The question was recently raised as to why we choose to work with Windows
NT technologies on some projects, rather than one of the various *NIXs
(e.g., Linux or one of the various flavors of Unix). Security and
reliability are among a few of the well-known concerns about using an
NT-based platform. Consequently, I drafted this document to address some of
these issues and to document some of the advantages of going with NT.
Security
Windows NT initially got a bad rap for its security problems. This was
largely due to Microsoft's emphasis on ease-of-use at the expense of
security. While ease-of-use still remains at the forefront of Microsoft's
product-development efforts, it might appear that MS has finally heard the
voice of concern and has begun taking strides to fix the problem. In fact,
last year Windows NT won Britain's highest level of
security certification:
After more than a year of intensive testing, the U.K. Information
Technology Security Evaluation Criteria (ITSEC) certification board awarded
Windows NT Server 4.0 and Windows NT Workstation 4.0 an E3/FC-2
rating -- generally acknowledged as the highest security evaluation possible
for a general-purpose operating system. The security standards agency
evaluation included examinations of the source code and design
documentation of Windows NT 4.0 with Service Pack 3. Testers also had
direct access to the engineers who designed and tested the server operating
system.1
Further, Microsoft has announced plans to work more closely with the U.S.
federal government to ensure high-level SSL encryption, which will
make secure transactions, such as e-commerce purchase transactions, even more
secure:
Microsoft Corp. today announced plans to support FIPS 140-1 and FORTEZZA,
two key federal cryptographic standards important to the protection of U.S.
government communications. As part of a broader federal security
initiative, Microsoft plans to include in future products National
Institute of Standards and Technology (NIST) FIPS 140-1-validated
cryptographic modules as well as native support for secure sockets layer
(SSL) Web communications using FORTEZZA. This support underscores
Microsoft's continuing commitment to meet the security requirements of its
federal customers. This commitment already includes supporting several U.S.
Department of Defense initiatives, including the Defense Messaging System
(DMS), Medium Assurance Messaging, Desktop and Network Security Frameworks,
and Public Key Infrastructure, as well as trusted systems initiatives such
as C2 compliance and evaluation.2
Further, Windows 2000 (W2K) is being touted for having even greater refinement
in the areas of security, reliability, and performance.
Leading security specialists at Internet Security Systems (ISS Group) have
concluded that Windows 2000 represents a great leap forward for the
security of Microsoft products. In addition, it raises the bar for the
entire industry by integrating leading-edge security technologies, as well
as addressing the lessons learned from one of the world's most prolific
operating systems. This combination of innovation and experience makes
Windows 2000 the most secure operating system Microsoft has ever shipped,
and certainly one of the most secure in the industry today. See the details
of this study at http://www.iss.net/w2k/.3
Reliability
As with security, Windows NT reliability has improved drastically over the
past few years, through OS revisions and service pack releases. NT4
represents a major reliability enhancement over previous versions:
Microsoft has improved the reliability of Windows NT Server 4.0, providing
a comprehensive set of updates in Service Pack 5 (SP5). Strengthened with
the improvements in Service Pack 4 and Service Pack 5, Windows NT Server
provides the highest reliability and availability. Reliability is one of
the most powerful characteristics of the Windows NT Server operating
system. The system ensures high availability of information and services
in three ways: by uniformly handling hardware and software system faults,
protecting user programs from each other as well as the system, and
providing data and system recovery mechanisms. Windows NT Server has the
ability to tolerate faults while still maintaining the availability of the
system, applications, network resources, and data.4
Once again, however, W2K is being touted by high-profile professionals in
the industry as being a leap forward in the product's quality.
Overall, dot.com IS managers indicated that they were very pleased with the
scalability, reliability, and manageability improvements they found in
Windows 2000 over Windows NT. . . . [but their study was] inconclusive in
the area of directory services (specifically the use of Active
Directory) -- the dot.com IS managers interviewed had not yet made extensive
use of the policy/procedure and management extensions built into the new
directory server.5
Michael Dell, chairman and CEO of Dell Computer Corp., also came out in
support of this new version of the OS. "If you care about stability,
reliability, and manageability, you should run [Windows 2000] across your
enterprise," said Dell.
