Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Five Years Later, Windows 2000 Looks Naïve



 By: Larry Seltzer
2004-12-29
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Opinion: Microsoft got a lot of things right with Windows 2000, but security wasn't one of them. The changes made for Windows Server 2003 indicate just how wrong Microsoft was.

I remember roughly when Windows 2000 "went gold"—when Microsoft finalized the shipping code for the product. It was mid-December 1999, and the product officially "shipped" in February 2000. I was writing part of a Windows 2000 book so I had early access.

Five years ago is a long, long time in this day and age, especially when it comes to security. A lot has happened since then, and things are far worse now than they were. Can we forgive Microsoft for being naïve about security in Windows 2000? I might have thought so at one point, but not anymore.

Yes, the real work on Windows 2000 was done as the Internet boom was at its most stupid, with people selling groceries online and Fedexing bags of dog food, but Microsoft wasnt that kind of company. It was run by experienced people who should have known better.

Resource Library:
Melissa, the first great Internet mail worm was already 9 months old when Windows 2000 went gold. Network-based buffer overflows went back to the era of the Morris Worm (1988), when DOS was still mainstream and dinosaurs roamed the earth. We had lots of other indications that more sophisticated attacks would become easier, such as the introduction of SATAN (Security Administrator Tool for Analyzing Networks).

Instead, Windows 2000—and this applies most especially to Windows 2000 Server—shipped with all manner of services turned on by default. This is the most fundamental mistake Microsoft made. I dont think Microsoft would defend this decision anymore, after they changed direction so thoroughly in Windows Server 2003.

And, yet, security was definitely much on the minds of Microsoft developers when they designed Windows 2000; they just had the wrong approach to it. I asked Microsoft to comment on the fifth anniversary of Windows 2000 and what it said about security, and they reminded me of a long list of security-related features that they said made Windows 2000 a better product.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

EFS (Encrypting File System) is not a perfect defense, but its a great physical security tool. Windows 2000 integrated PKI, IPSec and Kerberos. As the Microsoft spokesperson reminded me, "Windows 2000 launch also saw the payoff of our decade-long push for relaxed government regulation of encryption, and Windows 2000[s] was the first operating system to ship worldwide with strong (128-bit) encryption built in."

Perhaps Microsoft approached security as just another list of features to include in the product? You might get that impression, especially since Microsoft brags that "Windows 2000 still holds the highest level of Common Criteria evaluation for the richest set of functions in a general purpose operating system." But they also claim that the Windows 2000 development process included security code reviews and a special internal penetration test team.

I wish I could say otherwise, but whoever penetration-tested the original Windows 2000 used a rubber sword, and the security audits missed important problems. It wasnt until Windows XP Service Pack 2, only a year or two ago, that Microsoft got the right attitude about security. All you need to do is to look at Windows 2003 Server, especially with the forthcoming Service Pack 1, to see how wrong they were about security in Windows 2000.

Check out eWEEK.coms Windows Center at windows.eweek.com for Microsoft and Windows news, views and analysis.

The resistance in Microsoft that delayed this change in strategy is actually an admirable trait. Microsoft doesnt want to do things that break programs and make products harder for customers to use. Lets hope they keep the right attitude and point their considerable talents from here on towards making products that are both accessible and secure, out of the box.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  

More from Larry Seltzer



  Reader Comments: Five Years Later, Windows 2000 Looks Naïve
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


