Microsoft denies Novell's claim of Windows 2000 bug

Novell levels charges against a competing technology in Microsoft's new operating system, due this week, which stands to diminish sales of Novell's main product.

Microsoft competitor Novell today said it had uncovered a security hole in Windows 2000, Microsoft's new operating system software due this week, a claim Microsoft denied.

Days before Windows 2000's much-anticipated launch, Novell leveled charges against a competing technology in the operating system, which stands to diminish sales of Novell's main product.

Novell claims the security problem affects Active Directory, which is one of the cornerstones of Windows 2000 Server, one of three versions of the new operating software. The feature allows technology administrators to more easily manage resources on a corporate network and speed the handling of their security access.

A Microsoft executive vehemently denied a security bug existed.

"There is not a security vulnerability," said Steve Lipner, manager of the Redmond, Wash.-based software maker's Security Center.

Novell stands to lose sales of Novell Directory Services, one of its flagship products, should large numbers of corporations switch to Windows 2000 and Active Directory. The Orem, Utah-based software maker has been adjusting its product strategy by emphasizing e-commerce as it prepares for business beyond Windows 2000.

Directory software essentially serves as a "phone book" of computing assets on a network, such as users, applications, systems, and network devices.

The stakes in the directory software market are high. Novell is largely dependent on its directory software for a revised strategy targeted at providing all of the software that users don't "see" but that makes it easier to connect to a network and organize an organization's technology resources.

Much like the database market before it, many believe directory software will serve as an underlying technology for corporations and Internet service providers (ISPs) going forward. In light of that opportunity, both Microsoft and Novell are betting big that their software can fill the needs of the industry.

If it exists, the problem would be a blow to Microsoft as it prepares to launch Windows 2000 on Thursday. But, analysts warn, the source of the complaint may make the accusation suspect.

"Microsoft, being in the position they're in, is going to come under the scrutiny of their competition, and their competition is going to use every opportunity to point any potential flaw they may find in the product," said Gartner Group analyst Michael Gartenberg.

Novell brought the problem to Microsoft's attention on Friday, but Microsoft engineers working through the weekend could not reproduce the security breach, Lipner said.

Novell makes a competing technology called Novell Directory Services. Gary Hein, corporate strategist for Novell, said his company uncovered the security bug while testing software for compatibility with Windows 2000.

The alleged flaw has to do with an administrator's rights to specially restricted areas of a network. "There are some times when a company needs to restrict access to directories even by (network) administrators," Hein said. "You might not want them accessing personnel services, (human resources) or legal. Both Novell and Active Directory allow you to do that, but unfortunately Active Directory allows you to undo that."

Hein used the example of a payroll department where one person has the right to administer that directory. Administrators of other directories normally would be restricted from accessing personnel. But if that administrator goes to another directory, say engineering, where he has rights and returns to personnel, "lo and behold, he has rights," Hein said.

The problem would appear to be not in Active Directory itself but in the utility used for generating rights, Hein said.

Lipner faulted Novell's methodology, which he claimed led the company to reach the wrong conclusions. Novell engineers started out by taking away "user" access rights from a directory, or in Active Directory parlance, "object," but they failed to change another important setting. Each object is assigned user rights and broader "owner" rights. By failing to remove the owner rights in testing, Novell engineers erred, Lipner said.

"The security system is operating as designed," he said. "While they attempted to remove access from a domain administrator, they really didn't do a complete job of that. They took discretionary access away but left ownership."

That oversight meant no security rights had been taken away, giving the appearance of a breach, Lipner said.
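
Lipner's distinction between discretionary access and ownership can be shown with a small model. This is an added example, not code from the article, Novell or Microsoft; it relies on the fact that Windows implicitly grants an object's owner the right to read and rewrite its access list, and every object, user and group name in it is constructed.

```python
# Simplified model of the owner rule in the Windows access check. Constructed for
# illustration: no deny ACEs, inheritance or privileges, and all names are made up.
from dataclasses import dataclass, field

READ_DATA, READ_CONTROL, WRITE_DAC = "READ_DATA", "READ_CONTROL", "WRITE_DAC"
OWNER_IMPLICIT = {READ_CONTROL, WRITE_DAC}  # granted to the owner whatever the DACL says


@dataclass
class DirObject:
    name: str
    owner: str
    dacl: dict = field(default_factory=dict)  # principal -> set of allowed rights


def effective_rights(obj, token):
    """Rights for a token (the user's name plus group names)."""
    rights = set()
    for principal in token:
        rights |= obj.dacl.get(principal, set())
    if obj.owner in token:
        rights |= OWNER_IMPLICIT
    return rights


def regrant(obj, token, principal, rights):
    """Add an allow entry to the DACL; permitted only with WRITE_DAC."""
    if WRITE_DAC not in effective_rights(obj, token):
        return False
    obj.dacl.setdefault(principal, set()).update(rights)
    return True


def scenario(also_change_owner):
    """Return (locked out after lockdown, re-grant succeeded, access afterwards)."""
    admin_token = {"alice", "Domain Admins"}
    payroll = DirObject("OU=Payroll", owner="Domain Admins", dacl={
        "Domain Admins": {READ_DATA, WRITE_DAC},
        "payroll-admin": {READ_DATA, WRITE_DAC},
    })
    del payroll.dacl["Domain Admins"]      # discretionary access taken away
    if also_change_owner:
        payroll.owner = "payroll-admin"    # the step Lipner says was skipped
    locked_out = READ_DATA not in effective_rights(payroll, admin_token)
    regranted = regrant(payroll, admin_token, "Domain Admins", {READ_DATA})
    return locked_out, regranted, READ_DATA in effective_rights(payroll, admin_token)


if __name__ == "__main__":
    print("DACL only:     ", scenario(False))
    print("DACL and owner:", scenario(True))
```

When reviewing a restricted directory container, the owner field needs the same scrutiny as the access list, since it decides who can put entries back.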