Access control: Windows vs Linux

security windows linux

Nobody would dispute that writing buffer overflows on Windows is substantially harder than on linux. As well, The ACL system in Windows is vastly superior to the *nix system in numerous respects (Its still possible to use setpgid() to break outside of chroot()/jail() and transfer the psuedo-root tokens to effective UID 0).

HOWEVER.

Linux, BSD, Solaris, and AIX have the virtue of having user-made patches which implement very impressive security features. I'd name the PaX/GrSEC projects, Which, regardless of security shortcomings in the past few years, Have set the standard for implementing Address Space Layout Randomization, Likewise for StackGuard, W^X and the numerous other utilitiees designed to prevent Heap and Format string attacks from being successful. Strictly from an access point of view, There are many extensions to the admittedly outdated current system.

If process division attacks are a concern for you, Not to be that Crotchety Unix Admin, but Windows has suffered far, far, worse

In short, If you're lazy, You're better off with Windows. If you're dilligent, You're often better off with *Nix (From a security perspective)


Here is a detailed article that gets to the heart of the matter - it doesn;t matter how powerful and detailed your access control and security systems are... if its too complicated to set them correctly, you will end up with security holes. In this case its complexity of the systems - the larger the 'surface', the more chance there is of a security bug.

I used to see this with our domain groups - its too easy to give someone access to a secured resource if they are in the wrong group if you have too many groups. The register describes this better.


I'd like to know are there any more detailed articles or paper comparing security mechanisms and designs in Windows and Linux?

This one sounds relatively good to my novice eyes... a bit old and slightly biased, but not so much.

Related

Does anyone use check_mk for Nagios? Anything I should be aware of before considering it?
How to load-balance SQL Server 2008 for high-usage ASP.NET applications?
Exchange 2010 and Outlook 2010 requesting password every time it starts
Is there a compression format that supports tail operations?
What's the protocol-level difference between IPSec and "Cisco IPSec"?
How can I display full urls in Apache mod_status output?
BIND9: Do forwarders have any priority?
Difference between ulimit, launchctl, sysctl?
Encryption over gigabit carrier ethernet
Free alternatives to M/Monit interface for the Monit systems management system [closed]
How to install GD library in php?
What is the purpose and uniqueness SHTML?