
Microsoft Adding New Security Exam – is it Enough?

 

Microsoft has recently announced that it is beefing up the security portion of its certification track by introducing exam 70-214, Implementing and Administering Security in a Microsoft Windows 2000 Network. With this exam, which goes into beta in mid-October, Microsoft now has two security-related exams for its Windows 2000/.NET certification tracks that MCSE and MCSA candidates can take (the other one is 70-220, Designing Security for a Microsoft Windows 2000 Network). This is consistent with Microsoft’s announced “trustworthy computing” initiative, but is it enough?

 

It seems to me, as someone who has been around Microsoft technologies for a number of years and has been an MCSE since early 1997, that Microsoft misses the mark here in one critical way. The problem isn’t with the security exams themselves, and to be fair it appears from the exam objectives for 70-214 (http://www.microsoft.com/traincert/exams/70-214.asp) that Microsoft is finally addressing the security issues that are relevant for day-to-day network administrators who manage Microsoft products. However, where Microsoft comes up short is that making the new exam an elective shows that they really don’t take network security as seriously as they should. Some of the skills being measured by this exam, such as implementing, managing, and troubleshooting service packs and security updates, are of critical importance to a network administrator and should be foundational knowledge.

 

In my experience, only a small percentage of Windows 2000 MCSEs bothered to take the 70-220 security design elective, as it is considered one of the harder design exams. Most opt for the easier 70-219 designing Active Directory exam. This type of practice has history on its side as well, as during the NT4 days the majority of MCSEs had Internet Information Server as an elective. This was in part because IIS 3.0 and later 4.0 counted towards the “+I” certifications, but the main reason people took the exam as an elective was that it was widely regarded as the easiest elective. Too many times to count, I have seen people going through the MCSE track come onto the discussion forums and ask for people’s opinions as to what the easiest elective was. Oftentimes it was just that the person was getting tired towards the end of the track and wanted to wrap up as quickly as possible, but in other cases people genuinely wanted the easiest path possible. If history repeats itself, and it likely will, the 70-214 exam won’t be particularly popular with the majority of certification candidates. If that happens, it will be disappointing, because 70-214 has the makings of a valuable exam, especially as technology moves forward with the further integration of wireless networks into corporate LANs, making security even more important.

 

One could make the argument that it is the fault of the exam taker for not taking the initiative to take tougher exams that yield more practical skills; however, it also behooves Microsoft to recognize the problem and correct it in its certification program. That is especially true given Microsoft’s notorious reputation for being light on security in their products and in their emphasis. The best approach as I see it would be to stop trying to patch the certification program, and instead blow it up and rebuild it from scratch. It’s no coincidence that the value of certification has declined as holding certification has become less of an indicator of real-world performance.

 

Microsoft made progress by integrating TCP/IP, once an elective, into the core exams on the Windows 2000/.NET tracks. They recognized that TCP/IP knowledge was no longer optional for a Microsoft certified professional, but was mandatory. Now they need to step up and recognize that security is no longer optional either, but is mandatory. A Windows 2000 administrator who can’t secure the operating system (as much as can be done) against outside threats and doesn’t understand the security tools and procedures available just isn’t of much value in the real world. By not integrating security into the requirements for obtaining the MCSE (it can be justified not to include it in the lower-level MCSA), Microsoft isn’t adequately preparing certified professionals to succeed in the real world, and therefore dilutes the value of the certification in a day and age where network security is at the forefront of importance.

 

So, while Microsoft is making strides by introducing the 70-214 exam, they still have a ways to go to show they are ready to emphasize security to the degree that is necessary in today’s corporate world. Rather than just releasing .NET equivalents of the Windows 2000 exams, we need to see a new certification track altogether, with new exams, where security is just as integral a part as networking.