Fog Creek Software
Discussion Board




Is Linux more Secure Than Windows?

This topic is a preemptive haven for people whose immediate reaction when asked how to build a reliable Windows server is "Use Linux." Thank you dear. Tell me why here, and use the other topic for talking about what I asked about.

Joel Spolsky
Friday, November 07, 2003

OS-religion issues aside, as someone who worked as a sysadmin for close to 10 years, and works with both Linux and Windows servers on a daily basis, I would say that neither is more secure than the other, "out of the box". No system is secure when first installed. That being said, Linux is more capable of being secured - it's configuration is less opaque and kernel and user space are better segmented from each other. The fact that it comes from a unix design heritage (as opposed to the desktop single-user model that Windows has evolved from) leads to much better system administration tools and practices.

Computer security is really the act of progressively raising the bar to protect the system from compromise. No system can be provabily secure. Under Linux, I can raise the bar higher, making compromise much more difficult, in less time, with less effort, and less cost than under Windows. I can say that Linux is demonstratibly more stable a platform than Windows, and I say this with far, far more Windows admin experience than Linux experience.

Windows is a very, very complex platform to administer - the simple interface masks a great deal of complexity, and creates the illusion of ease of use. Many solutions to system problems don't lend themselves to logical deduction - they are single solution problems that are solved by following Microsoft kb articles. Complexity is the number one opponent to security. With Linux, you can strip the system down, so that it does one thing and one thing only. Under Windows, this is very difficult, if not impossible to do. For this reason alone, Linux is much more securable than Windows.

Wayne Earl
Friday, November 07, 2003

That was an insightful, reasoned, and fair treatment of the two operating systems.

I don't want to see any of that here again ever.

Alyosha`
Friday, November 07, 2003

Topical (CNet):

An unknown intruder attempted to insert a Trojan horse program into the code of the next version of the Linux kernel, stored at a publicly accessible database ... only developers who used that database were affected--and only during a 24-hour period, he added.

http://news.com.com/2100-7355_3-5103670.html?tag=nefd_top

just watching
Friday, November 07, 2003

Insightful?

3 paragraphs of fanboyism without a single fact to back up a word he says?

Insightful on slashdot maybe.

steve
Friday, November 07, 2003

I think you missed the point. My post was to state that in my opinion, Linux is more "securable" (that is: better able to be secured) then Windows, not that it is more "secure" I base my opinion on my own professional experience of administering significant numbers of systems of both OSes. Each type of system has it's place - use the one most appropriate for the particular problem you are facing. Base your decisions on the facts at hand, rather than OS religion.

In Joel's case, if he has to personally admin the system, then Windows is almost always the correct choice, simply because of his level of expertise with the platform. Admin experience is a significant factor in determining the appropriate platform to run the task at hand.

On the other hand, perhaps I was trolled by a Disciple of Bill. Not all zealots read Slashdot or use Linux. :-)

Wayne Earl
Friday, November 07, 2003

just watching - yeah. Makes one wonder

a - if it has ever been done before (if so it hasn't been detected)

b - if something similar has ever been done to Windows (you'll never find out)


Friday, November 07, 2003

Personally, I prefer Linux, but I think that any admin worth their salt will tell you the same thing about security: you have to keep up with patches or your system will be compromised.  The question is: how do you make that maintenance cost low?

Joel: if you want to administer a Linux server without having to mess around with the usual garbage associated with re-compiling and re-installing system services, might I recommend http://www.debian.org/ ?  Debian's update system is automatic, free, reliable, fast, and (if you use the "stable" distribution) designed *specifically* for administrators who don't want to spend a lot of time messing around with running systems.

The caveat is that the system can be quite difficult to install initially, especially if you have esoteric hardware.  However, beyond the initial installation, *no* upgrade (barring the use of new kernel features) should require re-installation or downtime.  I have been using the same installed image continuously for almost 5 years now, and I've twice duplicated the system by copying the drive onto another machine and tweaking a few system settings, then upgrading or installing new packages.

In fact, you can totally automate the installation of security patches.  Debian comes by default configured to install security updates, so if you tell a "stable" machine to "apt-get update && apt-get upgrade" on a nightly basis, it will get any new security updates and install them while you sleep.  (Understandably, you may want to be present to observe this process.  In practice, however, I have never seen a security update fail.)

Glyph Lefkowitz
Friday, November 07, 2003

Cool, a Joel-Troll! Now I've seen everything!

When answering the question "(why) is Linux more secure than Windows?" you will have to define what Windows is, and what Linux is.

These systems are in a constant flow of change and highly configurable, and it only takes 1 "insecurity" to make the system as a whole vulnerable, so when you finally finish defining what you mean by "Windows" and by "Linux" and ask the "why..?", you will get answers that will include new vulnerabilities and new patches that emerged after your definition was completed.

So the short answer to "(why) is Linux more secure than Linux" is:
Don't ask! Nobody will actually tell you why, but you will still get a million answers, and the most usable answer will probably be: Don't ask!

Martin A. Boegelund
Friday, November 07, 2003

Probably depends on the software you are trying to deploy.
If the software is backed by simple 90s stack (webserver<->major language<->database<->os) then I suppose going with you are competent with.

