27/7/2016

Operatingsystemcomparison:TheWindowsOSsecuritydebate

SearchMidmarketSecurity

Operating system comparison: The Windows OS security debate

byTom Chmielarski, Contributor

Community Member

The security debate between Linux, Mac OS X and Windows got even more heated when Google ended its internal use of Windows. Tom Chmielarski explains when an
organization may (or may not) be ready for a change in operating systems.

http://searchmidmarketsecurity.techtarget.com/tip/OperatingsystemcomparisonTheWindowsOSsecuritydebate

1/6

27/7/2016

Operatingsystemcomparison:TheWindowsOSsecuritydebate

u
c
s
o
i
n
2

SearchMidmarketSecurity.com reader: Google made some waves when they began ending internal use
of Windows. Why was that the case, and will the shift in operating system make a difference? Can you
do a quick operating systems comparison?
Sign in for existing members

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
corporate email address

Continue Reading

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact
TechTarget at 275 Grove Street, Newton, MA.
You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the
Privacy Policy.

http://searchmidmarketsecurity.techtarget.com/tip/OperatingsystemcomparisonTheWindowsOSsecuritydebate

2/6

27/7/2016

Operatingsystemcomparison:TheWindowsOSsecuritydebate

Send Tom your security questions

Have a security question about risk management? Windows security? Mobile devices? Sendit to Tom, and he'll answerit in a future tip.

Tom Chmielarski, resident security expert: Google began a move away from Windows on the desktop earlier this year, according to a report by the
Financial Times. This change is reportedly driven by security concerns and by Google's desire to use its own products, including Chromium, the
upcoming Linux OS from Google.
Before considering the ramifications of this shift, however, let's consider Google itself. Google is atypical of many organizations and is not
necessarily a good reference model for your organization; they have very large Linux server farms and the experience and tools that go with that, as
well as a large number of qualified Linux support personnel. They have also developed two Linux-based OSes (Android and Chromium OS). It is
worth noting that Chromium OS has an emphasis on Web-based computing.

Rather than speculating too much on Google's motivations, which I do not know, let's consider the following questions:
Will it make a difference to change operating systems?
And, by extension, is that kind of transition something you should consider for your organization?
The debate regarding Linux versus Mac OS X versus Windows is a heated one, and I won't solve it here. I will emphasize, however, that workstation
security depends on far more than the security of the OS itself. As for an operating system comparison, Windows has the largest market share of
OSes, the old argument goes, and is therefore the most attacked. This means the vulnerabilities within the various Windows versions are more likely
to be uncovered and used.
Linux and OS X both have security problems of their own, though. Apple, from a straightforward numbers perspective, has had more security
vulnerabilities in 2010 than Microsoft. However, the use of vulnerabilities as a numerical indicator of security is much debated as well.
Security of the desktop is important as the desktops are an entry point to your organization and frequently contain sensitive data. (Chromium's
emphasis on Web services, such as Google Docs, might help shift more of that sensitive material to centralized servers that are, in theory, more
secure.) At a high level, the security of those endpoints depends on several factors including:
How secure is the underlying OS?
How securely is the OS configured?
How well is the OS managed to prevent configuration drift and ensure patches are applied?
How secure are the applications running on that OS?
What privileges do users, and user-space applications, have to modify the operating system?
How prone are your users to make poor security decisions?

More "Ask the Expert" responses

Beyond patching, Tom Chmielarski explains what you'll need to do to avoid application exploits caused by Web browser vulnerabilities.

The choice of operating system (Linux/OS X/Windows) only pertains to the first two items in this list, although they are two very important
considerations. This leaves us with configuration management, user rights management and application security. Basic systems management of
Windows desktops is relatively easy, and your typical IT person can do it or pick it up with a little reading. The complexity of Windows administration
is somewhat deceptive, though, since it's much easier to get basic management functions working ( WSUS, for example) than it is to do the
configuration and management reliably and securely.

http://searchmidmarketsecurity.techtarget.com/tip/OperatingsystemcomparisonTheWindowsOSsecuritydebate

