Security no matter what the OS

I’m a public supporter of Microsoft Windows, but I also use, respect, and support other operating systems. I’ve been an AS/400 administrator for nearly 20 years. I thought the AS/400 would be long gone by now, but what it does, it does well. I use several flavors of Linux, FreeBSD, and OpenBSD. I even do a little hacking and defense teaching using Sun Solaris.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

So it’s my 20 years of professional experience with a wide variety of OSes that leads me to believe that Windows is just as secure as any other popular OS, if not better, despite knee-jerk criticism to the contrary.

The truth is that all OSes and applications contain exploitable vulnerabilities. If you don’t follow general computer security guidelines, you’ll be at more risk. If you follow the vendor’s recommendations and keep your systems patched, you’ll be less at risk. And if your password is "password," no amount of security will protect you.

Last week, I was helping a new client support their mixed Microsoft and Linux shop. The on-site administrator hated Microsoft and Bill Gates. All his servers were Mandriva Linux, except for the one IIS 6 server he “was forced” to support because of a needed application.

As I normally expect when working with many Linux zealots, he spent our days together dogging Microsoft and Windows at every opportunity. He is absolutely convinced that Windows security is terrible, even though he is “forced” to run Windows on the client desktops.

He tried to replace the Windows clients with Ubuntu, but the “stupid users were too stupid to use OpenOffice.” He did reluctantly agree that there were file formatting issues and education issues (he provided no beforehand training) that ultimately led the users to revolt during the switchover.

Like most Linux administrators I deal with, his environment was highly insecure. Just because you don’t like Windows doesn’t mean you're free to ignore basic computer security principles.

It took me 5 minutes to find dozens of gaping security vulnerabilities. His Cisco PIX firewall was running code many years old. (As a matter of fact, I haven’t come across a PIX in nearly a year that had up-to-date code.) He also ran several Secure Computing firewalls, all of which contained old code and wide-open, misconfigured firewall rules.

Half of his Linux servers were running old, vulnerable kernels. His Web servers were years old and full of flawed PHP scripts. His Windows workstations were all Windows 2000 Professional, unpatched, and without any automated patching solution. All Windows clients ran Firefox 1.0 and Thunderbird, both unpatched. Nearly every piece of software I could find was old and unpatched, whether running on Linux or Windows. His Barracuda Spam Firewall appliance was unpatched, and remained unpatched even after I told him that updates were available.