A Comparison of Operating Systems and Web Site Security
Part 3 of 7 of an article on Web Site Security by Steve Avery MSc BA
"Simple is best." Often true, but not always practical. "The more complex a system is, the more there is to go wrong." This applies to a computer operating system as much as to a car, and the security aspect of an operating system is no exception.
Nevertheless, some operating systems are more secure platforms for Web servers than others.
As suggested earlier, the more flexible and powerful an operating system is, the more vulnerable it is to attack via its Web server and, indeed, its other servers.
Although Unix aficionados might cringe at this statement, Unix systems, with all their integral servers, services, text editors, scripting languages, interpreters, etc., are very vulnerable, simply because there are so many entry points that can be exploited by hackers. On the other hand, less sophisticated systems, like a Macintosh or a purpose-built Web server machine, are more difficult to compromise. Taking it to the extreme, the most secure Web site would reside on a basic Macintosh with a basic Web server.
Of course, it is very unlikely that anyone would opt for a Mac for the sake of security, and sacrifice the superior performance of a multi-tasking operating system such as Unix or Windows NT, not to mention the additional functionality of middleware control and database transactions that these offer. Unfortunately, holes are continually being found in the security of both the Windows NT Server and Unix operating systems.
Between the two, the Unix operating system is generally more secure than Windows NT. The reason is twofold. Unix has been around for a very long time, and the serious bugs have been found and fixed. Furthermore, the Unix user account and file systems are far simpler. There is therefore less likelihood of human error or poor judgment when configuring them. Provided that the system is well configured, with security updates applied as soon as they become available, a Unix system is likely to be more secure than a Windows NT system.
Human error and poor judgment have already been mentioned. When choosing an operating system for a Web server, an assessment of the expertise of the people responsible for its operation should be made. A Windows NT system configured and maintained by an experienced Windows NT system administrator is likely to be more secure than a Unix system administered by an inexperienced Unix system administrator. If an external hosting company is used for the Web server, and more than one operating system is offered, it is advisable to find out whether there is technical staff dedicated to only one or the other, rather than staff with general expertise.