Is Windows security an afterthought?

As the editor of, I often speak with users about their Windows security responsibilities. One senior systems analyst in particular sent me an interesting note recently...

To give you some background, he's in charge of configuring and administering desktop systems (primarily Win2000 and XP) for a large company, and he developed many of the security policies and procedures in place for those desktops. However, even with those seemingly important tasks on his plate, he said he took over Windows security only because no one else had. He specifically said:

"I ended up taking over the security functions because no one else was looking after them. I've learned a lot (enough to know there's so much more to learn), earned my CISSP and started specializing in MS Windows security. I never really set out to do that though."

Does this sound familiar to you? Were you recently or temporarily assigned Windows security responsibilities because they weren't being handled? Did you choose to take over Windows security on your own? How long have you been working at it, or plan to?

Any feedback is appreciated. I will include comments in a story for I'm just trying to get a sense of how people got into the Windows security field, how long they've been in charge of securing Windows systems and if they plan to stay there. You may contact me publicly or privately.

Thanks for your time and attention!

Best regards,
Robyn Lorusso
Editor

Answer Wiki


Hello Robyn,

I originally began studying Windows software (the aim was to get my MCSE) so I could enter the world of computer administration. I wanted to move from the user admin/help desk to the tech side of the systems my company used. I was already a part of security as my help desk and user support duties dealt with remote access, authentication issues, certificates and logic key administration. But my intent was not originally to become “The Security Guy”.

So, while the progression to dedicated security professional with a speciality in Windows was a natural progression, it was not my original intention.

