Mary Kay's Web-Site Makeover

In a four-month project intended to improve the security and performance of its Web site, cosmetics manufacturer Mary Kay Inc. has nearly completed an upgrade to Microsoft's newest operating system and Internet-server software. Mary Kay is replacing Windows 2000 Server with the newer Windows Server 2003 on approximately 20 Web servers, each equipped with four Intel Pentium 4 processors. At the same time, it's swapping Microsoft's older and more vulnerable Internet Information Services 5.0 Web server software with IIS 6.0. The project is 90% complete, according to the company's chief architect of E-business, Barry Bloom.

Mary Kay's Web site, www.marykay.com, is used by a far-reaching network of independent salespeople and consumers. The 40-year-old company doesn't sell its products directly to consumers online, but links shoppers to the Web pages of some of its more than 1 million beauty consultants, where they can purchase Mary Kay products. Last year, the company's wholesale sales exceeded $1.5 billion.

While Mary Kay avoided any significant security problems with Windows 2000 and IIS 5.0, there were "stability issues" associated with IIS 5.0's inability to isolate the processes of applications based on Microsoft's .Net Framework, Bloom says. Because of that shortcoming, one glitch could affect all applications running on a server.

IIS 6.0 addresses that vulnerability by isolating application processes so that one faulty process can't impact an entire system. In addition, Mary Kay was able to lower the access privileges of IIS 6.0 accounts, so that a potential intruder might do less damage. And, consistent with Microsoft's "secure by default" strategy, many of IIS 6.0's features come disengaged out of the box. "The attack surface is greatly reduced," Bloom says.

During the project, Mary Kay used TeaLeaf Technology Inc.'s RealiTea application-management software to assess Web-site performance. RealiTea lets system administrators view the performance of a Web application from the user's perspective. "We all know load testing only tells part of the story," Bloom says. "It's only when [an application is] in users' hands that you know for sure."The TeaLeaf product also helps Mary Kay gauge Web-site performance over time. "We use it to grade ourselves and the user experience of our applications," Bloom says. As a result of the upgrade, some Mary Kay applications run 50% faster and Web pages appear more quickly.

Bloom expresses "faith" that Microsoft is working hard to improve the overall security of the Windows environment but acknowledges he'd like to see more progress with the vendor's patch-management processes. "Every time we have a patch," he says, "it's an upheaval."