FAQ: Inside Microsoft's Client Protection

TalkBack 27 of 69:

Next »

« Previous

• Thread View
• Flat View

A few corrections

I think you make a lot of really great points, but I think your info about Windows is a bit outdated.

>>the way you think they do or for the reasons you think(at least inbound), this is a common misconception<<

Actually, the misperception is that a firewall is ONLY useful for inbound connections. Can you guarantee that every program you install is not malicious or spyware? If not, then you need outbound protection as well. And even if you assume every program you have is not malicious, do you realize how many programs actually do open listen ports? Try doing a port scan one day, you may be surprised (depending on how well you set up your box).

>>Windows this is usually necessary because many services start up <<

Linux as well. I think a lot of these services are now disabled by default, but it used to be a lot of really dangerous ports and services (whois, finger, etc) were all left running. As you say, modern distributions lock these down, but then again Windows XP SP2 also locks down all public ports as well.

>>Since you know all the services that are listening for connections, then a firewall is pointless<<

Again, this misses the point. Some attacks use valid services and then exploit vulnerabilities in the program (the most common being buffer overflows). Even with LUA, if that service is running in a privileged thread, you have now hosed your system. If it is LUA, then you're safe, but this is also the case in Windows. Not every Windows service runs as a privileged account. And this is actually customizable. Even if a service runs as a privileged account, in most cases, you can manually demote privilege or set the service to run as a different account entirely. A firewall that does stateful packet inspection is the only protection.

>> two off the top of my head are ExecShield and SELinux<<

Great examples. This completely proves my point. The point is you have to install extra software to get to this stage. This security doesn't come natively to Linux either.

>>The fact that its file systems have to be defragmented says it all<<

I thought Linux also uses FAT? Beyond that, I'm not sure where you got this misperception. If you properly isolate your virtual disk space from your storage space, you never have to defragment on Windows either.

>>Linux is implemented with a least privilege design, in contrast with Windows model of most privilege<<

That's actually not true. Most users run with admin simply because this is what they are used to. At home, I run XP Home in limited user mode. The only time I ever switch to Admin mode is when I need to install something. True, the advantage Linux has is that you can install without being Admin, but frankly software installation is something I do once a month at most so it's trivial to run Windows with LUA. And in fact, Vista is designed completely with LUA. Correct me if I'm wrong, but running Linux as root is just as vulnerable as running Windows as admin.

>>Linux takes security much more serious than Microsoft<<

Not to be nitpicky, but Linux is not an entity. Linux has not devoted billions of dollars and thousands of developers into security. Linux has not acquired several security companies to provide better security software. Microsoft has. To claim that Microsoft is not security conscious is a gross exaggeration. This very article (MS Client Protection) disproves that entire notion. Microsoft takes security very seriously.

>> it pays off greatly and makes your life much easier<<

I very strongly disagree. It pays to be educated. You can be an educated Linux user. You can be an educated Windows user. You can even be both. A properly secured Windows box is no less inherently "dangerous" than a properly secured Linux box.

>>Also, if you want to see the currently most secure OS you may want to check out OpenBSD<<

Again, the OS is not the only problem. Your OS might be the best, most secure, most efficient one ever. But you only have to install one bad application (say your have a corrupted browser) to turn your entire computer into a massive security risk. And beyond that, human error plays a large part too. No OS is going to stop a user from stupidly entering their credit card info onto a scam website (yes, anti-phishing software helps, but if a user is determined to be stupid...)

If we were talking about Windows 5 years ago, I would absolutely agree with every single point you bring up. These days, the security gap is not as large as the common misperception. I'm no Linux expert, so please correct me if I made any mistakes about what I said about Linux (Windows too, I don't claim to know everything).

Posted by: java.user   Posted on: 10/07/05 You are currently: a Guest | Members login | Terms of Use

Alert moderator to an offensive message

Subscribe to this discussion via Email or RSS

SponsoredWhite Papers, Webcasts, and Downloads

• The True Costs of Virtual Server Solutions VMware In an economic environment that is repeatedly heralding the message "do ... Download Now
• Three Steps You Need to Know to Stop Data Loss Varonis Sensitive data exposed to misuse or loss... it is the stuff of nightmares ... Download Now
• The Impact of Virtualization Software on Operating Environments VMware Today's use of virtualization technology allows IT professionals to ... Download Now