Microsoft: No Separate Security Certification

Microsoft's emphasis on trustworthy computing doesn’t mean its certification group will be adding a security-specific credential in the near future.

Security is all the rage these days, and nowhere more so than at Microsoft, where Chairman and Chief Software Architect Bill Gates recently sent a memo to all his employees emphasizing security over all other considerations.

That new emphasis, however, doesn’t mean Microsoft will be adding a security-specific credential in the near future. There are enough certifications right now, Microsoft officials say, and adding a new one would only cause confusion.

But Anne Marie McSweeney, Microsoft’s director of certification skills and assessment, did also say that security issues would likely get more emphasis within all other tests. Microsoft currently offers two security-related exams: 70-220, Designing Security for a Windows 2000 Network; and 70-227, Installing, Configuring, and Administering Internet Security and Acceleration (ISA) Server 2000. ISA Server is Microsoft’s firewall and caching product.

Some of the security titles currently offered in the industry include the Certified Information Systems Security Professional (CISSP), SANS GIAC Security Engineer (GSE) and the Check Point Certified Security Administrator (CCSA) and Check Point Certified Security Engineer (CCSE).

To read more about Gates’ trustworthy computing memo, see “Gates Urges Trustworthy Computing in Memo” at (click here).

About the Author

Keith Ward is the editor in chief of Visual Studio Magazine.

comments powered by Disqus

Reader Comments:

Wed, Feb 12, 2003 Anonymous Anonymous

When I want to install a windows update,
I want to make the decision not a nagging Win XP SP Hotfix. How can I stop this paranoid SP Hotfix crap? Thanks

Sat, Jul 6, 2002 JINU JOHN Anonymous

I am Jinu looking for your magazine

Wed, Feb 13, 2002 RightonTime Anonymous

Roll your sleeves and get to work.

Tue, Feb 12, 2002 Bitstasher Terra incognita

After seeing all the different viewpoints above, I remain thoroughly entertained! "Bieng Secure" is a temporary state of existence based upon a percieved threat, not a constant fixed mode; but a variable operating solution based on risk management. As an example, when Win2K was rolled out, I lost almost 80 "zombies", and I am still playing catch-up. In order to better understand and manipulate Layer 3 services and protocols, I am getting Cisco certified. As far as Microsoft goes, they do what they do well, mass produce marginal software. Remember, they are motivated by money, not by any humanitarian interests. I currently run NT4, Win2K, and XP with a Cisco router in a home network, so as to "practice" my craft. As for my "exposed" OS, I run Open BSD (with a slightly modified Kernel) and have only "suffered" 3 "B and Es in 2 years over my xDSL. The forementioned "perps" were trapped by my "honey pot" and recieved severe consequences. Resetting the refresh rate on their monitors probably caused a "burn", as well as the psycological impact that that comes from having their hard drives formatted remotely. I was able to convert two of their boxes into my "hosts" after they came up again! All I can say to avoid all of the BS, use a Windowless environment, and Scott Spiess from Rosedale, CA. is absolutely correct in saying "Sorry guys, my stuff is not where you think it is".

Fri, Feb 8, 2002 James Anonymous

I agree with Robert- Security is a matter of self expertise- You guys beleive in Certs like without them you can't implement security. Learn and make it a habit to train yourself. Buy a server, download security info- install- etc. You can easily persuade your boss to buy a 400 machine- test applications/hack- You will be suprised as to how much you learn. If you can get a cert- the better, but don't make it the only option out there and stop whinning.

Wed, Feb 6, 2002 Scott Spiess Roseville, Ca

I agree with Dave on this one. I think it is foolish to say that only big companies get hacked. I also think that since other computer companies are serious about security, then Microsoft should follow suit. I have first hand experience of what people do on the web. I review my IIS logs daily and I see all kinds of people doing stupid stuff. I especially like the WEBDAV or script exploit people. Sorry guys, my stuff is not where you think it is. Everyone looses when a script kiddie gets a hold of an exploit and decides to play with it. It is important that you know the level of security that you want to maintain and have the ability to keep it there. During my MCSE testing, there was never even a mention about turning off services that you do not use. There was not even a question about what port numbers are what. I don’t think that a MCSE without any experience could lock down a Win2K server. I am for making the MCSE better not worse. I am not whining about it, I am trying to do something about it. We desperately need those higher end certifications to better the MCSE certification. We also need Microsoft to be serious about this. I think that the certification group should consider this and put it in their plan.

