Experts slate NT security

NT will never be as secure as the mainframe's MVS operating system or even Unix, warned leading IT analysts and security specialists last week.

The Windows NT registry, which holds key information on NT configuration, including passwords and access to resources on the NT system, is "virtually unprotected".

Drew Blandford-Williams, who heads up Axent Technologies' SWAT team investigating security hacks, told PC Week: "The NT registry is extremely vulnerable." The default password under Windows NT is just seven characters long and is padded out with zeros to make it 14 characters."

Blandford-Williams noted that dictionary programs used to break in to systems by finding valid passwords can submit half a million passwords per second on an NT PC. "The sophistication of hacking is so good," he commented.

NTBugTraq, a Web site run by Russ Cooper, is among many Web sites which highlight security holes in Windows NT. On the site, Cooper claims, a dictionary program could be used to crack an NT-encrypted password with a success rate of 60%.

Microsoft has a SWAT team in place to combat security issues with its software and a dedicated Web site at www.micro-soft.com/security. David Bridger, senior product manager for NT Server at Microsoft, denied the security risk in NT, and added that with NT 5.0, Microsoft will offer Kerberos security software and use the Active Directory to store security information.

Carl Hawe, director of computer strategies at analyst group Forrester Research, said: "(NT) would not be my first choice for a secure system."

Although Hawe expects the forthcoming release of NT 5.0 to fix some issues with security, he said NT will still not offer the same level of maturity as Unix, where a reasonable level of care has been taken in building in security. For instance, Hawe pointed out, NT is handicapped by backwards compatibility with technology such as NetBeui, which is insecure.

Dataquest analyst Kim Brown went further, arguing against Microsoft's plans to become a major enterprise player. "NT will never be as secure as MVS or Unix. Nor does it scale and the reliability simply isn't there," he commented.