How UNIX, Linux, and Windows stack up

By: Dann Anthony Maurno
Publication: Manufacturing Business Technology
Date: Tuesday, November 1 2005

In July 2003, a group of computer hackers held the "Defacers Challenge," a contest with the goal of defacing 6,000 Web sites in six hours. Participants scored points depending on which operating systems (OS) they breached. Web sites running on Microsoft Windows were worth one point; those running UNIX or Linux were worth three. In other words, the hackers considered UNIX and Linux tougher nuts to crack.

The hackers' subjective judgment aside, surprisingly little hard data exists on the security of one operating system versus another.

One objective measure is the Common Criteria standard, based on ISO 15408, Information technology—Security techniques—Evaluation criteria for IT security. The globally accepted standard enables users to define security requirements for infrastructure technology, and developers to meet those requirements. Independent evaluation labs test products for such features as the development environment, security functionality, handling of security vulnerabilities, and security-related documentation; and then assign a security level of one through seven.

Windows, for all its bad press, has achieved evaluation assurance level (EAL) 4 on Windows 2000. Novell, with SUSE Linux Enterprise Server 9, has received EAL 4+. Sun Microsystems' last three releases of its UNIX-based Solaris OS—8, 9, and 10—are ranked at EAL 4 or better.

Critics sniff at Common Criteria as measuring the amount of testing done on a system rather than its actual security effectiveness, leaving analysts, columnists, conventional wisdom, and hackers to make the judgment—and they judge Linux and UNIX as more secure systems than Windows.

Open up differences

Stacey Quandt, research director with Boston-based AberdeenGroup, conducted a comprehensive comparison of Linux and Windows security in October 2004. This analysis underscores two key differences between Linux (and the architecturally similar UNIX) and Windows: philosophy and architecture.

Philosophically, Linux and UNIX are completely or partially open-source systems. Linux is entirely open source; that is, the base code is available to anyone who wants it, and any changes made to it get incorporated into the next "distribution" of the code. Some portions of the code of UNIX-based systems, such as those from Sun or Hewlett-Packard, have been made available to the open-source community. Windows is strictly proprietary.

If the "transparent code" used in both UNIX and Linux is available to everyone—including hackers, disgruntled employees, and corporate rivals—while Windows code is closely guarded intellectual property, then UNIX and Linux systems should be more vulnerable than Windows, right?

Wrong, says Justin Steinman, North American division manager at Novell. "Linux is more secure based on 'security by transparency' versus Windows' so-called 'security by obscurity,' which means you have the whole Linux community building and looking at Linux code. The moment someone sees a security flaw, they fix it and release the patch to the community."

Steinman contrasts that responsiveness to Microsoft "Patch Tuesday," the second Tuesday of each month when Microsoft releases patches for the Windows operating system and other applications. "Suppose you find that flaw the second Wednesday? You'll wait 30 days for a patch," he says.

Mod versus mono

Quandt points out that Linux and UNIX use a concept of "least privilege" in their architectures. She compares the idea to giving someone keys to specific doors, rather than a master key that opens all doors. In Linux 2.6, the security architecture was significantly enhanced over prior versions to support least privilege, with role-based access controls. Users only get into the parts of the system they need to use.

The user and process rights management capabilities of UNIX-based Solaris 10 from Sun operate on the same principle. Privileges can be applied to both kernel- and user-level applications without recompiling or rewriting applications, a task administrators often cannot perform on proprietary software.

Open-source consultant Nicholas Petreley describes the modular architecture of Linux and UNIX in terms of three concentric spheres. The outermost sphere is the user interface, where applications such as word processors run. The word processor makes use of commonly needed features provided by the second sphere, such as the ability to render graphical images or format text. This second sphere must request permission from the innermost sphere to do its work. The innermost sphere, the kernel, is the heart of the OS and controls a system's disks and memory.

Windows architecture is more monolithic, with numerous features—such as Internet Explorer—integrated into the kernel of its OS. The downside: a flaw in Explorer could expose every other application integrated into that core. In the spherical design, almost no function in either Linux or UNIX is inextricably intertwined with any other.

Another way to describe the difference is multi-user versus single-user architecture.

Multi-user design presumes more users and, frankly, trusts them less. Simply put, Windows integrates user applications into its kernel, whereas Linux and UNIX separate kernel space from user space.

"That's an inherent level of security," says Mark Thacker, manager for Solaris Security at Sun. "UNIX has been multi-user from day one, not a desktop OS that grew into a server OS. UNIX has always separated the user and kernel spaces, and that's not available in any DOS-derived OS."

Petreley published a comparison of data on Linux and Windows security from The Computer Emergency Readiness Team at Carnegie Mellon University in October 2004. He notes these findings:

  • Microsoft returned 250 entries (patches and system vulnerabilities), with 39 entries of a severity rating of 40 or greater, which triggers a security alert; and

  • Results for Linux returned 100 entries, with only six entries of a severity rating of 40 or greater.

Petreley's research suggests the average Windows security flaw is more severe than a Linux flaw. That being said, companies on Windows systems need not run screaming to a rival OS vendor. Microsoft has countered its security critics with initiatives of its own, moving closer to that multi-user model that distinguishes its rivals.

Largely in response to industry and end-user pressure, Microsoft launched its Trustworthy Computing Initiative in 2003 and retrained its developers in secure development practices. Since then, the company has integrated anti-spam and anti-phishing technology into Hotmail, MSN, Microsoft Office 2003, and Microsoft Exchange Server 2003.

Microsoft's internal Security Development Lifecycle (SDL) capability led to modification of its Internet-connected applications to incorporate security checkpoints and milestones. Windows 2003 was the first OS to implement SDL, and compared to Windows 2000, Microsoft claims 63 percent fewer vulnerabilities in the first year.

Microsoft's Service Pack 2 for Windows XP turned off some services by default to reduce spam, and created a central repository for attachments from Outlook/Exchange, Windows Messenger, and Internet Explorer. This reduces the risk of an end user enabling a virus or worm.

After three years, Microsoft appears to be achieving results. At this point, according to Quandt, Linux and Windows support for network security and protocols are comparable.

But security isn't the only factor influencing the choice of an operating system. As secure as they are, how do UNIX and Linux compare to Windows in ease of use and flexibility? And to one another?

Depends which Linux; depends which UNIX. "UNIX" actually describes several operating systems based on the same code, but from different providers—e.g., Sun, Hewlett-Packard, SCO, and IBM. Linux replicates features of UNIX systems, but its author, Linus Torvalds, developed the code from scratch. Linux also comes in "distributions" from providers such as Red Hat and Novell.

Version control

UNIX or Linux systems vary in usability and security depending on the vendor, as each builds in its own features.

Novell, for example, offers AppArmor for its SUSE Linux Enterprise Server 9. AppArmor allows an administrator to create a security policy for each Linux program requiring protection. Red Hat claims that kernel and security improvements in its Enterprise Linux 5, due in 2006, are sufficient to achieve EAL 4, comparable to both Windows and Novell SLES 9. Sun's Solaris 10 OS is in evaluation for EAL 4+.
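The "keys to specific doors" idea behind least privilege and AppArmor's per-program policies, as an added example that is not from the article or from Novell's AppArmor code. The profile syntax, program names and paths here are constructed assumptions; this is a toy policy evaluator, not AppArmor's real profile language or enforcement engine.

```python
# Added example (not from the article): a toy mediator modelling per-program
# confinement. Each program holds only the "keys" (path globs + permissions)
# its profile grants; anything else is denied by default. An unprofiled
# program is unconfined, i.e. it holds the "master key".
import fnmatch

# Constructed profiles. Permission letters: r = read, w = write, x = execute.
# NOTE: fnmatch's "*" crosses "/" boundaries, unlike AppArmor's real globbing.
PROFILES = {
    "/usr/bin/wordproc": {
        "/home/*/docs/*": "rw",
        "/usr/share/fonts/*": "r",
        "/usr/lib/libtext.so": "rx",
    },
    "/usr/sbin/logrotate": {
        "/var/log/*": "rw",
        "/etc/logrotate.conf": "r",
    },
}


def check_access(program, path, mode, profiles=PROFILES):
    """Return True if `program` may access `path` with `mode` ('r', 'w', 'x').

    Confined programs are default-deny: only an explicit rule grants access.
    """
    rules = profiles.get(program)
    if rules is None:
        return True  # unconfined: every door opens (the master-key case)
    for pattern, perms in rules.items():
        if fnmatch.fnmatchcase(path, pattern) and mode in perms:
            return True
    return False  # no matching key for this door


def permitted(program, requests, profiles=PROFILES):
    """Filter a list of (path, mode) requests down to those the policy allows.

    Useful for reasoning about what a misbehaving program could still reach.
    """
    return [(p, m) for p, m in requests
            if check_access(program, p, m, profiles)]


if __name__ == "__main__":
    # Constructed requests a word processor might issue beyond its needs.
    attempts = [("/home/alice/docs/report.odt", "w"),
                ("/etc/shadow", "r"),
                ("/usr/sbin/logrotate", "x")]
    print(permitted("/usr/bin/wordproc", attempts))   # only the document
    print(permitted("/usr/bin/unprofiled", attempts))  # all three
```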

Windows also comes in different configurations, including Windows 2000, Windows 2003, and Windows XP. Windows evolved from a desktop system into a server OS, and thus has a user-friendly pedigree.

Sun's Thacker believes the UNIX security pedigree is more vital, comparing the two architectures to houses built on stone or sand—but security isn't the only criterion for choosing.

"Frankly," says Computer Security Institute (CSI) Editorial Director Robert Richardson, "companies can surrender a lot of the Windows flexibility they're used to and gain security, but I can't picture many companies doing that."

Specialized Linux providers such as Xandros, Mandriva, Novell, and Red Hat all offer desktop products, with Xandros probably closest to Windows in look and feel. But looks aren't the only problem. UNIX and Linux don't support all mission-critical applications in a given vertical. "So ease of use is only part of the problem," says Quandt. "The harder problem to solve is application availability."

Linux providers are working very hard to close that gap. SUSE Linux Enterprise Server, for example, was recently added to the Electronic Design Automation Consortium road map, sponsored by semiconductor manufacturers to identify workable application-OS-hardware combinations, which generates an opportunity base for Novell in the semiconductor industry.

OS security all you need?

In the end, while OS security isn't a trivial matter, it's not the whole ball game. Companies achieve security through myriad solutions, with firewalls and antivirus programs being the first and second most common.

"It is important to point out that attacks come not just through the operating system, but the applications and network devices. Any device that runs an operating system can [be vulnerable]," says Bob Mick, a VP at ARC Advisory Group, Dedham, Mass. "Any security strategy is made of multiple elements, including the router switches and firewalls. Sure, the OS provides a level of protection, but you have to surround that system with more protection. And users are not free from that with Linux or UNIX."

CSI's Richardson assesses the current state of OS security this way: "It's reasonable to say that if you want to buy a little time on the virus attack front, then look at UNIX, Linux, or even Apple—if it has the applications you need. The flipside of usable and adopted is more attacks. If the world was 50-percent Linux, Linux would see 50 percent of attacks."

Linux and UNIX vendors disagree, countering that the architectural differences, rather than market share, account for the greater number of attacks on Windows.

The take-away is that open-code solutions appear more secure—today—though Windows is more flexible and broadly applicable—today. But security is only one criterion in selecting an OS, and it appears not a strong enough reason to dump an existing one.

Security process, policy components

Security strategy element                    Done   In progress   Not considering
Written security policy                      40%    53%           7%
Audit network for rogue connections          24%    62%           14%
CSO—Corporate officer                        19%    41%           40%
Defined risk goals                           11%    77%           12%
Risk assessment and gap analysis             11%    77%           12%
Design/select countermeasures                15%    73%           12%
Written approval for mods to network         16%    64%           20%
Periodic audit and compliance measurement    12%    76%           12%
Security education & training                18%    70%           12%
