Forgot your password?
typodupeerror
Security Software Microsoft Linux

Study Finds Windows More Secure Than Linux 796

Posted by Zonk
from the an-interesting-definition-of-secure dept.
cfelde writes "A Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, 'Security Showdown: Windows vs. Linux.' One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint."
This discussion has been archived. No new comments can be posted.

Study Finds Windows More Secure Than Linux

Comments Filter:
  • by Spudnuts (21990) on Thursday February 17, 2005 @01:21PM (#11701437)
    In a previous job at a datacenter where we ran Red Hat Enterprise Linux, I frequently got the comment that there seemed to be a lot more Linux patches than Windows patches. All of the updates for optional software (I tried to do minimal installs and/or remove optional things, but the dependencies sometimes made this awkward) simply made the systems seem more needy than the Windows systems.

    Many of the vulnerabilities were of low risk to us, but it was rare for the system owners to say that even with this low risk that it was acceptable to hold off on applying the patches.
  • by Oriumpor (446718) on Thursday February 17, 2005 @01:22PM (#11701463) Homepage Journal
    The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.


    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.


    Come on, who runs a Windows box on the web without heavy firewalling, software firewalling (blackice with autoblocking for instance) and regular audits?

    The same goes for Linux. Security is not something to be taken lightly. People should NOT be putting machines out in the open. The best practice used to be Firewall critical servers. The best practice has become Firewall, IDS, and monitor the crap out of anything touching the internet.

    These tests are always like comparing a Factory Model to a Nascar Stock Car.
  • by rpdillon (715137) on Thursday February 17, 2005 @01:23PM (#11701476) Homepage
    This "article" doesn't actually provide with any information in what WAY the results were obtained.

    From an admin perspective, I want to know what the vulnerbilities were, and what their definition of "vulnerable" is - especially if they say "Windows had 30 days of vulnerbaility, versus 71 for Linux".

    On that topic, when are we going to get past the label "Linux"? There is no such thing. There's RedHat, SuSe, Gentoo, and Debian (among hundreds of others) and they all handle security differently. I'm sure I could find distros LESS secure than Windows, and I'm sure I could find distros unquestionably MORE secure, as well.

    Ah, well, I guess I'll wait for the report. I would have preferred a headline:
    "OS Zealots Face Off in an Anecdotal RedHat vs. Windows Web Server Security Showdown - IIS Triumphs"
  • Simplistic study (Score:2, Interesting)

    by Bender0x7D1 (536254) on Thursday February 17, 2005 @01:24PM (#11701481)
    It really bothers me that simple studies such as this grab the headlines. If you really want to determine which server is more vulnerable, study real servers belonging to real companies handling real traffic/data that someone wants to get.

    Also, deciding on a configuration that an "average administrator" would have instead of a "wizard" seems questionable unless they determined those settings by examing dozens (or hundreds) of actual system configurations. Determining something is "too advanced" for an average administrator to use without actually examining real systems seems too arbitrary. Can anyone define the skill level of an average administrator?

    You can't determine how secure something is if you aren't going to use its security features. If M$ has all of their security features turned on by default and Linux doesn't, that doesn't mean M$ products are more secure than Linux, it just means that they have a better configuration out of the box. (Not that I believe that, but I use it for the sake of arguement.) While it is important to have fail-safe defaults, it is far more important for someone to know what they are doing. Unfortunately, too many companies don't understand that and hire people who don't know what they are doing.
  • by Blitzenn (554788) on Thursday February 17, 2005 @01:29PM (#11701569) Homepage Journal
    All that really says is that the foundation is secure. It doesn't say that Windows will be free from succesful attacks or that Linux will not.

