Operating system comparison: The Windows OS security debate

The security debate between Linux, Mac OS X and Windows got even more heated when Google ended its internal use of Windows. Tom Chmielarski explains when an organization may (or may not) be ready for a change in operating systems.

Tom Chmielarski, Contributor

SearchMidmarketSecurity.com reader: Google made some waves when they began ending internal use of Windows. Why was that the case, and will the shift in operating system make a difference? Can you do a quick operating systems comparison?

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

Tom Chmielarski, resident security expert: Financial Times Chromium

Before considering the ramifications of this shift, however, let's consider Google itself. Google is atypical of many organizations and is not necessarily a good reference model for your organization; they have very large Linux server farms and the experience and tools that go with that, as well as a large number of qualified Linux support personnel. They have also developed two Linux-based OSes (Android and Chromium OS). It is worth noting that Chromium OS has an emphasis on Web-based computing.

Rather than speculating too much on Google's motivations, which I do not know, let's consider the following questions:

Will it make a difference to change operating systems?
And, by extension, is that kind of transition something you should consider for your organization?

The debate regarding Linux versus Mac OS X versus Windows is a heated one, and I won't solve it here. I will emphasize, however, that workstation security depends on far more than the security of the OS itself. As for an operating system comparison, Windows has the largest market share of OSes, the old argument goes, and is therefore the most attacked. This means the vulnerabilities within the various Windows versions are more likely to be uncovered and used.

Linux and OS X both have security problems of their own, though. Apple, from a straightforward numbers perspective, has had more security vulnerabilities in 2010 than Microsoft. However, the use of vulnerabilities as a numerical indicator of security is much debated as well.

Security of the desktop is important as the desktops are an entry point to your organization and frequently contain sensitive data. (Chromium's emphasis on Web services, such as Google Docs, might help shift more of that sensitive material to centralized servers that are, in theory, more secure.) At a high level, the security of those endpoints depends on several factors including:

How secure is the underlying OS?
How securely is the OS configured?
How well is the OS managed to prevent configuration drift and ensure patches are applied?
How secure are the applications running on that OS?
What privileges do users, and user-space applications, have to modify the operating system?
How prone are your users to make poor security decisions?

WSUS

Linux management is trickier, and the number of subject matter experts available to hire is much smaller. Does your organization have the tools and skill sets required to securely manage Linux workstations? Given the normal IT emphasis of "more with less" and "do it yesterday," it's not surprising that many organizations have poor systems management practices and barely any asset management.

Limiting user rights -- not letting everyone have local administration rights -- is an important security precaution. This model is fairly common in the Linux world. Windows deployments, however, frequently give every user local administrative rights, which means malware is more easily able to install itself. Windows Vista and Windows 7 offer improved user account control features, but they are too frequently ignored in lieu of the convenience of letting everyone have complete control of their own desktop.

The security of the application is much less important if it doesn't have the ability to modify the OS or access the data stored on that system. Adobe's recent announcement that Adobe Reader will use sandboxing to control access to the OS is an example of an (attacked) application vendor's response to security problems.

User education, which is mostly non-technical, is another important consideration. You're not likely to succeed in securing the workstations if your users are prone to respond to 419 scams, open email attachments from people they don't know, and install random software from the Internet.

To determine if a move to Linux or Mac OS X is right for you, consider your ability to manage and otherwise support Linux desktops. You'll also need to ensure your applications and users can function in a Linux environment.

Lastly, as I noted above, a shift to cloud computing, if you assume the cloud itself is secure, has a security benefit of removing some sensitive data from that endpoint. If, however, an attacker gains user credentials by compromising the endpoint and monitoring user activity, then that benefit is largely negated.

Google began a move away from Windows on the desktop earlier this year, according to a report by the . This change is reportedly driven by security concerns and by Google's desire to use its own products, including , the upcoming Linux OS from Google. The choice of operating system (Linux/OS X/Windows) only pertains to the first two items in this list, although they are two very important considerations. This leaves us with configuration management, user rights management and application security. Basic systems management of Windows desktops is relatively easy, and your typical IT person can do it or pick it up with a little reading. The complexity of Windows administration is somewhat deceptive, though, since it's much easier to get basic management functions working (, for example) than it is to do the configuration and management reliably and securely.

This was last published in August 2010

Dig Deeper on Microsoft Windows security

Join the conversation

1 comment

Send me notifications when other members comment.

Oldest

[-]

0919783119 - 18 Jun 2015 4:10 AM

The security debate between Linux, Mac OS X and Windows got even more heated when Google ended its internal use of Windows. Tom Bearskin• P
Hardware vs. software
Before we talk about different types of computers, let's talk about two things all computers have in common: hardware and software.
• Hardware is any part of your computer that has a physical structure, such as the keyboard or mouse. It also includes all of the computer's internal parts, which you can see in the image below.

Software is any set of instructions that tells the hardware what to do. It is what guides the hardware and tells it how to accomplish each task. Some examples of software include web browsers, games, and word processors. Below, you can see an image of Microsoft PowerPoint, which is used to create presentations.

What is an operating system? An operating system (sometimes abbreviated as "OS") is the program that, after being initially loaded into the computer by a boot program, manages all the other programs in a computer. The other programs are called applications or application programs. The application programs make use of the operating system by making requests for services through a defined application program interface (API). In addition, users can interact directly with the operating system through a user interface such as a command language or a graphical user interface (GUI).
An operating system performs these services for applications:
explains when an organization may (or may not) be ready for a change in operating systems.

Send Tom your security questions

More "Ask the Expert" responses

You should know about Neverware CloudReady when planning Chromebook and thin client projects

Google is sunsetting Chrome apps. Let’s look at the Chrome OS app landscape

An update on Chromium Edge: It’s coming soon. Will the enterprise use it?

New Microsoft Edge browser gets competitive with Chrome

Please create a username to comment.

Privacy-preserving machine learning assuages infosec fears

How Azure, AWS, Google handle data destruction in the cloud

Multi-cloud security strategies rely on visibility, uniformity

Tech pros focus on application delivery during pandemic

How the cloud fractures application delivery infrastructure ops

Why network configuration templates are useful in automation

Post COVID-19 strategies for CIOs on leading through crisis

Workplace of the future undergoes last-minute alterations

Return-to-office plans stress safety, security, collaboration

Citrix microapps look to ease office reopening

VMware Workspace One unifies reshaped digital workforces

Macs to run on Apple silicon, leaving Intel behind

Review the top sessions from recent cloud conferences

Test your cloud knowledge: VMs vs. containers vs. serverless

Cloud lock-in fears aren't as prevalent as you might think

Royal Holloway: An enhanced approach for USB security management

Green tech needed for post-Covid economic recovery

Three counts on Amdocs to support enterprise business expansion