News

Index Server Security Holes May Impede Deployments of W2K

• By Scott Bekker
• 02/08/2000

Two potential vulnerabilities were discovered last week in the Index Server component that ships with – and is installed by default in – Microsoft’s Windows 2000 Server and Windows 2000 Advanced Server platforms. Both vulnerabilities would compromise in some way the security of a Windows 2000 Server, either by allowing malicious users to view --but not change, add, or delete -- files on a Web server, or by revealing where directories are physically located on a server.

While the two most recent vulnerabilities are probably relatively minor in nature – especially because Windows 2000 hasn’t even officially shipped yet and because Microsoft (www.microsoft.com) has already provided fixes to patch the problem – the publicity surrounding them further serves to chip away at Microsoft’s already shaky quality-control reputation.

According to Dan Kusnetzky, director of worldwide operating environments with analyst firm and consultancy International Data Corp. (www.idc.com), a single misstep could indeed be disastrous for Microsoft. In Kusnetzky’s account, Microsoft has succeeded in winning over lower-end, business department-type accounts in most enterprise environments. It’s for this reason, Kusnetzky says, that Microsoft essentially owns the corporate desktop.

The software giant has not, however, succeeded in breaching the enterprise backroom, an enclave populated by cynical, seasoned IT managers, mainframes and RISC/Unix. Security issues and stability problems – the hallmarks of Windows NT’s enterprise experience thus far – are anathema to this crowd.

"Microsoft has spent so much time presenting the wonders of this software and saying how it will solve every problem for every person everywhere always that it will be almost impossible for them to live up to everything they’ve said," Kusnetzky says. "Because of this incredible hype, every misstep will get the closest scrutiny and will be immediately publicized. And missteps certainly won’t sit well with corporate IT staff who make decisions based upon standards compliance, stability, consistent support and a variety of issues that business people don’t always consider."

Russ Cooper, president of Ontario-based RC Consulting and moderator of the Windows NT BugTraq discussion list (www.ntbugtraq.com), says that because IT organizations have either decided to go ahead and deploy Windows 2000 1.0 or are waiting for a follow-up service pack release to begin their deployments, the latest publicized vulnerabilities probably won’t matter.

"I don't think it will make a difference. Some folks weren't going to go with the 1.0 version anyway, so they're supported by the report. And those that have already [deployed Windows 2000] are happy to see [Microsoft] being responsive as ever," Cooper says. "And those that were thinking about going with it will, hopefully, be reminded they have to stay up-to-date on these things always."

As far as Mark Housler, a systems administrator with American Partners Federal Credit Union (www.apfcu.com), is concerned, the recent Windows 2000 vulnerabilities might not be serious in and of themselves – but could ultimately serve as a sign of things to come after Windows 2000 enters general availability and is thereafter subjected to an expected deluge of attacks.

"It gets kind of scary when you think of the relative few number of folks who’ve had a crack at it so far," Housler says. "What will happen when they release the final version and it hits millions of PCs? Every high school kid worth his ‘NIX will be out trying to make the boys from Microsoft look bad."

On the whole, however, Housler acknowledges that because most savvy IT managers will choose not to install Index Server during Windows 2000 setup, the latest vulnerabilities are somewhat limited in scope.

"[I agree that] this particular item is of little consequence, and I would simply not install [Index Server], myself," he says. "At the same time, Microsoft should make a definite effort to educate customers about problems that they’ve already found. Not everyone is as studious as they should be when doing research prior to a product installation or upgrade."

Index server provides catalog and search services for Microsoft's Windows NT and Windows 2000 operating systems. In this sense, it provides the Windows NT/2000 equivalent of an Internet search engine and is tightly integrated with Microsoft's Internet Information Server (IIS) Web server platform.

Index Server is available with the Windows NT 4.0 Option Pack, can be downloaded separately, and ships with both Windows 2000 Server and Windows 2000 Advanced Server.

These vulnerabilities are especially critical in nature when Windows 2000 Server and Index Server are deployed in e-commerce implementations. By exploiting either of these two vulnerabilities, malicious attackers could gain access to sensitive, mission critical corporate data -- such as market research information about customers' buying habits or actual customer financial information such as credit card numbers or auto-draw bank account information. – Stephen Swoyer