes

      Variable text

      [IP address] [Timestamp] [Method] [Path(/path/to/script.cgi)] [HTTP Version] [Return Code] [Referrer(http://from.domain.com?file.html)] [EOL]

      16 + 15 + 5 + 512 + 3 + 3 + 1024 + 1 = 1579 bytes * 1000 = 1,579,000 bytes

      Let's add one more variation: variable length binary records. Maybe that will offer some savings.

      Variable binary format

      [IP address] [Timestamp] [Method] [Path Len] [Path] [HTTP Version] [Return Code] [Referrer Len] [Referrer]

      4 + 8 + 1 + 2 + 512 + 1 + 2 + 2 + 1024 = 1556 bytes * 1000 = 1,556,000 bytes

      Pretty good, some savings over variable text; however, we've now lost the ability to edit, head, tail, or do anything useful with command line tools. Not exactly worth it for a 1% gain. Oh yes, don't forget gzip will compress ASCII text better than binary because it'll drop the 8th bit on every byte, so you'll automatically pick up a built-in 12.5% gain with ASCII files which blows away the 1% gain of variable binary format.

      --
      Camping on quad since 1996.
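
The three record layouts compared in the two posts above (fixed-slot binary, delimited text, and length-prefixed binary) can be measured rather than estimated. The Python script below is an added example written for this page; it is not code from the thread, from IIS, or from Microsoft. It parses a constructed log in the W3C extended format that IIS writes (the `#Fields:` directive and the `-` placeholder for an absent value are part of that format; the four data lines, the hostnames and the RFC 5737 addresses are made up for the illustration), re-encodes each record in the three layouts using the 1024-byte path and 2048-byte referrer slots from the "real world" example, and reports the raw and gzip-compressed totals. The fixed layout also shows the edge case the posts gloss over: a field longer than its slot cannot be stored at all, so the encoder rejects it.

```python
import gzip
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address
from typing import Dict, List

# Constructed sample in the W3C extended format IIS writes (not real microsoft.com traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Referer)
2007-12-13 18:59:42 192.0.2.10 GET /default.aspx 200 http://www.example.com/
2007-12-13 18:59:43 192.0.2.10 GET /images/logo.gif 200 http://www.example.com/default.aspx
2007-12-13 18:59:44 198.51.100.7 GET /en/us/download.aspx 302 -
2007-12-13 18:59:45 203.0.113.99 POST /doesnotexist.htm 404 -
"""

TEXT_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "sc-status", "cs(Referer)"]
METHODS = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"]   # one byte in the binary layouts
PATH_SLOT, REF_SLOT = 1024, 2048   # the fixed slot sizes used in the thread's "real world" example

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                         # other directives (#Software, #Version, #Date) carry no records
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records

def _fixed_header(rec: Dict[str, str]) -> bytes:
    """ip(4) + unix time(8) + method(1) + status(2): the fixed part shared by both binary layouts."""
    ip = IPv4Address(rec["c-ip"]).packed
    when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return struct.pack("!4sQBH", ip, int(when.timestamp()), METHODS.index(rec["cs-method"]), int(rec["sc-status"]))

def _opt(value: str) -> bytes:
    return b"" if value == "-" else value.encode()   # W3C uses "-" for an absent value

def to_text(rec: Dict[str, str]) -> bytes:
    return (" ".join(rec[f] for f in TEXT_FIELDS) + "\n").encode()

def to_fixed_binary(rec: Dict[str, str]) -> bytes:
    path, ref = _opt(rec["cs-uri-stem"]), _opt(rec["cs(Referer)"])
    if len(path) > PATH_SLOT or len(ref) > REF_SLOT:
        raise ValueError("field longer than its fixed slot")   # the edge case a fixed layout cannot absorb
    return _fixed_header(rec) + struct.pack(f"!{PATH_SLOT}s{REF_SLOT}s", path, ref)   # 's' zero-pads the slot

def to_var_binary(rec: Dict[str, str]) -> bytes:
    path, ref = _opt(rec["cs-uri-stem"]), _opt(rec["cs(Referer)"])
    return _fixed_header(rec) + struct.pack("!H", len(path)) + path + struct.pack("!H", len(ref)) + ref

def compare_layouts(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Total bytes for the same records in each layout, raw and gzip-compressed."""
    blobs = {
        "text": b"".join(to_text(r) for r in records),
        "fixed_binary": b"".join(to_fixed_binary(r) for r in records),
        "var_binary": b"".join(to_var_binary(r) for r in records),
    }
    sizes = {name: len(blob) for name, blob in blobs.items()}
    sizes.update({name + "_gz": len(gzip.compress(blob)) for name, blob in blobs.items()})
    return sizes

if __name__ == "__main__":
    for name, size in compare_layouts(parse_w3c(SAMPLE_LOG)).items():
        print(f"{name:>16}: {size} bytes")
```

For the four constructed records the text layout totals 295 bytes, the length-prefixed binary 200 bytes, and the fixed-slot binary 12,348 bytes (3,087 per record regardless of content), which is the ordering the posts argue for: fixed slots pay for the worst case on every line, while text and length-prefixed binary pay only for what was logged. Comparing the `_gz` figures against the raw ones shows how much of the remaining difference compression removes, and the parser is the piece a practitioner actually reuses, since any per-day processing of IIS logs starts by reading the `#Fields:` line rather than assuming a column order.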
  4. Microsoft brainwashing by morgan_greywolf · · Score: 2, Insightful

    Windows and IIS...rock solid and secure!

    www.microsoft.com is on Windows Server 2008/IIS7, MSDN/TechNet are migrating to Win2k8/IIS7, and update.microsoft.com is on Windows Server 2003/IIS6. We do all the normal shut-off-unused-services practices that line up with MS published security guidance and we utilize GFS images to ensure standardized builds of systems.

    This guy is brainwashed. There should be no unused services turned on by default! Admins shouldn't have to shut off unused services -- they shouldn't be enabled unless necessary. Also, rock solid and secure? Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

    1. Re:Microsoft brainwashing by plague3106 · · Score: 4, Informative

      You realize that Win2k3 does turn off most services by default, and Win2k8 takes this even further by not installing them at all.

      Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

      Link, please?

    2. Re:Microsoft brainwashing by SEMW · · Score: 2, Informative

      Wow, you got (Score:3, Insightful) for smugly saying "Link please?"? Here's a link for ya: Google. Learn to look things up for yourself instead of acting like a smug bastard when someone points out the obvious. "Link, please?" used in that context is a shortened form of "I've looked around, and can't find the slightest reference to what you mentioned; but rather than assume that you made it up, I am going to give you the benefit of the doubt and assume that it merely, for whatever reason, wasn't well publicised. Thus, would you care to supply any proof of your claim?"

      I can't vel (BTW, on a related note, burden of proof is on the person who makes the claim. This follows by necessity from the impossibility of proving a negative.)
      --
      What's purple and commutes? An Abelian grape.
    3. Re:Microsoft brainwashing by jez9999 · · Score: 5, Funny

      Uh, didn't I read an article not too long ago about how the update.microsoft.com site was broken into?

      Link, please? http://update.microsoft.com/
    4. Re:Microsoft brainwashing by plague3106 · · Score: 2, Informative

      Well, first I said "most." Second, it's possible he wrote incorrectly. He might mean "we only run required services."

      But don't believe me though, go install Server 2003 R2 yourself. IIS either isn't installed unless you specify, or it comes locked down to serve ONLY static content. (I know that latter part is the default IIS setup, because I had to go turn everything I needed on).

    5. Re:Microsoft brainwashing by jjrockman · · Score: 2, Informative

      Wow. I'm impressed. Each of these links is either: a) really old, before Windows 2003 Server even existed, or b) about exploits in the DotNetNuke software and not specifically IIS. Troll, FUD, Flamebait, eh? So which one are you guilty of?

      --
      Quit jabbering on the phone while driving. You are not that important.
    6. Re:Microsoft brainwashing by Kalriath · · Score: 3, Informative

      Actually, when you first boot Windows Server it pops up with the "Configure Your Server" page, and an extra note that until you've set up roles on it, nothing will work. As in, it hasn't started IIS, it hasn't started AD, it hasn't even started Terminal Services. And until you've picked which ones you want to run, it won't even allow inbound connections whatsoever!

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    7. Re:Microsoft brainwashing by bigstrat2003 · · Score: 2, Insightful

      You know, I resent the way people crow whenever Microsoft uses anything that isn't a Microsoft product. You know what? That means they have competent IT professionals working for them, who are objective and recognize what the best tool for a particular job is. Seriously, we should respect them for that, not trumpet it like it's something to be laughed at.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    8. Re:Microsoft brainwashing by truthsearch · · Score: 2, Insightful

      I would agree, if only Microsoft didn't try to brand Linux and open source as evil. If their "Get the Facts" campaign showed Linux' strengths alongside Windows', instead of being one-sided propaganda, then we'd applaud them. But you can't call open source a cancer while using it without getting ridiculed.

  5. Eating dogfood is good by ReallyEvilCanine · · Score: 5, Insightful

    How can anyone complain that they're running Server 2008? My company's software quality dropped considerably when we stopped eating our own dogfood two years ago. When techs, engineers and everyone else are stuck with the same problems as the future end-users, shit gets fixed a lot faster and a lot better.

    1. Re:Eating dogfood is good by iroll · · Score: 2, Insightful

      People are complaining?

      ((rereading thread))

      Care to point that out? I'd say most people would be happy that they are using their own product in a critical environment.

      --
      Repetition does not transform a lie into the truth. - FDR
    2. Re:Eating dogfood is good by ashridah · · Score: 4, Informative

      Not complaining in TFA, but this is /. -- I just anticipated the howls of the unwashed hordes rightfully bitching about yet another "professional" OS with a markedly unprofessional Teletubbies UI which certainly isn't ready for market yet, all while ignoring MS' internal dogfood consumption. I'll bet if enough Microsofties had eaten Office dogfood you could shut off that fucking control-click "Research" panel easily.

      Never mind that the UI for 2008 is roughly the same as 2003, only with a more extensive (yet still looking clean and fairly spartan with the eyecandy) set of configuration utilities for roles and features. Just wish I could say the same for the control panel. :)

      As for the 'research' panel... okay, I work here at microsoft, and I own my own copies of office at home, and I have no idea what that is. Of course, I'm hardly an office power user.

      You can bet your bottom dollar that office 2007 is all that's in use around most of the company. As is vista, although it tends to be a mixture of vista, xp and 2003/2008 in most offices, usually for a variety of legacy reasons (maintenance of older projects, testing, etc)

      I've got all but XP myself, but only because I haven't needed it to do my job.

  6. No firewall, but... by VxSote · · Score: 2, Insightful

    FTA: "Router ACLs are in place to block unnecessary ports" While that might not provide SPI and other benefits of a true firewall, it's still a hell of a lot different than plugging a box into a wide open connection.

  7. Re:Supporting by plague3106 · · Score: 5, Insightful

    How many times have you seen the microsoft.com website down / hacked?

  8. Priceless... by orclevegam · · Score: 4, Funny

    Cisco Router: ~$700
    Server to run it on: ~$2000
    Beta testing Microsoft's new server 2008 in a production environment: Priceless

    --
    Curiosity was framed, Ignorance killed the cat.
    1. Re:Priceless... by BytePusher · · Score: 3, Insightful

      It's called Alpha testing in this case. It's good marketing on their part to say, "We're so sure our software is good we use our pre-Beta software in a production environment." Never mind the fact that they have Server 2003 waiting ready to take over when their 2008 server horks itself.

  9. Re:Supporting by outZider · · Score: 4, Insightful

    Reliability in numbers. If you have 30 machines running your website, no one will notice if one goes down.

    --
    - oZ
    // i am here.
  10. Re:HBI? by orclevegam · · Score: 4, Funny

    Humongously Bad Interface. That's the internal name for all new MS APIs.

    --
    Curiosity was framed, Ignorance killed the cat.
  11. Swimming in acronym soup... by thatseattleguy · · Score: 5, Funny
    Could someone with more Microsoft Kool-Aid in their veins stick their fork in the acronym salad that is this article? ACL (Access Control Lists - which technically are a firewall), DoS (denial of service attacks) and IPS (intrusion protection services) I all know, but WTF are:


    HBI?
    GFS (is the G for "Ghost")?
    NBI?
    NLB?
    ACE?


    TIA :),
    /tsg/

    1. Re:Swimming in acronym soup... by loconet · · Score: 3, Interesting

      Interesting, I thought I was the only one. Why is it that every time I read about Microsoft related technology it's always an acronym salad. Not even commonly used acronyms either, they use acronyms for their own way of calling technology xyz. It's almost like they do it on purpose ..

      --
      [alk]
    2. Re:Swimming in acronym soup... by Anonymous Coward · · Score: 5, Informative

      GFS: Global Foundation Services. Microsoft's big internal network management thing. It's the people who keep the servers up and running for everything facing outward.

      HBI: High Business Impact. Social Security numbers ,Passport accounts, etc.

      NLB: Network Load Balancer.

      AV: AntiVirus.
      DoS: Denial of Service
      IIS: Internet Information Services. 'httpd' for Windows.

  12. Re:Supporting by stvmty · · Score: 2, Funny

    I wonder what restrained him from using the tag.

  13. Re:HBI? by JCSoRocks · · Score: 2, Funny

    HBI - Hot But Incarcerated?

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
  14. What happened to Akamai Linux? by 140Mandak262Jamuna · · Score: 2, Interesting

    I vaguely recall MSFT had to outsource load balancing to Akamai which used Linux boxes to redistribute the incoming traffic at some point in the past. Looking at Netcraft.com, it shows some subdomains of microsoft.com resolved to Linux boxes before the year 2000. So it is able to get out of the sandbox now? Is that the main story?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  15. Perhaps the only ones who can do it "right" by teebob21 · · Score: 5, Insightful

    Let's set aside the natural urge to bash MS into oblivion. Let's (just for now) ignore conventional advice about network security and firewall use. Now, not only are these guys a Microsoft shop...they ARE Microsoft. MS claims their software is stable and secure. Perhaps it is -- when was the last time microsoft.com was taken down by malevolent hackers?

    That said, with their closed source and closed-doors policy to revealing details about the inner workings of the OS, _Microsoft_ may be the only company that can successfully deploy a 100% Microsoft powered solution. How many registry changes, service daemon modifications, and other tweaks have been made to get their config running this way? The world may never know. It's probably impossible for the consumer world to ever have that level of knowledge about the Windows environment, and thus run it at peak security levels. For most consumers and businesses, a Linux OS with properly implemented firewalls is much more secure than an out-of-the-box Windows deployment and router ACLs.

    --
    khasim (12/9/06): In a blind taste test, more people preferred Coke over the Pepsi that I had previously pissed in.
    1. Re:Perhaps the only ones who can do it "right" by Super_Z · · Score: 2, Informative

      MS claims their software is stable and secure. Perhaps it is -- when was the last time microsoft.com was taken down by malevolent hackers?

      # dig www.microsoft.com
      [..]

      ;; ANSWER SECTION:
      www.microsoft.com. 2520 IN CNAME toggle.www.ms.akadns.net.
      toggle.www.ms.akadns.net. 300 IN CNAME g.www.ms.akadns.net.
      g.www.ms.akadns.net. 300 IN CNAME lb1.www.ms.akadns.net.
      lb1.www.ms.akadns.net. 300 IN A 207.46.19.190
      lb1.www.ms.akadns.net. 300 IN A 207.46.192.254
      lb1.www.ms.akadns.net. 300 IN A 207.46.19.254
      lb1.www.ms.akadns.net. 300 IN A 207.46.193.254
      [..]

      # nmap -v -p22 -O 207.46.19.190
      [..]
      Host wwwbaytest1.microsoft.com (207.46.19.190) appears to be up ... good.
      Interesting ports on wwwbaytest1.microsoft.com (207.46.19.190):
      PORT STATE SERVICE
      22/tcp filtered ssh
      Device type: general purpose
      Running: lwIP, Sun Solaris 2.X|7
      OS details: lwIP (Lightweight TCP/IP stack) version lwip-0.5.3-win32, Sun Solaris 2.6 - 7 (SPARC), Sun Solaris 2.6 - 7 x86, Sun Solaris 2.6 - 7 with tcp_strong_iss=0, Sun Solaris 2.6 - 7 with tcp_strong_iss=2

      Nmap run completed -- 1 IP address (1 host up) scanned in 1.806 seconds

      I'm actually out of words at this point.

  16. Re:HBI? by SpaFF · · Score: 3, Insightful

    I was assuming he meant Host Based Intrusion.

    --
    -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
  17. Re:Microsoft and logs do not compute by Crane+Style · · Score: 4, Insightful

    Isn't that just you announcing you're ignorant of which tools to use? Are you that kid in gym class that was always trying to put his shoes back on without untying them, rather than take the seconds to untie/re-tie, he'd stomp himself around the locker room for minutes until they fit right. Oh and, how long would it take you to create and print a tri-fold pamphlet using sed? Perhaps you're the problem, not the app.

  18. Re:Supporting by MightyYar · · Score: 2, Funny

    My point was that TFA reads like it was written by a fanboy. You mean that the guy who describes himself as "IT Pro Evangelist, Microsoft Australia" is a MS fanboy? Oh the horror! :)

    I think that we can forgive him - it seems to be his job description.
    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  19. Re:Supporting by Digital+Vomit · · Score: 3, Funny

    The highly objective and insightful article mentions, for example,

    "Windows and IIS...rock solid and secure!"

    Talc is technically a rock...

    --
    Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
  20. akamai by wwmedia · · Score: 3, Informative

    don't forget the whole slew of Linux servers that they use through Akamai to handle the bandwidth;

    it's one reason why, when doing a lookup on Microsoft servers, it often shows that they are running Linux. It's also another reason why people point out that Linux is more scalable because even Microsoft can't eat its own dogfood.

  21. Misleading Summary. Total Propaganda by mpapet · · Score: 3, Informative

    1. The asshat highlights they use no firewall, and yet buried deeper in the article is this "Router ACLs are in place to block unnecessary ports" That's the functional equivalent of a firewall.

    2. I get into discussions where tech guys spew traffic numbers and I'm never impressed. It creates issues if you want to actually do something with the data, which I doubt they do much beyond running the usual marketing metrics. Until you actually shoot for 99.99 service uptime, you begin to comprehend the challenge it is (on any platform); the traffic itself is not the challenge.

    3. I'm very interested in reading what their hardware budget is like. I get excellent performance out of Linux compared to server 2003 boxes on similar compaq dl380's.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  22. Now there's a best practice by QuietLagoon · · Score: 2, Funny
    use of their yet unreleased Windows Server 2008 in a production environment.

    Now there's a best practice that other corporations should follow - the use of test software in a production environment.

  23. But generally.. by Junta · · Score: 5, Insightful

    Router ACLs are in place to block unnecessary ports
    Cisco Guards for DoS detection and automated response

    In other words, they don't use firewalling where you have administrator defined rules to control traffic flow, they use networking equipment that accepts administrator defined rules to control traffic flow .... totally different..

    What in the world do *you* perceive the difference being between a 'firewall' and a router blocking ports based on source and destination being compared with a set of rules (aka ACLs)? Generally, firewall rules *can* get more complex than that, but mere port blocking by an intermediate router has been considered a firewall, even if it doesn't log violating or accepted packets, even if it doesn't have complex rules about connection state. Even if it doesn't have the word 'firewall' emblazoned on the chassis somewhere.
    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:But generally.. by nuzak · · Score: 4, Informative

      The distinction between port filtering + ACLs and today's notion of "firewall" that's actually useful is of a stateful firewall, doing stateful packet inspection, with policies based on not just the packet you're picking a TCP header out of. If you tried to sell a stateless filter as a "firewall" today, you'd be laughed out of the market.

      And no, I don't see any need to firewall a web farm either.

      --
      Done with slashdot, done with nerds, getting a life.
    2. Re:But generally.. by Junta · · Score: 2, Interesting

      The thing that's really troublesome here is, I don't think the person writing the article would care to mention that detail, at least not outside the ports IIS serve users on, which are the only ones he thinks matters. On the externally available ports that should be publicly available, there is *zero* applicability for stateful rules, particularly when you have external parties already tracking obvious DoS for you. For other ports (for example a port out of the IANA range), I wouldn't be surprised to find out they do have stateful inspection to allow traffic associated with an outbound connection in. The problem being their networking equipment might make it a transparent default. Of course, if they are running 100% microsoft software bottom to top, they may never even need to contact an external update server and forgo that entirely, something >90% of the world can't do, and is still a moot point with respect to how 'bulletproof' their server setup is.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re:But generally.. by Kalriath · · Score: 3, Informative

      No, because you'd have to go to considerable effort to configure it in such a way that what you say would actually happen. Hell, even my Windows Server 2003 machine is still running stable and virus/spyware free after about five years (or so).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  24. Re:Supporting by MightyYar · · Score: 4, Informative
    Whoopsie, looks like Akamai uses IIS now - I'm behind the times, I guess:

    % nmap -A -T4 -F -P0 www.microsoft.com
     
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-12-13 11:48 EST
    Interesting ports on wwwbaytest2.microsoft.com (207.46.19.254):
    (The 1218 ports scanned but not shown below are in state: filtered)
    PORT STATE SERVICE VERSION
    80/tcp open http Microsoft IIS webserver 7.0
    179/tcp closed bgp
    443/tcp open ssl/http Microsoft IIS webserver 7.0
     
    Nmap finished: 1 IP address (1 host up) scanned in 167.891 seconds
    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  25. Dufus indeed... by Junta · · Score: 2, Insightful

    In order to apply the 'ACLs' they describe, they *have* to inspect the packets, by definition. They may only compare a relatively small number of fields (src ip, dst ip, make sure it is a TCP packet *and* the destination port is 80). They might not make use of any logging or stateful inspection (then again, stateful may add next to nothing, so long as they don't need to contact external servers for any updates), but that doesn't mean they can get away with saying 'look, no firewall!' All he's saying is that port 80 (and maybe a few other hand selected ones) are 'wide open' (except something else blocks DoS for them even on those ports). Honestly, I doubt you'll find many public web services that put a more restrictive 'firewall' than MS just confessed to having in an article where they declare 'no firewall!'

    --
    XML is like violence. If it doesn't solve the problem, use more.
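The distinction argued over in comments 23 and 25 (a stateless router ACL that matches fields of one packet, versus a stateful filter that admits a packet only if it belongs to a connection it has already seen), shown on constructed packets. This is an added example, not the article's or Microsoft's configuration: the article only says router ACLs block unnecessary ports, so the rule set below (permit 80 and 443 to the web server, plus the common IOS idiom `permit tcp any any established`, which matches any segment with ACK or RST set) is an assumption about what such an ACL typically looks like, and the hosts are RFC 5737 documentation addresses. The case to watch is the bare ACK to a closed port: the stateless ACL lets it through because 'established' only looks at flag bits, while the stateful filter drops it because no connection exists. The toy tracker never expires sessions on FIN/RST; a real firewall does.

```python
"""Added example: a stateless router ACL next to a stateful filter, run over
constructed packets. Addresses are from the RFC 5737 documentation ranges."""
from dataclasses import dataclass

WEB = "192.0.2.10"           # the web server behind the filter (constructed)
UPDATE_SRV = "203.0.113.50"  # an external host the server itself connects to (constructed)
CLIENT = "198.51.100.20"     # an Internet client (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})


def stateless_acl(pkt, direction):
    """A router ACL on the outside interface, in the style of (assumed rule set):
        permit tcp any host WEB eq 80
        permit tcp any host WEB eq 443
        permit tcp any any established
        deny ip any any
    Each packet is judged on its own header; 'established' (the IOS keyword) matches
    any segment with ACK or RST set, whether or not a connection exists."""
    if direction == "out":
        return "permit"  # no outbound ACL assumed
    if pkt.dst == WEB and pkt.dport in (80, 443):
        return "permit"
    if pkt.flags & {"ACK", "RST"}:
        return "permit"
    return "deny"


class StatefulFilter:
    """Admits new inbound connections only to 80/443 and remembers every connection
    it has seen, so a reply is let in only if the matching request went out."""

    def __init__(self):
        self.sessions = set()  # (initiator ip, port, responder ip, port)

    def filter(self, pkt, direction):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        new_conn = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if direction == "out":
            if new_conn:
                self.sessions.add(key)  # the server opening a connection, e.g. to UPDATE_SRV
            return "permit"
        if new_conn and pkt.dst == WEB and pkt.dport in (80, 443):
            self.sessions.add(key)
            return "permit"
        if key in self.sessions or reverse in self.sessions:
            return "permit"  # belongs to a tracked connection
        return "deny"


def run_scenarios():
    """Returns [(description, stateless verdict, stateful verdict), ...] for a
    constructed sequence of packets, in order, against a fresh stateful filter."""
    fw = StatefulFilter()
    steps = [
        ("client SYN to WEB:80", Packet(CLIENT, 51000, WEB, 80, frozenset({"SYN"})), "in"),
        ("client SYN to WEB:3389", Packet(CLIENT, 51001, WEB, 3389, frozenset({"SYN"})), "in"),
        ("bare ACK to WEB:3389, no session", Packet(CLIENT, 51002, WEB, 3389, frozenset({"ACK"})), "in"),
        ("WEB opens connection to UPDATE_SRV:443", Packet(WEB, 40000, UPDATE_SRV, 443, frozenset({"SYN"})), "out"),
        ("UPDATE_SRV SYN/ACK back to WEB:40000", Packet(UPDATE_SRV, 443, WEB, 40000, frozenset({"SYN", "ACK"})), "in"),
        ("forged SYN/ACK to WEB:40001, no session", Packet(UPDATE_SRV, 443, WEB, 40001, frozenset({"SYN", "ACK"})), "in"),
    ]
    return [(label, stateless_acl(pkt, d), fw.filter(pkt, d)) for label, pkt, d in steps]


if __name__ == "__main__":
    for label, stateless, stateful in run_scenarios():
        print(f"{label:42s} ACL={stateless:6s} stateful={stateful}")
```

Both filters agree on the ordinary cases (a SYN to 80 gets in, a SYN to 3389 does not, the update server's SYN/ACK comes back in); they differ only on packets that carry 'established' flag bits without a corresponding connection, which is exactly what nmap's ACK scan and a forged reply rely on. Whether that difference matters for a farm that serves only 80/443 and initiates nothing outbound is the question Junta raises above.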
  26. Re:Microsoft and logs do not compute by module0000 · · Score: 2, Interesting

    Isn't that just you announcing you're ignorant of which tools to use? Are you that kid in gym class that was always trying to put his shoes back on without untying them, rather than take the seconds to untie/re-tie, he'd stomp himself around the locker room for minutes until they fit right. Oh and, how long would it take you to create and print a tri-fold pamphlet using sed? Perhaps you're the problem, not the app.

    Damn straight. It would have taken him just as long to attempt the same operation in Linux, using OpenOffice. He's a tard for using a "full featured word processor" for a "simple find and replace". That's like using a pneumatic jack hammer to put in my 2-man camping tent spikes, and complaining that the setup and take down of my "spike-putter-in device" was far too excessive compared to the linux-rubber-mallet. What a fucking retard.

    The sad part is that despite your perfectly good retort and explanation to the gym-class idiot, he probably read a quarter of your post, mentally tagged you as a MS fanboy, and kept giggling. Makes all the non-idiotic GNU/Linux advocates look like idiots standing next to him.
    --
    Trackball users will be first against the wall.
  27. Re:Supporting by jimicus · · Score: 2, Informative

    Erm.... nmap always reported the webserver as being IIS, because the nature of Akamai's service is that the webserver reports itself as being whatever's really running on the other side of their network.

    The thing that causes the confusion is if you do an nmap -O, and it guesses the host operating system to be Linux despite running IIS on the web server.

  28. Re:Supporting by Bri3D · · Score: 2, Informative

    Akamai forwards the header strings from whatever httpd the Akamai network is caching/fronting for.

    http://news.netcraft.com/archives/2003/08/17/wwwmicrosoftcom_runs_linux_up_to_a_point_.html

  29. Vista as a server (?) by nuckfuts · · Score: 2, Interesting

    Interestingly, I noticed that when pre-GUI disk checking occurs on Server 2008 it says "Windows Vista" at the top of the screen.

    At least this is true with the version I'm testing - June 2007 CTP (Community Technology Preview). I expect in later versions this will be obscured.

  30. Hidden by MBHkewl · · Score: 2, Funny

    The blog has been taken off public view, and only for those who have MS TechNET access. Before that, there were comments on lies & unexplained abbreviations the dude used... /. word verification: bondage !!!

    --
    Mod points are a dangerous tool. Abuse them wisely.
  31. this is what I get by sentientbrendan · · Score: 2, Funny

    when I try to go to their site:

    "We are currently unable to serve your request

    We apologize, but an error occurred and your request could not be completed.

    This error has been logged. If you have additional information that you believe may have caused this error please report the problem here.
    "

    I think that gives a good demonstration of how they run their site...