April 1, 1997 1:15 PM PST
Microsoft puts out more fires
Today, a report in the Electronic Engineering Times spread the word that a new tool available on the Internet could harvest lists of user passwords from Windows NT servers. Officials at Microsoft (MSFT) jumped to NT's defense, insisting that the operating system is safe and that sensible security policies are enough to minimize any risks associated with the software.
The Electronic Engineering Times reported that a utility now circulating on the Net could let a hacker gain access to an entire registry of users and their security passwords. The software was originally written with the innocuous goal of moving NT users to Unix, but the report said the tool could be manipulated to bypass the Windows NT security framework. The hacker code is being circulated through a mailing list on the Internet.
However, Mike Nash, director of marketing for Windows NT Server, said the tool could only be used this way if the hacker had already obtained an administrative password. In other words, an administrator--someone whose job it is to govern security on the network--would have to either allow outsiders to access the server or give the information away.
"The conditions that would have to occur for this person to break in would have to be fairly significant," said Nash. "There has to be a lot of 'what ifs.'"
Nash said a company's security policy would have to be pretty lax for the hacker code to become a concern. And even if the lists of passwords leaked out, Nash says, they would be encrypted, making them virtually useless to most hackers.
In other words, Microsoft argues that the odds against this kind of security breach actually happening are so great as to be insignificant. In fact, no bug fix will be offered to address this specific breach.
Still, reports of another security problem following on the heels of a series of security holes found in Microsoft's Internet Explorer browser may make some users wary of the popular operating system. Windows NT has also had its share of problems, including a "service pack" or bug-fix release for the operating system that introduced more bugs than it fixed.
Microsoft knows this and is anxious to reassure users that a strong security policy can prevent these kinds of breaches. Nash said customers need to make sure their administrators know how to implement appropriate policy for their networks.
"Any system with an insecure set of policies could be subject to an attack," Nash noted.
The company has also posted several utilities and accompanying information to help customers bolster the security of their Windows NT Server systems.