If it takes you N hours to figure out how to get Perl to filter out malicious sql text out of dynamically created insert strings. But it takes you 15 minutes to figure the same thing out in VB.Net.. it's no competition. Why N hours? It probably takes the same 15 minutes to translate the regex, but can you determine for sure the behavior of your Perl's regex in the face of other (like ones that forces your regex engine to hang itself parsing forever) attacks? Which regex engines do you know best? Maybe you happen to know vbscript's regexp engine inside and out and happen to know how to work around the issues better than you know Perl's. It works the same the other way around.

Know BCP and DMO is blazing fast for exports? How do you do that with Postgres? Love Apache's mod_rewrite? How do you do that properly with asp.net and IIS6? An admirer of OpenBSD's security audits but uses windows? Can you find someone to make time to read a good book on ISA Server/Checkpoint and a good book on Windows Internals? Are you ready to dig into registry and reorder TDI drivers?

So in my opinion, It really depends on where your competence rest. And what problem you are trying to solve. You mix that with the project limitations and you should get something figured out.

I think some of us here are too quick to make fun of Wayne.

Li-fan Chen
Friday, November 07, 2003

Look, userland and kernel are different. If everybody was to count the number of problems on anything that ran windows, that would be different. Remember, linux is just a kernel, most problems they are counting are in the userland, should I count one for windows if I make a c program that uses strcpy for input and I can overflow the stack?

Anyway, anybody can quote numbers until the cows come home. Use whatever you are happy with.m

fw
Friday, November 07, 2003

"No system is secure when first installed."

Secue as in 100% secure is an unobtainable dream, but some default installs are more secure than others. For that very reason I've chosen OpenBSD to power my server. That the install isa breeze and comes with almost everything I need AND nothing more than that (no, not 1005 pointless image viewers, not 567 text editors, not 382 window managers, and not 47 implementations of ping) is a huge plus as far as I'm concerned. Less is truely more in my case.

essentially, if you need a server and aren't going to limit yourself to MS-only products - do yourself a favour and have a look at the BSDs and not only Linux.

Lennart Fridén
Friday, November 07, 2003

I'm thinking about this transaction log shipping thing.  I don't care how much you patch.  You are crazy if you open 1433 toward the internet.  You're just asking for trouble.

Three words.

VPN, VPN, VPN...

christopher baus (www.baus.net)
Friday, November 07, 2003

Just a note about Debian security updates:

Glyph, you say you can totally automate security updates. Somehow it's true, BUT I don't think it's a very wise thing to do. Sometimes you have to restart some service linking to an updated library, or you have to check something. Anyone using Debian security updates should read the DSAs (Debian Security Advisories) before upgrading, for at least two reasons:

1) You could find valuable information about the upgrade, as things to do before/after it. I admit that most of the times you have to do nothing, but anyway...

2) Reading security advisories makes you learn about your system. And that is good (at least, from a security point of view).

A random Debian Developer,

Esteban Manchado Velázquez
Friday, November 07, 2003

I would also suggest Debian (or any other Linux distribution with frequent security updates) if you wanted a (Linux) system that is easy to keep update. With Debian, the announced security holes are fixed typically in a few (usually 1) day after the patch is available. The patches for the programs are also published very quickly (say usually in 24 hours after the discovery of teh bug) by the developers. This means that on the avarage you'll have a patch in 2-4 days after a bug has been announced.

Now copmare that with windows: 2-3 SP/year? The installation is also quite easy with Debian - two commands issued on the command line. Now compare that with windows: you download the patch for a certain application for the website of the vendor(*) using a browser, then you click on the icon, then a GUI starts, then you click 'Next>>' a few times, and in the end you most probably have to restart (or not).

(*): Let's don't forget, that when we refer to Linux, we usually mean a distribution, which contains all the software you need to run a server (if you are luck enough - Debian has more that 9000 software packages). At the same time, you have to acquire the needed applcations separately for windows, which means that probably you also have to look for the patches at different websites.

Laszlo Marai
Friday, November 07, 2003

Oh, and one more thing - I don't want to convince you about using Debian, or linux, where I was trying to get at is that you might have had a hard time with linux, because you didn't use the right tool/distribution and yopu shouldn't judge based on those experiences.

Laszlo Marai
Friday, November 07, 2003

Laszlo, I'd recommend you not speak of that which you don't understand.

Windows hotfixes come out every few weeks. Security hotfixes are generally available within a week of the announcement of the vulnerability, and *obtaining* and installing a hotfix for Windows is five mouse clicks (I just counted - did an update while typing).

As for automatic update services, I'd have to seriously question a sysadmin who allowed automatic updates on their server.

Philo

Philo
Friday, November 07, 2003

I've just been updating the laptop, as holiday time is coming up again.

