Does Research Support Dumping Linux?
Tim Mullen, 2002-12-02

Microsoft's security policies are getting better every day, even as a new report slams open-source competitors as security nightmares. But the easy answers aren't always the right ones.

Research Supports Dumping Linux 2002-12-02
blacklight
Research Supports Dumping Linux 2002-12-03
Anonymous (1 replies)
Not FUD, rather Aberdeen cluelessness. 2002-12-03
Anonymous (3 replies)
Not FUD, rather Aberdeen cluelessness. 2002-12-05
Anonymous (2 replies)
Research Supports Dumping Linux 2002-12-03
Anonymous
Does Research Support Dumping Linux? 2002-12-03
Anonymous (1 replies)
Does Research Support Dumping Linux? 2002-12-05
Veggie Meat
You Linux people amaze me... or anger me I think. 2002-12-05
Anonymous (6 replies)
It's nice to have .. 2002-12-07
Anonymous
You Linux people amaze me... or anger me I think. 2002-12-09
jsalter@-removethis-jrssystems.net (1 replies)
> I think a lot of you Linux people on the "windows sucks"
> bandwagon should wake up and take a look at the security
> improvements of windows 2000 enterprise server, in an
> active directory environment (btw, centrally managed, for
> the previous posters), and stop beating down every report
> you hear that Windows security has improved.

What improvements? MS products are still only as secure as you make them... except for the never-ending flood of code flaws that take forever to get addressed, and the default install-anything-and-everything mentality that leads to having to patch root exploits in services you don't even use. Exchange 2000 Server is a perfect example - it won't even install if you aren't running the NNTP service, never mind whether you actually want to provide your users Usenet groups or not! If anything, Microsoft has been getting WORSE in that trend lately - think "Universal Plug and Play" for an easy and well-publicized target in that respect.

Aside from that, the real security pros and cons remaining between Microsoft and *nix tend to be centered around the complex layers of the ACL security model and the comparatively simple (and restrictive) owner/group/other ownership-based permissions model in the *nix world.

It's easier to set all sorts of odd little permissions structures up in the ACL world, but it's also easier - a LOT easier - to accidentally make something accessible (or inaccessible) that shouldn't have been, somewhere in the tangled mess of inherited permissions.

By comparison, the simpler ownership-based methodology results in a scheme that requires more careful planning from the administrator in terms of delegating responsibility and setting up non-trivial permissions structures for resources that need varying access levels available to various groups, but that careful planning is generally rewarded with a better security structure and far, far easier troubleshooting of said security structure in the event of problems.

Finally, the last real set of pro-vs-con in terms of security is simply that it's a hell of a lot more difficult to effectively administer an MS server even if you ARE the administrator, which affords a dubious and vague sort of "protection" against the black-hats in that they're generally ... as crippled as the real administrator is. Of course, this isn't anything to rely on, as more and more "t00lz" get released that make heavy use of the possibilities of the RPC service. By comparison, the *nix world can do anything from anywhere else as easily as they can sitting right there at the desktop - which is a great boon to both the legit administrator AND to the blackhats; but then you shouldn't be RELYING on your system being inherently difficult to administer as a "security measure" anyway, so it's probably a Good Thing overall for security if you ARE reminded that root access is, well... root access.

> you try Windows95 or NT, and say "it sucks, it's insecure"
> and stick with that point of view for years to come.
> ...
> If you would like my opinion on Linux (and I run both,
> remember, I make my judgments based on facts); I think
> Linux is archaic, and is a step backwards for computing.

Kettle to Pot, re: blackened surfaces - there's more to the *nix world than Linux. There's even more to the OPEN SOURCE *nix world than Linux. Ever tried a BSD?

Microsoft makes the best GUI on the market. Hands down, no real contenders, that's all there really is to it. HOWEVER - until they learn how to produce modular code instead of a tangled spaghetti mess that requires a system reboot every time you do something as trivial as change your domain membership or - god help us all - your MPEG PLAYER, they're not going to get my vote for producing good CODE.

> Its simplicity is its downfall, learning it is a joke -
> sorry, but if I am to call myself an IT professional, I
> would like it to mean that I actually need expertise to
> run whatever I specialize in.

Uh... correct me if I'm wrong, but... did you just accuse a *nix of being *too easy to use*, and suggest that MS products are more difficult...?

:: boggles ::

Link to this comment: http://www.securityfocus.com/comments/columns/127/17335#17335
Does Research Support Dumping Linux? 2002-12-06
Steve Robinson
Does Research Support Dumping Linux? 2002-12-07
Anonymous (1 replies)
Does Research Support Dumping Linux? 2002-12-09
Anonymous (1 replies)
MULLEN IS PAID BY MICRO$OFT 2002-12-07
Anonymous Hero (1 replies)
MULLEN IS PAID BY MICRO$OFT 2002-12-10
blacklight
Encryption in Linux 2005-11-29
arash afshinfar
Copyright 2009, SecurityFocus