Microsoft delivers BUG-OS, the latest version of Windows
"It's not a bug but a feature." --- P. T. Barnum
=======================
Microsoft competitor Novell today said it had uncovered a security hole in Windows 2000, a claim Microsoft denies.
Novell leveled the accusation against a technology in the Windows 2000 operating system that stands to diminish sales of Novell's main product. Novell claims the security problem affects Active Directory, which is one of the cornerstones of Windows 2000 Server, a version of the new OS. The feature would allow technology administrators to more easily manage resources on a corporate network and speed the handling of their security access.
A Microsoft executive vehemently denied a security bug existed. "There is not a security vulnerability," said Steve Lipner, manager of the Redmond, Wash.-based software maker's Security Center.
If it exists, the problem would be a blow to Microsoft as it prepares to launch Windows 2000 on Thursday. But, analysts warn, the source of the complaint may make the accusation suspect.
"Microsoft, being in the position they're in, is going to come under the scrutiny of their competition, and their competition is going to use every opportunity to point any potential flaw they may find in the product," said Gartner Group analyst Michael Gartenberg.
Novell brought the problem to Microsoft's attention on Friday, but Microsoft engineers working through the weekend could not reproduce the security breach, Lipner said.
Novell makes a similar competing technology called Novell Directory Services, which makes Active Directory a competitive threat.
Gary Hein, corporate strategist for Novell, said his company uncovered the security bug while testing software for compatibility with Windows 2000.
"There are some times when a company needs to restrict access to directories even by (network) administrators," he said. "You might not want them accessing personnel services, (human resources) or legal. Both Novell and Active Directory allow you to do that, but unfortunately Active Directory allows you to undo that."
Hein used the example of a payroll department where one person has the right to administer that directory. Administrators of other directories normally would be restricted from accessing personnel. But if that administrator goes to another directory, say engineering, where he has rights and returns to personnel, "lo and behold, he has rights," Hein said.
The problem would appear not to be in Active Directory itself but the utility used for generating rights, Hein said.
Lipner faulted Novell's methodology, which he claimed led the company to reach the wrong conclusions. Novell engineers started out by taking away "user" access rights from a directory, or in Active Directory parlance, "object," but they failed to change another important setting. Each object is assigned user rights and broader "owner" rights. By failing to remove the owner rights in testing, Novell engineers erred, Lipner said.
"The security system is operating as designed," he said. "While they attempted to remove access from a domain administrator, they really didn't do a complete job of that. They took discretionary access away but left ownership."
That oversight meant no security rights had been taken away, giving the appearance of a breach, Lipner said.
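The distinction Lipner draws between discretionary access and ownership can be modelled in a few lines. This is an added illustration, not code from Microsoft or Novell; it assumes the Windows rule that an object's owner is implicitly granted READ_CONTROL and WRITE_DAC, and all account and object names are constructed.

```python
# Simplified model of a Windows-style access check (added illustration).
# Assumption: the owner implicitly holds READ_CONTROL and WRITE_DAC.
from dataclasses import dataclass, field

READ, WRITE, READ_CONTROL, WRITE_DAC = 1, 2, 4, 8

@dataclass
class Ace:
    principal: str
    mask: int
    allow: bool = True

@dataclass
class DirObject:
    name: str
    owner: str
    dacl: list = field(default_factory=list)

def effective_rights(obj, principals):
    """Rights for a token holding `principals` (user plus groups)."""
    granted = denied = 0
    if obj.owner in principals:          # implicit owner rights come first
        granted |= READ_CONTROL | WRITE_DAC
    for ace in obj.dacl:                 # ACEs in order; first decision per bit wins
        if ace.principal not in principals:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted

def can_restore_access(obj, principals):
    """True if the token may rewrite the DACL and re-grant itself rights."""
    return bool(effective_rights(obj, principals) & WRITE_DAC)

def audit_residual_owners(objects, principals):
    """Objects whose DACL grants the token nothing, yet ownership remains."""
    return [o.name for o in objects
            if effective_rights(DirObject(o.name, "", o.dacl), principals) == 0
            and can_restore_access(o, principals)]

# Constructed sample data: the admin's ACEs were removed from both objects,
# but only the second one also had its ownership reassigned.
ADMIN = {"alice-admin", "Domain Admins"}
PARTIAL = DirObject("OU=Personnel", "Domain Admins", [Ace("hr-manager", READ | WRITE)])
LOCKED = DirObject("OU=Personnel-locked", "hr-manager",
                   [Ace("hr-manager", READ | WRITE | WRITE_DAC)])
```

Running `audit_residual_owners` over a set of restricted objects lists those where a lockout stopped at the DACL and left the administrator as owner.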
Novell stands to lose sales of Novell Directory Services should large numbers of corporations switch to Windows 2000 and Active Directory. The Orem, Utah-based software maker has been adjusting its product strategy by emphasizing e-commerce as it prepares for business beyond Windows 2000.