Study Finds Windows More Secure Than Linux 796
cfelde writes "A Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers." In addition to the Seattle Times article, there is also coverage on VNUnet. From the article: "The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, 'Security Showdown: Windows vs. Linux.' One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint."
Hope This Study Didn't Cost Much (Score:3, Interesting)
Many of the vulnerabilities were of low risk to us, but it was rare for the system owners to say that even with this low risk it was acceptable to hold off on applying the patches.
Basic is not just stupid, it's asking for it (Score:3, Interesting)
Come on, who runs a Windows box on the web without heavy firewalling, software firewalling (blackice with autoblocking for instance) and regular audits?
The same goes for Linux. Security is not something to be taken lightly. People should NOT be putting machines out in the open. The best practice used to be Firewall critical servers. The best practice has become Firewall, IDS, and monitor the crap out of anything touching the internet.
These tests are always like comparing a Factory Model to a Nascar Stock Car.
The article doesn't actually tell you anything (Score:3, Interesting)
From an admin perspective, I want to know what the vulnerabilities were, and what their definition of "vulnerable" is - especially if they say "Windows had 30 days of vulnerability, versus 71 for Linux".
On that topic, when are we going to get past the label "Linux"? There is no such thing. There's RedHat, SuSe, Gentoo, and Debian (among hundreds of others) and they all handle security differently. I'm sure I could find distros LESS secure than Windows, and I'm sure I could find distros unquestionably MORE secure, as well.
Ah, well, I guess I'll wait for the report. I would have preferred a headline:
"OS Zealots Face Off in an Anecdotal RedHat vs. Windows Web Server Security Showdown - IIS Triumphs"
Simplistic study (Score:2, Interesting)
Also, deciding on a configuration that an "average administrator" would have instead of a "wizard" seems questionable unless they determined those settings by examining dozens (or hundreds) of actual system configurations. Determining something is "too advanced" for an average administrator to use without actually examining real systems seems too arbitrary. Can anyone define the skill level of an average administrator?
You can't determine how secure something is if you aren't going to use its security features. If M$ has all of their security features turned on by default and Linux doesn't, that doesn't mean M$ products are more secure than Linux, it just means that they have a better configuration out of the box. (Not that I believe that, but I use it for the sake of argument.) While it is important to have fail-safe defaults, it is far more important for someone to know what they are doing. Unfortunately, too many companies don't understand that and hire people who don't know what they are doing.
All that really says is... (Score:2, Interesting)
Try this analogy on: if you buy both a Porsche and a Dodge Neon, park them both on a city street and leave them overnight, unattended, which one is most likely to get stolen? Anyone with common sense says the Porsche. But the Porsche has a much better security system than the Neon has. But gosh, nobody wants the Neon either, so it doesn't need the overzealous security. Now that's a bit of a stretch for a Windows vs Linux comparison, but it does denote the reason why a Windows server is going to quickly 'become' insecure, while the less secure Linux platform is probably going to be fine and left alone.
They're only doing... (Score:2, Interesting)
I don't know about other people, but I don't run Apache because I think it's more secure. I run it because it's free, open source, and secure enough for my needs.
Yet another joke study... (Score:3, Interesting)
One is that as someone pointed out earlier [slashdot.org], the 'linux enthusiast' has accepted research grants from Microsoft before. That's a little suspect.
Two is the data they present as 'proof' that windows is more secure, the delay between announcement and patch. "the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup". Besides the point that it doesn't prove one more secure than the other, Microsoft has released patches the same day they announced the exploit because they've kept it suppressed.
Three, if your server is behind a firewall (as all web servers should be!), you need to protect two ports and the software associated with them. Did they limit the study to just those details? Or was this a stock install of these machines directly on the internet?
And fourth, there was no demonstration, this was simply an announcement by two guys who ran some numbers against an undisclosed exploit database. Which thing was it that ran 71 days or stretched everything that long? How many total exploits was it? If I had 2 exploits on redhat, one at one day and one at 141 days, but 10 exploits on windows varying from 1 day to how many days for the ASN exploit... which is more secure again?
Stock install, no patches, then yes, I would say the windows server is more 'secure' than the linux server, despite vulnerabilities in each. But that's like saying that this screen door is more secure than this paper door.
Re:Newsflash... ONE Linux Fan.. (Score:3, Interesting)
Re:A lot more could certainly be done... (Score:5, Interesting)
Most Basic and typical installation (Score:3, Interesting)
The article states that the configurations were done using the typical, basic options that an administrator may do and not any kind of security wizard.
I would like to know how many companies are out there that would take their pimply faced intern and have him do a default installation for an internet server with databases on it. They may have found a valid point, but their premise is fucking retarded.
I have always given MSFT the benefit of the doubt that they would have the option to configure a server with the intention of meeting security requirements and similarly doing the same with Linux and then see who's the most secure. While Microsoft has made ground against the *NIXes of the world, I really don't believe that a reasonable attempt at security is any better on Windows than it is on Linux. Considering the damage they've been suffering, I would expect their default installations to be increasingly severe.
I would equate this study to testing the security of a 4 foot high brick wall or a 3 foot high set of four horizontal wires. The wall is obviously more secure, until you turn on the high voltage supply to the electric fence...
Re:Hardly scientific isn't it? (Score:3, Interesting)
Re:The security of a server... (Score:3, Interesting)
As to whether it was a poor experiment or not, show me the data.
Re:Integrity? (Score:3, Interesting)
From TFA :
On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.
Even if they "included" the number of vulnerabilities and did not base their report on that, they drew their conclusions from the number of "days of risk"... ain't much better if you ask me... it's what? 71 days of risk of seeing a misconfigured page defaced for Red Hat versus 30 days of risk of having all your credit card information stolen on Windows?
Re:It's a defensive posture (Score:3, Interesting)
As far as it can go as a novelty act? Apache runs 50% of the internet, Firefox alone has had 25 million downloads, Bind runs a large portion of the DNS infrastructure. YOU are the novelty act with your shiny graphics that consume 50% of your CPU, worthless office applications that "enable business" by locking up constantly, and not being able to boot XP without a 150mb footprint.
We were here before you and we'll be here after you're gone.
Quoting the relevant bits. (Score:4, Interesting)
I'm gonna give it a try and quote here what I read in the VNUnet article (which is the most informative one IMO since it contains a few details, in contrast to the other one) and try to express some reasoning. Until the real analysis is out we cannot be sure about anything though.
Classic strategy: minimize your enemy by defining it tightly as a dogma, then attack that dogma. I've seen this from Sun Microsystems as well. Basically, they ignore e.g. Novell. At least Novell is also a big player in terms of market share.
That said I remain interested in learning why they chose to compare to Red Hat and Red Hat alone.
Definition of 'vulnerability counts' and which vulnerabilities are counted. For example, let's say Red Hat has a patch for OpenLDAP while I run LAMP or LAPP; then who cares about the fact that there's an OpenLDAP patch? Not me.
71 days is long! How they got to these numbers is also very interesting. For example, does this include e.g. the Mozilla bug which was alleged to be known (but not fixed) in 2001? It reminds me about MSIE for which vulnerabilities took long as well and remember 1 patch != 1 vulnerability either.
Statements like these may just as well be from astroturfers. It's also a classic strategy: basically, you play as if you're convinced by the study you conducted yourself while you expected a different result. In all honesty, why would you believe the judgement about the conclusion ("FUD!") from someone who hasn't read the study over the one from the person who has been convinced by his own study? This is why there's not much we can currently do except arguing over the existing details! This is why we need to stress where the missing details are. This is why we cannot judge yet.
One last note:
With that last statement Dr Ford basically says to take this study with a grain of salt because that's precisely what he hasn't researched!
Re:Not only that, but I find this quote odd.. (Score:3, Interesting)
While windows can indeed be secure enough for most situations if well administered, the truth is that most is not well administered and even then there is the constant possibility that somebody will take a whack at it and actually find a new code break. Nobody really takes a whack at a linux boxen and finds a new flaw. All the flaws are relatively easy to find on your own.
Check those stacks everybody.
Re:They do mention they are not "wizards" (Score:3, Interesting)
People who don't know what they are doing should definitely not be running a web server. I'm sorry, but it is far easier for someone to pay $4/month for geocities to host their personal web site than it is to configure IIS, run dyndns (or call ISP and set up a static IP address), etc. etc.
Stupid people running stupid web servers is the reason why we had code red in the first place.
Re:A lot more could certainly be done... (Score:3, Interesting)
do I care? (Score:3, Interesting)
Maybe Red Hat is less secure than Windows, who cares. They both have greater than zero security holes, which makes them both insecure. All I know is I have a fairly secure server and I know how to set up another one for zero dollars on my lunch break. Plus djb has a $500 reward for security holes in his software, I don't see Microsoft even pretending they have anything like that.
Folks, don't fool yourself. Both Windows and Linux distros are mostly crappy software full of holes. It doesn't need to be that way, and admins shouldn't need to be "wizards". But that's how it is.
At least with Linux you 1) don't have to pay and 2) have access to the source code. I don't see how Windows can ever win this argument, except maybe with inexperienced or ignorant admins, or special windows-only software.
It doesn't even come up to that level. (Score:3, Interesting)
From TFA: It wasn't even comparing one Linux admin vs one Windows admin.
They had agreed to run in the "most basic configuration" for their systems. The "study" was set up to limit the options available to the admins.
The only information that can be gained from this "study" is the identity of two people who are too stupid to be trusted with any actual security study.
A real study would be having both of them set up their systems, any way they wanted to, and having every step documented and the reason for it given.
Then put both servers on the Internet and compare the compromise rates.
Re:The Real Truth... (Score:3, Interesting)
Sigh... because I feel like being an asshole today:
Unless you're thinking about a future in which Windows users have a greater chance of surviving and producing offspring, and the genes for being a security-minded windows user are passed off to the next generation, you aren't talking about Darwinism at all. What you're talking about is the school of hard knocks.
And because I *really* feel like being an asshole:
Interesting should have been an adverb.
Re:A lot more could certainly be done... (Score:3, Interesting)
It doesn't really need to. chroot is a unix-ism to circumvent the inherent insecurity that comes from the necessity under unix to be root to do "useful" things (like bind to low network points). Since the Windows security model is completely different (ie: it's more complicated than unix's "if UID != 0 then apply_security()"), the concept of chroot doesn't really need to exist.
Re:More FUD (Score:2, Interesting)
Personally, I do feel that apache is more secure than many OSS projects but with apache we have many third party modules being used which are not secure. In general web servers have extensions enabled on them that open the flood gates for more attacks.
For example, a webserver may have mod_php, mod_perl or any number of third party add-ons. apache httpd may be safe, but how many "problems" have we seen with PHP in the past few years. People don't like to talk about it because PHP is the big OSS competitor to ASP/ASP.NET.
Likewise, an IIS server most likely has ASP or ASP.NET enabled and possibly another language like PHP, PERL, or (insert here). I think it's more common for IIS servers to just run microsoft languages though and so microsoft has an opportunity to lock that down further. (if they do or not is another story)
I'm subscribed to bugtraq and I see an equal number of linux security vulnerabilities to windows. Why? Because with linux, you have a kernel written by one group and a ton of third party software. Each programmer or group may have different knowledge of secure programming. At microsoft, they have the same people making the same mistakes.. and bad as that is it's a subset of the total mistakes they could make. You can't just look at kernel holes, but rather all common software that most distros have. Look at gentoo or fedora.. if it were paper we'd have no trees left. Likewise with microsoft's
In case you haven't guessed, I'm not a fan of either system.
This is news? (Score:2, Interesting)
Windows is easier to secure than Linux. It takes the length of a reboot to install a high security INF from NSA, NIST, SANS or other security site. Lack of access to internals limit the ability of most users to really tweak its security.
Both OS's need to be installed, patched and hardened prior to network connection. Both OS's need competent administrators or all bets are off.
Windows is more susceptible to malware/virus attack, but as Linux installations gain marketshare they will get hit as well. That's a fact of life.
Doublethink in action (Score:3, Interesting)
So it's a self-fulfilling prophecy: Microsoft products will always have lower exposure time for vulnerabilities because most Linux distro maintainers practice full disclosure.
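The two objections above to the "days of risk" figure (the "Yet another joke study" post's hypothetical of two Red Hat issues versus ten Windows ones, and the point that the clock starts at public disclosure) can be made concrete. This is an added illustration, not the study's data or anything from the articles; the day counts, the 45-day private lead and the anchor date are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class Advisory:
    """One vulnerability with the dates a 'days of risk' metric might use."""
    name: str
    reported: date    # when the vendor first learned of it (often private)
    disclosed: date   # when it became public
    patched: date

    def days_of_risk(self, from_report: bool = False) -> int:
        start = self.reported if from_report else self.disclosed
        return (self.patched - start).days


def summarize(advisories, from_report=False):
    days = [a.days_of_risk(from_report) for a in advisories]
    return {"count": len(days), "mean": mean(days), "median": median(days),
            "max": max(days), "total": sum(days)}


def ranked(metric, from_report=False, **sets):
    """Set names ordered best (lowest) to worst under one metric."""
    return sorted(sets, key=lambda k: summarize(sets[k], from_report)[metric])


START = date(2005, 1, 1)  # constructed anchor date, purely illustrative


def constructed_set(label, public_days, private_lead=0):
    """Advisories from day counts (constructed). private_lead is how many days
    the vendor knew about each issue before it was publicly disclosed."""
    return [Advisory(f"{label}-{i}", START - timedelta(days=private_lead),
                     START, START + timedelta(days=d))
            for i, d in enumerate(public_days, 1)]


# The post's hypothetical: two Red Hat issues (1 and 141 days) against ten
# Windows issues, one long-lived. The Windows counts are made up so they
# average 30; the 45-day private lead models a vendor that patches
# quietly, so the public clock starts late.
RED_HAT = constructed_set("rh", [1, 141])
WINDOWS = constructed_set("win", [1, 2, 3, 5, 7, 10, 14, 21, 40, 197],
                          private_lead=45)

if __name__ == "__main__":
    for metric in ("mean", "median", "max", "total", "count"):
        print(metric, ranked(metric, red_hat=RED_HAT, windows=WINDOWS))
    print("mean from report date:",
          ranked("mean", from_report=True, red_hat=RED_HAT, windows=WINDOWS))
```

With these numbers Windows "wins" on the mean (30 vs 71) and loses on every other summary, and loses on the mean too once the window is measured from the vendor's first knowledge rather than public disclosure.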