Rich Kaplan, Ron Markezich: May Silicon Valley Speaker Series

May Silicon Valley Speaker Series: Delivering on Commitment - Microsoft Security Progress
Ron Markezich, Chief Information Officer, and Rich Kaplan, corporate vice president, Security Business & Technology Unit, Microsoft Corporation
Mountain View, California
May 27, 2004


DAN'L LEWIN: My name is Dan'l Lewin. I'm a vice president at Microsoft, overseeing what we do with the .NET initiative and strategy. I see some of you that I know here. We're pleased to have everyone today in an ongoing topical speaker series that we have, and I'd like to just take a brief moment and introduce the speakers for today and then I'll get out of the way.

The first speaker today, Rich Kaplan, has been at Microsoft for a long time, actually about 14 years now, and from the Bay Area, worked at HP a long time ago, been at Microsoft in a variety of roles, very interesting and center-point, focal-point roles inside the company. I actually met him when I started three and a half years ago because he was the one that did the new employee orientation overview, so that's where I got to meet him on my very first day.

And he's had some really interesting roles around Y2K, cross-company mobilization around Y2K was a particularly important one that everybody in our industry is very familiar with, and certainly one that mattered a lot to us and our customers. And then most recently came out of running what we call CDGG, which is the Developer Network activity around MSDN, et cetera, so he knows a fair amount about the developer community. That includes Microsoft.com as well, which is a pretty big operation, runs real-time all the time, as much as possible. And now he's in a really neat role associated with security and so that's clearly the topic for today, so he'll be the lead-off speaker and I think you'll find him to be candid and open and push him and ask good questions as well.

Ron Markezich has been at Microsoft now for six years, that's right, background at Andersen Consulting, et cetera. He's a new CIO in the company, which is clearly also another hot seat and one that is relevant to security, because as you all know we're a pretty big target, and Ron's got a pretty big job trying to understand those issues, but also works very closely in collaboration with the Security Business Unit on internal practices, which we can in turn help share as best practices for the industry. So contrary to the general drift, I think we as a company are going to end up being a leader by far in security because of the implications of what we've been going through over the last n years since the Internet has really made virtually everything present on the network at all times.

So I'm not going to go on any further. I'm going to introduce Rich and let you guys get going. Thanks. (Applause.)

RICH KAPLAN: Well, I'm delighted you guys took time today to spend with us. I hope it's enjoyable or helpful or informative -- or all three would be good. I will start out kind of telling you a little bit about my last job and about my current role. For the last two-plus years I've been running Microsoft.com, MSDN, TechNet, the book business at Microsoft, the training business at Microsoft, and I learned a lot about security. We get targeted fairly often with denial of service attacks, as you probably well know. Up until a month ago I ran Windows Update, so if you have that little bubble that popped up on your XP machine, that was me popping it up there to -- not a pop-up in the browser so to speak, because that's a bad thing, but the person who was helping to update your machines.

And so about eight weeks ago Jim Allchin, who heads up our platform division, said, hey, will you come help work on the security initiative inside of the company. We have this initiative called Trustworthy Computing and with a number of objectives, including making it easier for you guys to update your machines, making quality increase of the software and making your computing environment safer, and so I'm going to sort of share with you what we're doing in that regard.

So part of the feedback we've gotten from customers is to say, listen, this isn't just about securing everything. You can secure everything very easily if it's not connected to anything else. (Laughter.) But that doesn't do anybody any good, as we all know, because we're all going the opposite direction, right, we're absolutely trying to empower employees, no matter where they are, to be connected. We're trying to establish business value to the value chain with the vendors and integrating with our partners.

At the same time, five years ago, where many people did not engineer either their solutions or their networks or their products to be secure, we're in a situation today where you absolutely have to constantly assess your environment. You have to work on isolation resiliency to make sure that devices that have issues with them, that are unsecured, that have viruses are isolated, and then you have to develop and implement controls to help you manage through that.

And so the goal of what we're doing today is to really allow you to do both, do a great job in the connected environment and make sure that it's secure.

Now, already both in my last job and in this job I've had the opportunity to get lots of feedback and so I will just share some of it with you. Reducing passive malware. Simplifying maintenance: I hear a lot about this. I had this in my previous job. Microsoft.com was about 2,000 servers. Microsoft.com is the fourth most-hit site in the world, gets about 140 million unique users a month and maintaining that site was a critical part of my job. And so I had given feedback to the team and I've gotten feedback from you to figure out -- from lots of customers figure out how to do maintenance better. Give us better access control, help us to develop reliable and secure software and give us better guidance.

So across the board there's a number of things that we're doing and I'll share some of those with you. What we're doing on isolation resiliency, what we're doing on advanced updating, what we're doing in authentication and access control, and so I'll share those with you.

Now, one of the things that we're doing is we're releasing a new version of Windows XP called Service Pack 2. It's a free upgrade. It will be out in third quarter of this year. And the goal of this thing is really fourfold. One, to do a better job on network protection. A lot of people have said, listen, I don't know what on my machine is connected to the network and what isn't connected to the network, which applications do network things. That was unclear to people.

Two, safer e-mail. How many people tell their end users don't click on mail that you don't know from people? And how many people do it anyway? (Laughter.) They do. I don't know why, but they do. So people said, hey, help us figure that out.

Make Web browsing safer. One of the great things about Web browsing is that a lot of people have written applications that just install on the Web browser. That's great, it's easy to use, lightweight, that's great. Lots of the malware that's installing on machines, by the way, installs itself in the Web browser. And so one of the things people told us is figure out how to make it clear and concise to people whether they're downloading something or not into their Web browser, so we did that.

People said, you know, this big issue around buffer overruns, that has to be resolved, so help us figure it out, you should do, Microsoft, a better job in terms of quality, and so it's one of the core things we're focusing in on in Windows XP SP 2.

So I thought the best way other than to walk through all the bits of it is that I would show you what we are doing. This is a Windows XP SP 2 machine and I want to show you some of the functionality that we've put in there.

So first I'll go into the Web browser and I'll bring up a quick app; maybe not so quick.

How many people have had this experience? You open your Web browser -- in fact, I've gone over to people's houses and they say, "Oh, my machine is so slow," and you open up the browser and they have 10 or 20 or more of these. It's a horrible problem. So I'm going to go and close these because I really didn't want them. I just opened them up to make a point actually.

