Windows vs. Linux Security

by Ed Sawicki
Accelerated Learning Center
Tailored Computers

March 25, 2005 (updated June 6, 2006)

This article contains excerpts from Ed's new book called Advanced Linux Networking and Security published by Course Technology and available now. The book does not contrast Windows and Linux security. This article does.

If you spin a fable often enough people will eventually see it as the truth. So it is with Windows versus Linux security. Consider these two popular fables spun by the anti-Linux crowd:

  1. Linux has more security holes than Windows. Windows is more secure.
  2. If Linux were as popular as Windows it would have just as many security problems.

That these two statements contradict one another should be your first clue that these are not facts.

The facts tell a different story. The problem is that facts are seldom a component of the many articles that have been written on this subject. Articles focus on skewed statistics and apples-to-oranges comparisons, such as the number of reported security issues for each operating system.

The Open Source nature of Linux and Linux applications encourages the discovery and reporting of security issues through peer review - even trivial issues not likely to be exploited by an attacker. If there are many reported security issues, the Open Source community is doing its job. Most security issues are discovered and fixed before anyone is attacked.

Contrast that with the closed source nature of Windows that results in reported security issues only after users suffer a successful attack. In the Windows world, secrecy (aka security through obscurity) is used to try to minimize attacks but this has the unfortunate effect of exposing a large population of users to attack when the secret can't be kept. Two decades of history with Windows shows that the secrets aren't kept often.

Security Architecture

Linux and Windows have dramatically different security architectures. The built-in firewall of each is just one example of the differences. The Windows firewall is, to be kind, minimalistic. It only filters inbound packets and the rules must be simple - generally too simple to be useful to an experienced administrator. Anyone concerned with and knowledgeable about security will purchase another firewall.

[Diagram: Linux vs. Windows firewall]

The Linux firewall has functionality that rivals expensive commercial firewalls. Its rules allow fine-grained control over stateless and stateful packet filtering. The Linux firewall is extensible, allowing new filtering capabilities as the need arises.

Linux is a network engineer or admin's dream, allowing almost any conceivable form of NAT, port translation, and packet mangling. This allows transparent proxies, sophisticated QoS and policy routers, and much more.

The firewall has so much functionality that it challenges the development of simple-to-use user interfaces. The biggest problem with the Linux firewall is figuring out how to configure it. A Windows admin would hate it. Experienced Linux/UNIX admins, accustomed to learning and finding answers in non-pedagogical ways, have less difficulty.
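The kind of ruleset the preceding paragraphs describe, written out as an added example (this is not code from the article or the book): a small POSIX shell script that emits a stateful packet filter plus NAT and transparent-proxy rules in iptables-restore format, so the policy can be reviewed before it is loaded and then applied atomically. The interface names, LAN prefix and proxy port are assumed values for illustration.

```shell
#!/bin/sh
# Added example: generate and load a stateful netfilter ruleset.
# WAN_IF, LAN_IF, LAN_NET and PROXY_PORT are assumptions for illustration.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PROXY_PORT=${PROXY_PORT:-3128}

# Print the ruleset in iptables-restore format. Nothing is applied here,
# so the output can be diffed or reviewed before it touches a machine.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
# stateful core: drop what the connection tracker cannot classify, then
# accept anything that belongs to a connection we already allowed
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# only NEW TCP connections that begin with a SYN may open SSH
-A INPUT -p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# the LAN may reach the local transparent proxy port
-A INPUT -i $LAN_IF -p tcp --syn --dport $PROXY_PORT -j ACCEPT
# rate-limited ping so a flood cannot fill the log
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log a sample of what the DROP policy discards
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "fw-drop: " --log-level 4
# forwarding: LAN hosts out to the WAN, replies back under the same state rules
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# transparent proxy: LAN web traffic is redirected to the local proxy port
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# source NAT for everything leaving on the WAN interface
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Load the ruleset in one step: iptables-restore replaces the whole table
# set atomically, so there is never a window with a half-applied policy.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore
}

# Number of rules that would be installed; a cheap sanity check.
rule_count() {
    gen_ruleset | grep -c '^-A '
}

case "${1:-}" in
    apply) apply_ruleset ;;
    show)  gen_ruleset ;;
esac
```

Run it as `sh fw.sh show` to inspect the generated policy and `sh fw.sh apply` (as root) to load it; because the default INPUT and FORWARD policies are DROP, the ESTABLISHED,RELATED rule is what makes return traffic for outbound connections work at all, which is the stateful behaviour the article contrasts with the inbound-only Windows filter.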

Let's look at other important aspects of the architecture differences.

Filesystem Structure

Linux and other UNIX-based operating systems follow a tradition of structuring the filesystem so like files are kept together in the same directories. Programs (binaries) are kept in different directories than data files. Binaries that should only be used by the superuser are kept in different directories than binaries used by all users. Data files that are static are kept in different directories than those that are dynamic.

[Diagram: Linux filesystem structure]

Filesystem permissions and ownership are used to prevent users from running programs and accessing data files they're not supposed to. These same security mechanisms restrict the actions of programs and daemons.

By placing like files in their own directories, system admins can use security tools like ownership, permissions, attributes, and mount options to better protect these files. Some implementations of Linux systems carry this further by making immutable those portions of the filesystem that contain static files. Tailored Computers does this with its sealed systems. You can't attack what you can't modify.

Windows may create the illusion that this same discipline exists, but it doesn't. Go to one of the directories beneath C:\Program Files and you'll see binaries mixed in with other types of files. Windows system configuration data (the Registry) is mixed in with Windows programs (binaries). The fine-grained separation of file types is absent from Windows.
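One concrete form of the "mount options" protection mentioned above, as an added example that is not from the article: a shell audit that reads mount lines (the `/proc/self/mounts` and `/etc/fstab` layouts share the same first four fields) and reports which data-only filesystems lack nodev, nosuid or noexec, followed by the two ways of sealing a static tree. The list of data-only mount points and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit hardening mount options on data-only filesystems.
# Both /proc/self/mounts and /etc/fstab use
#   <device> <mountpoint> <fstype> <options> ...
# so the same check runs on either. DATA_MOUNTS and the sample are assumptions.

# Filesystems that hold data, not binaries, and so should carry all three
# options; binaries live in separate trees (/usr, /sbin ...) that do not.
DATA_MOUNTS="/tmp /var /var/log /home /dev/shm"

# Print the options from REQUIRED ($2) that are absent from the
# comma-separated option list OPTS ($1). Prints nothing when none are missing.
missing_opts() {
    opts=$1; required=$2
    missing=""
    for want in $required; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# Read mount lines on stdin; print one line per data mount that is missing
# an option and return 1 if anything was reported, 0 if all are clean.
audit_mounts() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case " $DATA_MOUNTS " in
            *" $mnt "*) ;;
            *) continue ;;
        esac
        m=$(missing_opts "$opts" "nodev nosuid noexec")
        if [ -n "$m" ]; then
            echo "$mnt: missing $m"
            rc=1
        fi
    done
    return $rc
}

# Sealing a static tree once it is known to be correct (both need root):
# a read-only remount makes the kernel refuse every write to it, and the
# immutable attribute stops even root from changing files until it is cleared.
seal_static_tree() {
    mount -o remount,ro "$1"      # e.g. /usr
}
make_immutable() {
    chattr -R +i "$1"             # e.g. /sbin; undo with chattr -R -i before patching
}

# Constructed sample in /proc/self/mounts layout.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,nodev 0 0
/dev/sda3 /var ext4 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda4 /home ext4 rw,defaults 0 0'

# Against the live system:   audit_mounts < /proc/self/mounts
# Against the sample:        printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

On the sample the audit reports `/var: missing noexec` and `/home: missing nodev nosuid noexec` and exits non-zero, which makes it usable as a check in a hardening script or a cron job.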

Daemons & Services

Services in Windows are analogous to daemons in Linux/UNIX. When running Linux daemons, the system admin chooses the user the daemon runs as. Admins that are focused on security tend to create separate user accounts for every daemon that's run. Each of these user accounts has its permissions in the filesystem set so the daemon only has access to files and directories that are absolutely required.

In the diagram below, the named daemon is running as a user called named. The ntpd daemon runs as user ntpd and the httpd daemon runs as user httpd. User named only has permissions to access the /var/lib/named directory. It cannot access either of the other two directories. A successful attack against the named daemon does not affect the /var/lib/ntpd or /var/lib/httpd directories.

[Diagram: Linux daemons]

A successful attack against a vulnerable daemon tends to only impact that daemon and its corresponding parts of the filesystem. Other parts of the system are insulated from the attack.

Most Windows services run as privileged users with access to most or all of the rest of the system. Successful attacks result in the entire computer being compromised.

Jails

If an attack against a vulnerable daemon is successful, the attacker may be able to access or affect those portions of the filesystem that the daemon's user account has permissions to. If more than one daemon runs as the same user, daemons that are not vulnerable may still be affected by the attack.

The solution is to confine daemons to only the portion of the filesystem they require access to. They'll have no access to other portions of the filesystem even though they may have permissions there. This is accomplished with the chroot feature of Linux/UNIX and is often called "putting a daemon in jail".

The diagram below shows that the chroot function allows an administrator to declare that a certain directory appear to the daemon as the root (/) directory. In this example, the named daemon thinks the /var/lib/named directory is its root directory. It cannot get to directories outside of this /var/lib/named jail.

[Diagram: Linux jails]

Some Linux daemons, such as BIND8, require the system admin to go through considerable effort to put the daemon in jail, which discourages junior admins from doing it. Other daemons, such as djbdns, do this on their own without any admin participation or cooperation.

Although rare, vulnerable daemons may be attacked in such a way that the attacker is not confined by the chroot jail. For these cases, we need a better jail. Virtual machines are the answer.
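The two mechanisms from the Daemons & Services and Jails sections, combined into one added example (not code from the article or the book): a shell script that builds a minimal chroot tree for a daemon, hands only its runtime directory to a dedicated unprivileged account, and launches the daemon with GNU coreutils `chroot --userspec` so that it is both confined to the tree and no longer root inside it. The jail path, user name, uid and daemon binary are assumptions; the real BIND setup needs its own config and zone files copied in as well.

```shell
#!/bin/sh
# Added example: run a daemon as its own unprivileged user inside a chroot.
# JAIL path, USER, UID and the daemon command are assumptions.

# Build the directory tree the daemon will see as "/". Everything is
# root-owned and read-only to the daemon except var/run, the one place it
# genuinely needs to write; a daemon that cannot write its own binaries or
# config cannot be trojaned in place even after a successful attack.
jail_prepare() {
    jail=$1; user=$2; uid=$3
    mkdir -p "$jail/etc" "$jail/dev" "$jail/var/run"
    chmod 0755 "$jail" "$jail/etc" "$jail/dev" "$jail/var"
    chmod 0770 "$jail/var/run"
    # a private passwd/group so name lookups work inside the jail without
    # exposing the real /etc/passwd; gid is assumed equal to uid
    printf 'root:x:0:0::/:/bin/false\n%s:x:%s:%s::/:/bin/false\n' \
        "$user" "$uid" "$uid" > "$jail/etc/passwd"
    printf 'root:x:0:\n%s:x:%s:\n' "$user" "$uid" > "$jail/etc/group"
    chmod 0644 "$jail/etc/passwd" "$jail/etc/group"
}

# Privileged steps, kept separate: create the system account (no login
# shell, home inside the jail) and give it the runtime directory only.
jail_own() {
    jail=$1; user=$2; uid=$3
    id "$user" >/dev/null 2>&1 || useradd -r -u "$uid" -d "$jail" -s /bin/false "$user"
    chown "root:$user" "$jail/var/run"
}

# Device nodes most daemons need; nothing else from /dev goes in.
jail_devices() {
    jail=$1
    [ -c "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null" c 1 3
    [ -c "$jail/dev/urandom" ] || mknod -m 444 "$jail/dev/urandom" c 1 9
}

# Copy a binary and the shared libraries ldd reports into the jail, since
# the kernel resolves the daemon's path relative to the new root.
jail_copy_bin() {
    jail=$1; bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    ldd "$bin" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
}

# Launch: chroot first, then drop to the daemon's uid/gid. The order matters:
# once root is gone the process can no longer call chroot, and a process that
# stays root inside a chroot can usually walk back out of it (the escape case
# the article mentions), so it must never keep running as root.
jail_run() {
    jail=$1; user=$2; shift 2
    exec chroot --userspec="$user:$user" "$jail" "$@"
}

# Usage with assumed paths (all as root):
#   jail_prepare  /var/lib/named named 25
#   jail_own      /var/lib/named named 25
#   jail_devices  /var/lib/named
#   jail_copy_bin /var/lib/named /usr/sbin/named
#   jail_run      /var/lib/named named /usr/sbin/named -f -c /etc/named.conf
```

Inside the jail the daemon's `/etc/named.conf` is really `/var/lib/named/etc/named.conf`, so the config and zone files are copied into the tree rather than referenced from the host; verify the result from outside with `ls -l /proc/<pid>/root` and `grep Uid /proc/<pid>/status`, which should show the jail directory and the daemon's uid rather than 0.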

Virtual Machines

Linux/UNIX daemons vary in the degree of trust admins have in them. Once a daemon has had more than a few security issues, many experienced admins no longer trust it and seek alternatives. Security issues in sendmail, for example, caused admins to adopt alternatives like qmail, Postfix, and Exim, which have a better security architecture.

If admins must run a daemon they don't trust, they'll tend to put that daemon on another computer to isolate it from the daemons they do trust. Alternatively, admins can provide that isolation with virtual machine technology so the untrustworthy daemon can run on the same computer safely.

Linux supports three robust virtual machine technologies:

  1. User Mode Linux (UML)
  2. VMware
  3. Xen

User Mode Linux requires that the virtual machines also run Linux. VMware and Xen allow virtual machines to run other operating systems such as Windows. We'll focus on UML here.

The untrustworthy daemon runs inside the UML virtual machine, which is running another independent copy of Linux. This diagram shows a Linux system running two virtual machines each running three daemons.

[Diagram: User Mode Linux]

If the vulnerable daemon running in the UML is successfully attacked, everything outside of the UML is insulated from the attack. There can be more than one UML running on the same computer - this diagram shows two.

To keep resource consumption down and to maximize security, UMLs should only have software installed that's required. A hand-tooled, minimalistic Linux installation and configuration is best but standard Linux distributions can be used.

Advanced Security

Linux has advanced security features that most system admins are unaware of or are vaguely familiar with. For example, POSIX capabilities allow an admin to limit the capabilities of his system. He can prevent the kernel from loading modules that were not loaded at boot time. Limitations can be placed on which processes may send which signals to others. Processes not running as root may be able to bind to TCP and UDP ports below 1024. The list goes on and on.
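The capability checks an admin would run to see what the features above actually amount to on a live process, as an added example that is not from the article: the script decodes the hex `Cap*` masks the kernel exposes in `/proc/<pid>/status`, so you can confirm that a daemon holds (or can never regain) a given capability, and it wraps the three administrative changes the paragraph describes: letting a non-root daemon bind a low port, starting a process with module loading removed from its bounding set, and disabling module loading system-wide. The bit numbers are the kernel's own (`linux/capability.h`); the binary path in the usage comment is assumed.

```shell
#!/bin/sh
# Added example: inspect and restrict POSIX capabilities on Linux.
# Bit numbers come from linux/capability.h; the binary path is an assumption.

# Capability name -> bit number for the ones this section touches on.
cap_bit() {
    case $1 in
        CAP_KILL)             echo 5 ;;
        CAP_SETGID)           echo 6 ;;
        CAP_SETUID)           echo 7 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        CAP_NET_ADMIN)        echo 12 ;;
        CAP_SYS_MODULE)       echo 16 ;;
        CAP_SYS_CHROOT)       echo 18 ;;
        CAP_SYS_ADMIN)        echo 21 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# Succeeds when bit $2 is set in the hex mask $1 (the form /proc prints).
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Read one of the Cap* masks (CapEff, CapPrm, CapInh, CapBnd) for pid $1.
proc_cap_mask() {
    awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# Does pid $1 currently hold capability $2 (effective set)?
has_cap() {
    cap_in_mask "$(proc_cap_mask "$1" CapEff)" "$(cap_bit "$2")"
}

# Could pid $1 ever regain capability $2? Not once it is gone from the
# bounding set: that removal is permanent for the process and its children,
# which is what makes it useful for confining a daemon.
cap_in_bounding() {
    cap_in_mask "$(proc_cap_mask "$1" CapBnd)" "$(cap_bit "$2")"
}

# Administrative changes (all need root):

# Let a daemon that runs as an ordinary user bind ports below 1024 without
# being root for anything else. Path is assumed.
grant_low_port_bind() {
    setcap 'cap_net_bind_service=+ep' "$1"   # e.g. /usr/local/sbin/httpd
}

# Start a command with CAP_SYS_MODULE dropped from its bounding set, so
# neither it nor anything it spawns can load a kernel module.
run_without_module_loading() {
    capsh --drop=cap_sys_module -- -c "$*"
}

# Refuse all further module loading system-wide until the next reboot.
freeze_kernel_modules() {
    sysctl -w kernel.modules_disabled=1
}

# Example: report on the current shell.
#   has_cap $$ CAP_NET_BIND_SERVICE && echo "can bind low ports"
#   cap_in_bounding $$ CAP_SYS_MODULE || echo "module loading is gone for good"
```

A quick audit of a running daemon is then `has_cap <pid> CAP_SYS_ADMIN` and `cap_in_bounding <pid> CAP_SYS_MODULE`; a daemon that has been confined properly fails both, and `getpcaps <pid>` from libcap shows the same information by name.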

Secure Enough?

Though the Linux design allows very secure systems to be built, popular shrink-wrap Linux distributions are not installed securely. You must add administrator labor to achieve a level of security that experienced computer security people would consider secure enough.

Don't expect that you can achieve the same level of Linux system security as someone knowledgeable and experienced in Linux and system security. No graphical user interface can take the place of the human security expert - that is, unless we develop expert systems that mimic the human expert.

In spite of its security strengths, Linux is not the answer to all secure environments. There are applications that require better security than Linux has to offer.

Culture

In addition to the technical reasons why Linux/UNIX is more secure than Windows, there's also culture. The Linux and UNIX communities have fostered an awareness of and an appreciation for security at every level. From the programmer who builds security into her application to the system admin who uses every tool in his bag of impressive security tricks, Linux and UNIX-based systems are inherently more secure than their Windows counterparts because we demand that they be more secure.

In the Windows community, security is not a high priority. Users who claim that security is important have seemingly infinite patience. They've been waiting over two decades for it; all the while spending money on band-aids like virus scanners, spyware scanners, etc.


Ed Sawicki is the President of the Accelerated Learning Center (ALC) and Tailored Computers. ALC has been offering courses, worldwide, in UNIX since 1979 and Linux since 1998. Tailored Computers provides consulting and custom systems based on their Linux-based, sealed system technology.
