Special feature
Windows NT security: Kudos, concerns, and prescriptions

https://doi.org/10.1016/S0167-4048(99)80065-0

Abstract

Whether or not the security capabilities of Microsoft's Windows NT are adequate is the basis for considerable controversy. Windows NT is built on a defensible security model. It also offers many security-related capabilities, such as the NT File System's (NTFS's) granular permissions, the User Manager for Domains' Account Policy settings that allow control over password length, bad logon limit, and so forth, multi-tiered privilege assignment, challenge-response authentication, reasonably sophisticated auditing, and others. Detractors, on the other hand, point to the large number of security-related vulnerabilities that have emerged in relatively few years and complain about problems such as an outdated security model, weak out-of-the-box security, weaknesses in implementation of network services and protocols, immaturity, and so forth. Rather than directly addressing this fascinating controversy, this paper enumerates areas in which improvement in security capabilities is most needed. It then recommends a strategic direction for Windows NT security, presenting suggestions such as stabilizing one release, fixing the security-related problems due to Windows NT's backward compatibility capabilities, addressing the weaknesses in networking, adhering to accepted standards more often, and others. Ultimately, however, the user community will drive whether needed changes will or will not be incorporated into future releases of Windows NT.


The assistance of Jesper Johannesen, who reviewed and provided suggestions for a previous version of this paper, is gratefully acknowledged.

Dr. E. Eugene Schultz, CISSP, is Research Director/Trusted Security Advisor and Visiting Scholar, Global Integrity Corporation (an SAIC Company) and Purdue University.