One of the things that we did in SP 2 of XP is we now have a pop-up blocker built-in. And I had it turned off, so now I'm going to turn the pop-up blocker on and now this time when I go back into the browser -- it's still slow, thanks. That's a separate issue. What you see here is actually a message that says, "A pop-up was blocked. To see this pop-up or additional options click here." And you can click there and you could say, hey, you know what, I want to allow them from this site because in many cases there are actually valid reasons to have pop-ups. Some people, for example, want to install software and it's the way they do it. And so you could say, well, you know, from this site I'll take it or from other sites I won't. So that's one of the things we're doing to reduce malware.

Now, this happens to be the Contoso travel site and if I click on here what it's going to do is it's going to bring up what's called an ActiveX control so that I can look at a calendar so I can pick a flight. What you'll notice is it actually didn't do it now because one of the ways that malware installs is it just installs things in your browser. What you'll notice is that this says it popped up again and says to help protect your security it stopped this site from installing software, click here for the options. And you can say I want to allow this page to install an ActiveX control. And if I click OK, now it pops up and it says, hey, you know, we have this Contoso calendar control, do you want to install it. I'll say install, and sure enough now you have your calendar control. It puts the user back in control of what downloads on their machine.

Another thing we did in SP 2, here's a game called Net Chess. A lot of people have said, gee, you did a great job on ease of use, which is everything connects to the Net OK but actually I can't tell what is and is not connected to the Net.

And so if I bring up this game called Net Chess and I say, "Game, New, Network," and I say, yeah, I'm the demo user and I'll play the black side, OK, now what happens is we have something called the Security Control Center and basically this is popping up a security alert that's saying, hey, listen, Net Chess wants to talk to the network, did you know that, are you okay with that? And you can select here and say, yes, I want to unblock this program for the time I'm using it, or I want to keep blocking this program, I didn't intend to access the network, or I'm going to keep blocking it for now but ask me later. So I'm going to say unblock the program, hit OK, and now I can go ahead and play a network chess game.

So what that allows you to do then is to have one consistent experience knowing which of your devices are trying to connect to the network.

Another thing that we did, you can see down here this thing called Windows Security Alerts that's down in your system tray now. And if I double-click on that, this pops up and it basically says, hey, there are three things you probably ought to be aware of: your firewall and what's its status, your updating and what's its status, and your antivirus and what's its status, from one location, because those are three core areas where users have said, listen, I want to have a better protected experience online.

And in this case you can see, hey, you know what, it says my virus protection is turned off and so if I go down here, in this case I have CA's eTrust Antivirus and if I go here you can see, sure, it was disabled. And so if I enable that to monitor outgoing and incoming files you'll see the status changes and the protection is on and it's no longer highlighted in the system tray anymore, so now people know the status of their firewall, the status of their antivirus and the status to make sure they're getting updated. And, in fact, you could go into any of these like the firewall, for example, and if I wanted to see information about the firewall you could go in and you could see, yes, it's turned on, there's a list of exceptions. Notice Net Chess is in there. That's the one that we turned on so that we could play the chess game. And you can add in a set of exceptions that you want.

There's also something here where you can tell it that you don't want to allow any exceptions. So, for example, hey, if you're at the airport, not that I don't like the guys at the airport, but if you're at the airport or a coffee shop, should you allow any exceptions for things getting on the net? Maybe not, right, because it's in an unprotected environment.

So you can do that and you can also control that; in fact, if you go, we have something called Group Policy. What Group Policy allows you to do is administer from your network and say, hey, if I log onto the network, my firewall for network connections, I can go to my firewall and say, listen, if it's on the domain, in other words, if it's inside of my company, let it download anything because it's inside of our firewall and I have custom apps that I want it to download. You could also set up a profile that says, listen, I don't want to allow any exceptions if this machine isn't inside of our firewall and validated on a domain. And so what that allows you to do is protect a device and particularly that goes inside and outside of the environment.

So that's Windows XP Service Pack 2. It will be available for free on the Net probably in Q3, orderable by disk or download for free off the Internet.

Now, we've gotten feedback beyond that that says, yeah, that's great, Rich, Windows XP, I understand that, but it's a little more complex than the issues that you've highlighted. One of the core technologies that we're working on for the future is around isolation and resiliency in regard to client inspection. So, for example, a lot of people say, listen, the perimeter of my network is safe, it's fine. The issue is when a user comes in from home, connects to the network, has a device that's double-homed, has a device that maybe doesn't have up-to-date antivirus software and connects in and infects the network from a remote location.

So one of the things we're working on is a health-checkup technology that basically whenever you connect to the network will check what update level you have of patches, what update level you have of antivirus and frankly since it will be scriptable whatever technology that you want to check via scripts you'll be able to do that.

Now, you can do that today with Windows Server 2003 with some scripts that are downloadable off of Microsoft.com, but in the next update of Windows Server 2003 that's technology that we're going to automatically add in.

The same thing is true for returning laptops, just like the example I just gave you. One of the ways that issues, malware, get introduced inside of companies is not the secure desktops that are in the companies but the laptop that went outside of the network, was working at home, was working at an airport, was working at a coffee shop and then came back into the network and infected the system. And so we're working on that similar technology such that we can do advanced isolation: whenever a machine comes inside of the network we check it. Based on its status we either let it connect to the network or we isolate those clients. In other words, we don't let them connect to the network, we send them to a specific domain and in that domain the only action that they can take is update their antivirus software and update all the critical patches on their machine. And so that is one of the key things that we're working on for the next update that we're doing of our server technology.

Another bit of feedback I got from people, and part of this is from my previous job as well, is that I know updating machines is complex. It takes time, it takes bandwidth, it takes testing, and so we got a lot of feedback from people that said, listen, make it less complex, make it less risky for me, make them smaller, make it so it doesn't take so much time and make it automated.

And so we're doing a couple of different things here. One is from a complexity perspective we got feedback from people who said, listen, you have Windows Update, you have Office Update, you've got an update technology for SQL Server, you've got an update technology for Exchange.

QUESTION: (Off mike).

RICH KAPLAN: Summarized well by the gentleman in the second row who said that's the nightmare.

Like I said, I'm a guy who ran 2,000 servers. I want one update technology, one update technology.

