
Thread: Study finds Windows more secure than Linux

  1. #1
    Senior Member
    Join Date
    Feb 2004
    Posts
    373

    Study finds Windows more secure than Linux

    Believe it or not, a Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers.
    The researchers said security management is a key factor in the cost of running any system. "We need a real factual comparison here," said Herbert Thompson, the other researcher.
    Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued.

    On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.
    But they concluded with statistics showing that the Windows setup had a clear advantage over the Linux alternative.
    The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.

    Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
    http://seattletimes.nwsource.com/htm...ecurity17.html

    So, for all you "wizard" system administrators out there, is this article even worth discussing?

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Who funded the research lol.
    lol

    Apache Web server and Windows IIS server are both unsecure if the person managing them knows nothing about the server. On the other hand Apache and Windows IIS are very secure servers if the person managing it knows the ins and outs of the server.

  3. #3
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    A new study done recently in Michigan found that stupidity spreads faster than the packets on the internet.

  4. #4
    Senior Member
    Join Date
    Feb 2004
    Posts
    373
    Good point gore, it just seems like there are a lot of studies coming from different angles all of a sudden.
    As has been mentioned over and over, it basically comes down to the admin. of said system(s) to maintain it properly.

  5. #5
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    who wasted their money on this stupid study? what value does it really add to the industry? what good is it, besides inflating the self-opinions of two narrow minded pencil necks?

    <killfile>

    Next.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Hrmm... so has anyone used IIS 6 yet and/or seen any vulnerabilities for IIS 6 yet? I suspect that the comparison is done between Apache 2 and IIS 6. While there is some truth to it, it's too new to say yet how secure it is. I understand, however, that IIS 6 is a major variation from IIS 4/5.

    Something to consider before outright "sloughing" it off. Additionally, a look at this one might be of interest:

    Source: Linux Insider

    A Linux enthusiast at the RSA Conference in San Francisco has reluctantly concluded that Microsoft (Nasdaq: MSFT) produces more secure code than its open source rivals.

    In an academic study due to be released next month, Dr. Richard Ford, from the Florida Institute of Technology, and Dr. Herbert Thompson, from application security firm Security Innovation, analyzed vulnerabilities and patching and were forced to conclude that Windows Server 2003 is more secure than Red Hat (Nasdaq: RHAT) Linux.

    Stats Don't Lie

    "Vulnerability counts are much higher with Red Hat than with Microsoft," said Dr. Ford. "I am a huge Linux fan, and I have a Linux server in my basement. The first time I saw the statistics I thought someone had mucked about with my database."

    The pair examined the number of vulnerabilities reported in both systems and the actual and average time it took to issue patches. In all three cases Windows Server 2003 came out ahead, with an average of 30 "days of risk" between a vulnerability being identified and patched compared to 71 from Red Hat.

    But the academics acknowledged that some intangibles, including the relative attractiveness of Windows as a target for hackers, could skew the results. Nevertheless, many attacks these days are aimed at Linux servers rather than Windows systems.

    Important Factors

    "There are some people who are skeptical [of the results]," said Dr. Thompson. "We would encourage them to replicate this type of study. If you see flaws please tell us."

    The pair said that they lacked the funding to test other operating systems, such as the Apple (Nasdaq: AAPL) OS X kernel, although they thought it was "amazingly" stable.

    The long term aim is to set up a Web site so that system administrators could assess security vulnerabilities before investing in computer platforms.

    "You would be a fool to make platform decisions without thinking about security," said Dr. Ford. "When you choose a platform you have to factor in the costs of intrusion. It is not just the costs of a break in; it is the time spent running around making sure no one gets in."
    That all said, stats may not lie but interpretation can be erroneous.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #7
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Alright, I'll cave. From everything I've seen and done, IIS 6 is a much better product than any previous iterations.

    But with the inherent risk and potential problems with Web Servers, deploying one in a hostile environment without having an experienced admin (or capable admin with proper security documentation) is like playing Russian Roulette with an automatic pistol. It's not a matter of if you get cracked, but when.

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    But with the inherent risk and potential problems with Web Servers, deploying one in a hostile environment without having an experienced admin (or capable admin with proper security documentation) is like playing Russian Roulette with an automatic pistol. It's not a matter of if you get cracked, but when.
    But that's true regardless of which web server it is.

  9. #9
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    My point exactly.
    who wasted their money on this stupid study? what value does it really add to the industry? what good is it, besides inflating the self-opinions of two narrow minded pencil necks?
    Sorry, on reflection I realize I wasn't clear on that. This appears to be nothing more than a 'my OS is better than your OS' with a thin veneer of 'official study' applied.

    Yes, neither one is acceptable, regardless of platform, without proper hardening.

  10. #10
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,066
    These kinds of tests have already been done numerous times, with Windows usually coming out on top (maybe Microsoft is paying them??), but it doesn't matter if Windows is said to be more secure if you leave ports 137, 138 or 139 open now does it? Same thing goes to all OS's out there...

    God I'm sick of these Windows vs Linux discussions
    I am the uber duck!!1
    Proxy Tools
