Secured windows xp sp3 VS Ubuntu 9.04

Discussion in 'all things UNIX' started by ssecure, May 29, 2009.

Thread Status:
Not open for further replies.
  1. ssecure

    ssecure Registered Member

    Joined:
    May 29, 2009
    Posts:
    23
    Hi everyone. I'm curious as to whether a properly secured win xp sp3 system would be still worse off than ubuntu's newest and finest. I mean sure by the simple fact that there are no known linux viruses in the wild helps ubuntu's case a lot. But for the average home user, if you properly secure your system and don't get infected then in real terms you could say both systems are secure.

    On a side note I opened up a thread to get suggestions how to better secure win xp sp3 here. so if you want to contribute, it would be appreciated.
    https://www.wilderssecurity.com/showthread.php?t=243687

    I have to still use windows related programs so moving completely to linux is not an option for me atm...so if you write in that thread don't suggest switch to linux lol.

    I recently tried ubuntu and tested it using shields up on www.grc.com. Out of the box, all ports but one were closed (that one was stealthed) but ppl could still tell my computer was online which according to the site is bad.

    Next I setup firestarter, frontend for iptables...now all ports stealthed but it still replied to pings. So in options I enable icmp filtering and don't check any of its options. Now finally it passed perfectly on the test at www.grc.com.

    Compare that to eset smart security 4.....firewall scored perfect score without any tinkering on my part.

    Also why is firestarter reporting new attacks virtually every minute from ip ranges all over the world...and ESET 4 except doing the test when it reported port scanning, eset hasn't reported anything?

    Regarding viruses and malware it's obvious linux wins there but if you have good AV like eset aren't you still safe? And smtimes the sense of security linux has, can't that cause problems?

    Also true there's not proper malware for linux but can't the system still be compromised by smone? You don't need malware for smone to get in your system and steal data or wreck it.

    I don't mean to favor any OS. I've tried and used both. My question basically is aren't you getting the same security in windows if you put on firewall, AV and antimalware. And if you think you're not getting the same security, how worse off is win xp? Thanks.
     
  2. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    First off, forget about GRC. To be blunt, it appears you don't know how to interpret portscan results - people can tell your computer's presence even if your ports are stealthed. As long as no vulnerable services are listening on open ports, you're safe, simple as that.

    Second, if security is your ONLY concern, there's no point switching to Ubuntu. The enormous time and effort you'll spend relearning how to do every single thing and running into brick walls is going to be trivial compared to the time and effort you'll spend learning some basic security habits and how to lock down XP, which is actually very easy to do. There's no need to fret about using XP instead of Ubuntu, or think you're at some sort of security disadvantage.
     
  3. ssecure

    ssecure Registered Member

    Joined:
    May 29, 2009
    Posts:
    23
    Tnx, I have to admit I have no idea how to interpret results and test firewalls, the site was suggested by ubuntu to test the firewall. Guess it's better than nothing. Can you suggest other sites to test? And pls contribute to my other thread if you have any tips on how to secure my system better.
     
  4. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Read your other thread and saw that you mentioned online banking. In this instance Linux could be helpful, in the form of a LiveCD or LiveUSB, since no malware that might exist on your system will be running in those environments. Boot your machine from a piece of Linux media, do your online transactions, and reboot back to Windows when you're done.
     
  5. ssecure

    ssecure Registered Member

    Joined:
    May 29, 2009
    Posts:
    23
    Yes, I considered live cds. Some ppl at ubuntu's forum thought that wasn't enough becos the live cds aren't patched and smone could use that to compromise the system. Also firestarter doesn't come on the live cd so you would have to use the default built in firewall. Would that present big security risk? Would that firewall make you more susceptible to redirecting or mitm attacks? Again no clue about firewalls so don't really know if that makes sense.

    I don't just need it for online banking, I need to also use it for other windows only programs that I can't afford to get compromised. So if the live cd can be a weak point to get in the HD then maybe I should avoid it. Do you think these points are a big concern?

    Also I've only been using linux recently so I guess it's a trust issue too....In windows I have all these programs to guard me lol.....and I'm such a newb in linux that I get worried I may get compromised cos I don't know how to use it properly.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,787
    No offense intended here, but... if you can't make the switch to Linux or Ubuntu (as you mentioned above), then why bother discussing it at all? You're more or less stating that you have to stick with Win, for whatever reasons. So just do your best to secure Win and leave it at that.

    Most people find Ubuntu extremely easy to set up and use, but again, if that's not a possibility, then it's fairly moot to discuss and/or compare the two.

    In general, Ubuntu is going to be far more secure and safe to use for almost all purposes as compared to Win.
     
  7. Arup

    Arup Guest


    Couldn't have put it better. In this case, it's better to implement LUA with DEP and use a good AV and stick to Win.
     
  8. ssecure

    ssecure Registered Member

    Joined:
    May 29, 2009
    Posts:
    23
    Well I don't plan to completely stop using linux, I may play around with live cds or use it in limited manner, not as primary OS. And there's no harm in discussing it.

    I know what lua is but what's lua with dep?
     
  9. Arup

    Arup Guest

    Data Execution Prevention, it can be implemented at hardware or software level. For hardware level the CPU has to support it and most modern CPUs do so. To enable hardware DEP, you need to do it via editing boot.ini
    http://support.microsoft.com/kb/875352
     
  10. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    Overkill follows:
    Install Ubuntu as your main OS - Lockdown AppArmor(/SELinux), IPtables(UFW), install Denyhosts, BitDefenderAV, Chkrootkit, turn off not needed services, secure openssh-server with only keys, setup static ARP Entries on the gateway, etc. then install virtualboxOSE, setup a LUA Windows XP Pro SP3 account with all the settings/programs from your other thread.

    Or

    Use windows with common sense, opendns and a good AV.

    Don't get me wrong I love Linux, but it is not for everyone.

    If you would like to switch and don't game, VirtualBox OSE is a nice alternative to having a windows partition eat up space on your disk.
     
  11. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I think a properly secured XP is as good as Linux.

    On my XP I have set up a whitelist of allowed executables using the software restriction policies (SRP) and also installed Deep Freeze. That means nothing runs unless I want it to and if by some ridiculous fluke, something does compromise my SRP, then it's gone after a reboot. Banking online after a reboot with Deep Freeze must be as good as a linux live CD.

    As for GRC, buy a router and forget the hassles.
     
  12. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,787
    All I will say to all that is install Linux and forget the hassles.... :)
     
  13. Arup

    Arup Guest

    It's secure but not hack proof, XP even fully patched has unknown exploits and holes which a Linux system is not prone to. Both can't be compared in this regard. With XP the layers you put on try and save you, Ubuntu and other Linux is secure out of box. This is a futile comparison anyways.
     
  14. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    Define "properly secured." To me, a "properly secured" XP system is one without a NIC.
     
  15. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Have you seen what it's like when an average computer user tries to use Linux without someone knowledgeable like yourself to hold their hand through the process?

    I managed to "convert" a friend to Kubuntu when her XP install failed (she lost her XP reinstall CD, and was desperate to get her PC working again). She tried to install it herself before I had time to go over, and it was disaster from the start with alien filesystems and mountpoints, and no C: drive. During the next few weeks I had to repeatedly coach her via phone and in person through all the basic stuff: printer doesn't work, how to install Flash and Java, where's the video chat in MSN, why aren't my Gossip Girl videos playing, can't restore my laptop from suspend, why doesn't wireless automatically connect, my MS Office documents look wrong, etc etc etc.

    I've gone through 3-4 distros myself trying to find a good alternative to Jaunty, learning and relearning stuff along the way, and I really don't see how installing Linux is a good way to "forget the hassles" unless you have someone else to do all the maintenance and configuration for you. It's either that, or be prepared to spend weeks, if not months, relearning all the things you used to do. Definitely much more work than just learning some basic security habits, which you'll need in Linux as well anyway.
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,787
    You're forgetting how difficult Windows is to the inexperienced as well, and how much more of a nightmare it is to install and deal with Win. I'd like to see your friend install XP and get everything working on her own there...

    But that wasn't my point. All of us here at Wilders are relatively experienced users or we wouldn't be here (for the most part anyway). My point was, given all the idiotic gyrations one has to go thru to even attempt to secure Windows, it's really much easier to just slap something like Ubuntu on and in an hour have something that's far more secure than Win will be even after you install all your so-called security apps and tweak it till it screams.

    You had a bad experience with Ubuntu that I don't think is typical at all. So you're biased in the other direction. Ubuntu for me has always been a dream, simple, easy as pie to install and setup, virtually zero issues. I think that's how it is for most who attempt it, else it wouldn't have the huge popularity and following that it does today.

    But let's for the sake of argument say that both Win and Linux require equal work and effort to install and set up. Linux will still be the more secure of the two, no matter how you slice it.
     
  17. Arup

    Arup Guest

    Everyone I have told to install Ubuntu has done so successfully, latest being my 13 year old nephew who will now never go back to Windows. Same goes for my 73 year old neighbor with no IT experience. Linux is secure out of box, Windows isn't, just by slapping an AV doesn't make Windows safer, in fact that's the main reason for all the vulnerabilities. People use unsafe, outdated AVs and think they are protected. Where does Linux need an AV, AS, HIPS etc. in an out of box installation?
     
  18. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    She's managed it before, actually. That was why she tried installing Kubuntu on her own before I had time to drop by her place. TBH she missed some rather obvious explanations the partitioner threw at her about the available options, but what got her stuck was trying to find the C: drive.

    What idiotic gyrations and security apps?

    The fact is it's just as easy to go overboard on Windows security as it is on Linux. Just because you see everyone running 6-7 security apps on Windows doesn't mean it's necessary - all I have on Vista is the Windows Firewall, a standard user account, and common sense. Approach the security issue by looking at the facts and finding what works for you instead of trying to emulate what the ignorant and paranoid masses are doing, and you'll see that it's not the monster you seem to be trying to depict it as.

    Uh, straw man argument alert.

    Sure, if you define 1% of the total Linux desktop market as huge. How much of that 1% does Ubuntu have?

    But as for your ease of use argument, I'll agree with that. For all the issues I have with it, I keep coming back to it after trying out other distros. So far it's got the best balance of functionality and aesthetics for me, and Googling for support is a hell lot easier than for some other obscure distro.

    I've seen that claim made repeatedly, but I've never seen it demonstrated via statistically reliable means. People point out how the masses keep getting infected in Windows, but unfortunately that ignores the fact that a large part of Microsoft's user base consists of the more-or-less computer illiterate, while the Linux user base is mostly self-selecting to consist only of knowledgeable users.

    Let's for the sake of argument say that both Win and Linux have the same market share and user demographics. Linux would lose its myth of security in a big hurry. Just look at Mozilla and Apple, who've been bashers of the security of Microsoft products before they started gaining any appreciable traction in the market, and suddenly finding that they're not so infallible themselves after all.
     
  19. Arup

    Arup Guest

    UH OH.....................WINDOZE FANBOI ALERT, watch out, trolling around Linux thread. Linux owns server and supercomputer market which is a far more lucrative market to hack than end user average Joe. If it has survived that and is the preferred OS of choice, it's infallible in every sense. What is MS's share in supercomputer or server may I ask, even they were using FreeBSD few years back for their Hotmail, good confidence in their own products.

    snip--please refrain from personal insults. Final warning
     
    Last edited by a moderator: May 30, 2009
  20. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    It depends on what measures are taken in XP. If you run on a LUA then this helps things dramatically. The problem with this, however, is that many apps will not work in XP under a LUA.

    XP has nothing equivalent to a SUID or GUID bit. The XP access controls are nowhere near as advanced or finely grained as the UNIX model (where you can control permissions on every file, directory, process, link, socket, etc.) XP has a "binary" model of either a limited user or an admin. The limited user controls cannot be adjusted in any way (I am not even sure what directories and files a LUA on XP restricts). With Linux one has the "rwxs" permissions that can be set and has the "user, group, other" model of access controls. Again, XP has no such controls; it's either an all or nothing proposition -- you're either admin or you're a limited user. There is no way to adjust the limited user's privileges or restrict the admin's. Every time I get on an XP box I am reminded at just how far behind the XP access controls are compared to Linux. No comparison.

    As for there being no malware in the wild for Linux -- this has nothing to do with the small market-share. It has to do with the reasons I outlined above. In other words, it's all about access controls. The truth is that viruses can easily run roughshod over an XP box, but a virus will have a very hard time spreading on Linux. Again, this is because of the DAC and the fact that Linux does not allow files to be executable by default. This stops the "accidental" infections that are common on Windows. You know, Linux has been around since the early 90's and UNIX has been around for 40 years. Neither OS has ever had a virus problem and this can't be blamed on market-share alone.

    I could explain in more detail, but there is no need for me to reinvent the wheel when this guy has done such a masterful job of explaining it.

    Now, that aside. One vulnerability XP and Linux will share is social engineering. The Linux DAC controls cannot stop a user from being stupid and installing a malicious package. On the bright side for Linux, however, is that most distros use a package manager, where thousands of packages can be downloaded from trusted sources. Windows has no such concept, it's all up to the user to go out on the web on his own searching for software. Secondly, it is difficult for a newb to install outside packages on Linux. With Windows, it is as simple as a double click. And Linux is more diverse than Windows (there are many Linux distros) thus it would be hard for a virus author to target but maybe a couple of distros with a single virus.

    *EDIT* I just read the rest of the OP's post and I just have to respond to some of it.

    Closed ports are not bad. The only difference is that a "closed" port sends a RST packet to the probing machine letting it know it's closed. Closed ports are no more vulnerable to attacks than "stealthed" ports. Linux has a very high quality firewall built right into the kernel-- IPtables. You can configure it any way you want it. The reason ports are closed is because the firewall flags might be set to:

    iptables -A INPUT -p tcp -j REJECT

    You can stealth by changing REJECT to DROP.

    Apples to oranges. Just because a third party firewall named "eset" is stealthed by default is because it was designed to do that. IPtables can be used for any application and often times some people want it to respond to ICMP or IDENT, etc.. If you don't like it, you can do what i said above, or you can use a front-end like firestarter. I really fail to see how this makes IPtables inferior to any third-party Windows firewall.

    Because IPtables provides much better logging options. It will log everything, including requests to and from the DHCP server and other stuff like that. Most of those "attacks" you are seeing are not port scans.

    No, you can't assume you are safe. The AV software industry is there to make money and they depend on malware. Their model of "catch it after it goes into the wild" dooms their model to failure forever. It simply isn't all that effective or efficient.

    "smone?" Anyway, yes a Linux system can be compromised, but it ain't going to happen through malware. Most of the successful breaches of Linux machines are through software exploits that are done via direct attacks. Servers are usually the main target for direct attacks and thus they should be updated daily. Servers should also run a Mandatory Access Control system like SELinux which pretty much will prevent most exploit attacks.
     
    Last edited: May 30, 2009
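
Added example (not part of the thread and not any poster's code): the point made in the post above, that most entries a firewall front-end reports are routine traffic rather than port scans, can be checked by triaging the log. The sketch assumes the key=value layout written by the netfilter LOG target; the sample lines, the 192.168.1.0/24 LAN and the five-port scan threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: the home LAN
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
FIELD = re.compile(r"(\w+)=(\S*)")  # key=value pairs; "OUT=" yields an empty value


def build_sample_log():
    """Constructed lines in the netfilter LOG layout (not taken from a real host)."""
    head = "May 30 10:00:00 host kernel: IN=eth0 OUT= "
    lines = [
        head + "SRC=192.168.1.1 DST=255.255.255.255 PROTO=UDP SPT=67 DPT=68",
        head + "SRC=192.168.1.1 DST=255.255.255.255 PROTO=UDP SPT=67 DPT=68",
        head + "SRC=192.168.1.20 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353",
        head + "SRC=192.168.1.30 DST=192.168.1.255 PROTO=UDP SPT=137 DPT=137",
        head + "SRC=198.51.100.7 DST=192.168.1.10 PROTO=ICMP TYPE=8 CODE=0",
        head + "SRC=198.51.100.23 DST=192.168.1.10 PROTO=TCP SPT=40111 DPT=445",
        head + "SRC=192.0.2.99 DST=192.168.1.10 PROTO=TCP SPT=40222 DPT=23",
    ]
    # One source touching six different TCP ports: the only real scan in the sample.
    for dpt in (21, 22, 23, 25, 80, 110):
        lines.append(head + f"SRC=203.0.113.50 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT={dpt}")
    return "\n".join(lines)


def classify(ev):
    """Label one parsed log entry by what kind of traffic it is."""
    dst = ipaddress.ip_address(ev["DST"])
    if ev["PROTO"] == "UDP" and {ev.get("SPT"), ev.get("DPT")} & {"67", "68"}:
        return "dhcp"  # DHCP server/client chatter on the LAN
    if dst.is_multicast or dst in (LIMITED_BROADCAST, LOCAL_NET.broadcast_address):
        return "broadcast/multicast"  # mDNS, NetBIOS name service and similar
    if ev["PROTO"] == "ICMP" and ev.get("TYPE") == "8":
        return "ping"  # ICMP echo request
    return "unsolicited"  # a packet aimed at this host that the firewall blocked


def triage(log_text, scan_threshold=5):
    """Return (entries per category, sources that hit >= scan_threshold TCP ports)."""
    counts = Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        ev = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO"} <= ev.keys():
            continue  # not a packet log line
        kind = classify(ev)
        counts[kind] += 1
        if kind == "unsolicited" and ev["PROTO"] == "TCP" and "DPT" in ev:
            ports_by_src[ev["SRC"]].add(int(ev["DPT"]))
    scanners = sorted(s for s, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return dict(counts), scanners


if __name__ == "__main__":
    counts, scanners = triage(build_sample_log())
    print(counts)
    print("port-scan sources:", scanners)
```

Of the 13 constructed entries, only the six from a single source count as a port scan; the rest are LAN housekeeping, one ping and two isolated probes.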
  21. Arup

    Arup Guest

    And don't forget, unlike Windows, there is no dll hooking in Linux.
     
  22. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Many programs won't work in Linux under a user account either. The solution in both instances is the same, you elevate privileges.


    Entire monster-length threads at various security forums have been dedicated to the study of XP access restrictions alone. I never bothered with those either in Windows or Linux, simply because I felt that the defaults were adequate. But saying that it's impossible is nothing short of uninformed at best.

    I feel no need to respond to an uninformed poster trying to pass off his own unsubstantiated, unverified, unproven and unreferenced theorycraft as facts. Utter and absolute waste of time. We've all heard the same bullsh*t theorycrafting from Apple and Mozilla; we're secure by design, we'll always be better than Microsoft, it's got nothing to do with market share, bla bla bla. Same old, same old. Only difference is that Apple and Mozilla have actually managed to get somewhere in terms of market share (and hackers finally got interested enough to expose their bs for what it was), while Linux is still... well, you know.
     
  23. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I don't believe the OP asked if windows was as secure out of the box or whether it was as secure inherently as linux. What I believe the OP asked was:

    I am assuming that the underlying question is "Can I do something to windows to stop me getting infected?" I gave just one of many examples of how to stop windows getting infected.
     
  24. Arup

    Arup Guest

    Then the answer plain and simple would be you can't eliminate the chances of getting infected in Windows.
     
  25. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    That's true........probably. :D
     