xr㶲(;; YڦxiJV,Ҍ3JEĘ"Hʗ䬗v8x %ٞq2D th4{$ W7-gL:9)ٟG,zIj}ݻ@BezNULsJԶnL7n[c3P/a᳙(,Q  tjOt0]2xԵ;k:&gek/cߨ[`&`1ZlR!ۗ#: rWӺ#~hzNdRr-2訞þʲnMw3a[mޡlطGZ*մ*rM)֎o[©̝ w֨n~wUMSZw>ʑC[wn5-%u`(:n{'Owq@.{A~$Vj}& D%\.I&0h5&ttڽ~X}AFI?jnkMюR=2,gfV҈ gUUj,qT~6.vEv l,aR422V,]鮘FȏwAժ}yڽ鑳59m}jz ݹGtHM Wh:w Nկz O|iuHz>5401\]Z-$5IULxE$Y)ir\Cj ݖeB_ȻX_KŗG)H73ǚ -#4ɔSHu t:99~}EjV㭱J+҄& 9B:A`ܺNR49Vϡ8蟉$Wm4@r5YSl؅ R捇o4x M XRU>hI"E[fŢKdoF" 23~B(pHqbNbO}ದyp!jYY6'*taeIUis[ӢKsqnUOVЂ)WC EhYf7-vIQM}{QkJ jGExQo+rOLf[ԑplP)uu~L>NR'}:;SjZi};Ni(|I}Ѧޣ8ݘXiI70i|V8; uCuӹga {>0kJY=D57 l"&q}s)к`yna2C?FlEnP>X^0 jp3*~s=w= } wAk 6G~[>l0s0N\IQo Ч dQJ d$@!-i]R@Az68 -,rrl++~#y-#!bTLZ'9Tv{B#Tz(΍gR1eb -d[b~Il eV&vϏaZLboD6], S mo3-mu{6 z`N&'syjVRTECzdEgO6}ˁ)s#O̡ Gx}lj?DŽ8ǷF#˰`xhyAu!@3~ ~6ۇ-}Ȧ5}j0&{b6g{A3uOP#'Կ ;7u9\v,_zt?GcNEikJ/ι_n2MS|(n^ßf1d_w\ճ&VAB glCC2{ޡ[Y3R;= Mrʳ"#@7X>ť`N)mtй+>q^v.iԚv ei[I%ͺ7RumIJۥa]hk%T87Bj^¢ym<2D֑`9HM^>V "fˣQ4lJ Ւd6\{8`OEMĽ~G*+i#SOodV-iV9ҴZZ,<>kp6X"@@7wM)mT.mT^͇gΧމ;i6E7{Lӧ=<fM\?&)'V L Mڊ(1@/ŵaa{68c*tҝŅebiQ;k-)eS_HZQ6Ϯ[- V!0\0|pT30`,e?#OMR^-!z0kMug 7aT5cclq-Z ;rm۽Ϧ sq, bjt,g @QRo> \!EX+LTBYad[s6/|}xN`'\sW["LJ}#Nݡe-m*I-b]Pr)SLZ06AaeL䱯^t@FM@X G\d`АBrAa T+S//' 7]@.&D~Ê?DNQcG=.C+DÜU^oVw.$JPVbrxɡUT9*J8;|%ZA~~Ļ8 iF @rFg}qs`~62Msg67_u>tɕK-˰p c.Z$ c`׊._kOWbL['ʂX hO7`sk'k0ECV0! H*7hІ{egjڳVU;OP(;Ђw>k-4{J[dEλԲ'**5P6>*0GnG=W֌H+ c5}u:*ZW}ZXY :څHi3 9Sf5NkqvϷ h#քY[ў#WX tV ЛiQ~gVɲ Նgy>cIpR|5y->p7poj%O@(1C?9dN u3 U sf> W||0jZ5}tNNxT!"kq(n} #;"#NR3̍e?f#Z7pTJJ\ $J+A:er,×~a51r&]X4N>ML laƭbR/\f ?+:TfDU5}5?>nVɵGZV?fIRTP]\Hӛ&#UX)TԒP/YTAtevdi&x9L5Ll'P`R(S&ZD]Rx*+nQ/ewS? &i^IW:.ky*1a2N$D knIG:aF*ݔ[Y`'\U%P-HjYt>80xnX N zW8pL\'eM=J6z7EM+v@l+J9wwGc&Q@Z: GYdQ.