Microsoft has been unable to douse allegations that one of the hotly
anticipated technologies in Windows 2000 Server has a security hole.
Whether this so-called security hole is a bug or not depends on who's doing
the talking. Microsoft disputes the claim. By contrast, Novell--a
competitor that stands to lose sales of its flagship product if Windows
2000 Server takes off--says differently. Third parties, meanwhile, say the
problem seems to come from a lack of familiarity with Active Directory,
which is completely new.
Novell first leveled the security bug accusation days before last
month's Windows 2000 launch. Microsoft easily batted away the claim.
"If this had been a legitimate security bug,
Microsoft would have admitted that," said Peter Houston, Microsoft's group
product manager for Active Directory. "We would have posted a fix as
quickly as we possibly could. The fact that we denied this has been
overlooked a bit."
On closer examination, say analysts, the problem may have more to do with
how the two companies made different security design decisions about their
competing products and less with any inherent weakness.
Active Directory is the part of Windows 2000 server that acts as a "phone
book" for managing network computing assets, such as users, applications,
systems and network devices. Novell Directory Services performs a similar
function but takes a different approach to who has the "right" to manage
Microsoft took a chapter from the Unix world, designating one or several
people as "domain administrator" with rights to access and manage all assets
on a corporate network. Unix systems call this person the "root
"The guy who has the root administrator role can do anything he wants to
that system, and the same goes for the domain administrator in Active
Directory," Houston said. The domain administrator is also the person who
assigns rights to other administrators and users, restricting or enabling
their ability to access network assets.
Novell took a different approach and faulted Microsoft's model as being
insecure, said Gary Hein, corporate strategist for the Orem, Utah-based
software maker. Rather than designate a single person with full security
access and the right to limit others' access, NDS allows companies to
restrict a network administrator's access to sensitive areas, such as human
resources and payroll departments.
Novell attempted to take away an administrator's rights to sensitive areas
but found it could not do so and called attention to what it called a
"There are some times when a company needs to restrict access to
directories even by (network) administrators," Hein said. "You might not
want them accessing personnel services, (human resources) or legal. Both
Novell and Active Directory allow you to do that, but unfortunately Active
Directory allows you to undo that."
Houston argued that Microsoft took a different design approach, allowing
domain administrators--who should be trusted, high-level people--free rein.
"Novell did a series of screen
shots and so forth, and you can clearly see they got to a point where
they decided they had found a bug," he said. "We are simply disagreeing
with them, and what they are showing is the intended behavior of the system."
Eric Bowden, general manager of BugNet,
a supplier of software bug fixes, faulted Microsoft's approach.
"If we say it is a 'misunderstanding' because it is functioning as
designed, then instead of calling it a bug, I would have to call it a
design flaw," he said. BugNet, which corroborated Novell's claims,
discovered that anyone with enough administrative privileges could reset
security and access restricted assets.
Gartner Group analyst Michael Gartenberg said the onus is on companies
switching to Windows 2000 Server and Active Directory to make sure they
understand exactly how the security model works.
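One way for a company to check where this matters in its own directory is to list the Deny entries on its OUs and flag those that the denied administrator could simply remove again. This is an added audit example in PowerShell, not code from the article, Microsoft or Novell; it assumes the RSAT ActiveDirectory module and a read-only account, and the OU path shown is a constructed placeholder.

```powershell
# Added audit example; not code from the article, Microsoft or Novell.
# Assumes the RSAT ActiveDirectory module (which also provides the AD: drive
# that Get-Acl reads) and an account permitted to read the OUs' security descriptors.
Import-Module ActiveDirectory

# Rights that let a principal rewrite or take over an object's ACL, and so undo a Deny.
$overrideRegex = 'WriteDacl|WriteOwner|GenericAll'

function Find-RevocableDeny {
    param([string]$SearchBase)  # constructed example: 'OU=Payroll,DC=corp,DC=example'

    $ous = if ($SearchBase) { Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase }
           else             { Get-ADOrganizationalUnit -Filter * }

    foreach ($ou in $ous) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"

        foreach ($deny in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
            $who = $deny.IdentityReference.Value

            # The owner of an object can always rewrite its DACL, Deny or not.
            $isOwner = ($acl.Owner -eq $who)

            # Does the same principal also hold an Allow entry that grants ACL control?
            $holdsOverride = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $who -and
                $_.ActiveDirectoryRights.ToString() -match $overrideRegex
            })

            [pscustomobject]@{
                OU              = $ou.DistinguishedName
                DeniedPrincipal = $who
                DeniedRights    = $deny.ActiveDirectoryRights.ToString()
                Inherited       = $deny.IsInherited
                IsOwner         = $isOwner
                HoldsAclControl = $holdsOverride
                Revocable       = ($isOwner -or $holdsOverride)
            }
        }
    }
}

# Report only the Deny entries the denied party could remove on its own.
Find-RevocableDeny | Where-Object Revocable | Format-Table -AutoSize
```

Members of Domain Admins are also members of the domain's Administrators group, which can take ownership of any directory object, so a Deny against them that this report does not flag is still only advisory; that is the intended behavior Houston describes above.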
Bowden agreed, warning companies to take caution "who you put in the
NDS' security model is not without its shortcomings. Although companies can
restrict access by an administrator--regardless of his or her level of
authority--problems can arise if that person leaves before relinquishing
those rights or disclosing passwords. Companies could be forced to contact
Novell before regaining access.
Meta Group analyst Kurt Schlegel said the problem with Active Directory is
less a security issue and more a problem of unfamiliarity. "There aren't
that many folks that have moved to Active Directory, so there's not a lot
of data to go on."