
NT security an easy target

NT may be a victim of its own success, but analysts say Microsoft could be doing a better job of confronting security problems head on.

CNET News staff
"Windows NT is becoming the victim of its own success."

That's what the Windows NT camp at Microsoft (MSFT) says as hackers find the operating system an increasingly attractive target. But outside observers say Microsoft could be doing a better job of confronting the security problems head on.

The latest tool to target NT systems is called L0phtCrack, created by a hacker group called L0pht. But L0phtCrack is only the most recent in a series of hacker tools posted to help others attack NT sites by stealing passwords, tools that have generated speculation that NT is not as secure as it should be.

Microsoft would argue that the availability of these tools and the increased attention paid to NT security are side effects of its growing acceptance in the corporate marketplace. At the same time, the company wants to dampen the spark of doubt lit by hacker groups like the L0pht.

"All of these issues we take very seriously," said Mike Nash, director of marketing for Windows NT Server and infrastructure products. "There's a lot of fear and it's really easy to whip the industry into a frenzy. Since more of Windows NT is out there, the potential for hackers to make an example of it has increased."

But some analysts are critical of the manner in which Microsoft has responded to the publicized security threats.

"Microsoft has not been really clear about what exactly the vulnerability is and even if there is one," said Neil MacDonald, analyst with the Gartner Group. "The people who found the problem portray it as the worst thing in the world. The truth is somewhere in between."

As reported by the online publication Electronic Engineering Times, the L0phtCrack tool could allow a user to retrieve Windows NT network domain user names and passwords. The new program works in conjunction with previously posted software tools called PWDump and NTCrack that can also allegedly be used to break into NT servers.

The creators of L0phtCrack were not available for comment.

Microsoft managers insist the tools can only really breach NT security if administrators have failed to put proper security policies in place. They say, for example, that tools such as NTCrack can only function if a hacker gains access to privileged files through a network administrator's password. In other words, outsiders can only break in with the cooperation of an insider. Microsoft advises toughening up security policies by requiring passwords that combine numbers, letters, upper case and lower case characters to make passwords harder to decrypt.

But MacDonald said the threats posed by these tools are real and has advised Gartner Group clients running Windows NT Server and Workstation to set access controls for the operating systems. These controls allow access to the software and files to be audited so that wayward users and administrators will be spotted when they try to access the system.

While he agrees with Microsoft that security is partly a policy issue, MacDonald said the L0pht hacker code also demonstrates a weakness in the NT security architecture. Specifically, MacDonald explained, NT does not have a randomizing encryption element called "salt" in the operating system. This means that once hackers get hold of a list of encrypted passwords, it's easier to crack the code and decipher the actual passwords that will let them into the server. "I don't think Microsoft is being quite honest about this," he added.
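The effect of a missing salt, as an added example that is not part of the original article: without a salt, equal passwords give equal stored digests and one hash per guess covers every account, while a per-user salt removes both properties. SHA-256 stands in for NT's password hash, and the account data and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; two users picked the same password.
ACCOUNTS = {"alice": "Winter97", "bob": "Winter97", "carol": "x9!Tq2#rLm"}

def unsalted_store(accounts):
    """Digest depends only on the password (SHA-256 is a stand-in hash)."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in accounts.items()}

def salted_store(accounts, iterations=100_000):
    """Per-user random salt plus a slow KDF; the salt is kept beside the digest."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[user] = (salt, iterations, digest)
    return store

def verify(store, user, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = store[user]
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(probe, digest)

def shared_digest_groups(digests):
    """Audit check: groups of users whose stored digests are identical."""
    groups = defaultdict(list)
    for user, digest in digests.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def guesses_needed(n_candidates, n_accounts, salted):
    """Hash computations needed to test every candidate against every account."""
    return n_candidates * n_accounts if salted else n_candidates

if __name__ == "__main__":
    plain = unsalted_store(ACCOUNTS)
    salted = salted_store(ACCOUNTS)
    print("unsalted, shared digests:", shared_digest_groups(plain))
    print("salted, shared digests:  ",
          shared_digest_groups({u: v[2] for u, v in salted.items()}))
    print("hashes for 1000 guesses, unsalted:", guesses_needed(1000, 3, False))
    print("hashes for 1000 guesses, salted:  ", guesses_needed(1000, 3, True))
```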

On the other hand, this trial by fire may help Microsoft strengthen the OS. "What NT lacks in years of experience it will make up for in the number of people who try to break in," MacDonald said.

Other analysts agree the attention paid to Windows NT by rogue code writers is part of the natural evolution of an operating system as it gains popularity among users who have information they want to protect.

"It appears there is blood in the water, so sharks come over to find out what's going on," said Dan Kusnetsky, director of Unix and client-server environments for market researcher International Data Corporation.

As Windows NT has gained popularity on corporate networks, it has increasingly become the subject of security scrutiny, much like Unix did in the 1970s.

"The more mature the operating system, the more tools there are to protect it from security holes," Kusnetsky said. "As NT is relatively new as a server environment, having been introduced in 1993, it is under fire, just as Unix and [Digital Equipment's operating system] VMS went through the fire in their early stages. I don't think Windows NT has any better or worse record as far as security breaches.

"It's an operating system that has yet to achieve the level of maturity of its competitors," he added. "Microsoft gets to face the wars now."

Unix derivatives developed out of Bell Labs in the early 70s. The operating system was then offered to various universities where it was poked at by academics and students, who quickly found ways to get around security roadblocks in the software. Through various "hacks" into Unix operating systems, a better understanding of security was gained.

Toward the end of the decade, a consortium of IBM, Digital Equipment, and the Massachusetts Institute of Technology convened to study security issues within Unix. That work, dubbed the Athena Project, resulted in Kerberos, a standard that is still broadly used in most Unix OS flavors for security purposes.

Microsoft has not yet adopted the Kerberos security methods for NT, preferring to develop its own security solutions. The company currently offers C2-level security, a federal designation that allows the operating system to be used in government settings. A Kerberos security architecture will be among the new features of Windows NT 5.0, due out sometime next year. But be forewarned: Kerberos, although fairly secure, has not managed to solve all of the security holes in Unix-based systems.

In the meantime, Microsoft is trying to contain the security scare, which even the company recognizes as a threat to NT's continued growth.

"Growth will be more dependent on our nascent server business," Mike Brown, Microsoft's chief financial officer, said yesterday during a press conference about the company's quarterly results. "And while business has been very strong, there is FUD [fear, uncertainty, doubt] out there now, FUD about important issues we are working very hard on."