|eR)*`7%ɠK= j ;!O}+tSZ1wOXO\dK!OWƒ"'!Z+53,qvë eVqm^?3Z cS7=J _BQ`nо(&wmOI@ NEw%]w7!)hl{ٗΚC9h5ÏOM1k0vhR`QfjmX#ǎFD_!m Be\קk,SVXKr!}&=C٠lGkhN؆{+^+[̚_f·?ĄB?JNx0(G@RPOh[#N۽vZgp6" BtX 1te}E/R)Q\(뉞OYi{L$((9Q{_[a(ۗo1Mr!}J_cN/Ͳh<"]{pУXJqk'ҽ8 $ubSP݃/Zr;0y!D(o l"HtSOkԛC2L:&r֚S%[@csOӖO|BaJ;Da2u?Is6uYX[NhAS:%ə$F=)*ښIդ"8I5F4A2 uIH? Md4XPW Pق'59ܻ8^]|عm|d`=`l)Za"|)Nr >i^`e>%;yRb QגZ4ҫoeW!9 |Ds`*=SL aʕCrWkb~]4ZU$=ݝ:F`cIŃ O~ؑq eީӊN|u +KׅNo͗W3k{R̵jПdeNx>HАYc=p>}⌜00;z[oue's C7+i{޽s¾"CWq :+`*9$XhHn e_"2NIJn/:}L9zdM#}%3 =ћ4/ Zw2g@m[8 ́)ӡ\Ec6E9ҷq\Y-DCtutoe{/b#" mC̜@- rF{,6|p4uYDx?E^?;ۊ2A-&:*bb [6_;]b%ާ,xDޤdId+]$e%!-(yLmRrX+&qOwO(69-S HLuHv̜ܘ)+hL:/{=__?!7- qwllgp{lDW]uQoTnp*S 4i~c+mvO5fbԆehWxWx# fl#ݺ*k]Wabuq pַ̽;o,P-Adj_ʟ:7@JA+:ic>!9rǮb_1 ϖB}6qS;mO5p2oP]ߚ'40Ȼ9f;ff5@NPdxmF$5?h۾a+@mն-0Vg`EQ&zf0m-m,ѩ{Gr*eX -}-'ϒvZw>pzlï^Jif-e։5V$1"*NhVl+P2aDKo]1p<L-Np`]g32ε7 O|^_VW-v /*`5m{;hOw>#nb1DKb@/]j ѐ}L^=}̋,̈2T7(=ⵝ~Ge3ጠٿgG^;P`܀I*ZWqi1s/?3{>ŧ!;:qCb$Ju {a3 ΰ.$o,S`',?h6Wh`am!_`n3u˻y+I1q0Ga(KRVa?~/F%&ТC>y|g [DpS\x?*Ɲ@ ņ&O FVVrc[atSQe~ۘ1P8K[n]Kpf$& oqCv]J 2,aB6Ew}EQDp vUTr@Ym+A#샒=%hٵL!,q')DsQ,?Ñ:-[VAXz- D9DNE0H^XA0;%pD]bɤ6 ͤ<87%\a8FSYh9W!cbwj\.he,zVdqK2&/ #z{֘1h*B UٜA5ZRU BIӕsxCQ58[jbxc;XykaQkS;XifKyb+n'-浻sx"(ͪNDf`h*yPc-* ;,Otm6A~}lMᗚk<烔KpʭBף6:F.&r&U"cmܪJ~bGlsgTjQME8oXcA<`zҧEd#usg楒V,T)[g?01,֐cFv)edO}TK;eZz;-9~8fl9|w\ۭ5>^:]Lcda b^twᷭkd, lS:uh&n*16J)t|{HI-g:w:cD̋:t#jaeYN 6Ƕl[va|Duv7H Xp,Px:IoF K7LG*%_[Gx9ʵVܞVkJU5}Tbt8ŤiUh9!mF(qxaixf/ )/O L%& J!47\CP |P*S7R(?hUeQb+Y75 U@ě8AnIݲY:/A>co۹I XPpӅMA9(WTD~N ̋XH t4*$:Wzm;A=~G{DLRO\q\؀!,E||z['AU}H?Km1Ahb#3FP0\Ǎ ~h/ew[= d.yt稯-dN`#o M0<ˏ@xpI<R+Ժ :My–2&.V< ?ra)rA1HSvFX~k[7?