Discuss This Question: 7  Replies

  • BlueKnight
    When I first came to work here I was assigned to support 106+ users in one of our user departments because they had so many problems, chief among them was pervasive viruses. This department was using an older version of Windows and utilized the "sneaker net" for sharing files. The first thing we did was to install anti-virus software and banned the sneaker net, giving them file sharing space on the server. We then upgraded their systems to the then current Windows OS and modified their network to utilize IP instead of 3 other protocols. All around performance ended up many times faster than before we began attacking the problems. I've always felt that Windows security was an afterthought. Microsoft always put the emphasis on adding bells and whistles rather than security. Lately, they seem to have gotten much more serious about security, but they still have a way to go. That being said, there still is no substitute for the good old fashioned "human firewall." We all need to train users on best practices for desktop security, and keep reinforcing it so they don't get lax. Jim I'm not certified, but I am certifiable
  • Astronomer
    I have been involved with Windows NT since the 3.1 beta. One thing I have noticed is with every release Microsoft proclaims "now security is our focus". I got involved in NT security at the Intel early access services lab. No-one else stepped up to the plate so I had to learn the hard way. This led me to network security in general which has been my focus for the last five years. In my current job as network engineer, I am responsible for network security for the entire college but I have found a great deal of my time diverted to Windows security issues. Depending on the size of the IT staff, this often comes with the territory. Another reason Windows is a concern here is the lack of staff knowledge. Since the support team is afraid of anything other than Windows we are using Windows systems in roles where there is a higher risk than with a more secure OS like Unix. Others may disagree but my experience has been that most Windows configurations are considerably more vulnerable than corresponding Unix configurations. I believe part of this is the average difference in knowledge between Unix admins and Windows admins. You can lock down both systems if you know what you are doing but you have more power under Unix. Given my choice, I would focus on the network side and avoid the servers. Unfortunately, this has not been possible so far. rt
  • Glennp7777
    I began PC, workstation and server security under Linux. I had been running Windows PCs since MSDOS 3.3, but had never really delved into securing them until I began having to lock down Linux servers. Since, I have been in charge of all Windows PCs on our LAN and my own network at home with a W2K PDC Active Directory setup with Linux running Samba, SSH, SCP, LDAP, etc. The better question is whether security was an afterthought of Microsoft's!? They did not really start considering security measures in any of their Operating Systems until Windows NT. When they did, they half-a**ed it to the point that they adopted their Security initiative in 2000(?). That's probably because W2K was released like a caged dog.. for those of you who do not remember.. W2K was not mature enough to run until 6 months after release.. I sure would not have touched it in 2000!
  • RobynLorusso23
    I just want to thank everyone for your feedback so far. It's very interesting to read about the different ways you've come into the Windows security role... I also want to speak to glennp7777's comment: "The better question is whether security was an afterthought of Microsoft's!?" That is a story in itself! I think just about everyone would agree that Microsoft didn't place enough emphasis on security in the early days, maybe because increased security would mean reduced OS flexibility/usability. Maybe because the software giant didn't realize how much of a target it would become ... Generally speaking, some may say Microsoft has approached Windows security the way many companies do... Until a good hacking, virus or security meltdown occurs, an organization is not likely to invest the money and human hours in Windows hardening and threats prevention. Member BlueKnight seems to be one who was hired to handle virus problems... I guess it's a matter of when to get proactive rather than reactive about security, and what pushes people to make the change, at Microsoft and in various enterprises. - Robyn Editor
  • Sonyfreek
    I got into the security field after years of system administration experience. Of everyone I've worked with, most administrators don't really care about security; it impedes them doing their work. For example, one of my admins will immediately try to remove all of the restrictions we've imposed when he hits a roadblock. He's done things like given a user local admin privileges to make a program work, where he could have solved the problem by relaxing privileges on one or two directories versus making the entire machine a security risk. Basically, I would see things like this happening and it discouraged me. I tend to be on the paranoid side and would rather have myself or a user somewhat inconvenienced than to let a cracker get the best of my network/computer. I think every security engineer should be of like mind. Not to the point that they won't allow changes to the network. Rather, they should ensure that the changes are done properly and re-assess the risks involved prior to implementing it. Microsoft, concerned about security? When did they start caring? Probably when their profit margin started to decrease because other operating systems were being considered and implemented over the Windows product line. They wanted to get WinNT 4.0 to pass the C2 standards so they could sell it to the Government, and carried through with Common Criteria for Windows 2000. Just as long as no one outside Microsoft looks at the source code, they got away with that for a while. Then the UK started considering and using Linux OS's, so they opened up their source code to scrutiny by those Governments... I'm not sure if the U.S. Government was one of them or not, however. I believe that it was done for foreign governments only, but would be surprised if the U.S. Government didn't have it also. I think the whole Trusted Computing Environment and security is a marketing strategy that they tout about when fears arise about losing their market share. It has nothing to do with them caring about making their products safe from intrusion/flaws/bugs. Sonyfreek
  • Analog
    I think this is not uncommon at all. The simple fact is, security itself is commonly an after-thought. Not just with Windows, but in general. I find it unfair (in some cases) that Microsoft is always the target for these kinds of discussions. The trend is so very obvious. Gain popularity, and someone will pick you apart until you lose that popularity. For example, Linux. What did everyone say when Linux was first gaining popularity? It's more secure than Windows. That alone was one of the biggest reasons it gained in popularity to begin with. And what is happening now? More and more you are seeing Linux exploits reach the media (commonly blown way out of proportion -- as Windows exploits often are) and now open source is under fire and under public watch much the same way Windows has been for so many years. Not as much as Windows, no. But still, much more so than back during say, the Debian 'Hamm' days. This trend will continue. Why? Because EVERYTHING has holes. Not just Windows. And the more Linux and other OS's gain in size and popularity, the more holes you're going to see surface. This extends, of course, beyond the Linux OS but also into the large volume of open source software projects. Microsoft is taking measures that might actually put them ahead of some Linux distributions in terms of security. It's simple. There are Windows desktops everywhere. There are not very many Linux desktop shops out there. In some places, yes. In most places, absolutely not. Do you sincerely think that managing a desktop environment of 1000+ Linux stations versus the same number of Windows stations would be that better (more secure?) Probably not. By the way, I am a Linux user and in my particular line of work I do prefer it over Windows without a single doubt. I am also however a real-world fellow working in the security industry, not a hobbyist. These are my 'real-world' opinions. Thanks Slade Edmonds Systems & Methods, Inc.
  • Cazulp
    My route to Windows Security is probably similar to most. I am fortunate in some regards in that my hobby, PC's and the Internet, became my full time job after I moved from Mainframe Computers. In 1997 we deployed Internet Banking using Public Key Certificates off our own CA for mutual authentication between the Client browser and the Web Server. From there I became fully involved in deploying security software which now includes defining the security requirements for Windows 2000, Windows XP and Internet Explorer for 50,000 employees. In addition I author a security patch document which not only gives the recommended patches and settings for Windows and its components but also the issues that are involved with deployment. All this without any training or letters behind my name. Thanks to the Internet and Google, I have had the opportunity to become somewhat of an expert.