Window Manager
Brian Livingston
Is Microsoft's change in Kerberos security a form of 'embrace, extend, extinguish'?

LAST WEEK, I mentioned in passing that Microsoft had included in Windows 2000 a nonstandard version of the Kerberos security protocol. This subject bears a little more explanation.

The Kerberos standard is named for the mythological three-headed dog that guards the gates of Hades. It's used to authenticate users logging on to a server. Unlike NT LAN Manager (NTLM) authentication -- the LAN Manager-style authentication in Windows NT 4.0 -- Kerberos uses a more efficient "single sign-on" method to maintain security between users and servers on a variety of operating systems. Kerberos was originally developed at the Massachusetts Institute of Technology (MIT) in the early 1990s. The Internet Engineering Task Force (IETF) then adopted it as a networking standard (see for details).

Microsoft released Win2000 Feb. 17, with Kerberos replacing the weaker NTLM security protocol. But outside observers noted angrily that PCs using Win2000 Professional couldn't exchange authorization information via standard Kerberos with Unix servers and others. This keeps the servers from providing access control in a domain -- unless the servers are Win2000.

Critics said Microsoft's change to the standard was part of an "embrace, extend, and extinguish" strategy. "They want to force everyone to use ... a Win2000 server," said Ted Ts'o, a former member of MIT's Kerberos development team, in the April 2000 Linux World (see

During much of the Win2000 beta test, networking pros demanded that Microsoft reveal the secrets of its modifications to Kerberos. Microsoft developers said at various times that the company would do so.

On April 28, after my last column had been written, Microsoft posted on its Web site a document that explains the changes (see Microsoft had made use of an Authorization Data field that IETF had left undefined for future use.

The posting only raised more suspicions. To run the self-extracting file that installs the document, you must click OK to accept a nondisclosure agreement. It states that the information in the document is a "trade secret of Microsoft" and you aren't licensed to use future versions or extensions of the standard.

Of course, you can bypass the agreement by opening the self-extracting file in WinZip before viewing it. The federal law's definition of "trade secret" stipulates that "the owner thereof has taken reasonable measures to keep such information secret." So it's unlikely that Microsoft could legally enforce nondisclosure.

The mere threat of legal action, of course, is enough to chill most competitive development. Jeremy Allison, a member of the open-source Samba project, said in an Internet newsgroup, "This, of course, is a very clever way to pretend to distribute the spec, whilst making it completely impossible to implement in open-source Kerberos servers" (see

I sent an e-mail message to Microsoft asking about the "trade secret." A spokesman said an official response was held up in the aftermath of the "I Love You" worm that affected Microsoft's e-mail system.

Meanwhile, Bryan Muehlberger, principal at DirectPoint Information Group, a St. Louis-based Microsoft Certified Solution Provider, offered a sympathetic view.

"Microsoft has made use of an available field, but not in a way that it was intended to be used -- and, of course, didn't document or mention this change anywhere," Muehlberger said. "In Microsoft's defense, they have to use the field this way. Basically, Microsoft has included in this field the SIDs [security identifiers] that specify a user's role/access to a particular resource. Since all resources in a Win2000 environment are protected by access control lists, if Microsoft did not include the SIDs in this field, then the resource would have to contact the Domain Controller for this information -- just like it does with NT LAN Manager authentication -- which hurts in terms of optimization."
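The trade-off Muehlberger describes, and the interoperability problem the column opens with, can be seen in a small model of a resource server making an access-control decision. This is an added illustration, not code from the column, from Microsoft or from MIT Kerberos: it models a ticket whose Authorization Data carries a vendor-specific element listing the user's SIDs, a server that understands that element and decides locally, and a server that does not understand it and must fall back to asking the Domain Controller, just as it did under NT LAN Manager. The SIDs, the ad-type number, the ACL and the "domain controller" directory are all constructed for the example; the real on-the-wire encoding is not reproduced.

```python
"""Added example (not from the column): SIDs carried in a Kerberos ticket's
Authorization Data versus a per-request lookup at the Domain Controller.

All values below (SIDs, ad-type number, ACL, directory) are constructed for
illustration and are assumptions, not the real Windows 2000 encoding.
"""
from dataclasses import dataclass, field
from typing import List, Tuple, Dict

# Illustrative ad-type number for the vendor element that carries SIDs (assumption).
AD_TYPE_VENDOR_SIDS = 128


@dataclass
class AuthorizationElement:
    """One element of the ticket's AuthorizationData: a type tag plus opaque data."""
    ad_type: int
    ad_data: bytes


@dataclass
class Ticket:
    """Simplified ticket: the client name and its AuthorizationData list."""
    client: str
    authorization_data: List[AuthorizationElement] = field(default_factory=list)


def encode_sids(sids: List[str]) -> bytes:
    # Toy encoding: newline-separated SID strings (constructed, not the real format).
    return "\n".join(sids).encode()


def decode_sids(data: bytes) -> List[str]:
    return data.decode().split("\n") if data else []


# Constructed directory: which SIDs (user and groups) belong to each account.
DC_GROUPS: Dict[str, List[str]] = {
    "alice": ["S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-2000"],
    "bob": ["S-1-5-21-1-1-1-1002", "S-1-5-21-1-1-1-513"],
}


class DomainController:
    """Issues tickets and answers group lookups; counts lookups to show the cost."""

    def __init__(self, groups: Dict[str, List[str]]) -> None:
        self.groups = groups
        self.lookups = 0

    def issue_ticket(self, client: str, include_sids: bool) -> Ticket:
        ticket = Ticket(client)
        if include_sids:
            # Win2000-style: place the user's SIDs in the Authorization Data field.
            ticket.authorization_data.append(
                AuthorizationElement(AD_TYPE_VENDOR_SIDS, encode_sids(self.groups[client]))
            )
        return ticket

    def lookup_groups(self, client: str) -> List[str]:
        # NTLM-style round trip to the DC at access-check time.
        self.lookups += 1
        return list(self.groups[client])


def authorize(ticket: Ticket, acl: set, dc: DomainController,
              understands_vendor_element: bool) -> Tuple[bool, bool]:
    """Decide access for one resource.

    Returns (allowed, used_dc_lookup). A server that understands the vendor
    element evaluates the ACL from the SIDs in the ticket; otherwise it has to
    contact the DC for the same information.
    """
    sids = None
    if understands_vendor_element:
        for element in ticket.authorization_data:
            if element.ad_type == AD_TYPE_VENDOR_SIDS:
                sids = decode_sids(element.ad_data)
                break
    used_dc = False
    if sids is None:
        sids = dc.lookup_groups(ticket.client)
        used_dc = True
    allowed = any(sid in acl for sid in sids)
    return allowed, used_dc


if __name__ == "__main__":
    dc = DomainController(DC_GROUPS)
    acl = {"S-1-5-21-1-1-1-2000"}  # only members of this constructed group may read
    win2k_ticket = dc.issue_ticket("alice", include_sids=True)
    print(authorize(win2k_ticket, acl, dc, understands_vendor_element=True))   # (True, False)
    print(authorize(win2k_ticket, acl, dc, understands_vendor_element=False))  # (True, True)
    print("DC lookups:", dc.lookups)
```

Two points for a defender follow from the model. First, a server that decides locally is trusting whatever the ticket's Authorization Data says about the user, so that design only holds up because the ticket is encrypted under the service's own key and cannot be altered in transit by the client; any server that accepts such data from an unprotected source has handed the client its own authorization. Second, a server that does not understand the vendor element is not insecure, it is merely back to the per-access Domain Controller round trip that Kerberos was supposed to remove, which is exactly the interoperability cost the critics in the column are describing.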

What's your opinion? Send me your thoughts, using "Kerberos" as the subject.


Operating Systems

Copyright 2001 InfoWorld Media Group, Inc.