I went to Office updates. To download the MSDE security patch I first of all have to go from Windows update to Office update, then install everything else, reboot, and then go to Windows Update and Office update as well. I then get click a couple of times, and click on a button called install. After half an hour I check to find that the button called install has taken me to a page which tells me I'm on the wrong MS site and has a link to another SQL page. There are various links on that page and I click on the likely one. A few minutes later I check progress to see that the link has sent me to an error message. I go back, down the page, and start to install the full SQL .exe. I then go back, and read more carefully; for the fun of it I click on the link I got the error message on before and this time it takes me to the right page. I abort the other installation and click on the other link which then starts the 11MB download, which it appears doesn't actually check if you have anything that needs patching until you have downloaded the same patch.

Yep, just like you Philo, I install MS security patches while typing. This no doubt explains why both of us have hundreds more posts than most other frequent posters :)

Stephen Jones
Friday, November 07, 2003

>Security hotfixes are generally available within a week of the announcement of the vulnerability, and *obtaining* and installing a hotfix for Windows is five mouse clicks (I just counted - did an update while typing).

One week? and you find this acceptable? To be vunerable for a week?

fw
Friday, November 07, 2003

vulnerable even

fw
Friday, November 07, 2003

Security is a topic where there are no saints.

Look at the OpenSSH exploits for example: this is open source, and a lot of the developers and architects are crypto-weenies, and *still* we have new exploits, and "do not use *any* version older than...." warnings.

So, my claim here is more in the nature of an anti-claim: we cannot establish who's the "most secure" by using a has-no-security bugs criteria. We also cannot establish it by using the severity of bugs.

Portabella
Friday, November 07, 2003

"Now copmare that with windows: 2-3 SP/year?"

Obviously not a Windows admin.  Wednesday is patch day at Microsoft, and there are new "critical" security patches to apply every week, along with many others.

If you are maintaining more than one or two computers, this gets old very fast, especially since every patch needs to be researched and tested to make sure it doesn't break mission-critical software x.  Realistically, once a week is about as much as anyone can keep up with.

Being vulnerable for a week is not the end of the world - and applying a patch that's going to break things is much worse.  Historically, most attacks come months after the original patch is released, so if you can keep up to the patch schedule your risk is low enough.

The real question is not how many SPs and/or patches are released per year, but how many vulnerabilities are discovered per year.

Bah Humbug
Friday, November 07, 2003

Joel, what about your current development/production environment - Microsoft software not run on Lx: no VB, MySQL, IIS, etc. Is your staff know Linux shell and development tools?

Linux default installation is not* secure. Your system administrator can create very secure Linux.

Evgeny Gesin /Javadesk/
Friday, November 07, 2003

> Linux default installation is not* secure.

Of which distribution?

Mandrake now (since 9.1 at least) has security options for installation. Choose "Paranoid", and (whilst humming the  Black Sabbath tune) install away. RedHat has the same.

Or try Trustix.

Portabella
Friday, November 07, 2003

Dell has no interest in taking sides in the OS wars. In fact, they are probably more tied to MS than any other OEM. They're very faithful--they have rarely dealt with a non-MS OS (partially because, unlike HP, Compaq, and IBM, they don't have their own in-house OS) and they have not jumped onto the Linux bandwagon nearly as loudly as others. They're also very monogomous; note that they're the only major OEM that has *never* shipped an AMD system. (Up until last time I checked; don't know if they're doing or will do any Opteron stuff.) They aren't interested in making a point about OS superiority, they just want to make as much as they can from whatever product they sell. So why do you suppose they charge $149 to host a site on Windows and only $129 for a similar site on Linux?
http://www.dellhost.com/dhproduct/overview.aspx?segment=dedicated&category=web&sku=d2800
Why would they offer yet another platform to maintain at a *lower* cost? Can't be feaures--the Linux site comes with MySQL and the MS one doesn't have any database at all, not even Access.** Hmm... *scratches head*

** and don't go on about MS-SQL vs. MySQL; I think we can all agree that any database (even the lowly MySQL, which powers Slashdot's ~2 million hits/day) is better than no database at all.

brian
Friday, November 07, 2003

>we cannot establish who's the "most secure" by using a has-no-security bugs criteria. We also cannot establish it by using the severity of bugs.

Really? We can't agree that there's a difference between the script-kiddie-launched, self-replicating, network-overflowing MS mail/web/sql virus du jour and an obscure SSH flaw that has to be manually exploited on a per-machine basis?

Eh, no reason to, I guess. Bill Gates thinks security is not an OS's responsibility; instead, users (who don't know the difference between a real error message and a web page designed to look like one) should set up and properly configure firewalls, as well as regularly install multi-MB patches over a dialup line.
http://www.itbusiness.ca/index.asp?theaction=61&sid=53897

Of course, he forgets to mention that sometimes one patch breaks another, thus adding another layer of difficulty to the question of whom do you trust and when...
http://www.siliconvalley.com/mld/siliconvalley/business/columnists/gmsv/5049501.htm?template=contentModules/printstory.jsp
But I'm sure they've got that all worked out now. MS would never make the same mistake twice. Oh, wait...
http://www.theregister.co.uk/content/6/33814.html

brian
Friday, November 07, 2003

My experience is that Linux is more securable than windows.

