While Windows Server 2003 represents a major improvement in security for Microsoft, a new report by the Burton Group finds that Linux and Unix are "more appropriate" for companies that run "high-risk" applications.
Daniel Blum, the report's author, said that there are valid arguments for the superiority of all three operating systems, but some matters are beyond debate.
"One thing is clear in black and white: Windows has been attacked by these large-scale viruses and worms [such as Blaster], and that hasn't happened to Linux and Unix yet," said Blum, a senior vice president and research director for Midvale, Utah-based Burton. "So, in order to avoid having that type of attack spread to your system, it might be worth considering having that be a non-Windows system."
Blum said that it is not uncommon these days for an enterprise to have routine applications run on a Windows-based server, with high-risk applications placed on a separate Linux-based server. He described high-risk apps as those that, "if compromised, could lead to loss of life or loss of a great deal of money."
In the report, released last week, Blum outlined both the positive and negative security aspects of the recently released Windows Server 2003.
Windows Server 2003 security positives:
IIS fixes. Blum said that Microsoft has made "significant functional enhancements" to Internet Information Server (IIS). For example, IIS can now run with multiple processes, so that if something happens to one of the applications that IIS is running, the rest of the server isn't compromised.
Centralized policy management. A new group policy management console makes it easier to create a group policy and display the net effect of different group policies that have been created. "I think there still may be some third-party tools to improve on that, but they've closed the gap considerably there," he said.
Default security settings. "They've reduced the 'attack surface' by turning a lot of things off by default," Blum said. For example, a server that's being used as a print server doesn't need IIS for dynamic content, so that's one less vulnerability.
"Prescriptive guidance." This includes manuals that instruct users on how to harden a server for three different levels. Blum said that Microsoft's highest level of hardening was good enough to satisfy the National Security Agency. He said that the downside of hardening a server to that degree is that many applications and functions won't work because they depend on certain ports to be open. The way to get around that, he said, is to harden the server, "see what broke" and then "loosen it somewhat to get it just right for your environment."
Automatic detection. The upcoming release of Service Pack 1 for Windows Server 2003 will allow automatic checking of clients for up-to-date patch settings, configuration settings and personal firewall settings. If a user's client doesn't meet those requirements, the client is denied access to the network. "That's called quarantine of the client," Blum said.
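The "turn things off by default" and "harden, see what broke, then loosen it" points above amount to a role-based attack-surface review: list what a server exposes, compare it against the minimum the role needs, and document every deliberate exception. The script below is an added illustration of that review and is not code from the Burton report or from Microsoft; the per-role baseline service sets, the service names, and the sample listener list are constructed assumptions, not Microsoft's hardening guidance.

```python
"""Role-based attack-surface audit (added example, not from the report).

Given a server role and a list of listening services, report which services
fall outside the role's minimal baseline.  A service outside the baseline is
flagged 'disable' unless an exceptions table documents why it was loosened
back on after hardening ("see what broke").
"""
from dataclasses import dataclass

# Assumption: hypothetical minimal service sets per role.  These are
# illustrative, not Microsoft's prescriptive-guidance baselines.
ROLE_BASELINES = {
    "print-server": {"spooler", "smb", "rpc"},
    "web-server": {"http", "https", "rpc"},
    "domain-controller": {"ldap", "ldaps", "kerberos", "dns", "smb", "rpc"},
}


@dataclass(frozen=True)
class Listener:
    name: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Finding:
    listener: Listener
    action: str   # "disable" or "allowed-by-exception"
    reason: str


def parse_listeners(text):
    """Parse constructed 'name port/proto' lines into Listener objects.

    Blank lines and '#' comments are skipped; names are normalised to
    lower case so baseline lookups are case-insensitive.
    """
    listeners = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, endpoint = line.split()
        port, proto = endpoint.split("/")
        listeners.append(Listener(name.lower(), int(port), proto.lower()))
    return listeners


def audit(role, listeners, exceptions=None):
    """Return a Finding for every listener the role's baseline does not cover.

    `exceptions` maps a service name to the documented reason it stays
    enabled (the 'loosen it somewhat' step); everything else outside the
    baseline is a candidate to turn off.
    """
    exceptions = exceptions or {}
    baseline = ROLE_BASELINES[role]
    findings = []
    for lst in listeners:
        if lst.name in baseline:
            continue
        if lst.name in exceptions:
            findings.append(Finding(lst, "allowed-by-exception", exceptions[lst.name]))
        else:
            findings.append(Finding(lst, "disable", f"not required by role {role}"))
    return findings


def to_disable(findings):
    """Sorted service names that should be turned off."""
    return sorted(f.listener.name for f in findings if f.action == "disable")


# Constructed sample inventory of a print server; not captured from a real host.
SAMPLE_LISTENERS = """
# constructed sample
spooler 515/tcp
smb     445/tcp
rpc     135/tcp
http     80/tcp
telnet   23/tcp
snmp    161/udp
"""

# Constructed exception: the monitoring agent stopped working after hardening,
# so SNMP was re-enabled with a documented reason (placeholder ticket id).
SAMPLE_EXCEPTIONS = {"snmp": "monitoring agent broke after hardening; ticket TICKET-PLACEHOLDER"}


if __name__ == "__main__":
    for f in audit("print-server", parse_listeners(SAMPLE_LISTENERS), SAMPLE_EXCEPTIONS):
        print(f"{f.listener.name:8} {f.listener.port}/{f.listener.proto:4} {f.action:22} {f.reason}")
```

Run against the constructed print-server inventory, the audit flags `http` (IIS is not needed on a print server) and `telnet` for disabling, and records `snmp` as an allowed exception with its reason, which is the artefact you would keep alongside the hardening baseline so later reviews can tell a deliberate loosening from drift.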
Windows Server 2003 security negatives:
Complexity. Windows Server 2003 has 40 million to 60 million lines of code -- far more than Linux. That's because Windows comes bundled with a Web server, a directory and a host of other features. "The bundling is good sometimes for customers, because they get all of this functionality for free with their client-access licenses, but it also means that every Windows box out there has all of this complexity, and you don't need all of it," Blum said.
Support for interfaces such as ActiveX. ActiveX, Microsoft's answer to Java, is unmanaged code that is used to connect Microsoft's Web applications. Blum said that ActiveX has the potential to make all applications on a server vulnerable to malware. He recommends that enterprises use .NET's managed code or Java on a server that is running applications containing sensitive data.
Costly patches. Blum said that one Fortune 100 company spent $20 million in "people time" to deploy a number of critical Microsoft patches during one week last year. "It's a very bad situation right now," he said. "Also, the window of vulnerability between the time that enterprises are able to get these patches deployed and the time they come out is longer than it should be." Blum said that some of that pain should be alleviated through better third-party patching tools and through the release later this year of Software Update Services 2.0, which is a free Microsoft management tool.