And so multiple things are happening at Microsoft. Part of it is process, part of it is what we're doing from a technology perspective. So in the future, for example, there will be one update technology for consumers. Windows Update, this thing we call WU today, becomes Microsoft Update in the future. All technologies from consumers update through that.

Software Update Services today, which is something you can put inside of a medium size and small business that allows you to consolidate all the patch information in one place and then you make a decision when it gets deployed, that will become the Microsoft Update Services, which means that it will take all of those things and consolidate them inside of your company.

And so the process thing that we're doing is we're driving consistency across every one of our dev teams to make sure they take advantage of and use that new technology.

In fact, I think I have a picture that actually shows that. So today if you're a consumer, you have the thing called AutoUpdate that you turn on in Windows XP that's Windows only. For medium-sized business you have this thing called Software Update Services, and I'm not sure lots of people know about that. That's a technology that you can deploy inside of your company today to do patch deployment, but the issue is today it's Windows only. Today we do have a technology called Software Management Services, SMS, that does allow you to deploy across the enterprise all of the products but the place that we're going to in the future basically in 2004 is a unified existence so that you have AutoUpdate that updates multiple things for clients in a small business or in a consumer setting, this Windows Update Service that takes SQL, Exchange, Office and Windows and updates it in a corporate setting and those things are extended similarly to SMS.

Here's the other thing that we've gotten a lot of feedback about: How do we do a better job on authentication, authorization and access control? We have a technology that's built into Windows called IPsec. IPsec basically allows you to isolate specific parts of your network from other parts of your network. So, for example, if you have a SQL Server that all it should do is talk to an IIS server, at the IP level should any machine be able to talk to either of those two machines? Probably not. If they only need to talk to each other, then you should isolate them to only talk to each other and we can do that through IPsec technology today.

We also have something called RPC over HTTP. Obviously we're not a marketing company, otherwise we would have come up with a great name for that. But what does that mean? That means if you're running Office 2003 and Exchange Server 2003, you can let your remote clients connect through the firewall to do e-mail without having to VPN in, just for e-mail. What does that mean? That means it reduces the number of remote clients that are connecting inside your firewall and you can set policy that only allows the people who really need to connect remotely to connect remotely.

Secure wireless. On the way over here I was in the back of a cab -- so just to be clear, I wasn't driving -- turned on my laptop and we were driving pretty good out on 101 there, and it kept popping up and telling me about all the wireless networks my laptop was finding in the back of the cab. Traffic was bad at one point, stopped, saw one, connected, got an IP address and synched my mail in the back of the cab. (Laughter.) Don't try that while you're driving.

Wireless technology has been great. It's really enabled -- like on the very first slide, it's really enabled people to do very powerful things, but deploying it in a secure way, either with PEAP or WPA or 802.1x, you have to do it. And so we have those technologies built into Windows and we also have guidance to figure out how to manage and deploy a secure wireless network.

I had no mal intent when I synched my mail in the cab on the freeway, but if my machine had a virus, would it have been introduced into that wireless net? Possibly; not intentionally, but possibly. And so building secure wireless nets is key, and it's part of what's in Windows today.

Access management control. If someone loses a laptop, do you know that the person who has the laptop, who is signing into the network is the person you think it is? Hard to say. I know in our company we use smart cards, right? You have to have a smart card to log into the network to get network access. And if you don't, you don't get to log in. So you not only have to have a device but you have to have a smart card.

What does that mean? Well, if you get single sign-on that means that you reduce the amount of passwords that people have. If you have provisioning that only lets people do certain things, that means you increase the security of your network.

And then data protection. One of the things that we use inside of Microsoft today, and maybe Ron will talk about it, is something called Rights Management Services. And what Rights Management Services allows you to do, in fact, Merrick is a company that implemented it, Rights Management Services allows you to take e-mails and secure them. What do I mean by that? How many people have sent an e-mail to someone intended only for them and then it got forwarded to someone else? Some will admit it, some won't. OK. I have certainly, didn't mean to, I meant it for that person and guess what, it got forwarded to someone else. Makes you think about what you write in e-mails certainly, try to be more polite.

But Rights Management Services is basically a technology that allows you to assign properties to a piece of e-mail, properties like do not forward, so that when you send an e-mail and it gets to that remote location, the client application validates that you are who you said you are against a Windows Server, and then only lets the person it was sent to read that e-mail. You can also set rights on it like do not print, so not only don't forward it, don't print it.

What those two things allow you to do then is set policy inside your company so that if people ever try to go around those things, right, that there's disciplinary action associated with that and it allows you now to get to a point where you can send more confidently secure information.

Merrick is a company who has implemented it very successfully and has given us positive feedback.

The other thing, of course, I hear about, and it's probably the thing I hear about the most, is do a great job on engineering excellence.

So one of the things that we're doing -- there's a number of things we're doing. One is certainly we're doing things around threat modeling and client inspection. From a process perspective every developer and every test manager got trained last year on security issues, on how to write secure code, on how to do threat modeling, on how to do penetration testing. We are hardcore about making sure the staff understands the impact around quality, the impact on you and the impact on when we don't do a good job what happens. That's secure by design.

The next thing we have done is focused on what we call secure by default. Now, five years ago the whole goal of Windows XP, for example, was to make it easy to do new things, works better, plays better, ability to play games on the Internet, the ability to easily write client-server applications or peer-to-peer applications.

What we discovered is that some of those same things are the things that made it easy to exploit. And so moving forward we turned unused features off by default. We're completely reducing the attack surface of Windows. We looked everywhere that there can be an attack and reduced that surface by turning things off by default.

And least-privilege is a big issue. We're changing least-privilege but let me explain what that means to you. How many people log on to their machine as admin? Show of hands? A lot. You shouldn't log onto your machine as admin. Admin gives you full rights to your machine. Do you need full rights to your machine to do Web browsing and e-mail? Probably not. So why log on that way? Well, it's the default, it's easy to do it that way. So we're making sure for the applications we write that they use the least amount of privilege necessary, and I'd suggest for you guys that you do a similar thing.

Secure by deployment. We have engineering teams that all they do now is write guidance that's available up on the Web, in fact you can order this thing called the Security Guidance Kit. If you go to Microsoft.com/protect, you can go up there and they'll show that to you and you can order it and it has all the engineering teams' work on how to deploy wireless securely, how to do secure SSL, how to do encryption, how to use IPsec, all those technologies they've done engineering work and will share with you how to do that. There are tools up there to help with that and there's training materials as well.

