Windows 2000 Special: Safe as houses?

Windows 2000 is the safest operating system Microsoft has ever shipped - at least that's what officials at the software giant are saying. Not a great claim considering the track record of its predecessor. So can you rely on the new OS? And what extra features does it provide?

An increasingly relaxed attitude to encryption from the US government means Windows 2000 will ship with 128-bit encryption - significantly stronger than previous versions.

The theory is simple: the stronger the encryption, the harder to break. But its effect on business transactions could be far-reaching. "If your email is encrypted it doesn't matter who gets into the system," said Dave Birch, consultant at security specialist Hyperion. "It means you don't have to rely on either the operating system or the network for total security."

The new OS also contains extra support for VPNs (virtual private networks), PKI (public key infrastructure) and smartcards.

Birch believes the key feature is Windows 2000's support for smartcard PKI. "The fact that Microsoft is pushing PKI is important," he said. "It's been the general opinion for a while that PKI is critical to business-to-business ecommerce.

"Everyone is now implementing the same basic standard. But Microsoft's seal of approval is important."

So Microsoft is hardly breaking new ground, but the company's continued adoption of security standards is important. Dominic Storey, technical director at PKI specialist RSA, said: "Its biggest impact will be highlighting security as an issue. Many business still don't see that as essential."

According to Storey, despite the added features, there are limitations in the OS which will become increasingly apparent - not least that the success of alternatives like Linux means it's unlikely to be an entirely Microsoft enterprise in the future.

"Security is a heterogeneous issue," Storey warned. "In reality business systems don't just have one operating system but a mixture of platforms. You can't solely rely on the security features in Windows 2000 - there's a big difference between a secure operating system and a secure enterprise."

Perhaps the operating system's greatest weakness will be its size. Storey added: "There's something like 30 to 60 million lines of code. Inevitably there are going to be some bugs and issues."

Hyperion's Birch agreed: "Anything that complicated has inherent security problems."

The point is echoed by Deri Jones, security services marketing manager at NTA Monitor. "The first rule of security is that 'simple is best'. Anything that complicated is bound to have problems.

"There are some new features in Windows 2000, but not really enough," Jones continued. "Many of the extra features sound interesting and useful, but my gut feeling is that it will have a long list of security problems."

So what advice can security managers take from all this speculation? The resounding viewpoint is one of wait and see. "It may give people a false sense of security," NTA's Jones said," but even if it was just an upgrade from NT - rather than a complete rewrite of the entire operating system - we'd still say, don't touch it for six months."