OK, this is somewhat old news, but somehow it slipped off my radar back in February. Even when I showed it to a few IT admins today who follow such news very closely, they mentioned to me that they don't remember seeing anything about this in the SANS newsletter, NTBUGTRAQ, or any other security mailing list.

Microsoft Triumphant in OpenHack 4 Competition

In October 2002, eWeek Labs launched its fourth annual OpenHack online security contest. That year's contest, the third year of participation for Microsoft, was designed to test enterprise security by exposing systems to the real-world rigors of the Web. Both Microsoft and Oracle were given a sample Web application by eWeek and were asked to redevelop the application using their respective technologies. Individuals from throughout the world were then invited to attempt to compromise the security of the resulting sites in exchange for cash prizes.

Microsoft developed its application using the Microsoft .NET Framework, IIS 5.0, Windows 2000 Advanced Server, and SQL Server 2000. (It should be noted that Microsoft Windows .NET Server 2003 with IIS 6.0 would have been used had it been released at the time of the contest. In Windows .NET Server 2003, several of the steps we took to "lock down" the operating system and Web server are already completed by default.)

The results of the competition may be found at: http://www.eweek.com/category2/1,3960,600431,00.asp

In total, the Microsoft solution withstood over 82,500 attacks. Microsoft emerged from OpenHack 4 unscathed, as it did in its previous engagements with the first and second OpenHack competitions.

An article explaining how the solution was built and configured, including best practices for software developers and systems administrators to secure their own solutions, is available at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/openhack.asp

(This text was copied from http://www.microsoftsoutheast.com/news/product_news_0302.asp)

I don't know about you, but I'm sick and tired of hearing people out there constantly bicker and complain about how Microsoft sucks or how insecure their software is. Things like that just bother me. Obviously, if Microsoft WON the OpenHack 4 competition, then it's been shown that security on Windows can be achieved. There's one caveat here... the person(s) setting up the box must actually know what they are doing and pay attention to proper setup. One of the major roots of this problem is, I think, that some IT admins (i.e., those that constantly bicker and complain about Microsoft) think that adminning a Windows Server is the same as their PC at home. Well, IT'S NOT! Just because your Windows XP Home Edition PC (or, heaven forbid, you're still running Windows 95, 98, or Me) looks and feels similar to your Windows Server at work doesn't mean that they are the same! Anyway, I think I've beaten this topic enough for now. But rest assured, this gripe will come back every now and again, because this post will not all of a sudden magically cure all the admins who think like I've described.