There’s talk that Microsoft may introduce new certifications for desktop support and security. The discussion began last month at CompTIA’s 2002 Strategies conference. Microsoft’s Judith Morel announced that a worldwide Job Task Analysis survey of MCPs showed that MCSAs and MCSEs don’t spend much time working with client OSs. She added that there’s also strong interest in a security certification.

The desktop support strategy is certainly sound. That’s a niche that needs to be filled. For the last few years, help desk professionals have been turning to CompTIA for its A+ and even Network+ accreditations to demonstrate their desktop and basic networking expertise. But there is no reason to introduce a security certification.

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

Squeaky wheels get greased
There’s been a noticeable softening in the way that Redmond deals with Microsoft Certified Professionals. It almost seems that if IT professionals complain loudly and long enough, Microsoft will cater to their wishes. I don’t believe that’s in the best long-term interest of those earning Microsoft certification.

First, the deadline for taking Windows NT 4.0 exams was extended. Then, Microsoft announced certifications would no longer retire. More recently, there have been rumblings that Microsoft is revisiting its decision to provide only pass/fail scores on exams. All of these reversals could serve to weaken Microsoft certifications.

The large chorus of complaints that followed the scoring change is certainly fueling Microsoft’s review of that system. I still believe, as I wrote in February, that numeric scores are unnecessary. Further, if you’ve busted your tail to earn a Microsoft certification, do you want someone who failed the same test you passed to be pointed to the topics they need to study again? I thought the purpose of a certification exam was to test your IT understanding and expertise, not to help you become certified.

Now it appears that Microsoft may cave in on the security certification as well. Back in January, Microsoft’s position was that there were enough certifications. A security certification wasn’t needed.

That was then. This is now.

The only reason I see for Microsoft to consider a security certification is that so many IT professionals are saying one is needed. I disagree. I see no place for a stand-alone security track among any software or hardware vendor. Leave the security certifications to the vendor-independent organizations like CompTIA.

Every exam should test security knowledge
Remember Microsoft’s TCP/IP exam? Exam 70-059: Internetworking with Microsoft TCP/IP on Microsoft Windows NT 4.0 seemed like a critical exam back in 1998. Many observers didn’t understand how Microsoft could discontinue such an important test at a time when TCP/IP had clearly won dominance over all other protocols.

Microsoft’s explanation was logical and appropriate. TCP/IP had become so dominant, so important, and so critical that Redmond no longer felt TCP/IP should be an elective or even an exam by itself. In fact, some IT professionals were earning MCSE certification without ever proving their TCP/IP expertise. To eliminate that problem, Microsoft began including TCP/IP content in each exam, thereby requiring candidates to prove their TCP/IP knowledge regardless of which exam they were taking. This was definitely the correct step to take.

Microsoft should do the same thing with security, and I believe it will.

Whether you’re taking an exam on supporting Windows XP, administering Exchange Server 2000, or configuring Windows .NET Server, you should be pelted with questions that test your security expertise. Security is as important as any other topic, regardless of whether the exam covers a client operating system, a critical application such as enterprise e-mail, or administering and configuring servers.

A quick look at current Microsoft exam objectives shows Redmond is on the right track. The Windows 2000 Pro exam tests your ability to:

* Encrypt data on a hard disk by using Encrypting File System (EFS).
* Implement, configure, manage, and troubleshoot local security policy.
* Implement, configure, manage, and troubleshoot a security configuration.

The Windows 2000 Server exam tests your ability to perform all those actions and to:

* Deploy service packs, which often include security upgrades.
* Install, configure, and troubleshoot a virtual private network (VPN).
* Implement, configure, manage, and troubleshoot security by using the Security Configuration Tool Set.

The Windows 2000 network infrastructure administration exam tests your ability to:

* Enable, configure, customize and manage IPSec.
* Remove EFS recovery keys.
* Manage and monitor network traffic.
* Configure remote access security.

Microsoft Exam 70-220: Designing Security for a Microsoft Windows 2000 Network is devoted entirely to security, as is much of Exam 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition.

The above list, while only a sampling, demonstrates that Microsoft is already testing candidates’ security knowledge. All it needs to do is continue that effort by ensuring that each certification exam it offers tests candidates on the appropriate and relevant security issues associated with each exam topic.

