We take the underlying premise that the Windows software program is a secure operating system, and aims to show how complex security management processes (combined with businesses' failure to properly implement security features) have resulted in today's myriad system insecurities.
Back in the 1980s, security was a prerequisite for corporate IT professionals whose mainframes and mini computers managed networked, multi-user environments and business-critical applications. The arrival of the PC gradually changed all that by enabling people to create small Local Area Networks (LANs) for workgroups to share files, printers and so on at a fraction of the price of a typical mini system.

When Microsoft developed the DOS operating system for the PC, it was designed to be easy for non-technical individuals to use. Security wasn't a great concern. Even when the successor to DOS – Windows 3.1.1 – started to be widely deployed in LANs, security remained something of a sideline issue.

By the time Windows NT appeared, systems developer Microsoft understood that in order to position the product as a business-critical operating system the organisation had to introduce security. Not easy, since the Microsoft user base had become accustomed to an open operating environment. Thus the security features built into NT were passive, and had to be actively turned on.

More security than meets the eye People today are much more aware of the need for security, which is now prominent in Windows 2000 and XP. Even with XP applications, there's a lot more built-in security than first meets the eye. Additional security features are there, but often users are not familiar with how to activate them.

Consequently, a lot of business operating systems are being left wide open and, whenever they are hacked or data is lost – or confidential information is being leaked – it's the operating system that shoulders the blame. More commonly, though, it's because the end user has not taken the time to configure in-house systems correctly.

The very fact that Windows network security requires time and painstaking effort is really the key to the whole issue. Although security features are there in Windows, traditionally Microsoft hasn't provided the tools that make it easy for end users to manage them.

One such tool, namely Microsoft User Manager for NT 3.5.1 and NT 4.0, allows you to manage the configuration of user accounts. However, it only lets you look at one machine at a time. As long as you only need to manage accounts created on a server this is fine – but if you want to control user accounts located on the workstations then User Manager has to be appointed for EVERY workstation.

The very fact that Windows network security requires time and painstaking effort is really the key to the whole issue. Although the security features are there in Windows, traditionally Microsoft hasn’t provided the tools that would make it easy for end u

Active Directory: a panacea? For those organisations that have adopted Windows 2000 on their servers and Windows XP on the desktop, Microsoft has now produced Active Directory. In use, Active Directory identifies all resources on a network and makes them accessible to users and applications.

In truth, this is a much more viable way of controlling security. That said, it's very much an all-or-nothing approach. Controlling the configuration of every machine, all of the security and workgroups on the network by way of Active Directory is a major task. For many existing Windows users, changing security over from an NT4 domain model to the Active Directory model is a daunting prospect. Not surprisingly, a gap in the market opened up for third parties offering add-ons for managing Windows network security.

Some of them adopted security tools originally written for other operating systems such as UNIX and bolted on a new component to enable Windows management as well. Such solutions fall into two categories. The first focuses on a generic front end for controlling multiple operating systems. Unfortunately, the differences between the operating systems are so great that the front end becomes too generic and the security features severely limited.

The second approach is to develop a bolt-on specifically for Windows. Often, the bolt-on is so different from the other parts of the product that it looks and feels like a separate entity.

Another common issue with bolt-on solutions is the need for agents to be installed. With operating systems like UNIX or VMS a single server may be responsible for 200 users. Where the number of servers is relatively small, it's quite reasonable to install security software on each machine. That said, a 200-user Windows network may well involve 10-15 servers and 200 Windows desktops.

To audit and manage all of those machines effectively requires agent software to be installed on all machines. Although some security vendors have reduced the requirement to 1-in-5 or 1-in-10 workstations, it's still a tedious task – particularly when upgrades have to be rolled out every so often.

Source

SMT

Postscript

Ian Turner is product development manager at Security Centre plc