And then communications engagement, community engagement. We have a big team of people who all they do is work online in the communities all the time, listening, getting feedback, based on that feedback driving changes.

We have a transparency policy that basically says when we hear about an issue we'll evaluate it, fix it and we'll tell you, and we're committed to that. One of the things we were doing in the past, which we changed, which you probably know, is we did that too often, identified it, told you and fixed it. We got feedback that said, listen, you can't do that constantly.

And so you're probably aware we now once a month on Tuesdays release security information on the second Tuesday of every month. I wish it was once a year but we've basically committed to do it based on when we hear about the issues, but we only do it once a month now.

I wanted to share with you one other quick thing before I turn it over to Ron, that one of the pieces of feedback we had gotten in the past is this TWC thing you guys are doing, Trustworthy Computing. After we started doing the things that I mentioned in the beginning, the code reviews, the client inspection, penetration testing, all those different things that we are doing, I went back and had the team look and think about what the impact had been on patching. And so I wanted to share that with you.

If you look at the bottom of this chart, there's a couple examples here, an Exchange example, a SQL example and most importantly probably the Windows example, so let me just talk briefly about the Windows example.

When Windows Server 2000 launched, over a period of 270 days, almost the first year, we had 36 vulnerabilities, critical or serious. And by the end of the year, 265 days, we had had 42 critical or serious vulnerabilities. That was on the Windows 2000 code.

When we released Windows Server 2003 by its release time, it had gotten the benefit of being through this TWC process. Now, as a part of that TWC process in the first year, 365 days, we've only released 13 critical or important bulletins. And so it is having an impact.

Is that good enough? No. I know that. It has to get better. I understand that. And we're doing additional work to make it even better in the future. But little by little the dev teams are making an impact.

Now, two other quick things. Part of the feedback I get from people is, hey, Rich, I want to make my environment secure, tell me how, because it's unclear, it's too complex, it's inconsistent. So those engineering teams that I mentioned before have done a couple of things. One, we released some tools, something called the Baseline Security Analyzer that you can run on individual machines -- and you can find this up on Microsoft.com, if you go to the /protect site it points you to it. The Baseline Security Analyzer will tell you the status of your machine, how many users are configured as admin, how many shares you have open on that machine, what the patch level is and you can run it not only on one machine but on multiple machines.

We've put up there guidance and training, like I mentioned, how to deploy an Active Directory domain, how to deploy Group Policy, how to deploy secure wireless, how to do a defense in-depth strategy.

And then the community engagement, one of the most important things is we have regular newsletters. If you don't have the opportunity to participate in them, go up there today and sign up because we give you notification and information that you can use to help you, both when we know new things, when we do security updates, and when there's new information and new guidance available.

So if I think about, from a community perspective, what our goals are, the feedback I've gotten from people was build in isolation resiliency, just make it easier so that I'm not so dependent on doing patching and updating all the time. Improve maintenance; I can neither afford to, nor have the ability to, update at the rate you want me to update, and so we're working on a set of technologies so that even if an update comes out you'll be protected and you can deploy the patch at your discretion.

Expand authentication and access options. People want to know that the person who's logged onto that machine is the person that they think. And so we have a set of technologies and we'd love to work with you to help deploy those technologies.

Enable engineering excellence. I mentioned what the TWC process had done so far, I know it has to get better, we're applying that same group of individuals to work on updating to make it better as well.

And then continue to deliver tools and guidance. So all that stuff you can find today on Microsoft.com/security. You can also find a number of it on Microsoft.com/protect.

So what would I do? These are the things I told my team when I was running Microsoft.com. Train people on how and what to do to stay secure. Subscribe to the newsletters just because it makes you part of the community and you get access to the information early. Implement a security plan and risk management process. As a part of Microsoft.com, as you can suspect, I did security reviews regularly. It's just part of the job. Adopt a defense in-depth security approach.

Prepare to upgrade laptops and remote systems to Windows XP SP 2. The reason I'd tell you that is that a lot of people say, Rich, I can't upgrade all my machines, I've got too many machines. You know how long it would take to upgrade all my machines? I know in a big, complex environment it's hard to upgrade machines. I'd say make sure in your refresh cycle that you're putting new machines on Service Pack 2 but I would also say if there is one set of machines you ought to put on it, laptops, things that travel inside and outside of your firewall because they're the biggest issue in regards to keeping the environment secure.

And then standardize. One of the things I found managing my environment is that the more things you have on the edge the more likely, because I'd have a review, and then I'd have another review and another review, and I finally got to the point and said, you know, we've got to standardize our edge because if the edge is not standardized there's just too many opportunities for vulnerabilities and too many things to review.

So with that said, I'll bring up Ron, and Ron's going to talk to you about specifically how we deploy these technologies in the Microsoft environment, and right after that we'll open it up for questions.

RON MARKEZICH: Great. Thanks, Rich. (Applause.)

So I guess I'm probably about one month in the job as CIO and it's interesting, I've taken new jobs in the past and I always get the congratulations, good job. I took on this job and every time I got a congratulations it ended with an "I think," or it was not a good job, it was "good luck". So I think being CIO at a technology company, the one thing I don't lack is advice and input from my user base. I have plenty of advice on almost a daily basis on how to do my job. But I welcome that advice. It's something that keeps us as an IT organization challenged and makes sure that we're held accountable to continually push the way in which we run our organization.

What I'm going to talk about today, and I've never tried this before, is security inside Microsoft in about 19 minutes, but I'm going to talk about what we do to protect our internal organization. And it will be fairly general, I'm going to try to hit a few different areas but I want to certainly leave time for Q & A with both myself and Rich in the last 15 minutes.

Let me start by giving you a little view of the Microsoft organization and the scope of our environment. We have 300,000 devices, PCs, servers, network devices on our network at any given time. It's a fairly fluid environment because we have a pretty mobile workforce where we have machines coming on and coming off of our network. Three hundred thousand is a big number for a company with 55,000 employees, but the nature of the work that we do as a company oftentimes requires employees to have two, three, maybe even four machines in their office running different builds as they're developing products, testing products. It also includes our product group labs, our product support labs, which is a fairly large environment.

But when I have to roll out a patch, I worry about 300,000 machines. I deploy my patches to 300,000 machines across my entire environment.

