Feb 15, 2000 (Tech Web - CMP via COMTEX) -- Just two days before the
long-awaited launch of Windows 2000, Microsoft is denying reports that
the operating system has a security flaw.
The company is also not commenting on reports that the new OS is
plagued with 63,000 bugs.
The security flaw came to light when archrival Novell said in a report
on its website that some network administrators on an Active Directory
network can use their access to the network to get confidential data
such as payroll and legal information, even if they have been
explicitly blocked from accessing that data.
Novell, which offers a competing directory called NDS, said the design
of Active Directory breaks a fundamental model of security. Typically,
only a few trusted network administrators are given access rights to
sensitive information and systems in business units such as the payroll
and legal departments. Network administrators with legitimate access to
those resources can put blocks in place to prevent other network
administrators from accessing this sensitive data. But Active Directory
gives some network administrators with access elsewhere on the network
the ability to lift the blocks and access the information and systems
from which they were supposed to be locked out.
But Microsoft said there is no security hole in Active Directory. While
a select number of administrators can remove the block on an object as
described by Novell, the capability is fully auditable, meaning the
owner of the object will know that the change has been made. Moreover,
this power is necessary to be sure that objects don't become orphaned
if the administrator in charge of an object is no longer available to
access the object.
"It isn't a vulnerability," said Steve Litner, manager of the security
response center at Microsoft. "The key factor is always to provide the
protection mechanisms and a degree of auditability so you can know
what's happening."
Analysts said the alleged security hole isn't surprising, considering
Active Directory is new technology and will take some time to shake
out.
"This is a very complex system," said Tony Iams, an analyst at D.H.
Brown Associates. "It's not really that surprising. The thing to watch
is how quickly Microsoft responds."
GartnerGroup analyst Michael Gartenberg said the alleged security hole
should not dissuade users from installing Windows 2000, but users need
to first test it to see if the security hole exists and whether it will
be a problem for them.
Iams and Gartenberg said they had not confirmed the existence of the
security hole for themselves; indeed, no independent confirmation could
be found on Monday.
Also putting into question the stability of Windows 2000 was an
internal Microsoft memo leaked to the media that identified 63,000
potential bugs in Windows 2000, an operating system that Microsoft said
has undergone extensive testing by users. Analysts Gartenberg and Iams
both confirmed the existence of Microsoft's memo.
The 63,000 potential bugs were spotted by Prefix, an internal Microsoft
package for testing software. Some of these could be actual bugs,
others could be code that Prefix detects as possibly needing
optimization, and others are spots where Prefix found developer
comments noting functionality that should be improved in the next
release, analysts said.
"These are not situations you're going to encounter except in extreme
cases," Iams said.
Only users requiring maximum performance from Windows 2000 are likely
to encounter the bugs, and those users will probably be waiting for
future versions of Windows 2000 before deploying systems running the
operating system.
Microsoft did not respond to requests for comment on the bug reports.
Despite the bug reports, new information is emerging that attests to
Windows 2000's stability. In a recent survey of network administrators,
54 percent said Windows 2000 is an order of magnitude more stable than
Windows 95 or Windows 98 -- Windows 2000 "hardly crashes or has not
crashed at all" -- while 22 percent said it is much more reliable,
crashing about half as much as Windows 9x. Compared with Windows NT 4
workstation, 26 percent of respondents said Windows 2000 hardly crashes
or has not crashed at all; 25 percent said it crashes about half as
much; and 24 percent said it is somewhat more reliable, crashing about
20 percent to 30 percent less. The survey was performed in conjunction
with Giga Information Group.
But the picture is not a gloomy one; GartnerGroup also said users can
receive full payback from their investments from installing Windows
2000 in less than two years if they follow best practices.
"Microsoft needs to come up with a fix rapidly," Gartenberg said.
Copyright (C) 2000 CMP Media Inc.
techweb.com |