1. Buy "Real World Linux Security".  The only reference you need to lock Linux up tight.  Unfortunately most distros (I'm certain of RH 7 thru 8) deliver X with tcp port 6000 open.  Although there may be no known holes in XFree at the moment, X is too huge (and I consider myself rather knowledgeable about X's low level and internals) to be certain that leaving the tcp port open is a good idea.  Its not, and should be disabled - especially when you're on the road, connecting to non-firewall protected networks.

2. The heart of Unix security and Win32 security exists in the fact that kernel space can only be accessed by root or administrator authorization.  Unix, out of the box, provides a well defined multiuser environment which provides a well defined context with respect to who can install device drivers, who can change permissions, and who has access to what. 

The FUNDAMENTAL problem with Windows security is that users are accustomed to running administrator privs 100% of the time.  This is a "usability enhancement" which allows users to install any/all programs without performnig the pesky task of swithing from "my account" to admin, over and over, when you want to install software.

Additionally, installing any software, not just user mode software becomes a priv'd task in Windows.  Correct me if I'm wrong (for I'm no Win32 expert), but would not a user mode application install have full access to the registry, able to wipe it clean if the app were malicious or poorly designed?  Why RealPlayer and Quicktime can "steal" the file associations at will? 

The Unix analogy is the /etc/ directory (much maligned by Windows devs/users).  However, in Unix, /etc/ is fully protected from access by non-root access (which is all users 99% of the time - it takes a deliberate move to make yourself root).  So no matter how malicous or poorly designed the program, if the OS integrity is intact, then no user mode application can corrupt /etc/.  System setting remain consistent, and can only be changed by root.

3. There appears only one place for programs to be installed in Windows: the "/Program Files" directory.    Out of the box, windows XP gives you only 2 options:  the user is admin (can do everything, all the time), or the user is a moron (cannont install anything at any time).  There is no differentiation between a user installing a pure user mode application and a device driver  No matter how malicious the intent of a user mode app, if the OS is secure and intact, the user mode app can only affect the user that installed the program and the file which he has access to.  Not so when you are admin, you can easily and unknowingly destory the entire system.  While Win32 maintains a very robust kernel and chacl capability, the security is almost universally overridden by the default installation of assining all users as admin.  And this because the usability of windows has not followed the same clean design as the kernel was given.

4. On a corporate network, Windows is hardly remotely adminstratable.  That is, for an admin to maintain blocks of machines, all amdin tasks must be made through GUI manipulation.  While theoretically possible, it is practically not feasible, to remotely admin windows boxes. You know the windows admin, because he carries CD's and floppies around from desk to desk, installing or upgrading software.  The Unix admin maintains cron jobs on his users' computers which poll for updates and install when necessary.  A practice which has been useful and honed over decades of use.  Yes, windows can be maintained by remote GUI desktops - but again, it goes one at a time.

Of all these, the fundamental problem of Windows security is that all users run as admin all of the time.  That is the worst and most exploited of all Windows security sins.

nat ersoz
Friday, November 07, 2003

>> Linux default installation is not* secure.
>
>Of which distribution?
>Mandrake now (since 9.1 at least) has security options for installation.
>Choose "Paranoid", and (whilst humming the  Black Sabbath tune)
>install away. RedHat has the same.

Ok, default installation of RedHat gives some basic firewall rules: close* all ports, open some* ports, open all* ports.

But that is not enough!

I'd like to address you to excellent book "Building Secure Servers With Linux" by Michael D. Bauer. It worsts money!

Evgeny Gesin /Javadesk/
Friday, November 07, 2003

Actual counts of security issues and the severity of each issue is my empricial basis for stating that one system is more secure than another. I believe this is the only rationale that will convince you that system ____ is more secure than Windows.

How many security updates have you had to install on your Windows servers vs. how many updates do you have to install on other OSes?

The answer is probably the only one that is free of religious arguments and personal preferences.

Our experience is this: we have two server plaforms in our company that are similar to your situation; SQLServer on Windows 2000 Server and MySQL on Mac OS X Server.

Our findings based on my fundamental premise: MySQL on Mac OS X Server is more secure than SQLServer on Windows 2000 Server.

We also use MySQL replication and it works very well.

(An aside: this reflects our usage of FogBugz. We host the database on MySQL on Mac OS X, while we host the frontend on Windows. We delayed our FogBugz purchase for at least 6 months, because of the reliance of Windows/IIS as the host for FogBugz. This was based on the security issues and problems we had with another application that was (and sadly is) completely tied to Windows Server/IIS and SQLServer.)

Willie Abrams
Friday, November 07, 2003

Port      State      Service
22/tcp    open        ssh                   
139/tcp    open        netbios-ssn           
6000/tcp  open        X11                   

FYI: A typical Redhat 8.0 distro after a default install, with no hardening.

Note: not all ports are open, only the ones which were opted for (mostly).  This box should be hardened, if running in "the wild", by turning off X11's TCP connection (flag -nolisten tcp).  The netbios port was intentionally turned on (samba to allow for SMB sharing),but should also be turned off when running in the open.  SSH is the only exposed port which should be allowed open when running outside a firewall.

