Various access control mechanisms have been built on top of LSM; for example, building compartments that keep applications separate from each other and from the base operating system, which limits the impact of a security problem with an application. Linux base security is further enhanced by solutions, such as Tripwire, that enable System Integrity Check functionality to periodically verify the integrity of key system files and warn those responsible for system security when a file's contents or properties have been changed.
A limitation of Windows base security is MSCAPI, which trusts multiple keys for code signing. Microsoft's model focuses on providing one build of a product that can enable weak or strong encryption simultaneously. Although modules are not all signed by one key, since MSCAPI trusts a large number of root certifying authorities, and trusts multiple keys for code signing, it only takes one key to be compromised to make the entire system vulnerable to attack.
This can happen either by having an authorized code signer accidentally disclose their private key, or by having a certifying authority issue a certificate in error. This has already happened once, when Verisign mistakenly signed two certificates in Microsoft's name and released control of these certificates to unauthorized individuals.
Network security and protocols
Linux and Windows support for network security and protocols is comparable. Both enable support for IPSec, an open standard for cryptography-based protection at the IP layer. IPSec verifies the identity of a host or end point, ascertains that no modifications were made to the data during transit across the network, and encrypts data. OpenSSH, OpenSSL, and OpenLDAP are available on Linux and corresponding closed source implementations -- SSH, SSL, LDAP -- are available on Microsoft systems.
Linux is somewhat superior due to continuing security issues with Microsoft IIS and Exchange/Outlook. Apache and Postfix are cross-platform applications and tend to be more secure than corresponding Microsoft products. Application security for Linux is also enhanced with firewalling built into the kernel. And Snort is an excellent intrusion detection system.
One notable recent addition to the Linux kernel for x86-based systems is Ingo Molnar's exec-shield, which provides protection against attacks from buffer or function pointer overflows and against other types of exploits that rely on overwriting data structures and/or putting code into those structures. The exec-shield patch also makes it more difficult to conduct a shell-code exploit. Since exec-shield operates transparently, applications do not need to be recompiled.
Microsoft is taking strides to redesign the security of its products and provides patches for its installed base. Still, security issues in legacy Windows products persist and complicate this task. This leaves many Microsoft users exposed to security threats since patches must be well documented prior to deployment.
Also, Microsoft's tendency to mix data and program code in its applications, e.g., ActiveX, can let in untrusted data from outside the system and can cause arbitrary code to be activated with that untrusted data. In some cases, Windows will even allow digitally signed code to be supplied from outside the system, which means a local systems administrator can't audit the code. Instead, the system administrator is dependent on whoever signed the code to perform an appropriate code review.
Application security is improved for Microsoft-only applications on the .NET Framework. Of course, for IT shops with heterogeneous platforms, e.g., Linux, Windows, Unix, and especially for applications built on Java, application security for Microsoft-only products is limiting.
Recommendations
Linux provides superior-to-comparable security capabilities in comparison to Windows. Still, the security of a Linux system is largely dependent on the choice of a Linux distribution and the kernel it is based on, and on the skill of the IT staff to implement and support a Linux system.
In selecting an operating system, consider architectural design and the quality and feature/functionality of its components.
Since your success in implementing and maintaining a secure operating system rests with your IT shops, make sure that they have the training and expertise to deploy, manage, and troubleshoot.
Keep in mind the differences and distinctions between operating systems will remain relevant for the foreseeable future even with the potential of Web services and the use of abstraction layers to simplify application resource allocation and manageability.
For CIOs and CTOs, security will continue to be a key area of focus due to business continuity and regulatory mandates.
We recommend that users start with an analysis of their operating system security by becoming familiar with key security capabilities that are required to meet the organization's need for functionality, which will reduce risk and ensure compliance.
If you are considering migration to a different operating system or upgrading your current product, select an operating system environment based on a qualitative analysis of security capabilities -- not point products. Formulate discipline on the part of the IT manager and system administrators who need to understand how to apply security best practices.
If you are seeking a quantitative analysis of security vulnerabilities in Windows, Linux or other operating systems, start with a quantification of remote exploits vs. writes application attacks.
This can be done by looking at the security errata for a Linux distribution such as Red Hat or SUSE. A list of operating system vulnerabilities with explanations can be found at www.securityfocus.com. Keep in mind that the severity of the attack, and not just the number of attacks, is also a key metric.
However, when business needs are combined with an understanding of operating system security capabilities, functional requirements can be fulfilled, risk reduced and compliance ensured.