[linux-elitists] Netcraft reports Windows 2003 taking share from Linux

Jason Spence jspence@lightconsulting.com
Fri Sep 19 23:31:10 PDT 2003

On Wed, Sep 17, 2003 at 02:23:10PM +1200, David Mohring wrote: 
> On Wed, 2003-09-17 at 03:26, Larry M. Augustin wrote:

> > Has anyone spent time dissecting Windows 2003?  
> Only the security aspects of IISv6
> http://techrepublic.com.com/5208-6319-0.html?forumID=14&threadID=137511&start=0

I'm currently deploying Win2k3 all over the place for an industrial
control contractor.  I've written some custom management and
automation for it; I'm pretty happy with some of the new changes.  Not
so happy with the new pricing.  I keep discovering new features, but
the subset of features that I use so far for Real Work probably
wouldn't justify the price for our organization if the customer wasn't
paying for it, especially since the cost of IT labor for custom Linux
integration type stuff has fallen through the floor and then some...

> > I haven't tried it yet myself.  Anyone try running half a dozen
> > large sites with it?  I plan to bring it up on a couple of servers
> > to test.  What Windows 2003 features are making it acceptable as a
> > replacement for Linux?

What, the Linux kernel?  Well, NTOSKRNL.EXE and tcpip.sys provide some
of the stuff you get in vmlinuz... oh, you mean as a web server.
Uhhhh, well that depends on what you're doing.  As far as throwing up
static web content with nothing but a box and an OS CD, 2k3 is
probably slightly faster for anyone who doesn't do Linux for a living
or is using a Linux distribution with a very easy installation and is
specifically designed for web serving (e.g. a Cobalt RaQ).

Of course, that depends a lot on things like the quality of the
hardware, the drivers available (the GeForce, nForce, serial ATA,
fibre channel etc situation on Linux or the ACPI, motherboard driver
etc situation on Windows, for example), network connectivity, how many
patches you have to install (Linux definitely wins here in the Debian,
apt-rpm, up2date, or mandrake-update cases), BIOS reboot time, quality
of documentation, etc etc.  I've had Win2k/3 installations take both
10 minutes and several days; I've also had Linux installations take
both 10 minutes and several days :)

> With Win2k Microsoft reached a stability plateau. Windows 2003 is not
> that much better in either mid/low end server performance or stability.
> A number of added features in Win2k3 are IMO mostly vendor lock-in
> mechanisms. There is a lot of Win2k targeted software that Win2k3
> remains incompatible with, including a few Microsoft packages.
> Despite all that, Windows2003 is a little better in the security
> department, but that is comparison to Microsoft former offerings.
> Microsoft make much of the ease it takes to maintain their own products
> in comparison with Linux, but following their own guide to security
> would be a bit beyond a number of MCSE I know.
> http://go.microsoft.com/fwlink/?LinkId=14845
> Download and unzip the Windows_Server_2003_Security_Guide.exe
> http://go.microsoft.com/fwlink/?LinkId=14846

I completely agree with your assessment of the situation.  I can't
shake the feeling that there's actually two UI design groups at
Microsoft: one that keeps sticking nifty CLI tools in for hard core
engineers to use to Fix The Damn Box Right This Minute, and one that
designs silly feel-good click here to configure the web server type
stuff for managers and the poor schmucks I keep seeing with no real
world experience that get assigned to IT administration positions.

What I think happened is that a lot of people in the open community
(and many in the commercial/Microsoft camp as well...) were so
appalled by the festering cesspool known as Win9x that they were
completely turned off of Microsoft products and made an internal
decision to boycott their products forever and ever.  When the newer
OSs came out, they revisited the situation and saw the candy-cane
administration tools designed by the second UI group I mentioned, and
were again abhorred and swore it off again.  They never bothered (or
were forced) to look deeper to find the more engineer friendly stuff
like WMIC, cygwin, mingw, Open Watcom, or the DCOM privacy APIs.

> For servers, Bastille Linux does a better job with Redhat and Debian.
> http://www.bastille-linux.org/

Also take a look at Crispen's stuff from Immunix if you're running
Gentoo or compiling your own server packages (Apache is a common one).

> > From the Yahoo story:
> > 
> > "The encouraging thing for Microsoft is that [the usage increase] is showing
> > the world that there are some shared-hosting services on Server 2003," he
> > [Netcraft director Mike Prettejohn] said.
> You have to wonder what next months figures are going to be with the
> fallout from the most recent worms.

2k3 has a lot more internal barriers to system level attacks; I've
been disassembling chunks of the DCOM interfaces as part of the recent
attacks, as well as parts of the GDI+ and DirectX interfaces for
something else.  I keep seeing stuff like the "Locking problems!!!"
strings in tcpip.sys being removed as well as some of the less, um,
elegant APIs like the performance monitor DLL stuff having extra hoops
you have to jump through introduced to eliminate potentially
vulnerable attack paths.  Some of the really fundamental problems like
the "Create a process level token" privilege haven't gone away, but
using any vulnerabilities discovered is going to be much more of a
pain in the ass to develop, I think.  Of course, the attackers are
very determined, so many of these are really just feel-good bandaid
measures that may or may not reduce the vuln count over time.

They've also hardened the crap out of a lot of the application level
stuff like IIS 6, the default COM objects (they finally got rid of the
vbscript scriptable Winsock object - whatever retard put that in there
ought to be shot), the DACLs assigned to stuff like the SCM, etc.  The
IIS architecture is very very different from what they were using
before, so I think they've just traded one set of bugs for another,
smaller, harder to exploit set.  I certainly don't think such a
radically new architecture developed in isolation is going to have
zero vulnerabilities...

Of course, there's going to be plenty of hapless uninformed fruitcakes
happily installing totally vulnerable web based applications on their
shiny new 2k3 servers, and they totally deserve whatever happens to
them.  Especially once we get legislation passed to, um, curtail that
kind of behavior :)

Introducing custom APIs to replace security risks like sprintf() and
gets() is just blatant vendor lock-in though, and it really pisses me
off.  I use Windows... but not *only* Windows, dammit.  What is this
_snprintf() bullshit?  I don't want to have to keep track of several
hundred different vendor idiosyncrasies in the various CRTs I use.
Keeping track of the differences between MIPSPro, SunPro, DEC C, gcc,
and the various DSP and microcontroller compilers is saturating my
memory as it is :/

 - Jason                            Currently at: Somewhere on the Internet ()

Real Users hate Real Programmers.

More information about the linux-elitists mailing list