The interdependent security initiatives, strategies, and technologies that Microsoft has deployed were implemented in a number of phases. The essential enabling technologies described in this paper run on Microsoft® Windows Server™ 2003. However, most of the technologies were developed when the infrastructure was based on Microsoft Windows® 2000 Server, and can be implemented on Windows 2000 Server. All of the technologies and deployments continue to mature based on evolving security requirements, future strategic plans, and product testing and validation requirements.
This paper is intended for enterprise technical decision makers, security operations staff, and infrastructure engineering staff. It is not intended to serve as a procedural guide. Each enterprise environment is composed of unique circumstances. Therefore, each organization should adapt the approaches, designs, processes, and best practice recommendations described in this paper to meet its specific needs. Note that for security reasons, the domain names provided are for illustration only and do not necessarily reflect actual names.
Introduction: OTG Mission and Priorities
Enable people and businesses throughout the world to realize their full potential.
Proactively deliver IT infrastructure and applications that exceed defined expectations of our clients, customers, and partners—making it easy to work anywhere at any time.
Microsoft Corporate Security Group Mission:
Prevent malicious or unauthorized use of digital assets that results in the loss of Microsoft intellectual property or productivity by systematically assessing, communicating, and mitigating risks.
The Corporate Security Group reports to the Operations and Technology Group (OTG). Prior to examining the Corporate Security Group, it is useful to understand the Microsoft and OTG missions, as well as OTG’s IT priorities and IT environment.
The Microsoft company mission is to enable people and businesses throughout the world to realize their full potential.
OTG is a highly customer-focused organization with the related mission to proactively deliver IT infrastructure and applications that exceed defined expectations of our clients, customers, and partners—making it easy to work anywhere at any time.
The phrase “exceed defined expectations” in OTG’s mission reflects an emphasis on service measurement and analysis. This part of the mission is based on the tenet that “you cannot manage what you do not measure.” For example, in the IT operations area, expectations are documented in the form of service level agreements. The service level agreement metrics are reviewed monthly in a CIO “scorecard.”
OTG’s IT priorities are as follows:
Be Microsoft’s first and best customer
Provide intellectual leadership
Set a coordinated IT strategy
Run a world-class utility
Be Microsoft’s First and Best Customer
The primary business of Microsoft is software design. Consequently, OTG has a mission that is unique among global enterprises. For example, in addition to running the enterprise IT utility, OTG plays a strategic role as one of the Microsoft early adopters by testing and deploying Microsoft software before its release to customers. In addition to benefits Microsoft realizes through product feedback from testing for scale and load in a real-world production environment, these evaluation efforts must provide tangible business benefits to Microsoft. For example, as of October 2003, OTG ran the corporate infrastructure on Windows Server 2003 with approximately 4,200 servers deployed (which include 800 infrastructure servers and key line-of-business applications). In addition, the corporate website, www.microsoft.com, has over 600 servers running Windows Server 2003. Internal real-world evaluation activities drive a very high rate of change in the environment, with many more deployments to servers and desktop computers than is typical at enterprises of comparable size.
Provide Intellectual Leadership
OTG drives the early adoption of technologies that help define the Microsoft vision of the leading-edge IT professional, developer, and information worker. OTG also provides product feedback to the Microsoft product development groups.
Set a Coordinated IT Strategy
OTG leads the process that defines and delivers high-value IT solutions at both the business-unit level and the enterprise level. Setting strategy is a critical OTG function because the IT infrastructure is centralized, whereas line-of-business application development is decentralized. Although application development occurs independently in each business unit, OTG provides centralized support for applications, hosting in the data center, and architectural guidance and standards (including security standards).
Run a World-Class Utility
A unique challenge for OTG is to deliver on all the previously mentioned priorities while providing world-class availability, reliability, and cost-effectiveness in a global environment that includes high client expectations and technically skilled users.
The Corporate Security Group, OTG, and Microsoft missions are aligned in several ways. For example, measurement is key to successfully fulfilling both the Corporate Security Group and OTG missions. Additionally, the Corporate Security Group focus on productivity and intellectual property is necessary to support the Microsoft company mission, which is focused on people and businesses. Through this alignment, the Corporate Security Group has effectively partnered with business owners throughout Microsoft to develop an appropriate security strategy.