As for putting it online as a blog post, yeah, maybe not the best decision without further revision, but I decided to be lazy at this point in my life.

I totally agree with your assessment of the similarities between Windows and Linux – hell, they run on the same hardware architecture for goodness sakes (Linux can run Windows programs through wine, as an example). This is of course, something I know now and not then (originally written back in May 2008). I’ve had a few more “insightful” college courses and first hand experience since then.

IIS vs. Apache – my view right now is still biased towards Apache just because its really the most popular web server on the market. If properly configured, IIS and Apache both do their jobs security wise. IIS had some bumps back in version 5, but 6 and 7 have shipped out as great products, no questions about it. However, I’m still getting the same kind of security from a properly configured Apache server (including any regular bugfixes), so I’m sticking with free . Fortune 500 companies have the money; they can use it to buy up some Oracle databases along with Server 2008 for all I care.

Now, as for actual OSes, I won’t pretend to actually know the inner workings of everything (kernel and such), as I’ve only played around with a little assembly and C to work with it. However, based on the articles I’ve read (and the conclusions that I academically drew up from them at that point), Linux is (or at one point was in comparison to Windows) more securely “built” (in regards to fundemental concepts and designs, such as modularity within the kernel itself (it was NOT monolithic) http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/#modular).

As for ignorant blog entries; I live and I learn. I’ve got an old Linux paper I did back in high school – it hurts for me to read through it now, but I keep it up for archival purposes.

“It’s my website, I do stuff to it that I find interesting.” It might not be accurate information, it might not even be useful. I didn’t publish any of these things into a journal; this is just my little portable time capsule in a way. I don’t expect you to agree, but I do appreciate your corrections and your insight! I really did learn a few things just from your comment. Thanks!

Alex

http://milw0rm.com/search.php?dong=iis%206&Submit=Submit (there’s nothing on 7 and 5 is extremely outdated), one on IIS6

http://milw0rm.com/search.php?dong=apache&Submit=Submit
Now, have a look at your pet server’s security history! Awful in comparison the bugs in the core web server IIS (i.e. not in a language which renders pages like PHP/ASP, because then we’re not talking Web Server anymore)!

What about searching for only IIS? Then we get many more results, but look at them! While most of the apache stuff is in core components of the server, the iis ones are lots of duplicated reports (half), in IIS5 which isn’t really being used at all anymore and in custom corporate plugins.

You can’t compare a web server with an operating system, there’s an ocean of complexity in between, you loller!

Now, I’m not saying anything about the rest of your points, but I can assure you that with a monolithic kernel like linux’s you’ll have the same problems as you have in Windows, had the OS been equally much used; with UAC Windows got su/sudo, as well. The fact that both OSes would fare similar under similar circumstances is further cemented by the fact that the actual (hardened) operating system wouldn’t just allow lots of exploits to take place if its updated, but many of the bugs being fixed are in xml-parsing libs, internet explorer and third party programs. You notice this because another statistic that’s interesting is that in the furtune 500 companies, IIS is the more common web server.

Anyway, go write some more ignorant blog entries now.