Why do so many security problems still exist?
Once you’ve secured your network, there’s only so much you can do to prevent breaches and the next round of viruses from wreaking havoc. Those who write new viruses and exploit new security holes identify new security weaknesses and create new threats because most IT professionals typically work to close known holes and vulnerabilities. I don’t see how any vendor could create a credible certification that tests your ability to close security holes that aren’t widely known to exist.

Microsoft software is frequently found to have security flaws because a large community of individuals constantly pokes, prods, and snoops to locate backdoors, breaches, holes, and other weaknesses. They choose Microsoft as a target because a large number of enterprises use Microsoft software. If OS/2 had the same enterprise presence that Windows does, I feel confident that you’d be reading many more articles about security holes that need to be fixed in OS/2.

Eckel’s take
The best any vendor can do is test IT professionals on their ability to understand fundamental security issues and ensure that those administering software and configuring hardware systems know how to make the most of available security tools and keep up with updates as they’re released. As John McCormick wrote last July, it’s clear many network administrators can improve their diligence.

Certification can help by reinforcing the fundamentals, but a new certification track isn’t the solution. Instead, security fundamentals should be emphasized in every IT exam.

Microsoft recently introduced a new product support life cycle policy designed to make support availability more predictable and consistent. This will allow customers to better plan their upgrades, instead of relying on announcements about the retirement of products or the discontinuation of support for them.

Under previous policies, customers couldn’t effectively plan upgrades. This had a significant impact on IT budgets and implementation plans. Microsoft’s new policy makes clear when the support for a product will end and what types of support are available during the product life cycle.

Best online Microsoft MCTS Training, Microsoft MCITP Training at certkingdom.com

The new policy should be of great benefit to those who rely on Microsoft products, especially its operating systems.

The policies
Microsoft has adopted two support policies—one that covers business and development software, the other for consumer products, hardware, and multimedia software. The primary difference between the two is that additional paid support is unavailable for consumer, hardware, and multimedia products.

Microsoft’s Support Lifecycle policy establishes two phases of support for business and development software.

The Mainstream Support Phase lasts at least five years from the product release date. Mainstream support provides the same options and services that are currently available, including free incident support, paid incident support, hourly charge support, warranty claim support, and hot fix support. In this phase, customers can suggest design changes or feature additions, and Microsoft will evaluate the requests.

At the end of that five-year period, customers can elect to purchase extended support, which covers the product for an additional two years. With extended support, you must pay for support on an hourly basis. To get hot fix support, you have to purchase a hot fix support contract within 90 days after the end of the mainstream period. During the extended phase, Microsoft will not respond to requests for warranty support, make design changes, or add new features.

Beyond the extended phase, customers can obtain additional support through Microsoft’s strategic partners. This custom support may include assisted support as well as hot fix level support.

Online self-help support—which includes access to the Microsoft Knowledge Base, FAQs, troubleshooting tools, and other resources—is available for a period of at least eight years after the product release date. So for at least one year after the end of the extended phase, customers will have access to online resources free of charge to resolve issues without contacting Microsoft.

For Microsoft’s consumer, hardware, and multimedia products, no extended support is available at the end of the mainstream phase. Customers will continue to have access to the self-help resources, however, for the same eight-year period from the product’s release.

Service packs and patches
In addition to the new support policy, Microsoft also announced a change in its Service Pack Support Policy, which extends the availability of support for product service packs.

Previously, Microsoft only offered support for the most recent service pack; it now offers support on the current and immediately preceding service packs. Support for preceding service packs will continue for up to one year after the release of the most current one. Customers can request new or receive existing hot fixes for both during the mainstream support phase.

Microsoft will not automatically create hot fixes for the immediately preceding service packs, however. If a customer needs a hot fix for the earlier service pack, it must contact Microsoft to request it.

Security patches
For business and development software, Microsoft will offer security patches through the extended support phase at no additional charge. Security fixes for most products will thus be available for seven years from the product release date.

Microsoft will provide security patches for its consumer, hardware, and multimedia products for five years—through the end of the mainstream support phase.

Coverage
Microsoft says the new policies cover most of its currently available and future product offerings. To verify that your product is covered by the policy, you should visit the product’s Web page or find it via the Locate Your Product page.

For additional information about Microsoft’s new policies, you can visit the Support Lifecycle Support Policy FAQ page.

Potential benefit
In the long run, the new policies likely won’t result in big changes in the way Microsoft’s customers use its products, but they will add better predictability to the product life spans. Because of the new policies, customers won’t be caught off guard by announcements of the discontinuation of support for particular products.