(Posted January 20, 2001)
I started writing this just to forward a URL about security for Microsoft's
web server (IIS) to my boss, but it turned into something else entirely.
You may be interested in reading it, or you may not. I make no guarantees.
Hey, Bruce - we should require that the new IIS person read all the documents linked to by this article, which is an overview of assorted security resources along with an overview of how to use them. It's especially eye-opening to read about the new time-saving admin tools in IIS5, if for nothing else than to open your eyes to the amount of stuff that needs to be hacked by hand (or worse, can't be fixed at all) in IIS4.
Also, it might be useful for Dolly to skim this, just to get a feeling for how IIS really works--this stuff certainly won't be in the official Microsoft IIS curriculum, though a good instructor will cover it. (hi, Dolly!)
Hey, that raises a question - do we normally do technical portions of the
interview when we hire people? (That is, have some techies grill the candidate
on actual technical issues? I remember Bruce & Mike did this when I interviewed,
with a detailed discussion of pros & cons of G3 processor upgrade cards,
and OS 8.5 vs 8.1...but I don't know if that was the exception or typical.)
Anyway, on to the article,
* Keeping Up with IIS Security: Check out Microsoft's updated documents and
new tools that help you handle IIS security. http://www.win2000mag.com/Articles/Index.cfm?ArticleID=15492
I'm not just sending this because it will be useful for supporting IIS; I
think it can be useful to educate our customers and management.
This is a good example of the level of knowledge & research it takes
to do a good job just on the security aspect of running an IIS server; similar
knowledge, research, and planning are needed in the areas of maintenance procedures,
monitoring, performance tuning, site design, methods of implementing specific
This is in contrast to the prevailing attitude of "well, we installed it on a workstation and it was really easy to install, so why can't you just install it?" I find that people often simply do not realize (just because they've never been exposed to it, not because they are mean or stupid) that this sort of work is involved in a professionally run system, because they never have to do it themselves on their home computer.
(On the other hand, they also don't think about how every once in a while
their home computer gets completely screwed up and they are pretty much powerless
to fix it, or the only way to fix it is to blow it away and start over from
And it is completely understandable for your average computer user to be
completely unaware of all that goes into keeping things working behind the
scenes; they should be shielded from all that.
But I have a very real concern that upper management, at a VP/Board level, is unaware of that, which is because IS has not educated them. And when our customers come to us with a server or a new application that they are interested in implementing, IS does not educate them on this, and allows them to talk us out of doing things the way they need to be done if they are going to work right. We pretend that it is the customer's decision, but if we never educate them on the facts of IT life, how can we let them make such a decision? It's like leaving it up to your kids to decide whether to have sex, without making sure that they know how conception and STD's work.
If it was just doing a poor job communicating this important lesson to our
customers, that would be one thing - a bad thing, but correctable through
change of habit. But I think it is worse than that. I think it is not done
because IS management does not understand it, either. And that explains
an awful lot about how things get done around here.
Of course, this means that my responsibility, if I want things to work right--which is the entire motivation for this--is precisely to educate IS management on this point. So, in the interests of doing that, and to avoid merely being "full of sound and fury, signifying nothing," here I go. (Though I'll thank you for not immediately leaping to the first phrase* of that sentence.)
IT is not simple. IT is very complex, always changing, and frequently the tools don't work. For this reason, IT is not easy to do well. However, IT *can* be done well if the organizations and people implementing it:
- get to know the technology thoroughly, and stay thoroughly up-to-date with it. To do this requires an ongoing involvement in two things:
  1) lots of hands-on experience in realistic test environments (including network and production-volume load testing) and
  2) following the current news sources (mailing lists, websites, magazines, newsgroups, etc) that cover that particular technology or product in depth. Participating in discussions with peers outside the company who support the same technology is one of the best ways to accomplish this.
- have clear, shared, explicitly stated expectations with the users of the technology of what functionality the technology needs to deliver, and how it should deliver it to the users. This implies a well done design and testing process, including multiple iterations of feedback into the design cycle, and just as importantly ongoing feedback and modification where needed throughout the lifespan of the technology.
- have "doing IT right" as their ultimate priority. This doesn't mean ignoring the company's needs; rather it is the only way an IS department can possibly meet the company's needs - by doing IT right.
The number and frequency of complaints we receive about IT, and the broad range of the company these complaints come from (from the board, VP's, directors, managers, right on down to contractors and temps, and perhaps most tellingly, even from within the ranks of the IS department itself) should serve as a clear indication that currently, we are not doing IT right.
(And if you examine the exceptions, where things are working well and our customers are happy, I think you will find that those areas are already working in accordance with the principles above.)
If we are serious about benefiting the company, we will change how we do
Thanks for listening,
* What, you don't remember how the full quote about the sound and fury goes? Ok, here y'go: http://www.tulane.edu/~walker/fury_board/messages/19.html -- who says I take myself too seriously?
PS: Don't get me wrong, I suspect this situation is pretty close to normal for most IS departments. That doesn't excuse anyone from not getting on the clue train -- it just points out how many people and companies still don't get it, or IT. (But it doesn't say anything at all about IT!)
Here are a few other examples of not getting IT (whether IT is Information Technology, or something else you are supposed to be about):
Verizon sued over inability to provide DSL service to its paying DSL customers: http://www.cnn.com/2001/TECH/computing/01/17/verizon.ap/index.html
The Federal government just gave a half-billion dollars (that's $500,000,000.00, boys and girls) to the tragically flawed Seattle light rail project in spite of a massive local outpouring of criticism and despite the project going 50% over the original, voter-approved budget and 3 years past the original schedule, while simultaneously hiding the budget overruns from the public and dropping substantial portions of the routes laid out to get voter approval in the first place, all before a single shovel has even been put in the dirt: http://seattlep-i.nwsource.com/local/rail201.shtml
Talk about not having "doing the job right" as the ultimate priority; here's someone who seems to be willing (by ordering the faking of maintenance records! just like Alaska Airlines was just nailed over!) to trade the lives of American servicepeople in order to preserve a military helicopter program and the billions of tax dollars that are being funnelled out to the military-industrial complex: http://seattlep-i.nwsource.com/national/ospr20.shtml
Dave Winer says "Roll up your sleeves and start working with real writers, designers and system managers. Tell them about your [technology and how they should use it]. Watch their faces. Then go back to the drawing board."
Feeling smug because you think you have a clue?
Read this and think about whether you really do or not--did you see this combination of broad access to technology with mass popular political movements coming? Were you expecting to read about it in today's front-page news? Admit it, you thought it was going to be years, if it wasn't just a technologist utopian daydream. But no, it's real, and it's happening today.
(New York Times website, registration required, yadda yadda yadda - which btw I have been saying for years, long before it showed up on Seinfeld, thank you very much. What can I say, I'm a Jewish smart aleck from the east coast.)
Having a hard time with no leaders who understand technology, much less ones who can develop a technology strategy?
You're not the only one - the Bush cabinet is clueless, too: http://msnbc.com/news/518737.asp
fullerbecker.com - online since April 1999
This page updated January 21, 2001