We as a company have e-mail as our primary means of communication. In fact, we do over 3 million e-mail messages a day internally at Microsoft. In fact, a lot of times when you have someone sitting next door to you and you want to talk to them you send them an e-mail, you don't get out of your seat and go talk to them.

It's interesting, too, as IM, using Live Communications Server, becomes more popular inside Microsoft. In fact, IM is quickly reaching the types of volumes that we've historically had on e-mail. E-mail usage doesn't drop. E-mail usage stays the same and IM usage on LCS continues to go up and reaches the point in which we have e-mail usage.

Another interesting fact as well, spam, we have about 8 million messages from the outside coming into Microsoft per day. Almost 7 million of those per day are deleted as spam. In fact, two days ago we announced the availability of an Intelligent Message Filter, IMF, as an add-on to Exchange Server as a free download via Microsoft.com. We use that to filter spam.

Our philosophy with spam is that we have zero false-positives, so we've set the thresholds so that no legitimate mail gets deleted. That does mean some spam gets through, but then we rely on client-side controls via Office 2003 as well as IMF to protect against spam on that side.

We have about 400 buildings around the world, five of those right here on this little campus. We do have one single instance of SAP, so if you look at our core line of business applications, SAP runs in Redmond, 1.5 terabyte database, grows about 30 gigs a month, runs on SQL Server 2000, soon to be SQL Server 2005.

I support about 7 million remote connections per month. It's a big number, 7 million per month. The reason it's so big is I give employees different ways to connect remotely. Rich talked about smart cards. We require smart cards to get on the corporate network. We integrate them with our ID badge so we didn't have to buy another card, we just put the chip on the back. But a lot of employees don't like using smart cards all the time to do things like e-mail, e-mail being the most mission-critical application they have. I give employees a lot of different means to access their e-mail other than having to have their smart card. Capabilities like RPC over HTTP, which is in Office 2003; Outlook Web Access, part of Exchange Server 2003; Exchange ActiveSync, Outlook Mobile Access via the phones are other ways to access e-mail. But if you add up all the different remote connections we have 7 million.

We also have a secure extranet site in which we host SharePoint Servers and so employees can communicate with partners, with customers via documents hosted in the SharePoint environment in our extranet.

And then we have about 89,000 end users within my environment. The difference between the 55,000 employees and 89,000 users is primarily contractors, vendors, temporary work staff, some partners that do joint work with Microsoft.

I'll tell you some of my priorities. These are my four priorities as CIO at Microsoft. First and foremost, I need to be Microsoft's first and best customer. The philosophy we have as an IT organization is our No. 1 job is to take our products, run them in our environment very early, well before they're released to customers to ensure we get feedback to our product teams, and we find any issues in those products before they're released to customers.

In fact, you can think of that entire network that I have as a large lab where we're constantly bringing in products early in the lifecycle. But I'll tell you that is one of my competitive advantages as a CIO, because I'm getting value out of those products very early and there's not an issue as to whether or not I'm current on Microsoft products come the time they're available to customers. Typically I'm fully deployed on those Microsoft products by the time they get to our customers. But that also allows me to use the capabilities in those products to lower costs, add new services, increase my security and increase my service levels to our employees.

Secondly, I look to enable world-class, predictable experiences for my customers that use my services, employees and our partners. We also look to set accordingly an IT strategy across our entire environment. We're a fairly large IT organization, fairly large IT environment, and we have a number of line of business applications as well as core infrastructure components that we need to make sure we operate in a very coordinated manner across that environment.

And then last, but certainly not least, my job is to protect Microsoft's digital assets, which is what I'll focus on here in this discussion.

So if I look at my security strategy, it really centers around four key themes. I start by securing the network perimeter, so the edge of the network I need to secure, and then I need to secure the network interior. We have 55,000 employees, we have 30,000 to 40,000 vendors, contractors on top of that that might have network access, and so there are things that could happen with malicious users internally to the network that I need to make sure are protected.

Thirdly, I look to secure key assets. Other than our people at Microsoft, our most important assets are source code, our intellectual property. And so we do certain things around our key assets to give them another layer of security.

And then fourth but certainly not least is compliance and audit. I have yet to implement a policy at Microsoft that is followed completely unless I enforce that policy. Policies without enforcement do not get followed, they aren't even known, and if they're known, no one adheres to them.

And so we have an effort around our security team that focuses on security compliance, auditing, enforcement across the environment.

What I'm going to do is drill down on -- I forget if it's the white ones or the yellow ones, I guess it's the white ones -- is where I'm going to drill down for this discussion and give you kind of an overview of what we do in those areas.

So if I start with securing the network perimeter, the two areas we're most concerned with on the perimeter are malicious users. Those are typically the non-Microsoft employees and there's plenty of them. There are more non-Microsoft employees in this world than Microsoft employees in this world, so it's a much larger risk profile for me as a CIO. And then malicious software, which could and typically would potentially exist on Microsoft assets coming from the outside. So Rich talked about the mobile computers, we have a fairly mobile workforce; in fact, half of our PCs in the company are Tablet PCs or laptops so they're typically mobile, and a lot of times employees will take those on vacation or take them to grandma's house and there could be something on that computer that I don't want allowed into my environment.

So the ways we address these two threats: One, for malicious users we talked about we require two-factor authentication. So we require the smart card, we use Microsoft Connection Manager, we use the SDK in Windows Server 2003 to build the scripts so that we ensure you have a smart card, you have something you know in terms of a password and something you can hold in terms of a smart card to keep malicious users from getting into the network.

We also for malicious software use the Connection Manager SDK to write scripts to check machines before we bring them into the network, and we call it Secure Remote User, SRU. It's our own internal term that we use. But we run a scan of that machine to make sure it has the latest patches and that there aren't viruses or exploits on that machine that we don't want to allow inside our network.

I'm going to go through these fairly quickly to make sure we have some Q & A time at the end.

The second part, and this is always a popular talk with people, to secure the network interior one of the key areas we focus on is patch management. I told you about 300,000 machines on our environment. We worry about every one of those machines. We think about every one of those machines.

This has a fairly complicated process. It's actually fairly straightforward and smooth. Let me explain it to you real quick. First of all, let me start by saying I deploy patches the same time customers do. So I get a patch the same time a customer does, we look at the rating that the MSRC gives that patch and if it's a critical patch that we want to deploy in an emergency situation, I'll use that example, our deadline is 72 hours to get that patch deployed. The other patch window that we use is 21 days. So it's either an emergency patch, 72 hours we want that deployed across the environment, or a critical patch which we want deployed within 21 days across the environment. We don't mess around with other deadlines because it just confuses people.

