Is security in the Windows operating system lax, or are Microsoft operating systems merely an easy target?
Hackers have zeroed in on Microsoft. Data from Attrition.org show that from August 1999 to March 2001, nearly 60% of server defacements took place on a Windows-based server. Data from Netcraft.com show that in that same time period, NT/2000 represented 22% of all Web servers deployed. So a Microsoft server is three times more likely than a Unix server to be attacked. Why the disproportion? Blame a combination of hackers being focused on Microsoft and Microsoft's blind spot about security.
What specifically is the "blind spot"?
The blind spot grows out of their historical focus on putting power in the hands of users, a focus that doesn't fit well with most accepted security practices. Nor does it help you sell to enterprises, which want to put power in the hands of administrators who can keep tighter control on security. Microsoft is trying to change that.
How is Windows security improved over NT?
The design of Win2k included a lot more security features. But from a security point of view, software is always most vulnerable when it first comes out. And newer software is always more vulnerable than older software. That's why when Win2k was released, we recommended that it wouldn't be security-ready until the third quarter of 2001. We think they are right on schedule. And with the patches that are coming, Win2k will achieve greater security levels than NT towards the beginning of 2002.
How is this changing?
As Microsoft moves to a more enterprise-oriented culture, they are revising their ways of doing business. For example, their Secure Windows Initiative represents a move to make their own internal processes more responsive to security issues and problems. They are also working to educate developers and promote better testing standards. We think there is a 50% chance that by 2004, MS server operating systems will be more secure than the norm. But there is also a 30% chance that by 2003, something will happen to cause MS to shift its overall direction away from security -- something that no one can foresee, like the rise of the Internet five years ago. There is a 20% chance that the Secure Windows Initiative will fail. I believe that Microsoft is sincerely trying to walk the walk. Will they stick with it, or will they fail? No one knows.
What are some key security issues IT managers should consider before and while migrating to the Windows 2000 OS?
Active Directory is still a big issue because there is a temptation for outside consultants to get overly elegant with an AD design -- and elegance is an enemy of security. There is also a tendency for companies to design overly complex AD deployments, which makes it harder to use some Windows 2000 security features. We also admonish our clients not to use any first-generation product right away because of security concerns that need to be addressed. That's why we are telling clients not to use ISA Server until the end of this year.
How does Windows security compare with Unix?
Microsoft certainly doesn't have a monopoly on security bugs. One reason for today's firewall market is the bugs in Sun's operating systems. But Solaris has been around for a long time now, so some of its earlier security issues have been worked out. Today, Windows is catching up with Unix in terms of security. Gartner believes that by the end of 2001, Windows will have been sufficiently tested to be suitable for security-critical applications. And with MS's desire to be a serious enterprise player, they've put in place major process changes to make their security better. Linux, on the other hand, is a mixed bag. If Linux vendors effectively manage the open source process, they will produce products that get more secure faster than proprietary OSes. However, merely repackaging source code and splashing "open source" on shrink-wrap boxes will do little to increase Linux security.
Is all the bad publicity about Windows security (or lack thereof) warranted?
Enterprises need to understand that hackers typically target companies like Microsoft because it has a lot of power over users. Add to that the press surrounding research from consultants like Gartner Group, which believes that a dominant vendor like Microsoft should be held to a higher standard. We sometimes tend to sound overly harsh, but in the long run, we feel the criticism of Microsoft security is well deserved.
John Pescatore is a vice president with Gartner's Research organization. He has 22 years of experience in computer, network and information security, including stints with the National Security Agency, the US Secret Service, Entrust Technologies and Trusted Information Systems.