Full Disclosure mailing list archives

RE: M$ Getting Better?


From: Todd Burroughs <full-d () parsec net>
Date: Tue, 22 Jun 2004 03:12:42 -0400 (EDT)

I for one, DO have experience in both Windows and Unix system administration, and every one of our internet-facing 
machines is running Linux.  Why?  Because for me they are easier to secure.  I can turn off any services that I don't 
need, I have a fully-functional firewall on every box, and I don't have to reboot once a month to stay secure (all 
updates are currently automated, only kernel vulns need a reboot).

From my experience, we reboot our Windows servers daily or more often
just to keep them running.  (They are very busy.)  It's a given that we
have to reboot when doing updates.  We don't usually have to reboot to
do updates with Linux or *BSD, unless we replace the kernel or libc,
which is much more rare.  (OK, the Linux kernel has been bad lately ;-)

Basically, we run a bunch of load balanced Linux boxes and they don't
get rebooted much, except that we've designed and implemented a system to
install them automatically, so we reboot them for security updates because
it's easier (re-installs everything that is different), but then they
basically reinstall themselves.  It's simple, we don't have the unique
binary registry to deal with, just the config files that are common to
all similar servers.  This is not possible with Windows as far as I know.
(I know there's some third-party stuff that might make it work, but it's
$$$ and probably second-rate software.)

On our Windows side, we have two servers to handle each group of users
(websites).  Our load balancers failover to one or the other.  Each of
these handles a max of 1000 domains.  The Linux servers have over 100,000
domains each and balance among a lot of servers.  This is not possible
with Windows (maybe by paying a *lot* of money it is, I don't know).

We have not figured out how to make a Windows box install and come up
serving web/mail with no human intervention, but we do that with all of
our Linux boxes.  When we lose a hard drive on a blade server, we replace
it and turn it on, it installs and comes up doing mail/web or whatever.

We also do not have any Windows boxes directly facing the Internet,
it's too dangerous.  They're all hidden behind firewalls, etc.  We have
hundreds of Linux and FreeBSD boxes directly on the 'net though.  It's a
pain to keep them safe, but it's not hard compared to Windows.

Sorry, but the MS system is not secure and not easy to secure or
administer on a large scale.  I prefer Linux and don't particularly like
MS, but I use whatever makes sense.  I'm not a "fanboy" for anything.

Todd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
