Linux, OpenBSD, Windows NT / 2000
Server Comparison: Contents
- Introduction Linux, OpenBSD and Windows NT / 2000
are discussed as server operating systems.
- Applications Required
applications available only on one platform selects that platform;
required applications not available eliminates a platform.
- Applications Supplement OS
Some Windows applications are just helpers filling gaps in the OS.
- Niche Area Support Windows has
more niche area applications.
- Application Integration
Tight application integration has benefits but also ties
a user more tightly to the product line.
- Vertical Market Products
Windows has a big current lead but Linux is a natural
for vertical market applications.
- Included With Core OS
UNIX systems typically include a greater array of full function
server applications than Windows.
- Open Source Applications
All open source applications are arguably part of the OS
because they are available under similar licenses at no
additional cost. What's available is examined.
- OS Versions and Fragmentation
There is just as much diversity in the Windows product line as
in different versions of UNIX.
- Application Summary Windows
has more applications but Linux has enough at a much better
cost benefit ratio to be a serious contender. OpenBSD is
appropriate in specific environments.
- Stability and Reliability
- Security Introduction Those with
strongly Windows or UNIX backgrounds rarely understand the
security of the other family.
- Windows Security
- FAT vs. NTFS Choosing a
FAT based file system on NT gives up both security and a highly
reliable file system.
- Windows, FAT and Dual Boot
Dual boot is the only justification for FAT and has no business
in a business environment.
- NT File and Directory Security
NT has a very sophisticated file and directory security system and
significant system access controls not available in UNIX.
- Poor Windows File and Directory Security
Tools Poor tools make NT's sophisticated security unnecessarily
difficult to use.
- NT Throwaway Security
Microsoft has discarded useful security with horrible default
- Password Hashes
Windows NT and 2000 password hashes are pathetically weak because
of backward compatibility concerns.
- NT Too "Easy" To Be Secure
It's really not desirable that non technical users can set up
what should be sophisticated servers on the Internet.
- Recent Windows E-Commerce
Compromises Intruders systematically targeted 40 e-commerce
sites using well known vulnerabilities as much as three years old.
- Breaking IIS Exploits.
Two steps, one trivial and one which is admin 101, break most
IIS exploits, without patches.
- Windows' Single User
Origins In the past Windows single user origins have protected
it from many serious exploits.
- UNIX Root Compromises
UNIX's true multi user origins have exposed it to more serious
- NT Rootkit Compromises
Intruders now have all the tools needed to gain remote administrative
access on Windows systems.
- Unneeded Services
Windows makes it difficult or even impossible to turn off
unneeded services while retaining necessary functionality.
- Windows Complexity
Windows is highly complex and getting more complex with each
release, assuring an unending supply of bugs for intruders to
- Default Installs OpenBSD is the
only system in this comparison that is secure by default.
- OpenBSD Origins
OpenBSD was begun as a separate project with the goals to create
a reliable and secure system.
- Secure by Default
Many services typically turned on by default are turned off in OpenBSD;
file and directory access is more restricted than other UNIXs.
- "Four years without a
remote hole" OpenBSD claims that no system installed with
default settings has been remotely compromised in four years.
- OpenBSD Daily Security Audit
*BSD systems include a Tripwire like auditing function built in
and turned on by default.
- Quantitative Comparisons
Few quantitative measures are readily available to compare operating
- Web Defacements
The attrition.org record of web site defacements is one quantitative
measure of web server security if used with care.
- Linux and other UNIX
Defacements No definitive conclusions can be made from
recorded Linux and OpenBSD web site defacements.
- Windows Defacements
Windows NT and 2000 web sites which are definitely a minority
of all web sites account for a clear majority of web site
- Linux: A Security Middle Ground
Linux security is not as good as OpenBSD but better than Windows and
it can easily be hardened to a significant degree.
- Firewall in Red Hat 7.1
Install By including firewall setup in the install, Red Hat
allows a hard shell to be wrapped around otherwise mediocre
- Firewall Problems
Unfortunately Red Hat picked the now obsolete IP Chains and the
system configuration tool doesn't work with the firewall.
- OpenBSD Firewalls
The OpenBSD firewall is off by default and defaulted to
allow all traffic when first turned on.
- Back to Linux Firewall
Picking the most secure Red Hat firewall option is likely to
require some manual configuration.
- Default Install Conclusions
OpenBSD is the security leader with Linux second and NT / 2000 a
distant third; both open source systems can be hardened to almost
any degree while Windows is a significant hardening challenge.
- Intrinsic Security Comparisons
Intrinsically Windows is not significantly less secure than UNIX
but this is not a real world question.
- Development Model, Bug Fixes, Security & Reliability
- OpenBSD is built by
a tightly coordinated team with a clear emphasis on high quality
code and security at the expense of features. Bugs are fixed very
quickly and a single, up-to-date "patch branch" free of any known
significant bugs is always available.
- Security Notification
lists Some leading security e-mail lists are mentioned
and the SANS SAC list recommended.
- IP Filter Bug the
conditions necessary to exploit a security bug the
OpenBSD team described as "serious" are examined.
- Linux is built by a large
loosely coordinated team with a large active user base. Bugs are
common but fixed very quickly. Multiple distributions introduce
issues not faced by OpenBSD.
- Microsoft Microsoft's
unquestionable first priority is making a profit. Then come long
feature lists, ease of use (learning), and performance. Security
is at best a fifth place priority. Most buyers want features and
don't care about security and Microsoft obliges. Their products
cannot possibly be as secure as OpenBSD or Linux.
