Is Microsoft Windows Security a Myth?

This is Sushruta’s submission for the HP Magic Giveaway. Feel free to leave comments for this article as you see fit – your feedback is certainly welcomed! If you’d like to submit your own how-to, what-is, or top-five list, you can send it to me. Views and opinions of this writer are not necessarily my own:

Any Linux geek would tell you Linux thrashes Windows in more ways than one. But does it? And why? What makes a system better than another? At this stage, are they even different at all?

If there were no Windows vs. Linux battles, the geek life would have been notably duller. Technology forums would inevitably get boring, and life would generally never be the same. The most contentious issue, of course, is security — Windows is notorious for not having much in that department. However, Vista is loaded with a bunch of new security measures, and claims to be able to thwart malicious software better.

What makes an operating system more secure? The way it’s built, of course. And that is the question we’re asking. But first, some myth-busting.

The biggest security breaches occur when malware is allowed to run on your system with elevated privileges — which means that it has access to critical programs and data that only your system’s kernel should have. Once it’s reached that level, your PC becomes its humble servant, and can be brought down at the slightest whim. Who gives this malware its privileges? Well, you do.

With Windows XP, the person who installs the operating system becomes the Administrator, so if you’re the only one using your PC, you’ve got the privileges to wreak all sorts of havoc, should you choose to. Consequently, any application you install and run is also accorded the same royal treatment, no questions asked. Now add to that the fact that Windows’ system services run under a user account called SYSTEM (you can check this out in the Task Manager)—the most powerful account on your system, with access to everything critical—and that the first processes that malicious programs hijack are system services. You’ll be drawing pretty accurate conclusions by now…

Vista, thankfully, changes this. The user who installs Vista is still part of the Administrators group, but even this administrator runs with regular, limited privileges. When administrative tasks—including installing new programs—need performing, User Account Control (UAC) kicks in, telling you that you need to give the task a go-ahead before it, well, goes ahead. If you read the UAC prompt and don’t know the program it’s warning you about, you can prevent it from running. But what if you’ve blindly allowed the task to continue?

Services in Linux run as separate users, with access only to files that they own; more often than not, they don’t even have the rights to use the terminal, so they can’t run commands or start other services. This is where the multi-user approach comes in handy again—since users are isolated from each other, services can’t access the data used by other services. The Apache server, for instance, runs as a user called www-data, which only has access to the Web pages it serves. If a hacker exploits an Apache vulnerability to get into the www-data user account, he can’t really do much to the other services, because www-data doesn’t own those files. He can, however, mess with Web pages, so while this isn’t a doomsday scenario, it’s certainly not ideal.
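The isolation described above depends on service accounts such as www-data having no usable login shell. As an added example (not part of the original article), this shell function audits a passwd-format file for system accounts that can still get a shell and for extra UID 0 accounts; the sample data, the function names and the 1-999 system UID range (a Debian-style default) are assumptions.

```shell
#!/bin/sh
# Added example: audit passwd-format data for weakly isolated accounts.

# Constructed sample in /etc/passwd format:
#   name:password:uid:gid:gecos:home:shell
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# audit_passwd [FILE]   (FILE defaults to "-", i.e. standard input)
# Prints one finding per line:
#   SHELL <name> <shell>  system account (UID 1-999, assumed range) whose
#                         shell is not nologin or false
#   UID0  <name>          account other than root that has UID 0
audit_passwd() {
    awk -F: '
        # Skip comments and malformed lines.
        /^#/ || NF < 7 { next }

        # Any second UID 0 account has the same power as root.
        $3 == 0 && $1 != "root" { print "UID0", $1 }

        # A service account should not be able to start a shell.
        # An empty shell field means the login program uses /bin/sh.
        $3 >= 1 && $3 <= 999 && $7 !~ /(\/nologin|\/false)$/ {
            print "SHELL", $1, ($7 == "" ? "/bin/sh" : $7)
        }
    ' "${1:--}"
}

# Audit the file named on the command line (for example /etc/passwd),
# or the constructed sample when no file is given.
if [ -n "${1:-}" ]; then
    audit_passwd "$1"
else
    sample_passwd | audit_passwd -
fi
```

On the constructed sample, www-data passes because its shell is `/usr/sbin/nologin`, while `backup` and `toor` are reported.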

What is the scope of the damage it can do? Again, with both Linux and Vista, damage caused by malware is restricted to the service it exploits, and the files that the service can access. What happens when the malware goes about its dirty deed? With Vista, if a critical service—like the Remote Procedure Call (RPC) service—is compromised, all manner of chaos may ensue. Every application under Windows needs to use RPC, so you’re sunk without it. With Linux, services aren’t as tightly integrated with the OS, so while your Linux PC can be crippled—some applications won’t run, you may not have network access and so on—the kernel is still safe, which means that with a little root wizardry, it can be brought back to life again.

Bottom line: for daily desktop use, both systems are equally secure — but if things do go wrong, they go more wrong with Windows.

55 thoughts on “Is Microsoft Windows Security a Myth?”

  1. You made some good points.

    Unfortunately, Vista’s UAC is no good at all for me.

    If I delete or move 1,000 files, UAC asks me 2,000 times if I’m sure I want to do it.

    I don’t need that kind of protection.

  2. Wow, that is a great article. I definitely learned something new, or more like I learned a few new things. You really know your stuff.

    I have to agree with Ron: Vista’s UAC is garbage. I just disable it.

  3. Very good article. Before this, I never understood how Linux operating systems are rated safer from Mac and Windows. I assume Mac is similar to Windows, but I might be wrong. The Windows UAC might become annoying for pro or higher Windows users, but since beginners or new-learners don’t have the knowledge on how to disable the UAC, it does protect them from malware and other potential dangers. More educated Windows users can tell where not to go or what not to download. For example I did so much research on viruses and figured out ways on how to use Windows is that I don’t need the UAC and still make it through without any dangerous programs. Once again very well written and very interesting article. I recommend it to others.

  4. Nice article man. 😉

    Security doesn’t really worry me all that much, as I have quite good anti-viruses. I would be open to use Linux if it had better game support, but until then I’m rolling with Windows.

  5. GREAT article. The first thing I did when I installed Vista was to disable UAC. I just don’t like it. I like to control things myself! 😉

  6. Excellent article, Sush. If it wasn’t for my penchant for gaming and my inability to type, I think that I would have switched over to Linux years ago.

  7. Well written!!! I think we’ve gone a long way with the introduction of Vista and things can get only better as it continues to improve. XP, although it had/has its advantages, was a security pain for the average Joe.

  8. Running Windows XP with LUA accounts totally cripples most malware, unless you’re unlucky enough to get hit by one with the system in an unpatched state. Most of the problems nowadays are with third party stuff like Acrobat Reader, Flash, Quicktime, etc.

    Whenever I set up a Windows XP system, I always set up a local admin account and then however many user accounts needed as limited user accounts. Train the person to run in the user account and right-click Run As for those programs boneheaded enough to still require being run as “Power User” (Windows 95 mode) or “Administrator” (Windows 3.11 mode). The mode ratings are what I think of the retrograde programming skills of the people creating them. Administrator accounts should only be run to apply upgrade patches.

    Really good article!

  9. Yeah, I agree with you there Sean, but in my case I would prefer to run the Administrator account every time whenever I would like to upgrade or even install something. Nice article btw.

  10. This is a lesson in how an OS works and why one is more vulnerable to malware than another that even I can understand.

  11. I can see why Linux is more secure, but I must confess that, while I could use DOS fairly well 20 years ago, commandline work is not something I want to get back into.

  12. Setting up Ubuntu requires some work, as I understand. And if I want the best inking, Vista is the way to go. Cheers for the article.

  13. I turned my UAC back on six months ago. It was not very disturbing for me because it only pops up while installing or uninstalling programmes.

  14. I don’t like Linux at all. I think most programs I use are not compatible with Linux. So, I would better stick to Windows. Nice briefing though.

  15. I can live with that just fine. Thanks for taking the time to write this. Vista isn’t so bad as some people were trying to make it. I am using Vista and I can say Vista is more secure & safe than any other operating systems.

  16. Nice article, I consider myself a geek, but I still managed to learn some new stuff.
    And I agree with some previous posters, UAC is too annoying, which gets it turned off, or people just blindly click yes every time it turns up.
    I still won’t switch to Linux though, I need my gaming fix.

  17. I would prefer keeping it on because sometimes malware may get installed without any notice. If you keep UAC off, you may not get any kind of warnings, but if you keep it on, it will ask you if the program should be installed or not.

  18. I’ve installed Fedora once but found that it was nowhere near as good as XP or Vista. I am a noob in Linux & I think Windows will be better than Linux always. How many games can a Linux OS support?

  19. I tried Ubuntu once & really liked it but I couldn’t make a dual boot with Vista. So, I had to remove it.

  20. I do agree with some people here. UAC is much more annoying than I had thought before installing Vista. I know what my programs are & I can better take care of them myself. I don’t need UAC. I hope Windows 7 will solve this problem.

  21. I agree that things go wrong more with Windows. I had Linux first but my HDD kept crashing every 5-6 months. Now I am using Windows XP & everything is fine. Nice article.

  22. I consider myself a pro gamer. So, in my opinion, Windows is better than Linux any day, but I have to agree Linux is more solid than Windows.

  23. I don’t think the article is about which OS is better. I think it’s only the comparison of the security features between them. Anyhow, good writing pal.

  24. I agree with others here. UAC needs to go. I know my stuff better than MS. So, I don’t anything which pops up here & then telling me what to do or what not to do.

  25. Well good summary, If you people recall. XP Before SP1 Sucks Big Time too. Lots of BUGS ^^.

    XP Became great after sp2, Vista is too FAT for my liking still it proves hogging system resources too.

    After Up Grading my PC to Higher Specs (CPU/RAM/HDD) I Slowly get use to Vista, the only thing I find it a waste was lots of software supported from XP not brought forward to Vista.

  26. Great article!

    This is yet one more reason to switch to a Mac. The mac OS is a tweaked version of the Unix/Linux kernel so the security issue on Linux is the same on Mac, thus making it more secure than Windows. This isn’t “new” information for me being a Linux guru, but it’s a comparison I never thought of before….thanks! 🙂

  27. Very informative article. I’m amazed how many people do little to keep their computers safe from outside interference, and then are shocked when they suddenly become infected with a virus etc.

    I have dabbled a bit with Linux and for the most part found it easy enough to use. It did feel strange not using an antivirus solution with it though.

  28. I am both XP and Vista user.

    Every OS has pros and cons.

    UAC needs to be either improved or removed; it pops up when I’m installing applications, launching applications, accessing certain files and settings.

    Vista has beautiful graphics and new features, but it requires more RAM memory and faster CPU speed than XP.

    Nice article, anyway.

  29. Nice article, but in my opinion, any system, (be it an operating system or a bank vault) is only as secure as the users who have access. In other words, it doesn’t matter what security features are built into a system, if the users don’t take advantage of them. You made a valid point about malware, but again, it’s the user who allows an unauthorized program to install who is essentially at fault. This is almost always unintentional, but still, it’s the user’s responsibility to inform their IT department when they see anything unusual or suspicious happen on their workstation. I’ve been a Network Admin/Support Tech in a University environment for the past 9 years and in my experience, it’s always been a user error that was responsible for security breaches, whether from weak passwords, or inadvertently clicking on a pop-up when visiting a website, the user is almost always aware that something unusual just happened.

  30. Continuing from previous post (sorry. I clicked “Publish” prematurely) … the user is almost always aware that something unusual just happened, but failed to notify their IT Techs until much later, after the damage has already been done and it’s too late to do anything but pick up the pieces.

  31. These are some good points. However, a good administrator will lock down a system before they put it online. This can be done in XP, Vista and even older Win2000 and NT 4.0. Like the old adage, a chain is only as strong as the weakest link, the same goes with computers and the administrators who set them up.

  32. First of all I am against windows being used as an OS name. Once my grandma closed the windows when I asked someone to shut down the windows. Later everyone laughed at her.
    Second, Windows GUI is copied from Mac but till this date they have remained like copy guys and nowhere near to Mac Leopard even.
    Third is that selling OS by MS is against the philosophy, as it should be free or charged very nominal to home users or students. Application should be charged.
    Fourth, windows newer version is making RAM requirement grow and grow.
    Fifth, selling buggy software (which most of windows OS is) is unethical and they only release Service Pack after long time.
    Sixth, with all versions I still need to load anti-virus and slow down my machine.
    List is endless but one good point as I am honest. I prefer GUI of windows and application and driver compatibility of devices on MS OS.
    My M/C again infected by some malware.

  33. User Account Control (UAC) aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase in privilege level. So, what I understand is that it’s good to have but not that good to use it always.

  34. Only applications that the user trusts receive higher privileges, and malware should be kept from receiving the privileges necessary to compromise the operating system. I mean to say, a user account may have administrator privileges assigned to it, but applications that the user runs do not also have those privileges unless they are approved beforehand or the user explicitly authorizes it to have higher privileges.

  35. Differentiation of a superuser and userland has been common in mainframes and servers for decades. This had an obvious security component, but also an administrative component, in that it prevented users from accidentally changing system settings.

  36. I’ve heard about another new technology which is called User Interface Privilege Isolation, which is used in conjunction with UAC to isolate these processes from each other. One prominent use of this, I think, is the Internet Explorer 7’s “Protected Mode”.

  37. Microsoft home operating systems (such as Windows 95, Windows 98 and Windows Me) did not have a concept of different user accounts on the same machine. Windows NT introduced multiple user accounts, but in practice most users continued to operate as super user administrator for their normal operations. Worth a read anyway.

  38. I knew that when logging into Vista as a standard user, a logon session is created and a token containing only the most basic privileges is assigned. So, the new logon session is incapable of making changes that would affect the entire system. All I’m saying is that, when logging in as a user in the Administrators group, two separate tokens are assigned. Is this normal? Cheers for writing a good article.

  39. As I understand it, when an application requests higher privileges or “Run as administrator” is clicked, UAC will prompt for confirmation and, if consent is given, start the process using the unrestricted token.

  40. Common tasks, such as changing the time zone, do not require administrator privileges. Although changing the system time itself does, since the system time is commonly used in security protocols. A number of tasks that required administrator privileges in earlier versions of Windows, like installing critical Windows updates, no longer do so in Vista. You know, any program can be run as administrator by right-clicking its icon and clicking “Run as administrator”.

  41. UAC generally asks for credentials in a Secure Desktop mode, where the entire screen is temporarily darkened and Windows Aero disabled and only the authorization window is enlightened, to present only the elevation user interface (UI). This thing must happen to prevent spoofing of the UI or the mouse by the application requesting elevation. Good read.

  42. Applications written with the assumption that the user will be running with administrator privileges experienced problems in earlier versions of Windows when run from limited user accounts, often because they attempted to write to machine-wide or system directories (such as Program Files) or registry keys (notably HKLM). Nice article. Good job.

  43. There are a number of configurable UAC settings. I think it is possible to require administrators to re-enter their password for heightened security, require the user to press Ctrl+Alt+Del as part of the authentication process for heightened security & disable Admin Approval Mode (UAC prompts for administrators) entirely. You have made some valid points.

  44. Windows 7 should be here soon. Do you guys know the launch date? Another participant is coming to be added in your comparison.

  45. I was using Kaspersky internet security earlier & was satisfied by its performance. Though I’m now using Norton 2009 IS & it’s a very good software for protecting against malware & viruses, why should I take the risk? I use UAC & though it feels disturbing at times, I feel secured.

  46. hey guys
    I’m here just to say that everyone should wake up Vista GREAT I say that because when I bought my laptop and want to upgrade to Vista everybody told me ur system will crash and it didn’t and they told me XP faster then it’s not what’s bad in Vista that it’s slow but XP not faster Windows 7 will be GREAT that’s what I believe so take care guys

  47. Well written article. It brings up some very interesting points. I have turned my UAC off, but mainly out of habit for doing it for everyone else, but I think I may have to turn it back on for many reasons.

    Anyway, I hope to see more articles of yours circulating the blog circuit!

  48. I did learn something from reading this article, but I have used Windows since I started using a computer. At my age, I don’t think I will be changing. The article was informative, though.

  49. A very succinct and informative comparison of both OS’s in regards to security. As it has been pointed out in the article and a few of the responses, ultimately it is the user who holds the key to effective protection against malware, etc. There will never be an OS created that can compensate for ignorance.
    Nicely done.

  50. I grew up with Windows, and know how to work around its flaws. All OS’s have flaws, and the one you know how to work around best is the right one for you.

  51. I don’t know if this would count, but I happened to see your comment from my friend’s blog stating that one comment would help children with disabilities. This comment will not be relevant with the Microsoft thingy but I will post it anyway since I cannot seem to find the entry or the page where the children are shown. But anyway I hope this one would help, if there’s a need for me to be back and post a comment on a regular basis then I would be glad to do so. c”,)
