Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
|
 |
|
11-05-2006, 10:30 AM
|
#16
|
Member
Registered: Oct 2006
Location: Buffalo, NY
Distribution: Servers: Scientific Linux 5.x // Desktops: Fedora Core (latest)
Posts: 110
Rep:
|
I think that is what he is saying, and I think he is correct to some extent.
No matter how secure your machine and OS are, if you implement a program and put that program (or service or whatever you want to call it) on an open port, then you are leaving the care and security of that port up to that program.
If that program is weak, or otherwise low security, then your machine is now only that secure.
It's the whole "chain as strong as its weakest link" deal.
|
|
|
11-06-2006, 03:26 PM
|
#17
|
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
|
There are really two areas of security when it comes to infection vectors: "Clients", i.e. computers that are simply used to view/use things, and "Servers" i.e. computers that serve things up for viewing/using. So really when you ask a question, you have to qualify it by which area of computing you're talking about.
As a client, Linux far, far, far out-strips Windows in security. However, a lot of the same security could be achieved on Windows by simply ditching the default web browser and e-mail client and using something with fewer published exploits. Notice I didn't say use something "more secure", I said "fewer published exploits". That being said, there are still quite a few exploits that will work on Windows even if you're using a non-default browser and e-mail client, that would not work on Linux. As a client OS, I would say run anything other than Windows. Here Mac OS X is probably the safest as it happens to be the most rarely-used OS that is actually "consumer-grade". The reason is pretty simple: the fewer people use something, the less attractive it is to exploit.
As a server, it's much closer. Windows servers are usually dedicated to serving applications and it's very rare that someone uses it as a "client" by opening up a web browser or e-mail application and viewing data from an untrusted source. At worst someone might open Internet Explorer on their Windows server in order to visit TechNet. Once you remove Internet Explorer and Outlook from the mix, Windows is a lot "safer". Microsoft has put a lot of work into much safer default configurations and much better security architecture in their servers (such as IIS and Exchange). Your average Win2K3 server is just about as safe as your average Red Hat 4 server at this point.
When it comes to serving things, Linux actually loses a lot of its security advantages over Windows, because it opens up a lot more attack vectors. Now you have to worry about how safely Apache, Sendmail, BIND, etc. handle requests. You are also subjected to a lot of the weaknesses presented by bad LAMP applications. There are quite a few PHP exploits going around for badly designed web-applications. Linux is susceptible to SQL injections just like Windows. Now it's not so much of an OS comparison as it is an application comparison.
So for a home user just surfing the web and checking e-mail, any OS that is not Windows will be much safer than doing the same thing on Windows.
For acting as a server, the safety of any OS is really relative to the skill of the admin at setting up the system and keeping it updated, as well as the admin's understanding of firewall configuration and knowing which services they can safely run vs. which ones they can disable without negatively impacting the job the server is doing. It also has a lot more to do with running safe applications on your server than it does with which applications you're running. The base install of Apache and IIS are both pretty safe, but with one bad PHP or ASP application, either one can be hurt pretty badly.
|
|
|
11-06-2006, 05:58 PM
|
#18
|
Member
Registered: May 2006
Location: Kansas City, MO
Distribution: Currently Mint
Posts: 655
Original Poster
Rep:
|
Maybe I am oversimplifying but.....
So...my own PC would be a "client" but the big bulky thing at work that runs the entire network would be a "server," correct?
I noticed you also mentioned Win2k3 and RH4. Do you think Win2k3's improved security has come at the expense of other important issues (e.g., flexible usage, ease of use, etc) or not?
I have heard that UNIX / Linux is more popular in servers than Windows. Is that true? If yes, why?
Thanks!
|
|
|
11-06-2006, 06:22 PM
|
#19
|
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
|
Win2K3 has more things turned off or not installed, by default, than earlier versions of Windows (2K, NT4, etc) so in that respect it's not as easy to get started actually doing things. Other than that, it's not really missing anything. I used RH4 for my Linux example simply because Red Hat is the most common server distribution used in corporate or commercial environments. Another example would be SuSE Linux ES.
As for what is the "most popular" server, there's no good way to determine that. Some sites try to gather data on "how many domains run on ____", but that is heavily skewed by hosting sites whose customers often don't know, much less care what OS their site is being run on. There also is no good way to determine how many internal servers run mission-critical applications inside companies and aren't visible from the Internet at all. I suppose an analyst firm like IDC might have some idea, but that's mostly based on sales figures, from what I gather.
Another complicating factor is that what you run for servers varies widely by industry. Some industries have very special software and the main vendors for that software only write it for a certain platform. Other industries require specialized hardware, and it only runs a certain OS, etc.
