
March 23rd, 2005

Is Windows more secure than Linux for web serving?

Posted by George Ou @ 2:49 am

Categories: Security


At the risk of starting another holy war, I had to comment on this story. Robert Lemos reports on a study that concludes Windows is more secure than Linux for Web serving. Although the test was funded by Microsoft, the two authors of the study did publish all test methodology so that it can be independently scrutinized and repeated. In general, vendor-funded studies almost always favor the vendors that fund them. This statistic obviously makes sense, since no company would ever fund a study that they either expected to lose or if they couldn’t get the researchers to "fudge" the numbers in their favor. The big question here: Is this a case of fudging the numbers or is there some truth to it?

Since this was primarily a comparison of Web server technology, we’re mainly talking about IIS 6.0 and Apache 2.x. From a real world standpoint, it can be argued that other vulnerabilities pertaining to the underlying operating systems and other non-Web related components for Windows or Linux are less of a security priority. A locked down Web server will only have TCP ports 80 and 443 open on the local firewall, whether you’re talking about Linux IPChains or Windows Firewall. Therefore, the only thing that is exposed beyond the Ethernet adapter of the server is IIS 6.0 or Apache 2.x, and these are the main things we need to worry about when evaluating Web servers. So let’s compare these two platforms’ security track records.

If we look at the SecurityFocus Web site vulnerability search page and we type in keywords "Apache 2" and "IIS 6.0", we will see that there is basically only one security advisory for IIS 6.0 since its inception, and we can see that there are many advisories for Apache 2. Unfortunately, the results don’t really elaborate on what this actually means in terms of severity of the advisories. A better security research site is secunia.com, which does go into much more detail with nice graphical analysis. When I searched Secunia, I found the following results.

IIS 6.0 track record:
IIS 6.0 has only three advisories listed for the last two years and none of the advisories were rated beyond moderate. Two advisories were moderate and one was rated low. Only one was not patched.

Apache 2.0.x track record:
Apache 2.0 has 22 security advisories and two were not patched. One was rated high, seven were rated moderate, and 13 were rated low.

Both comparisons were from the year 2003 to 2005 and represent the most modern versions of their respective platforms, so it’s a pretty fair comparison. Based on this information, it is easy to conclude that IIS 6.0 has a much better track record than Apache 2.0.x and that Apache needed to be patched more frequently. In light of this data, we have to wonder if Windows 2003 server really is better than Linux and Apache for the purpose of Web serving. What do you think? Talkback and let your opinion be heard.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

Talkback: Most Recent of 38 Talkback(s)

Who reports exploits?
It is well known that epidemiological statistics on diseases are skewed by changing attitudes toward various "afflictions" -- many non-life-threatening ailments appear to be on the rise because they a...
Posted by: Jick Posted on: 11/03/05
