Is Windows more secure than Linux for web serving?
At the risk of starting another holy war, I had to comment on this story. Robert Lemos reports on a study that concludes Windows is more secure than Linux for Web serving. Although the test was funded by Microsoft, the two authors of the study did publish all test methodology so that it can be independently scrutinized and repeated. In general, vendor-funded studies almost always favor the vendors that fund them. This statistic obviously makes sense, since no company would ever fund a study that it expected to lose, or one where it couldn't get the researchers to "fudge" the numbers in its favor. The big question here: Is this a case of fudging the numbers or is there some truth to it?
Since this was primarily a comparison of Web server technology, we're mainly talking about IIS 6.0 and Apache 2.x. From a real world standpoint, it can be argued that other vulnerabilities pertaining to the underlying operating systems and other non-Web related components for Windows or Linux are less of a security priority. A locked down Web server will only have TCP ports 80 and 443 open on the local firewall, whether you're talking about Linux IPChains or Windows Firewall. Therefore, the only thing that is exposed beyond the Ethernet adapter of the server is IIS 6.0 or Apache 2.x, and these are the main things we need to worry about when evaluating Web servers. So let's compare these two platforms' security track records.
If we look at the SecurityFocus Web site vulnerability search page and we type in keywords "Apache 2" and "IIS 6.0", we will see that there is basically only one security advisory for IIS 6.0 since its inception, and we can see that there are many advisories for Apache 2. Unfortunately, the results don't really elaborate on what this actually means in terms of severity of the advisories. A better security research site is secunia.com, which does go into much more detail with nice graphical analysis. When I searched Secunia, I found the following results.
IIS 6.0 track record:
IIS 6.0 has only three advisories listed for the last two years and none of the advisories were rated beyond moderate. Two advisories were moderate and one was rated low. Only one was not patched.
Apache 2.0.x track record:
Apache 2.0 has 22 security advisories and two were not patched. One was rated high, seven were rated moderate, and 13 were rated low.
Both comparisons were from the year 2003 to 2005 and represent the most modern versions of their respective platforms, so it's a pretty fair comparison. Based on this information, it is easy to conclude that IIS 6.0 has a much better track record than Apache 2.0.x and that Apache needed to be patched more frequently. In light of this data, we have to wonder if Windows 2003 server really is better than Linux and Apache for the purpose of Web serving. What do you think? Talkback and let your opinion be heard.
Talkback
Is the J2EE with Sun Servers better than Linux and Windows
Doesn't Apache run on both Windows and Linux?
Newspeak?
Thanks for clearing that up.
Pretty persuasive argument you have there.
Did you read the blog?
And if the topic is so ridiculous, why?
Joe
Newspeak? Nah, just ignorance
yet another round of pointless banter
second, hasn't everyone learned at this point that there are goods and bads to both? come on, let the war go. what a bunch of crap. i work with both, i'm competent in both, and both have some MAJOR annoyances. so stop bickering and do your jobs.
if i've annoyed you, well, that's redecoulous!
risk
If you didn't want to risk it then why the title:
"Is Windows more secure than Linux for web serving?"
Why not a title like:
"Another M$ funded study finds Windows web server to be secure"????
Course that wouldn't get you as many readers.
Maybe it's because this is another pro-M$ article from the web IT news site funded by M$....
Comparisons
Completely agree
All stats were from 2003 - 2005
http://secunia.com/product/72/
I think you didn't read the section where I said that all numbers were from 2003 to 2005.
It's not a Matter of which one is "more secure"
Agreed that it's not a matter of vulnerability counts...
Threats are variable, you have no control over threats. It's smart to avoid threats wherever possible, but you can not predict them with any ongoing accuracy.
And I'd disagree with or refine rather your summary statement as well: Linux has been largely documented as the #1 target for interactive-attack-oriented-incidents, meanwhile Windows is clearly the #1 target for mass-malware incidents. And depending on the study, these statistics usually exceed relative populations; which makes them both rather significant.
Security is not an inverse of threat; it's a matter of impact reduction. You aren't afraid to have a wreck because of the wreck - you fear the wreck because the possibility to cause death, personal injury, or any relevant cost scenarios that could result from it (loss of license, loss of transportation, insurance rate increases, lifelong guilt from killing a family of four, etc). "Security" largely has more to do with the means to reduce those costs, given a wreck, than it does to prevent the wreck itself. The same is true in computing.
Most cogent argument so far
Let's see if George is deep or just a spectator.
Wow
You think? We're talking about servers!
http://news.netcraft.com/archives/web_server_survey.html
Hence there is a *considerable* incentive to *find* a security vulnerability in Apache. So on what basis do you say that people are only trying to exploit Microsoft's software? Why restrict yourself to only 25% of all webservers? You make no sense. Are you saying that crackers *expect* to find more weaknesses in IIS than in Apache?
The day is going to come...
Let me give this example: When MS released Windows 95, they said they wanted to make Windows "the ultimate" gaming platform. I was laughing about this statement because at the time the only way you could get high-demanding games to run fast was to go into DOS mode. I could not understand how Windows could ever provide a faster, better environment for games.
Yet, here we are, with Windows by far the most popular platform for games. Look at benchmarks between Linux/Windows and Mac/Windows and see how Windows beats those in performance.
http://www.barefeats.com/mac2pc.html
http://www.linuxhardware.org/article.pl?sid=04/10/12/1725246
My point? Don't underestimate MS. People who do usually end up losing out.
Just accept that it could happen, as we start seeing these results as an indication of what's to come.
Peter
Is another company going to buy Windows from MS?
That's the only way I see it..
Yes, it could happen
As long as MS continues to patch their ancient desktop operating system and call it a server, they are doomed to spend their life on the bottom rung of secure technology.
It Could Happen?
exiting UNIX kernel."
Except that M$ had the chance to do this with NT and blew it.
I actually had high hopes for NT back in the day. I recall
reading about NT, and thinking that it could be a fresh start for
M$.
Nope. Guess not.
There are M$ lovers that think Redmond can do no wrong.
But let's be rational. With the money M$ has, they SHOULD have
the greatest operating system in the world !
Their stuff should be bulletproof.
Even IF they had to start fresh like Apple did, their OS should be
perfect by now. Virus Proof. No hacks possible.
Yet, it's not. And I can't figure out why.
Maybe money can't buy class.
No such thing
Erroneous numbers
I have a better reason that Windows is more secure: the box is heavier; therefore it would require hackers that were physically stronger to pick it up, open it, install it and then hack it.
Or maybe Windows is more secure because it has more characters in its name than Linux. Passwords with more characters are more secure, right?