[Dshield] OS Comparisons

Roger A. Grimes roger at banneretcs.com
Wed Nov 16 06:58:40 GMT 2005

I can't comment on the Linux stuff, but your analysis seems fair. On the
Windows side, during an out-of-the-box install of
Windows XP Pro SP2 and Windows Server 2003 SP1 (the current versions),
both firewalls and all patches are applied as a part of installing the
OS. Both OSes ask if they can download and install all new patches and
enable Automatic Updates to download the same. If the user chooses the
defaults, all patches are installed by default, so calling this the
out-of-the-box install configuration would be accurate. Further, W2K3
SP1 won't allow, by default, any connections other than Windows Update,
until all the patches are installed. So calling a fully patched Windows
system an out-of-the-box install is fair because if anyone, including a
home user, installs the product by accepting all defaults, all patches
are installed. Interestingly, it also means that XP will probably be
installed with user accounts with blank passwords, although they cannot
be accessed over the Internet or network.


*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), TICSA, CEH, CHFI
*email: roger_grimes at infoworld.com or roger at banneretcs.com
*Author of Honeypots for Windows (Apress)


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of jayjwa
Sent: Tuesday, November 15, 2005 3:10 PM
To: Dshield Mail List
Subject: [Dshield] OS Comparisons

Several lists back, someone was wondering if there was ever a test done
of the security of various different operating systems in their default
setups. Today while I was searching for something else, I came upon this


The idea of the test was to take various operating systems, set them up
as they'd be "out of the box", and then run some security scanners
(Nessus, Nmap, etc.) on them to see what shows up. It's pretty interesting, but one
thing I noticed about the systems is that some of them seem to be more
heavily disadvantaged in the tests, namely the Mac OSX and Linux
systems. For example, the Windows systems all got their SP's and had the
privilege of hitting Windowsupdate before the tests (not really what I'd
call "out-of-the-box", then). After their OS versions are listed you can
see "SP1", "SP2" for example, and the author has written "WinUpdate" after
that. The Linux names show up like this example, "Slackware 10", with no
mention of other modifications.

With the Linux and Mac, he's gone into inetd.conf and enabled stuff
which would normally be disabled (for example, Slackware 10 does not
come with Bind9 running or enabled) like smtp servers, RPCs (!), and
even time servers for good measure. The reasoning he gives for this is
to simulate what services would normally be running. IMO, if a system
ships without certain services running, then that IS the default, but I
can understand his choice for doing this.

OK, so maybe it's not an entirely level playing field. Still, you
might like to see how the various systems compared against each other.

    / /     __  __  __  __  __ __  __  mail me for my *
   / /__   / / /  \/ / / /_/ / \ \/ /  * email address.
  /_____/ /_/ /_/\__/ /_____/  /_/\_\ ::[ATr2 RG 2005]::
IF you have to request that people contact you via a WEBFORM
because you've blocked off virtually all smtp-sent email from
your own MTA  ...You just might be guilty of DNS-RBL abuse.
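The post above hinges on what a distribution actually enables in inetd.conf versus what a tester switched on by hand. A defender checking a fresh install wants the same distinction made mechanically: which inetd entries are live, and which of those go beyond the shipped baseline. The script below is an added example for this thread, not code from either poster; the sample inetd.conf and the "shipped default" service set are constructed for illustration and do not describe any real distribution.

```python
"""Audit which inetd services a host exposes versus its shipped defaults.

Added example for the discussion above (not part of the original thread).
inetd.conf entries have the form:
    <service> <socket_type> <protocol> <wait|nowait[.max]> <user> <server> [args...]
A leading '#' disables an entry. The sample file and SHIPPED_DEFAULTS below
are constructed for illustration, not taken from any real distribution.
"""

FIELDS = ("service", "socket_type", "protocol", "wait", "user", "server")
SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}

# Constructed sample inetd.conf: a few entries left as shipped, two enabled by hand.
SAMPLE_INETD_CONF = """\
# Constructed sample inetd.conf (not a real distribution file)
time    stream  tcp  nowait  root    internal
#ftp    stream  tcp  nowait  root    /usr/sbin/tcpd      proftpd
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd      in.telnetd
smtp    stream  tcp  nowait  root    /usr/sbin/tcpd      smtpd
sunrpc  stream  tcp  nowait  root    /usr/sbin/rpcbind   rpcbind  # enabled by hand
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd      in.fingerd
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd in.identd
"""

# Constructed baseline: what this hypothetical distribution ships with enabled.
SHIPPED_DEFAULTS = {"auth", "time"}


def _looks_like_entry(parts):
    """Distinguish a (possibly commented-out) service line from a plain comment."""
    if len(parts) < len(FIELDS):
        return False
    if parts[1] not in SOCKET_TYPES:
        return False
    # The wait field may carry a rate limit suffix, e.g. "nowait.40".
    return parts[3].split(".", 1)[0] in ("wait", "nowait")


def parse_inetd_conf(text):
    """Return one dict per entry, including disabled (commented-out) ones.

    Disabled entries are kept so a reviewer can see what the file could enable
    with a one-character change; trailing comments on live lines are dropped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        body = body.split("#", 1)[0].strip()  # strip a trailing comment
        parts = body.split()
        if not _looks_like_entry(parts):
            continue  # an ordinary comment, not a service definition
        entry = dict(zip(FIELDS, parts[: len(FIELDS)]))
        entry["args"] = parts[len(FIELDS):]
        entry["enabled"] = enabled
        entries.append(entry)
    return entries


def enabled_services(entries):
    """Sorted names of services inetd would actually start."""
    return sorted({e["service"] for e in entries if e["enabled"]})


def services_beyond_baseline(entries, shipped_defaults):
    """Enabled services that the shipped default configuration did not enable."""
    return sorted(set(enabled_services(entries)) - set(shipped_defaults))


if __name__ == "__main__":
    parsed = parse_inetd_conf(SAMPLE_INETD_CONF)
    for e in parsed:
        state = "ENABLED " if e["enabled"] else "disabled"
        print(f"{state} {e['service']:<8} {e['protocol']:<4} {e['server']}")
    print("enabled:", enabled_services(parsed))
    print("beyond shipped defaults:", services_beyond_baseline(parsed, SHIPPED_DEFAULTS))
```

Run against a real host's /etc/inetd.conf (read the file instead of SAMPLE_INETD_CONF) and the "beyond shipped defaults" list is exactly the set of services a test like the one discussed would be scoring the system on that the vendor never turned on; the baseline set for a real distribution has to come from that distribution's pristine file, not from the constructed one here.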