There isn't any one "best" answer that covers every situation. What OS is the most secure depends almost entirely on how competent the system administrators are. Which one is the most popular depends a lot on external support by other vendors (hardware, software).
If you're asking "is Linux less safe than other OSs", then the answer is: generally it is not less safe, but a novice sysadmin trying to run lots of services on Linux could certainly be more open to attacks than an expert Windows admin who carefully chooses what services to run and how they're configured. If you're asking "is Linux not a good server OS?" the answer is: Linux would not have survived and broken out of the hobbyist/enthusiast camp and into main-stream acceptance if it wasn't any good.
I think too many people focus on nit-picking about whether X is better than Y and don't spend enough time concentrating on just learning how to use X or Y more effectively, depending on which one they feel best fits their needs.
|
|
|
11-06-2006, 06:24 PM
|
#20
|
Member
Registered: Aug 2006
Distribution: Suse 10.2
Posts: 32
Rep:
|
Yes, you are a client to the server... think of it as you in a restaurant as a customer, and the server is the person that serves you food. It's that simple in concept.
Linux is more popular as a server mainly because it is more stable as an operating system and is a lot more configurable, notice how many distributions (distros) of Linux there are... Linux is just the kernel, every distro is built around the kernel to suit the needs of the job in hand, so the Linux webservers are probably at the most basic the kernel with the server software and some security, with some basics around it to control it all. So because the kernel runs just what it needs to be the server, there are a lot fewer complications and it's faster and more stable, and only on the rarest of occasions (if at all) do they crash, Linux servers will be up and running for months on end with not a single reboot.
Windows however is a little different I'm afraid. The only thing it has on its side is its friendly user interface, hence a favourite in small/medium sized businesses, yes it can be very powerful if you delve deep enough into Windows, but Linux is infinitely deeper... I mean, you can do ANYTHING you like... take it down to the source code and recompile to make it work EXACTLY your way. Take Windows to a bigger business, and I can bet you they will use Linux for mission critical operations on the server. I heard the US defence/army/government only uses Linux because they can and will strip down the code and look for any bugs that can pose a security hole, they can't do this with Windows.
|
|
|
11-06-2006, 07:25 PM
|
#21
|
Senior Member
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
|
Quote:
Originally Posted by deiz92
Windows however is a little different I'm afraid. The only thing it has on its side is its friendly user interface, hence a favourite in small/medium sized businesses, yes it can be very powerful if you delve deep enough into Windows, but Linux is infinitely deeper... I mean, you can do ANYTHING you like... take it down to the source code and recompile to make it work EXACTLY your way. Take Windows to a bigger business, and I can bet you they will use Linux for mission critical operations on the server. I heard the US defence/army/government only uses Linux because they can and will strip down the code and look for any bugs that can pose a security hole, they can't do this with Windows.
|
I think you would be very, very surprised to find out which very large companies (and government agencies) use Windows for very critical applications. I'm not a Windows fan, but making black & white judgements and blanket statements doesn't help anyone.
I sell & install enterprise-grade software for a living and I have to tell you that the market is as fragmented and opinionated as individual posters on sites like this. There are die-hard Windows shops, and die-hard UNIX shops. They all have their reasons. In my case, I recommend to most of our customers that they use the Linux or Solaris versions of our product, because with our particular software they happen to be the better choices, but that is not true of all software or for all situations. I'll still recommend our Windows software to customers who don't have anyone skilled at administering UNIX-like systems.
PS for all the touting of "flexibility" of Linux in recompiling things from source, guess how many times I have seen a true customized kernel running on a server in an enterprise environment? Zero. Enterprise organizations do not want non-standard stuff. They want 100% stock software so that it's fully supported by the vendor. The only shops that actually do build custom kernels are vendors who build network devices, such as the company I work for. Even then we haven't done anything very drastic to the kernels on the systems we ship. We start from a base SLES installation and peel away the pieces we don't need and make a few minor modifications to the kernel config, but it's probably 95% standard SLES. There are very, very few companies who actually drastically customize the kernel even for what you might consider very specialized network devices.
So yeah, the benefits of Linux don't really have to do with the flexibility. In most cases the reason shops use Linux is because it's cheaper (from a licensing standpoint) than Windows or commercial UNIX, or because they believe it's easier to secure than Windows servers (read as: they think they don't have to patch as often, i.e. it's cheaper).
Last edited by chort; 11-06-2006 at 07:32 PM.
|
|
|
All times are GMT -5. The time now is 02:41 AM.