Which is more secure: Linux or Windows?

2 10 2012

This has been a hotly debated topic for many years in the computer and technology community. With many people arguing for each side, I decided to take a closer look at both operating systems to see which one is more secure. Now, when you talk about security there are many avenues one can take. Some talk about how well a problem can be found and mitigated, since problems are inevitable, while others look at the inherent security that lies within the structure of the OS. I will be focusing on a combination of the two and will be breaking down my findings into 4 groups: Privileges, Responsiveness to threats, The Monoculture Effect, and The Human Factor.

When speaking about privileges, the understanding of what a user can and cannot do comes into focus. Words like administrator and super user enter the vernacular of both ordinary and advanced users. In the security realm, privileges are a big deal, and the amount of power a single user has over his/her system is vital to how secure the system can ultimately be. This is why Linux surpasses Windows when it comes to preventive security through limited access. According to Katherine Noyes of PC World, “In Windows, users are generally given administrator access by default, which means they pretty much have access to everything on the system, even its most crucial parts. So, then, do viruses. It’s like giving terrorists high-level government positions.”[1] This is a problem because at any time a less than savvy user can go into the registry and completely destroy their computer. A friend of mine once went into her registry and deleted her HKEYs because she heard they were viruses. Having that kind of power over your machine right at the starting line is extremely dangerous to one’s security, and Linux handles that situation far better than Windows. Katherine Noyes continues by saying “With Linux, on the other hand, users do not usually have such “root” privileges; rather, they’re typically given lower-level accounts. What that means is that even if a Linux system is compromised, the virus won’t have the root access it would need to do damage system wide; more likely, just the user’s local files and programs would be affected.”[1] By restricting the user to an account with lower privileges, you reduce the attack surface available to a virus or an assailant. With time and knowledge the user will become keener on how the system works and will be able to access the super user or root level when needed. So when it comes to privileges, Linux is the winner.
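To make the lower-privilege point concrete, here is an added example (not part of the original post or of the articles it cites) that audits which accounts on a Linux system can actually act as root, by reading data in the /etc/passwd and /etc/group formats. The sample data is constructed, and the assumption that the sudo, wheel and admin groups are granted root through sudoers is mine; it depends on how a given system is configured.

```python
# Added example: audit which accounts can act as root (passwd/group formats).
# The sample data below is constructed, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:
bob:x:1001:
"""
# Assumption: these groups are granted root via sudoers, as on common distros.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}


def _records(text, min_fields):
    """Yield colon-separated fields, skipping blanks, comments, short lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= min_fields:
                yield fields


def privileged_accounts(passwd_text, group_text):
    """Return {account: [reasons]} for every account that can act as root."""
    groups = {f[0]: (int(f[2]), {m for m in f[3].split(",") if m})
              for f in _records(group_text, 4)}
    findings = {}
    for f in _records(passwd_text, 7):
        name, uid, gid = f[0], int(f[2]), int(f[3])
        reasons = ["uid 0"] if uid == 0 else []
        for g in sorted(ADMIN_GROUPS & groups.keys()):
            admin_gid, members = groups[g]
            if name in members or gid == admin_gid:  # supplementary or primary
                reasons.append(f"member of {g}")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for account, why in privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{account}: {', '.join(why)}")
```

In the sample, the second UID 0 account (toor) is the kind of finding that matters: it has full root power without being named root, while bob and daemon stay confined to their own files.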

Now, the fact that Linux restricts privileges doesn’t mean it is immune to viruses or other threats. As with any system created by fallible humans, things break, mistakes are made, and accidents happen. How we deal with these problems is a sign of how good our security is because, as any security specialist knows, mitigation is just as important as prevention. Windows excels in response and mitigation when compared to Linux. Brier Dudley of the Seattle Times reported on a study comparing Windows servers and Red Hat servers to find out which one was more secure. In his article he said, “They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft’s on one, the open source Apache on the other). Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when vulnerability is first reported to when a patch is issued. On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.”[2] The report showed that it took Microsoft 41 fewer days to find out about the problems and fix or patch them. This is a big deal when you are a company that can’t afford to have its servers exposed for that long. You could potentially lose a lot of money if a problem like that cannot be fixed as soon as possible.

Another point in favor of Linux is the dominant monoculture found in the Windows ecosystem. Nilotpal Chowdhury, in his article “Why Linux is More Secure than Windows”, said, “The Windows environment has been likened to a monoculture. There is great homogeneity which makes it easier for crackers to write exploit code, viruses and the like. Compare this to the Linux world. Here, a program can be a .deb, .rpm, or source code, to name a few. This heterogeneity makes it difficult for crackers to have the widespread impact that is possible on Windows.”[3] This is just one example, but there is a lot that can be gleaned from it. Windows has streamlined its production into one system that everyone gets, which does not promote diversity between systems. So when an attacker is planning an attack on a Windows system, he/she knows that every Windows system is the same and that no additional reconnaissance is needed. The attacker also knows that a virus created for one computer is very likely to affect a large number of computers, because everyone is on the same system. If there is a hole in the OS and no patch has been sent out yet, that hole will be in every single Windows computer, making it a very good environment for attackers. Linux, by contrast, has a diverse culture with so many versions of the OS that an attacker would find it extremely hard to hit a large set of Linux computers with one attack. This diversity makes Linux a little more secure than Windows.

The last and most important factor to consider is the Human Factor. Ultimately, the security of the OS is only as good as the people using it. The people at the keyboards are the ones who control how secure or insecure a system can be. Naturally, if everything were done and handled the way it is supposed to be, this conversation would not have to happen. But more often than not these systems suffer from audience sabotage. Whether you are running Linux, Windows, or even Mac, as a user you ultimately have the final say on whether your system will be secure or not. Does a user decide not to open an email that looks suspicious? Does a user decide to keep logs on his/her computer for auditing purposes? Does a user minimize the attack surface of his/her system? Does the user even care? These are just a few of the questions that one has to think about when dealing with the human factor.

So, ultimately it is extremely hard to determine which one is the most secure because everyone has their own biases and belief system, but if you want my opinion, I would have to say that Linux is conceptually more secure. What do you think? Write down your responses in the comment box below.


[1] Noyes, Katherine. “Why Linux Is More Secure Than Windows.” PC World, 3 Aug. 2010. Web. 25 Sept. 2012. <http://www.pcworld.com/article/202452/why_linux_is_more_secure_than_windows.html>.

[2] Dudley, Brier. “Study Finds Windows More Secure than Linux.” Business & Technology. The Seattle Times, 17 Feb. 2005. Web. 26 Sept. 2012. <http://seattletimes.com/html/businesstechnology/2002182315_security17.html>.

[3] Chowdhury, Nilotpal. “Why Linux Is More Secure Than Windows.” Free Web Software Reviews, 20 Dec. 2007. Web. 25 Sept. 2012. <http://freewebsoftwarereviews.blogspot.com/2007/12/why-linux-is-more-secure-than-windows.html>.



