, 2002-03-25
The U.S. Air Force's security ultimatum to Microsoft is a much-needed effort to draft them into team play. But we still have to do our part.
Forcing Teamwork on Redmond
MS has gone a long way to provide documentation on how to secure their Operating Systems and Infrastructure products (IE, IIS, etc.), but my personal beef has always been that they don't test against their own "best practices" or "security standards".
In order to force them to put their standards where their mouth is we did the following - we followed their hardening standards to the letter. When the applications (some components of Exchange, and SharePoint Portal and SharePoint Team Services) failed to work, we pushed this back to MS and simply said "Your product, your standards, your fix". Sweet, and very little work for us.
I can't say that all the product features are fixed, but we've received some high-level buy-in from the MS side, and I expect they'll be fixed within the next couple of weeks. I also expect they'll end up producing some additional documentation for other companies who can then benefit from our history.
My thought is that, eventually, MS will have their developers doing most testing against their "worst case scenario standards" and hopefully publish proper security procedures from the outset of new releases.
If anyone out there thinks this is a one-sided thing where Microsoft benefits by having us work out their problems, think again. In doing this "extra work", I've made some very key contacts at Microsoft - contacts which I intend, at some point, to use when we've got non-security related issues. Let's face it, every product has bugs.
"Step right up! Everyone's a winner!"
Link to this comment: http://www.securityfocus.com/comments/columns/69/11725#11725