Wed, Feb 6, 2002 Dave Virginia

Even small companies are out to make money...and it just happens that when their Windows NT servers get hacked (and despite your ignorance, they DO get hacked for various reasons) or go down from Nimda like viruses those "cheap" companies start loosing the not so "Cheap" money. I'm not sure why you big talkers are protecting microsoft when Red Hat, Solaris, Cisco and a whole bunch of other OS and Hardware makers all have Security cert classes for their own products. I'm suprised that someone who has so many certs as you claim to have Robert (sounds like bs to me) would be as ignorant about this as you seem to be.

Wed, Feb 6, 2002 robert Anonymous

Most of you guys work for cheap corporations and complain like you work for the FBI or Microsoft where a hacker would spend time hacking. Hackers don't Hack companies that don't have impact. So why are you folks so worried about Security- There are many security tools that can be used out there. As one of my fella said up there- Do your job.

Tue, Feb 5, 2002 Dave Virginia

I think that the last few people are raising some good ideas. While the people who claim that there is a lot more to a security test then just microsoft are correct, we also have to remember that a general security test cannot teach everyone about every operating system and every product and therefore Microsoft should have a class on how to implement security that should address some basic ideas about security and then teach people on how to implement them in Microsoft products.
Furthermore in my experiance I am comming to realize more and more that no OS can or will every be bugless. Anyone who has ever written code for even a dumb little program that has to be a few thousand lines will easily understand that. The problem with Microsoft is that it does want to dominate the computer world in all aspects. In Unix and linux the OS people do not write DNS and HTTP server code usually. Every server is in general implemented by different groups, a lot of time not because they want money but because they want something that works. Then in open code projects, a whole bunch of other people then get to look at that code and verify it. This does not and will not happen at Microsoft. Microsoft is comming from behind and it is trying to create an OS that has everything that Unix OSs do and then some with less people and in some cases with programmers that do not have the experiance that some of the Unix programmers did (why else would we have windows 9x). Microsoft needs to throw more money, people at all their projects so that the money we pay doesn't just go to Bill's bank accounts but actually buys some better product...maybe in the future.

Mon, Feb 4, 2002 Anonymous Anonymous

Microsoft OS's are complex and ubiquitous. As a result, they are the primary target of hackers and viruses. Are they **100%** secure: No, and they never will be. Given time and patience, anything can be hacked! All we can do is deter malicious people by making the OS harder to hack. I hope that MS "walks the walk" and does a better job at minimizing the weaker points of their OS and therefore helping SysAdmins and Engineers keep ahead of the hackers. But remember, anything can be hacked with time and patience. And popular products make for popular targets. And the most paranoid SysAdmins and Engineer setup the most secure systems. We all have a part to play: you, me, and Microsoft.

Mon, Feb 4, 2002 Anonymous Anonymous

If the market is so crowded why did they create the MCSA?

Sun, Feb 3, 2002 Scott Spiess Roseville, Ca

I think Michael has some good points in his post above. Those points being the security vs. performance of programs and the third party software being installed on a Microsoft OS’s. I fully agree that there is a debate about the security vs. performance on any software that is rolled out in a production network. Performance normally wins those debates. I also agree that there are some very badly written programs out there that do not have any security in them at all. I do believe this is why Microsoft has tightened up their logo program to take care of these very issues. Keeping all of this in mind, I will focus on what programs that are produced by Microsoft and tighten up the idea of a security certification for just those products. It is true that Microsoft is not a security company, but they are responsible for the security in their own products. These products consist of IIS, SQL 2k, FTP and Exchange. These programs are Microsoft core business applications and as such should be solely the responsibility of Microsoft. I do not remember one test question during my MCSE that touches on any of these products. This is the point I am trying to jump up and down about. Since it is proper to review IIS and FTP logs, events caused by Exchange like bouncing SPAM off of a non-protected email server, or incorrect assigning of rights or null passwords in SQL, I really think there is a major hole in the Microsoft testing. A certification for security on just Microsoft products would force Microsoft to pay more attention to security. It would also in the process educate its MCSE’s to do a better job with security. Through studying, everyone will become better at their job. This is the point here people. I have noticed some pretty good posts from people who I do believe work with security. Their suggestion of using hardware for security (I agree with you) works, but this is a Microsoft forum. Using a Pix firewall works great, but Microsoft does not sell Pix’s nor is any of their testing materials going to say that you need to go buy a pix. Microsoft is going to say you need to use a product like ISA. I do believe we are talking about two different things here. I am talking about Microsoft apples and it appears that others are talking about other company oranges. In the end, anyway we can help Microsoft pay attention to what the customer’s wants/needs are, then we are getting better products from them.

