Novell, Microsoft Finger-Pointing Continues

• 03/22/2000

In mid-February, Novell (www.novell.com) attacked with an article on its Novell Directory Services (NDS) Web site that claimed to expose a bug in Microsoft’s Active Directory. Microsoft (www.microsoft.com) countered, saying the alleged bug was in fact a feature. Novell went on to cite the support of BugNet.com (www.bugnet.com) -- a Web resource that tracks software bugs across a number of platforms -- for the bug designation. Microsoft responded that the Active Directory element was misunderstood by both parties.

The controversy swirls around inherited rights, a feature used by both directory services. Users can inherit rights based on membership in user groups, but top-level user groups inherit all of the rights and permissions of all of the groups below them. This isn’t always a desirable thing. A top-level IT administrator, for example, could gain access to any manageable resource in a directory -- including sensitive corporate data.

To prevent administrators with general administrative privileges from gaining access to sensitive resources, NDS has an inherited rights filter (IRF). The IRF’s security model prevents unauthorized administrators from controlling or accessing protected resources. With this safeguard, only the administrator or administrators who created the resource in the first place can modify it.

In Active Directory, according to Novell, an administrator who doesn’t have access to a particular resource can take control of the resource from the administrator who created it. In a report on its Web site, BugNet.com validates Novell’s claim: "Even after following the instructions provided to us by Microsoft in the report entitled ‘Novell Wrong About Windows 2000 Security Hole,’ we still think there is an issue here."

Microsoft agrees that an Active Directory administrator can take control of a resource belonging to an equal or lower-level administrator, but Microsoft says the scenario is a feature.

"Microsoft believes that … there are excellent reasons why an administrator should be able to reclaim ownership and control of an object, in a carefully controlled way," states Microsoft's rebuttal. "If [an administrator] becomes unavailable or leaves the company, the enterprise needs a mechanism for regaining access to the [resource] that does not depend on [his or her] availability and cooperation."

Further, Microsoft says, any changes a rogue administrator makes to a protected resource can and should be audited in the first place.

"The Take Ownership right provides a controlled and auditable way for the administrator to reclaim access to the [resource]," Microsoft says. "It is effective because the administrator can reclaim control. It is auditable because when it is exercised, it produces an entry in the security audit log and also becomes apparent to [the rightful administrative owner of the resource]."

If the NDS administrator who created a resource leaves a company without granting anyone access, an organization is locked out. That company must contact Novell for help, reset the administrative password itself, or use a third-party utility to do so. Novell also provides a "back-door" into NDS through a utility called DSDUMP and a password, which is changed regularly. Microsoft maintains that no such backdoor exists in either Windows NT or Windows 2000.

Russ Cooper, moderator of the Windows NT BugTraq discussion list (www.ntbugtraq.com) and a former NetWare administrator, says the controversy boils down to a fundamental difference in each company’s security philosophy.

"From Microsoft's perspective, a company should be able to control its own environment," Cooper says. "The feature that allows a Domain Administrator to retake ownership over any object within the domain means that a company can take actions over delegated objects should, for example, the delegated administrator leave the company. From Novell's perspective, they believe their customers may not want to trust their Domain Administrator."