Date: Sun, 20 May 2007 20:09:19 -0400
From: "Tamouh H." <hakmi@rogers.com>
To: "'Ted Mittelstaedt'" <tedm@toybox.placo.com>, "'Kevin Kinsey'" <kdk@daleco.biz>, "'Anton Galitch'" <anton.galitch@gmail.com>
Cc: questions@freebsd.org
Subject: RE: just general questions about fbsd
Message-ID: <1a9901c79b3c$4774abc0$6600a8c0@tamouh>
In-Reply-To: <BMEDLGAENEKCJFGODFOCCEBHCAAA.tedm@toybox.placo.com>
References: <20070520221917.GA91736@ezekiel.daleco.biz> <BMEDLGAENEKCJFGODFOCCEBHCAAA.tedm@toybox.placo.com>

> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Kevin Kinsey
> > Sent: Sunday, May 20, 2007 3:19 PM
> > To: Anton Galitch
> > Cc: questions@freebsd.org
> > Subject: Re: just general questions about fbsd
> >
> > Anton Galitch wrote:
> > > Hi
> > > I'm writing an article about FreeBSD and want to ask some few questions:
> > >
> > > - What advanced features it has that for example Windows, or MacOS
> > > don't have?
> >
>
> Windows, even the server versions of Windows, are fundamentally
> desktop software operating systems that are at times pressed into
> being servers.
>
> FreeBSD and the other UNIXES are fundamentally server operating
> systems that are at times pressed into being desktops.
>
> Remember, UNIX came out of the multiuser environment, where you had
> a lot of people connected via dumb ASCII terminals to a single
> mainframe. From the beginning, concepts like reentrant code, and
> separation of user authority, have been ingrained in it.
>
> Consider for example the extreme difficulty that Microsoft has had
> with the simple concept of a "superuser". A superuser is, as you may
> know, a userID on the system that has authority to do anything,
> change anything, and that the normal security mechanisms do not
> apply to. Under UNIX this is the "root" user ID.
>
> Well, with Windows, in the Win 3.1/win95/win98/winME series, anyone
> who booted the Windows system was automatically the superuser. This
> causes a lot of problems as you might imagine with programs, as if a
> program has a bug or goes out of control somehow, since the user it
> is running under has no security, the program can destroy anything
> on the system.
>
> With UNIX, normally, programs are not run under the superuser ID,
> they are run under a normal user ID. Thus programs cannot normally
> damage the system. Microsoft observed the value of this paradigm
> and so put it into Windows NT - although, under NT, they called the
> superuser "the administrative user" most likely, because they didn't
> want anyone to realize they were just copying how UNIX does things.
> But, "administrator" under Windows, and "root" under UNIX are
> essentially the same thing.
>
> The problem, though, is that because the concept of the superuser ID
> was grafted onto Windows, if you set up Windows so that when it
> boots, a person logs into it as a regular user, they have a lot of
> problems. They cannot install software, they cannot run a lot of
> different network software, they cannot make changes in simple
> things like the screen resolution, and so on. Both Windows NT and
> Windows 2K were set up by Microsoft out of the box like this - when
> you installed them, you had to tell them a regular userID and an
> administrator userID. But, due to the problems, Microsoft went to a
> model in both Windows XP and Windows Vista, where when you install
> and set it up, BY DEFAULT, you are put in as a superuser
> (administrator).
>
> This saves Microsoft a lot of support calls from people calling in
> demanding to know why the Windows OS won't let them do simple things
> like change screen resolution - but, it completely defeats the
> security in Windows, and makes even the most modern Windows no
> better than Windows 3.1 in terms of security.
>
> This I think is one of the best illustrations of the different
> approaches of Windows and UNIX. With a server, since a lot of people
> are affected if an errant program crashes it, the security is never
> disabled by default, and the installer must deliberately choose to
> do it. With a desktop, nobody is really affected if it crashes
> except for 1 person, so since usability is more important than
> security, by default this is why security in Windows Vista is
> subverted this way, out of the box.
>
> There are a very great many people out there walking around who have
> set up Windows systems as servers, and not understood this, and as a
> result, caused their company to lose hundreds if not thousands of
> dollars of time and labor due to the Windows server crashing as a
> result of a virus knocking it down. A virus, I will say, that IF the
> Windows security had been properly enabled, would NOT have been able
> to take the Windows server down.
>
> Ted

Not to change this to a Windows vs Unix thread. But I think they are two different ball games. I work with both servers and have seen advantages/disadvantages in both security and non-security related.

The SYSTEM user is considered to be the superuser on Windows. This is why many malicious codes that exploit a high risk vulnerability in OS automatically grant their application a service or run it as a system process.

On the other hand, Windows has the ability to change the administrator user or completely disable it. Something not available in Unix systems. For example, a cracker or hacker targeting a UNIX system will automatically try to compromise the "root" user. It is 100% guaranteed to be there. On the other hand in Windows, good sys admins will rename or completely disable the administrator user hence making it more difficult to know the administrator user.

Anyway, this is an opinionated subject. FBSD is great in many aspects. We use it because it is freely available, has great community support, doesn't need much rebooting once installed and is fairly quick to backup/restore.