Article: Finger-pointing begins in Windows 2000 bug claims
greenspun.com : LUSENET : TB2K spinoff uncensored : One Thread
Finger-pointing begins in Windows 2000 bug claims By Joe Wilcox Staff Writer, CNET News.com March 3, 2000, 4:25 p.m. PT URL: http://news.cnet.com/category/0-1003-200-1564280.html
Microsoft has been unable to douse allegations that one of the hotly anticipated technologies in Windows 2000 Server has a security hole.
Whether this so-called security hole is a bug or not depends on who's doing the talking. Microsoft disputes the claim. By contrast, Novell--a competitor that stands to lose sales of its flagship product if Windows 2000 Server takes off--says differently. Third parties, meanwhile, say the problem seems to come from a lack of familiarity with Active Directory, which is completely new.
Novell first leveled the security bug accusation days before last month's Windows 2000 launch. Microsoft easily batted away the claim.
"If this had been a legitimate security bug, Microsoft would have admitted that," said Peter Houston, Microsoft's group product manager for Active Directory. "We would have posted a fix as quickly as we possibly could. The fact that we denied this has been overlooked a bit."
On closer examination, say analysts, the problem may have more to do with how the two companies made different security design decisions about their competing products and less with any inherent weakness.
Active Directory is the part of Windows 2000 server that acts as a "phone book" for managing network computing assets, such as users, applications, systems and network devices. Novell Directory Services performs a similar function but takes a different approach to who has the "right" to manage those assets.
Microsoft took a chapter from the Unix world, designating one or several people as "domain administrator" with rights to access and manage all assets on a corporate network. Unix systems call this person the "root administrator."
"The guy who has the root administrator role can do anything he wants to that system, and the same goes for the domain administrator in Active Directory," Houston said. The domain administrator is also the person who assigns rights to other administrators and users, restricting or enabling their ability to access network assets.
Novell took a different approach and faulted Microsoft's model as being insecure, said Gary Hein, corporate strategist for the Orem, Utah-based software maker. Rather than designate a single person with full security access and the right to limit others' access, NDS allows companies to restrict a network administrator's access to sensitive areas, such as human resources and payroll departments.
Novell attempted to take away an administrator's rights to sensitive areas but found it could not do so and called attention to what it called a security hole.
"There are some times when a company needs to restrict access to directories even by (network) administrators," Hein said. "You might not want them accessing personnel services, (human resources) or legal. Both Novell and Active Directory allow you to do that, but unfortunately Active Directory allows you to undo that."
Houston argued that Microsoft took a different design approach, allowing domain administrators--who should be trusted, high-level people--free rein.
"Novell did a series of screen shots and so forth, and you can clearly see they got to a point where they decided they had found a bug," he said. "We are simply disagreeing with them, and what they are showing is the intended behavior of the system."
Eric Bowden, general manager of BugNet, a supplier of software bug fixes, faulted Microsoft's approach.
"If we say it is a 'misunderstanding' because it is functioning as designed, then instead of calling it a bug, I would have to call it a design flaw," he said. BugNet, which corroborated Novell's claims, discovered that anyone with enough administrative privileges could reset security and access restricted assets.
Gartner Group analyst Michael Gartenberg said the onus is on companies switching to Windows 2000 Server and Active Directory to make sure they understand exactly how the security model works.
Bowden agreed, warning companies to take caution "who you put in the administrative group."
NDS' security model is not without its shortcomings. Although companies can restrict access by an administrator--regardless of his or her level of authority--problems can arise if that person leaves before relinquishing those rights or disclosing passwords. Companies could be forced to contact Novell before regaining access.
Meta Group analyst Kurt Schlegel said the problem with Active Directory is less a security issue and more a problem of unfamiliarity. "There aren't that many folks that have moved to Active Directory, so there's not a lot of data to go on."
-- Jonathan Latimer (email@example.com), March 06, 2000.
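The article's practical advice is that under Active Directory's model the real control is who sits in the administrative groups, and that a Deny restriction placed on a sensitive OU can be undone by a domain administrator. The script below is an added example, not code from the article, Novell, Microsoft or any of the posters; it assumes a present-day domain with the Windows ActiveDirectory PowerShell module (a later add-on, not Windows 2000 tooling) and lists both things an auditor would want to check.

```powershell
# Added example: audit the two points the article raises about Active Directory.
# 1. Who is effectively a domain administrator (nested group membership resolved).
# 2. Which OUs carry a Deny ACE against Domain Admins; the article's point is that a
#    domain administrator can undo such a restriction, so it gives a false sense of safety.
# Assumes the ActiveDirectory module (provides the cmdlets and the AD: drive).
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value
$rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# Well-known identifiers: Domain Admins = <domain SID>-512, Enterprise Admins =
# <forest root SID>-519, builtin Administrators = S-1-5-32-544.
$adminGroupSids = @("$domainSid-512", "$rootSid-519", "S-1-5-32-544")

Write-Host "== Effective domain-level administrators (nested membership resolved) =="
$admins = foreach ($sid in $adminGroupSids) {
    Get-ADGroupMember -Identity $sid -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName
}
$admins | Sort-Object -Unique | ForEach-Object { Write-Host "  $_" }

Write-Host "== OUs whose DACL denies Domain Admins (not a real barrier to a domain admin) =="
$domainAdmins = Get-ADGroup -Identity "$domainSid-512"
# IdentityReference is an NTAccount such as "CORP\Domain Admins"; match on the group name.
$denyPattern  = '^(.+\\)?' + [regex]::Escape($domainAdmins.SamAccountName) + '$'

Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $acl    = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    $denies = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -match $denyPattern
    })
    if ($denies.Count -gt 0) {
        Write-Host "  $($_.DistinguishedName)  ($($denies.Count) Deny ACE(s) on Domain Admins)"
    }
}
```

Run it from an account that can read group membership and OU security descriptors; the first list is the group Bowden says to be careful about, and the second list shows where someone has relied on a restriction the article says does not hold against a domain administrator.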
Did I misread the article, or is Novell saying that a superuser accessing the system is a "security hole"? If there are things that are *that* sensitive, why not set them up on independent systems with restricted access that only connect to the main system to share data?
I guess what they could do is make the SU unable to access data files, but what do you do when someone forgets their password?
You have to trust somebody (well....),
-- Someone (ChimingIn@twocents.cam), March 06, 2000.
I'm not familiar with either of those systems, but it seems to me that the obvious solution to the "problem" is to exchange hats. Make some high up corporate wonk the "Administrator" (AKA "root"), and then have him dole out the desired subset of administrative permissions to the actual administrator, who would NOT be a full administrator so far as the OS is concerned.
Instead of the administrator granting rights to others, the company grants rights to him.
-- Charles Underwood Farley (firstname.lastname@example.org), March 06, 2000.
If Microsucks Windoze 2000 "rights" setup is as obscure as it has been in the past for NT, and for applications like ACCESS, then it is another poorly thought-out pizza crap foisted on the market, to maintain or steal market share, even though it's not near ready for prime-time.
If I was still interested in being on the "cutting edge" I would be going balls out to get into Linux related stuff.
-- A (A@AisA.com), March 06, 2000.