    Try this analogy on, If you buy both Porsche and a dodge neon. Park them both on a city street and leave them overnight, unattended. Which one is most likely to get stolen? Anyone with common sense says the Porsche. But the Porsche has a much better security system than the neon has. But gosh, nobody want the neon either, so it doesn't need the over zealous security. Now that's a bit of a stretch for a Windows vs Linux comparison, but it does denote the reason why a Windows server is going to quickly 'become' insecure, while the less secure Linux platform is probably going to fine and left alone.
  • by nothingx (809091) on Thursday February 17, 2005 @01:34PM (#11701641)
    ... what they're paid to do. How much does a license cost to run Windows 2003? How much does Apache cost? Really, it's not that surprising that full-time salaried employees can build a better server. I mean, that's what they're paid to do. I don't get excited when the guy at the donut store gets my order right, why should I care that Microsoft's server works?

    I don't know about other people, but I don't run Apache because I think it's more secure. I run it because it's free, opensource, and secure enough for my needs.
  • by GoNINzo (32266) <GoNINzo@nOspAm.yahoo.com> on Thursday February 17, 2005 @01:34PM (#11701651) Homepage Journal
    Yeah, I know we're used to this FUD but let's take a bit closer look.

    One is that as someone pointed out earlier [slashdot.org], the 'linux enthusist' has accepted research grants from Microsoft before. That's a little suspect.

    Two is the data they present as 'proof' that windows is more secure, the delay between announcement and patch. "the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup". Besides the point that it doesn't prove one more secure than the other, Microsoft has released patches the same day they announced the exploit because they've kept it supressed.

    Three, if your server is behind a firewall (as all web servers should be!), you need to protect two ports and the software associated with them. Did they limit the study to just those details? Or was this a stock install of these machines directly on the internet?

    And fourth, there was no demonstration, this was simply an announcement by two guys who ran some numbers against an undisclosed exploit database. Which thing was it that ran 71 days or stretched everything that long? How many total exploits was it? If I had 2 exploits on redhat, one at one day and one at 141 days, but 10 exploits on windows varying from 1 day to how many days for the ASN exploit... which is more secure again?

    Stock install, no patches, then yes, I would say the windows server is more 'secure' than the linux server, dispite vulnerabilities in each. But that's like saying that this screen door is more secure than this paper door.

  • by OwnedByTwoCats (124103) on Thursday February 17, 2005 @01:51PM (#11701901)
    I'm not sure that Dr. Ford is a Linux guy. He may claim he's a Linux guy, in an attempt to make his 'conversion' story a more compelling argument for the side he 'converted' to.
  • by n0-0p (325773) on Thursday February 17, 2005 @01:55PM (#11701967)
    It's pretty easy to make Apache chrooted under linux. With Apache2 you still need to allow dynamic libraries though, which often bothers people. Having hardened both Windows and Linux servers on a regular basis, I'd pick Linux every time. It can be locked down much more than Windows. I haven't found anything that compares to a combination of PP buffer protection on binaries, chroot jailed services, iptables, and SELinux policy. I just don't understand why more vendors haven't tried to create default installs that support this level of security.
  • by tacocat (527354) <tallison1 AT twmi DOT rr DOT com> on Thursday February 17, 2005 @02:00PM (#11702054)

    The article states that the configurations where done using the typical, basic options that an adminisrator may do and not any kind of security wizard.

    I would like to know how many companies are out there that would take their pimply faced intern and have him to a default installation for an internet server with databases on it. They may have found a valid point, but their premise is fucking retarded.

    I have always given MSFT the benefit of the doubt that they would have the option to configure a server with the intention of meeting security requirements and similarly doing the same with Linux and then see who's the most secure. While Microsoft has made ground against the *NIXes of the world, I really don't believe that a reasonable attempt at security is any better on Windows than it is on Linux. Considering the damage they've been suffering, I would expect their default installations to be increasinbly severe.

    I would equate this study to testing the security of a 4 foot high brick wall or a 3 foot high set of four horizontal wires. The wall is obviously more secure, until you turn on the high voltage supply to the electric fence...

