Security Watch: Microsoft Wants to Be It

SAN MATEO (04/18/2000) - We in the security slice of the technology industry like to fancy ourselves on occasion the center of all things digital. (OK, we admit it's pretty much a constant sentiment.) It's thus quite gratifying when the mainstream press picks up on a security issue to help define perhaps one of the most formative events to strike the technology industry since ... well, since the last crop of technology antitrust litigation.

We are of course talking about the landmark nonagreement between the U.S. Department of Justice and Microsoft Corp. at the beginning of this month. But what does this have to do with security, you ask? In one of the accounts we read, a journalist decried the manipulation of the commonly adopted Kerberos authentication protocol by Microsoft to attain further penetration of the Unix back-office market.

Frankly, we don't see what the problem is: If you like Microsoft products, use them -- everywhere. If you don't like Microsoft products, don't use them -- at all. Simple, no? Well, maybe not.

We've highlighted the Microsoft-Kerberos issue in this space before, although in a more flattering light. As is well established by now, Microsoft is using a rarely implemented data field within Kerberos authorization tickets to contain Windows-specific authentication data. The field is undeniably part of the Kerberos specification, although there is some debate over its original intended use. Most widely adopted Kerberos implementations do not support the way Microsoft is using this field. The upshot is that you can enjoy broad compatibility, with one critical exception: Windows 2000 clients cannot access Windows-based services unless they are authorized by a Windows 2000 Kerberos domain controller.
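For readers who want to see the field in question, the following is an added example (not from this column or from Microsoft) that builds and walks the Kerberos AuthorizationData element in which Windows carries its authdata, using the ad-type numbers from RFC 4120 and MS-PAC and constructed placeholder PAC bytes; it shows the compatibility point above from the service side: a non-Windows service can skip the Windows-specific element when it is wrapped in AD-IF-RELEVANT, but must reject an unknown type placed at top level.

```python
# Added example (not from the column): build and walk the Kerberos AuthorizationData element
# (RFC 4120 sect. 5.2.6) carrying the Windows "authdata". Kerberos ASN.1 uses explicit tags.
AD_IF_RELEVANT = 1   # RFC 4120: a server may ignore elements inside it that it does not understand
AD_WIN2K_PAC = 128   # ad-type Windows uses for its PAC (MS-PAC), nested inside AD-IF-RELEVANT

def _tlv(tag, body):  # DER tag-length-value; short-form length is enough for the samples below
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body
def _int_der(n):  # DER INTEGER for non-negative n; the extra leading byte keeps the sign bit clear
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
def ad_entry(ad_type, ad_data):  # SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }
    return _tlv(0x30, _tlv(0xA0, _int_der(ad_type)) + _tlv(0xA1, _tlv(0x04, ad_data)))
def authorization_data(*entries):  # AuthorizationData ::= SEQUENCE OF ad_entry
    return _tlv(0x30, b"".join(entries))

def _expect(buf, pos, tag):  # read the TLV at pos, check its tag, return (value, next pos)
    if buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02X} at offset {pos}, got 0x{buf[pos]:02X}")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length, which real tickets need once a PAC is present
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def parse_authorization_data(der):  # -> [(ad_type, ad_data), ...]; rejects trailing bytes
    body, end = _expect(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after AuthorizationData")
    out, pos = [], 0
    while pos < len(body):
        entry, pos = _expect(body, pos, 0x30)
        typ, p = _expect(entry, 0, 0xA0)
        data, _ = _expect(entry, p, 0xA1)
        ad_type = int.from_bytes(_expect(typ, 0, 0x02)[0], "big", signed=True)
        out.append((ad_type, _expect(data, 0, 0x04)[0]))
    return out

def service_can_accept(der, understood=frozenset()):  # -> (accept, ad-types skipped)
    skipped = []  # unknown types are fatal unless wrapped in AD-IF-RELEVANT, as Windows does
    for ad_type, ad_data in parse_authorization_data(der):
        if ad_type == AD_IF_RELEVANT:
            skipped += [t for t, _ in parse_authorization_data(ad_data) if t not in understood]
        elif ad_type not in understood:
            return False, skipped
    return True, skipped

# Constructed samples; the PAC bytes are a placeholder, not a real MS-PAC structure.
SAMPLE_WINDOWS = authorization_data(
    ad_entry(AD_IF_RELEVANT, authorization_data(ad_entry(AD_WIN2K_PAC, b"PAC-PLACEHOLDER"))))
SAMPLE_UNWRAPPED = authorization_data(ad_entry(AD_WIN2K_PAC, b"PAC-PLACEHOLDER"))
```

Pass the set of ad-types your service understands as `understood`; a service that knows AD_WIN2K_PAC would then validate the PAC itself rather than skip it.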

Like the journalist we mentioned earlier, many are hypothesizing that this is an underhanded ploy to force non-Windows Kerberos shops to buy Windows 2000 Servers, a variation on the "embrace, extend, extinguish" business practice that Microsoft has been accused of many times in the past. Microsoft's defense that it is trying only to provide more robust functionality for Windows customers (extend) doesn't hold water, because the company has refused to release the specifications of the "authdata" field to others, forcing the purchase of a Windows 2000 Kerberos domain controller. This is more subtle than extinguish -- call it "infiltrate and forcibly assimilate."

Is Microsoft's nipping at the edges of the Internet monopoly with teensy extensions to Kerberos a good or bad omen for customers? We hope it doesn't take a government-mandated breakup to answer this question. A customer-driven coup, already under way with Linux and open-source movements, may finally break Microsoft of its bad habit of extorting capitulation to Windows dominance and force it to make each product a stand-alone market leader. This may require a serious commitment to non-Windows versions of these products, however, and that's not something Redmond has indicated a willingness to undertake.

The other main remedy, opening the Windows source code, is probably a nonissue, as evinced by the Kerberos incident. Most of the world seems to think currently that publishing details of a product (including portions of source code) serves only to improve security. In fact, we almost laughed ourselves into a seizure recently when reading a competitive review of Windows Media Player that actually criticized Microsoft's publication of a detailed Software Development Kit, leading to the inevitable hack that allows anyone to hijack copy-protected content. Does anyone truly think withholding the trivial authdata spec justifies the revenue from selling a couple Windows 2000 servers into a few highly Kerberized shops? There is only a small fig leaf left over Microsoft's "trade secrets," and we think it's more bureaucracy than maliciousness that prevents the last critical details from leaking out.

So, when Mr. Gates hires Carlos Santana to play his hit "Give me your heart ... or else forget about it" at the launch event for Windows 2000, is that the decision that he really wants to force customers into? After considering the ramifications of the Kerberos incident, we're not sure. He could just be angling to make a breakup look like a palatable punishment, while plotting much broader infiltration of the market after the dust settles.

So what'll it be? Will you sell your soul to Microsoft today in the hope that a single-vendor, end-to-end strategy will prevail over the best-of-breed approach? Or will you remain locked in a wait-and-see stance hoping to get all the best that Microsoft has to offer, with none of the overhead? Should we rely on one company to secure the Internet?

Of course, all of this could be just another ploy by the tort bar to keep the parade going (tobacco, guns, software), and as such it will probably drag on past any meaningful result for IT decision makers. Or are you already considering how to build a secure e-business infrastructure with or without Microsoft? Send responses, whether or not you use Outlook, to

Stuart McClure is president and CTO and Joel Scambray is a managing principal at security consultant Foundstone (
