Users and trainers: Microsoft MCSE training faulty

IT professionals and trainers in the United States are blaming insufficient security training offered under the nationwide Microsoft Certified Systems Engineer program for contributing to the spread of Code Red and other damaging viruses.

In an e-mail newsletter sent out last week to its 96,000 members, the Bethesda, Md.-based SANS Institute, a research and education organization for systems administrators, urged MCSEs to take a free class offered by the institute on how to reconfigure and patch Windows-based systems against the vulnerabilities exploited last month by the Code Red worm. The core courses required to attain MCSE certification don’t provide the level of security training engineers need to protect their systems, according to SANS Institute officials and other industry experts.

MCSE trainers and students contacted by Computerworld last week said they agree with the organization. Most noted that while basic security is covered as part of the Microsoft Official Curriculum for MSCE certification, in-depth security training is optional and not a core requirement.

The shortfalls in MCSE training are “one of the root causes of lax security in the private sector,” said Keith Morgan, chief of information security at Terradon Communications Group LLC, a Nitro, W.Va.-based network security services company.

“Every MCSE that comes through our door has to be quizzed on his level of security understanding,” said Morgan. “Most of them have to be trained in even the most basic of security principles. It costs us time and money.”

MCSEs design, install, support and troubleshoot information systems based on Microsoft Corp. software.

Alan Paller, director of the SANS Institute, said the recent outbreak of the Code Red worm, which took advantage of vulnerabilities in Microsoft’s Internet Information Services (IIS) software and a misconfiguration in the Internet Server Application Interface (ISAPI), is a perfect example of how MCSE training falls short.

“It is a situation where MCSEs had no idea that there is a fundamental vulnerability in IIS and ISAPI mapping and so had no way to protect their systems other than after-the-fact patching,” said Paller.

“One of the saddest dimensions of information security is that hundreds of thousands of people earned MCSE certifications without being required to demonstrate any competence in security,” stated the SANS newsletter.

Robert Stewart, general manager of training certification at Microsoft, countered that each of the four core classes required for MCSE certification covers various aspects of security.

“There are definitely items and sections of the core exams that focus on security,” said Stewart. In fact, the Windows 2000 Server administration course includes a “pretty big piece on security,” he said. “And you can’t pass through the gate and become an MSCE without passing it.”

MCSE students are required to take five core exams on how to configure, design and administer a Windows 2000 network. (Windows 2000 certification replaced NT certification this year.) However, of the four core design courses offered, only one is geared specifically toward security – and it’s optional.

“There’s nothing specific on security,” said Bob Hillary, vice president of academic affairs and chairman of the IS department at New Hampshire Community Technical College, a major MCSE training center, in Portsmouth. “It’s not that MCSE training is without security, but it’s an elective. Just as they have an ‘MCSE plus I’ for their Internet certifications, they should have an ‘MCSE plus S’ for security,” said Hillary.

Although the in-depth security course is an elective, Stewart said, the fact that Microsoft has designed a specific course on security demonstrates the company’s commitment.

MCSE training is conducted by dozens of private service providers throughout the country. Microsoft, through its training Web site, “makes no warranties or representations with regard to their services.”

Terry Lewis, an MCSE training instructor at Emergent Technologies Inc. in Reston, Va., agreed that security training is “very basic” and should be enhanced. However, to do that, the five-day core courses would have to be lengthened, he said.

“In Microsoft’s defense, I don’t think that in a certification training environment you can teach the in-depth subject of security,” said Lewis. “Should there be more security? Absolutely. Is there any time that can be thrown out of the current courses and devoted to security? No.”

Microsoft Canada in Mississauga, Ont. can be reached at