Windows 2000: It's new, it's big! Is it secure?
Jim Reavis
Network World on Security, 10/27/99
As I am just putting the finishing touches on this article, the news coming across the wire is that Windows 2000, the rechristened NT operating system, will in fact live up to its name and be released in February of 2000, not late in 1999 as repeatedly promised. Microsoft President Steve Ballmer said at the Gartner Group's Symposium/ITxpo that Microsoft would not ship Win 2000 until it was "absolutely, positively right."
This will likely be acceptable to most of you in IT land, as there is an increasing recognition that this is a significant upgrade worthy of the name change. Many of the new features in Windows 2000 are security related and take advantage of emerging standards. Will Windows 2000 improve your organization's security posture?
The new security features in Windows 2000 cover a variety of new areas. One of the most notable and pleasant features is the integration of IP Security. IPSec is an IETF standard for authenticating and encrypting IP traffic at the network layer, so it protects whatever runs above it without changes to applications. It is a mandatory part of IPv6 and is considered a more secure way of protecting TCP/IP traffic than its predecessors, including Microsoft's own Point-to-Point Tunneling Protocol. IPSec is fast becoming the lingua franca of virtual private networks, and Microsoft's native adoption of it is significant in giving organizations the capability to roll out secure, heterogeneous VPNs globally. One caveat: "IPSec-compliant" covers a lot of ground, and key exchange (IKE) and peer authentication by certificate or preshared key are where implementations from different vendors tend to disagree, so test interoperability with the other end before committing to a mixed-vendor VPN.
A significant security standard implemented in Windows 2000 is Kerberos, the network authentication protocol developed at MIT. Like IPSec, Kerberos is on the IETF standards track, and it gives Windows 2000 a standard way to authenticate to, and accept authentication from, other Kerberos-based enterprise systems such as Unix realms.
Unlike NTLM, Microsoft's current authentication protocol, Kerberos authenticates both ends: the client proves its identity to the service, and the service proves that it holds the key under which the domain controller issued the ticket, so a rogue server on the internal network cannot pass itself off as a legitimate one. That mutual authentication makes Kerberos a superior option for mitigating the risk of internal security breaches. Kerberos can be used in place of NTLM for homogeneous Windows 2000 communications, but Windows 2000 will still need NTLM to authenticate with NT 4.0 and Windows 9x systems, and as long as those systems remain, NTLM stays enabled and its weaknesses stay reachable. For those of you who had large networks of PCs using NetBEUI that were migrated to TCP/IP, expect a similarly long period of coexistence before you are off NTLM. Kerberos-aware networks will become increasingly important; Kerberos is not only more secure but also more efficient, because a server validates a client's ticket with its own key instead of making the pass-through call to a domain controller that NTLM requires for every network logon. It also provides a solid foundation for open single sign-on solutions.
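The exchange just described, as an added example in Go (not Microsoft or MIT code). It collapses the AS and TGS exchanges into a single Issue call, uses JSON and AES-GCM in place of Kerberos's ASN.1 messages and encryption types, and gives the principals alice and host/fs fixed 16-byte keys that are constructed stand-ins for password-derived keys. The part to watch is ServiceAccept: it validates the ticket with the service's own key and never talks to the domain controller, and the AP-REP it returns is what lets the client confirm it reached the real service rather than an impostor.

```go
package main // Toy Kerberos exchange (added example; JSON and AES-GCM stand in for RFC 1510's ASN.1 and etypes).

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Ticket sealed under the service key is the ticket; sealed under the client key it is the KDC reply.
type Ticket struct {
	Client, Service string
	SessionKey      []byte
}

// Authenticator is built fresh by the client for every request.
type Authenticator struct {
	Client    string
	Timestamp int64
}

// seal/unseal: AES-GCM with the random nonce prepended to the ciphertext.
func seal(key []byte, v interface{}) []byte {
	pt, _ := json.Marshal(v)
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return append(nonce, g.Seal(nil, nonce, pt, nil)...)
}

func unseal(key, ct []byte, v interface{}) error {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	ns := g.NonceSize()
	if len(ct) < ns {
		return errors.New("ciphertext too short")
	}
	pt, err := g.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return errors.New("wrong key or tampered message")
	}
	return json.Unmarshal(pt, v)
}

// Issue is the domain controller's job; keys holds every principal's long-term key.
func Issue(keys map[string][]byte, client, service string) (forClient, ticket []byte, err error) {
	ck, sk := keys[client], keys[service]
	if ck == nil || sk == nil {
		return nil, nil, errors.New("unknown principal")
	}
	t := Ticket{client, service, make([]byte, 16)}
	rand.Read(t.SessionKey)
	return seal(ck, t), seal(sk, t), nil
}

// ClientRequest opens the reply with the client's key (a wrong password's key cannot) and builds a fresh authenticator.
func ClientRequest(clientKey, forClient []byte, now time.Time) (sess, auth []byte, err error) {
	var t Ticket
	if err := unseal(clientKey, forClient, &t); err != nil {
		return nil, nil, err
	}
	return t.SessionKey, seal(t.SessionKey, Authenticator{t.Client, now.Unix()}), nil
}

// ServiceAccept validates ticket and authenticator with the service's own key alone: no call to the domain controller.
func ServiceAccept(serviceKey, ticket, auth []byte, now time.Time) (apRep []byte, client string, err error) {
	var t Ticket
	if err := unseal(serviceKey, ticket, &t); err != nil {
		return nil, "", errors.New("ticket was not issued for this service")
	}
	var a Authenticator
	if err := unseal(t.SessionKey, auth, &a); err != nil {
		return nil, "", errors.New("authenticator not under the ticket's session key")
	}
	// Five-minute skew window (the Kerberos default) bounds replay of a captured request.
	if d := now.Unix() - a.Timestamp; a.Client != t.Client || d > 300 || d < -300 {
		return nil, "", errors.New("authenticator stale or for another client")
	}
	// AP-REP: echoing the timestamp under the session key proves the service read the ticket, so it holds the service key.
	return seal(t.SessionKey, a.Timestamp), t.Client, nil
}

// ClientVerify checks the service's proof against the timestamp the client sent; NTLM has no such step.
func ClientVerify(sess, apRep []byte, sent int64) bool {
	var ts int64
	return unseal(sess, apRep, &ts) == nil && ts == sent
}

func main() {
	keys := map[string][]byte{"alice": []byte("alice-password-k"), "host/fs": []byte("fileserver-key!!")}
	now := time.Now()
	forClient, ticket, _ := Issue(keys, "alice", "host/fs")
	sess, auth, _ := ClientRequest(keys["alice"], forClient, now)
	apRep, who, err := ServiceAccept(keys["host/fs"], ticket, auth, now)
	fmt.Println(who, err, ClientVerify(sess, apRep, now.Unix()))
}
```

The failure cases worth trying against it are the ones the paragraph implies: a client key derived from the wrong password cannot read the KDC reply at all, an authenticator captured on the wire and replayed after the skew window is refused, a ticket sealed under any key but the service's is refused, and an impostor without the service key cannot produce an AP-REP the client will accept.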
Other new security features incorporated into Windows 2000 include:
* Encrypted File System. One component is transparent file encryption on NTFS file systems, configurable on a per folder/file basis. The underlying algorithm is DESX, a strengthened variant of DES, with 128-bit keys for North America and 40-bit keys internationally. Microsoft is lobbying the Department of Commerce for an exemption to export strong crypto, but that will not happen the first time around, even with the release delay and the Clinton Administration's pronouncement of loosening crypto regulations. However, even weak crypto is an improvement over nothing, and if you are not already using PGP or something else to encrypt your data, there is no reason not to use a seamless option like Encrypted File System (EFS). Keep its scope in mind: EFS protects files on disk against someone who gets around NTFS permissions, for instance by booting the machine from another operating system; it does nothing for data in transit, and a process already running under the user's account sees the files in the clear.
The Encrypted File System includes recovery capabilities, a feature that will delight administrators and infuriate privacy advocates. Any time a crypto system is recoverable, the possibility exists that an unauthorized person can decrypt data: whoever holds the recovery agent's private key can open every file encrypted under that recovery policy, not just one user's. An analysis of EFS key recovery by security analysts is ongoing; so far all parties agree that it is critical to store the recovery key securely and maintain physical security to ensure that the recovery capability is not compromised and data is not exposed. In practice that means exporting the recovery agent's certificate and private key to removable media, deleting the private key from the machine, and locking the media up; a recovery key that lives in an administrator's profile on the same disk as the data is only as safe as that account's password.
* Public-key infrastructure. PKI will be an integral part of Windows 2000. Several standards are incorporated into the operating system to enable Windows 2000 to function as a PKI, including a certificate authority, the LDAP-enabled Active Directory, a key management system, and other related components. It remains to be seen what the impact will be on the third-party PKI industry; it is likely that Microsoft's own PKI solution will be sufficient on the low end and midrange.
* Extensive Testing. Windows 2000 has had an extensive development and test period. The first beta appeared in September of 1997, and Beta 2, which had most of the final features in place, shipped in August of 1998. Beta 3 shipped in May and Release Candidate 2 shipped in September to over 650,000 subscribers. Microsoft also took a new step in its development process by opening Windows 2000 to a hacker challenge. Launched in August of this year, the Microsoft Windows 2000 Beta Internet Test Site has apparently withstood most attacks.
Microsoft has stated that the challenge has pointed out some denial of service problems related to TCP SYN and fragmentation attacks, but if someone has found a major hole in this test, they have not come forward. Now, as any security expert can tell you, a test like this cannot prove security, only insecurity. Nor does it say anything about whether the configuration tested is the Windows 2000 default, or one that systems administrators can easily duplicate. Still, it is a positive that Microsoft has had enough confidence to hold a hacker challenge and at least found a few issues worthy of fixing. If nothing else, you cannot accuse Microsoft of rushing to get this product out; it has been a long time coming.
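The recovery design of the Encrypted File System item above, modelled in Go as an added example (not Microsoft's EFS implementation). EFS keeps a random file encryption key with each file, wrapped once to the owner's public key (the Data Decryption Field, DDF) and once to the recovery agent's public key (the Data Recovery Field, DRF); the model keeps that layout but uses AES-GCM and RSA-OAEP where Windows 2000 used DESX and RSA, generates all keys in-process, and encrypts a constructed sample string. DecryptFile is the point: it opens the file with either private key, which is exactly why the agent's key needs more protection than any single user's.

```go
package main

// Model of the EFS key layout (added example, not Microsoft's EFS code): a random
// file key encrypts the data and is wrapped once for the owner (the DDF) and once
// for the recovery agent (the DRF). AES-GCM and RSA-OAEP stand in for the DESX
// and RSA used by Windows 2000 EFS.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what stays on disk: ciphertext plus the two wrapped copies of the file key.
type EncryptedFile struct {
	Nonce, Body []byte
	DDF, DRF    []byte // file key under the owner's and the recovery agent's public key
}

func fileCipher(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile generates a fresh 256-bit file key and wraps it for both parties.
func EncryptFile(plain []byte, owner, agent *rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	g, err := fileCipher(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ddf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, owner, fek, nil)
	if err != nil {
		return nil, err
	}
	drf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agent, fek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{nonce, g.Seal(nil, nonce, plain, nil), ddf, drf}, nil
}

// DecryptFile succeeds with EITHER private key. Whoever holds the agent's key can
// therefore open every file on the system, which is why that key belongs on
// removable media under physical control rather than in a profile on the machine.
func DecryptFile(f *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	var fek []byte
	for _, wrapped := range [][]byte{f.DDF, f.DRF} {
		if k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil); err == nil {
			fek = k
			break
		}
	}
	if fek == nil {
		return nil, errors.New("neither key field opens with this private key")
	}
	g, err := fileCipher(fek)
	if err != nil {
		return nil, err
	}
	// GCM also detects a tampered body, something EFS's DESX in CBC mode did not do on its own.
	return g.Open(nil, f.Nonce, f.Body, nil)
}

func main() {
	owner, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	f, err := EncryptFile([]byte("constructed sample: Q4 salary spreadsheet"), &owner.PublicKey, &agent.PublicKey)
	if err != nil {
		panic(err)
	}
	byOwner, _ := DecryptFile(f, owner)
	byAgent, _ := DecryptFile(f, agent)
	fmt.Printf("owner reads: %s\nagent reads: %s\n", byOwner, byAgent)
}
```

Note what the model does not do: changing the recovery agent only affects files encrypted afterwards, because the DRF on existing files still names the old agent's key, so rotating the agent means re-encrypting the files, and a copy of the old private key keeps working on anything that was not rewritten.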
The major security questions we have with Windows 2000 do not concern whether or not Microsoft is trying to do the right thing - they clearly are, and the security feature enhancements we have mentioned are welcome. The question is: Can any single company's testing and quality assurance process deliver 30 million lines of code without significant security vulnerabilities?
A lot of new concepts are introduced in this release, chief among them the Active Directory. It is built on the standard Lightweight Directory Access Protocol, but LDAP specifies no security model, so the access control on directory objects and the trust relationships between domains are Microsoft's own invention, with no track record outside Microsoft's own testing. Microsoft clearly has placed more emphasis on security in this operating system than in any of its predecessors. If the Windows 2000 release is followed by a relatively minor spate of security bugs, it will prove that the heightened emphasis on security can translate into a successful and secure operating system. If Windows 2000 proves to have an unreasonable number of security vulnerabilities, it could mean the end of major milestone releases of operating systems in favor of more conservative, iterative upgrades.
RELATED LINKS
Windows 2000: Holy grail or fool's crusade?
Windows TechEdge, 06/04/99
Archive of Network World on Security newsletters