And he takes that personally: Dell runs Windows 2000 on his own laptop; his
company runs its Web site with it.6
Another issue to consider when looking at reliability is viruses.
As Linux users are quick to point out, their environment remains largely
virus-free to date, but this may soon change as the user base increases.
Whereas Microsoft has already dealt with this issue and a plethora of
virus-protection options exist, Linux remains virtually unprotected, as
pointed out in an article titled "The Coming Linux Plague":
Linux (and the other versions of Unix) desperately needs credible
anti-virus software to stave off the coming epidemic before it happens.
Think of it as a flu-shot.7
So this all begs the question: Is a *NIX platform a better way to go?
Darryl Braaten, a member of the Site Server list on 15seconds.com, had this
to say:
"There is definitely more effort put into making some versions of *nix
secure. But in general I would not call it better or worse than NT in
general. I have a few machines sitting in the clear [and] the only one
that was ever compromised was a Redhat Linux box."8
Robert Chartier, also of the list, further commented by pointing out that a
lot of times it's more about the quality of the team, not the operating
system, that makes the biggest difference in the security of a system:
"One of the points I did try to get across was that on
either system there are steps that have to be taken to secure the box down,
you just have to know how to do it properly and unfortunately a M$
certification just does not cut it. I would look more at experience than
certification."9
So the consensus from the community seems to be that a *NIX-based platform
is not the be-all, end-all quick fix to the issue of stability and security
that some might contend. Further support comes from a recent ZDNet article
entitled "Microsoft's Not The Only Security Foul-Up":
All of the Unixes, including BSD, Linux, SCO and Solaris, have more than
their share of security problems. Think about it. The recent rash of
distributed denial-of-service attacks were all launched from unsecured
Solaris systems. And, much as I rag on Outlook, the all time champion
application for security holes must be that Unix mail transfer agent, which
still sends most e-mail along its way: Sendmail.
Windows, Linux, whatever. If you want your systems to be trouble-free, you
need to take a lot of trouble. Hard work and due diligence are the only
real security answer.10
Vendor Support
Now that we have taken a stab at defending the NT platform, let's
focus on some of the advantages.
One of the greatest advantages to choosing any product that will be the
foundation of your business is vendor support. In an article in
NetworkWorld.com, Mike Daher, vice president at MicroStandard Distributors,
said:
"Until [system builders] get the support we need from Red Hat, until they
come to us instead of thinking we all have to come to them, open source and
Linux is going to continue to be all hype.
"I'm no more of a fan of Microsoft than the next person, but I can say that
the support we get from Microsoft is superior, and less expensive.
Microsoft always comes to our door, they bring demo units, keep us
in touch with their engineers, and certification for our people costs only
$2000 each, on-site. Red Hat wants $5,000 a person and we have to fly our
people to Durham, [N.C.]."11
Platform-Dependent Rapid Application Development (RAD) Support
As if that wasn't enough of a reason to seriously consider an NT-based
platform, look at the tremendous advantage provided to developers writing
Active Server Pages (ASP) with the use of Site Server. Site Server is a
collection of COM objects that extend the capabilities of ASP, and thus
have the ability to significantly reduce the amount of time and effort
needed to develop a Web application. It features components that aid in
the production of Personalization and Membership functionality, commerce,
and auction solutions, and more. Marc Tabini, a noted Site Server developer, said:
"Microsoft Site Server is something similar to a team of engineers
available for building advanced websites. In the hands of a well-trained
developer, Site Server can do miracles as demonstrated by the Barnes and
Noble, and Dell online stores."12
A book on the topic of Site Server introduces the product by saying:
In this sort of environment, starting from scratch in a complex, scalable
site can be an expensive task. Site Server 3.0 gives you a head start in
putting your site together and building a scalable
configuration.13
Finally, what industry leaders are doing should be considered. What, after
all, is a better indication of a product's viability than what your
predecessors have chosen to do? Compaq and
CyberSource have both come out in support of the Site Server Commerce
Edition, Commerce solutions, and the implicit NT platform.14
An independent survey conducted by Netcraft also provides some useful
information.