On the 72-hour patch what I'll do is do some quick testing on that patch on our client configurations and I'll send an e-mail out to all employees at Microsoft and I'll say we have a patch, load this patch on your machine within 24 hours. If you don't load this patch on your machine within 24 hours yourself, we'll do it for you once 24 hours is up.

The reason we give employees the option to load the patch on their machine is if they're here talking to all of you and I force patch their machine via SMS, maybe sometimes it's a little embarrassing if they're in the middle of a large presentation to customers. So we want to give them the ability to patch the machines themselves before we do it for them.

For our server owners we'll do the same thing. We'll send an e-mail out to all of our application owners that have applications running on servers and we'll say you have 24 hours to patch your application, your servers that your applications run on. If you don't do it within 24 hours we'll patch the machines for you.

Those types of situations we don't want to patch and if the patch requires a reboot, reboot an application, if it's a payroll run in the middle of our pay run at the end of a two-week period, that's not a good thing to do, so we want to give the application owners the ability to patch that machine within one of their maintenance windows and we also want to give the application owners the ability to do some testing on their applications before they patch their machine.

Once that 24-hour window is up on the client and the server, I'll start deploying that patch across the environment using SMS. SMS is a requirement on any server in my data center, it's a requirement within my secure network on your client machines to have SMS 2003 client installed, and that is our means to deploy the patches.

There are cases, especially in some of our labs, where we cannot touch the machine, or for certain reasons they can't have SMS on that machine, say they're running tests for a particular customer that doesn't have SMS and they want to mirror that customer's environment. In those instances if the machine is not patched by the deadline we'll shut that machine off the network, the user of that machine will come in, see that they're shut off the network, they'll call our Help desk, we'll re-enable them because they'll need to load the patch and then they'll patch their machine.

So in short that's how that works. The 21-day process works much the same way except the time in which we give employees and the server owners to patch their machines is much greater than in an emergency type of situation.

Also when it comes to securing the network interior we've just completed IPsec deployment across our entire environment, so we run an IPsec-require mode, meaning if you have any machine and you want to get corporate resources with that machine, say a client machine that wants to get to a file share or something else, it needs to be IPsec enabled. Where this protects us is that person that might be able to get inside a Microsoft building with a non-Microsoft machine, connect to our network and try to get around our network. They're not going to get very far unless that machine is IPsec-enabled. To be IPsec-enabled, it means you have to have Windows XP Pro on it, which is the standard requirement in our environment, and it has to have the IPsec certification and be domain joined. So that protects us from those users.

I'll mention one other thing about smart cards. We're using smart cards for external access. We're now also piloting smart cards for all internal access. So there will be a time inside Microsoft, whether you connect to the network internally, externally, we treat you the same exact way, smart cards required, IPsec enabled, and we run you through the same checks, the same quarantine checks as we would run you through as a remote user. It gives us a very secure environment, both from a malicious user and malicious software perspective.

In addition, with smart cards what we have done is we've taken that same approach to our domain admins. So if you are a domain admin, typically in my IT organization, and you want to access servers where we manage our domains, you need to have a smart card. And so that allows us to limit the number of admins on those servers and it ensures that we have two-factor authentication on those highly critical servers. It helps a lot in our Sarbanes-Oxley processes. Most IT shops when it comes to Sarbanes-Oxley, this is a key control point because those people that have those domain rights can have rights to financial systems and we want to ensure those people are known and we have high security around people that have access to those financial systems via two-factor authentication.

I mentioned source code. We also take IPsec policy to our source code and so we have an added layer of IPsec policy around our source code. So if I have a machine and I'm a developer, that machine needs to be IPsec-enabled with the appropriate certificates to check source code in or out. It helps protect us from a malicious user that might be inside our network or outside of our network.

I'll talk about one more thing, Application Software Assurance Program, we call it ASAP, easy name to remember, I remember ASAP easier than I remember the actual acronym and what it stands for. But we have about 1,800 line-of-business applications at Microsoft, quite a few. To get into a data center or to host a production line-of-business application you need to run through an ASAP process, and there are checkpoints along the way both in the design phase, the testing phase, the user-acceptance testing phase and the deployment phase that ensure you're adhering to security and privacy policy that we set before that application gets into production or can be used.

So just to summarize kind of that quick overview and then we'll leave about 15 minutes for questions with myself and Rich, when I think about security policy at Microsoft I really think about four key areas and they are equally important across those areas. One is train people. I need to make sure my employees are educated on security policy. They know what we're going to enforce, otherwise I get a bunch of flame-mails because they don't like me enforcing stuff they don't know we're enforcing.

I need to make sure my security people, my IT people are trained around security policy. I need to make sure we have enforced policies, so I mentioned before policies that aren't enforced don't do a whole lot of good, so make sure we have enforced policies across the environment.

We also make sure we have optimized processes. The way in which, as an example, we do patch management across the environment, we look to make that a well-known, well-optimized process across the entire environment.

And last but certainly not least our technology that we use to manage that environment needs to be well integrated with our people, with our policy and with our processes.

So before I have Rich up here, I need to make sure you guys are aware of a couple things in terms of additional resources and then we'll launch into Q & A. In terms of a great site to go to for protection of your PC, Microsoft.com/protect walks you through the steps. A lot of those steps are going to be right in SP 2. In fact, I'll mention as part of that dog-fooding, Microsoft being Microsoft's first and best customer role I have, we actually have 35,000 machines inside Microsoft running Windows XP SP 2 right now, and by the time we have that deployed our entire client workforce will be running XP SP 2.

We also have the security guidance center, which you can see at Microsoft.com/security/guidance, and then there are two security summits coming up, on June 3rd at the Santa Clara Convention Center and then on June 22nd at the Moscone Convention Center; my boss, Rick Devenuti, who used to be our CIO and now runs global services and IT, will be at the event on June 22nd at the Convention Center. And registration information is on the screen.

So with that, I'll invite Rich back up and we'll spend about 15 minutes answering questions between the two of us.

QUESTION: (Off mike).

RON MARKEZICH: SP 2.

QUESTION: Oh, SP 2, I see.

