What are the most common security-related questions that still crop up? People keep asking me when will [the stream...
of vulnerabilities] end? They keep hearing about this buffer overflow and that buffer overflow. While no operating system can be totally secure or without any vulnerability, there's been such an effort and push behind Windows Server 2003, and the concentration is at the code level. We will see changes. Keep in mind that nothing is perfect, but there is a greater effort and a pointed effort. What are some of the biggest changes that customers need to be aware of? Look at IIS 6.0. You have to make an effort to install it. You have to learn how to turn it on. This is the opposite of NT. The reason NT became so successful was we finally had a server that anyone [could] install and understand. NT was installed by the push of a button. We are going back to the philosophy that it has to be hard, and you may need to hire someone for a lot of money, and you are going to have to know what you are doing. How are customers getting on with IIS 6.0? From what I hear from those who are trying it out, they struggle with knowing what to do. They are wondering how they should know what to turn on. If everything is turned off by default, there is going to have to be a lot of documentation and help. We've got a whole generation of administrators who are used to simply inserting a CD-ROM and following the wizards. It was stupid for users to do this, but many people got away with it. So two things happened; these customers didn't need training, and when something went wrong, they blamed Microsoft. If Microsoft is successful in providing the information the users need, perhaps there will be a lot less Microsoft bashing. Windows Server 2003 may be the first operating system designed with security in mind. Given Microsoft's history of security breaches, are customers hot to install this software? The techies are, but no one has any money. People are testing the software, but it's going to be a slow adoption. Operating system adoption follows the economy. What are some of the other benefits that make the server a worthwhile upgrade? If you take away the issue of vulnerability, there were many things found wanting in Windows 2000. For example, if I wanted to implement certificate services, there is no enrollment service. Certificate services are in Windows Server 2003. Now, I have an excellent technology and all the pieces and parts that are not in Windows 2000 are here, including automatic enrollment, key archival, cross trust. These are features that enterprises want. Do you expect this upgrade to require extensive training? If people are moving from Windows NT 4.0 to Windows Server 2003, it's going to be an enormous leap for them. Moving from Windows 2000 to Windows Server 2003 is not so bad; it's one of degree. There is a lot for people to know because things are different, but we also have a much more sophisticated audience (from a security standpoint) than when Windows 2000 was introduced. There [were] many solid administrators who knew very little about encryption and security, so to use the security features in Windows 2000 required a quantum leap of understanding. Even if companies have not totally installed Windows 2000, so many people have gained so much knowledge. I don't think it's going to be as much of a challenge. There will be a huge need to train people to do it right, but I don't think people have the money to spend. We are also losing technical trainers (in the industry) because there is no work for them. I read a statistic recently [in MCP Magazine] that said there had been more than 25,000 certified technical trainers, and now there are only about 9,000 certified trainers.
Meet Bragg, hear her presentation on "The promise of trustworthy computing and why most of corporate America will never benefit from it," and attend her workshop, "Ten best practices for Windows security," at Enterprise Windows Decisions, May 14-16 in Chicago.