"We've seen a significant increase in the number of e-commerce customers
using a Microsoft platform, especially among our top-tier customers," says
Doug Isom, product marketing manager at CyberSource. "Customers choose to
implement Microsoft Site Server Commerce Edition because it's proven to be
a high-performance, highly scalable and reliable solution. In addition,
it's an easy platform to develop to, it comes with a complete set of tools
and it's designed for ease of integration with value-added services like
those we provide at CyberSource."15
Site Server Commerce Edition has shown tremendous momentum among
e-commerce businesses and top shopping sites. Several surveys from
Netcraft, an independent research organization, show that:
Site Server Commerce Edition powers 70% of commerce server sites in
Shop.org's top 100 shopping sites, while its closest competitor has only
15%.
82% of commerce server sites in Ziff-Davis/Interactive Week's top 500 Web
sites use Site Server Commerce Edition, compared to 8% who use its closest
competitor.
An October 1999 Netcraft survey of sites using SSL (Secure Sockets Layer)
security certificates shows that 73% of sites using commerce servers use
Site Server Commerce Edition to power their e-commerce solutions, while 10%
use its closest competitor.16
These surveys demonstrate that Site Server Commerce Edition is not only
widely adopted, but more of the successful sites using commerce servers
today use Microsoft Site Server Commerce Edition than any other commerce
server.17
Site Server Commerce Edition is a key component of Windows DNA along with
Windows NT and Windows 2000, Microsoft's SQL Server(tm) database, Microsoft
SNA Server and Microsoft Visual Studio. Microsoft Commerce Server 2000 --
the next generation of Site Server Commerce Edition -- will also join the
Windows DNA family when it is released later this year. Commerce Server
2000 is designed to simplify the process of building sophisticated,
customer-centric Internet and extranet selling sites.18
"Site Server Commerce Edition on Windows 2000 is an even better platform
for building e-commerce solutions than Site Server Commerce Edition on
Windows NT 4.0," said Kevin Kenefic, a senior engineer in Compaq's
enterprise solutions and services division. "And when Microsoft comes out
with Commerce Server 2000 later this year, that's going to improve the
picture even more."19
About the Author
Neal Cabage is the lead application engineer for Iconixx in the company's
Santa Monica, Calif., office. He can be reached at ncabage@iconixx.com.
Footnotes
1. British Government Confirms High Security of Microsoft Windows NT 4.0
http://www.microsoft.com/PressPass/features/1999/05-03ntsecure.asp
2. Microsoft Enhances Windows NT-Based Support For Key U.S. Government
Security Standards - Plans to Provide FIPS 140-1-Evaluated Cryptography
and Support For Secure Web Communications Using FORTEZZA
http://www.microsoft.com/PressPass/press/1998/Aug98/FIPSPr.asp
3. Security Services Launch Showcase
http://www.microsoft.com/WINDOWS2000/guide/server/features/securitylaunch.asp
4. Reliability and Fault Tolerance in Windows NT Server
http://www.microsoft.com/NTServer/fileprint/exec/overview/reliability.asp
5. Proving-the-Point: Interviews with Next-Generation Windows 2000 dot.coms
http://www.microsoft.com/windows2000/guide/server/reviews/dotcoms.asp
6. Dell says Windows 2000 is ready to roll
http://www.networkworld.com/news/2000/0216windowsroll.html
7. The Coming Linux Plague
http://www.securityfocus.com/frames/?content=/templates/article.html%3Fid%3D2
8. 15 Seconds, Site Server ListServ
Administrated by 15Seconds: http://www.15Seconds.com
List Archives/Search: http://local.15Seconds.com/search
9. Ibid.
10. Microsoft's Not The Only Security Foul-Up
http://www.zdnet.com/sr/stories/column/0,4712,2457967,00.html
11. Red Hat takes heat over certification
http://www.networkworld.com/news/2000/0313redhatbash.html
12. Professional Site Server 3.0, Wrox Publishing, Page 2.
13. Professional Site Server 3.0 Commerce Edition, Wrox Publishing, Page 2.
14. Performance Gains on Windows 2000, Customer Successes Build Momentum
for Microsoft Site Server Commerce Edition
http://www.microsoft.com/presspass/features/2000/02-15ssce.asp
15. Ibid.
16. Ibid.
17. Ibid.
18. Ibid.
19. Ibid.