The fact of Operating System Security regarding frameworks is a little bit more than
just a kernel type issue. Individually each of the frameworks do have their compliant
security mechanisms. The multi-user account specification within Microsoft Windows
does allow a bit more flexibility in terms of mass deployment however with Linux you
have the ability to control down to the tee -- the ins and outs of permissions and
delegation.
The .NET Framework security level mainly has to do with your group policy, powershell
andnetsh console settings. The reason being is kernel telemetry at low level access
parameters with dynamic access requests in memory. Linux frameworks often require a
similar level of attention, but it mainly has to do with the flags that you specify
when you are configuring the language. Linux when properlly configured is proven to
be more secure than Microsoft Windows configured security. Though at a "decent" level
of configuration; tools can slip straight through your IIS and dip right into your
services by using a specific GUID. Overall Linux allows more aspect control than
Major Points:
inodes and NTFS index primers and permissions in Windows (including registry)
are easier to sift through than an EXT hardnened Linux
protocol traversal within Linux for exception handling are easier to find
than a solid configured Windows Firewall.
cache indexes within ASP.NET are easier to violate than cache management
technologies which are well handled within GNU and C++ libraries
they are practically built for parallel systems now.
SQL parse queries, have been proven over and over again; MySQL is faster.
than MSSQL, though Oracle has been pushing the belt. Transactional
security is proven to be more secure on Windows, but for performance
and sheer flexibility shows that MySQL should be used or something
along the lines of a iSQL or NSQL (not SQLAB like Berkeley SQL which
MSSQL is based on)
Gateway permissions, Linux has an amazing ability to fondle packets and tiny
little things that Windows can only put into sorting bins. This being
said, if you are running a Windows network, you have more network auditing
than a Linux network because the packages are easier to apply walls to
than DLL files and protocol requests.
Surface layer GUI, .NET Framework offers strict field definitions; while Linux
allows intense PCRE and other Regular Expressions.
Government Statures:
OWASP proves over and over again that it is harder to crack a hardened Linux Server
than it is to crack a hardened Windows Server. Why? Because the firewall and Group
Policy does not allow as far a tuned key for aspects of the closed source framework
within ASP.NET; Linux will let you choose a color for every letter on your command.
NIST Shows over time that SQL management permissions are harder to parse with Windows
while Linux PCRE makes it harder to bypass SQL queries whether it be within a GUI or
a Web Interface.
Carnagie Mellon shows that ASP.NET can hold higher regulations because it is built
in a more module based context which employs the use of MVC frameworks and can potentially
have a higher restriction. Meanwhile PHP and Java show that they are incredibly robust
with their Obfuscation and encapsulation methodologies.
Personal Opinions:
Each Operating System has the potential to be more secure than the rest out of the box.
Taken the raw comparison of frameworks which operate at a higher security with Linux or
Windows I would have to say that the main part of web security is using the most
incompatible but efficient framework. This way it becomes much harder to latch onto
the native hard-drive access permissions and the library handles. This way you have
somewhat a welded bowl ontop of your operating system. As Evan had said with NTFS and
/proc or /dev permissions. If you use something that can't talk to it; its harder to crack.
What I have learned from web development is, never underestimate your framework.
.NET has permissions to make shared mounted volumes and control mechanisms for
SQL Server clusters; while Apache Source can do the same thing with Operating Systems
using Linux. It is a pretty decent question though I would have to say, Linux allows
more security on individual aspect control and multi-language restrictions and monitoring;
while Windows has the extensive power of auditing and logging with a high level logic
debug interface. Both of them are compareable, it eventually narrows down to a "how well -
do you lock it down" and "how many bells and whistles are there?" within the framework.
Apache has more add-in security boosts; IIS has dead stop or all run permissions with ASP
which make it a give and take on module programming (Sharepoint for example).
At the current moment compairing PHP on Linux or Windows, it is quite obvious that
there are more extensions you can use within a Linux Operating System; Windows has
a different permission management level over PHP which makes it harder to manage
directories and file access. Within Apache for example XAMPP, LAMPP or WAMP I would
feel that Windows is a little less secure considering the fact that its restrictions
on the firewall are easier to violate because it shares the same tunneling rules
as your web browser. Linux on the other hand can use app pools and further packet
level security mechanisms that are much more complicated to emmulate. Windows
would require you to use all aspects of the operating system to make the networking
more secure. Linux can fix it by using about %60 of the operating system when using
distributions or flavors like CentOS and Ubuntu.
IIS (On a Microsoft Server, not Windows Client) on Windows with ASP.NET with the
latest SEC_ATL mixes can also be very secure.
Just Apache alone, you may want to run it with Linux to enable the higher and
lower level driver, SMIME, codec and packet level securities. While Windows would
require you to install overlaying security mechanisms that would otherwise clog your
traffic down a little bit more than you may like if it comes to running thousands of
servers.
With Linux, the more slimline the kernel is and more optimal for net security it is
the better (like fusing in Apache with NSLUG).
With Windows you better like programming Powershell modules and aditional overlaying
security for your ASP.NET framework and configuring your group policy to USGS because
most of the time it really does need it to shut out the kind of traffic that Linux
will automatically deny and not think about.
Equally they can be strong. Out of the Box a live distribution of Linux will be stronger
than an un-configured Microsoft Windows Server just set up with the Wizard.
Over time, Linux will outrun Windows in the security game. Debian 3 servers are still
stronger today than Microsoft Server 2008 R2 out of the box and guess what they can
support the same technologies without a kernel rebuild. Debian can still smoke it,
and I have seen this with my own eyes.
Though as it has been said before I'm sure. It comes down to the staff you work with
and your eye to detail. That always makes the biggest difference when it comes to
working in a large server network.