Other services can be enabled, FTP server, HTTP server, etc.  But the install and config should be specific to a server dedicated to that purpose.

nat ersoz
Friday, November 07, 2003

To preface my comment, I should say that I don't really have much technical knowledge of security issues in Linux and Windows.  I do my desktop computing on Windows boxes.

It seems to me that at least part of the question over which OS is more secure is unrelated to how secure or securable each OS is. 

There are many more Windows systems out there than there are Linux systems.

It seems to be the case that more hackers write viruses/worms/etc. to attack Windows systems than to attack Linux systems. 

I don't know whether this is because there are many more Windows systems (and so more havoc for the hacker to wreak) or because the Windows systems are made by Microsoft (and more hackers are MS haters).  In the end, though, I don't even think the reason matters.

Even if Windows is slightly more secure or securable (on a technical level) than Linux, the number of hackers writing exploits of Windows security weaknesses makes me think I'd be more secure on Linux.  Hackers devote more resources to hacing Windows.  I'd rather be on a different system (even if slightly less secure) where there isn't as much efforts being devoted to hacking my system.

If Linux is as secure/securable or more secure/securable than Windows, that simply tilts the decision even more in favor of Linux.

And yes, I do realize that there are plenty of hackers trying to exploit Linux, too.  But I very much doubt that their efforts amount to even a small fraction of the efforts being devoted to hacking Windows.

Herbert Sitz
Friday, November 07, 2003

> We can't agree that there's a difference between the script-kiddie-launched, self-replicating, network-overflowing MS mail/web/sql virus du jour and an obscure SSH flaw that has to be manually exploited on a per-machine basis?

I didn't mean that there were no differences at all, security-wise... and I agree with a previous poster that a security bug *count* is probably the best way of establishing the differences. Since security is a hot topic, though, there will be all kinds of political arguments over the proper way to count :)

I do think your example is a bit specious. What's stopping someone from automating the SSH flaw and distributing it to script kiddies? If the difference is only "that someone hasn't done that yet", then the claim of better security is on pretty shaky ground.

Portabella
Friday, November 07, 2003

I think you should divide the question into three:
1. What do I need for a dev machine on the intranet ?
2. What should I use for an intranet server?
3. What should I use for an internet server ?

And the answers are:
1. whichever OS you like, but update it centrally from time to time and *don't* let anyone from within your intranet computers use internet access (this is not a joke, look at what happened to valve. you can, however, use linux user mode from within such a machine: http://www.gentoo.org/doc/en/uml.xml )

2. This is a tough call, using windows server in an intranet is pretty nice and fluent as long as you don't try the wacky stuff (workgroup + domains + IIS + apache + MS directory + other file sharing techniques), installing linux requires knowledge but read point 3 and you'll see linux is your only option anyway...

3. As far as I can tell using linux should be the best option for an internet server. I mean a server which supports a decent web server (apache), a nice DB (oracle, mysql etc.) , perl etc. and has a firewall. Bill gates latest "we don't supply firewalls, for that you will need to buy a firewall software" remark is bad, it is bad because it shows the utter lack of understanding of the nature of a hack. first and foremost - kernels are hacked, not higher layers of software. if the kernel is secure (see "good netfilter/iptables config" pseudo entry in any FAQ) the OS is secure as well. True, from time to time a "cultural hack" is found, like the I love you letter but most of the time the high level hacks, the ones which do actual damage are kernel level hacks (offcourse you can always argue that by not securing the kernel this becomes a user land problem but that would require all different apps to try and stop the same malicious source, which is stupid). So, linux (or other open source maintained distributions like OpenBSD) is the way to go, it has plenty of virtues (open source, good community, fast response, good track record, don't undermine the user).

But then again, remmember that using linux requires LOTS of hours learning, tweaking and understanding what you are doing while with windows its all point and click (you can never know what this point and clicks end you up with, but thats good old MS)

S.Kedem
Friday, November 07, 2003

OpenBSD, baby.

Screw Linux.

Clutch Cargo
Friday, November 07, 2003

Security is a PROCESS, not a PRODUCT.

Any system is only as secure as the admin.

There is nothing in Linux that makes it inherently better (or inherently worse) than Windows.

I think the only OS that can be called "inherently more secure" is OpenBSD, and it accomplishes that by sacrificing a lot of functionality, which diminishes the surface of attack.

Myron A. Semack
Friday, November 07, 2003

nat,

"The heart of Unix security and Win32 security exists in the fact that kernel space can only be accessed by root or administrator authorization."

Gotta call bullshit here.  A user-mode process under Windows can't touch kernel memory, even if it is running as Administrator.  Using the SYSTEM accounts, it's possible.  But you can't log in as SYSTEM.

"Correct me if I'm wrong (for I'm no Win32 expert), but would not a user mode application install have full access to the registry"

The registry has security controls on it, just like the filesystem.  Regular users can not arbitrarily write to random parts of the registry.

Now, to install an application that has sytem-wide effects, you do have to run it as administrator (no different than Linux).  And you don't even have to log out to do it.  You can simply use RunAs, which works like sudo does under Linux.

"the fundamental problem of Windows security is that all users run as admin all of the time."

