Does OS matter anymore for security?


Whenever I've touched on the sensitive topic of Linux vs. Windows or Apache vs. Microsoft IIS security, I expected the usual flame treatment and nasty name-calling to fly. It's usually taken as gospel in many IT circles that "Windows security" is an oxymoron; anyone who dares to suggest using Microsoft IIS 6.0 for a public web server faces serious ridicule. To see if there was any truth to this presumption that Windows Server is fundamentally insecure, I looked up these hacking statistics from www.zone-h.org for 2003 to 2004. Not only did they not show that Windows was hacked more often, they showed just the opposite. The Linux servers were actually getting hacked and defaced far more often than the Windows servers, and Apache was also being hacked and defaced more than Microsoft IIS.

While most security research comparing operating systems and applications focuses on statistics for the number of vulnerabilities and their criticality, zone-h takes a completely different approach by looking at actual server compromises. Even more significant is that these are not theoretical hacks in the laboratory but actual website defacements that were confirmed in public. Zone-h is essentially a centralized "scoreboard" for hackers who want bragging rights for their handiwork. While the source of the data is highly despicable, there is no denying the value of collecting such data, regardless of its source, because of its accuracy. When a website is hacked and defaced, there is little room for interpretation of what has transpired, because the proof is in the humiliating public defacement. While these particular defacements are often the work of recreational hackers who hack for sport, and not of professional criminals who hack for financial gain, the techniques used to compromise the servers are usually identical. Zone-h accurately portrays itself as the pulse of the Internet because it samples server compromises carried out by recreational hackers using the standard tools of the trade. Why is this significant? It is very difficult to obtain this information through other means, because most companies are not eager to report server compromises. Zone-h brings these attacks into the light so that they are not just swept under the rug, and forces companies to take vulnerabilities seriously.

At the end of the zone-h report for 2003-2004, the author concludes (accurately, in my experience) that the argument about which OS is more secure is totally irrelevant, since most modern exploits are against applications and not the operating system hosting them. This is true because servers are rarely deployed wide open on the Internet without a firewall. A properly configured firewall minimizes the vulnerability footprint by permitting only the ports necessary for a specific application to work, which means the application is the only thing exposed to the hacker. The zone-h report doesn't actually prove which OS is more secure, only that the OS is mostly irrelevant and that the Windows server security jokes are more myth than fact.
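The "vulnerability footprint" argument above, and the later comment that egress filtering from the DMZ would have contained a worm even on a vulnerable server, can be made concrete with a small policy model. The following is an added example, not code from the article or from zone-h: a toy first-match packet filter with a default-deny policy, constructed rules for a public web server in a DMZ, and constructed sample packets. It computes which ports an Internet host can open a new connection to under a wide-open policy versus the restricted one, and shows that a compromised web server attempting to initiate outbound TCP connections is blocked by the egress rule.

```python
"""
Toy firewall policy model (added example, constructed data).

Models two policies for a public web server:
  * WIDE_OPEN: no firewall, everything passes (default allow).
  * WEB_DMZ:   only the application's ports are reachable from the Internet,
               and the DMZ host may not initiate TCP connections outward.
Only new connection attempts are modelled; established-flow tracking is omitted.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    direction: str  # "in": Internet -> DMZ host, "out": DMZ host -> Internet
    proto: str      # "tcp" or "udp"
    dport: int      # destination port of the new connection attempt


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto == pkt.proto
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; if nothing matches, the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def exposed_ports(rules: List[Rule], proto: str = "tcp",
                  default: str = "deny", limit: int = 1024) -> Set[int]:
    """Ports 1..limit to which an Internet host can open a new connection."""
    return {p for p in range(1, limit + 1)
            if evaluate(rules, Packet("in", proto, p), default) == "allow"}


# Policy 1: server deployed "wide open" with no firewall in front of it.
WIDE_OPEN: List[Rule] = []
WIDE_OPEN_DEFAULT = "allow"

# Policy 2: the article's "properly configured firewall" for a web server.
# Constructed rule set; port numbers are the standard HTTP/HTTPS/DNS ports.
WEB_DMZ: List[Rule] = [
    Rule("in", "tcp", 80, "allow"),    # HTTP to the web application
    Rule("in", "tcp", 443, "allow"),   # HTTPS to the web application
    Rule("out", "udp", 53, "allow"),   # DNS lookups from the DMZ host
    Rule("out", "tcp", None, "deny"),  # egress filter: no outbound TCP at all
]
WEB_DMZ_DEFAULT = "deny"               # anything not listed is dropped


def footprint_report() -> dict:
    """Summarise how much each policy exposes and whether egress is contained."""
    worm_style_egress = Packet("out", "tcp", 80)  # a compromised host scanning outward
    return {
        "wide_open_ports": len(exposed_ports(WIDE_OPEN, default=WIDE_OPEN_DEFAULT)),
        "dmz_ports": sorted(exposed_ports(WEB_DMZ, default=WEB_DMZ_DEFAULT)),
        "rpc_reachable": evaluate(WEB_DMZ, Packet("in", "tcp", 135), WEB_DMZ_DEFAULT),
        "outbound_scan": evaluate(WEB_DMZ, worm_style_egress, WEB_DMZ_DEFAULT),
    }


if __name__ == "__main__":
    for key, value in footprint_report().items():
        print(f"{key}: {value}")
```

The point the model makes is the one the article makes: with the restricted policy the only thing an attacker can reach is the web application on 80/443, so the OS's other listening services never enter the picture, and a host that is compromised through that application still cannot open outbound TCP connections to spread.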


Talkback

149 comments
  • I am curious..

    how do they know when a website has been defaced?

    My IIS servers, used strictly for OWA, were defaced on a regular basis. Luckily, the people doing the defacing didn't realize that the webpages they were changing were never seen by anyone :)
    Patrick Jones
    • They send proof to Zone-H

      The hacker sends a link to zone-h for verification as soon as they do the deed. They have some automated way of verifying the hack.

      As for your OWA server, I seriously doubt you have one. Either you don't know what you're doing by hosting a server that gets routinely defaced or you're pulling my leg and spreading FUD. IIS 6.0 has far fewer flaws than Apache. http://blogs.zdnet.com/Ou/?p=44
      george_ou
      • Actually, I have two..

        As I said they "were" routinely defaced not "are." They are not anymore, especially since the company ponied up for a firewall. And, as I stated, I didn't care if the page was defaced because it was never seen. The hackers could not get to my OWA files and I figured that it gave them something to do so they would not try to hack my other systems. Guess what, it worked. Not a pretty way to do it, but you do what you can with what you got :)
        Patrick Jones
        • Oh and...

          these were not IIS6.0 servers.
          Patrick Jones
      • With the proof..

        so they rely on the hacker(s) sending in the information? IMHO, that really does not make their data that trustworthy. You have no way of knowing if they got all the hacks. There could be hundreds of defacements that don't get sent in. Not to say that they couldn't all be Apache/Linux or Windows/IIS, but it does mean that their data is, well, worthless. It reminds me of those "polls" you see in the newspapers and you read the fine print to find out they only asked like 500 people. That is not a good sample group when your city has over 2 million people in it.

        I didn't see on their site where they list the hacks by webserver and not OS. The true test of OS security not mattering would be the number of Windows Apache hacks versus the number of Linux Apache hacks.
        Patrick Jones
        • And another problem..

          On none of these hacks, that I can see, do they tell you how they got into the system. So there is no way of knowing if it was a Linux hack, Windows hack, Apache hack, or IIS hack.
          Patrick Jones
    • how?

      were you using urlscan? or was this a honeypot? or BS?

      - Sam
      JoeMama_z
      • What do you mean?

        I would check the default page every once in a while to see if it was hacked. Then I would just change it back and wait for it to get hacked again. It was sort of a "honeypot" since at the time we did not have a firewall. The owners did not want to spend the money. So I thought that giving the hackers something to keep their attention was better than having them try to get into my other systems.
        Patrick Jones
  • Lies, Damn Lies, and Statistics

    As almost every system admin here - Windoze and *NIX - can attest, the CONFIGURATION of the server matters MUCH more than the OS. A properly set up Windoze server can be more "secure" than an out-of-the-box default setup for Linux.

    But these attacks are the hardest to defend against. A determined cracker, armed with root kits or vulnerability exploits, attacking a SINGLE MACHINE is VERY tough to defend against. It's your skill vs. his, and it's debatable whether Windoze or Linux aids you more in your defense.

    My argument against using Windoze is because of WORMS. As I stated above, a determined cracker can break down any defense, but his attack is NOT automated - he has to sit there and spend HIS time to attack your machine. A worm self-replicates and attacks automatically - without human intervention, which makes its impact MUCH more damaging. Windoze is plagued with worms - and more are deployed every day. These worms attack NOT the "expert" setup machines I described above - but rather clueless users' machines.

    So if you want to compare the top 1% of managed computers to see if Windoze/IIS or Linux/Apache is better - will your statistics MEAN anything?
    Roger Ramjet
    • Statistics?

      I agree in whole here. But I need to point out, at least 70-80% of the world's Web Servers are running some variant of *NIX, are they not?

      SO to turn on the "EAR" of what NBM'ers say about "Windows" being attacked more, because it is on more machines (via trojans, viruses and the Like), I guess the point here is the same: more machines run Apache/*Nix that host web services than IIS? No?

      But in BOTH Windows and *NIX a GOOD (not just paper trained) admin could lessen the chances of getting hacked or even 0wn3d ...
      Linux_4u!
    • you seem to contradict yourself

      You wrote "As most every system admin here - Windoze and *NIX can attest to is that the CONFIGURATION of the server matters MUCH more than the OS"

      At the end you mention "So if you want to compare the top 1% of managed computers to see if Windoze/IIS or Linux/Apache is better - will your statistics MEAN anything"

      Answer - Of course the statistic is valid, because badly configured or unconfigured boxes are not Microsoft or Linux security problems.
      If it weren't, then it would be like saying - "I got robbed but I left my door unlocked and open. Well, duh, no wonder you got robbed".
      Security is only as tight as its enforcement.
      zzz1234567890
    • How many "clueless" users run servers?

      The article topic is server security. So I think you're changing the subject.

      Still, worth pointing out the other article on ZDNet which says that worms intended for everyone are getting to be less frequent as cracking becomes more professional.

      As in so many other areas, unpaid amateurs are eventually replaced by those working for money.
      Anton Philidor
  • Uh, yes. Your argument has almost as many holes as Windows does.

    While phishing requires the user to be, let's face it, stupid, an OS that's easy to break into makes all the difference.

    I also find difficulty accepting the argument that it is the application running on the OS only; as if the OS itself has little holes that worms can tunnel through, it becomes that much easier to break through.

    Oh dear, did I say "worms"? Yup. The vast majority of worms, if not them all, came about due to poor design, security holes, or outright sloppiness on Microsoft's part (as a secure monopoly, why worry about quality or stability? The sheep will continue to graze at the tainted grass...). And as IIS, IE, Office, and Outlook (or Exchange) are all TIED INTO THE OS to whatever degree (which is MS's own claim and to an extent it's true; even if the applications are loosely tied in and can be removed they still are...), it makes it all too easy.

    Never mind the registry, and I thought the INI files of old school were bad enough...

    Windows is a house of cards with too many bent cards at the foundation. And, no, the OS itself is not made irrelevant with a firewall. Anything that can remain hidden when going through the firewall looking like safe data (but isn't) and then open up once inside (WORMS!) renders any firewall useless. Once again, to repeat, WORMS. These are Microsoft's unspoken invention thanks to poorly written software that seems to do more to openly welcome hackers with warm cookies and cool milk and a note asking Santa Hacker what they want...
    HypnoToad
    • Who said anything about Phishing?

      You sound pretty confused here since I never mentioned anything about Phishing attacks. By the way, Phishing is OS agnostic.

      Additionally, you're misinformed. The vast majority of worms can easily be stopped at the firewall. A properly configured server will not have unnecessary services running. Windows 2003 leaves out all unnecessary services and features off by default.
      george_ou
    • what worm....

      I don't know of any worm for Windows that doesn't infect by either RPC ports or email. Neither of which should be exposed by a web server.

      And get real, worms are a Unix invention from way way back in the day before any MS OS even had network connectivity. Not saying they haven't flourished under Windows but I am saying they started with Unix. The registry isn't that bad, fairly easy to work with if you understand the structure.

      In short your arguments address end user problems and most of them are invalid. Stick to the content at hand.

      - Sam
      JoeMama_z
      • Defaced problems << Virus & Worms Problems

        >I don't know of any worm for windows that doesn't infect by either RPC ports, or email.

        Did you hear about Code Red? Maybe not.

        >worms are a Unix invention

        That does not change the fact that 99.9% of the worms are for Windows.

        The problems that viruses & worms raise are huge compared with cracker-defaced site problems.
        tuqui
        • When was code red?

          Code Red was a couple years ago. A properly configured firewall that blocked outbound access from the DMZ would have stopped it even for vulnerable servers. We're talking about what is relevant today.
          george_ou
        • give me a break....

          The original post stated that worms were a Windows invention. Since we are bringing up ancient history, have you heard about Slapper?

          99.9% of worms are for Windows, yup this is true, and it takes 2 minutes to secure a web server from 100 percent of them. The virus and worm problem is more an administrative problem than an OS problem (not to say the OS couldn't use some work.)

          - Sam
          JoeMama_z
  • I say this

    As long as the root is not compromised, the system is safe. I have shepherded many people from Windows to Linux, and even with the learning curve, few have returned to Windows.
    cashaww
  • Observational versus experimental statistics

    Recommendation: Stick to using number of vulnerabilities and their criticality.

    Analysis:
    Others have pointed out how your summary of the observed success rates for attacks does not provide good estimates of the vulnerability of the operating systems that are hosting sites on the web. Even if you had good estimates and those estimates supported your point, such estimates would not be sufficient to prove that one operating system was more secure than another. Turning the argument around, it is even harder to use such statistics as an indication that all operating systems are equally secure.

    One simple model for separating types of statistics is between summaries of uncontrolled observations and summaries of controlled experiments. Observational studies can show relationships between things like (a) rates of successful attacks and (b) operating systems, but they can never show that the rate of success is caused by anything intrinsic to the operating system. Controlling an experiment (type of attack versus selected OS configuration) comes a whole lot closer to showing cause and effect.
    palmwarrior