SAN FRANCISCO - Believe it or not, a Windows Web server is more secure than a similarly set-up Linux server, according to a study presented yesterday by two Florida researchers.
The researchers, appearing at the RSA Conference of computer-security professionals, discussed the findings in an event, "Security Showdown: Windows vs. Linux." One of them, a Linux fan, runs an open-source server at home; the other is a Microsoft enthusiast. They wanted to cut through the near-religious arguments about which system is better from a security standpoint.
"I actually was wrong. The results are very surprising, and there are going to be some people who are skeptical," said Richard Ford, a computer-science professor at the Florida Institute of Technology who favors Linux.
Their research could contribute to the debate about which system costs more for companies to operate. Linux costs less to acquire, but Microsoft is trying to convince buyers that its software is less expensive to run and manage.
The researchers said security management is a key factor in the cost of running any system. "We need a real factual comparison here," said Herbert Thompson, the other researcher. He is director of security research and training at Security Innovation, a company that provides security services and technology. "There's so much speculation on the Web, newsgroups, from certain presenters on an RSA stage, we need real solid facts."
They compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft's on one, the open source Apache on the other).
Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued.
On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found.
"That's a very surprising statistic, and I must say the first time I saw this statistic I thought you messed with my database," Ford said to Thompson. Their presentation started jokingly, with Ford reeling off Windows jabs and praising the virtues of freely shared software that's developed collaboratively over the Internet.
But they concluded with statistics showing that the Windows setup had a clear advantage over the Linux alternative.
The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features.
Ford said the idea was to represent what an average system administrator may do, as opposed to a "wizard" who could take extra steps to provide plenty of security on a Linux setup, for instance.
The presentation was a preview of a report they plan to issue in 30 days.