No, they don't.  Not in any kind of corporate environment, anyway.  Active Directly has a very powerful approach to security, which is considerably more granular than the simple UGO setup that *nixes offer.

In a home environment, most user's run as administrator, and rightly so.  It's their computer, and they can do whatever they want.

On a Linux system, you shouldn't be logged in as root 24/7 because one typo can bring a system crashing to a halt.  However, Windows Administrator is NOT the same as Linux root.

Now one suggestion that's been made over and over again is "Why not keep user accounts running as regular users, and have it ask for the admin password when they want to do something like install software?".  OSX does something similar.

The problem with this approach is that it gets users comfortable with the idea of entering their Administrator password whenever something asks for it.  It's only a matter of time beofre someone makes an application that looks just like the "Enter Admin Password" dialog, and then you'd have a whole new class of security breaches.

"There appears only one place for programs to be installed in Windows: the "/Program Files" directory.  "

Not true.  Applications can be installed anywhere.  It's just very convenient to keep them all in one place.  It's no differen than the /bin and /usr/bin directories in Unix. 

"On a corporate network, Windows is hardly remotely adminstratable."

Again, wrong.  There are tools like SMS and SUS for remote administration.  You can use GPO's to manage the registry of client machines (inlcuding grabbing updates from a network).  If you want something more sophisticated, there are tools like Altiris.

Also, Windows is fully scriptable, just like Unix.  The Windows Scripting Host is a very powerful tool.  Coupled with the Task Scheduler (equivalent of cron), you have all the same automation tools available to a Unix admin.

Myron A. Semack
Friday, November 07, 2003

I don't think that 'more secure' is even a question you can answer.  I use linux,  I use it on my two desktops and my router / webserver etc.  For me,  there's no question that it's the most secure option available.  Windows is not an option. 

*but*  This is *only* because:

1) I've used linux for a long time and am familiar with updating and hardening it.
2) I've not really used windows in a 'hostile' environment.

Web forums aren't really going to answer the question, there's the odd whackjob who equates linux and mozilla with the apocalypse (see most linux posts here, there's always someone).  Then there's the other extreme who call all windows users idiots (see everything ever written on slashdot).

Personally,  I think linux is an excellent server platform that will continue to eat UNIX's lunch and continue to threaten Windows' dominance.  But I take a long term view, and I realise that it's all a matter of personal preference.

Having said all that,  microsoft's shoddy client software has ruined email, I'm sick to death of those damned 400k virus attachments filling up my mailbox.  That doesn't fill me with confidence in IIS, SQL Server 2k and co.

Michael Koziarski
Saturday, November 08, 2003

You're right on most tnings in your last post Myron, but I would take issue with you over the virtues of Windows scripting language. There is nothing comparable in Windows to the flexibiltiy of the command line in Unix; by combining commands you can do pretty well everything, and there are more than thirty years of collected commands to play with.

Stephen Jones
Saturday, November 08, 2003

Have you actually used WSH?  It's downright amazing.  It's not just a glorified batch file (ala Unix shells).  WSH gives you an amazing amount of flexibility.

Check out: http://cwashington.netreach.net/ and look at the automated stuff that's possible.

Before I discovered WSH, I though there was no real scripting solution for Windows (without a third party).  Boy was I wrong.

Myron A. Semack
Saturday, November 08, 2003

As someone who's used Unix shells extensively, my perspective is that the most important thing about the shell is that it's

1. standard
2. bullet-proof

It's *not* very high-level, but "glorified batch file" is manifestly wrong.

If the shell isn't sufficient you can always use Perl or Python (or other languages) and generally the API integration is very good.

Interestingly, the Linux developers resist, tooth-and-nail, attempts to move to a higher-level language like Python. Wisdom or stupidity?

I've only dabbled in WSH, but I must ask why Microsoft is coming up with *yet another shell* in the Longhorn push. Clearly *they* see some inadequacy, real or perceived.

Portabella
Saturday, November 08, 2003

WSH lets you use VB script or Jscript. Both are great and I've seen whole applications written in Jscript, but I think you have little idea about how powerful Unix shell commands are.

It's not just that there are hundreds of pages of them; it's the fact that you can combine them to pretty well do anything you want. They represent thirty years of experience doing things with Unix systems. VB sript and Jscript were not written with sysadmins in mind.

Stephen Jones
Saturday, November 08, 2003

Portabella,

UNIX programmers refuse to move to higher level languages because of stubbornness.  As a UNIX programmer who avoids python at all costs myself, I can sympathize.  Some of this is because you have a lot of very experienced programmers with a massive investment in C.  I don't have this same massive investment of ten to twenty years, but I have to confess that I keep making a heavier investment because I haven't found anything that offers me as much capability or flexibility.

The religious flame war about system security is kind of funny to watch though.  I've gotta side with the folks that say security depends on the quality of the admin.  Even my favorite server OS, OpenBSD, can get hacked from time to time.  Keeping it secure requires keeping the system up to date and watching what's going on, just like any other system.

