Is Microsoft Windows quite secure (as secure as linux) if used properly?

Discussion in 'all things UNIX' started by wearetheborg, Aug 14, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I wanted to get the perspective of the Linux crowd on this, to understand security better (both Linux and Windows).

    I'm a Linux person, been using Linux since I started using computers.

    Recently I've been learning about Windows security (mostly for XP Pro), and have found some really cool features that make it quite secure.
    Some of the major causes of "Windows security" seem to me to be as follows:

    1. Use of admin account as default (windows sorta messed up here in terms of user education).

    2. Not using software restriction policies, not turning autoplay off.

    3. Use of untrusted binaries installed by user (Linux is nice in that there is a central repository for a whole lotta apps). Common sense can mitigate a lot of issues here.

    So, if a user uses Limited user account (LUA) + software restriction policies (SRP) + turns autoplay off + uses common sense in installing apps + additionally uses Sandbox-like free third-party utilities for web browsing; it seems like Windows can be as secure as Linux, maybe more secure since Linux doesn't have as many third-party easy-to-use security apps like Windows.
     
  2. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    If you run LUA with a good AV, good browser and common sense, I don't see why not.
     
  3. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Oh lord, here we go again...

    But to answer your question: I think modern versions of Windows (Vista/7/Server 2008) can be made pretty secure because Microsoft has *finally* caught on to what the Unix world has been doing for 40 years.

    If you do these things, you can make Windows pretty secure:

    • Use a 64 bit CPU with a 64 bit Windows version
    • Run in a LUA
    • Utilize SRP/Applocker
    • Turn on full DEP/ASLR
    • Browser: use either IE in protected mode or Chromium (with its sandbox). If you prefer Firefox, put it in a sandbox like Sandboxie

    Linux and other *nixes have all of the above protections and have for longer than Windows.
     
  4. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    Sandboxie is not needed in Linux. Linux comes in both x32 and x64 flavors, both supporting hardware DEP via the kernel. You can enable AppArmor for the browser to get Sandboxie-like security.
     
  5. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Well, AppArmor has been discontinued in Linux.

    Does linux have SRP?
     
  6. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    That is wrong. Now, Ubuntu is officially maintaining it and AppArmor will be integrated in the next version of the linux kernel (LSM).

    If theoretically (and practically) it doesn't cover as much as SELinux, it is so easy to configure that it is still a very good hardening tool.

    By default, most Linux distros have SRP-like protection enabled. Below is a screen capture showing the properties of a downloaded file. The exec capability is not checked by default.
     
  7. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Well yeah, that file is an archive and would have its execute flag off at the server. What about files that are executables?

    BTW, you can have executables in tar archives, and when the archive is untarred, the execute flag is automatically on in the executable.
     
  8. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    BTW, SELinux is also a *tool* for Linux for system hardening; it's not a distro as the name might imply.
     
  9. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Same for executables: No execute right, by default.

    Concerning executables in archives, it is not worrying in the first place security-wise as it needs two actions from the user:
    - extract the archive manually,
    - execute the file manually,
    And even then the execution is still confined in user mode...
     
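The execute-bit behaviour argued over in posts 6, 7 and 9 (a download carries no x bit, tar brings one back, and stripping it restores the "two deliberate actions" property), reproduced as an added example that is not from any poster. It assumes a POSIX sh, a tar that stores mode bits, and a normal non-root user; all files are constructed in a scratch directory.

```sh
#!/bin/sh
# Added example, not part of the thread: reproduces the execute-bit behaviour
# discussed above with constructed files in a scratch directory.
# Assumes POSIX sh, GNU or BSD tar, and a non-root user (umask is set below).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
umask 022

# A freshly written file (what a browser or wget produces) gets mode
# 0666 & ~umask = 0644, so script content changes nothing: the kernel
# refuses to exec it. Prints "no" when the file cannot be run.
downloaded_file_executable() {
    printf '#!/bin/sh\necho executed\n' > "$WORK/download.sh"
    if "$WORK/download.sh" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# tar stores mode bits, so a file that was chmod +x before archiving comes
# out executable after a normal extraction (umask 022 keeps the x bits).
# Prints "yes" if the extracted copy is executable.
extracted_file_executable() {
    mkdir -p "$WORK/src" "$WORK/dst"
    printf '#!/bin/sh\necho executed\n' > "$WORK/src/tool.sh"
    chmod 755 "$WORK/src/tool.sh"
    tar -cf "$WORK/bundle.tar" -C "$WORK/src" tool.sh
    tar -xf "$WORK/bundle.tar" -C "$WORK/dst"
    if [ -x "$WORK/dst/tool.sh" ]; then echo yes; else echo no; fi
}

# Defensive counterpart: clear execute bits on every regular file extracted
# from an untrusted archive, so running anything again requires a deliberate
# chmod, exactly as for a plain download. Prints "no" when nothing is left
# executable under the extraction directory.
strip_exec_bits() {
    [ -d "$WORK/dst" ] || extracted_file_executable >/dev/null
    find "$WORK/dst" -type f -exec chmod a-x '{}' +
    if [ -n "$(find "$WORK/dst" -type f -perm -100)" ]; then echo yes; else echo no; fi
}

printf 'downloaded file runs:    %s\n' "$(downloaded_file_executable)"
printf 'extracted file exec bit: %s\n' "$(extracted_file_executable)"
printf 'after stripping x bits:  %s\n' "$(strip_exec_bits)"
```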
  10. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    That's pretty cool!
    Yup.

    So how would drive-by attacks work in Linux? Javascript?
    Can we not have the following scenario: A website downloads a file onto the user's system. Javascript turns on the execute flag, and then invokes the executable.
     
  11. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    I will let more knowledgeable people answer this question.

    Nevertheless, I have the default Ubuntu FF AppArmor profile in enforce mode and FF doesn't have any execute right in Home. Therefore, be it Javascript or whatever, it couldn't execute the downloaded executable file. Same for Chromium or any other of my AppArmor profiles.

    The idea with AppArmor is to create a profile for every internet-facing application in which you give the right to write and read in Home, and deny the right to execute (by omitting to give this right). You somehow recreate a per-app SRP.
     
  12. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Sandboxie uses virtualisation whereas AppArmor uses policy, much like GeSWall (MAC application using Windows capabilities) and DW (same, but uses its own mechanism instead of relying on Windows's).
     
  13. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    I have configured my neighbor's PC something like this:
    WinXP Pro SP3
    - limited user account
    - disabled services he doesn't use (built-in firewall is on)
    - software restriction policy
    - full DEP

    Firefox in private browsing with the NoScript addon

    He hasn't been infected ever since.
     
  14. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    Another important point for me is that in Linux, when you click "check for updates", it will check for updates for all apps installed through the package manager.... in Windows you sometimes need to "hunt"... more and more apps today have "check for updates automatically", but no doubt in Linux this is a lot easier.
     
  15. Metastasio

    Metastasio Registered Member

    Joined:
    Aug 8, 2010
    Posts:
    28
    Enable SEHOP for all processes and I think you have a winner.

    I *do* think Windows users can be safe with this set-up.

    Just make sure she/he also applies all timely patches and it will work well.
     
  16. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
  17. Metastasio

    Metastasio Registered Member

    Joined:
    Aug 8, 2010
    Posts:
    28
  18. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    From a flaw in the application's code (like Firefox for instance). If FF has a 0-day it can be exploited and will give the attacker the same access rights as Firefox itself has. That is unless Firefox was locked down with a MAC system like AppArmor.
     
  19. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    In the absence of AppArmor, is a 0-day needed for the Javascript attack I mentioned?
    Isn't Javascript basically unlimited (except that it doesn't have root access) in what it can do in FF?
     
  20. Limited user accounts in Linux are rather more limited than in Windows though, no direct access to keyboard devices for example. A driveby on Linux could easily wreck your data, but it would be a lot harder to log keystrokes.

    (On the other hand, there'd be no problem recording you if you had a webcam. :p )

    Generally Linux security isn't spectacular by default, but the default settings tend to be... a bit saner than Windows', I think.

    Re Windows, I used to think you could secure any Windows NT OS if you knew what you were doing. Now, after that shortcut vulnerability... I'm not so sure.

    Actually I take that back. You can still secure a computer very effectively with a limited account and SRP or AppLocker. The problem is, that works fine for someone who just browses and watches movies and stuff, but if you're compiling software and otherwise running stuff in your home directory, it's quite inconvenient.

    If there's a security solution for people like me who do tons of stuff with their computers (other than using an obscure OS like Linux, which won't keep us safe forever), I haven't found it; and I frankly doubt it exists. It seems to me that there's just an inherent tradeoff between functionality and security on the desktop.

    [/long boring speech]
     
  21. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
  22. wat0114

    wat0114 Guest

    That's as close to a perfect setup as one can get, imo. It's using mostly built-in security, limited account, fully updated, reduced services, and only NoScript as a 3rd-party addition. Two XP machines are set up this way here, except IE8 instead of Firefox (kids don't like Firefox) and Sandboxie with the browser forced in it, and restrictions on what can access the Internet from it. The SRP practically guarantees security.
     
  23. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    When was AppArmor ever discontinued in Linux? This is news to me; till today Novell actively develops it for SUSE, and Ubuntu and other Linux distros implement it. Also AppArmor is used in SUSE Enterprise, which has a larger share than RH in the server market, so development of AppArmor is a must for Linux server and desktop.
     
  24. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    If you switch to private mode browsing in Google Chrome, you get the same effect as well; you can then use AppArmor policies to jail it from any hacks. I use FF and Opera with AppArmor and have no surfing issues, period. Even my torrent client is AppArmored.
     
  25. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136