When assessing security issues of migrating to Microsoft's Windows 2000 operating system, it might be wise to consider the experience of ArchMedia. The Boston-based interactive marketing and public relations firm converted 12 machines in May in a "bizarre migration" that exposed its network for several hours and cost the company thousands of dollars in estimated billable hours.
"We used our own IT staff and found that, in addition to major hardware and software incompatibilities, we also suffered problems with intranet security and VPN access. The downtime cost us several hours of billable work, e-mail access was crippled, our virus-detection utilities ceased to function, and Internet access was spotty at best. In the end, the so-called 'networking solutions' offered by Windows 2000 were not necessarily worth the change" says Teresa Smith, ArchMedia's general manager.
Not exactly a ringing endorsement for Windows 2000. Yet once security issues were sorted out, Smith says ArchMedia noticed measurable productivity gains from enhanced file sharing and Internet sharing. Smith's advice: invest the time and money for a full-scale test lab to detect security glitches before you migrate. "If I had to do it over again, that's what I'd do," Smith says.
Before you migrate, analyze
Experts and other Windows 2000 adopters echo Smith's counsel: planning and testing, they say, are keystones in a network-migration strategy that helps you both
"The issue is not so much about security as much as access control. When you move a set of files from NT to Windows 2000, those access rights don't travel," says Bill Mackin, executive vice president of Tranxition Corp., a Beaverton, Ore.-based company that provides network migration tools.
Mackin recommends pre-migration security audits to assess what information needs to be available to individual users after machines and data are moved. This makes it easier for administrators to reconfigure permissions and map access rights to appropriate individual users once the migration is complete.
"Mapping a Windows 2000 migration to only one building or one domain is fairly simple," adds Marcus Goncalves, chief knowledge officer of Virtual Access Networks in Lawrence, Mass. "But if you're migrating beyond the boundaries of your (physical) network, you may want to put in place a virtual private network, or use encryption tools running Secure Sockets Layer, or even Secure Socket Shell, for data traversing the Web to remote sites."
Lock down the system
Heterogeneous environments running both NT and Windows 2000 on desktops face the additional pressure of maintaining security for both OSes, notes John Pescatore, a vice president with Gartner Group of Stamford, Conn. "It's not rocket science," says Pescatore, "but it does make it more complicated when you start adding Active Directory servers to an NT environment where the trust relationships in your NT domain controller already are set up."
On the server side, Gartner is advising companies to move cautiously. And thus far, research indicates that users are taking that counsel to heart, particularly with Microsoft's own new firewall product, Internet Security and Acceleration (ISA) server. "ISA is Microsoft's attempt to be more security-focused, but thus far I think they've had mixed results," observes Cliff Rittel, director of information technology for ADCS Inc., a document-conversion company headquartered in San Diego, Calif. "We're not deploying ISA yet."
Pescatore applauds this wait-and-see approach. "We've been telling companies not to migrate until their applications dictate -- until they know all their applications are compatible with Windows 2000," he says. At ArchMedia, for example, Smith says her company was well into its migration before discovering certain software it had purchased didn't work in the Windows 2000 environment.
Active Directory: security boon and bugaboo
One of the biggest security planning helps and headaches migration veterans report revolve around Active Directory, Microsoft's trademarked centralized and standardized system for automating network management. The good news, says Rittel, who ran a pre-migration test of several hundred NT machines, is the more "granular" security Active Directory showed during migration planning and testing. The security improvements boosted user-access control by giving Rittel greater ability to determine what individual users could see on the network.
The big thing about Windows 2000 is the organizational units and grouping of objects that stem from AD's group policy feature, Rittel says. "There are hundreds of thousands of ways to lock down what users can access," he says, "whereas in NT you had to give them the entire ball of wax. As a system administrator, that was always a security concern."
Similarly at Peace Health, an Oregon-based health care system, which is also running a migration test lab, Senior Network Analyst Andy Landen says AD's ability to focus permissions on specific user groups has been a major security boon. "We have lots of people who need lots of (access) rights, so in the past we've pretty much given them the keys to the kingdom," he says. "The fact that I can narrow down to a specific level and can create accounts in a trust area is huge."
But that type of control can also present problems, especially if your IT staff lacks sufficient training, notes Bill Wall, chief security engineer with communications equipment company Harris Corp. of Melbourne, Fla. "It's possible to lock down the security template so tightly it becomes impossible to use. You could wind up turning off services you really need, like user commands and user shares. It's even possible to deny remote entry to your own Registry," says Wall, whose company moved from an NT environment to Windows 2000 about a year ago. Adds ADCS' Rittel: "Windows 2000 definitely takes the skills of your system administrators to the next level. Otherwise, you're looking at a very large consulting bill."
An ongoing process
Migration veterans also caution against letting your guard down after the migration is complete. Once you are up and running with Windows 2000, Mackin recommends designating someone in your enterprise to oversee security audits on a regular basis with automated third-party software that removes human error from the process. These audits could spot loopholes and security leaks as you add applications or upgrade machines.
In addition, IT pros must be also be vigilant about installing security patches that have been coming out of Redmond at a fairly steady clip. That's a lesson the University of Vermont School of Business Administration learned the hard way this spring after migrating five servers supporting about 1,300 users -- including three computer labs.
"We live behind the campus firewall," explains John Ritter, information system specialist at the business which is the only part of the university running the Windows 2000 platform. "We interface with Unix boxes and store our sensitive data there," he says. "We're basically running NT security, although we do run Internet Information Server (IIS) on two servers."
But because the school runs on a subdomain, exposed to the outside by being attached to the root domain of the University, a hacker in China was able to invade the network and alter a few Web pages before the IT staff got around to deploying a new security patch. Ritter shudders to think what might have happened had his data been severely altered during the breach. His advice: "Take time to be aware that the patches are out there. Then take time to apply them right away."
Garry Kranz is an independent business and technology journalist based in Richmond, Va. Reach him at email@example.com.