Over the past fifteen years, Linux has built its brand around security and flexibility. The open source community and many technology aficionados berate Windows for its security flaws, and hail Linux and Apple as the platforms for serious, reliable computing. Few serious studies have rigorously compared the platforms in the wild, and those that do are often accused of bias. Temporarily setting aside the prejudice that most have regarding the issue, could it be possible that in certain instances, Windows Servers are indeed more secure than Linux?
From a kernel-level perspective, few would argue that Linux is not more secure. The platform has had fewer critical vulnerabilities and its code is widely available for inspection and review. The SELinux extension provides very fine-grained permission and program control, while the large user and vendor base ensures that the platform is rigorously tested and hardened against any discovered vulnerabilities.
The Windows kernel, on the other hand, is much more malleable and subject to change. Each major release features a significant rewrite of the underlying source code, and requires vulnerability testing behind closed doors. Microsoft engineers follow best practices during development, and it’s admirable that they achieve even the current low level of bugs and security vulnerabilities in production deployment; however, the development process simply does not have the scale, manpower, and iterative evolution that the Linux kernel enjoys.
Where the Windows operating system has an edge, however, is in server-side applications. Most of the key server software that runs on Windows machines is provided by Microsoft. In a fully Microsoft shop, Microsoft provides the database server, email server, directory server, file server, web server, application server, and cloud. All of the software updates are streamlined through a centralized Update Server that features extensive testing for compatibility between updates. Software versions are controlled through a single entity – Microsoft – and that single entity is also directly responsible for all failures. Security breaches have a direct and highly negative effect on the bottom line, and as a result, security is often taken more seriously.
Linux, on the other hand, has most of its server-side applications provided by a plethora of open-source organizations. While the application source code is often public and available for inspection, certain software packages are less stringently reviewed than others. Most errors are fixed through a collaborative effort, and serious vulnerability testing is rare in any but the most mainstream vendor-backed projects. Although distributions like Red Hat put a large amount of effort into making sure that the initial release of a Linux version has all packages working seamlessly together, many installations have a way of falling apart after several years. While Microsoft machines will run Windows updates for the full lifetime of the operating system, Linux machines often become discombobulated due to the incorporation of external repositories to handle specific user requirements or to run the newest versions of an application.
Although it’s a wonder that Linux machines still have the low level of breaches they currently do – and this fact alone is a testament to the security of the operating system – the vast majority of Linux breaches are likely unreported. Mission-critical systems at companies that can hire a small army of network engineers to constantly maintain their infrastructure are likely safe; however, smaller organizations with tighter resource requirements might see their Linux machines degrade in security and maintainability over time.
What does this mean for the users? Sometimes Windows machines may be a better fit. In instances where the company doesn’t have resources to invest in constant, dedicated server maintenance for a particular system, it might make sense to choose Windows over Linux. In instances where the application might require leaving the stock vendor RPM repository for external repos, again, it might make sense to choose Windows. Although Microsoft might have a higher count of critical vulnerabilities discovered each year, at least having those vulnerabilities properly patched puts the server far ahead of a Linux machine that can’t even run updates due to dependency hell. Choosing a server platform requires as much an evaluation of the operating system as the infrastructure that the company will put in place to support that system over the lifetime of the software.
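One way to check a server for the repository drift described above, as an added example that is not from the original article: it parses yum/dnf `.repo` definitions and reports enabled repositories served from outside the vendor's hosts or with signature checking explicitly disabled. The host names, repository ids and file contents are constructed sample data, and `VENDOR_HOSTS` is an assumed allowlist.

```python
import configparser
from urllib.parse import urlparse

# Assumption: hosts the distribution vendor serves packages from (placeholder name).
VENDOR_HOSTS = {"cdn.vendor.example"}

# Constructed sample of files as they might appear under /etc/yum.repos.d/.
SAMPLE_REPOS = {
    "vendor.repo": (
        "[baseos]\n"
        "name=Vendor BaseOS\n"
        "baseurl=https://cdn.vendor.example/el/$releasever/BaseOS/$basearch/os/\n"
        "enabled=1\ngpgcheck=1\n"
    ),
    "extras.repo": (
        "[thirdparty-app]\n"
        "name=Third-party application repo\n"
        "baseurl=https://repo.thirdparty.example/el/$releasever/$basearch/\n"
        "enabled=1\ngpgcheck=0\n"
        "\n[old-backports]\n"
        "baseurl=https://backports.example/el/\n"
        "enabled=0\n"
    ),
}

def audit_repo_text(filename, text, vendor_hosts):
    """Return findings for enabled repos that are external or explicitly unsigned."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text, source=filename)
    findings = []
    for repo_id in parser.sections():
        sec = parser[repo_id]
        # yum/dnf treat a repo as enabled unless it says otherwise.
        if sec.get("enabled", fallback="1").strip().lower() in ("0", "false", "no"):
            continue
        urls = " ".join(sec.get(k, fallback="")
                        for k in ("baseurl", "mirrorlist", "metalink")).split()
        hosts = {urlparse(u).hostname for u in urls} - {None}
        external = sorted(hosts - vendor_hosts)
        # Only an explicit gpgcheck=0 is flagged; a missing key inherits from the main config.
        unsigned = sec.get("gpgcheck", fallback="").strip().lower() in ("0", "false", "no")
        if external or unsigned:
            findings.append({"file": filename, "repo": repo_id,
                             "external_hosts": external, "unsigned": unsigned})
    return findings

def audit_all(repo_files, vendor_hosts=VENDOR_HOSTS):
    return [f for name, text in sorted(repo_files.items())
            for f in audit_repo_text(name, text, vendor_hosts)]
```

On a real host, build the `repo_files` mapping by reading each `*.repo` file under `/etc/yum.repos.d/` and pass it to `audit_all` with the vendor's actual package hosts.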
Written by Andrew Palczewski
About the Author
Andrew Palczewski is CEO of apHarmony, a Chicago software development company. He holds a Master's degree in Computer Engineering from the University of Illinois at Urbana-Champaign and has over ten years' experience in managing development of software projects.