Security was one of four major targets that Microsoft set itself in developing an operating system fit for enterprise datacentres and large-scale e-commerce; the others being performance, scalability and availability. The security target has largely been met as far as the core operating system is concerned, but Microsoft has yet to put its house in order in other departments of the IT environment.
The major weakness is the Active/X component technology used for many applications as an alternative to Java, according to Yag Kanani, partner in charge of European secure e-business practice at Deloitte and Touche. "The whole Active/X trust model needs revising," says Kanani. He contends that the recent Love Bug virus would have been intercepted within a pure Java environment. "Java provides some additional protection to prevent certain applets being run," he says.
The Love Bug virus was specific to Microsoft Outlook Express clients, and the problem is being fixed by an update to the Outlook 98 and Outlook 2000 e-mail software. As such, it does not relate directly to the Windows 2000 operating system, but Kanani argues that the whole issue of e-mail security needs sorting out to ensure that rogue attachments can never access address books without the user's knowledge or permission.
Windows 2000 offers significant security improvements over NT 4.0 says Kanani, but needs complementing with measures at the network and applications level, and policies to restrict users' access to systems. Protection against denial of service attacks, which bombard Web servers with data, requires such a multi-pronged approach.
Another important security concern is the stack overflow attack. Here hackers exploit the fact that many applications, for example Internet search engines, have input fields that have a specified maximum length. In some cases, if a data string greater than this length is entered, the extra characters overwrite part of the system stack in the host computer where executable utilities may be held. If the additional characters contain program code, this can be made to execute on the target system.
In this way hackers can run their own programs, for example, to access confidential fields or even re-format the hard disc of the host system, which could be a Web server. Designing the application so that it discards all data in fields that are too long and requests the user to try again is the only way to provide absolute protection against attack. If the application fails to do this, the operating system can do little to help.
Windows 2000 now incorporates most of the features needed for an enterprise-class operating system. A major advance in security administration is the Security Configuration Tool, which defines policies to govern users' access rights to programs, files and parts of the network. "In previous versions, all users could access certain critical files, and could upload Trojans [programs that do not attack immediately but cause damage when other users access them], modify files, or input potentially vulnerable applications into those directories," says Kanani.
The most widely publicised security improvement is the inclusion of the Kerberos authentication system, which allows users and systems to verify each other's identities. Kerberos has substantial advantages over other authentication systems, including the NTLM protocol used in NT 4.0. For example, it supports Single Sign On, enabling users to access all resources, for which they have been granted permission via a single log-on procedure, without having to undergo additional checks during the course of a session.
This is achieved by using temporary tickets that last for the duration of a session only, avoiding the need for the authentication process to be repeated whenever the user accesses a new application or server. Instead, the user's client application presents the ticket to each new system, which then verifies that this is valid with the network's Kerberos server. Efficiency is also boosted through support for delegated authentication, which enables a service to access another resource on behalf of the client, avoiding the need for the user's system to present a ticket. Kerberos also allows users to authenticate, which is increasingly important in large complex networks where the validity of a service cannot be taken for granted.
Kerberos does have a potential weakness in its reliance on a single server to hold details of users. It also only addresses the authentication requirements of the network, and does not facilitate non-repudiation, which is essential for many e-commerce applications to prove that a transaction actually took place. Therefore, Kerberos on its own is of no use for external environments, notably the Internet, where users are not automatically known to the system. For the latter, some mechanism for verifying identities via mutually trusted third parties that can issue certificates of proof is required. To cater for this, Microsoft has developed Certificate Services for Windows 2000, based on a public key infrastructure, which will facilitate secure Internet applications with the option of using smartcards, or some other devices owned by the user, to provide an additional level of protection on top of passwords or Pin numbers.
So Windows 2000 now has most of the right features, but its security has yet to undergo the prolonged exposure to real-world applications that, for example, Unix has in its major versions. The case has yet to be proven, and it may well be that some security holes emerge that will be closed in subsequent releases.
The security of Windows 2000 also relies on correct configuration. To maintain backward compatibility, some of the earlier, looser security mechanisms have been maintained as options. But there is a danger that sites upgrading from NT 4.0 to Windows 2000 will leave some of the old procedures in place. "There's quite a tendency to keep the system the way the old one used to be," says Kanini.
Partly to cater for the risk that poor configuration could jeopardise the security of Windows 2000, Microsoft is trying to boost awareness through its training programme. Until now security has been covered as part of the general administration courses within the Microsoft Certified System Engineer training programme, but is now addressed in a dedicated course entitled, How to Design and Secure a Windows 2000 Network.
According to Microsoft's UK education manager, Clare Curtis, the course aims to ensure that customers understand all the new features and can apply them effectively within an overall security model. It would be advisable for every Windows 2000 site, whether greenfield or upgrading from NT 4.0, to send at least one person on this course.