Microsoft adds security to Win 2000

February release will include authentication, other tools for three versions

By Michael Cheek

GCN Staff

REDMOND, Wash. - Microsoft Corp. will send the government a late Valentine's Day gift on Feb. 17 in the form of extra security embedded in three versions of the forthcoming Windows 2000.

Craig Beilinson, lead Win 2000 product manager, said testing began early this month for the final release candidates: Windows 2000 Professional for one- or two-processor desktop systems, Windows 2000 Server for up to four-way workgroup servers and Windows 2000 Advanced Server for up to eight-way departmental servers.

Around June, Windows 2000 Datacenter Server will come out for hardware with up to 32 processors, four nodes and 64G of RAM, Beilinson said.

Win 2000 integrates several proof-of-identity and encryption technologies, said Shanen Boettcher, another Microsoft product manager.

Double checking

Kerberos authentication checks both sides of all transmissions between a server and client to assure identity. Fortezza, smart card, biometric and some Internet authentication protocols are part of all Win 2000 server versions, Boettcher said.

Microsoft's Active Directory with IntelliMirror will restrict users to the files and devices for which they are authorized. For example, an administrator could restrict a user to only one application with severely limited file access.

IntelliMirror would recreate the restricted user's setup no matter what client PC is used. Even files on the local drive would be accessible only if the administrator allowed it.

Active Directory's Access Control Lists, commonly referred to as ACLs and pronounced 'ackles,' manage users' access rights to everything on the network. The ACLs and other components come with a strong security lockdown, said Scott Culp of Microsoft's security response team.

'We don't want to ship a Fort Knox configuration and force users into a secure environment,' Culp said. 'We're targeting a spot that balances security with usability. The default load is a lot tighter' than for Windows NT.

Security levels

A Security Configuration Toolkit will let administrators set up a template for the Active Directory and other network components, Culp said. Default templates will be included for low, medium and high security.

Win 2000 natively supports a public-key infrastructure and permits encrypting files and folders under a new file system. The file system will upgrade NT File System drives automatically on installation and is compatible with 16- and 32-bit File Allocation Tables, Beilinson said.

A mouse right-click can encrypt any file, but the encryption stays on the system, Beilinson said. Users without access rights cannot get into the file, but the authorized user can transfer the file around easily.

Although encryption is much stronger in Win 2000, it is far from perfect security, said Josh Benaloh, a cryptographer with Microsoft research.

'The whole product line has weak cryptography that I wouldn't trust with anything of value,' Benaloh said, blaming tools and export restrictions that weaken PKI. Benaloh said he hopes for eventual support of 1,024-bit public keys but would prefer 2,024-bit keys. He said future Win 2000 versions will have better tools.