RON MARKEZICH: Windows XP SP 2. I have over 150,000 machines running Windows XP Pro because that is a requirement for my client machines and then in my data center Windows Server 2003 is our requirement.

QUESTION: And do you have 300,000 machines total, did you say?

RON MARKEZICH: Total, correct.

QUESTION: So about 50 percent are not running Windows XP? What are they running?

RON MARKEZICH: No, no, no. So those 300,000 machines include client and server machines. So standard configuration for a client is to have Windows XP Pro, that's our standard for our environment. In fact, you can't be on our environment without Windows XP Pro. There are certain instances, for instance, for the Macintosh development group that develops Office for the Mac, we do grant exceptions to, but the 150,000-plus PCs, laptops and tablets are running XP Pro. The server machines are running Windows Server 2003, except where we grant exceptions for instances where we're doing product support for customers that aren't on Windows Server 2003.

Does that answer your question?

QUESTION: Yes, thank you, that's great. Would you say then that all your clients except for a few exceptions are Windows XP Pro or Service Pack 2 at this point?

RON MARKEZICH: Yes, definitely. That's our standard machine in the client space and the server is Windows Server 2003.

QUESTION: A quick question about XP Service Pack 2 again. For example, the firewall, you describe a bunch of different ways you can provide exceptions and do different things. Is there a way to automate that at an administrative level for a whole group of people?

RICH KAPLAN: Yeah, absolutely. Through Group Policy, so if you have -- either through scripting or Group Policy you can automate that. Most people certainly in this audience here who are going to go back to organizations would want to administer it. So you can decide, hey, there's exceptions there for the five apps that we run inside of our company, those are the only exceptions, or you could say, hey, when you're inside the company you can install anything but when you're on the outside and not on a domain then you get to install nothing. So all of those things are controlled through Group Policy.

QUESTION: And then on the virus piece of SP 2 you showed how you can easily show a user it's either on or off with, for example, CA eTrust. Does that work seamlessly with Symantec antivirus, McAfee Network Associates antivirus, all the major vendors?

RICH KAPLAN: We have worked with all the major vendors. I think that one of the things you should do is you should get -- you can order a beta of XP SP 2 today. You should get it and try it in your environment just from a test perspective, what's the impact of having your app pop up and ask if it can connect to the net, does it work with your antivirus. Our goal was 100-percent compatibility, because that's always one of the issues around upgrading, but I'd encourage you to try it yourself.

QUESTION: Yeah, hi. No security is ever perfect unfortunately.

RON MARKEZICH: There is one where you don't have a network, which is some sort of security you want, but if you're off the network you're fine.

QUESTION: Or the power switch, right?

RON MARKEZICH: The power switch, too.

QUESTION: Recently there was an unfortunate but well publicized event a few months ago where some Microsoft source code was divulged. And there's been speculation it might have been through a partner of some kind. My question is, with your elaborate security policy, could that have happened within Microsoft or have you studied that to see how it might have happened and you feel that you're safe from that kind of event?

RON MARKEZICH: Yeah, that one did not happen through our Microsoft network, so it's not my role to understand how something like that might happen with partners.

Rich, I don't know if you want to comment on the partner side or if you've had any experience on that.

RICH KAPLAN: Well, in regard to that, the legal agreement that we have with the partners that we share -- you know, we have a Shared Source -- basically the situation there is we have a Shared Source Initiative, right, which allows a number of our partners to have source code and it leaked through one of the partners.

So could we do a better job helping those partners make sure their environments are secure? Probably. Should we? Love to.

Collectively I think the issue is an issue for everybody who has intellectual property, because you've got to think through all the aspects really of defense in-depth and how you manage your intellectual property.

So part of the whole discussion today is about awareness and making sure that people are thinking through all of those strategies. And a lot of the work that these guys do, for example, IPsec, the whole IPsec discussion he had is really about the fact that, hey, the only people who have access to source code inside -- we have 60,000 employees, so the only people who have source code inside of our company are the people who actually need access to that source and so you control access.

QUESTION: As a follow-up question, presumably someone with malicious intent, a Microsoft employee, disgruntled or who had access could have accomplished a similar malfeasance. (Off mike).

RON MARKEZICH: I'm not aware of that ever happening. We do have multiple layers of defense to protect the source code. We also have policy. You can't think of a developer on, say, Office having source code access to the entire source code environment. We have layers of defense within the source code environment itself. So there's policy, there's process, there's technology applied to limit the risk of even an employee, a malicious user doing something like that.

QUESTION: Of your 300,000 devices that are on your network, how many of those are unowned or unmanaged by Microsoft, and how do you do policy and compliance with those for your systems?

RON MARKEZICH: Well, OK, so you've got to define managed first. The way in which I define managed might be different than a lot of other companies. Our policy is employees are admins on their own machines and so I don't manage in the strict sense any of the machines on our environment. We do manage in terms of security patches and policies, so there's certain software we don't allow in the environment and so we scan or remediate for that.

But in terms of pure management of the machine where we lock down the bits, none of those machines are locked down. We allow employees, because of the nature of their work, to work on those machines and load what they want on their machines to get their job done.

In terms of what we consider the secure net environment that are IPsec enabled, over two-thirds of those machines are in the secure net environment, which is domain joined, SMS on the machine and are within our secure net, so I can touch those machines and do what I want.

There's about one-third that sit outside of that secure net environment. For certain things like our extranet you're certainly not going to have your extranet machine be IPsec-enabled so that only machines outside that are domain joined can access your extranet because we have business partners, we have customers that need to get on our extranet, they need to get to Microsoft.com, they need to communicate and interact with Microsoft. Those types of machines are part of that one-third that are not in my secure net or managed domain.

QUESTION: (Off mike).

RON MARKEZICH: Well, they'll be domain joined. So if Microsoft doesn't own that machine, that vendor or that contractor that is doing work for us will need to make sure that machine is domain joined before they get corporate resources.

QUESTION: The stuff you're doing with IPsec is very elegant, great and also very complex. Is Microsoft looking at bundling it up into some form of wizard or process that will allow capable companies like ourselves to actually implement that?

RON MARKEZICH: So did I make IPsec sound complex?

QUESTION: No, we actually do IPsec quite a lot but not from a client level, so it's a lot harder.

RON MARKEZICH: So the IPsec deployment that we've done internally has not -- I'll be honest, has not been one of the more complex deployments that we've had. We've actually had a fairly small team that's worked on it.

