Is The Windows Server Environment More Secure Than Linux?

[Chris]

Which server environment is more secure? Windows or Linux? This question has been debated to the nth degree at the various computer forums, blogs, and numerous other places.

A study conducted by Security Innovation may give a more definitive answer, although it will probably just re-ignite the old arguments. In an extensive white paper, the Security Innovation team compared, amongst other things, the number of vulnerabilities each server environment faced. The study also compared the amount of time a security risk remained a risk to the server setup in question.

This was done in order to determine which environment was most at risk. In order to present solid findings, the team tested their data under the different installation configurations available. The white paper offers cumulative results and they may surprise some readers.

See the article for some of SI's findings

Among other things, the study concludes:

"On balance, as security practitioners, we know that both the Red Hat and Microsoft solutions can be used to provide a secure solution when deployed and administered with the right skills and under the right policy. Based upon both counts/lifecycles of bugs and the absence/presence of qualitative drivers of security, it appears that Microsoft may have an edge in many environments.

Put another way, looking at the software security factors that each vendor has the ability to directly affect - software security quality and security response - the data shows that a web server workload built using Windows Server 2003 has fewer security vulnerabilities requiring customer mitigation or patching than a similar workload built on Red Hat Enterprise Linux."

Microsoft potentially safer than Linux? The reaction should be quite interesting.

PS: Security Innovation runs IIS 5.0

Read the white paper

[mushroom]

FUD to the n'th degree

Microsoft vs Linux Reports - Sheer Waste Of Time? http://www.cxotoday.com/cxo/jsp/arti...033&cat_id=908
Linux Swiss Cheese? Not Likely... http://linuxblog.sytes.net/index.php...Likely....html

And how do you compute avarages when not all the vulnabilities are not fixed

Quote:

Currently, 6 out of 45 Secunia advisories, is marked as "Unpatched" in the Secunia database.

http://secunia.com/product/1174/

[redcircle]

I hate it when they refer to Red Hat as Linux. That is just one distribution. That would be like sayin Mac's are more reliable than PC's because you compare a Mac to an Emachine.

[mikmik]

Red Hat is a Linux distro! They said 'a comparable Linux distro' and then named Red Hat 4.

What could possible be wrong with that? Touchy, touchy, the fact that some Linux people are so defensive, suspicious, and paranoid does little to add credibility to the Linux community, and by association, Linux OSes.

Also, good point about the unpatched stuff, but they are all not critical, 2 out of 5 on that scale. Pretty minor. And having a patch, and having it installed are two different animals entirely.

A better indication would be how many systems in use are patched up.

The proof is in the pudding, there is no mass exodus to one OS or the other, and peoples careers depend on these choices. If one was so much better than the other, well, wouldn't the sys and net admins with their heads on the line use it??



One more (an article about getting rid of windows)ExtremeTech:

Quote:

Recent articles have pointed to Linux distributions including Mandrake, Red Hat, and Gentoo, whose default settings leave them vulnerable to what's called a fork-bomb attack. This is a type of denial-of-service attack that can overwhelm a system by rapidly launching more processes than the OS can manage, effectively bringing the system to its knees. Default settings on Debian-based distributions like Xandros OCE do not leave them vulnerable. For the Mac, severe security issues are fairly rare, but there have been incidents such as the remote scripting vulnerability uncovered last year. So while the Mac has been a less juicy target for digital miscreants, history doesn't mean the Mac won't be vulnerable to future attacks

[flood6]

It all makes sense now...

The rest of the story.

[mikmik]

I can't fuck1ng believe it, it refreshed before I could hit submit. F_UCK IT!

[mikmik]

Anyways, most of what I wanted to say is here:
antiOnline

I had put that it doesn't matter who funds it - that is certainly a warning flag, but all the drugs, medications, pesticides etc., etc, are studied by the companies funded reasearch.

It is then evaluated on its methodology, and recreatability of the results.

So, saying it is no good because of that is like saying you don't know because you haven't evaluated the methodolgy and/or data.

I want to show two direct quotes here that sum up my opinion to date about most of these debates:

Quote:

So do you really think that the guys doing this study had GAIM and OpenOffice installed? Mine sure as shit doesnt. It's a stripped RH box, doing basic Web/FTP services. And it has had more patches then my Win2k Box with IIS. Whats that add up to? Nadda. Why?
Different box doing different jobs with different exposure. (FYI, my RH box had 137 patches, and we ARE talking about RH, not SuSE in this study, right?)

I guess the really furstrating part of this discussion, Gore, is the fact that several of us think that you have the knowledge and skill set within Linux to strongly dispute this study, yet all you can manage to do is a "My OS is better then your OS" rant. SDK and myself to name a few a seriously interested in why you feel so strongly, and WHAT technical FACTS you have to back it up.

By this point we all know you hate Windows, but personally I think it is a bit like saying you hate Ford's. Why do I care? Until you put a technical side on your opinion, it is nothing more then bad taste, like enjoying Punk Rock.... :O read Roberta Bragg or a few of TigerShark's tutorials, and Windows CAN be secured. Even with "Tons of software on it". I dont give a crap that you think SuSE the OS to end all OS's, I care about the WHY.

