Finger-pointing begins in Windows 2000 bug claims

The company has been unable to douse allegations that one of the hotly anticipated technologies in Windows 2000 Server has a security hole.

3 min read
Microsoft has been unable to douse allegations that one of the hotly anticipated technologies in Windows 2000 Server has a security hole.

Whether this so-called security hole is a bug or not depends on who's doing the talking. Microsoft disputes the claim. By contrast, Novell--a competitor that stands to lose sales of its flagship product if Windows 2000 Server takes off--says differently. Third parties, meanwhile, say the problem seems to come from a lack of familiarity with Active Directory, which is completely new.

Novell first leveled the security bug accusation days before last month's Windows 2000 launch. Microsoft easily batted away the claim.

"If this had been a legitimate security bug, Microsoft would have admitted that," said Peter Houston, Microsoft's group product manager for Active Directory. "We would have posted a fix as quickly as we possibly could. The fact that we denied this has been overlooked a bit."

On closer examination, say analysts, the problem may have more to do with how the two companies made different security design decisions about their competing products and less with any inherent weakness.

Active Directory is the part of Windows 2000 server that acts as a "phone book" for managing network computing assets, such as users, applications, systems and network devices. Novell Directory Services performs a similar function but takes a different approach to who has the "right" to manage those assets.

Microsoft took a chapter from the Unix world, delegating one or several people "domain administrator" with rights to access and manage all assets on a corporate network. Unix systems call this person the "root administrator."

"The guy who has the root administrator role can do anything he wants to that system, and the same goes for the domain administrator in Active Directory," Houston said. The domain administrator is also the person who assigns rights to other administrators and users, restricting or enabling their ability to access network assets.

Novell took a different approach and faulted Microsoft's model as being unsecure, said Gary Hein, corporate strategist for the Orem, Utah-based software maker. Rather than designate a single person with full security access and the right to limit others' access, NDS allows companies to restrict a network administrator's access to sensitive areas, such as human resources and payroll departments.

Novell attempted to take away an administrator's rights to sensitive areas but found it could not do so and called attention to what it called a security hole.

"There are some times when a company needs to restrict access to directories even by (network) administrators," Hein said. "You might not want them accessing personnel services, (human resources) or legal. Both Novell and Active Directory allow you to do that, but unfortunately Active Directory allows you to undo that."

Houston argued that Microsoft took a different design approach, allowing domain administrators--who should be trusted, high-level people--free reign.

"Novell did a series of screen shots and so forth, and you can clearly see they got to a point where they decided they had found a bug," he said. "We are simply disagreeing with them, and what they are showing is the intended behavior of the system."

Eric Bowden, general manger of BugNet, a supplier of software bug fixes, faulted Microsoft's approach.

"If we say it is a 'misunderstanding' because it is functioning as designed, then instead of calling it a bug, I would have to call it a design flaw," he said. BugNet, which corroborated Novell's claims, discovered that anyone with enough administrative privileges could reset security and access restricted assets.

Gartner Group analyst Michael Gartenberg said the onus is on companies switching to Windows 2000 Server and Active Directory to make sure they understand exactly how the security model works.

Bowden agreed, warning companies to take caution "who you put in the administrative group."

NDS' security model is not without its shortcomings. Although companies can restrict access by an administrator--regardless of his or her level of authority--problems can arise if that person leaves before relinquishing those rights or disclosing passwords. Companies could be forced to contact Novell before regaining access.

Meta Group analyst Kurt Schlegel said the problem with Active Directory is less a security issue and more a problem of unfamiliarity. "There aren't that many folks that have moved to Active Directory, so there's not a lot of data to go on."