By: Shawn K. Hall
Posted: October 7, 2005
You've decided it's time to create your own website, but there are so many choices; how can you choose the right option? This hosting provider says Linux is the best and most secure system, while the other guy swears by Windows.
Still another says "DON'T CHOOSE the windows server unless you have to," because the system is too buggy.
The most common reason this type of thing is said is FUD: "fear, uncertainty and doubt." People believe, incorrectly, that Windows is inherently less secure than Linux, and therefore, it is a less reliable and less trustworthy operating system.
Any operating system, application or script is only as secure as its administrator. Every computer is exactly as secure or insecure as the people running it are capable of making it.
What Linux has over Windows is not security, but obscurity. There is a huge difference. Security is a process - a layered approach to containing and restricting the function of a system (physical or logical) against external influence. Obscurity, however, is merely a byproduct of that process, not the process itself.
Linux, though in the significant majority in actual hosting environments, is still far less understood than Windows, which builds upon its broad permeation into the desktop market. Granted, desktops and servers are two very different beasts, but familiarity with a Windows desktop provides a good base to build upon for Windows servers. To put it in perspective: more people have used Windows servers than Linux desktops, and Linux servers are in far greater abundance. Is it really possible that each Linux server administrator (remember the numbers) is more skilled at administering an operating system they have spent less time with than the Windows server administrators, who likely have many years of experience with various forms of Windows? It's really that simple.
Windows servers are capable of running more server extensions (and thus more server side scripting engines: more capabilities) and parsing more file types than Linux servers are, and where different versions of parsers and scripting engines are available, the Windows version is usually the more recent/complete. This is not an opinion, it is a fact.
Windows computers are generally more vulnerable only if you consider that 80% of the world is using one form of Windows or another, and, due to that fact, the vast majority of people administering those computers don't have the first clue about maintaining them correctly.
Contrary to popular belief, Linux is not a single operating system. It is a kernel - the very focused core functionality of a general operating system, itself limited in scope and function. There are about a billion different distributions of Linux since many people compile (create) their own versions particular to the task at hand.
Consider this from the perspective of a web developer: how familiar are you with every function of every line of code responsible for making your website work? Not just the HTML, CSS, JavaScript and DHTML, but the libraries responsible for the actual server-side processing of every line of code, for ensuring that files are sent to the client correctly, that memory is released correctly after every function call, that all connections are closed and that objects are destroyed in the correct order. Every extension, add-on, program, library and filter is something the compiler takes responsibility for.
Myself, I'm a security fanatic. I spend several hours every single day monitoring security lists, writing and reviewing code for security considerations, analyzing and publishing exploit code, and following trends to discover new holes before they can become a problem. Very few computer administrators are anywhere remotely as obsessive about this as I am. I don't understand how it would be easier to trust an operating system that is more cryptic and is, along with its applications, often self-compiled. The potential issues in compiling any single application across hundreds of different potential build environments are simply insane and untrustworthy. Sure, there are standard libraries and builds for the more common distributions of the Linux core, but due to the nature of the system being, well, piecemeal, it's impossible to compare that system's state with any other with absolute certainty.
To put this in perspective, let's look at the actual security of servers out there:
Zone H - The internet thermometer
(The current defacement database statistics at http://www.zone-h.org/en/stats are disabled.)
What, you mean Linux servers are defaced several times more frequently than Windows? Really, who'd have thunk it!? Okay, how about comparing Linux to Windows Server 2003? What? 50 times more defacements on Linux servers than Windows 2003?
Need a little more? How about phpBB - the most popular forum on Linux: Hosts Ban phpBB As Security Issues Persist
I'm not saying that Linux is less secure than Windows. I'm saying something altogether different: the operating system is not the determining factor, the administrator is. Part of my 'offline' business is building firewalls, something I spend a good deal of time doing. For this I use a very barebones Linux distribution as the foundation, a role in which it functions perfectly well. I personally use both types of systems daily - they each serve their purpose. Neither is inherently any more secure than the other, and they each require constant management and maintenance.
The question you should be asking yourself is why your host or "informer" has made such a blanket statement as "DON'T CHOOSE the windows server unless you have to." Why? My guess would be $$$. Linux, under its many faces, is open-source software that does not require registration or licensing fees for its use. Vendors who build operating systems from the Linux kernel are required to provide it, as source.
Thus, anyone can actually build a Linux system for little more than the cost of the hardware. Licensing Windows, on the other hand, can be very expensive. A single license for Windows Server 2003 costs $399 to get in the door, and can run as much as $4,000. That's a quick profit of $400 simply by convincing your users that Linux is "better" without providing any details. $400 isn't a lot of money in the grand scheme of things, but it adds up, especially for a 'mom and pop' organization like my own business.
Regards,
Shawn K. Hall