Linux vs. Windows: Which is Most Secure?

I’m more secure on Linux than I am on Windows. Yup, that’s right. I have no doubt whatsoever that I am.

I started down this path by comparing how secure I am on a Mac vs. on Windows, then I compared Mac vs. Linux. To complete that trifecta, I guess it’s only fair to compare the end-user data security aspects of Windows against Linux.

Before I get into my rationale, though, just a little more background is in order. I started using a UNIX desktop way back in college and was always comfortable there. At my first couple of jobs after college, I mostly used UNIX workstations from Dec and Sun as my primary desktops.

Later, I started using Windows-based systems at the office, but never felt quite at home. I was constantly frustrated by the frequent reboots, lack of serious security capabilities (from my perspective), and such. Then, following a brief foray in OS/2, I quickly gravitated to running Linux at home so I could once again have a real multi-tasking working environment.

Nowadays, my primary desktop is on a Macbook Pro – the best computer I’ve ever owned, without any doubt.

But, I still run a Debian Linux infrastructure for my company, with a couple Samba servers at its core. It’s not uncommon for the Linux systems to go over a year in between reboots. And, I still use XP on another laptop from time to time, generally when a customer requires it or I absolutely must run something like ActiveX controls on a web site. I try my best to learn how to best use the security features of each OS I use, naturally.

So, with that background in mind, it’s clear my views are somewhat biased. However, I consider myself very open-minded and will always give credit where it’s due. Heck, some of my best friends use Windows (but I do my best to talk them into OS X anyway).

• True to UNIX.It’s tough to be entirely fair here, since Windows isn’t UNIX in any sense. But my point here is that Linux does follow the security features and capabilities it inherited from UNIX quite closely. In particular, the notion of an administrative (root) user that maintains and operates the system, and desktop users who only run the software on the system, is completely ingrained in most Linux distributions.

Now it’s true that many Linux users ignore these features and run all their software from a root-level account anyway, but that’s a choice that they’ve made. The system defaults to protecting the operating system components from its user’s actions (intentional or otherwise). That feature alone must account in large degree for the dearth of viruses and other malicious vermin on Linux and UNIX platforms.

Windows, on the other hand, started life as a single user system, with that single user being all-powerful. Although that’s no longer the case, the general attitude can still be found in many Windows-based software products – many of which just can’t be installed and/or run properly without desktop administrator privileges. This is all changing for the better, but it took Microsoft far too long to adopt this default-secure configuration practice.

Qualitative score: Windows gets a D+ while Linux gets an A-.

• “Bummer of a birthmark”Many of us no doubt remember Gary Larson’s Far Side comic strip in which two deer are standing around, and one of the deer has a big bulls-eye target on his chest… You get the picture.

Well, in many ways, that’s the sad state of affairs for Windows users these days. It’s true that phishers, virus writers, and other miscreants could target other operating systems, but by and large they don’t.

As other operating systems gain market share, that’s likely change, but by my thinking, Linux isn’t going to be the next big target. So, until and unless that target “birthmark” finds its way onto another victim, it’s “bummer of a birthmark” time for Windows users. (Hint: the “birthmark” itself is your Outlook/Internet Explorer combination!)

Qualitative score: Windows gets an F while Linux gets an A.

• User data confidentiality. All those commands that I grew comfortable with on UNIX (e.g., chmod, chown, umask) for protecting or sharing my data are in Linux and are easy for me to work with. Although the features are relatively on the light side as industrial strength file access control goes, the tools and capabilities are readily available and they work pretty darned well.

While it’s true that Windows has equivalent commands and GUI interfaces for protecting one’s data, I’ve always found them to be awkward at best, and generally defaulting to open (world read-write) unless I go out of my way to lock down my own files.

Now, to be fair, I have to point out that the Windows NTFS file system has a phenomenally powerful set of features when it comes to file/directory access control and auditing. Indeed, when used properly, an NTFS file system can be very tightly configured to the needs of a user or application. The problem is that so few people do it or even know how to do it.

One other factor here is the availability of third-party file and disk encryption products. Here Windows clearly has the upper hand, and I’m noticing more and more corporate laptops employing disk encryption as a standard configuration item. (I guess we can thank the likes of the U.S. Veterans Administration for that.)

Qualitative score: Windows gets a B- while Linux gets a B+.

• Patch practices. Here Windows shines (finally). With Windows Updatebeing readily available and running by default as of XP SP2, things are finally looking up for Windows users. From the perspective of an end-user seeking to keep his computer up to date with the current vendor-supplied security patches, Windows sure does make things easy.

Linux isn’t too far in the distance, though. Most Linux distributions do a respectable job at automated security patch management. Many are opt-in, however, and the interface varies from one distribution to the next, making it a bit less easy to do things properly for a typical end-user.

The elapsed time from notification to patch, on the other hand, can vary substantially. Overall, and again from a highly subjective viewpoint, I give a slight edge to Linux, but I do feel that Microsoft has made great advances in the past few years.

Qualitative score: Windows gets an A- while Linux gets a B+.

With these scores in mind, I have absolutely no doubt that my data is safest on a Linux system than on a Windows system. And that ends my three-way comparison of the user-level security in OS X, Windows, and Linux. I’ve tried to be as fair as I can, and have given credit where each is worthy of it – and wrath where it’s not.

My overall winner remains Apple’s OS X, which offers the best of both worlds (UNIX and Windows-like) to me. I have the native desktop apps that I need to do business, and underneath it all is the familiar face of UNIX. I’m at $HOME.

In closing, I should also say that a person determined to keep her data secure can certainly use any of these three operating systems successfully. There’s enough good in the worst of them (and bad in the best of them) that what matters most is really learning how to use all the security capabilities of the OS you’re most comfortable with.