Linux, OpenBSD, Windows Server Comparison:
Intrinsic Security Comparisons
A question that's sometimes asked is what about the intrinsic
security differences between operating systems. If someone who
knows what they are doing and takes full advantage of the
features a system is capable of, how do the systems compare in
terms of security? We've mentioned that Windows includes a very
sophisticated file and directory permission system, that's by
default effectively turned off, and rarely used to advantage.
Some knowledgeable persons have attempted to make comparative
evaluations of the intrinsic capabilities of Windows versus UNIX
systems. The conclusions I've seen have been along the lines
that though there are differences with each system having limited
advantages or disadvantages in different areas, that overall the
systems are roughly comparable, and that one cannot say that UNIX
is significantly more secure than Windows or vice versa.
I think there is a serious flaw in the question. Asking about
the intrinsic security differences between Windows and UNIX
systems is the same as asking how the systems would compare in
some hypothetical world in which all system administrators are
thoroughly trained and have ample time to do their jobs, and not
the real world that they are used in. First, there can never be
a definitive answer that would be widely accepted, but even if
there was it would have no practical value. As much of the
discussion has already shown, many, perhaps most administrators
are not well trained, and Windows administrators are generally
less well trained than UNIX administrators. Further, nearly
all administrators are routinely under significant time
pressures.
Windows Is not Meant to be a Secure System
One thing that Microsoft has surely accomplished is to build a
feature rich and tightly integrated environment. For Microsoft
products to be fully functional, the systems on which they run,
need to have an array of services (often proprietary) turned on,
that provide the infrastructure on which the different products
interact. When looking at lists of steps to harden a Windows NT
or 2000 system, two items will likely be present: disable file
sharing and turn off NetBIOS networking services. From the
outside, these are two functions that make a computer look like a
Windows computer. Certainly from a user perspective, turning off
these will take away the capabilities that make the computer, a
useful Windows computer. How else do Windows' users move files
around other than by disk shares?
Admittedly Windows servers located in a DMZ can and should be
configured differently than Windows servers on an internal LAN
just a UNIX computers in a DMZ should be set up differently than
their counterparts on an internal LAN. Still, it's been my
experience when installing various Windows products, that in
either the instructions, prerequisite lists, or troubleshooting
lists, there will be references to services that must be turned
on in order for the product to work. The more products and
capabilities installed on any specific Windows computer, the more
Windows like the computer will need to look, to perform as
intended.
To a much lesser degree this is true of UNIX or any other
computer; the more functions performed by the computer, the
harder it is to secure, but UNIX systems rarely require any
significant services not directly related to the needed
functions. It is typically easier to turn off functions on a
UNIX computer than a Windows computer, and to install specific
capabilities on a UNIX computer without needing other, not
directly related services, to be enabled.
The real choice comes down to a highly functional, more or less
typical Windows server that can never be highly secure, versus a
highly secure UNIX based server than can only be used for a very
limited, deliberately restricted, set of functions. If you
choose functionality, you are likely to select Windows. If you
choose security, it will be on a hardened UNIX server. If you
compromise, theoretically you might pick Windows, but practically
this is likely to mean a UNIX server, that is not significantly
hardened.
If you choose Windows, the question is not "Can the system be
made highly secure?" If you do, you likely defeat the very
reasons for having selected Windows in the first place. The
question should be "Can Windows be made adequately secure for its
intended purpose?" The answer is a qualified yes. If the
Windows server is placed in a suitable environment where it is
protected by firewall(s) and network intrusion detection
system(s) and its intrinsic host security features are used well,
it's likely to be adequately secure. In such an environment, the
primary vulnerabilities are likely to be at the application level.
If the application is very complex, when comparable application
systems are built on Windows servers and UNIX servers, the
Windows version is likely to be only somewhat more vulnerable
than the UNIX counter part.
Top of Page -
Site Map
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.
|