Microsoft is downplaying the significance of two recent security concerns that could affect Windows NT.
The first of these, which is called Domain_Create_Alias, allows domain users to continually create new user groups, until the server becomes resource-starved. It was introduced as a feature to allow for easy group creation. However, it can be used to instigate a denial-of-service attack, although the company denies it poses a serious threat.
"It's not a problem, in the fact that it's a documented feature since the release of [NT] 3.1," said Karan Khanna, product manager of the Windows NT security team at Microsoft. "There are many other low-hanging fruits to create denial-of-service attacks."
Despite this claim, Microsoft has a fix, called CREATALS.EXE, which is available to anyone who requests it, Khanna said. Even this fix has its problems, however, and some users have noted that it can conflict with some Registry settings.
Khanna also said the company is working on a more user-friendly version of the tool.
The second NT security concern emerged when a security consultant group -- Counterpane Systems, in Minneapolis -- recently showed how flaws in the Point to Point Tunneling Protocol (PPTP) can be used to exploit NT virtual private network systems. The PPTP vulnerability is due to faulty password obfuscation and encryption algorithms within NT, which allows for a brute-force dictionary attack to gain access to passwords, according to Bruce Schneier, Counterpane president.
Microsoft is aware of this problem and has put a paper on its Web site that describes it and suggests remedies. It can be found at http://www.microsoft.com/communications/pptpfinal.htm.
Ed Muth, group product manager at Microsoft, said NT 4.0 is shipping standard with the vulnerabilities and needs the fixes to be more secure. In the longer term, Microsoft plans to make changes in the forthcoming NT 5.0 to address the problem, according to Muth.
Microsoft Corp., in Redmond, Washington, can be reached at http://www.microsoft.com.