2003-02-24
Why last week's big Windows security hole is nothing more than technology press hot air.
I agree completely.
2003-02-24
Anonymous (4 replies)
Re: I agree completely.
2003-02-25
Anonymous (2 replies)
Re: I agree completely.
2003-02-25
Anonymous (2 replies)
Re: I agree completely, or NOT
2003-02-26
Anonymous (2 replies)
Re: I agree completely.
2003-02-26
Seb (1 replies)
I agree completely.
2003-02-25
Anonymous (1 replies)
I agree completely - a little vague, let's hear your arguments....
2003-02-25
Anonymous (3 replies)
If anyone thinks this is some new threat, then I have a bridge in Brooklyn for sale for you
2003-02-24
3n0k (2 replies)
Media Gone Mad
2003-02-25
Anonymous (4 replies)
Linux "boot" floppy? Wow, I'm impressed.
2003-02-26
TJ Miller jr (23 replies)
My Experience with The Linux
2003-02-26
Egg Troll (14 replies)
My Experience with The Linux
2003-02-27
Anonymous (1 replies)
"Third Party Driver" ? This is slanted in the other direction
2003-02-26
Anonymous (1 replies)
"Third Party Driver" ? This is slanted in the other direction
2003-02-27
Eric Grabowski (eric@mazenet.com)
It is unfortunate...
2003-03-03
Glenn Schulz (1 replies)
It is unfortunate...that you don't understand
2003-03-04
Anonymous (1 replies)
It is unfortunate...that Glenn learned security from a text book.
2003-03-05
Erik (1 replies)

Also, the most important point in security is simplicity. I for one want to understand every aspect of a system, because I think it's a necessity for keeping base installations of servers secure and designing good systems. For all the UNIX systems I administer, I know exactly what the different components do and also know how most of the kernel works internally. Also, there aren't any configuration options that I wouldn't understand, or those that I don't understand belong to applications I don't need. Can you say the same about Windows? Do you know what each DLL or EXE file contains, and do you know if you can simply delete it? Do you know what all the different options in the registry mean?
Also, by being able to compile things yourself, you can guarantee that components you don't need aren't included in your binaries. Plus, I'm not that interested in different configuration options or how fine-grained the permissions the system provides are, because those are irrelevant when you provide a service to non-trusted users; non-trusted users should never have any permissions. Of course, the servers providing the service should run under minimal permissions.
I'd also point out that you can't easily compare the numbers of Linux and Windows vulnerabilities. The problem is that each Linux distro has several CDs of applications for building a complete desktop or server system. For example, quite a few Linux distros include programs like GIMP, but Windows doesn't include programs like Photoshop. For any vulnerability found on any of the CDs shipped with a distro, the vendor of the distro has to release a security advisory. The number of programs is huge and most of them are never installed on a standard system; these programs just add up to the total sum of advisories released.
Link to this comment: http://www.securityfocus.com/comments/columns/144/18415#18415