dougturn's WebLog : So, is Windows Server 2003 more secure than Red Hat Linux?

So, is Windows Server 2003 more secure than Red Hat Linux?

According to this Linux guy, it is...

Interesting read.

Published Saturday, February 19, 2005 8:42 AM by dougturn

Comments

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

Depends on the user

Saturday, February 19, 2005 9:52 AM by z

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

I wouldn't call him a "Linux guy".

A more proper title might be "Microsoft grant recipient" from Florida Institute of Technology.

http://www.microsoft.com/presspass/press/1997/Apr97/GRANT.asp

Saturday, February 19, 2005 10:09 AM by Eric

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

Who cares, I only worry about MINE.

Saturday, February 19, 2005 11:07 AM by .

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

Any blanket statement such as "operating system X is more secure than operating system Y" is fundamentally fallacious. It depends on the OS role and on the administration personnel.

Saturday, February 19, 2005 11:56 AM by Mihai Limbasan

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

W2K3 is also cheaper - do you know the hourly rate of IBM & other consultants in the Linux field? (~$100/hr for enterprise customers). It's the dirty secret of the Linux industry.

Linux & other OpenSource "freebies" are the best bait since mankind put bread morsels as bait for fishing.

Saturday, February 19, 2005 12:07 PM by SBC

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

$100 per hour?

Tell me again why are we working for Microsoft?

Saturday, February 19, 2005 12:14 PM by Eric

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

That's the billing rate. Also take a look into H-P, Accenture and other high-flying IT consulting shops in the Enterprise Linix industry.

It's market economics (supply-demand & all that). It has nothing to do with working @ Microsoft or even IBM, H-P, etc..

Saturday, February 19, 2005 12:24 PM by SBC

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

http://librenix.com/?inode=2654

Saturday, February 19, 2005 12:45 PM by SBC

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

As I pointed out on another MSFT blogger's post, the vulnerability list includes all packages present in the default OS install. Since RHEL ships with Apache, postgresql, etc., there are a lot of holes that have nothing to do with the OS...for a fair comparison, you'd have to add IIS and SQL Server vulnerabilities.

Saturday, February 19, 2005 2:45 PM by Anonymous Coward

# Interesting replies, so far, thanks guys.

As far as the comment about the grant, it was 8 years ago, and the guy has obviously moved into the Linux space AFTER the grant. Surely you don't believe he moved over into the Linux space as some covert opp? You know better than that. Even the conspiracy wonks would laugh that one off.

The comments about being a blanket statement/it depends on the user... No argument here. Good point.

As far as billing rates, I don't have the data either way. Nice blog, though :-)

As far as the *default OS install*, MS has 4 different default installs of W2K3. Two of them install IIS, the other two don't. So it depends on the MS install you compare against. Like most *studies*, you (not you specifically, just in general) can bend them appropriately to prove whatever point drives your agenda. I don't believe there are any open security issues with either IIS or SQL Server at present (feel free to correct me if I've missed anything recent, but I believe MS is current on both products).

My whole point in posting the link was that it interested me to hear a Linux fan admitting something that unbiased research clearly indicates these days... This perception that MS has much worse security problems than other platform vendors, it's just way off base. It's fueled by emotion, and propped up by stale data.

Saturday, February 19, 2005 4:22 PM by Doug Turnure

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

"propped up by stale data"

Hold your horses.
Remember the report isn't out yet.

You are being equally guilty of using "vaporous data".

Saturday, February 19, 2005 6:14 PM by Eric

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

Well, first of all we are talking about a report nobody read it yet.
Of course can be fun to acknowledge or deny something you did not know yet, but how productive is that?

From my own experience, I do not trust to keep any of my important information on a Windows machine.
All the penetration I encountered with Linux was mainly generared by admins not paying enough attention to the system for long periods of time.
When they do, the Linux is rock solid. And this is mainly because each administrator do have the power to customize the system exactly as he please to meet his requirements.

Just one example I experimented with a couple of years ago for a former employer:
A modified version of bash who refuse to start from command line a suid program unless the user who require that it is into a hardcoded list.
To fool the hacker more, there was a segmentation fault message printed out in case of denial, simulating that the program was launched but crashed by it own fault. More than that, the potential hostile action was logged into a hidden log encodded, includding many information about the attempt(IP address of intrudder, process Id he gain control to , time etc...).

Of course, this it is not a protection to make a stand against a very skilled hacker for a long time.
Security by obscurity it is not security, any toddler know that.
However, most of the script kiddies are going to stick on the tape, like all the pottential worms.

Flexibility and oppeness means security. This is the reason I personally claim that Linux, BSD and possible open Solaris it is the way to go.

Saturday, February 19, 2005 8:43 PM by DragonSt0rm

# OK, so the report isn't out yet

But you do realize the guy that did the report IS the guy stating the results, right? He's read it.

And that the guy is a known Linux advocate...

This statement "I do not trust to keep any of my important information on a Windows machine.
All the penetration I encountered with Linux was mainly generared by admins not paying enough attention to the system for long periods of time."

is very telling to me. You see, Windows Server 2003 has no known unpatched holes at present. I don't argue that BOTH (note BOTH) systems are adequate security-wise if admins pay attention to them.

How can you give the obligatory *don't trust Windows* speech on one hand, and turn around and acknowledge that admins have to keep an eye on their Linux boxes? It's inconsistent.

All I am saying, and the nut of this thread, is this: the belief that W2K3 is not secure is bogus.

