During the course of his 15-year career with the company, Muglia has been given such responsibilities as managing the development of the MSN network, the Microsoft Office suite and Windows Server applications. These days, Muglia is running the storage business he started some 22 months ago while at the same time overseeing Microsoft's enterprise management division.
But outside events may have conspired to turn this into one of his toughest assignments.
During the last couple of years, hackers have repeatedly compromised Microsoft software by exploiting Windows vulnerabilities. The company contends that its software security is improving but allows that it remains a target for the foreseeable future.
The $64,000 question is whether this studied ambiguity will hinder Microsoft's ambitions to sell more of its software to information technology directors with big corporate data centres. Muglia spoke with CNET News.com about the steps Microsoft is taking to foster better enterprise management and how the security issue is affecting the company.
Q: Microsoft has been talking a lot about interim steps -- such as getting users to turn on firewalls -- before making broader changes in the software. Is that the extent of what you can do about security in the near term?
A: Many things go into securing systems. Clearly, we've been working on eliminating problems, and as we continue to find them, we'll make sure to get patches out there. But that's not the only thing we have to do.
For instance?
With Blaster (also known as MSBlast), customers who had the Internet firewall turned on didn't get hit. In general, the idea of having that kind of level of defence is very useful. So we're looking at ways to get the (Internet Connection Firewall) turned on and finding ways to make it as effective as it can be -- in addition to offering tools that prevent people from getting into the system. The way I like to think of it is that you need multiple levels of defence. Like with a house, you need a gate, which is one level of defence. Then you need your doors locked -- and maybe an alarm turned on as well.
When Steve Ballmer gave his presentation at the Churchill Club a few of weeks ago, he talked about "shield technology." What is that going to include?
It's what I'm talking about with fences. Fences and shields are not that different.
Well, what is a shield?
A firewall is a shield. I like to think of the broader term, "countermeasures," because this is an ongoing battle. That hackers are committing criminal acts -- and they are -- if they want to exploit things, they will adopt all sorts of measures to do so. The question becomes: how can we put countermeasures in place that make it as difficult as possible for them? You want them to go someplace else. You don't want them to go to your house.
Go to Linux?
Not Linux. Fundamentally, you want people to build their systems structure so that if a hacker tries to find machines to get into, they won't be able to get into yours. The idea of having countermeasures in place is focused on turning hackers away -- just like a locked door is.
So, what's the real problem? Is it the fact that many people are still not turning on firewalls or is it the way Microsoft's software gets designed?
I think it's a combination. For sure, there are things people can do, and that's why we're working with our original equipment manufacturers and running an ad campaign to get those firewalls turned on. That will help. But clearly, there are places where we can change the structure of our software.
Such as?
We need to make sure that the opportunities hackers have found to get into areas -- that we get rid of those. Those are essentially vulnerabilities we've had to close.
There's more and more interest in remote management. And now, you have blade servers and gigantic data centres. The specific job of remote management is to let someone on another side of the network take control of your computer. Does that fundamentally open security vulnerabilities -- because you have to build in so many capabilities to allow for remote management?
Not really. If access is protected through a security mechanism -- like a difficult-to-break password or a smart card -- that's a very secure mechanism. There's just a search. There's a certificate I need to unlock with a personal identification number, and then there's a password. With that combination, nobody's going to guess that password. It's just impossible.
4%
4%
I think one of the points that Muglia made was that no software is 100% without flaws. I think people need to get that in their head. Also, with all of these viruses the clients I support as a consultant have not been effected by any of them. Why? Because we have policies and procedures for perimeter defense (Firewalls/Routers), Patch management (SMS, SUS) and AV. If a company gets hit with one of these viruses who knows what has been stolen from them because of their wideopen firewalls that allow RPC traffic from the web.