For a lot of my working life I’ve been in a heterogeneous environment, having to keep both Linux and Windows computers running and secure. Although it is fair to say that given I write books for Microsoft, my feet are firmly in the Windows camp, it is also fair to say that, given that I’ve been a sysadmin on mission critical Linux boxes since the mid 1990’s, I’m not exactly new to the penguin (I even share Linus Torvalds’ birthday).
It should be taken as true that a highly trained Windows Server 2003 administrator can lock down a Windows Server 2003 computer as tightly as a highly trained Linux administrator can a Linux computer. A question that has long interested me is in the case where the administrator is untrained or moderately trained, which operating system is more secure? As I’d learnt my sysadmin practices from building and maintaining a Red Hat server, I found the transition to administration of NT fairly easy.
The thing that struck me then and which has stayed with me even now is that performing administrative tasks in a Windows computer was far less time consuming than performing the same task on a Linux computer. When I administer a Linux computer, I always feel that I’m doing something incredibly complex and impressive. When I administer a Windows computer, especially Windows Server 2003, I don’t feel that way so often. Tasks such as the configuration of a web or DNS server take more time on one platform than the other. Sure, there is a lot of very complex stuff you can do with a Windows configuration, but a lot of the low level stuff is dead easy.
The interesting thing is that one gets the feeling that because it is more time consuming to do a task on Linux and point-and-click easy on Windows, the Linux configuration is more secure. Perhaps this arises because somewhere in my head I equate ease of configuration with something being less secure. Of course just because something feels more secure doesn’t mean that it actually is. Any administrator that congratulates themselves on how great they are at securing a computer is likely to find their computer root-kitted for their hubris.
The question that I’m circling around and will provide more thoughts on in the future is:
Would an administrator with only a little experience be able to lock down a Linux computer as effectively as they could lock down a Windows computer?