Win2000 gives security boost

Federal systems administrators and users who have long bemoaned the security, or lack thereof, in Microsoft Corp.'s operating systems will have something to look forward to next year in the release of Windows 2000.

Administrators in particular have had problems with the current default configuration for Windows NT 4.0, which leaves every entry point into the system open until an administrator turns it off manually.

"You're never going to eliminate people finding new vulnerabilities—that's why we have pencils with erasers," said David Jarrell, technical director of the General Services Administration's Federal Computer Incident Response Capability (FedCIRC). "[But] when you ship something with [so many] vulnerabilities built in, you're going to have people with problems."

By integrating the security functions within the operating system and giving users the ability to choose from among several different levels of security, rather than a single level, Microsoft hopes to entice the many federal customers that did not want to risk their networks' protection.

At the bottom level, the company has integrated all of the security management with its new Active Directory.

The directory is designed to give an organization a view of all the systems and software in its computing environment. Administrators can use the directory to define exactly what resources individual users can access, said Shanen Boettcher, product manager for Windows 2000 server security.

"The directory is the central store for security," Boettcher said. "You want to have a model that's consistent in this distributed environment."

Windows 2000, which is to be released on Feb. 17, will enable administrators to establish different ways of controlling access to systems, such as passwords, software- or hardware-based digital certificates, biometrics or even Kerberos, an advanced security technology based on the use of cryptographic keys. Active Directory enables an administrator to define which authentication technique to require for each system.

For the configuration of Windows 2000, the Microsoft security team has developed several different default settings, and it also will allow administrators to create their own templates of settings to apply to groups of users, said Scott Culp, security product manager for the Microsoft Security Response Team.

The default configurations will include basic high, medium and low settings, but even the highest will not come with all of the settings turned off, as much as some may want that choice, Culp said.

"We don't want to ship a 'Fort Knox configuration' and force people into a secure environment," he said. That type of setting would frustrate as many users as the previous "turned on" configuration did, he said.

The basic configurations will provide a starting point, while a Security Configuration Toolkit will give managers with more expertise the ability to tinker with the settings or walk less-experienced managers through the process.

"We're going to make it much easier for people to make the decisions they need to secure their system," he said.

FedCIRC has been talking to federal system administrators about the need to set different levels of security from the beginning, Jarrell said. Last week the office put online a guide to securing Windows NT systems—developed by Trusted Systems Inc. and commissioned by the National Security Agency—that recommends many of the same security techniques Microsoft is building into its software.

Microsoft's Security Response Team, which verifies the existence of vulnerabilities and helps develop fixes and documentation, works closely with all of the Microsoft product teams, and its experience and knowledge are built into products.

The team recently has focused on making it easier for system administrators to find and install the patches and fixes they need.

In the past month, hackers have defaced more than 60 federal World Wide Web sites (see box). Almost all were exploited through a hole in Microsoft's IIS 4.0, a vulnerability that the company discovered and issued a fix for more than a year ago, according to FedCIRC.

But both Microsoft and FedCIRC realize that though it is easy to provide the fixes, it is not as easy to ensure that people use them, especially because the information provided by vendors is often too technical and complex for administrators. "We can produce all the patches in the world, but they still need to be installed," Culp said.

The Microsoft Security Response Team is developing an addition to the Microsoft Download Manager that will provide a Web interface to make it easier for even beginning administrators to understand the technical information, Culp said. The administrators can define what their systems look like, and the Download Manager then will provide links to all the patches, fixes and documentation that are needed.

"We're trying to make this as easy as we can, but there is no way to make the patches appear [automatically] on someone's machine," Culp said.

Although automatic installation would be ideal, this is a good step forward, and something that FedCIRC has been trying to develop on its own this year, Jarrell said.

"When we kicked FedCIRC off earlier last year, one of the things we insisted on was that vulnerabilities and alerts would be published at two [technical] levels," he said. "This will be good, and I'll want to talk to them because that will fit nicely into what we're doing."

***

Hackers' Reach

A sampling of federal World Wide Web sites hacked since Oct. 25:

* NASA Jet Propulsion Lab Acquisition Division—acquisition.jpl.nasa.gov
* Space Shuttle Flight Tracker, NASA Johnson Space Center—flight.jsc.nasa.gov
* Federal Occupational Health, Department of Health and Human Services—www.foh.dhhs.gov
* National Institute on Alcohol Abuse and Alcoholism—www.niaaa.nih.gov
* USDA Rural Development—www.rurdev.usda.gov
* Energy Systems Division, Argonne National Labs—www.es.anl.gov
* Solid State Theory Group, National Renewable Energy Laboratory—www.sst.nrel.gov
* Naval Medical Research Institute—www.nmri.nnmc.navy.mil
* U.S. Tax Court—www.ustaxcourt.gov
* Department of Energy, Office of Procurement and Assistance Management—www.pr.doe.gov
* Defense Commissary Agency—www.deca.mil
* Naval School of Health Sciences—www-nshs.med.navy.mil
* U.S. Minerals Management Service—www.mms.gov
* Overseas Private Investment Corporation—www.opic.gov
* Department of Veterans Affairs—www.va.gov
* Department of Energy, Richland Operations Office—www.hanford.gov
* U.S. Geological Survey Patuxent Wildlife Research Center—monitoring2.er.usgs.gov
* U.S. International Trade Commission—www.usitc.gov
* Shore Intermediate Maintenance Activity (SIMA) San Diego—www.simasd.navy.mil
* Defense Information Systems Agency—dssg-web-srv.ncr.disa.mil
* U.S. European Command—www.eucom.mil