Another Windows NT security hole

W ell, well - there's another big flap about Windows NT and security. Counterpane Systems recently an- nounced that it has discovered flaws in Microsoft's implementation of Point-to-Point Tunneling Protocol, which is used in many commercial virtual private networks (VPN). The flaws supposedly lead to password compromise, disclosure of private information and server inoperability in VPNs running under Windows NT and 95.

A look at the white paper - describing the problem - shows that the major crux of the security problem is that old bugaboo: the weak encryption NT uses for backward compatibility with pre-NT (that is, LAN Manager) systems. I wrote about this last year (NW, Aug. 4, 1997, page 22), spotlighting L0phtCrack 1.5, an application used to break into NT servers. Not surprisingly, L0pht's chief spokesperson, the well-known hacker Mudge, is listed as co-author of the Counterpane study.

Now there are other deficiencies pointed out in the white paper, but it's the backward-compatible, weak authentication that gets the most play. But as Microsoft points out in its response, a fix for this - allowing you to turn off the LAN Manager authentication - was posted on Microsoft's Web site more than a year ago. Another flaw noted, however, was that some installations of Windows 95 were unable to use the stronger NT authentication method and had to rely on the weak Lan Manager authentication. Neither Counterpane nor Microsoft was able to pinpoint for me a way to identify which Windows 95 installations could not use NT authentication. I did learn that all installations of Windows 98 will support strong authentication "out of the box." I just might revise my thinking on the business use of this new operating system, which appears to be targeted at the home entertainment market.

There's even better news to come late this year, or early next year, with the release of Windows NT 5. The default authentication method will be an implementation of MIT Version 5 Kerberos. While it will still be possible to turn on LAN Manager and NT authentication (again, for backward compatibility), in general, the L0pht will have to find another way to bash Microsoft and NT Server.

Like UnixWare and Novell DOS before it, NetWare for Macintosh will be spun-off to another company for future development and support. Later this month, it will be announced that Prosoft Engineering, best known for custom software, will acquire all of Novell's Macintosh products. It's rumored that the first new product will be an improved NetWare client for Macintosh, one including native TCP/ IP support. The downside is that Macintosh connectivity will no longer be included in the NetWare "Red Box" but will have to be purchased separately.

Kearns, a former network administrator, is a freelance writer and consultant in Austin, Texas. He is also author of the twice-weekly Network World Fusion Focus: Windows NT. He can be reached at wired@vquill.com.