SAN FRANCISCO — Believe it or not, a Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers. The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, "Security Showdown: Windows vs. Linux." One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint. "I actually was wrong. The results are very surprising, and there are going to be some people who are skeptical," said Richard Ford, a computer-science professor at the Florida Institute of Technology who favors Linux. Their research could contribute to the debate about which system costs more for companies to operate. Linux costs less to acquire, but Microsoft is trying to convince buyers that its software is less expensive to run and manage. Read the rest of the article at the Seattle Times.
Linux is fantastic, but Windows is very good as well, its just got a terribly security flawed multiuser design. No matter what you compare whether its a Ferrari to a Ford there will always be people who go "OMG WHAT? A Ford CAN be faster than a Ferrari!?!?!?!?!??! WHAT THE HELL!? NO WAY" but then you have to sit back and say yes.. its not actually that suprising if a Ferrari is not setup properly and the ford is, then the Ferrari will be more flawed and vunerable than the ford. *SHOCK* *HORROR* Also, companies, large or small, who use Linux on servers for whatever purpose - you can almost guarantee that they will have Windows running on servers. The point is that Windows and Linux are both very good operating systems, but they are good in their OWN areas in computing, whether it's Data Warehousing, Database management, WebServer, File Server, Backup Server.. whatever.. And when i say that i'm not suggesting that Windows is better at "this" and Linux is better at "that", it all depends on the type of system your running, what the computer is required to do, the size of the system, the need for security (whether its on the net or on an internal network with IP Masquerading.. routers, firewalls e.t.c) Also bear in mind they say they used a "bare" Windows system and a "bare" Linux system (both web servers) - i believe that most likely it was abit of "pot luck" that the "default" install of Windows Webserver was more secure.. But which IT Professional.. no matter what idiot he is is not going to patch his system, whether its Windows or Linux, and a patched Linux system is alot more secure (*or can be) than Windows. *when i say "can be", i am merely refering back to the fact that the "user" ie, "IT Professional" in this case, should be keeping updates on a very regular basis, if not automated.
That's very true. If you don't know what you're doing in terms of security, you can still setup a lame security system under any OS.
I can't believe anybody's actually buying this round of FUD*. I've never seen nor heard of an objective, independant study of OS security where Windows even fared well, let alone better than a Unix derivitive. Every time you see a study like this where Windows looks really secure, or clearly has a lower total cost of ownership (even though Linux is free), there's an unusual coincidence they typically share: they are financially backed by Microsoft. Case in point: Recently, a specific Australian tech firm published an "independant" security brief on Windows security VS Linux security. When Windows came out extremely favorably, the firm was asked by several independant firms (mainly universities) to substantiate their data. A week later, the brief was retracted by the Australian firm, as they claimed they may have made some mistakes when interpreting their data. It was later discovered that Microsoft had given the same company some hundreds of thousands in the form of a grant just prior to the article's publication. This kind of thing goes on all the time. If you can't compete through product performance, do it through propaganda and litigation. I'll post the articles I got that information from as soon as I find 'em in my browser history. In the meantime, I encourage you to do your own truly independant study. For example, fingerprint webservers for popluar websites, some which run Windows/IIS and some which run Linux/Apache. Then, average the typical uptime these sites report. Seeing any patterns yet?
Alright, I feel stupid pimping my own posts, but look at this. Microsoft is admitting that Windows can and is getting rooted, by spyware of all things, which installs itself automatically. This would not and could not happen with Linux, BSD, Solaris, BeOS, MacOS, SystemV, or any other operating system I can think of. Some unique "features" of Windows make this possible: * Windows allows users to runs as administrator by default * Windows is a monolithic system, not modular. Programs have free reign over the whole system * User seperation and file security is mainly superficial * Even low-level users have write access to the root directory * The web browser is partially embedded into the kernel as a speed hack (to make IE load faster) * ActiveX I hate to even compare the security models of Linux and Windows, as there really isn't much to compare. But Linux is a modularly designed operating system. It compartmentalizes access and priviledges into seperate and clearly differentiated subsections, which can be tightly controlled and regulated. Hypothetical security evaluations, such as the parent of this thread, clearly don't take this into account. As further emphasis, the NSA's Security-Enhanced Linux project further enforces the privilege seperation already in place in the Linux kernel. This isn't even possible on a Windows system, due to its monolithic nature. It had to be implemented on a modularly designed OS, or the NSA most certainly would have implemented it on the market-share OS. After all, it is Windows systems which flood the internet with a vast majority of junk packets, junk mail, worms, and other Internet polution. The NSA's ultimate goal is to make Windows more secure in the long run, therefore making the Internet a better place (see their site).
