LinuxQuestions.org

harry142 07-13-2011 07:27 AM

Is Linux security better than windows security?
 
hello friends
Please give me the answer

Thank you

tronayne 07-13-2011 11:25 AM

Yes.

Why? Well, Unix and Linux systems do not permit privileged execution of programs by an ordinary user (that would infest the operating system, wipe out disk files, or the other "fun" stuff that, in Windows, is far too easy to accomplish); this, of course, presumes that system security is not compromised by the administrator fooling around with things better left alone.

You may want to take a look at http://en.wikipedia.org/wiki/Compari...dows_and_Linux for details.

Hope this helps some.

acid_kewpie 07-13-2011 11:30 AM

For balance, I'll also say "no" as it's much more complicated than you can cover with a one word answer. The biggest security issue is usually the user, not the software.

win32sux 07-13-2011 11:20 PM

There is no way to answer this question properly without knowing what you mean by better security. For example, are you referring to the overall number of public vulnerabilities present in either OS in a given time frame? The speed at which the developers distribute security fixes? The amount of security features the OSes offer? Stuff like that may be quantified in such a way that a semi-objective argument could be made as to which one is better with regards to specific factors. But, as hinted by acid_kewpie, security is so much more (it is, after all, a continuous process), and in the end most of it will depend on things other than the OS software.

In the right hands, either GNU/Linux or Microsoft Windows can meet most administrators' and/or users' security requirements. If you pick either of those OSes over the other because "it's more secure", then I'd say you're off to a bad start and you should get your security posture evaluated, as you may have serious vulnerabilities in areas which have been overlooked due to focusing on the choice of OS.

sundialsvcs 07-14-2011 07:22 AM

As usual, "that depends upon the system and its owner."

Windows has a very powerful security model that is effectively turned off in literally millions of "Home Edition" Windows boxes around the world. So, all that programming doesn't do a damn bit of good.

Linux has Pluggable Authentication Modules (PAM), which allows any sort of authentication scheme that you wish to use, to be, well, "plugged in" at strategic points just by editing a configuration file. (There are also, of course, PAM modules that can be fixed into the kernel so that no one can "remove the locks.")

Linux also normally has features, such as Access Control Lists (ACLs) and Extended Attributes, but many folks know about the chmod and chown commands and nothing more, as though nothing at all had actually advanced since the earliest Unix days.

The bottom line, though, is that effective system security is a human process, not a product nor an operating-system feature. The computer's great at enforcing rules ("yes" or "no"), but it's only a dumb machine, doing whatever it's been told.

salasi 07-15-2011 03:57 AM

Quote:

Originally Posted by harry142 (Post 4413708)
Please give me the answer

The answer? As you may have already noticed, you'll probably get as many answers as respondents, if not more. In the interests of trying to define some corner points:
  • there are a number of reasons that there is no such thing as Linux security: Technically, Linux is a kernel, and there is really no point in discussing the security of a kernel alone, because the system is so much more than the kernel, and a hole in the security of some of the non-kernel stuff can be just as fatal to your desire for security (mind you, you may not need anything very complex, or directly software-related, if you've got a user)
  • You were probably thinking of 'a distro' really, rather than 'kernel' and while all distros are variations on a theme, there can be enough difference in, say, how quickly problems are fixed to make a real difference (although, in this regard, MS is usually worse and less transparent, in speed of fixes)
  • In general (and this is a wild generalisation) most Linux distros do a decent job with giving you an install that is reasonably secure out of the box, but the builders of the distro itself don't know what you will do with it, and you will have to take responsibility of what you do from the point that you install it.
  • Whatever you think of the security of a system 'out of the box', usually the first thing that the user does when the system comes out of the proverbial box, is that they take measures to mess up the security. As a (vaguely related) example of this tendency, bear in mind that MS has recently turned off 'autorun' by default. This has been a well-known idiocy for a decade or so, but apparently MS thought if they turned off this 'convenience feature' there would be a revolt amongst the users (and they would all just turn it back on) so that it wasn't worth doing. It turns out that this has been actually a very significant improvement (although, anyone with any sense could have manually changed the autorun status)...so a big part of the problem was user laziness (or the perception of what the user would consider as excessively inconvenient...personally, I would consider cleaning up after an intrusion as a real inconvenience, but maybe these users consider this as 'somebody else's problem').
  • One part of the answer (I'd describe this as one canonical answer, if that wasn't open to too much misinterpretation) is that most Windows end users have problems with security and most Linux don't (as far as I can tell); you could regard that as conclusive, but it really isn't. If you fsck up your Linux security badly enough, you can make it as bad as the typical Windows user would make it. It is your computer, you can do that, but you probably shouldn't, if you know what is good for you. But, you probably don't know what is good for you, and you really need to know what you are doing to keep the system secure.
  • I'd also like to echo this, from win32sux, "either GNU/Linux or Microsoft Windows can meet most administrators' and/or users' security requirements"...but, while it is true, it is also true that most users will, if allowed, take their system in entirely the opposite direction than the one that leads towards security. Now, it isn't completely clear whether the cause is lack of knowledge, a feeling of 'it'll never happen to me' or plain, pig-headed, stupidity (but, it seems as if it is done most thoroughly when all of the above are brought to bear on the situation), but it is what happens.

tekhead2 07-15-2011 02:42 PM

I think another point to consider is the costs of security in a Windows environment. Out of the box you will still require software to fully secure an environment or desktop. The open source community, this includes Linux, BSD, etc., provides all of the needed tools you would require to secure an entire enterprise environment. Granted you have to consider the different software you will require and build out a setup for your purposes, but when you think about needing a spam filter for Exchange environments, and needing corporate antivirus for all of your servers and desktops, then you add to that the malware and drive-by attacks, and you find yourself spending a lot of time and money on security. With Linux and open source... you just need time, maybe more time, but when you come away from it you really know that you know that your stuff is set up and secure to the best of your knowledge and understanding and you can do more with less resources.

acid_kewpie 07-16-2011 01:25 AM

Let's remember that the OP has posted two near identical questions in a few minutes and not posted since...

vandien76og 07-16-2011 02:05 AM

Quote:

Originally Posted by tronayne (Post 4413931)
Yes.

Why? Well, Unix and Linux systems do not permit privileged execution of programs by an ordinary user (that would infest the operating system, wipe out disk files, or the other "fun" stuff that, in Windows, is far too easy to accomplish); this, of course, presumes that system security is not compromised by the administrator fooling around with things better left alone.

You may want to take a look at http://en.wikipedia.org/wiki/Compari...dows_and_Linux for details.

Hope this helps some.

To find the answer, ask yourself what you expect from Linux distros. Check your needs carefully and analyze them. I hope you will be satisfied.
For more details check this link with this question: Why Linux is better? http://www.whylinuxisbetter.net/. I hope you will find the correct answer and you will be satisfied when you read the arguments. It depends on the user's needs.

kasl33 07-16-2011 02:40 AM

Security is only as good as the person implementing and maintaining it. To my knowledge, Windows 7's firewall has never been cracked. Linux is also secure if you run the proper software as well - however a good password really goes a long way - especially if you use an encrypted file system.

dEnDrOn 07-16-2011 03:23 AM

Quote:

Originally Posted by harry142 (Post 4413708)
hello friends
Please give me the answer

Thank you


I'd suggest not indulging yourselves in these kinds of questions... these can't be answered in a line.
It's very foolish to draw some conclusions... every system has its own pros and cons.
But still, if you want to research a bit, then take a look at these and then tell what you concluded (if you can)...

comparison of linux and windows security


Security Report: Windows vs Linux


good luck...^_^

acid_kewpie 07-19-2011 12:20 AM

Quote:

Originally Posted by dEnDrOn (Post 4416338)
I'd suggest not indulging yourselves in these kinds of questions... these can't be answered in a line.
It's very foolish to draw some conclusions... every system has its own pros and cons.
But still, if you want to research a bit, then take a look at these and then tell what you concluded (if you can)...

comparison of linux and windows security


Security Report: Windows vs Linux


good luck...^_^

So why are you indulging them?? Why is it that so often the worst questions attract the most answers? This dude is not coming back, why do people keep responding?

win32sux 07-19-2011 12:29 AM

Even though the OP isn't returning, I see no reason why this discussion should be stopped. As far as I'm concerned, the topic is totally compatible with LQSEC and everyone is free and welcome to share their relevant thoughts and points of view here.

kasl33 07-19-2011 12:59 AM

Quote:

Originally Posted by dEnDrOn (Post 4416338)
I'd suggest not indulging yourselves in these kinds of questions... these can't be answered in a line.
It's very foolish to draw some conclusions... every system has its own pros and cons.
But still, if you want to research a bit, then take a look at these and then tell what you concluded (if you can)...

comparison of linux and windows security


Security Report: Windows vs Linux


good luck...^_^

Everyone who goes to these articles should check the dates on them. One of them talks about Windows Server 2003 and is from 2004. That's highly outdated; unless things have changed in about the past 2 months, Windows 7 / Server 2008 firewalls have yet to be cracked (if it has been cracked, please let me know!).

I prefer to use Linux, but Windows has come a long way and is working their way slowly away from everything being set in the registry.

tronayne 07-20-2011 07:41 AM

This morning's mail included a Technical Cyber Security Alert, number TA11-200A (available at http://www.us-cert.gov/cas/techalerts/TA11-200A.html). Although not specific to platform, the content may be of some interest:
Code:

                    National Cyber Alert System

              Technical Cyber Security Alert TA11-200A


Security Recommendations to Prevent Cyber Intrusions

  Original release date: July 19, 2011
  Last revised: --
  Source: US-CERT


Overview

  US-CERT is providing this Technical Security Alert in response to
  recent, well-publicized intrusions into several government and
  private sector computer networks. Cyber thieves, hacktivists,
  pranksters, nation-states, and malicious coders for hire all pose
  serious threats to the security of both government and private
  sector networks. A comprehensive security program provides the best
  defense against the full spectrum of threats that our computer
  networks face today. Network administrators and technical managers
  should not only follow the recommended security controls
  information systems outlined in NIST 800-53 but also consider the
  following measures. These measures include both tactical and
  strategic mitigations and are intended to enhance existing security
  programs.


Recommendations

  * Deploy a Host Intrusion Detection System (HIDS) to help block and
    identify common attacks.

  * Use an application proxy in front of web servers to filter out
    malicious requests.

  * Ensure that the "allow URL_fopen" is disabled on the web server
    to help limit PHP vulnerabilities from remote file inclusion
    attacks.

  * Limit the use of dynamic SQL code by using prepared statements,
    queries with parameters, or stored procedures whenever possible.
    Information on SQL injections is available at
    <http://www.us-cert.gov/reading_room/sql200901.pdf>.

  * Follow the best practices for secure coding and input validation;
    use the secure coding guidelines available at:
    <https://www.owasp.org/index.php/Top_10_2010> and
    <https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/305-BSI.html>.

  * Review US-CERT documentation regarding distributed
    denial-of-service attacks:
    <http://www.us-cert.gov/cas/tips/ST04-015.html> and
    <http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf>.

  * Disable active scripting support in email attachments unless
    required to perform daily duties.

  * Consider adding the following measures to your password and
    account protection plan.

  * Use a two factor authentication method for accessing privileged
    root level accounts.

  * Use minimum password length of 15 characters for administrator
    accounts.

  * Require the use of alphanumeric passwords and symbols.

  * Enable password history limits to prevent the reuse of previous
    passwords.

  * Prevent the use of personal information as password such as phone
    numbers and dates of birth.

  * Require recurring password changes every 60-90 days.

  * Deploy NTLMv2 as the minimum authentication method and disable
    the use of LAN Managed passwords.

  * Use minimum password length of 8 characters for standard users.

  * Disable local machine credential caching if not required through
    the use of Group Policy Object (GPO). For more information on this
    topic see Microsoft Support articles 306992 and 555631.

  * Deploy a secure password storage policy that provides password
    encryption.

  * If an administrator account is compromised, change the password
    immediately to prevent continued exploitation. Changes to
    administrator account passwords should only be made from systems
    that are verified to be clean and free from malware.

  * Implement guidance and policy to restrict the use of personal
    equipment for processing or accessing official data or systems
    (e.g., working from home or using a personal device while at the
    office).

  * Develop policies to carefully limit the use of all removable
    media devices, except where there is a documented valid business
    case for its use. These business cases should be approved by the
    organization with guidelines for their use.

  * Implement guidance and policies to limit the use of social
    networking services at work, such as personal email, instant
    messaging, Facebook, Twitter, etc., except where there is a valid
    approved business case for its use.

  * Adhere to network security best practices. See
    <http://www.cert.org/governance/> for more information.

  * Implement recurrent training to educate users about the dangers
    involved in opening unsolicited emails and clicking on links or
    attachments from unknown sources. Refer to NIST SP 800-50 for
    additional guidance.

  * Require users to complete the agency's "acceptable use
    policy" training course (to include social engineering sites and
    non-work related uses) on a recurring basis.

  * Ensure that all systems have up-to-date patches from reliable
    sources. Remember to scan or hash validate for viruses or
    modifications as part of the update process.
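
The password items in the alert quoted above (15 characters for administrators, 8 for standard users, letters plus digits plus symbols, no reuse, no personal information) can be enforced at password-change time. The following is an added example, not part of the thread or of the US-CERT alert; the function names, the PBKDF2 work factor and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Minimum lengths from the alert: 15 for administrators, 8 for standard users.
MIN_LENGTH = {"admin": 15, "standard": 8}
PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for this example


def hash_password(password, salt=None):
    """Return (salt, digest) for the history store; plaintext is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def normalise(text):
    """Lower-case and drop separators so '555-0142' matches '555 0142'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password, role, history=(), personal_info=()):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters for {role}")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)
            and re.search(r"[^A-Za-z0-9]", password)):
        problems.append("needs letters, digits and symbols")
    # History check: re-hash the candidate with each stored salt and compare
    # in constant time, so old passwords are never stored or compared in clear.
    for salt, digest in history:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reuses a previous password")
            break
    # Personal information (phone numbers, dates of birth) embedded in the password.
    flat = normalise(password)
    for item in personal_info:
        token = normalise(item)
        if len(token) >= 4 and token in flat:
            problems.append("contains personal information")
            break
    return problems
```

`history` is a sequence of `(salt, digest)` pairs as returned by `hash_password`, and `personal_info` is whatever the account record holds about the user, for example a phone number or date of birth.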


