Security has always been an important part of any infrastructure, but in recent years, it has taken on an even more critical role. The primary reason for the increased concern is the surging use of the Internet and the requirement to “Internet-enable” companies of all shapes and sizes. In addition, the high availability of tools used to compromise systems has made it easy for almost anyone with a small amount of knowledge to attack systems. And of course, broadband Internet access in the home has given these crackers exactly what they crave—a point with high bandwidth from which to launch anonymous attacks.
A number of high-profile attacks have been unleashed recently, focused primarily on Microsoft systems. The rise in the number of attacks on Microsoft systems may be attributable to several factors. For one thing, Microsoft systems are easy to compromise. For another, some of the people designing these attacks are out to show that Microsoft does not have a stable platform on which to do business. And finally, folks who administer these servers often do not have the proper security training to effectively block such attacks.
In fact, the people who are supposed to be responsible for securing Windows systems—MCSE-certified IT professionals—have been criticized lately for being inadequately prepared by the certification process to defend against these attacks. Both CertCities.com and Computerworld have published articles on this topic, and they raise some very interesting and eye-opening questions related to the coverage of security in the MCSE program.
The problem and possible solutions
Nowhere in the current MCSE program is there a requirement for a course on security, nor is detailed security information covered in any of the core exams for the MCSE certification. Even in these insecure times, the course related to exam 70-220, Designing Security for a Microsoft Windows 2000 Network, is merely an elective. Would moving this course to the “required” column make any difference in how Windows IT professionals view security? Some people think so.
By its very nature, Windows is a vulnerable product, mostly because it has so many services turned on by default. People who maintain these servers should be required to receive in-depth security training to learn where these vulnerabilities exist and how to defend against them.
The SANS Institute, an organization devoted to network security, has developed its own course to supplement the training MCSEs receive. This organization feels so strongly about the lack of security training in the MCSE program that its course on securing IIS servers costs only $229, which, as any IT professional who has attended courses knows, is a bargain.
The SANS course includes these topics:
- Planning your network architecture
- Server hardening
- IIS authentication
- Web-based applications
- Logging and auditing
- Remote administration
Many of these items are discussed in various places in the MCSE curriculum; however, a number of them are found only in the Windows 2000 security design course. Microsoft can almost certainly take a lesson from the SANS Institute and make all of these important points on security available in one comprehensive course and a related MCSE exam. It is much easier to learn a topic when it’s the focus of a course than to have bits and pieces of the topic covered as bullet points in other courses.
What needs to happen for security to be made a more important area of knowledge for MCSEs? First, IT professionals should demand that Microsoft include more security-related courses. But with the lackluster turnout for upgrades to the Windows 2000 MCSE, this may not be enough. Organizations, corporations, and other entities need to make sure that their Windows systems administrators are up to speed on security issues that are vital to the organization.
Sending administrators to the SANS course is a great first step, but a more comprehensive security training program needs to be developed for IT staff. While training budgets may be tight, especially these days, consider the cost of the Code Red worm, which has been estimated at $2.6 billion. What if some of this money had been devoted to sending a system administrator to a comprehensive security course instead? I am not suggesting that simply sending someone to a class is a magic bullet, but it is a solid beginning.
The MCSE certification is a fairly intensive exercise in learning the ins and outs of maintaining a Windows infrastructure, but it doesn’t prepare its holders in network and server security, an area that is vitally important to the success of an organization. By supplementing the MCSE core requirements with either the MCSE security design course and exam or a third-party security course, an administrator can acquire the knowledge needed to tighten security in the Windows infrastructure more effectively and to prevent compromise of the network’s stability and the data it contains.
The personal stuff
I am not an authority when it comes to server-related security. When I took the exams for my Windows NT 4.0 MCSE (I have been working on upgrading to Windows 2000, but it has not been a priority), security was barely touched upon. I know the basics of locking down a Windows infrastructure to make it more difficult for folks to snoop around, but everything I have learned has been from sources like TechRepublic and Microsoft’s “best practices” documents—not from the MCSE.
Had security been a more integral part of the MCSE program from the beginning, I am positive that many of the problems we are seeing would not be taking place today. Folks who administer these servers need to be aware that Windows has some key vulnerabilities, and we need to become proficient in the steps it takes to secure a Windows network.