Sunday, February 20, 2005 9:33 AM by Doug Turnure

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

Hi Dough,

What I did claim, is that a good admin can do WAY more on a Linux system than on a Windows one.
- Can you edit the sourcecode of cmd.exe to
disallow some stuff? I can doit in bash.
- Can you modify the code on IIS to add extra security checkings? I can do it on Apache.
- Even I can modify the kernel on a Linux box to deny some basic rights if I know that for my particular application I do not need them.
You can not do it on a Windows machine.
etc...

Also, while I can not recommend to anyone to keep his server unpatched, you may want to read this link.
"""Honeypot Project: Unpatched Linux Systems Last Longer than Windows """ at:
http://www.eweek.com/article2/0,1759,1752343,00.asp

Sunday, February 20, 2005 10:07 AM by DragonSt0rm

# I agree with all of these claims

If you want to edit the stuff, you can do so. No arguments there. You're right on all accounts

I just don't believe it's always a good idea to let folks edit their OS components and addons. Perhaps a philosophical difference, but I'm of the opinion that encapsulated components allow a system to last longer.

As far as the linked article, I'd argue (as you also said) that it's foolish to put either OS on the web unpatched. No doubt Windows systems are attacked more often, which might (or might not) influence the numbers.

Sunday, February 20, 2005 1:54 PM by Doug Turnure

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

Hi Doug (sorry for first typo)

> No doubt Windows systems are attacked more
> often, which might (or might not) influence
> the numbers.

Of course does have a influence. This is the reason I am against one operating system fits all. My 1/3 rule state that: any organization who want to survive under attack must not have more that 1/3 systems running the same platform.

Let's assume that Windows have 90% of market share and Linux 10. If a worm once infected a computer will try to search for another 100 IP to infect, here are the numbers of infected computers function of step#:
# Windows Linux
1 1 1
2 90 10
3 8100 100
4 729000 1000
5 65610000 10000
6 5904900000 100000
7 531441000000 1000000
8 47829690000000 10000000
9 4304672100000000 100000000

In 9 steps all the Windows into our galaxy are to be down since in step 6 the number of infected computers is bigger than Earth population :-)

Homogenous networks are a disaster from security point of view. So, it is a duty for any CIO into any company to take care to have a heterogenous network.

Sunday, February 20, 2005 3:01 PM by DragonSt0rm

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

“-Can you edit the sourcecode of cmd.exe to
disallow some stuff? I can doit in bash. “

>>>It took me 15 minutes to write an application called NewCMD.exe that looks and acts like the regular cmd.exe except it does whatever I code it to. I will post it so you can use it and change it how you would like.

”- Can you modify the code on IIS to add extra security checkings? I can do it on Apache. “

>>>Try using ISAPI filters or HTTP Handlers if you want to add an extra layer of security to all requests that run to IIS.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/6d670f0d-4b72-454b-bf01-6a24bdd794c3.asp

http://support.microsoft.com/kb/307985/EN-US/

”- Even I can modify the kernel on a Linux box to deny some basic rights if I know that for my particular application I do not need them.
You can not do it on a Windows machine.”

>>> It sounds like you want something more like Windows XP Embedded. http://msdn.microsoft.com/embedded/default.aspx. The good part is depending on what you want to limit, you might just be able to change a registry setting or write a small amount of code to prevent something. (i.e. you could catch the event for the action they are performing)

Monday, February 21, 2005 2:03 PM by Brendon Schwartz

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

Hi Brendon,

> It sounds like you want something more like > Windows XP Embedded.

No. Why do I have to go to the strugle to create myself a server operating system from a embedded one? When what I realy need it is a server operating system with the ability to change some stuff ?

The open source give us the ability to do whatever we want to from whatever we consider to be the appropiate starting point.

Without artificial inducted rules who do not have nothing in common with:
- technology
- security
- performance
- TCO
but only with a company wish to control what and how much a custommer and/or partner can do.

Tuesday, February 22, 2005 8:23 AM by DragonSt0rm

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

I do understand your point about wanting to have the ability to change the code, if you use the .NET platform you will find that the windows community is becoming more open with class libraries and sample applications. Check out http://www.gotdotnet.com/ then look at the workspaces.

Thursday, February 24, 2005 11:21 AM by Brendon Schwartz

# good

Very nice blog.

Thursday, September 01, 2005 12:36 PM by Misho

# dougturn s WebLog So is Windows Server 2003 more secure than Red Hat | Wood TV Stand

PingBack from http://woodtvstand.info/story.php?id=6676

Monday, June 01, 2009 1:46 PM by dougturn s WebLog So is Windows Server 2003 more secure than Red Hat | Wood TV Stand

# dougturn s WebLog So is Windows Server 2003 more secure than Red Hat | Hair Growth Products

PingBack from http://hairgrowthproducts.info/story.php?id=4916

Saturday, June 13, 2009 8:48 AM by dougturn s WebLog So is Windows Server 2003 more secure than Red Hat | Hair Growth Products

New Comments to this post are disabled

dougturn's WebLog

This Blog

Syndication

Search

Tags

Archives

Blogs I read

Events

So, is Windows Server 2003 more secure than Red Hat Linux?

Comments

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# Interesting replies, so far, thanks guys.

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# OK, so the report isn't out yet

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# I agree with all of these claims

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# re: So, is Windows Server 2003 more secure than Red Hat Linux?

# good

# dougturn s WebLog So is Windows Server 2003 more secure than Red Hat | Wood TV Stand

# dougturn s WebLog So is Windows Server 2003 more secure than Red Hat | Hair Growth Products