Windows V Redhat (Linux) Security.... again
Robert Hensing's Secure Windows Initiative Blog : Windows Server 2003 spanks Red Hat's monkey?
Some interesting comment about the study comparing Redhat and Windows Server 2003 over at Robert Hensings blog.
As people'll know if they've been following slashdot, it turns out that this study was sponsored by Microsoft . More information and a link to the report source here
At first glance I like the principles behind the methodology used, ie use a specific server role, rather than a generic install. I'll hopefully get a chance to read it in more detail, but a couple of things do niggle at me from my first read through.
When they go through the nmap results for the "minimal" linux install, it appears to have ports open that weren't there on the full install! (631/tcp for cups) I find that a bit hard to believe, and even if there is a flaw in the install process, any competant admin will shut down and remove cups as soon as they realise it's running.
Also any competant admin will shut down other services like the rpc ports mentioned (111/tcp and 32768/tcp) and remove the software using them.
Not being too up on my MS stuff at the moment I can't comment whether simple hardening steps would improve it's performance (As far as I can recall shutting down ports like 445 is nigh-on impossible outside of firewalling the host)
All-in-all it's an interesting study and definately shows that the more modern Microsoft products have a much better stance in relation to security.
[rant] If only their marketing people would allow them to abandon their "you must install irrelevant components and then we'll make it really hard to remove them" stance, they'd be onto a real winner!
why do Microsoft insist that you need an Internet browser on a server! for that point why do you have to install a GUI on a server! it's irrelevant in many cases. The server will be put in a rack in a datacentre and no-one will physically log onto it again![/ rant]