From: full-d at parsec.net (Todd Burroughs)
Subject: M$ Getting Better?

> I for one, DO have experience in both Windows and Unix system administration, and every one of our internet facing machines is running Linux.  Why?  Because for me they are easier to secure.  I can turn off any services that I don't need, I have a fully-functional firewall on every box, and I don't have to reboot once a month to stay secure (all updates are currently automated, only kernel vulns need a reboot).

From my experience, we reboot our Windows servers daily or more often
just to keep them running.  (They are very busy) It's a given that we
have to reboot when doing updates.  We don't usually have to reboot to
do updates with Linux or *BSD, unless we replace the kernel or libc,
which is much more rare.  (ok, Linux kernel has been bad lately ;-)

Basically, we run a bunch of load balanced Linux boxes and they don't
get rebooted much, except that we've designed and implemented a system to
install them automatically, so we reboot them for security updates because
it's easier (re-installs everything that is different), but then they
basically reinstall themselves.  It's simple, we don't have the unique
binary registry to deal with, just the config files that are common to
all similar servers.  This is not possible with Windows as far as I know.
(I know there's some third party stuff that might make it work, but it's
$$$ and probably second rate software)

On our Windows side, we have two servers to handle each group of users
(websites).  Our load balancers failover to one or the other.  Each of
these handles a max of 1000 domains.  The Linux servers have over 100,000
domains each and balance among a lot of servers.  This is not possible
with Windows (maybe by paying a *lot* of money it is, I don't know)

We have not figured out how to make a Windows box install and come up
serving web/mail with no human intervention, but we do that with all of
our Linux boxes.  When we lose a hard drive on a blade server, we replace
it and turn it on, it installs and comes up doing mail/web or whatever.

We also do not have any Windows boxes directly facing the Internet,
it's too dangerous.  They're all hidden behind firewalls, etc.   We have
hundreds of Linux and FreeBSD boxes directly on the 'net though.  It's a
pain to keep them safe, but it's not hard compared to Windows.

Sorry, but the MS system is not secure and not easy to secure or
administer on a large scale.  I prefer Linux and don't particularly like
MS, but I use whatever makes sense.  I'm not a "fanboy" for anything.

Todd

