The number of patches and the time required to test and deploy them can increase operational costs. Other factors can affect the ease or difficulty of patching a system, including whether a patch is backward-compatible and can be implemented without breaking an application.
The task of patching a Windows system is complicated by the tight integration of the Windows application runtime environment and the operating system.
In contrast, under Linux the application runtime environment is a user space process and is not part of the operating system. The tight integration of a Windows operating system increases the number of potential security exposures; in effect, this means a Windows server patch is not a feature but often a requirement.
Meeting that requirement is made more complex by the variety of Microsoft partners and independent software vendors who provide patch management, and by the need to evaluate which package works best for a given organization. The number of Windows patches will continue to grow because of the non-trivial nature of exploits like Blaster, Code Red, Sasser, and others. Patch management under Linux is often easier because of the separation of kernel and user space, which reduces the number of potential significant security exploits.
Although every Linux distribution comes with patch management tools, system vendors and independent software vendors are also releasing third-party tools. Patch management on a Linux system provides more transparency than a similar process under Windows. Linux distributions provide all changes, which are applied to every package.
Since Linux is open source, unlike Windows, there is unrestricted access to the history of all of the source code. Also, with Linux there is often more flexibility to use either a GUI or the command line to patch a system. Fundamental changes in the security capabilities of Windows and Linux are vital since they are positioned as the top two operating systems, based on new server shipments.
However, advances in operating system security are only as good as the users who take advantage of them. How secure an IT infrastructure is will vary not only based on the Linux distribution and Microsoft product and service pack deployed, but also by what patches customers choose to implement. Another major change with Linux v2.
The NSA researchers worked on Linux security modules to support type enforcement, role-based access controls, and multi-level security in the v2. SELinux, using a security scheme known as Domain Type Enforcement, can limit the impact of compromised applications or network services by separating applications from each other and from the base operating system.
For example, Immunix offers a set of products, including StackGuard, and sub-domain LSM modules to configure a process to a specific system call. Today, Linux has a powerful, flexible mandatory access control architecture built into the major subsystems of the kernel. The system mandates the separation of data based on confidentiality and integrity requirements, so any potential damage, even by a superuser process, is confined on a Linux system.
Linux v2. This enables multiple algorithms e. With security abstracted to the protocol level, applications are less vulnerable to a potential exploit. Cryptographically signed modules are not yet a part of Linux, but if the issues about implementing such a feature can be resolved it will prove useful in preventing unsigned modules from being accessed by the kernel.
One of the issues that continues to plague Windows users is buffer overflow. Linux users will appreciate the ability to use the exec-shield patch, which is available with the Linux 2. Exec-shield enables protection against a variety of exploits that attempt to overwrite data structures or insert code within these structures. Since a recompile is not required for the exec-shield patch to work, this makes it easier to implement. Also, the addition of a preemptive kernel, also in v2.
Many Linux users depend on non-open source drivers and other binary modules from hardware manufacturers and systems providers. The problem is that although adding these drivers and modules is often useful, it is not necessarily beneficial to the operation of a Linux system. For example, a non-open source driver or binary module can overwhelm a system call and change the system call table.
The Linux v2. This feature promotes stability, but does not place any new restrictions from a security point of view to stop a determined hacker from writing a malicious module.
Perhaps one of the most innovative developments for Linux users is User-mode Linux (UML), which is a patch for the Linux kernel that allows an executable binary to be compiled and executed on a host Linux machine. There are a number of advantages to UML, but the more compelling attribute is the ability to use it as a virtual machine.
Since processes within UML are not allowed access to the host system, it can be used as a sandbox to test software, run unstable distributions, and examine activities that could otherwise pose a risk. UML will eventually lead to a fully virtualized environment for security infrastructure.
My goal here is to provide a framework for users to increase their understanding of Windows and Linux security capabilities.
The following analysis is by no means comprehensive and is intended as a starting point for end-user evaluation. As the technical innovation of Linux and Windows continues, so will the discourse on which is more secure. The overall finding of this analysis is that Linux provides more secure capabilities than Windows.

Qualitative Score.
Antivirus, firewalls, intrusion detection software, Web servers, email, smart card support.
Installation, configuring, hardening, administration, vulnerability scanners.
Install and configuration tools come with Windows, no specific hardening tool, admin GUI, security by default has been emphasized lately.
Microsoft participates in open standards but has some proprietary standards.
Linux is superior.

The user of a Linux system can decide to add additional security mechanisms to a Linux distribution without having to patch the kernel.
Various access control mechanisms have been built on top of LSM; for example, building compartments that keep applications separate from each other and from the base operating system, which limits the impact of a security problem with an application.
Although modules are not all signed by one key, since MSCAPI trusts a large number of root certifying authorities, and trusts multiple keys for code signing, it takes only one key to be compromised to make the entire system vulnerable to attack. It has even deployed ML models to scan for potential threats continuously and has the biggest malware signature database.
But hackers persistently leverage any potential or unpatched vulnerabilities of the operating system for their own ends.
So the Windows operating system does not come with inherent flaws that make it more vulnerable than other platforms. Microsoft has also taken a very proactive stance of rolling out regular Windows updates so that any vulnerabilities can be patched quickly. Windows comes with anti-malware software by default, which is very capable of detecting all kinds of malware with the help of things like signatures, YARA rules and reputation checks, even though it will not safeguard the organisation against more advanced attacks.
In addition to this, Windows also has a sandbox installed in its stores, which safeguards a PC from threats which other security systems may have missed. Also, Windows makes use of code signing checks, which leads to less data tampering.
On a Windows device, code signing is checked both at the time of installation and at the first run of an application. Mac OS has a reputation for being secure by default. But that mostly means that it does not run several network services out of the box that could be attacked.
By default, the T2 chip also blocks free and open-source software from loading. Macs face fewer viruses than the Microsoft Windows operating system.
PCs have been more popular, with the number of Windows operating systems connecting to the web far exceeding those of Macintosh or Linux. The result has been an influx of cyber attacks targeted at PC users and the Windows operating system.
It consists of many mechanisms which are enforced by the kernel. This protects against modifications by processes without a particular entitlement, even when executed by the root user or a user with root privileges.
Linux is entirely open-source, unlike other operating systems, meaning one literally has thousands of people around the globe tearing apart the Linux source code on a daily basis. The open-source community looks for every single security vulnerability and then issues a security patch for it.
The more people you get to look at and review your code, the better. A lot of industry experts say that Linux could be safer than both Windows and macOS. Linux has advanced options to sandbox any process, which is the reason why some analysts and users view Linux as more secure than Windows and macOS.
Linux implements various aspects of security that are intended to complement each other. Fedora applies Security-Enhanced Linux by default, which implements a variety of security policies, including mandatory access controls, which Fedora embraced early on. In multiprocessing, every process has a separate address space, and CPUs can be added to increase computing power. Windows supports multithreading, meaning many threads are created from a single process to increase computing power.
In multithreading, many threads of a process are executed simultaneously, and a common address space is shared by all the threads. It has a robust and efficient file system. The file system is represented as a hierarchical tree under the same root.