2003-04-27
With Windows Server 2003, Microsoft has finally produced an operating system that isn't begging to be hacked on the first boot.
Secure by Default - READ BEFORE YOU POST. (2003-04-28, Anonymous, 2 replies)
Secure by Default - READ BEFORE YOU POST. (2003-04-28, Anonymous, 1 reply)
Secure by Default - READ BEFORE YOU POST. (2003-04-29, Anonymous, 2 replies)
Secure by Default - READ BEFORE YOU POST. (2003-04-30, Anonymous, 2 replies)
Secure by Default - READ BEFORE YOU POST. (2003-05-01, Anonymous, 3 replies)
Secure by Default - READ BEFORE YOU POST. (2003-05-02, Penguinisto, 1 reply)
Secure by Default, Insecure by Birth (2003-04-28, Drek Software Inc., 2 replies)
Well, I'll give you this much, Timster... (2003-04-28, Penguinisto, 4 replies)
Well, I'll give you this much, Timster... (2003-04-28, Anonymous, 6 replies)
Well, I'll give you this much, Timster... (2003-04-29, Anonymous, 2 replies)
Well, I'll give you this much, Timster... (2003-04-29, Penguinisto, 1 reply)
Well, I'll give you this much, Timster... (2003-04-29, Anonymous, 2 replies)
Zealotry comes in all forms. (2003-04-29, matt@beatlab.org, 2 replies)
Secure by Default (Pathetic) (2003-04-29, Anonymous, 3 replies)
Secure by Default (2003-04-29, Anonymous, 1 reply)

Our mailserver here is to be replaced in a few weeks, but in the interim the old one still runs the version of sendmail you're complaining about. Why? Because the system in question has two layers of stack protection, so the bugs have no impact at all. Linux has had this for a few years, Solaris even longer (since 2.6). When will MS get stack protection? Or, for that matter, when will MS rewrite the Windows messaging system so that user processes cannot get admin privs for the asking? When will they de-link their various applications so that they cannot be attacked through each other?
Our policy here is that no server without stack protection may be accessed from outside the firewall, period. My experience proves this a very prudent decision: I've never had (in those 2100 server years) a single stack-protected machine compromised, whereas I've had a number of others rooted (or whatever it is MS people call it), and hundreds of MS boxes compromised in other ways which would have been impossible under Linux or Unix. Yes, they were fully patched, had downloaded fresh AV files the night before, and all of them were well firewalled. That's what's creepy about having MS systems running: just using IE or Outlook can compromise the entire network. What a relief it was to me when we dumped Outlook and started switching users from IE to Mozilla and Phoenix. We're now piloting Lindows and Mandrake as desktops for non-technical staff, so that we can completely bail on MS at the end of our current agreement. As head of IS security, I must drool at the prospect. No viruses or buffer overflows, ever again!
Make whatever arguments you like, but don't expect me to forget all of my experience and just accept them.
Link to this comment: http://www.securityfocus.com/comments/columns/157/19795#19795