Does Research Support Dumping Linux?
Tim Mullen, 2002-12-02

Microsoft's security policies are getting better every day, even as a new report slams open-source competitors as security nightmares. But the easy answers aren't always the right ones.

Research Supports Dumping Linux 2002-12-02
blacklight
Research Supports Dumping Linux 2002-12-03
Anonymous (1 replies)
Not FUD, rather Aberdeen cluelessness. 2002-12-03
Anonymous (3 replies)
Not FUD, rather Aberdeen cluelessness. 2002-12-05
Anonymous (2 replies)
Research Supports Dumping Linux 2002-12-03
Anonymous
Does Research Support Dumping Linux? 2002-12-03
Anonymous (1 replies)
Does Research Support Dumping Linux? 2002-12-05
Veggie Meat
Does Research Support Dumping Linux? 2002-12-06
Steve Robinson
Does Research Support Dumping Linux? 2002-12-07
JacquesB
Sorry, but you have been abused by a FUD document sponsored by Microsoft. It's impossible to secure Windows because in its most basic components, Windows does not have what is needed for security. Unix has these security concepts, so it can be secured. Security requires control. If you have control, you can do security. If you do not have control over something, you cannot secure it.

1- Protection against unknown security issues

Windows has no security mechanism for protecting you against an unknown security incident. You can protect your Windows against the past, but never against the present and surely not against the future. Just look at BIND and IIS. Both of them have a lot of vulnerabilities. I never patched my BIND daemon and anyone is welcome to try to hack into it. Why? Because it is already protected by its original configuration, using a generic UID with almost no rights and running in not one but 2 CHROOTs, one of them being on a /jail partition mounted with options like nodev and RO and with only a restricted shell as the available tool. The guy cannot even do a simple LS.

How do you protect IIS or MS SQL against the vulnerability a guy will publish tomorrow? You cannot.

2- Secured by default

The second problem with your position is that you don't consider the default security level of the product. If your SysAdmin forgets about a security option or is so unqualified that he just does the minimum, he will not increase the security, but will not reduce it so much below the default level. An error in security config is almost always something forgotten where it should not be. If your system is totally exposed like Windows is, it will stay dangerous if not managed by the most qualified SysAdmin.

Under Unix, a novice will activate what he needs and will still have a secure server. OpenBSD and Slackware are both secured by default. Just re-open what you need and you will be secure.

If your security is high by default and you are qualified for improving it or at least not reducing it, you have a good security level.

If it's high by default and you reduce it a little bit, you will have a medium level.

If your security is low by default and you do not improve it or reduce it, you have a low level. If you can improve it a little bit, you will reach a medium level. But do you think you are able to improve it that much?

3- Do you think it's possible to master Winboose?

Microsoft themselves do not master Windows. The Metabase, the Registry and the lot of system libraries are all critical components of Windows, but nobody controls them. All of them are undocumented. Windows cannot have more than one version of a library at a time, so you are forced to run a mixture of libraries that no one else ever tried. Doing some reverse engineering on them is almost impossible because too much critical data must be reverse engineered simultaneously.

On the other side, Unix, and even more Open Source Software, are very well documented and easy to master. Once you can control the system, you can secure it. There is no security without control, and there is no control in Windows. At the end, there is no security in Windows.

You can have full control under Unix, so you can secure it.

I did protect my Unix box because it's possible to do it. Unix has the security mechanism needed for that. Can you believe that I'm certified by Microsoft? Yes, I am. But I switched to Unix because I had no control in Windows but had it in Unix.

Finally, here are some points that show how this study is nothing more than pure shit:

1- Based on the number of incidents and without any consideration for the impact. Many incidents under Unix are things like a predictable temporary file name during the installation. Under Windows, it's almost always a remote exec as Administrator.

2- Based on the number of incidents, counting the number for both the OS and applications for the Open Source, versus only the OS for Windows.

3- Without any consideration for security mechanisms able to block incidents by default, like the UID and CHROOT I used for protecting my BIND even against unknown threats.

4- Many organizations are using the same Open Source Software, so all of them will send an alert for a single and unique security weakness. Red Hat, Suse, Mandrake and many others will send an alert if something happened in OpenSSH. For Microsoft, a single incident will receive a single alert.

Just remember this: No control, no security.

Nobody has control in Windows (Metabase, Registry, DLL and more), so nobody can do real security in Windows.


Link to this comment: http://www.securityfocus.com/comments/columns/127/17318#17318
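
The comment above describes a daemon confined by an unprivileged UID and a jail partition mounted read-only with nodev. As an added example (not part of the comment or of the original page), this shell script audits those two properties from `/proc`-style data. The device names, the `/srv` mount and UID 25 are constructed sample values; only `/jail`, `nodev` and read-only come from the comment.

```shell
#!/bin/sh
# Added example: audit the jail hardening described in the comment.
# All sample data is constructed; only /jail is a path named on the page.

# Constructed sample in /proc/mounts format (device, mount point, fs, options).
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hda5 /jail ext3 ro,nodev 0 0
/dev/hda6 /srv ext3 rw,nodev 0 0'

# Constructed excerpt of /proc/<pid>/status for the daemon (hypothetical UID 25).
SAMPLE_STATUS='Name: named
Uid: 25 25 25 25
Gid: 25 25 25 25'

# missing_mount_opts MOUNTS MOUNTPOINT OPT...
# Prints the required options absent from the mount point's option list,
# "unmounted" if the mount point is not listed, or nothing if all are set.
missing_mount_opts() {
    mounts=$1 mp=$2
    shift 2
    opts=$(printf '%s\n' "$mounts" |
        awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then echo "unmounted"; return 0; fi
    missing=""
    for want in "$@"; do
        # Wrap in commas so "ro" cannot match inside another option name.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
}

# runs_as_root STATUS
# Prints "yes" if the real, effective, saved or filesystem UID is 0, else "no".
runs_as_root() {
    printf '%s\n' "$1" | awk '
        $1 == "Uid:" { for (i = 2; i <= 5; i++) if ($i == 0) r = 1 }
        END { print (r ? "yes" : "no") }'
}

echo "/jail missing: [$(missing_mount_opts "$SAMPLE_MOUNTS" /jail ro nodev)]"
echo "/srv  missing: [$(missing_mount_opts "$SAMPLE_MOUNTS" /srv ro nodev)]"
echo "daemon runs as root: $(runs_as_root "$SAMPLE_STATUS")"
```

On a live system the same functions can be fed `"$(cat /proc/mounts)"` and `"$(cat /proc/PID/status)"` for the daemon's process ID.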
Does Research Support Dumping Linux? 2002-12-07
Anonymous (1 replies)
Does Research Support Dumping Linux? 2002-12-09
Anonymous (1 replies)
MULLEN IS PAID BY MICRO$OFT 2002-12-07
Anonymous Hero (1 replies)
MULLEN IS PAID BY MICRO$OFT 2002-12-10
blacklight
Encryption in Linux 2005-11-29
arash afshinfar
Copyright 2009, SecurityFocus