Five Years Later, Windows 2000 Looks Naïve

By Larry Seltzer | Posted 2004-12-29

Opinion: Microsoft got a lot of things right with Windows 2000, but security wasn't one of them. The changes made for Windows Server 2003 indicate just how wrong Microsoft was.

I remember roughly when Windows 2000 "went gold"—when Microsoft finalized the shipping code for the product. It was mid-December 1999, and the product officially "shipped" in February 2000. I was writing part of a Windows 2000 book, so I had early access. Five years is a long, long time in this day and age, especially when it comes to security. A lot has happened since then, and things are far worse now than they were.

Can we forgive Microsoft for being naïve about security in Windows 2000? I might have thought so at one point, but not anymore. Yes, the real work on Windows 2000 was done while the Internet boom was at its most stupid, with people selling groceries online and FedExing bags of dog food, but Microsoft wasn't that kind of company. It was run by experienced people who should have known better.

Melissa, the first great Internet mail worm, was already nine months old when Windows 2000 went gold. Network-based buffer overflows went back to the era of the Morris Worm (1988), when DOS was still mainstream and dinosaurs roamed the earth. We had plenty of other indications that sophisticated attacks would only get easier, such as the release of SATAN (Security Administrator Tool for Analyzing Networks), which automated the scanning of networked hosts for known weaknesses.

Instead, Windows 2000—and this applies most especially to Windows 2000 Server—shipped with all manner of services turned on by default. This is the most fundamental mistake Microsoft made: every service listening on the network by default is attack surface the administrator never asked for and may not even know is there. I don't think Microsoft would defend this decision anymore, after they changed direction so thoroughly in Windows Server 2003. And yet, security was definitely much on the minds of Microsoft developers when they designed Windows 2000; they just had the wrong approach to it. I asked Microsoft to comment on the fifth anniversary of Windows 2000 and what it said about security, and they reminded me of a long list of security-related features that they said made Windows 2000 a better product.
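As a practical check of the point above, added here and not part of the original column: the PowerShell script below lists every running Windows service that owns a listening TCP socket, together with its start mode, so the services a machine exposes by default can be compared against the ones it is actually supposed to provide. It assumes Windows 8 or Windows Server 2012 or later (Get-NetTCPConnection does not exist on older releases) and an elevated prompt so that the owning process of every socket is visible; on the Windows 2000 boxes the column discusses it would not run, and netstat and the Services console were the tools of the day.

```powershell
# Added example, not from the original column. Requires Windows 8 / Server 2012
# or later and an elevated prompt.

# Running services, keyed by the PID that hosts them. Several services can
# share one svchost.exe process, so a PID may map to more than one name.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.ProcessId -gt 0 }

$byPid = @{}
foreach ($s in $services) {
    $pid = [int]$s.ProcessId
    if (-not $byPid.ContainsKey($pid)) { $byPid[$pid] = @() }
    $byPid[$pid] += $s.Name
}

# Every TCP socket currently in the LISTEN state, attributed to a service.
$report = foreach ($conn in Get-NetTCPConnection -State Listen) {
    $names = $byPid[[int]$conn.OwningProcess]
    if (-not $names) { continue }   # listener is not a service (or not attributable)
    foreach ($name in $names) {
        $svc = $services | Where-Object { $_.Name -eq $name }
        [pscustomobject]@{
            Service      = $name
            DisplayName  = $svc.DisplayName
            StartMode    = $svc.StartMode      # Auto / Manual / Disabled
            LocalAddress = $conn.LocalAddress  # 0.0.0.0 or :: means every interface
            Port         = $conn.LocalPort
            Pid          = $conn.OwningProcess
        }
    }
}

$report | Sort-Object Port, Service | Format-Table -AutoSize

# Services set to start automatically that also listen on all interfaces are
# the "on by default" exposure the column complains about; review each one.
$report |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.LocalAddress -in @('0.0.0.0', '::') } |
    Select-Object Service, Port | Sort-Object Port | Format-Table -AutoSize
```

Two caveats when reading the output: a port owned by a shared svchost.exe process is reported once per service in that process, so the attribution is only as fine-grained as the service host grouping; and anything listed with no service name at all (skipped here) is a plain process, which deserves the same scrutiny by other means.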
EFS (Encrypting File System) is not a perfect defense, but it's a great physical security tool. Windows 2000 integrated PKI, IPSec and Kerberos. As the Microsoft spokesperson reminded me, "Windows 2000 launch also saw the payoff of our decade-long push for relaxed government regulation of encryption, and Windows 2000[s] was the first operating system to ship worldwide with strong (128-bit) encryption built in."

Perhaps Microsoft approached security as just another list of features to include in the product? You might get that impression, especially since Microsoft brags that "Windows 2000 still holds the highest level of Common Criteria evaluation for the richest set of functions in a general purpose operating system." But they also claim that the Windows 2000 development process included security code reviews and a special internal penetration test team. I wish I could say otherwise, but whoever penetration-tested the original Windows 2000 used a rubber sword, and the security audits missed important problems.

It wasn't until Windows XP Service Pack 2, released only this year, that Microsoft got the right attitude about security. All you need to do is look at Windows Server 2003, especially with the forthcoming Service Pack 1, to see how wrong they were about security in Windows 2000.

The resistance within Microsoft that delayed this change in strategy is actually an admirable trait. Microsoft doesn't want to do things that break programs and make products harder for customers to use. Let's hope they keep the right attitude and point their considerable talents from here on towards making products that are both accessible and secure, out of the box.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
 
 
 
 
Larry Seltzer has been writing software for, and English about, computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at DeskTop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.