Security Watch

The World's Biggest Bullseye

A talk with the man responsible for securing Microsoft's internal network.

Imagine having the world's biggest bullseye on your back. That would fairly describe Pete Boden, director of information security for Microsoft's IT department. He's the guy responsible for making sure Microsoft's internal network is secure from the hackers and crackers for whom breaking into Microsoft is the ultimate status symbol. I wanted to find out from Boden what it was like to work in such an environment. His answers were revealing.

Q: What are the biggest security issues facing Microsoft IT?

A: The biggest challenge we have is keeping pace with the business. Our business is rapidly changing. Our business model has changed through globalization. A major stress on IT is to provide a level of service around the world, including connectivity issues.

Another area of concern is the distribution of intellectual property on our internal network. As we work with partners and vendors, our network expands and expands. It puts stress on the user base. And intellectual property moves around. For example, marketing product plans and other confidential data we're trying to protect.

We've also focused a lot of resources on pushing our security boundary to hosts that sit on our network. We're very diligent on software updating, and patch quickly and thoroughly. We spend the majority of our effort maintaining the health of our network.

Q: What was the last major security crisis you faced?

A: We had a public network incident in October 2000, and that was the impetus of a lot of security work. It was a crisis at the time, and helped us crystallize the trustworthy computing initiative. It was a network intrusion that didn't involve any intellectual property, just access to the network environment by a single individual.

Q: How many infiltration attempts do you see in a typical day?

A: It's literally thousands. It's a massive number. A lot of it is traffic we block through firewall rules and intrusion detection. We do a lot of scanning and probing, a lot of analysis. About 5 percent of the total traffic is deliberate attempts to intrude on the network. A lot is automated traffic, script kiddie-type stuff.

Q: How sophisticated are most of the attacks?

A: I compare it to the millions of people playing basketball around the world, but only 300 play in the NBA. Very few [attackers] are creative and have malicious intent and are skilled at that level and can execute sophisticated attacks. We have an internal attack and penetration team, white-hat hackers whose full-time job is to try and hack into the network. We allow them a lot of latitude to be creative. There are five working today.

Q: What do you use for patch management?

A: We use WSUS [Windows Server Update Services] in some smaller environments, but predominantly we use SMS 2003. We push out all security updates, typically on a two-week timeframe, but we can lower the timeframe to 48 hours and push out via SMS. Client machines have a deadline, and can be forced [to patch and update themselves].

Q: Do you use biometric authentication? If so, what kind?

A: We use smart cards for three purposes: remote authentication through a VPN for vendors or other outsiders; anybody with elevated access, like domain administrators, has to authenticate whether they're local or remote; and to get access to high-security line-of-business applications, like those who have access to source code. We went with smart cards, and they have been deployed about two years now. We've looked at biometric authentication, but haven't gone with it.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.
