On Wed, Jun 25, 2003 at 09:31:08AM -0700, Chris W. Parker wrote:
>
> I'm trying to sell my boss on replacing our Win2k IIS web server with
> a RH8/9 Apache server. Although it's my understanding that Linux is
> more secure than Windows I really don't have much to point out in
> defense of that idea.
>
> Please list for me reasons why you believe (or know for a fact) that
> Linux is more secure than our current setup. Let's assume two
> different situations: 1. Out of the box with a standard install, 2.
> Standard install, fully patched.

One of the key differences between IIS and Apache is the way the web server is started. On Windows, the web server runs under local user SYSTEM, and has FULL access to every resource on that system. This means that if the web server is penetrated (and many have been in the past), the attacker has full access to the system, allowing them to further compromise your system with trojans, viruses, and DoS attacks.

On Linux, however, the web server almost always runs under a non-privileged account. If Apache is penetrated, the worst the attacker can do is run non-privileged code - they may access web server files and world readable and writable files, but they won't be able to modify your system binaries nor startups.

You can make both IIS and Apache secure for now. How secure they stay is dependent on how often you keep yourself updated and how many future holes are found in the web servers.

You didn't talk about Apache on Windows and this is (I believe) a viable alternative to IIS on Windows.

--
Ed Wilts, Mounds View, MN, USA
mailto:[EMAIL PROTECTED]
Member #1, Red Hat Community Ambassador Program
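
The account separation described in the reply can be checked on a running host. The following is an added example, not part of the original thread: it reads `ps -eo user,pid,ppid,comm` style output and flags any request-handling Apache worker that runs as root. It assumes the Red Hat defaults of a process named `httpd` and an `apache` account, and it accounts for the parent process staying root so it can bind port 80; the sample process tables are constructed.

```shell
#!/bin/sh
# Added example: classify httpd processes by the account they run under.

# Constructed sample: root parent, workers dropped to the apache account.
SAMPLE_OK='USER PID PPID COMMAND
root 1 0 init
root 812 1 httpd
apache 815 812 httpd
apache 816 812 httpd'

# Constructed sample: a worker that kept root privileges.
SAMPLE_BAD='USER PID PPID COMMAND
root 1 0 init
root 812 1 httpd
root 815 812 httpd'

# audit_httpd_users [name]
# Reads "USER PID PPID COMM" lines on stdin and prints one line per
# matching process: "<pid> <user> <role> <verdict>".
# Returns 1 if any worker (a process whose parent is also httpd) is root.
audit_httpd_users() {
    awk -v name="${1:-httpd}" '
        $4 == name { user[$2] = $1; ppid[$2] = $3; order[++n] = $2 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                pid = order[i]
                # The parent binds port 80 as root; its children serve requests.
                role = (ppid[pid] in user) ? "worker" : "parent"
                verdict = "ok"
                if (role == "worker" && user[pid] == "root") {
                    verdict = "PRIVILEGED"
                    bad = 1
                }
                printf "%s %s %s %s\n", pid, user[pid], role, verdict
            }
            exit bad
        }'
}

# Demonstration on the constructed sample; on a live host use:
#   ps -eo user,pid,ppid,comm | audit_httpd_users httpd
printf '%s\n' "$SAMPLE_OK" | audit_httpd_users httpd
```
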