Security is a perennial concern for IT administrators. Managers need a framework for evaluating operating system security that covers base security, network security and protocols, application security, deployment and operations, assurance, trusted computing, and open standards. Measured against that framework, Linux provides superior or comparable security capabilities to Windows in every category except assurance. The challenge in evaluating Windows and Linux on any criterion is that there is no single version of either operating system.

It is important to keep in mind the philosophical differences in the design of Linux and Windows. Windows is designed to support applications by moving more functionality into the operating system and by integrating applications more deeply into the Windows kernel. Linux, by contrast, maintains a clear separation between kernel space and user space. This matters because how far either operating system can be made more secure depends on its architectural design. For users, the evolution of Linux and Windows has all the trappings of a muscle car drag race: users may have a favorite but continue to assess the competition. Microsoft has shown a great willingness — no doubt spurred on by industry cynicism and the growing adoption of Linux — to dedicate massive resources to Windows security.

Windows and Linux both provide authentication, access control, audit trail/logging, Controlled Access Protection Profile, and cryptography. Linux is superior in base security because it additionally offers Linux Security Modules (LSM), SELinux, and winbind. The user of a Linux system can add further security mechanisms to a distribution without having to patch the kernel.
Various access control mechanisms have been built on top of LSM; for example, compartments that keep applications separate from each other and from the base operating system, which limits the impact of a security problem in any one application. Linux base security is further enhanced by applications such as Tripwire, which provide system integrity checking: they periodically verify the integrity of key system files and warn those responsible for system security when a file's contents or properties have changed. A limitation of Windows base security is MSCAPI, which trusts multiple keys for code signing. Microsoft's model focuses on shipping one build of a product that can enable both weak and strong encryption. Because MSCAPI trusts a large number of root certificate authorities as well as multiple code-signing keys, the compromise of a single key is enough to make the entire system vulnerable to attack, even though not all modules are signed by the same key. This can happen either when an authorized code signer accidentally discloses a private key, or when a certificate authority issues a certificate in error. The latter has already happened once, when VeriSign mistakenly issued two certificates in Microsoft's name and released control of them to unauthorized individuals.
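A minimal Tripwire-style integrity check of the kind described above, written here as an added illustration and not taken from Tripwire or from the original article. It records a content hash plus ownership, permission and size for each monitored file, then reports which property changed; the file names and the tampering in `demo()` are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """Snapshot of one file: content hash plus the metadata that tampering usually alters."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(paths):
    """Record every listed file; in practice keep the result off the monitored host."""
    return {path: file_record(path) for path in paths}


def verify(baseline):
    """Return {path: [changed property, ...]} for each file that no longer matches."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        current = file_record(path)
        changed = [key for key in expected if current[key] != expected[key]]
        if changed:
            findings[path] = changed
    return findings


def demo():
    """Constructed scenario: three files, then an edit, a permission change and a deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = [os.path.join(tmp, name) for name in ("passwd", "sshd_config", "ls")]
        for path in paths:
            with open(path, "w") as fh:
                fh.write("original contents of " + os.path.basename(path) + "\n")
            os.chmod(path, 0o644)
        baseline = build_baseline(paths)
        with open(paths[0], "a") as fh:   # appended line: hash and size change
            fh.write("unexpected new line\n")
        os.chmod(paths[1], 0o666)         # loosened permissions: only the mode changes
        os.remove(paths[2])               # deleted file: reported as missing
        return {os.path.basename(p): c for p, c in verify(baseline).items()}
```

Real deployments store the baseline and the checker itself on read-only or offline media, since an attacker who can rewrite the baseline can hide any change.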
Linux's and Windows' support for network security and protocols is comparable. Both include support for IPSec, an open standard for cryptography-based protection at the IP layer. IPSec verifies the identity of a host or endpoint, ensures that no modifications were made to the data in transit across the network, and encrypts the data. OpenSSH, OpenSSL, and OpenLDAP are available on Linux, and corresponding closed source implementations — SSH, SSL, LDAP — are available on Microsoft systems.
In application security, Linux is somewhat superior because of continuing security issues with Microsoft IIS and Exchange/Outlook. Apache and Postfix are cross-platform applications and tend to be more secure than the corresponding Microsoft products. Application security on Linux is also enhanced by firewalling built into the kernel, and Snort is an excellent intrusion detection system. One notable recent addition to the Linux kernel for x86-based systems is Ingo Molnar's exec-shield, which provides protection against buffer and function pointer overflows and against other exploits that rely on overwriting data structures or placing code in them. The exec-shield patch also makes it more difficult to carry out a shellcode exploit. Since exec-shield operates transparently, applications do not need to be recompiled. Microsoft is taking strides to redesign the security of its products and provides patches for its installed base. Still, security issues in legacy Windows products persist and complicate this task. This leaves many Microsoft users exposed to security threats, since patches must be well documented prior to deployment. Also, Microsoft's tendency to mix data and program code in its applications, e.g., ActiveX, can allow untrusted data from outside the system to trigger the execution of arbitrary code. In some cases, Windows even allows digitally signed code to be supplied from outside the system, which means a local systems administrator cannot audit the code and instead depends on whoever signed it to have performed an appropriate code review.
Application security is improved for Microsoft-only applications on the .NET Framework. Of course, for IT shops with heterogeneous platforms, e.g., Linux, Windows, and UNIX, and especially for applications built on Java, application security that covers only Microsoft products is limiting.
In deployment and operations, Linux has a slight edge over Microsoft, since most administration is done through a command-line interface. A variety of installation and configuration tools, e.g. up2date, YaST2, and Webmin, are available from Linux distribution providers. Bastille Linux is a hardening tool that supports the Red Hat, Debian, Mandrake, SUSE, and Turbolinux distributions. In contrast, most Microsoft system administrators use a GUI that is easy to use but also makes configuration mistakes easy. Even if it is possible to train anyone to be a Windows system administrator in one week, as some people believe, the question is how much they will understand about administration. The majority of Microsoft security problems are due to poor configuration during deployment and operations. Installation and configuration tools come with Windows, and Microsoft provides guidance on hardening domain controllers, infrastructure servers, file servers, print servers, IIS servers, IAS servers, certificate services, and bastion hosts. However, there is a distinction between hardening infrastructure and hardening the operating system.
The metric that defines operating system assurance is the Common Criteria (CC), an ISO standard (ISO 15408). It defines a hierarchy of evaluation assurance levels, EAL1 through EAL7. A Common Criteria evaluation is valid only for a specific configuration of hardware and software. Windows has received a higher EAL than Linux: it has achieved EAL4, while Linux recently achieved EAL3. SUSE is planning to achieve EAL4 by year-end. It is primarily government organizations that require CC assurance. Even though assurance requirements originated mainly with government accounts, and in particular the U.S. Department of Defense, they are applicable in a commercial setting as well. However, most customers do not need to meet the same level of assurance as the Department of Defense.
Trusted Computing is an architecture that prevents tampering with applications and enables secure communication with a vendor. A number of vendors, like Intel, Microsoft, and IBM, are embracing the potential of this emerging technology. At present, this capability is more vision than reality and neither Linux nor Windows is superior at this time. Microsoft’s vision of Trusted Computing is related to digital rights management. The open source community currently sees little value in Trusted Computing.
Linux is superior to Windows because it supports open standards. Although Microsoft also supports a number of the same open standards, like IPSec, IKE, and IPv6, it also embraces and extends standards. For organizations with heterogeneous systems and a requirement for interoperability, "standards" that have been extended with proprietary code make consistent flaw detection and bug fixing more time-consuming and difficult. An example is Microsoft's extension of Kerberos, a standard protocol. Microsoft added an authorization capability to the Kerberos ticket; although Kerberos initially defined a field for this specific purpose, that functionality had never been used. Moreover, Microsoft embraced and extended the Kerberos standard by specifying how other applications share the authorization data field in the ticket. Microsoft's version of Kerberos is not completely interoperable with the standard, so IT managers who use Microsoft Kerberos will find it harder to deploy and manage Kerberos across a heterogeneous IT environment and will tend to prefer an all-Windows IT infrastructure.
If the criterion for a secure operating system is open source, then Linux is clearly superior to Windows. Microsoft's Shared Source Initiative is an attempt to meet customer demands to look at source code. Yet, in large part, Shared Source subscribes to a "look, but don't touch" philosophy. The governments of Russia, the United Kingdom, and China, as well as NATO, participate in Microsoft's Government Security Program. Despite the pragmatism of this initiative in adding transparency and emphasizing partnership, organizations must meet varying requirements to access and use Microsoft source code. For example, not all Windows source code can be viewed online, so a user who wants to do a build and test an application must plan an on-site visit to Microsoft's headquarters.
Security considerations in Linux and Windows continue to fuel the debate over which is better, an open source or a closed source operating system. Industry logic is that an operating system based on open standards and open source enables interoperability, improves bug detection and fixing, and is superior to a model of security through obscurity. Open source also forces Linux distribution providers to be absolutely transparent in the production process. Every step can be re-run by users, and this enables incremental security at a meta level. Windows, for which no source code is available, does not offer equivalent transparency. While Linux provides equivalent or superior security capabilities in comparison to Windows, the security of a Linux system depends largely on the choice of distribution, the kernel it is based on, and the skill of the IT staff who implement and support the system. Since your success in implementing and maintaining a secure operating system rests with your IT shop, make sure that it has the training and expertise to deploy, manage, and troubleshoot. Instill discipline in the IT manager and system administrators, who need to understand how to apply security best practices.