| |||||
Linux, OpenBSD, Windows Server Comparison: Intrinsic Security ComparisonsA question that's sometimes asked is what about the intrinsic security differences between operating systems. If someone who knows what they are doing and takes full advantage of the features a system is capable of, how do the systems compare in terms of security? We've mentioned that Windows includes a very sophisticated file and directory permission system, that's by default effectively turned off, and rarely used to advantage. Some knowledgeable persons have attempted to make comparative evaluations of the intrinsic capabilities of Windows versus UNIX systems. The conclusions I've seen have been along the lines that though there are differences with each system having limited advantages or disadvantages in different areas, that overall the systems are roughly comparable, and that one cannot say that UNIX is significantly more secure than Windows or vice versa. I think there is a serious flaw in the question. Asking about the intrinsic security differences between Windows and UNIX systems is the same as asking how the systems would compare in some hypothetical world in which all system administrators are thoroughly trained and have ample time to do their jobs, and not the real world that they are used in. First, there can never be a definitive answer that would be widely accepted, but even if there was it would have no practical value. As much of the discussion has already shown, many, perhaps most administrators are not well trained, and Windows administrators are generally less well trained than UNIX administrators. Further, nearly all administrators are routinely under significant time pressures. Windows Is not Meant to be a Secure SystemOne thing that Microsoft has surely accomplished is to build a feature rich and tightly integrated environment. For Microsoft products to be fully functional, the systems on which they run, need to have an array of services (often proprietary) turned on, that provide the infrastructure on which the different products interact. When looking at lists of steps to harden a Windows NT or 2000 system, two items will likely be present: disable file sharing and turn off NetBIOS networking services. From the outside, these are two functions that make a computer look like a Windows computer. Certainly from a user perspective, turning off these will take away the capabilities that make the computer, a useful Windows computer. How else do Windows' users move files around other than by disk shares? Admittedly Windows servers located in a DMZ can and should be configured differently than Windows servers on an internal LAN just a UNIX computers in a DMZ should be set up differently than their counterparts on an internal LAN. Still, it's been my experience when installing various Windows products, that in either the instructions, prerequisite lists, or troubleshooting lists, there will be references to services that must be turned on in order for the product to work. The more products and capabilities installed on any specific Windows computer, the more Windows like the computer will need to look, to perform as intended. To a much lesser degree this is true of UNIX or any other computer; the more functions performed by the computer, the harder it is to secure, but UNIX systems rarely require any significant services not directly related to the needed functions. It is typically easier to turn off functions on a UNIX computer than a Windows computer, and to install specific capabilities on a UNIX computer without needing other, not directly related services, to be enabled. The real choice comes down to a highly functional, more or less typical Windows server that can never be highly secure, versus a highly secure UNIX based server than can only be used for a very limited, deliberately restricted, set of functions. If you choose functionality, you are likely to select Windows. If you choose security, it will be on a hardened UNIX server. If you compromise, theoretically you might pick Windows, but practically this is likely to mean a UNIX server, that is not significantly hardened. If you choose Windows, the question is not "Can the system be made highly secure?" If you do, you likely defeat the very reasons for having selected Windows in the first place. The question should be "Can Windows be made adequately secure for its intended purpose?" The answer is a qualified yes. If the Windows server is placed in a suitable environment where it is protected by firewall(s) and network intrusion detection system(s) and its intrinsic host security features are used well, it's likely to be adequately secure. In such an environment, the primary vulnerabilities are likely to be at the application level. If the application is very complex, when comparable application systems are built on Windows servers and UNIX servers, the Windows version is likely to be only somewhat more vulnerable than the UNIX counter part. 
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.
|
|||||