Sat, Feb 2, 2002 Michael In a state os security consciousness.

Microsoft is a software company that is made up of human beings programming software just like any other software provider. All software companies that sell the product they produce is done to allow them to stay in business, thus they have to give the consumer/commercial customer what the market wants. The decision of performance or security lies within the market that the software is targeted for. Keep this in mind when looking at MS software and security. In an ideal world, we choose performance over security because there are no crackers/hackers in the ideal world and because we all trust and honor each others privacy. This is not an ideal world! Security is the responsibility of the individual that determines how secure he/she wants to be. If the product is not secure enough for the person that purchases it, then they should take the measures to secure it. This is where a real security administrator/engineer comes in. Does MS need to be the provider of education and certification of this person. I do not think it is appropriate. MS does not produce all products used on its OS nor does it have access to prevent any software from being installed on it's OS that will cause/exploit a venerability. That is the security administrator/engineers job. If MS decided to become a security educator and provider of security, it would have to incorporate all products that they make and the ones on the market that are applied to their software to be effective. That is why there are other organizations in the public that do provide this education. That is where we should seek our security education and certification. As for why MS has so many vulnerabilities exposed after the product is released, there are more little “David the potential conquerors” out there wanting to take down the apparent Goliath than there little David’s that want to take down the smaller software providers. Bigger target means more shooting at it, thus we see some hits. Think of how we each were conceived! A barrage in which one gets through. Locks are for honest people!

Sat, Feb 2, 2002 Anonymous Anonymous

Atleast Microsoft is taking a step in the right direction with the security toolkit. There is a full version of hfnetchk by shavlik that allows central distribution of all fixes. It was impossible to keep track of all of the hotfixes before. How do I get those five 9s when I have to reboot my server almost every week to apply hotfixes?

Fri, Feb 1, 2002 ciscoboy ohio

IIS + your file system = disaster waiting to happen. Yeah, MS security. Right. ROTFLMAO

Fri, Feb 1, 2002 Brian Hawkes Anonymous

Why is there no certification exam? To me there is a rather simple reason, of course one could rant and rave about the various related issues forever. However the fact remains, if MS were to offer a "security-specific credential" they would have to back up their NEW security certified people with something more than lip service, and it is clear that MS is not capable of that. The MS approach to security is to lobby congress to go after people who have discovered vulnerabilities in their products to 'BE quiet" and "not disclose these bugs to the public so hackers can take advantage of them" What a RIOT! It a sad commentary on our times AND our country. The software industry is setting new standards for business, I call it "Pay me now for the PROMISE of a working product SOMETIME in the future" If ANY other industry released such half assed products as are generally released to the American public as SOFTWARE, and charged for them, they would be almost instantly regulated by the government. It seems that the SOFTWARE industry has come up with a new business pratice. Release PRE-BETA software to the public, and then use funds from the early suckers, er customers to complete the product that you already paid for. MS clearly pioneered this practice, and now many other software houses have masterd this method. The REALITY or ACTUAL QUALITY of software products is actually of little concern. What is MORE important is to create HYPE and the IMPRESSION of a good product through advertising and marketing. What you actually sell can be TOTAL crap, and AFTER you make enough money you can always release a patch after the fact.

That's business in America, if you dont watch closely they will steal your pants to ...

Fri, Feb 1, 2002 Ellis Raleigh

I agree with Mark.
CISSP, it is platform independent, and does not just deal with computer security. It even deals with physical security. The only fault with MS products is that they are so easy to setup. I guaratee I could pull 5 people off the street, give them the CD for Advanced server and in less than 4 hours they could have a simple server up and running. Try that with FreeBSD.
MS makes its products easy to use and setup so anyone can use them. Where MCSE's etc come in is having the knowledge to restrict the end user to the minimum rights and privileges they need to accomplish their work, nothing more nothing less, and the MCSE's should keep up with security issues, Scan their networks, make sure the Anti-virus progs are updated etc. Best advice I can give is for System Administrators and Engineers to get off the "blame Microsoft wagon" and do your jobs.

