Win2000: A Security Milestone -- with a Mile More to Go
By Alex Salkever
When Microsoft shipped its Windows 2000 suite of operating systems a year ago last January, it included a bonus: an array of new security features designed to keep hackers at bay. The features had another message: They were also aimed at lessening the widely held perception that Microsoft products are security sieves. Even so, security experts reacted cautiously to the Win2K release. And the hacker community, which views any new product from Bill Gates & Co. as a fresh meat, drooled at the prospect of a new Microsoft program to rip apart and publicly embarrass.
A year later, many security companies have had the chance to examine Win2K in detail. And hackers have had their shots at cracking it. So how have Redmond's promises of improved security stood up after this gimlet-eyed scrutiny? Surprisingly well. While plenty of security flaws have been discovered in Win2K, experts say they're less serious than past holes. And very few have been of the variety that allows intruders to take full control of a computer network remotely -- doomsday for any company that sells software.
What's more, the new security features, which do everything from give systems administrators more control over who can do what on a network to vastly improved password encryption, have given Microsoft a solid base to build on. "In a nutshell, Microsoft has stepped up to the plate big-time," says Joel Scambray, managing director at Internet security consultancy Foundstone.
But for all the progress, Redmond's flagship enterprise product still has ground to cover on the security front. Yes, Windows 2000's security vulnerabilities are far less serious than those found in its predecessor, Windows NT 4.0. But while they're all minor, it seems there's more of them.
The Bugtraq vulnerability list maintained by SecurityFocus.com logged 87 reported vulnerabilities on Windows 2000 last year. That compares to 84 vulnerabilities reported against NT 4.0 during the same period. The upshot? Win2K as an out-of-the-box install has too many holes. "They still have some work to do," says Steve Kleynhans, a vice-president at info consultants Meta Group.
What's behind all the niggling bugs? The bells and whistles that Redmond habitually throws into everything it ships in the name of functionality (i.e., ease of use), present myriad opportunities for cybercrooks to wreak havoc. "From our perspective, added functionality is added risk that they don't need to take. A lot of people just don't use all the functionality," says Chris Wysopal, vice-president for research and development at security outfit @stake.
For example, Win2K comes with a "phone book" server function that creates a directory, located on a Web page, of phone numbers of people on a computer network. The feature might be useful for a systems administrator who doesn't want to have to set up such a capability himself. But a system administrator ignorant of this default capability might leave all the phone numbers of his company out on the public Internet.
What's more, the phone server also contains a "buffer overflow" vulnerability. That means an attacker can flood an input field on a Windows 2000 phone-server Web page with more characters than programmers had anticipated the software would ever need to handle. Through simple brute force, that onrush of characters can overload the program and cause the network to crash.
For those reasons, Wysopal thinks Microsoft should require users to explicitly turn on the phone-server function rather than simply ship Windows 2000 with it already active. The phone server is just one of dozens of functions that are turned on automatically in the default installation of Microsoft, he adds.
For Microsoft, this is a tough point to concede. The company has always been reluctant to alienate users who love simplicity, and it's loath to dig into the guts of its operating system to fine-tune the network. Redmond's solution, thus far, has been to leave everything turned on. "Microsoft tends to build a home, sell it to the end user, and ship it with all the doors and windows open." says Kleynhans.
This can let e-mail viruses in, such as the "Anna Kournikova" virus that mangled servers earlier in February and the notorious "Love Bug" virus that struck networks around the globe last spring. All these viruses have relied on the fact that Microsoft Outlook allows users to execute files attached to e-mail with a single mouse click.
Although Microsoft gladly supplies a free patch that'll remove this capability, the company still ships Windows 2000 with an Outlook Express version that remains vulnerable to all these viruses. "The problem that we as Window's users have is that some yo-yo can force a program down our throat that will hurt us," says Jon Callas, the director of software engineering at managed-security-services provider Counterpane. Microsoft did not return several requests for comments for this story.
Still, Microsoft has much to be proud of with the security it has built into Windows 2000. And that security will get only stronger as more companies migrate from mixed networks of Windows NT 4.0 and Windows 2000 machines to networks exclusively made up of computers running the newer software. Pure Windows 2000 networks can take full advantage of many security features that don't work when the system has to account for Windows NT 4.0 machines. And clearly, the company has come a long way from the wide-open doors of Windows 3.1 when any punk with a modem could punch holes in the software.
But Microsoft would do well to sacrifice a little more usability for a little more security. That could mean making it slightly harder to turn on features that a very small number of users will need. But for the majority of Windows 2000 users, such a change would provide peace of mind when they install the software straight out of the box, as most do.
Salkever covers computer security issues twice a month in his Security Net column, only on BW Online
Edited by Douglas Harbrecth