Quote:

And with the industry and its appointees now turning out reports the independence of which is increasingly being questioned, even valuable information now risks getting lost amidst accusation and counter-accusation.

I am really very, very, tired of people and organizations with vested interests, especially if it is just a personal ego matter, that blanket recommend anything by saying "it is better".

The real information and rational discussion is lost among all the "I can shout louder than you" rhetoric.

The worst and dangerous thing I see is people who are so misinformed as to be out of touch. I have seen people on a forum here in Kelowna, not a computer or web forum, just town discussion, that think Windows is dangerous to use, or that it is to overwhelming to figure out what is the right way to approach security and safely interacting on the internet.

I don't even care if one is "more secure" or not, because the difference is negligeable in practice.

There are to makes of car on the road. 90% are secured with retina scanners, and 10 % are secured with dna analysis (assuming they are both reasonably similar in complexity. They both take termendous amounts of skill and learning/experimental time to break.

Don't tell me that anyone in their right mind, would spend all the effort to learn to break into one tenth of the cars when they can just as easily have access to 90%.

It is software, there are differences to be sure, but in spite of the so called cost differences ( I think windows server with SQL is about 15 or twenty thousand dollars) why do they both continue to be used, and in some areas, MS systems are used 2 to 1 or even three to 1 (I got this from netcraft on SSL use).

There is no big if even very signifigent change in the ratios of use, is there? That is something I would like to see, as well as hard figures on successful hack breakins.

User knowledge far outweighs any security advantages that may or may not exist.

In other words, I doubt, overall, there is any difference.

Don't try to tell me the dna is better security

--------------------------

I just found this: Linux Insider

Quote:

A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft (Nasdaq: MSFT) produces more secure code than its open source rivals.

In an academic study due to be released next month, Dr. Richard Ford, from the Florida Institute of Technology, and Dr. Herbert Thompson, from application security firm Security Innovation, analyzed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat (Nasdaq: RHAT) Linux.


Stats Don't Lie
"Vulnerability counts are much higher with Red Hat than with Microsoft," said Dr. Ford. "I am a huge Linux fan, and I have a Linux server in my basement. The first time I saw the statistics I thought someone had mucked about with my database."

PS I like sites that just deal with the matters at hand, and don't even mention any controversy or opinion on which is better. There are debates on all kind of computer forums, and computer review and repoting Magazine's forums, and most of the debates are the same - pointless and irrelevent to fact.

[flood6]

Quote:

Originally Posted by mikmik

I just found this: Linux Insider

Quote:

PS I like sites that just deal with the matters at hand, and don't even mention any controversy or opinion on which is better. There are debates on all kind of computer forums, and computer review and repoting Magazine's forums, and most of the debates are the same - pointless and irrelevent to fact.

While I certainly don't have time to go point-by-point, I'll just mention that the RSA thing you mentioned is what this thread is about. It's the same story Chris mentioned in the original post.

Second, I'll go ahead and say it: Anyone who says "Stats Don't Lie" is wrong. Not opinion, no question about it, wrong.

Most Linux users have used Windows before, most Windows users have never used Linux. That automatically makes the average Linux user more informed and able to compare the two than the average Windows user.

Finally, I'll concede that the vocal Linux superfans don't do anyone any favors when they spout "Linux is better, Windo$se suXor" type of statements. I can understand sharing an opinion, but being a blind zealot is just foolish. Blindly defending Windows simply because doing so puts you in the minority is equally foolish.

I like Linux much more than Windows. I have found it better suits my needs on a desktop and to serve my sites. I'm not mad at Bill Gates, I don't think Windows users are automatically stupid. If someone enjoys using Windows or any other MS product then they should keep using it.

[mikmik]

all from flood6

Quote:

While I certainly don't have time to go point-by-point, I'll just mention that the RSA thing you mentioned is what this thread is about. It's the same story Chris mentioned in the original post.

Second, I'll go ahead and say it: Anyone who says "Stats Don't Lie" is wrong. Not opinion, no question about it, wrong.

Okay, I thought that, it is on a Linux site, so I was just impressed with the report and how it was presented being there. And I couldn't agree more, stat CAN lie, and it is almost a science these days to manipulate them. Further more, some methodologies are hard for most to understand at all, let alone interpret.
That said, they don't all lie. But the confidence in them is justifiable low, that is for sure.
I was too harsh criticizing people for using others evaluations to support their arguments. I do it, I am emotional.
(If I am out of line, I stand to be corrected, anytime, please just say so. It is fun to get angry, but I always feel bad afterwards. Enough excuses, it is my responsibility, not yours!)

Quote:

Most Linux users have used Windows before, most Windows users have never used Linux. That automatically makes the average Linux user more informed and able to compare the two than the average Windows user.