__RHe t083a*F2*mG{/׽nrj&[ք ᑰ 5" y6")(ĴF#1Cay 19S̮r'_A1S|6XP؟?pk7%H0Zinn) &.X`3O,2E<Ox}:; ܕiV!5;0 0aY:oN+r P:ς͈s!aZ; MꪂOJBveX &zđukwy |3fY3{8~kBOz%ruW0`A='i92bg4t\K =>1's;1h^]]|&gk$g׭}<\%9n]too;u{{}ٺn_s3 ca/慾,g6OFYi1;eNq(M1B*rK xU" /%Lqx&<>vbD(/& F8 |acꥧyzzljŵv_LǗ%֌fyS+NЦo1!c҇zIc r!>E.Z'}ҽlIJ/6//23_3ʯz}I8QޅnF9rz})കQ~'π>gvq^_>5ڧпvF?Ӿ(3s/Q?/akt2Ƨw2N|o'O'>N^f ?eCyF?(d^f%e\]f_O7CtAt3U\W_\gOe{Y_c}OYߧ >>eoʁo2ڿh&s$eCP̐.Np3Kqʠ/ޯVD=VbMdG,DlG\%[n3'Og6^K(c#h .Ñpۿ{e?|k2xwI0>ۓ{g\pm⦠ϻHڗ-AkOWxP[ЙqFޢD)Fyk@ǡ[x7JnAmzg4`/{̧dA]eGӠ[Y"B8#w0dH= 30vڢ{衜+ 7\xoc D́a[@R'|(VT+[-WJr= fDDã*R%}e`R++PPफ़h[iRo視 yVi8an%[z"z5~L@-1"/c@6of!3^86սD<gu~o2P e Sbb{ˈTbT|Jx}sϛm|LڸAÆo^Ėٵv"n<4Nwz:d@4ǝaƹr40Ow[h xqn9SYF  T zdKdp!gB-ҋKt!NPeD˺Uk:՞/k)(u–'*F'B.Nm`ؼ!:0BkNX?/ C||',ʉ pN1Q.`})}[fc%ݤ1{7a61!%_f]3&cc6Hm\wrlCknܙ%O_Zo/TùLHd v"ѱwPFvƒ_ r:'쭰F |m)۾b,ӧ6M\-On\{.|ۃOa`a?>N@U}C 1,̠AR(sMaMăW n,˽g#9=ASh4ϛW5EX{" szn%()%y+L9(م0U7VAgL3SY,> N_dvO~5B+π 8>eC[gI2T~kJ=*P=eZPO] n",gIo=G}k_VeńK]hFʪv\z#tnR'9"Ź oPm<% *`>.X&">m?9`"E3 "@"drtPŗ;ױ) Mm'#84B>ԼlQ޺%76x}҄ O1Su .Ыv>cx 'Lw65Tc *۳|?Oe Lt8?Bs`ܐ}olI CO?s^nT "+1 <&Eߟ2"L- Ԧ?MSw(\*],1Ał?vLw99 3/&U@EqDgPy 6s6Na^|ۺ+AўYmw|h[d%+^FHM`WH؂{XiWe1RpCV)tOደANt3CkW5`/=H]3(n)ZF1uVB\ (ct!L?Qa˟]lׁR#nHGTFM®":q`x];=k{.**kWȅnTx囤9mAU  =[=܋;ɾ ^f+3sƫӳ- ɤ{%̅AdagZ-*?҂o/ Q\F$30(ylHK9m5G0X1'(RGQv7}MaN*)Asa#El ;ApN7\29LgѸGgd#V+5%ӫrul#"|f`*H Ay,O~փ!gn耵gk݄6 g]9,Mc|Rc90޳`=`Z>]x O!0gWP Y-f1%Dv88)ҡCCĞB4fƲ 7cP.oX]-'B@:S .x CG,$?ˋ}P 399.@OI"cXM1}aE|S<'\B;W?aMd|Zk/o?XY/5;χ<|;Xyx(~']f(FRqO\|j8(>^tc3u㖗7O~pxy*mGӽ>mA0}U}!Y/7 ~c Whc<y&F{kfuU+kD;ydMn+:cSEᘸe=)jaKm9n~;1{l~r[)CUs̥D/4^JB\qrh6