Clay Dowling
Saturday, November 08, 2003

"Gotta call bullshit here.  A user-mode process under Windows can't touch kernel memory, even if it is running as Administrator.  Using the SYSTEM accounts, it's possible.  But you can't log in as SYSTEM."

OK, perhaps I simplified ever so slightly.  A user running as admin can install a device driver, and then access whatever they like through a user mode app which accesses the newly installed driver.

The bottom line is that a user with admin privs can access kernel memory.  Done.  Same in linux, same in windows.

Admin privs are compromised  when users run as admin as a matter of fact.

nat ersoz
Sunday, November 09, 2003

Joel, in regard to your comment about two clicks to securing the Windows system: in many Linux distributions (such as Debian or Mandrake), you can automatically install updates
from the command line, (or even from a graphical utility).

While you still have to wait for the update to become available, it is usually shorter than the Windows update becomes available. With Windows, you always rely on Microsoft to provide the update, while on Linux you have a choice to circumvent the vendor, and install the package from the source before it is available from the vendor.

Shlomi Fish
Sunday, November 09, 2003

I'm not quite with you on this Nat.

To the best of my knowledge you are dealing with a ring system. Kernel mode is ring 0 and user mode is ring 3.

Now some drivers, video drivers, for example, have to access the kernel, so I suppose it would be theoretically possible for a virus to install a device driver which then accesses the kernel. As all it could probably do would to to blue screen the machine I don't see the point. There is much more harm it can do in rewriting the registry or the file system or whatever.

Running in user mode, or using the compatibility template if absolutely necessary, would stop some viruses from installing, but as has been said, in a corporate network everybody is normally running as a user with limited rights.

You certainly shouldn't run as Administrator with a DSL or cable connection - Ah, if only I could get one how gratefully I would downgrade myself to mere user!

Stephen Jones
Sunday, November 09, 2003

Stephen,

Even though a device driver may not access the kernel, there is nothing to prevent a driver from accessing the kernel.

If I am a virus writer, and you are a user without admin privs, the worst I should be able to do is infect/delete the files which you have access to.

If however, you're running as admin, I can install a simple device driver which allows me to map any physical page, read/write any device, and delete any file. 

As an added bonus, I won't show up in the process list when a user hits Ctrl-AltDel for the Taskman.

nat ersoz
Sunday, November 09, 2003

Not sure it's that clear. You can probably delete any file without touching the kernel, since admin normally owns the whole machine.

To do this in kernel mode you would presumably have to write an alternative I/O driver - a bit of a sledgehammer to crack a nut. And there's still the question of Windows File Protection.

Bear in mind that we are talking about home and SOHO machines here; anything in a company will be on a domain and running in user mode.

If you run as a user all your important files are going to be owned by that user, so a program could overwrite them anyway I would have thought.

Stephen Jones
Sunday, November 09, 2003

> UNIX programmers refuse to move to higher level languages because of stubbornness. 

That I  can believe.....

> I have to confess that I keep making a heavier investment because I haven't found anything that offers me as much capability or flexibility.

... but this I can't.

Bourne shell lacks both structures and arrays. Stuff I can do in 2 seconds in any high-level development language is tedious and difficult in shell.

I think shell is used with a kind of "less is more" attitude.

Portabella
Sunday, November 09, 2003

I think any arguments against the BASH have to be weighted down due to the ubiquitous availability of much more robust alternatives such as Perl from the Linux command line. 

Certainly, BASH is a stripped down language for automating common tasks, but that is what it was designed for. You can hardly fault sed for not allowing access to the networking stack.

BASH is about running small, linkable applications to get specific tasks done. Perl is much more intelligent and moving from BASH to Perl has a learning curve of less than an hour.  And Perl makes any scripting language commonly available on Windows appear laughable.

Dustin Alexander
Monday, November 10, 2003

Two things:

1. I like Perl. I have made a lot of money with Perl over the years. Perl on Unix, in the hands of a guru, is a very powerful tool indeed. I have been on (and led) project teams that built enterprise server applications in Perl. Even Perl on Windows is pretty much stable these days.

But every time I release Perl code to production, it scares the hell out of me (because Perl syntax is so abstruse that it's hard to know what remaining bugs may lurk). And although it's nice to be able to use Perl on Windows to drive COM objects, I confess that I usually prototype my Automation scripts in VBScript, and then port them to Perl once they're working. It's quicker that way.

2. "Is Linux more secure than Windows?" is a nonsensical question. Windows does a lot of things that Linux doesn't try to do (ACLs, for example), and if you need those features, there's no contest.

Beyond that, security on either system is obviously only as good as your patching habits.

Jeff Carroll
Tuesday, November 11, 2003

I agree with jeff, admittedly most of my experience is in configuring linux(this carefully drings me round to my point):
I had very little difficulty configuring the gateway in my flat to be fairly secure.  But then i'm *used* to linux, i use linux at uni, and i use it at home.
On the other hand in windows i would merely have had to click share connection and enable firewall and i'd have a moderately secure set up. 

We could argue the neither setup is very secure (i'm not a network guru)... I *feel* that my linux setup is more secure than a standard windows setup, but the reverse would probably be true of an experienced windows user...

