Is Windows more secure than Linux for web serving?


At the risk of starting another holy war, I had to comment on this story. Robert Lemos reports on a study that concludes Windows is more secure than Linux for Web serving. Although the test was funded by Microsoft, the two authors of the study did publish their full test methodology so that it can be independently scrutinized and repeated. In general, vendor-funded studies almost always favor the vendors that fund them. This tendency obviously makes sense, since no company would ever fund a study that it expected to lose, or one where it couldn't get the researchers to "fudge" the numbers in its favor. The big question here: Is this a case of fudging the numbers, or is there some truth to it?

Since this was primarily a comparison of Web server technology, we're mainly talking about IIS 6.0 and Apache 2.x. From a real-world standpoint, it can be argued that other vulnerabilities in the underlying operating systems and in non-Web components of Windows or Linux are a lower security priority. A locked-down Web server will only have TCP ports 80 and 443 open on the local firewall, whether you're talking about Linux IPChains or Windows Firewall. Therefore, the only thing exposed beyond the server's Ethernet adapter is IIS 6.0 or Apache 2.x, and these are the main things we need to worry about when evaluating Web servers. So let's compare the two platforms' security track records.
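The "only 80 and 443 exposed" posture above is easy to claim and easy to drift away from, so here is an added audit script (not part of the original post) that checks it: it parses `ss -tln` style output, ignores loopback-only services, and reports any listener reachable beyond loopback on a port outside the allow list. The listener table is a constructed sample so the script runs offline.

```sh
#!/bin/sh
# Added example (not from the original post): check a web server against the
# "only TCP 80 and 443 exposed" posture. Input is `ss -tln` style output;
# the sample below is constructed so the script runs offline.

ALLOWED_PORTS="80 443"

# Constructed sample of `ss -tln` output (not captured from any real host).
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:8080           [::]:*'

# Emit "addr port" for every LISTEN row; the port is the text after the last
# colon, so IPv6 addresses such as [::] are handled.
parse_listeners() {
  printf '%s\n' "$1" | awk '$1 == "LISTEN" {
    n = split($4, p, ":"); port = p[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    print addr, port }'
}

# Emit "addr:port" for listeners reachable beyond loopback whose port is not
# in the allow list ($2, space separated). Loopback-only services are left
# alone: nothing beyond the Ethernet adapter can reach them.
exposed_listeners() {
  parse_listeners "$1" | while read -r addr port; do
    case "$addr" in 127.*|"[::1]") continue ;; esac
    case " $2 " in *" $port "*) continue ;; esac
    echo "$addr:$port"
  done
}

# Returns 0 if the host matches the locked-down posture, 1 otherwise.
audit_exposure() {
  offenders=$(exposed_listeners "$1" "$2")
  if [ -n "$offenders" ]; then
    printf '%s\n' "$offenders" | sed 's/^/unexpected exposed listener: /'
    return 1
  fi
  echo "ok: only ports $2 are exposed beyond loopback"
}

# Demo on the constructed sample; use "$(ss -tln)" instead on a real host.
audit_exposure "$SAMPLE_LISTENERS" "$ALLOWED_PORTS" || echo "audit failed (exit $?)"
```

A listener that only binds loopback (the sample's 3306) does not count as exposed, but anything bound to a routable address outside the allow list (the sample's 22 and 8080) fails the audit.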

If we look at the SecurityFocus Web site vulnerability search page and type in the keywords "Apache 2" and "IIS 6.0", we will see that there is basically only one security advisory for IIS 6.0 since its inception, while there are many advisories for Apache 2. Unfortunately, the results don't really elaborate on what this actually means in terms of the severity of the advisories. A better security research site is Secunia, which goes into much more detail with nice graphical analysis. When I searched Secunia, I found the following results.

IIS 6.0 track record:
IIS 6.0 has only three advisories listed for the last two years, and none of them were rated beyond moderate. Two advisories were rated moderate and one was rated low. Only one was not patched.

Apache 2.0.x track record:
Apache 2.0 has 22 security advisories, and two were not patched. One was rated high, seven were rated moderate, and 13 were rated low.

Both sets of figures cover the years 2003 to 2005 and represent the most modern versions of their respective platforms, so it's a pretty fair comparison. Based on this information, it is easy to conclude that IIS 6.0 has a much better track record than Apache 2.0.x and that Apache needed to be patched more frequently. In light of this data, we have to wonder whether Windows Server 2003 really is better than Linux and Apache for the purpose of Web serving. What do you think? Talkback and let your opinion be heard.

  • Is the J2EE with Sun Servers better than Linux and Windows

    I'm sorry, but your topic is rediculous. It's purely pedantic to propose that windows is secure. Linux has many followers, and well that it should. Now take a look at some servers with muscle. Who are you kidding?
    • Doesn't Apache run on both Windows and Linux?

      You said that Secunia was tracking issues with Apache 2.0 and IIS 6. Granted that IIS is almost surely running on Windows, but where does Linux come into this? Are you making unwarranted, illogical leaps?
    • Newspeak?

      ..I'm sorry, but your topic is rediculous. It's purely pedantic to propose that windows is secure...

      Thanks for clearing that up.
      Pretty persuasive argument you have there.
      Did you read the blog?
      And if the topic is so ridiculous, why?

      • Newspeak? Nah, just ignorance

        The original poster appears not to be a native speaker, but likes big words.
    • yet another round of pointless banter

      first of all, java_programmer, you've spelled ridiculous incorrectly, which i think is ridiculous when you throw words like pedantic into your sentences.

      second, hasn't everyone learned at this point that there are goods and bads to both? come on, let the war go. what a bunch of crap. i work with both, i'm competent in both, and both have some MAJOR annoyances. so stop bickering and do your jobs.

      if i've annoyed you, well, that's redecoulous!
  • risk

    "At the risk of starting another holy war...."

    If you didn't want to risk it then why the title:

    "Is Windows more secure than Linux for web serving?"

    Why not a title like:

    "Another M$ funded study finds Windows web server to be secure"????

    Course that wouldn't get you as many readers.

    Maybe it's because this is another pro-M$ article from the web IT news site funded by M$....
  • Comparisons

    Apache was a VERY stable web server - during its 1.x.x days. The change to version 2 was more revolutionary than evolutionary (IIS 6 was evolutionary from IIS 5). There were major issues with migration and stability as the 1.3.x Apache was replaced with the 2.0.x. To focus on the 2.0.x Apache is like focusing on - say, the reliability of a vehicle in its 3rd model year. The negative statistics of the 1st year, and partially negative statistics of the 2nd year tend to bring the rating down in the 3rd year - even if all of the "kinks" have been worked out. SO what model year is Apache 2.0.x in, and how far back are you taking statistics from?
    Roger Ramjet
    • Completely agree

      Not only that, but how many web servers out there do run Windows Server 2003? What is the ratio of said servers to Linux (and Windows) servers running Apache 2.x? If all those IIS 5 and IIS 5.1, not to mention IIS 4, boxes were replaced with IIS 6 boxes, would you only see just 3 advisories? I think not.
      Bata Srki
    • All stats were from 2003 - 2005

      Your argument would be fine if it weren't for the fact that the stable Apache 1.3 had many vulnerabilities in the 2003 - 2005 timeframe as well. Many more than IIS 6.0.

      I think you didn't read the section where I said that all numbers were from 2003 to 2005.
  • It's not a Matter of which one is "more secure"

    It doesn't matter which one has more security vulnerabilities, because all software has security vulnerabilities; they just haven't all been discovered yet. It's more important to know which software is being targeted for exploitation. The software can be as full of holes as swiss cheese, but if no one is trying to exploit those holes it really doesn't cause any problems. M$ is the #1 target of hackers right now, so that makes their software automatically less secure.
    • Agreed that it's not a matter of vulnerability counts...

      ...but it's definitely not a matter of perceived threat, either.

      Threats are variable; you have no control over threats. It's smart to avoid threats wherever possible, but you cannot predict them with any ongoing accuracy.

      And I'd disagree with, or rather refine, your summary statement as well: Linux has been largely documented as the #1 target for interactive-attack-oriented incidents, meanwhile Windows is clearly the #1 target for mass-malware incidents. And depending on the study, these statistics usually exceed relative populations, which makes them both rather significant.

      Security is not an inverse of threat; it's a matter of impact reduction. You aren't afraid to have a wreck because of the wreck - you fear the wreck because the possibility to cause death, personal injury, or any relevant cost scenarios that could result from it (loss of license, loss of transportation, insurance rate increases, lifelong guilt from killing a family of four, etc). "Security" largely has more to do with the means to reduce those costs, given a wreck, than it does to prevent the wreck itself. The same is true in computing.
      • Most cogent argument so far

        Wow. This person actually brought the discussion into a moment of reality.

        Let's see if George is deep or just a spectator.
    • Wow

      Who can argue with that?
      IT Scion
    • You think? We're talking about servers!

      MS might have a stranglehold on the desktop, but Apache has an undisputed presence on the server. I thought that > 50% of webservers ran Apache, but this link suggests it's currently nearer 70%:

      Hence there is a *considerable* incentive to *find* a security vulnerability in Apache. So on what basis do you say that people are only trying to exploit Microsoft's software? Why restrict yourself to only 25% of all webservers? You make no sense. Are you saying that crackers *expect* to find more weaknesses in IIS than in Apache?
  • The day is going to come...

    The day is going to come when MS software is going to be more secure than other vendor's software. Of course most people will laugh at this but given the effort they are putting in, and seeing results like these (even if some people still can't accept it) it's just a matter of time.

    Let me give this example: When MS released Windows 95, they said they wanted to make Windows "the ultimate" gaming platform. I was laughing about this statement because at the time the only way you could get high-demanding games to run fast was to go into DOS mode. I could not understand how Windows could ever provide a faster, better environment for games.

    Yet, here we are, with Windows by far the most popular platform for games. Look at benchmarks between Linux/Windows and Mac/Windows and see how Windows beats those in performance.

    My point? Don't underestimate MS. People who do usually end up losing out.

    Just accept that it could happen, as we start seeing these results as an indication of what's to come.

    • Is another company going to buy Windows from MS?

      Are they going to change the underlying OS?

      That's the only way I see it..
    • Yes, it could happen

      but not unless Microsoft bites the bullet and builds an entirely new operating system from scratch. Or takes the Apple OSX approach and builds their GUI on top of an existing UNIX kernel.

      As long as MS continues to patch their ancient desktop operating system and call it a server, they are doomed to spend their life on the bottom rung of secure technology.
      • It Could Happen?

        "Or takes the Apple OSX approach and builds their GUI on top of an existing UNIX kernel."

        Except that M$ had the chance to do this with NT and blew it.

        I actually had high hopes for NT back in the day. I recall reading about NT, and thinking that it could be a fresh start for

        Nope. Guess not.

        There are M$ lovers that think Redmond can do no wrong.

        But let's be rational. With the money M$ has, they SHOULD have the greatest operating system in the world!

        Their stuff should be bulletproof.

        Even IF they had to start fresh like Apple did, their OS should be perfect by now. Virus Proof. No hacks possible.

        Yet, it's not. And I can't figure out why.

        Maybe money can't buy class.
        • No such thing

          A bullet proof OS is a dream. Maybe many years from now it will change, but no one is putting out anything close to bullet proof (especially for Web servers or desktops). I'm sure in theory it is possible, but the OS would be the most limited and inconvenient system on the market and no one would buy it. Not able to figure out why there is no perfect OS? Here's just a couple of reasons, but there are plenty. A hole in an OS may not be a hole until technology takes a next step. Humans design the OS. For every user-friendly feature there is more surface to attack. You say "let's be rational" and think anyone debating your post will automatically be an MS lover, but you weren't rational and I'm not an MS lover.
          IT Scion
  • Erroneous numbers

    The measures of this study would be laughable if it weren't for the techno wannabes buying in...

    I have a better reason that Windows is more secure: the box is heavier; therefore it would require hackers that were physically stronger to pick it up, open it, install it and then hack it.

    Or maybe Windows is more secure because it has more characters in its name than Linux. Passwords with more characters are more secure, right?