Microsoft Windows 2000 Security Test Goes Awry
Recently, Microsoft put a Web server running Windows 2000 beta and Internet Information Server (IIS) outside its firewalls and challenged the public to hack it. Almost immediately, site visitors reported problems with the code.
August 23, 1999
Recently, Microsoft put a Web server running Windows 2000 (Win2K) beta and Internet Information Server (IIS) outside its firewalls and challenged the public to hack it (http://www.windows2000test.com). The company announcement described the move as a good method to test the security of the new OS. Almost immediately, site visitors reported problems with the home-page HTML and Javascript code, frequently serious enough to prevent access. Services on the site, such as a site guest book, a GET service, and other functions, failed for many visitors. In addition, the server was down several times, once for about 8 hours. The site's status logs, which are posted, indicated that the outages were frequently unrelated to security, although service attacks clearly strained the system.The Linux community responded by announcing its own challenge, exposing a PowerPC-native version of Linux to the hacker community (http://crack.linuxppc.org/). After 7 days of continuous service, the server was rebooted when it hung, a problem apparently connected to a problem with RAM.Microsoft has issued the following statement explaining the goals and the problems of the test site. Microsoft Clarifies Issues on Windows 2000 Test SiteOn Monday, August 2, Microsoft put a Windows 2000 test server on the Internet to solicit feedback from its beta customers. The test server is scheduled to be online for approximately two weeks to test the capacity of the servers and analyze data from Windows 2000 beta testers. One of the key objectives of the test site is to provide Microsoft with valuable product feedback to improve and enhance the security of the operating system overall.Most sites on the Internet are placed behind a "firewall" -- a security system designed to protect the network from hackers and other threats such as excessive network traffic. However, this site was deliberately left unprotected as part of the test process; allowing unusually heavy traffic would test the system under high stress, help Microsoft to identify and fix networking issues, and help Microsoft ship a more reliable Windows 2000.Microsoft alerted testers to be aware of overloading the system in the "Ground Rules" section of the site, but some testers disregarded these rules and sent millions of random network packets to the server, which caused some downtime.It's important to note that system downtime is not synonymous with a security problem. Given that the site is designed for beta testers, Microsoft anticipated that there would be periodic downtime as updates and modifications were made and specific issues investigated. This is a normal part of such a test.The Windows 2000 test server is a 500Mhz Pentium II processor with 256MB of RAM running one of the latest builds of Windows 2000 Server Beta. There has been great interest in the site -- on average; it experiences roughly 500kb of traffic per second. There have been several attempts to compromise the system's security, including "fragment packet" attacks and network port scanning. So far, all such attempts have failed, and the site has yet to be compromised. A team of engineers is monitoring the site 18 hours a day, and 4 bugs have already been identified and fixed.During the first day the site was on line, while final configuration and testing was being done, the site received an unexpectedly high volume of traffic and experienced some downtime related to the following issues:1. The site is running a simple "guestbook" application that permits users to post their comments to the site. Someone posted a comment containing an HTML tag -- called a "META Refresh tag" -- into the text of their message; when people viewed this message, their Web browsers interpreted this as a valid HTML tag, which redirects users to another Web site. This is not an issue with Windows 2000 or Microsoft Internet Information Server. Instead, the issue lies in the application's input data filter. To respond to this issue, Microsoft increased the level of filtering to prevent the posting of comments that include HTML tags. 2. Since Microsoft did not anticipate such a high level of traffic, some of the site's event logs -- which were left on their default configurations -- became overloaded. 3.A major electrical storm in the Seattle area on Tuesday afternoon caused problems with the network operations center, forcing some system downtime.Product testing is essential in designing a secure operating system. This site was designed to test the beta release of Windows 2000, exposing it to above-normal loads of Internet traffic to ensure that the product is as solid as possible when released. In addition to this site, Microsoft has undertaken numerous steps during the beta lifecycle to ensure security of the product, including rigorous third party testing by independent security vendors.It's important to note that the presence of this site does not imply that Microsoft supports or promotes hacking. Additionally, the site is not meant as a publicity stunt, a challenge or a contest, it is simply a test site. The company plans to keep the site operating as planned through the beta test cycle.
Read more about:
MicrosoftAbout the Author
You May Also Like