Operating system comparison: The Windows OS security debate

The security debate between Linux, Mac OS X and Windows got even more heated when Google ended its internal use of Windows. Tom Chmielarski explains when an organization may (or may not) be ready for a change in operating systems.

SearchMidmarketSecurity.com reader: Google made some waves when they began ending internal use of Windows. Why was that the case, and will the shift in operating system make a difference? Can you do a quick operating systems comparison?

Tom Chmielarski, resident security expert: Google began a move away from Windows on the desktop earlier this year, according to a report by the Financial Times. This change is reportedly driven by security concerns and by Google's desire to use its own products, including Chromium, the upcoming Linux OS from Google.

Before considering the ramifications of this shift, however, let's consider Google itself. Google is atypical of many organizations and is not necessarily a good reference model for your organization; they have very large Linux server farms and the experience and tools that go with that, as well as a large number of qualified Linux support personnel. They have also developed two Linux-based OSes (Android and Chromium OS). It is worth noting that Chromium OS has an emphasis on Web-based computing.

Rather than speculating too much on Google's motivations, which I do not know, let's consider the following questions:

  • Will it make a difference to change operating systems?
  • And, by extension, is that kind of transition something you should consider for your organization?

The debate regarding Linux versus Mac OS X versus Windows is a heated one, and I won't solve it here. I will emphasize, however, that workstation security depends on far more than the security of the OS itself. As for an operating system comparison, Windows has the largest market share of OSes, the old argument goes, and is therefore the most attacked. This means the vulnerabilities within the various Windows versions are more likely to be uncovered and used.

Linux and OS X both have security problems of their own, though. Apple, from a straightforward numbers perspective, has had more security vulnerabilities in 2010 than Microsoft. However, the use of vulnerabilities as a numerical indicator of security is much debated as well.

Security of the desktop is important as the desktops are an entry point to your organization and frequently contain sensitive data. (Chromium's emphasis on Web services, such as Google Docs, might help shift more of that sensitive material to centralized servers that are, in theory, more secure.) At a high level, the security of those endpoints depends on several factors including:

  • How secure is the underlying OS?
  • How securely is the OS configured?
  • How well is the OS managed to prevent configuration drift and ensure patches are applied?
  • How secure are the applications running on that OS?
  • What privileges do users, and user-space applications, have to modify the operating system?
  • How prone are your users to make poor security decisions?

The choice of operating system (Linux/OS X/Windows) only pertains to the first two items in this list, although they are two very important considerations. This leaves us with configuration management, user rights management and application security. Basic systems management of Windows desktops is relatively easy, and your typical IT person can do it or pick it up with a little reading. The complexity of Windows administration is somewhat deceptive, though, since it's much easier to get basic management functions working ( WSUS, for example) than it is to do the configuration and management reliably and securely.

Linux management is trickier, and the number of subject matter experts available to hire is much smaller. Does your organization have the tools and skill sets required to securely manage Linux workstations? Given the normal IT emphasis of "more with less" and "do it yesterday," it's not surprising that many organizations have poor systems management practices and barely any asset management.

Limiting user rights -- not letting everyone have local administration rights -- is an important security precaution. This model is fairly common in the Linux world. Windows deployments, however, frequently give every user local administrative rights, which means malware is more easily able to install itself. Windows Vista and Windows 7 offer improved user account control features, but they are too frequently ignored in lieu of the convenience of letting everyone have complete control of their own desktop.

The security of the application is much less important if it doesn't have the ability to modify the OS or access the data stored on that system. Adobe's recent announcement that Adobe Reader will use sandboxing to control access to the OS is an example of an (attacked) application vendor's response to security problems.

User education, which is mostly non-technical, is another important consideration. You're not likely to succeed in securing the workstations if your users are prone to respond to 419 scams, open email attachments from people they don't know, and install random software from the Internet.

To determine if a move to Linux or Mac OS X is right for you, consider your ability to manage and otherwise support Linux desktops. You'll also need to ensure your applications and users can function in a Linux environment.

Lastly, as I noted above, a shift to cloud computing, if you assume the cloud itself is secure, has a security benefit of removing some sensitive data from that endpoint. If, however, an attacker gains user credentials by compromising the endpoint and monitoring user activity, then that benefit is largely negated.


This was last published in August 2010

Dig Deeper on Microsoft endpoint security management

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

The security debate between Linux, Mac OS X and Windows got even more heated when Google ended its internal use of Windows. Tom Bearskin• P
Hardware vs. software
Before we talk about different types of computers, let's talk about two things all computers have in common: hardware and software.
• Hardware is any part of your computer that has a physical structure, such as the keyboard or mouse. It also includes all of the computer's internal parts, which you can see in the image below.

Software is any set of instructions that tells the hardware what to do. It is what guides the hardware and tells it how to accomplish each task. Some examples of software include web browsers, games, and word processors. Below, you can see an image of Microsoft PowerPoint, which is used to create presentations.

What is an operating system? An operating system (sometimes abbreviated as "OS") is the program that, after being initially loaded into the computer by a boot program, manages all the other programs in a computer. The other programs are called applications or application programs. The application programs make use of the operating system by making requests for services through a defined application program interface (API). In addition, users can interact directly with the operating system through a user interface such as a command language or a graphical user interface (GUI).
An operating system performs these services for applications:
explains when an organization may (or may not) be ready for a change in operating systems.
Cancel

-ADS BY GOOGLE

SearchSecurity

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

ComputerWeekly

Close