3/6

27/7/2016

Operatingsystemcomparison:TheWindowsOSsecuritydebate

Linux management is trickier, and the number of subject matter experts available to hire is much smaller. Does your organization have the tools and
skill sets required to securely manage Linux workstations? Given the normal IT emphasis of "more with less" and "do it yesterday," it's not surprising
that many organizations have poor systems management practices and barely any asset management.
Limiting user rights -- not letting everyone have local administration rights -- is an important security precaution. This model is fairly common in the
Linux world. Windows deployments, however, frequently give every user local administrative rights, which means malware is more easily able to
install itself. Windows Vista and Windows 7 offer improved user account control features, but they are too frequently ignored in lieu of the
convenience of letting everyone have complete control of their own desktop.
The security of the application is much less important if it doesn't have the ability to modify the OS or access the data stored on that system.
Adobe's recent announcement that Adobe Reader will use sandboxing to control access to the OS is an example of an (attacked) application
vendor's response to security problems.
User education, which is mostly non-technical, is another important consideration. You're not likely to succeed in securing the workstations if your
users are prone to respond to 419 scams, open email attachments from people they don't know, and install random software from the Internet.
To determine if a move to Linux or Mac OS X is right for you, consider your ability to manage and otherwise support Linux desktops. You'll also need
to ensure your applications and users can function in a Linux environment.
Lastly, as I noted above, a shift to cloud computing, if you assume the cloud itself is secure, has a security benefit of removing some sensitive data
from that endpoint. If, however, an attacker gains user credentials by compromising the endpoint and monitoring user activity, then that benefit is
largely negated.

This was first published in August 2010

m Dig Deeper on Microsoft endpoint security management

ALL

NEWS

EVALUATE

MAN A GE

PR O BL EM S OLV E

2
2
2
2

Windows Phone 7 security: Assessing WP7 security features

Securing Windows 7 desktops in 5 quick steps
How to conduct endpoint application security triage
What can the Khobe technique do to Windows antivirus software?

Load More

z 1comment

Oldest5

Shareyourcomment

Send me notifications when other members comment.

http://searchmidmarketsecurity.techtarget.com/tip/OperatingsystemcomparisonTheWindowsOSsecuritydebate

4/6

27/7/2016

Operatingsystemcomparison:TheWindowsOSsecuritydebate

Register or Login
E-Mail
email@techtarget.com

Username / Password
Username

Password

Comment
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the
United States. Privacy

0919783119 18 Jun 20153:10 PM

The security debate between Linux, Mac OS X and Windows got even more heated when Google ended its internal use of Windows. Tom Bearskin P
Hardware vs. software
Before we talk about different types of computers, let's talk about two things all computers have in common: hardware and software.
Hardware is any part of your computer that has a physical structure, such as the keyboard or mouse. It also includes all of the computer's internal parts, which you can see in the image
below.
Software is any set of instructions that tells the hardware what to do. It is what guides the hardware and tells it how to accomplish each task. Some examples of software include web
browsers, games, and word processors. Below, you can see an image of Microsoft PowerPoint, which is used to create presentations.
What is an operating system? An operating system (sometimes abbreviated as "OS") is the program that, after being initially loaded into the computer by a boot program, manages all
the other programs in a computer. The other programs are called applications or application programs. The application programs make use of the operating system by making requests
for services through a defined application program interface (API). In addition, users can interact directly with the operating system through a user interface such as a command
language or a graphical user interface (GUI).
An operating system performs these services for applications:
explains when an organization may (or may not) be ready for a change in operating systems.

-ADS BY GOOGLE

SECURITY

CLOUD SECURITY

NETWORKING

CIO

CONSUMERIZATION

ENTERPRISE DESKTOP

COMPUTER WEEKLY

SearchSecurity
Experts say NIST deprecating SMS 2FA is long overdue

http://searchmidmarketsecurity.techtarget.com/tip/OperatingsystemcomparisonTheWindowsOSsecuritydebate

5/6

27/7/2016

Operatingsystemcomparison:TheWindowsOSsecuritydebate

America's National Institute for Standards and Technology is advising the deprecation of using SMS-based two-factor ...

How to start building an enterprise application security program

Building an effective application security program can be daunting. Sean Martin talks with experts about the best first steps ...

About Us

Contact Us

Corporate Site
Events

Guides

Experts

Privacy Policy
Reprints

Opinions

Advertisers

Archive

Photo Stories

Business Partners

Site Map

Media Kit

E-Products

Videos
All Rights Reserved,
Copyright 2009 - 2016, TechTarget

http://searchmidmarketsecurity.techtarget.com/tip/OperatingsystemcomparisonTheWindowsOSsecuritydebate

6/6