  • by Assmasher (456699) on Thursday February 17, 2005 @02:06PM (#11702144) Journal
    LOL, tell me about it. Ever wrote a SOAP web service that you wanted to do things besides call other COM objects/CORBA objects? Fo' gedd aboud it... ;)
  • by RedHat Rocky (94208) on Thursday February 17, 2005 @02:10PM (#11702205)
    They not only said generic builds, but HYPOTHETICAL builds. As in they didn't actually setup machines, rather it is all a thought experiment.

    As to whether it was a poor experiment or not, show me the data.
  • Re:Integrity? (Score:3, Interesting)

    by Phisbut (761268) on Thursday February 17, 2005 @02:14PM (#11702268)
    It said the criteria "included" the number of vulnerabilities. It didn't say that was the whole basis of the study; it was just one factor. Hardly a reason to dismiss the study.

    From TFA :
    On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.

    Even if they "included" the number of vulnerabilities and did not base their report on that, they drew their conclusions from the number of "days of risk"... ain't much better if you ask me... it's what? 71 days of risk of seeing a misconfigured page defaced for Red Hat versus 30 days of risk of having all your credit card information stolen on Windows?

  • by Monkelectric (546685) <slashdot@monkele c t r i c . com> on Thursday February 17, 2005 @02:27PM (#11702452)
    Open Source has gone as far as it can as a novelty act,

    As far as it can go as a novelty act? Apache runs 50% of the internet, Firefox alone has has 25 million downloads, Bind runs a large portion of the DNS infrastructure. YOU are the novelty act with your shiny graphics that consume 50% of your CPU, worthless office applications that "enable business" by locking up constantly, and not being able to boot XP without a 150mb footprint.

    We were here before you and we'll be here after you're gone.

  • by LuSiDe (755770) on Thursday February 17, 2005 @02:30PM (#11702496)
    This is probably FUD but we need solid arguments to debunk it. Slashdot, Groklaw et al can contribute to this but saying its 'crap' right away because of the conclusion which you may dislike is not entering the discussion from a pragmatic or rational point of view (quite the contrary).

    I'm gonna give it a try and quote here what I read in the VNUnet article (which is the most informative one IMO since it contains a few details, in contrast to the other one) and try to express some reasoning. Until the real analysis is out we cannot be sure about anything though.

    analysed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat Linux.

    Classic strategy: minimize your enemy by defining it tightly as a dogma, then attack that dogma. I've seen this from Sun Microsystems as well. Basically, they ignore e.g. Novell. At least Novell is also a big player in terms of market share.

    That said I remain interested in learning why they chose to compare to Red Hat and Red Hat alone.

    "Vulnerability counts are much higher with Red Hat than with Microsoft," said Dr Ford.

    Definition of 'vulnerability counts' and which vulnerabilities are counted. For example, lets say Red Hat has a patch for OpenLDAP while i run LAMP or LAPP then who cares about the fact that there's an OpenLDAP patch? Not me.

    In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat.

    71 days is long! How they got to these numbers is also very interesting. For example, does this include e.g. the Mozilla bug which was alleged to be known (but not fixed) in 2001? It reminds me about MSIE for which vulnerabilities took long as well and remember 1 patch != 1 vulnerability either.

    "I am a huge Linux fan, and I have a Linux server in my basement. The first time I saw the statistics I thought someone had mucked about with my database."

    "There are some people who are sceptical [of the results]," said Dr Thompson. "We would encourage them to replicate this type of study. If you see flaws please tell us."

    Statements like these may just as well be from astroturfers. Its also a classic strategy: basically, you play as if you're convinced by the study you conducted yourself while you expected a different result. In all honesty, why would you believe the judgement about the conclusion ("FUD!") from someone who hasn't read the study over the one from the person who's got convinced by his own study? This is why there's not much we can currently do except arguing over the existing details! This is why we need to stress about where the missing details are. This is why we cannot judge yet.

