I remember roughly when Windows 2000 “went gold”—when Microsoft finalized the shipping code for the product. It was mid-December 1999, and the product officially “shipped” in February 2000. I was writing part of a Windows 2000 book so I had early access.
Five years ago is a long, long time in this day and age, especially when it comes to security. A lot has happened since then, and things are far worse now than they were. Can we forgive Microsoft for being naïve about security in Windows 2000? I might have thought so at one point, but not anymore.
Yes, the real work on Windows 2000 was done as the Internet boom was at its most stupid, with people selling groceries online and Fedexing bags of dog food, but Microsoft wasnt that kind of company. It was run by experienced people who should have known better.
Melissa, the first great Internet mail worm was already 9 months old when Windows 2000 went gold. Network-based buffer overflows went back to the era of the Morris Worm (1988), when DOS was still mainstream and dinosaurs roamed the earth. We had lots of other indications that more sophisticated attacks would become easier, such as the introduction of SATAN (Security Administrator Tool for Analyzing Networks).
Instead, Windows 2000—and this applies most especially to Windows 2000 Server—shipped with all manner of services turned on by default. This is the most fundamental mistake Microsoft made. I dont think Microsoft would defend this decision anymore, after they changed direction so thoroughly in Windows Server 2003.
And, yet, security was definitely much on the minds of Microsoft developers when they designed Windows 2000; they just had the wrong approach to it. I asked Microsoft to comment on the fifth anniversary of Windows 2000 and what it said about security, and they reminded me of a long list of security-related features that they said made Windows 2000 a better product.
EFS (Encrypting File System) is not a perfect defense, but its a great physical security tool. Windows 2000 integrated PKI, IPSec and Kerberos. As the Microsoft spokesperson reminded me, “Windows 2000 launch also saw the payoff of our decade-long push for relaxed government regulation of encryption, and Windows 2000[s] was the first operating system to ship worldwide with strong (128-bit) encryption built in.”
Perhaps Microsoft approached security as just another list of features to include in the product? You might get that impression, especially since Microsoft brags that “Windows 2000 still holds the highest level of Common Criteria evaluation for the richest set of functions in a general purpose operating system.” But they also claim that the Windows 2000 development process included security code reviews and a special internal penetration test team.
I wish I could say otherwise, but whoever penetration-tested the original Windows 2000 used a rubber sword, and the security audits missed important problems. It wasnt until Windows XP Service Pack 2, only a year or two ago, that Microsoft got the right attitude about security. All you need to do is to look at Windows 2003 Server, especially with the forthcoming Service Pack 1, to see how wrong they were about security in Windows 2000.
The resistance in Microsoft that delayed this change in strategy is actually an admirable trait. Microsoft doesnt want to do things that break programs and make products harder for customers to use. Lets hope they keep the right attitude and point their considerable talents from here on towards making products that are both accessible and secure, out of the box.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer