Why Microsoft doesn't need a stand-alone security cert

Microsoft has reversed many of its certification policies, but it should stand by its decision to avoid creating a security certification. In this edition of IT Certification Corner, Erik Eckel tells you why.


There's talk that Microsoft may introduce new certifications for desktop support and security. The discussion began last month at CompTIA's 2002 Strategies conference. Microsoft's Judith Morel announced that a worldwide Job Task Analysis survey of MCPs showed that MCSAs and MCSEs don't spend much time working with client OSs. She added that there's also strong interest in a security certification.

The desktop support strategy is certainly sound. That's a niche that needs to be filled. For the last few years, help desk professionals have been turning to CompTIA for its A+ and even Network+ accreditations to demonstrate their desktop and basic networking expertise. But there is no reason to introduce a security certification.

Squeaky wheels get greased
There's been a noticeable softening in the way that Redmond deals with Microsoft Certified Professionals. It almost seems that if IT professionals complain loudly and long enough, Microsoft will cater to their wishes. I don't believe that's in the best long-term interest of those earning Microsoft certification.

First, the deadline for taking Windows NT 4.0 exams was extended. Then, Microsoft announced certifications would no longer retire. More recently, there have been rumblings that Microsoft is revisiting its decision to provide only pass/fail scores on exams. All of these reversals could serve to weaken Microsoft certifications.

The large chorus of complaints that followed the scoring change is certainly fueling Microsoft's review of that system. I still believe, as I wrote in February, that numeric scores are unnecessary. Further, if you've busted your tail to earn a Microsoft certification, do you want someone who failed the same test you passed to be pointed to the topics they need to study again? I thought the purpose of a certification exam was to test your IT understanding and expertise, not to help you become certified.

Now it appears that Microsoft may cave in on the security certification as well. Back in January, Microsoft's position was that there were enough certifications. A security certification wasn't needed.

That was then. This is now.

The only reason I see for Microsoft to consider a security certification is that so many IT professionals are saying one is needed. I disagree. I see no place for a stand-alone security track among any software or hardware vendor. Leave the security certifications to the vendor-independent organizations like CompTIA.

Every exam should test security knowledge
Remember Microsoft's TCP/IP exam? Exam 70-059: Internetworking with Microsoft TCP/IP on Microsoft Windows NT 4.0 seemed like a critical exam back in 1998. Many observers didn't understand how Microsoft could discontinue such an important test at a time when TCP/IP had clearly won dominance over all other protocols.

Microsoft's explanation was logical and appropriate. TCP/IP had become so dominant, so important, and so critical that Redmond no longer felt TCP/IP should be an elective or even an exam by itself. In fact, some IT professionals were earning MCSE certification without ever proving their TCP/IP expertise. To eliminate that problem, Microsoft began including TCP/IP content in each exam, thereby requiring candidates to prove their TCP/IP knowledge regardless of which exam they were taking. This was definitely the correct step to take.

Microsoft should do the same thing with security, and I believe it will.

Whether you're taking an exam on supporting Windows XP, administering Exchange Server 2000, or configuring Windows .NET Server, you should be pelted with questions that test your security expertise. Security is as important as any other topic, regardless of whether the exam covers a client operating system, a critical application such as enterprise e-mail, or administering and configuring servers.

A quick look at current Microsoft exam objectives shows Redmond is on the right track. The Windows 2000 Pro exam tests your ability to:
  • Encrypt data on a hard disk by using Encrypting File System (EFS).
  • Implement, configure, manage, and troubleshoot local security policy.
  • Implement, configure, manage, and troubleshoot a security configuration.

The Windows 2000 Server exam tests your ability to perform all those actions and to:
  • Deploy service packs, which often include security upgrades.
  • Install, configure, and troubleshoot a virtual private network (VPN).
  • Implement, configure, manage, and troubleshoot security by using the Security Configuration Tool Set.

The Windows 2000 network infrastructure administration exam tests your ability to:
  • Enable, configure, customize, and manage IPSec.
  • Remove EFS recovery keys.
  • Manage and monitor network traffic.
  • Configure remote access security.

Microsoft Exam 70-220: Designing Security for a Microsoft Windows 2000 Network is devoted entirely to security, as is much of Exam 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition.

The above list, while only a sampling, demonstrates that Microsoft is already testing candidates' security knowledge. All it needs to do is continue that effort by ensuring that each certification exam it offers tests candidates on the appropriate and relevant security issues associated with each exam topic.

Why do so many security problems still exist?
Once you've secured your network, there's only so much you can do to prevent breaches and the next round of viruses from wreaking havoc. Those who write new viruses and exploit new security holes identify new security weaknesses and create new threats because most IT professionals typically work to close known holes and vulnerabilities. I don't see how any vendor could create a credible certification that tests your ability to close security holes that aren't widely known to exist.

Microsoft software is frequently found to have security flaws because a large community of individuals constantly pokes, prods, and snoops to locate backdoors, breaches, holes, and other weaknesses. They choose Microsoft as a target because a large number of enterprises use Microsoft software. If OS/2 had the same enterprise presence that Windows does, I feel confident that you'd be reading many more articles about security holes that need to be fixed in OS/2.

Eckel's take
The best any vendor can do is test IT professionals on their ability to understand fundamental security issues and ensure that those administering software and configuring hardware systems know how to make the most of available security tools and keep up with updates as they're released. As John McCormick wrote last July, it's clear many network administrators can improve their diligence.

Certification can help by reinforcing the fundamentals, but a new certification track isn't the solution. Instead, security fundamentals should be emphasized in every IT exam.