    One last note:
    "You would be a fool to make platform decisions without thinking about security," said Dr Ford. "When you choose a platform you have to factor in the costs of intrusion. It is not just the costs of a break in; it is the time spent running around making sure no one gets in."

    With that last statement he Dr Ford basically says to take this study with a grain of salt because thats precisely what he hasn't researched!
  • by skogs (628589) on Thursday February 17, 2005 @02:32PM (#11702526) Journal
    I second this. Also, I am sure they tried to crack their own boxen, and tried to crack eachother's boxen. All the linux vulnerabilities are well documented, and I am sure they used each one to see how easy it was. All of microsoft's bugs are not necessarily well documented, if at all, precisely because it is closed source and unviewable.

    While windows can indeed be secure enough for most situations if well administered, the truth is that most is not well administered and even then there is the constant possibility that somebody will take a whack at it and actually find a new code break. Nobody really takes a whack at a linux boxen and finds a new flaw. All the flaws are relatively easy to find on your own.

    Check those stacks everybody.

  • by Slime-dogg (120473) on Thursday February 17, 2005 @02:33PM (#11702533) Journal

    People who don't know what they are doing should definitely not be running a web server. I'm sorry, but it is far easier for someone to pay $4/month for geocities to host their personal web site than it is to configure IIS, run dyndns (or call ISP and set up a static IP address), etc. etc.

    Stupid people running stupid web servers is the reason why we had code red in the first place.

  • by Hardwyred (71704) on Thursday February 17, 2005 @02:35PM (#11702568) Homepage
    You should try chrooting an apache process that runs in User-mode linux. I run all of my servers out of UML now, even samba and my wireless access point. It keeps my server busy, but it always pained me to see it idle anyways.
  • do I care? (Score:3, Interesting)

    by Anonymous Coward on Thursday February 17, 2005 @02:39PM (#11702608)
    I have a Linux server with qmail and publicfile. No other open ports except SSH which is firewalled to a small set of hosts, runs on a different port, works with keys only, and doesn't use PAM. I haven't rebooted or patched anything on it in months. Unless there is a remote root hole the kernel I won't bother with it.

    Maybe Red Hat is less secure than Windows, who cares. They both have greater than zero security holes, which makes them both insecure. All I know is I have a fairly secure server and I know how to set up another one for zero dollars on my lunch break. Plus djb has a $500 reward for security holes in his software, I don't see Microsoft even pretending they have anything like that.

    Folks, don't fool yourself. Both Windows and Linux distros are mostly crappy software full of holes. It doesn't need to be that way, and admins shouldn't need to be "wizards". But that's how it is.

    At least with Linux you 1) don't have to pay and 2) have access to the source code. I don't see how Windows can ever win this argument, except maybe with inexperienced or ignorant admins, or special windows-only software.
  • by khasim (1285) <brandioch.conner@gmail.com> on Thursday February 17, 2005 @02:51PM (#11702802)
    Funny thing that seems to be missing in the discussion so far: I don't see anyone pointing out that this is a "sample of one" study. So any generalization at all about which system (or admin ;-) is more secure is laughable at best.
    This "study" can't even hit that lofty goal.

    From TFA:
    The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.
    It wasn't even comparing one Linux admin vs one Windows admin.

    They had agreed to run in the "most basic configuration" for their systems.
    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
    The "study" was setup to limit the options available to the admins.

    The only information that can be gained from this "study" is the identity of two people who are too stupid to be trusted with any actual security study.

    A real study would be having both of them setup their systems, any way they wanted to, and having every step documented and the reason for it given.

    Then put both servers on the Internet and compare the compromise rates.
  • Re:The Real Truth... (Score:3, Interesting)

    by colmore (56499) on Thursday February 17, 2005 @03:19PM (#11703146) Journal
    "Although, interesting enough, if Darwinism really works, Windows users may ultimately adapt to having to always struggle to keep their boxes secure, and perhaps even end up being better than most Unix gurus at home computer security. Time will tell."

