How Microsoft Fights Off 100,000 Attacks A Month

El Lobo writes to mention a ComputerWorld article about Microsoft's battles with the Hackers of the world. The software giant fights off more than 100,000 attacks every month, protecting their data-heavy internal network from the paws of your average script kiddie. The article discusses Microsoft's 'defense in depth' strategy, and discusses just some of the layers in that barrier. From the article: "The first layer of protection for the Microsoft VPN is two-factor authentication. After an infamous incident in the fall of 2000, Microsoft installed a certificate-based Public Key Infrastructure and rolled out smart cards to all employees and contractors with remote access to the network and individuals with elevated access accounts such as domain administrators. Two-factor authentication requires that you have something physical, in this case the smart card, and also know something, in this case a password."

Re:How about the best step . . .

[Anonymous Coward]

"Keeping your vital data physically disconnected from the outside Internet."

Beyond that, Microsoft needs to control what executable code its employees can grab off the Internet. Apparently, even non-IT workers there can download and install almost anything. I know a contractor in technical support that just translates the phone conversations and really isn't a technical person at all. He just speaks multiple languages. And from what he tells me, he has no restrictions on his computer from installing software off the internet.

Re:I'm surprised...

[Anonymous Coward]

RSA is making their physical asset. They carry smart cards. RTFA.

http://www.rsasecurity.com/node.asp?id=1173 [rsasecurity.com]

Marketting Material

[dave562]

That article wasn't very informative. It only talks about the security functionality offered by Microsoft products (specifically VPN/ISA and Exchange). It doesn't even address what kind of attacks are being launched against the company beyond the typical "Virus emails." In other words, it's just thinly disguised marketting material put out under a header that seems interesting.

I wonder how they got to the 100,000 number. If you count port scans and IP spoofs then my home network sees thousands of attacks every month.

Re:OpenBSD Firewalls

[Anonymous Coward]

IIRC Hotmail was *not* OpenBSD, but rather it was FreeBSD. Or at least their servers were. I used hotmail primarily before Microsoft purchased them, and it was pretty amusing to me back then because for a while it was actually still running on BSD machines. And once they had switched over to Windows, the service was horribly slow, unreliable, and generally crap. Finally MS picked up the slack and fixed all the problems.

Re:I'm surprised...

[Da_Weasel]

Not exactly. Here is a quote from a case study that Microsoft published regarding the migration of hotmail from FreeBSD to Windows 2000.

"The original builders of the application created a two-tier architecture built around various UNIX systems. FreeBSD, a UNIX-like system similar to the Linux operating system, was used to run the front-end Web servers that handled login, Microsoft Outlook Express, and Web-based content delivery tasks."

...

"During June and July of 2000, the Hotmail site was converted from FreeBSD running Apache Web services to Windows 2000 Server running Microsoft Internet Information Services 5.0."

You can read the case study here: http://www.microsoft.com/technet/interopmigration/ case/hotmail/default.mspx [microsoft.com]

Re:I'm surprised...

[ampmouse]

Hotmail ran on FreeBSD [theregister.co.uk] until after 2001, but microsoft bought hotmail in 1998. So, microsoft was running hotmail on FreeBSD for over 4 years.

Re:I'm surprised...

[bmajik]

funny you mention that - all outbound internet traffic from Microsoft's internal network goes through...

wait for it..

Microsoft ISA Server.

There may be other stuff out in front of that, but I have no evidence that there is.

I happen to dislike ISA server - because all of my traffic to the outside world goes through it, and if i notice it, its because it did something i didn't like (like forgot how to resolve hostnames - that's pretty common). I used to complain about it every day.. i'd say stuff like "ISA server makes me want to quit my job" or "maybe i could buy a 28.8 modem and get reliable fast internet access while at work). But, ISA server has gotten a lot better and the # of times a week I curse my existance has gone way down. I'll complain to co-workers that "there is no excuse for this - i've run Squid before and there are never any problems", but to be honest, i've never run a squid cluster with over 100 nodes serving over 100,000 PCs, so its not precisely apples to apples. And i've never put pre-production Squid code into a production environment -- which is exactly what we do with everything we make. My inbox has been on beta exchange for months, and over half the domain controllers here in Fargo are running Longhorn server builds.

Same thing with wireless. We deployed WPA before most of the outside world had heard of it. Internally, it was the only way to get wireless at all. If your device didn't do WPA, you didn't get to connect.

There are a few well-known "MS uses linux!!!!@#$!@#$ OMGZORZ!!!" stories out there, so i'll address the ones i am familiar with

MS uses Linux to host MS.Com

False. Microsoft.Com runs on windows servers. Microsoft has contracted with akamai to do geocaching of various web properties, and akamai uses linux to a large extent. This is why when you look at some MS.Com "machines" with tools like nmap, they'll come back as Linux boxes. they aren't MS machines, they aren't in any MS datacenter, and they aren't MS managed.

Hotmail is all linux

False. Hotmail was never linux. Hotmail has a distributed architecture, and at the time of acquisition, the front end machines were FreeBSD, and the back ends were Ultra enterprise 4500s. Eventually, the FE's were moved to Windows Server. My understanding is that they tried the transision using NT4 and it was miserable, and tried again with W2k and it was much much better. Eventually, all the Fe's got moved onto one of the server products (i dont remember if it was w2k or w2k3 before it was "done") and the hotmail capacity went UP.. i.e. re-writing the hotmail stuff natively for the new windows based platform has allowed hotmail to run more efficiently on less hardware, with lower management costs. The backend machines were still enormous sun boxes last time i asked about it a few years ago.. for a few reaons. 1) the investment in those was huge 2) the filesystem was completely customized for the application. I wouldn't be surprised if the back ends have also moved off of Sun machines. The back end boxes apparently did almost nothing with CPUs.. but lots and lots of disk IO. The custom filesystem is probably the biggest reason that moving back ends didn't happen earlier.

It's important to Microsoft to run our own stuff everywhere we can, because it demonstrates to customers that the product can meet their capacity needs, and because real world use is the best test of big complex systems. There are a few things we are NOT self hosting on yet - for instance, I am in the Business Division and while we sell a variety of ERP programs (from companies we've acquired), we still use 3rd party ERP systems to run "Microsoft, the Company". Those of you with ERP experience will understnad that this is not something you transition "over nite" or "just because". It is a goal for us in the Business Division to move MS onto our ERP stuff internally - it adds additional credibility to our products when we can tell customers "it can run Microsoft, so it can probably run your stuff". And our competitors _love_ saying things like "why buy MS's version of blah, they dont even use it themselves!"