- System Tradeoffs
is a long discussion of how various factors interrelate when
building a system. The basis for some quantitative comparisons
is outlined but the necessary data not typically available.
- Open Source Code Review
ensures a more secure end result than the closed proprietary model.
Review by black hats is an essential, and in the long run, beneficial
part of the review.
- Security Conclusion OpenBSD
is the security leader but pre hardened Linux versions present
some interesting challenges. Both can be hardened as needed. Long
Windows NT and 2000 security feature lists don't make secure systems
and lots of bugs assure continued large scale intrusions.
- Scalability typically means how many
processors a single machine can use or how many machines can be clustered.
I'm going to discuss it from the perspective of small businesses and
the ability to make effective use of resources by moving processes and
adding machines as needed.
- System Performance Benchmarks
measure a very specific and limited set of functions that may not
reflect live environments. Performance affects total costs.
- Static Web Pages For years
PC Magazine's unrealistic static page web server test has made
Linux and Apache look much slower than NT / 2000 and IIS.
- Other "Benchmarks" give very
different results. Each OS looks better or worse depending on the
specific task(s) performed.
- Hardware Requirements Windows
systems generally have significantly higher hardware resource requirements
than Linux or OpenBSD.
- OS Performance Comparisons
In text mode Linux and OpenBSD should be somewhat faster than Windows
and in GUI mode Windows' tight integration should give it some advantage.
- Price Performance Ratio When
total system price (including licenses) is comparable,
Linux and OpenBSD should run circles around
NT and 2000.
- Scalability As Cost Effective Performance
Businesses small enough to run on a single server should consider keeping
everything on one server; slightly larger businesses should consider
Linux or OpenBSD for web, FTP, or list servers.
- Relocating Server Applications
UNIX systems can easily be moved to other machines and applications
split or moved separately; Windows NT and 2000 lack this flexibility.
- Ease of Use and Ease of Learning
The difference between doing something the first time, ease of learning, is
almost universally confused with doing it repeatedly which is ease of use.
System administration has much more repetition than end user computing.
- Windows Lacks Automation
Without third party tools, Windows NT is almost totally devoid of
automation tools and Windows administrators typically lack scripting
- Smart Monkey Administrators
Windows is designed to hide computer workings from users which might make
sense on an end user computer but not on a server which should only ever
be touched by technical staff.
- System Logs and Monitoring
Servers create logs that need to be reviewed and analyzed.
- Windows System Logging
Though Windows can log a variety of events and provide log services
to applications, it has almost no tools to work with the resulting
- UNIX System Logging is
almost unlimited in what can be logged and where it can be sent.
Because all logs are text files or have conversion utilities,
analysis possibilities are unlimited.
- Limited Windows Monitoring
NT includes extensive auditing capabilities but results go to logs
with no useful analysis tools. Process monitoring is spotty and
performance, not security oriented.
- Tlist Is Not PS The only
tool remotely like the UNIX ps command is the Resource Kit, tlist,
which is a limited function, semi useful tool.
- Support Options Except for WordPerfect a decade ago and
IBM, I've never been favorably impressed with commercial computer
- Microsoft Non Support
If you can't find the answer on their web site, I've not found calling
Microsoft to be worth the effort.
- Microsoft Consultants
Skilled consultants who really know the products exist but finding
them reliably is another matter.
- Open Source Documentation is
available free on the Internet. Lazy Windows ways of insert CD, default
install, run product are not sufficient; most open source products
require some reading of documentation.
- Usability Conclusion The easy to
learn mechanics of Windows hide repetitive tedium. Differences in
different Windows lines and major changes every five or so years
undermine Microsoft claims for easy to use. In the long run UNIX skills
are more transportable.
- Staff Issues What matters is not how much UNIX or
Windows administrators cost but the cost per managed unit which could
reasonably be machines or users or even some workload measure.
- Scripting Skilled UNIX administrators
will automate all routine tasks on the machines they are responsible for
and thus likely to be more efficient and satisfied.
- Reliability Impact on Staff There
is little that is more frustrating than troubleshooting problems for
which there is no explanation so Windows administrators will typically
experience high levels of job frustration.
- Total Cost of Ownership Windows 2000 costs much more.
Security and reliability are much
cheaper on Linux and OpenBSD. Usability is a mixed bag.
If needed applications are available on open source systems,
they have to have a lower TCO than Windows.
- Summary and Recommendations Windows is an
expensive system that typically delivers too much unneeded functionality
and unwanted security and reliability surprises compared to free or low
cost open source systems that can easily be made to reliably do what
- Moving Away From Windows Few companies
today can dispense with Windows servers, but many more than are, could
find cost saving uses for Linux systems.
- Application Choice Over Valued
Though the issues are very different in consumer and business
desktop markets, it makes no sense to spend extra to get unreliable
and insecure servers, able to run applications they never will.
- Introducing Linux to a Windows
Environment Shops not already highly Windows centric and with
a mix of platforms and loosely integrated applications will have a
much easier time introducing Linux.
- Gaining Linux Experience Initial
Linux experience is best gained at home on an old or low cost second
computer and not a dual boot system. KVMs make this practical.
- First Linux Project A low visibility
technical use of Linux, e.g., a DHCP, FTP, relay mail, or cache server,
is likely to be the best first use for a Linux server.
- Conclusion In my experience, NT
servers never quite measured up to UNIX servers, and my mirrored server
experiment settled the matter. Windows 2000 is way too little, too
late to matter.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is