Fri, Feb 1, 2002 Anonymous Anonymous

Getting back to the right topic. Would you have a fresh MCSE 2K implementing security at your firm, knowning only what was on the exams? I didn't think so! New MCSE's are not equiped with the right knowledge let alone properly roll out an active directory security model. What is needed is more requirments for the MCSE or add a certification for the people willing to do the extra work.

Fri, Feb 1, 2002 Lennie the 3rd planet from the sun

Go Mark! That's just what I was thinking as I read this page. You got it bro!

Fri, Feb 1, 2002 Ronnie Anonymous

MArk- You are an exmaple of a clues Specialist- Passing the exam only shows the effort you put o get certified. Applying the stuff is something else. Don't just come here screaming without being considerate you ignorant dude.

Fri, Feb 1, 2002 Pete Indiana

I would like to see MS have a solid Security Certification. What it should cover is the implemetation of Security specific to MS products. Additionally, electives for the certification should be specific implemetation of top of the line 3rd party security software being placed on MS operating systems. MS could coordinate with Computer Associates, Symantec and Cisco and could sponsor an inter-corporation certification. Prerequisites might include CCNA, CCSA etc. Electives could also include testing for some software that do not have their own certification such as Mail Essentials and Raptor Firewall. The certification (Microsoft Certified Security Professional - MCSP) should include a first year free subscription from the corporations involved for updates to their products. This would highlight the MCSP as a necessary type of employee and would show just how serious MS and others truely view security.

Thu, Jan 31, 2002 TexasMCSE Austin

First off, 70-220 is not INTENDED to be a security exam. It is a DESIGN exam, and desiging a secure network is very different from IMPLEMENTING a secure network.

Secondly, Microsoft should NOT be in the security certification business. Anyone trying to do a secure network without using security specific hardware and software is a fool who knows nothing about security. Security certs should be vendor neutral courses and exams that cover a wide array of security products, and issues on securing multiple OS's and protocols.

Thu, Jan 31, 2002 Anonymous Anonymous

Get an CISSP and/or Checkpoint, specialize in Cisco PIX firewalls and other non-ms products and of course REALLY know security protocols, hacking, and encryption. It will REALLY help you to know this stuff instead of just thinking that by passing an exam it will solve matters

Thu, Jan 31, 2002 Anonymous Anonymous

You know I just love when people like this Mark Austin jump into the online discussion group. If I have it right Mark, if I want a certification, I should go somewhere else than Microsoft. Mark, this is a microsoft group and we don't give a dam about your certs, we just want microsoft to do something positive for a change. Mark, if that is his real name, must be part of the ignorant, arrogant group that we here from time to time

Thu, Jan 31, 2002 Mark Anonymous

You want a Sec Cert ?

Do the Damn CISSP and Shut the Hell up

Mark Austin

Thu, Jan 31, 2002 Ron Beacom Peterborough

Anyone can become an MCSE and not have a clue about security. The Security Design exam is a joke. It is hard to tell if Microsoft products are bad or that so many people are trying to hack them. I have had a classroom of imac's for 2 years and have only had one virus. Who would bother to waste their time writing a virus for a MAC when Outlook is an easier target!

Thu, Jan 31, 2002 Scott Spiess Roseville, Ca

I could not disagree more with BasicIT about what Microsoft should be doing for IT professionals. Excusing Microsoft for stopping short of a good job just encourages Microsoft to do more sloppy work. Keeping up with Hotfixes and patches is a system administrator’s job, this is true, but Microsoft needs to make those hotfixes and patches work without crashing your system. Patching a production server should not be a hold your breath kind of thing. Unfortunately, Microsoft still has a lot to learn about customer service and quality control. The hotfixes and patches also should be available before every little script kiddie out there is using it to exploit your server. Please understand, an exploit is not something that is caused by the system administrator, it’s a bug/whole in the software. This is a bug/whole in the software that should not be there in the first place. There are some really serious security problems with SQL, FTP, IIS and ActiveX. To say that the people in this discussion group are whining because they think Microsoft should do a better job is a mistake and misdirected. Please also understand that the IT professional has nothing to do with the creation of the Microsoft product. Microsoft has that responsibility. Let us not forget the now famous Windows XP security exploit that allows you to around the operating system and use the system bus to allow Internet users to access your local hard drive. Microsoft was making the claim that Windows XP was its “MOST” secure operating system. Ya right! The FBI had a few things to say about Microsoft Windows XP. This was a major blunder and it shows just how sloppy Microsoft is. I do believe that Bill Gates in his memo said something like “Security is more important than everything else.” Funny I don’t see Bill blaming the system administrators here and I still think he is playing lip service to us all. A security certification would prop up the idea of looking at security and maintaining a proper level security. Since Microsoft is demonstrating that they cannot produce a product that does not have serious security holes, it is the IT professionals job to point this out and put public pressure on Microsoft to start doing their job to their customers satisfactions, not the Microsoft marketing departments satisfaction.

