
July 6th, 2005

Does OS matter anymore for security?

Posted by George Ou @ 1:39 am

Categories: Security


Whenever I’ve touched on the sensitive topic of Linux vs. Windows or Apache vs. Microsoft IIS security, I’ve come to expect the usual flame treatment and nasty name-calling.  It’s taken as gospel in many IT circles that "Windows security" is an oxymoron; anyone who dares to suggest using Microsoft IIS 6.0 for a public web server faces serious ridicule.  To see if there was any truth to the presumption that Windows Server is fundamentally insecure, I looked up these hacking statistics from www.zone-h.org for 2003 to 2004.  Not only did they not show that Windows was hacked more often, they showed just the opposite: the Linux servers were actually getting hacked and defaced far more often than the Windows servers, and Apache was also being hacked and defaced more than Microsoft IIS.

While most security research comparing operating systems and applications focuses on statistics for the number of vulnerabilities and their criticality, zone-h takes a completely different approach by looking at actual server compromises.  Even more significant is that these are not theoretical hacks in the laboratory but actual website defacements that were confirmed in public.  Zone-h is essentially a centralized "score board" for hackers who want bragging rights for their handiwork.  While the source of the data is highly despicable, there is no denying the value of such data being collected, regardless of the source, because of its accuracy.  When a website is hacked and defaced, there is little room for interpretation of what has transpired, because the proof is in the humiliating public defacement.  While these particular defacements are often the work of recreational hackers who hack for sport and not of professional criminals who hack for financial gain, the techniques used to compromise the servers are usually identical.  Zone-h accurately portrays itself as the pulse of the Internet because it samples server compromises carried out by recreational hackers using the standard tools of the trade.  Why is this significant?  It is very difficult to obtain this information through other means, because most companies are not eager to report server compromises.  Zone-h brings these attacks into the light so that they’re not just swept under the rug, and forces companies to take vulnerabilities seriously.

At the end of the zone-h report for 2003-2004, the author concludes (accurately, in my experience) that the argument about which OS is more secure is totally irrelevant since most modern exploits are against applications and not the operating system hosting them.  This is true because servers are rarely deployed wide open on the Internet without a firewall.  A properly configured firewall minimizes the vulnerability footprint to only permit the ports necessary for a specific application to work, which means the application is the only thing exposed to the hacker.  The zone-h report doesn’t actually prove which OS is more secure, only that the OS is mostly irrelevant and the Windows server security jokes are more myth than fact.
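The paragraph above says that a properly configured firewall shrinks the exposed footprint to the ports one application needs. The script below, added here as an illustration and not part of the original post or of any zone-h tooling, shows what that check looks like in practice: it parses `ss -ltnH`-style listener output (the sample is constructed, not captured from a real host), flags any socket bound to all interfaces that the stated policy does not cover, and emits a default-deny nftables input chain that permits only the required ports. The port sets and the `ADMIN_NET` range are assumptions for the example.

```python
"""
Audit a host's listening sockets against the ports a public web server
actually needs, then emit a default-deny nftables ruleset that permits
only those ports. Illustrative example; the ss output below is constructed.
"""
import re

# Assumed policy: a public web server that serves HTTP and HTTPS, with
# SSH reachable only from a management network (placeholder RFC 5737 range).
REQUIRED_PUBLIC_PORTS = {80, 443}
ADMIN_PORTS = {22}
ADMIN_NET = "192.0.2.0/24"

# Constructed sample of `ss -ltnH` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128          0.0.0.0:11211     0.0.0.0:*
LISTEN 0      511             [::]:80           [::]:*
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return a list of (bind_address, port) tuples from ss -ltnH lines."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def is_wildcard(addr):
    """True when the socket is bound to every interface (v4 or v6)."""
    return addr in ("0.0.0.0", "[::]", "*")


def unexpected_exposure(listeners):
    """Ports bound to all interfaces that neither policy set covers.

    These are the listeners the default-deny firewall must block, and
    that most likely should not be running on a public web server at all.
    Sockets bound to loopback only are not reachable from outside and are
    left out of the report.
    """
    allowed = REQUIRED_PUBLIC_PORTS | ADMIN_PORTS
    return sorted({port for addr, port in listeners
                   if is_wildcard(addr) and port not in allowed})


def nftables_ruleset():
    """Default-deny input chain: everything not explicitly required is dropped."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    ct state invalid drop",
    ]
    for port in sorted(REQUIRED_PUBLIC_PORTS):
        lines.append(f"    tcp dport {port} accept")
    for port in sorted(ADMIN_PORTS):
        lines.append(f"    ip saddr {ADMIN_NET} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS_OUTPUT)
    print("listeners:", found)
    print("exposed but not in policy:", unexpected_exposure(found))
    print(nftables_ruleset())
```

On the constructed sample the audit reports port 11211 (a memcached-style listener bound to all interfaces) as exposed outside the policy, while the MySQL-style 3306 listener is ignored because it is bound to loopback; the generated ruleset never opens 11211, so the firewall narrows what an attacker can reach to the web application itself, which is exactly the point the report makes.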

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 149 Talkback(s)
OS security???
I totally agree with the idea that most exploits are application level. True, there are exploits at the OS level and ALL operating systems can be exploited. That said, the trend is to exploit weakne... (Read the rest)
Posted by: mpasaa | 02/09/07