We are taking what we've done and building that experience into a set of white papers that we could share with customers to help ease the deployment of IPsec and so then they can learn through some of the things that we did inside Microsoft in their IPsec deployment.

And so across the board what we try to do is take our experience in deploying products, deploying new policy via our technology, working with our product teams and groups like the Security Business Unit and getting that type of guidance out to customers.

RICH KAPLAN: Yeah, I mean, I'd add on that. We are always about making things easier. New technology inherently seems to be complex, right, and so people who deploy early usually have lots of expertise. That's a technology where I think that, yeah, we do have to make it just a core part with wizards, with inclusion into AD in a simple way, with inclusion in a policy in a simple way and so over time I think you'll see it a lot more integrated.

QUESTION: Assume that that can be managed. What are the metrics you use on a daily basis to know that your applications are secure, metrics like how do you keep track of application security, perimeter security? What are the metrics that you use that give you that warm and fuzzy feeling?

RON MARKEZICH: Well, we have quite a few. So I mean you've got to look at the different layers. So if you look at the four categories, protect the exterior, the interior and key assets, there are metrics on each one of those, so patch compliance is a metric we look at on a monthly basis because you might deploy that patch initially, but if you have new machines built on the environment you need to make sure that they're up to date on their patches.

From an application perspective, that ASAP audit that we do, we make sure that no applications go into our production environment before they pass that process. And then once they are in the production environment we scan that environment constantly to ensure that configuration changes don't take them out of compliance from that ASAP process.

We also use -- and I'm not sure if you're familiar with this, Microsoft Operations Framework, MOF, as our standard operating framework for our operations, and with that we adhere to the change, release and incident management processes as defined in MOF that help us ensure that application changes don't give us risk to the environment. So any of the application changes go through what we call a Change Advisory Board, a CAB, so that we know the changes to that application aren't going to change a configuration that takes them out of policy for security compliance.

So there's a variety of different measures and processes to ensure the initial compliance as well as ongoing compliance.

QUESTION: With the Service Pack 2 do we really need to have separate antivirus software or is that the philosophy of Microsoft to integrate antivirus right inside the Windows operating system?

RICH KAPLAN: We purchased [the IP and technology assets of] a company about a year ago called GeCAD from Eastern Europe actually that makes antivirus software. We haven't decided yet how and if we will integrate that technology.

And so the whole goal really of Service Pack 2 is absolutely to partner well with all the AV vendors. So to be concise, you have to have AV software with SP 2 because the key thing that we were trying to do was expose in a common way security issues on your PC.

So you asked about ease of deployment of IPsec. One of the things we found is that customers don't really -- not you guys, but the end users who are sitting in front of a PC, most of them sort of don't know what is happening on their PC. They know they're browsing the Web, they know they're running the app and they know they're doing e-mail. And so the whole goal really of that Security Center was to expose to them in a common way the state of their PC.

And so all we wanted to do is take the current AV vendors and unify the experience, so whether it's their firewall, their updating or their AV it was unified in a common experience so we could expose the end users to that so that over time they could go, oh, it's green or it's red, it's red, the thing in my tray is flashing, it's red, there's something wrong, I should look at it or, gee, it's not in the tray, must be fine, and that's basically what we were trying to do there.

QUESTION: (Off mike).

RICH KAPLAN: Long-term philosophy in terms of AV, we haven't really decided yet. Over time we certainly want to do things like behavior blocking, which means that, hey, by the way, we should be able to track things on the net before they actually get to a machine and go, oh, that doesn't look like normal traffic, hmm, what should we do with that? And so there are a lot of things that we are investigating to make the problem simpler.

STAFF: We have time for one more question.

QUESTION: You mentioned that Service Pack 2 is free, so I'm wondering if you could touch on some points of security that you'll actually have in "Longhorn," which, of course, people will be paying for. And also I'm wondering if Microsoft, if you have any computers in your system right now running "Longhorn."

RICH KAPLAN: So certainly one of the things we're doing, one of the evolutionary things, if I talk about the evolution of desktop operating systems, so Windows 3.0 no networking built in, Windows 3.1 no networking built in, Windows for Workgroups suddenly introduced the idea of having a TCP/IP stack in Windows. Windows 95 had the Network Neighborhood that sort of introduced, oh, well, I'm always going to want to -- Windows for Workgroups had this map the Z drive equals or the D drive and you mapped it and it was way too complex. And so we've gotten to this evolutionary point where you don't really differentiate anymore whether an app is on the net or not on the net.

"Longhorn" extends that even further, right, such that the concept of digital photos or the concept of music and differentiating whether it's on your local drive or somewhere on the server is quite transparent. So the great news is that the evolution of networking gets even better in "Longhorn" with great scenarios that make it easier for end users to do things.

At the same time we recognized, boy, now in that fully connected network we have to extend even beyond here to make it even more secure and so we'll use everything we learned in Service Pack 2 and all the experience you guys have running Service Pack 2 and we'll continue to evolve that security technology in "Longhorn."

But it does mean, like every one of the evolutions of the operating system, when "Longhorn" ships we will have taken advantage of new technologies and new things we've learned.

RON MARKEZICH: And to answer your question on the number of -- we do have just over 4,000 client machines inside Microsoft running "Longhorn" today. It's interesting when you talk about this, because I talk to customers a lot and our issue is a little different. The oldest client OS we have is Windows XP Pro RTM bits and then we have Windows XP SP 2, we have "Longhorn" clients. And so we have multiple versions of the OS but they're going forward, not backward. In fact, to manage that, because often at RTM we'll have bits that are beta, release candidate 1, escrow 1 and then RTM bits in the environment. Three weeks after RTM of any OS or Office release we use SMS to bring everyone up to date on the RTM bits. So today we have Windows XP Pro RTM bits and then going forward we do have 4,000 "Longhorn" machines and 35,000 XP SP 2 machines.

RICH KAPLAN: Great. Well, thank you, guys, for spending your time with us today. I hope it was helpful. (Applause.) My e-mail is richka, R-I-C-H-K-A, @microsoft.com. If you have an issue, let me know about it. I get a lot of e-mail. I'm not always as good as I used to be at responding to them all, but send me mail. If we're doing good, send me mail; if we're doing bad, send me mail. Either way I'll try to help.

Thanks. (Applause.)