I have to give you that one, it is a very good point. I have my own experiences with both, and windows is much more usable ie. interoperability between programs and most importantly, intuitive structure and naming for file system.
The Windows documentation blows Linux distros away.
But of course then I am getting into desktop users category, and not sys and network admins.
So when Linux users say they find Linux more secure and more powerful, I understand that. They are not your average users either, more adept at programming and setting up security.
That is the main reason I keep at it (when I can) by trying distros out, and learning Linux here and there.

I want Linux to be accessible to everyone! I greatly fear monopolies, and I love the idea of a community co-operating and working together. That is why I think it is important to realize that there is a way to go before Linux is will make big market gains. I am about to try ubuntu as soon as I download it. Xandros is getting close, it has a magnificent help/getting started manual that is apparent.(Easy to see it is there/find)
Lets face facts so it can be improved, and not worry about Microsoft's ethics and exaggerate the shortcomings of Windows. It is the only way (IMHO).

Quote:

Finally, I'll concede that the vocal Linux superfans don't do anyone any favors when they spout "Linux is better, Windo$se suXor" type of statements. I can understand sharing an opinion, but being a blind zealot is just foolish. Blindly defending Windows simply because doing so puts you in the minority is equally foolish.

I like Linux much more than Windows. I have found it better suits my needs on a desktop and to serve my sites. I'm not mad at Bill Gates, I don't think Windows users are automatically stupid. If someone enjoys using Windows or any other MS product then they should keep using it.

YEAH!!! I also think criticism of both is necessary and to be encouraged.

Here is a link - I was reading about the new Mandrakelinux Corporate Server 3.0 on eWeek Linux.
I was looking at the ratings for each for 'security' and 'documentation' particularly.

I really want to support and encourage people yo make this kind of information common for all. I think it is the way to respectfully, and therefore adds mondo credibility, spread the Linux word.

I am sure people are leery to switch, or even think about anything in this area at all, if the 'information' is presented in a objective, non-judgemental (obviously biased or passionate) way.

Again

Quote:

I can understand sharing an opinion, but being a blind zealot is just foolish. Blindly defending Windows simply because doing so puts you in the minority is equally foolish

Hahahaha.... GUILTY!

[flood6]

Ubuntu is awesome. I'm sure you're already aware, but for the sake of others, you can get Ubuntu disks delivered to your front door for free, you don't even pay for shipping. Each set includes a live CD that you can boot from and test it out without it effecting your hdd at all. In nearly all cases it will automatically find your internet connection and network and you can be using Linux in the time it takes to boot your box. Here is the info: http://www.shipit.ubuntulinux.org/ Ubuntu is a good distro to try because, while not perfect, it is very polished and is based on the most stable and widely supported Linux distro, Debian.

I agree that even the most user friendly distros have a way to go before they can appeal to the masses. It's odd because I have said before that I have no doubt that I can set my grandmother up with Mandrake or Linspire, give her email and browser icons, spend a little time showing her how to use it and she'll be fine. It is people who know more about Windows that will be more resistant to change, they will get frustrated.

I'm not an average computer user. I get a kick out of compiling software from source. The first time I saw a little window scroll with text that represents C++ being converted to binarys, I giggled like a school girl. The first time I modified my operating system at the code level, I was approaching the point of arousal. Knowing how to log into my web server via ssh, modify a file located there with vi, and do a little web browising via lynx from that computer half a continent away is like gnostic knowlege. I keep my data backed up and have a blast tinkering with my computer in ways that are physically and legally impossible with Windows.

I never really "liked" Windows, I like Linux. The above paragraph puts me outside the mainstream (the arousal part probably puts me WAY outside the mainstream). I recommend GNU/Linux to people whom I think it would work for: people who use illegal copies of Windows, geeks, grandmothers who just want to check email and visit their church's website, and people who aren't satisfied with Windows.

Linux superfans spout propaganda that rivals Microsoft's. Again, I say this is a disservice because people might be encouraged to try Linux based on one of those wild claims and get royally upset when they find out it wasn't true.

I don't mind people liking Windows and/or hating Linux; there are valid reasons to do both. But when this monolithic company lies and misleads the world I'll point the finger and proclaim, "BS".

I'm all about capitalism (ahhh...that member...the bearded shrink...you know who I'm talking about, Mik, I can't remember his name right now) once wrote something along the lines of how capitalism has gotten us this far and picking up the hammer and sickle didn't really appeal to him. I totally agree, often the hardcore free software people get going and I just want to gag on the utopian hand holding they go on about.

But like you said, it's nice using free software and being able to pitch in where you can, even if it is just answering questions and submitting bug reports.

Well, I'm about out of tangents to go off on.

Later.

-Damian

[mikmik]

flood6, we have very similar attitudes! Minstrel is the guy who said that, it sounds like. I always defend M$ for playing 'the game' and being an example of free enterprise. A little mix of ethics in there, a little less short sighted greed, and I am capitalist all the way.

I am a geek too, and I am looking forward to learning some borland or such right away. Then I will be able to compile code.

I've used Java SDK and Netbeans for java applets, and it is a thrill to have something work that you've compiled. I am actually pretty happy if my divs line up, also. LOL