Windows servers are lower risk than Linux servers
In December 2006, data was collected and analysed from Secunia, a leading independent source of vulnerability intelligence.
The information compared the security of Red Hat Enterprise Linux ES 3, Red Hat Enterprise Linux ES 4 and Microsoft Windows Server 2003 Enterprise Edition.
Different aspects of operating system security, such as number of vulnerabilities and the time to resolve them, were analysed as indicators of security for each operating system.
For each vulnerability, data on start and patch dates were collected from all security bulletins and announcements under all CVE references associated by Secunia with that vulnerability.
Figure 1: Total vulnerabilities for Windows Server 2003, Red Hat ES 3 and Red Hat ES 4

Figure 1 shows that Windows Server 2003 was released with fewer initial vulnerabilities than either Red Hat ES 3 or Red Hat ES 4, and has had far fewer total vulnerabilities throughout the product lifecycle.
Upon release, one vulnerability was identified for Windows Server 2003, compared to 27 for Red Hat ES 4 and eight for Red Hat ES 3.
At the time of this analysis, Windows Server 2003 had 110 identified vulnerabilities, Red Hat ES 4 had 241, and Red Hat ES 3 had 320.
Windows Server 2003 has fewer than half the vulnerabilities of either version of Red Hat, despite being available for twice as long as Red Hat ES 4 and six months longer than Red Hat ES 3.
Conclusion
Windows Server 2003 is consistently lower risk than Red Hat ES 3 or Red Hat ES 4. Windows Server 2003 has fewer total vulnerabilities, which means users have fewer patching events to respond to. The first high-criticality vulnerability was not identified until over two years after release, and on average Windows Server 2003 has fewer unpatched vulnerabilities per day.