    Sigh... because I feel like being an asshole today:

    Unless you're thinking about a future in which Windows users have a greater chance of surviving and producing offspring, and the genes for being a security-minded windows user are passed off to the next generation, you aren't talking about Darwinism at all. What you're talking about is the school of hard knocks.

    And because I *really* feel like being an asshole:

    Interesting should have been an adverb.
  • by drsmithy (35869) <.moc.liamg. .ta. .yhtimsrd.> on Thursday February 17, 2005 @05:13PM (#11704582)
    OpenBSD runs chroot() Apache. Does IIS have similar capability?

    It doesn't really need to. chroot is a unix-ism to circumvent the inherent insecurity that comes from the necessity under unix to be root to do "useful" things (like bind to low network points). Since the Windows security model is completely different (ie: it's more complicated than unix's "if UID != 0 then apply_security()"), the concept of chroot doesn't really need to exist.

  • Re:More FUD (Score:2, Interesting)

    by Anonymous Coward on Thursday February 17, 2005 @05:19PM (#11704663)
    I think the flaw in this post is that you assume that open source software is more secure because people "COULD" look at the source code. I think its been proven several times that you can't quantify security by its OSSness or lack there of. COULD and SHOULD are two different things.

    Personally, I do feel that apache is more secure than many OSS projects but with apache we have many third party modules being used which are not secure. In general web servers have extensions enabled on them that open the flood gates for more attacks.

    For example, a webserver may have mod_php, mod_perl or any number of third party add-ons. apache httpd may be safe, but how many "problems" have we seen with PHP in the past few years. People don't like to talk about it because PHP is the big OSS competator to ASP/ASP.NET.

    Likewise, an IIS server most likely has ASP or ASP.NET enabled and possibly another language like PHP, PERL, or (insert here). I think its more common for IIS servers to just run microsoft languages though and so microsoft has an opportunity to lock that down further. (if they do or not is another story)

    I'm subscribed to bugtraq and i see an equal number of linux security vulnerabilities to windows. Why? Because with linux, you have a kernel written by one group and a ton of third party software. Each programmer or group may have different knowledge of secure programming. At microsoft, they have the same people making the same mistakes.. and bad as that is its a subset of the total mistakes they could make. You can't just look at kernel holes, but rather all common software that most distros have. Look at gentoo or fedora.. if it were paper we'd have no trees left. Likewise with microsoft's :)

    In case you haven't guessed, I'm not a fan of either system. :)
  • This is news? (Score:2, Interesting)

    by katorga (623930) on Thursday February 17, 2005 @05:40PM (#11704903)
    C'mon. Linux is more securable than Windows. More options, more things to lock down, and more access to the kernel to create hardened installations (ie the NSA kernel).

    Windows is easier to secure than Linux. It takes the length of a reboot to install a high security INF from NSA, NIST, SANS or other security site. Lack of access to internals limit the ability of most users to really tweak its security.

    Both OS's need to be installed, patched and hardened prior to network connection. Both OS's need competent administrators or all bets are off.

    Windows is more susceptable to malware/virus attack, but as Linux installations gain marketshare they will get hit as well. Thats a fact of life.
  • by Glamdrlng (654792) on Thursday February 17, 2005 @06:52PM (#11705745)
    Every time someone does one of these studies they start from the same flawed logic. They calculate exposure time as "time from vulnerability disclosure to patch availability". In Microsoft's world, a vulnerability doesn't exist until they've disclosed it. And guess what? They don't disclose it until there's a patch available. They're also quick to brand any researchers who post vulnerabilities before they get patches as irresponsible.

    So it's a self-fulfilling prophecy: Microsoft products will always have lower exposure time for vulnerabilities because most Linux distro maintainers practice full disclosure.

Remember, UNIX spelled backwards is XINU. -- Mt.

Working...