Thu, Jan 31, 2002 BasicIT Virginia

MS is not a Security Company, but MCSEs are or should be professionals in an industry that requires you to be on top of game in all areas including. I’m an MCSE and CCNA and I focus on security. I have no Security specific certs and I won’t get any until I see an RFP or job ad that states it is required for me to have one. If you or powers that be decide to implement a MS solution then you need keep your system secure by staying up to date on SPs, Hotfixs and security news. MS needs to do nothing but continue to do what it does best make software that people - in spite of faults - still want to use. And MCSEs and other Professionals need to do what we do best, ENGINEER and IMPLIMENT solutions that include security as a main component. Stop Whining about what MS should do for you and start saying what you can do for your MS systems.

Wed, Jan 30, 2002 Anonymous Anonymous

Microsoft is serious about security this time around. .Net and Passport will not work unless there is end to end security.
And the only way to do that is via HARDWARE. There is a group inside Microsoft that is working on a hardware solutoin to secure the operating system.

Wed, Jan 30, 2002 Me You

Anne Marie McSweeney- I got news for you. You admit there are enough certs out there and adding a sec cert will only create confusion. We are already confused. Ms has been ignorant for so long about sec. Don't you have qualified ppl to come up with proper security measures and certs? idiots.

Wed, Jan 30, 2002 Eren Turkey

so it is easy. Microsoft is not a security firm! Why do you think the best firewall is Checkpoint even operating system is NT? You think Microsoft wouldn't do best. They have source codes ofcourse MS would make best.

Wed, Jan 30, 2002 Scott Spiess Roseville, Ca

Why does the certification group keep doing this? Microsoft NEEDS a REAL security test. The 70-220 test is not a security test! I have taken and passed this test with flying colors. If Microsoft believes that knowing what a firewall, RRAS server and a router is and where they go is security, I have a bridge to sell them. As I have stated in other discussion groups, the reading and understanding of IIS and FTP logs, ACL's, command line security and actual testing your security is all part of being a systems administrator. This of course needs to be included in the MCSA too, since it will be there job to view such logs and review security. None of this is in the actual 70-220 MCSE testing and it is drastically needed. I think earning a certification for the ISA exam would be a great thing as long as it counted for something. Microsoft has taken the MCSE+I away from us and there is not any added benefit to taking more Microsoft tests. I think that it is a shame that the certification group has watered down what was accomplished in the MCSE 4.0 track. There is no certification level for people who know (or want to know) what they are talking about. I have seen ISA (also read the training kit) and I am certified in Proxy 2. I find it very funny that in the ISA training kit, the security messages get relegated to Appendix A. Security is not taken seriously in the training kit. There should be chapters on security, not just event notices. Netmeeting (secure H.323 gatekeeper) has its own chapter. I guess Netmeeting is more important than security. Simply put, we need more information and more of an indication from Microsoft that they really give a dam about security. Saying that you care about security and actually doing it are two different things. I as a MCSE in 4.0 and 2K do not need more lip service from Microsoft. What MCSE’s need is for Microsoft to start caring about the products that they produce. I am tired of 1.0 version of tests and software. The old joke of “I will not implement a Microsoft operating systems until service pack 3” is more founded now then ever. I should not be surprised that our certification group is once again on the opposite side of the certified professionals that they are suppose to represent.

Wed, Jan 30, 2002 What Security??? USA

Q: So what security certification do you have? ..... A: I have the new Microsoft Security Certification, MC-EverybodyGetsIn. They'll laugh you right out of your job interview. Good decision of Microsoft NOT to have a security cert. One email from Bill does not equal a good security record from Microsoft.

Tue, Jan 29, 2002 Anonymous Anonymous

I could see the test items right now:

How do you explain to you CIO a IIS bug has crashed the router with Nimda traffic?


Plug and Play option has compromised the network, how do you avoid having to clean your desk out?

MS and security are oxymorons...

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.