I see most arguments of linux vs windows as being pointless (eg. those immediately after blaster, et al) with hoards of linux evangelists using it as an example of poor windows security, even though MS had a patch out before the incident... 

We also see people talking about how much the MS patches have to fix, but this is merely because a) it can find everything that needs to be fixed, all at once, and b) many require reboots, and most people would probably not enjoy multiple reboots.  Meanwhile in this time there have been a dozen updates to a dozen different programs in a generic linux system.

By default neither system is anymore or less secure, they each different approaches to security, which leads them open to different problems.

Oh, and Windows or more popular, and thus a more "profitable" target for any hackers/script kiddies out there.

--Oliver

Oliver Hunt
Wednesday, November 12, 2003

Come on people, haven't we learned by now that the least "secure" OS is the one with the latest hack or virus headline.  You can have ports off, and kernels patched and users rights allowing them to do nothing but run text editors, and still someone will find a way to do something they shouldn't be doing.

I have to wholeheartedly agree with those posting about security being in the hands of the admin.  It just doesn't matter what OS you've got.  If the administrator is on-the-ball, you're OS is as secure as it can be...
...until the next hack or virus comes out, that is.

Security is an ever moving target, and no operating system is secure if the OS hasn't been patched properly, or if passwords aren't protected properly.

Which is easiest to patch?  Depends on which OS the admin is familiar with, doesn't it?  If the admin is comfortable with the steps to patch the OS then it's easy to maintain.

As for what users can access in their OS, it again falls in the hands of the admin.  Admins can control this to very specific rights in just about any OS I'm aware of.

Trevor B
Saturday, November 15, 2003

When comparing Linux with Windows as a secure server, you shouldn't use a desktop distribution of Linux such as Mandrake or RedHat as the point of comparison on the Linux side. (At least, not the default install of them...)

The more secure of Linux and Windows would have to be Linux, hands down - if you've chosen an appropriate distribution of Linux, and haven't decided to install every single available software package. A base installation of Debian, for example, simple won't contain X or the numerous security-hole-prone services that are installed by default in Windows and the "recommended" installations of some of the desktop distributions of Linux.

If you want a really secure system, you're probably best off selecting either OpenBSD or one of the Linux distributions that are working on security above all other considerations.

Of course, if you've got expertise with Windows and don't know (or want to know) how to do things the UNIX way, then you might be better off sticking with Windows. At least until they start renting software out instead of selling it...

Keith
Sunday, November 16, 2003

security issues affect all, at one point more for one than other ..
careful configuration and regular update and monitoring helps as seen in Openhack challenge.
http://www.eweek.com/article2/0,4149,741388,00.asp
Surprisingly Microsoft was not compromised once, Oracle and Sun were hit.

The Openhack III was successfully protected by Argus pitbull, even after hackers gaining root access. The same concept is now part of Windows 2003 and XP Professional under Software permissions policy. Once enabled, just being administrator is not sufficient to execute any program. the code needs to provide evidence of its source, either particular path, registry key, signature, etc. 

Kunal
Tuesday, November 25, 2003

I don't know about the real security of Windows vs Linux.

What I do know is that I do not like to put trust in a single vendor. If you buy Windows, whatever version, you put your trust in a huge corporation, with internal conflicts and decisions taken for political reasons, or to please stockholders, instead of for technical reasons. And yes, I'm working for a quite large (high-tech) corporation, smaller than Microsoft.

Yes, Linux (and some of the other free *NIX dialects) are also developed by big groups of people. But there is insight into the process, there is peer-review, and you can study the code (as if I would) if you want to. And the development of the Linux kernel is not done for profit, nor driven by stockholder expectations. And I trust Linus Torvalds, and the people he's chosen.

That is why I'm not running anything under Windows at home. I'm not a Linux guru, but using the documentation available, and the wonderful Gentoo  http://www.gentoo.org  distribution, I can keep my system (on 24/7, on ADSL) up and running and at least fairly secure. I upgrade regularly (using only "emerge sync" and "emerge system" or "emerge world" every other day, or if there's a patch that needs installing). And I'm not paying any Windows taxes while doing so.

Magnus
Wednesday, December 03, 2003

"Last time a flaw was discovered in Windows, it took me two clicks to patch it."

Come on! Even Windows Update patches require more than two clicks, and then they usually require a reboot.

"Last time a flaw was discovered in SSH, it took me four hours of compiling and messing around to patch it."

Is this a delayed message from 1996? Most of the mainstream distributions have had automatic updates for years. Last time a flaw was discovered in openssh, Red Hat Network carried a fix and up2date had it patched within minutes of me ticking the box.

I suppose you might have used a source distribution of openssh, but one would have to wonder why if you don't apparently have the confidence (or possibly skills) to administer such things.

The Badger
Wednesday, December 10, 2003

It does not take four hours of messing around with source to patch an SSH vulnerability. Under Debian, a simple apt-get update; apt-get upgrade ssh will suffice. Similar solutions exist for other distributions.

Jonathan Pearce
Tuesday, December 16, 2003

*  Recent Topics

*  Fog Creek Home