The Setup Behind Microsoft.com

Posted by kdawson on Thu Dec 13, 2007 12:14 PM
from the matter-of-scale dept.
Toreo asesino writes "Jeff Alexander gives an insight into how Microsoft runs its main sites. Interesting details include having no firewall, having to manage 650 GB of IIS logs every day, and the use of their as-yet-unreleased Windows Server 2008 in a production environment."
  • by Anonymous Coward on Thursday December 13 2007, @12:15PM (#21684425)
    is have some crazy sys admins throw chairs around.
  • by mrtroy (640746) on Thursday December 13 2007, @12:16PM (#21684447)
    No firewall? Of course not!

    Microsoft servers are notorious for their invulnerability.
    • by great_snoopy (736076) on Thursday December 13 2007, @12:19PM (#21684511)
      Of course they have a firewall, just watch the difference between a tcptraceroute to a public port (like 80) and tcptraceroute to the same ip but some other port (like 110 pop3 for example). You'll see that packets get dropped at some point indicating a firewall. It's not a RST (port closed) it's just dropping packets for nonpublic services. That is a packet filtering firewall.
        • But generally.. (Score:5, Insightful)

          by Junta (36770) on Thursday December 13 2007, @01:05PM (#21685323)

          Router ACLs are in place to block unnecessary ports
          Cisco Guards for DoS detection and automated response
          In other words, they don't use firewalling where you have administrator-defined rules to control traffic flow, they use networking equipment that accepts administrator-defined rules to control traffic flow .... totally different..

          What in the world do *you* perceive the difference being between a 'firewall' and a router blocking ports based on source and destination being compared with a set of rules (aka ACLs)? Generally, firewall rules *can* get more complex than that, but mere port blocking by an intermediate router has been considered a firewall, even if it doesn't log violating or accepted packets, even if it doesn't have complex rules about connection state. Even if it doesn't have the word 'firewall' emblazoned on the chassis somewhere.
          • Re:But generally.. (Score:5, Informative)

            by nuzak (959558) on Thursday December 13 2007, @01:15PM (#21685463) Journal
            The distinction between port filtering + ACLs and today's notion of "firewall" that's actually useful is of a stateful firewall, doing stateful packet inspection, with policies based on not just the packet you're picking a TCP header out of. If you tried to sell a stateless filter as a "firewall" today, you'd be laughed out of the market.

            And no, I don't see any need to firewall a web farm either.
        • by AK Marc (707885) on Thursday December 13 2007, @01:26PM (#21685597)
          Actually you're wrong. They're blocking ports. Port blocking != firewall.

          Ah, the little children. Do you know what the first firewalls were? Routers with access lists. Anything that blocks anything from going to one place from another is a firewall. Port blocking is a firewall, and there exists no firewall I know of that can't be configured to do nothing other than port blocking. You don't have to inspect packets, track flows, or any of those other things to be a firewall, all you have to do is offer some means of restricting traffic. And blocking ports does that.
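An added illustration (not from the article or any of the comments above) of the point nuzak and AK Marc are arguing over: a stateless port-blocking ACL that lets through anything carrying ACK or RST, the way a classic "established" keyword does, beside a tracker that only admits packets belonging to a flow it actually saw open. All addresses, ports and packets below are constructed.

```python
# Stateless "established"-style ACL vs a stateful connection tracker.
# Added example; addresses, ports and sample packets are constructed.
from dataclasses import dataclass, field

PUBLIC_PORTS = {80, 443}  # what the web farm deliberately exposes


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)  # TCP flag names


def stateless_permit(pkt: Packet) -> bool:
    """Router ACL with no memory: open the public ports, and let through any
    packet that merely *claims* to belong to an existing flow (ACK or RST set)."""
    if pkt.dport in PUBLIC_PORTS:
        return True
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Remembers flows it saw open; only packets matching one are admitted."""

    def __init__(self) -> None:
        self.flows: set = set()  # (client, client_port, server, server_port)

    def permit_inbound(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == frozenset({"SYN"}) and pkt.dport in PUBLIC_PORTS:
            self.flows.add(key)  # a new client connection to a public port
            return True
        return key in self.flows  # anything else must match a known flow


def compare(packets):
    """Return (stateless, stateful) verdicts for each packet, in order."""
    fw = StatefulFilter()
    return [(stateless_permit(p), fw.permit_inbound(p)) for p in packets]


# Constructed sample of inbound traffic reaching one web server.
SAMPLE = [
    Packet("198.51.100.7", 40001, "203.0.113.10", 80, frozenset({"SYN"})),    # client opens HTTP
    Packet("198.51.100.7", 40001, "203.0.113.10", 80, frozenset({"ACK"})),    # later segment of it
    Packet("198.51.100.9", 40002, "203.0.113.10", 3389, frozenset({"ACK"})),  # unsolicited, non-public port
    Packet("198.51.100.9", 40003, "203.0.113.10", 3389, frozenset({"SYN"})),  # plain connect to non-public port
]

if __name__ == "__main__":
    for p, (stateless, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{p.dst}:{p.dport} flags={sorted(p.flags)} stateless={stateless} stateful={stateful}")
```

The third packet is the one that separates the two: the stateless rule admits it to a port that was never meant to be reachable, while the tracker drops it because no flow was ever opened.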
    • by oliderid (710055) on Thursday December 13 2007, @12:22PM (#21684545)
      from the article:
      "...At this point we still don't use firewalls for MS.COM..."

      and then

      "Router ACLs are in place to block unnecessary ports"

      blocking unnecessary ports is a firewall feature (IMHO ?)

      Anyway it looks quite impressive. I still don't understand how to handle 650 GB of logs :-).

  • by ReallyEvilCanine (991886) on Thursday December 13 2007, @12:20PM (#21684519) Homepage
    How can anyone complain that they're running Server 2008? My company's software quality dropped considerably when we stopped eating our own dogfood two years ago. When techs, engineers and everyone else are stuck with the same problems as the future end-users, shit gets fixed a lot faster and a lot better.
        • by ashridah (72567) on Thursday December 13 2007, @01:42PM (#21685831)
          Not complaining in TFA, but this is /. -- I just anticipated the howls of the unwashed hordes rightfully bitching about yet another "professional" OS with a markedly unprofessional Teletubbies UI which certainly isn't ready for market yet, all while ignoring MS' internal dogfood consumption. I'll bet if enough Microsofties had eaten Office dogfood you could shut off that fucking control-click "Research" panel easily.

          Nevermind that the UI for 2008 is roughly the same as 2003, only with a more extensive (yet still looking clean and fairly spartan with the eyecandy) set of configuration utilities for roles and features. Just wish I could say the same for the control panel. :)

          As for the 'research' panel... okay, I work here at microsoft, and I own my own copies of office at home, and I have no idea what that is. Of course, I'm hardly an office power user.

          You can bet your bottom dollar that office 2007 is all that's in use around most of the company. As is vista, although it tends to be a mixture of vista, xp and 2003/2008 in most offices, usually for a variety of legacy reasons (maintenance of older projects, testing, etc)

          I've got all but XP myself, but only because I haven't needed it to do my job.
  • by thatseattleguy (897282) on Thursday December 13 2007, @12:31PM (#21684717)
    Could someone with more Microsoft Kool-Aid in their veins stick their fork in the acronym salad that is this article? ACL (Access Control Lists - which technically are a firewall), DoS (denial of service attacks) and IPS (intrusion protection services) I all know, but WTF are:

    HBI?
    GFS (is the G for "Ghost")?
    NBI?
    NLB?
    ACE?

    TIA :),
    /tsg/

    • by Anonymous Coward on Thursday December 13 2007, @01:18PM (#21685493)
      GFS: Global Foundation Services. Microsoft's big internal network management thing. It's the people who keep the servers up and running for everything facing outward.

      HBI: High Business Impact. Social Security numbers, Passport accounts, etc.

      NLB: Network Load Balancer.

      AV: AntiVirus.
      DoS: Denial of Service
      IIS: Internet Information Services. 'httpd' for Windows.
  • by teebob21 (947095) on Thursday December 13 2007, @12:36PM (#21684811) Journal
    Let's set aside the natural urge to bash MS into oblivion. Let's (just for now) ignore conventional advice about network security and firewall use. Now, not only are these guys a Microsoft shop...they ARE Microsoft. MS claims their software is stable and secure. Perhaps it is -- when was the last time microsoft.com was taken down by malevolent hackers?

    That said, with their closed source and closed-doors policy to revealing details about the inner workings of the OS, _Microsoft_ may be the only company that can successfully deploy a 100% Microsoft powered solution. How many registry changes, service daemon modifications, and other tweaks have been made to get their config running this way? The world may never know. It's probably impossible for the consumer world to ever have that level of knowledge about the Windows environment, and thus run it at peak security levels. For most consumers and businesses, a Linux OS with properly implemented firewalls is much more secure than an out-of-the-box Windows deployment and router ACLs.
    • by EvanED (569694) <evaned@noSPam.gmail.com> on Thursday December 13 2007, @12:16PM (#21684463)
      Vista was never meant as a server. Same as XP isn't used as a server, it's Server 2003.
    • by JCSoRocks (1142053) on Thursday December 13 2007, @12:26PM (#21684619)
      'Tis a sad day when the fanbois can't even get their insults right. Shameful.
      • by vtscott (1089271) on Thursday December 13 2007, @12:39PM (#21684865)
        And of course it's already been modded up (at least only as funny). To clarify why the GP is wrong, from the wikipedia entry [wikipedia.org] on Windows server 2008:

        Windows Server 2008 introduces most of the new features from Windows Vista to Windows Server. This is a similar relationship to that between Windows Server 2003 and Windows XP.

        Gotta give credit to MS for eating their own dog food...

        Allow incoming connection on port 80? Confirm/deny

        • by ashridah (72567) on Thursday December 13 2007, @01:24PM (#21685569)
          Which we do on a regular basis. Every few weeks I see emails going around from higher-ups asking us to test their team's RC or beta stuff at home for them, and the project I'm working on has been dependent on VS2008 since beta2. Everyone here has their favourite project they like to keep tabs on. I've got longhorn server 2008 running on one of my machines here.

          That said, the choice to use longhorn server in production isn't actually a bad one. It's really, REALLY stable. I keep hearing (from people both inside and outside the company) that it's more stable than 2003 is (and 2003 has the benefits of multiple service packs). It's also a lot more configurable about what it runs, and how much of it it enables when it's installed. I wouldn't bet the entire stable on it, but I'd be willing to put money on it getting a place.

          All in all, it's pretty sweet, if you look at it from the sysadmin perspective. Also, the stuff you can setup when you couple it with vista is really nice (from a security standpoint, particularly). That said, some of that functionality is being backported to XP with SP3 or whatever.

    • Re:Supporting (Score:5, Insightful)

      by plague3106 (71849) on Thursday December 13 2007, @12:23PM (#21684563)
      How many times have you seen the microsoft.com website down / hacked?
      • Re:Supporting (Score:5, Insightful)

        by outZider (165286) <outzider AT fsckedhost DOT com> on Thursday December 13 2007, @12:30PM (#21684693) Homepage
        Reliability in numbers. If you have 30 machines running your website, no one will notice if one goes down.
        • Re:Supporting (Score:5, Informative)

          by MightyYar (622222) on Thursday December 13 2007, @01:05PM (#21685325)
          Whoopsie, looks like Akamai uses IIS now - I'm behind the times, I guess:

          % nmap -A -T4 -F -P0 www.microsoft.com

          Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-12-13 11:48 EST
          Interesting ports on wwwbaytest2.microsoft.com (207.46.19.254):
          (The 1218 ports scanned but not shown below are in state: filtered)
          PORT STATE SERVICE VERSION
          80/tcp open http Microsoft IIS webserver 7.0
          179/tcp closed bgp
          443/tcp open ssl/http Microsoft IIS webserver 7.0

          Nmap finished: 1 IP address (1 host up) scanned in 167.891 seconds