Windows 2000 to Feature Enhanced Security
By John Makulowich, Senior Writer
Even as the launch date of Windows 2000 Professional and Server recedes faster than an echo in Yellowstone Park, the array of features available in these operating systems will impress the federal market. Among the primary benefits for customers such as the Department of Defense likely will be enhanced security for both users and administrators.
For those out of town lately, Windows 2000 Server is the spanking new name for the next big release of Windows NT Server as well as its family of products. That includes the Windows 2000 Advanced Server and Windows 2000 Datacenter Server.
The release date, according to an Oct. 26 announcement by Redmond, Wash.-based Microsoft Corp., is now Feb. 17, 2000, more than a year behind schedule. No price for Windows 2000 has been set yet, company officials said.
Along with Windows 2000 Server, Windows 2000 Professional, the operating system targeted at business, builds on Windows NT with features such as enhanced security, reliability and performance for those on the user side.
Security, according to Peter Houston, lead product manager for Windows 2000 Server, is one area where key improvements were made. For example, the new system extends support for multiple authentication protocols.
"Authentication is proving who you are. Windows 2000 Server and its Active Directory will support smart cards, biometric-type devices, Kerberos and PKI," Houston said. "It integrates the Active Directory and delivers flexible data protection in distributed environments. For one thing, it enables secure Internet business transactions."
On the desktop/user side, Windows 2000 Professional carries a new feature for secure file systems, according to Russ Madlener, lead product manager for Professional.
"The user will notice a way to encrypt file systems through a new encryption attribute. If you right click and choose properties, an advanced button will offer the opportunity to activate 40-bit encryption, thus preventing access to your files," Madlener said.
One issue cropping up among network administrators is deployment, or the order, if any, in which to install the different packages. Deployment does not have to occur in any particular order, but lots of customers will deploy Professional instead of Server because it will work with NT 4.0, Houston said.
"There are different degrees of deployment to consider, depending on your requirements. For example, are you looking for improved reliability of the kernel? Do you want to increase object limits? The ultimate upgrade would involve domain controllers, servers and desktops to Windows 2000," Houston said.
Analyst Jeffery Maxick of Madison Securities said the enhanced security features are one of a number of improvements that will bring Microsoft more government business. Windows 2000 is "definitely a huge project for Microsoft. It's a much more robust platform than Windows NT 4.0. It's going to offer a lot more features that customers will be able to use," he said.
That will enhance Microsoft's appeal when contending against operating systems offered by, for example, Sun Microsystems, Palo Alto, Calif., according to Maxick. For both government and commercial sectors, "the target market is enhanced by this new product offering," he said.
In upgrading to Windows 2000, it seems clear that network administrators are well-advised to have a plan and carry a checklist, given the number of ways to tackle the task of migrating to the improved software. Whether upgrading in place, restructuring or even consolidating domains, developers and administrators will have a wealth of tools and guides to accomplish the tasks. For example, a Deployment Planning Guide should be available on the Microsoft Web site within the next month.
Another interesting aspect of the Server product is the metadirectory strategy supported by the Zoomit VIA product, first released in November 1996, from Zoomit International of San Francisco. It allows the integration of different directories into a single metadirectory while it improves their functionality.
"We believe this approach will speed up the adoption of Server in the enterprise. It solves the problem of how to integrate the data about users and machines that reside in many different directories," said Houston.
In what he called a "hire-fire" scenario, in which a new hire must be added to many different directories and given multiple levels of access and then, if the worker is fired, removed from the system, the Zoomit product performed well with Active Directory.
Zoomit is important for Active Directory because AD allows the network administrator to delegate privileges to a very granular level; for example, to the human resources department that processes applicants for hire or fire.
"For example, you can give permission to a supervisor to reset user passwords but not create user accounts. We can precisely control the rights. You will find help-desk loads will go down as people in the network become more self-managing," Houston said.
As for Windows 2000 Professional, the focus was complete integration with the Microsoft browser, Internet Explorer 5.0, to make the Web pervasive and to fully exploit browsing the Internet. Among the added advantages for users is the ability to search a hard drive via the browser as well as see an expanded history of commands issued via the browser's address bar.
"While there was a lot of focus on the user interface, it was not to dramatically change it. We tried to basically take certain areas and tweak them to make people more productive," Madlener said. "You will see that in the way we combined dial-up connections, added [virtual private network] connections and made the UI adapt with menus by monitoring what the user does."
Another modification power users will like is the improvement to the O/S registry with the addition of the Microsoft Installer Service. The challenge here was to get the O/S to better recognize what happens during the installation of third-party applications and utilities. It was not only a process of tweaking the code, but also of educating vendors about where to install their products, specifically the DLLs, or Dynamic Link Libraries.
In fact, Madlener said the System32 folder or directory may be read-only in the future to prevent malfunctions of the O/S.