In a four-month project intended to improve the security and performance of its Web site, cosmetics manufacturer Mary Kay Inc. has nearly completed an upgrade to Microsoft's newest operating system and Internet-server software.
Mary Kay is replacing Windows 2000 Server with the newer Windows Server 2003 on approximately 20 Web servers, each equipped with four Intel Pentium 4 processors. At the same time, it's swapping Microsoft's older and more vulnerable Internet Information Services 5.0 Web server software with IIS 6.0. The project is 90% complete, according to the company's chief architect of E-business, Barry Bloom.
Mary Kay's Web site, www.marykay.com, is used by a far-reaching network of independent salespeople and consumers. The 40-year-old company doesn't sell its products directly to consumers online, but links shoppers to the Web pages of some of its more than 1 million beauty consultants, where they can purchase Mary Kay products. Last year, the company's wholesale sales exceeded $1.5 billion.
While Mary Kay avoided any significant security problems with Windows 2000 and IIS 5.0, there were "stability issues" associated with IIS 5.0's inability to isolate the processes of applications based on Microsoft's .Net Framework, Bloom says. Because of that shortcoming, one glitch could affect all applications running on a server.
IIS 6.0 addresses that vulnerability by isolating application processes so that one faulty process can't impact an entire system. In addition, Mary Kay was able to lower the access privileges of IIS 6.0 accounts, so that a potential intruder might do less damage. And, consistent with Microsoft's "secure by default" strategy, many of IIS 6.0's features come disengaged out of the box. "The attack surface is greatly reduced," Bloom says.
During the project, Mary Kay used TeaLeaf Technology Inc.'s RealiTea application-management software to assess Web-site performance. RealiTea lets system administrators view the performance of a Web application from the user's perspective. "We all know load testing only tells part of the story," Bloom says. "It's only when [an application is] in users' hands that you know for sure."
