Study Finds Windows More Secure Than Linux

cfelde writes "A Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, 'Security Showdown: Windows vs. Linux.' One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint."

Integrity?

[samtihen]

Well, apparently this is the second time Microsoft has come out on top of a research project by Mr. Richard Ford.

http://www.virusbtn.com/magazine/articles/letters/ 2004/01_01.xml

Apparently there was some question to the validity of an earlier project because it was sponsored by Microsoft.

However, I would like to note that both researchers seem very well educated, especially in computer security. And, additionally, they both note that a lot more could be done to lock down the Linux server.

Re:Newsflash... ONE Linux Fan..

[EvilTwinSkippy]

Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.

Um, no. Your average system administrator earns about $62k has at least 2 years experience, and generally a bachelors degree in a related field. At least according to most industry figures.

The job title also entails tweaking system configurations for security, evaluating patches, etc. etc.

Re:A lot more could certainly be done...

[jc42]

Why would it take a patch to make a server run in a chroot jail? This can be done with any program. It requires no cooperation from the program itself.

Of course, running anything chrooted usually requires making a list of subprocesses that the program calls, and linking them into the program's directory tree. You'd want to do this in this case, because web servers typically do invoke some subprocesses. Not always, of course; some web sites are completely static. In any case, this doesn't require any sort of patch; just a list of what files are needed in the chroot area.

So what's in the OpenBSD chroot patch? What sort of vulnerability existed without it?

Re:These studies are pointless. Both can be secure

[dioscaido]

What on earth are you talking about? Are you trying to imply that sql injection is a windows only problem? And about 'winsock' crashing... do you know of a vulnerability we don't? Or are you harking back to windows 95 vulnerabilities? The fact is, the parent post is the one that is Insightful. Both Linux and Windows servers can be secured very easily. The XP desktop might still have issues, but Win2k3 server is solid and secure.

I've seen it in action

[Eskimore_]

I did some work at a local University a while back. The faculty I worked in used HP-UX for their core services, Linux on the desktop, a couple of Solaris labs and 1 small (less than a dozen) windows lab. The other faculties used Windows almost exclusively.

The faculty that ran the *nix based services had almost no complaints of intrusion or other security problems from the "global" IS department of the university, while some of the windows using faculties were being threatened with losing their internet access because of too many security breaches.

No, this isn't a study. But it's evidence of how it works in the real world.

The reason I think *nix is more secure is because of how configurable it is. You can configure almost anything. Hell, you could write your own TCP drivers if you felt like it (not that I've ever known anyone to do that). On Windows you're limited to the security options given to you from the vendor. Or you have to pay a 3rd party for their innovation... With *nix the power is in your hands.

'Out of the box' software/systems are usually never ready for production environments right? But sufficiently tweaked most systems can be reasonably secure and centrally manageable. I just think that level of tweakability is higher with *nix. /my2cents

Bruce Schneier on Linux security

[frozenray]

Which is more secure, Windows or Linux? It depends on whom you ask. Here's what Bruce Schneier, a reputable security researcher and author of "Applied Cryptography" and other computer-security related books has to say on the matter:

Linux Security

I'm a big fan of the Honeynet Project (and a member of their board of directors). They don't have a security product; they do security research. Basically, they wire computers up with sensors, put them on the Internet, and watch hackers attack them.

They just released a report about the security of Linux:

Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that a unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) have an online mean life expectancy of 3 months before being successfully compromised.

This is much greater than that of Windows systems, which have average life expectancies on the order of a few minutes.

It's also important to remember that this paper focuses on vulnerable systems. The Honeynet researchers deployed almost 20 vulnerable systems to monitor hacker tactics, and found that no one was hacking the systems. That's the real story: the hackers aren't bothering with Linux. Two years ago, a vulnerable Linux system would be hacked in less than three days; now it takes three months.

Why? My guess is a combination of two reasons. One, Linux is that much more secure than Windows. Two, the bad guys are focusing on Windows -- more bang for the buck.

Bruce Schneier
Posted on January 06, 2005 at 01:45 PM
------------
Different methodology, different results. My money's on Schneier.

Re:More FUD

[1u3hr]

A study comes out saying Windows is better than Linux? Question the results

Having read TFA, the "study" consisted of counting security flaws for RH and Windows, and comparing how long it took to issue patches -- from the date of the vulnerability being announced. This is really shallow; we've seen lots of such studies and laughed at them. I note the spin put on this is "One of them, a Linux fan, runs an open-source server at home..." which makes it look like a Linux zealot has been hacked in his own home, while the happy Windows guy is unscathed. In fact, it was all hypothetical, there were no trials of real servers (none mentioned anyway), just "potential" vulnerabilities in default setups.

Re:More FUD

[Zebra_X]

The same cannot be said about MS IIS. Worse, the odds are very good that many the IIS exploits were in the wild prior to when they were first publicly reported, while most of the Apache exploits were, in all likelihood, patched prior to the first exploit.

Did you read the article? The server tested is Windows 2003. The web server is IIS 6.0. These "many exploits" that you refer to, which ones are they? Last time I checked there were no reported remote exploits for IIS 6.0. There ARE exploits for 2003 as a platform, but not for 6.0 as a product.