
Comparisons between the Microsoft Windows and Linux computer operating systems are a long-running discussion topic within the personal computer industry.[citation needed] Throughout the entire period from the Windows 9x systems to the introduction of Windows 7, Windows has retained an extremely large retail sales majority among operating systems for personal desktop use, while Linux has sustained its status as the most prominent Free Software and Open Source operating system. Both operating systems are present on servers, embedded systems, mobile internet devices and supercomputers. Linux and Microsoft Windows differ in philosophy, cost, versatility and stability, with each seeking to improve in its perceived weaker areas. Comparisons of the two operating systems tend to reflect their origins, historic user bases and distribution models. Typical perceived weaknesses regularly cited have often included poor consumer familiarity with Linux, and Microsoft Windows' susceptibility to viruses and malware.[1][2]


Total cost of ownership


See also: Studies related to Microsoft

In 2004, Microsoft launched a marketing campaign, "Get the Facts", to encourage users to switch from Linux to its Windows Server System. Microsoft claims that its products have an overall lower total cost of ownership than open source programs because of their ease of use, resulting in less work and lower staff costs.[3] However, a variety of Linux supporters, companies and organizations, notably the Linux distributor Novell, which produces SUSE Enterprise Linux, and the tech news outlet The Register, dispute Microsoft's figures.[4][5][6][7] One argument supporting the cost-effectiveness of Linux is that although Linux administrators are usually paid somewhat higher salaries than Windows administrators, a competent Linux administrator can take care of more computers than a Windows administrator can. A study conducted by Chad Robinson, senior research analyst at the tech/business researcher Robert Frances Group, supports this view.[8][9] In 2004, the UK's Advertising Standards Authority (ASA) warned Microsoft that an advertisement using research that claimed "Linux was [...] 10 times more expensive than Windows Server 2003" was "misleading", as the hardware chosen for the Linux server was needlessly expensive. The ASA concluded that the comparison was misleading because the operating systems ran on different hardware.[10]

Real world experience


The German Foreign Office said that the cost of open source desktop maintenance is by far the lowest it has experienced.[11] The French Gendarmerie reported saving millions on licence fees by switching to Linux desktops from Windows XP, following the success of its OpenOffice.org rollouts.[12] On the other hand, the project to switch Munich's governmental IT infrastructure from Microsoft-based to open-source software, called LiMux, had problems finishing all of its objectives successfully. Started in 2003 with the aim of switching 100% of 14,000 PCs to an open-source solution, the project was funded with 35 million euros, approximately what a Microsoft solution would have cost. Even though more than 80% of workstations used OpenOffice and 100% used Firefox/Thunderbird five years later (November 2008),[13] Linux itself had reached an adoption rate of only 20.0% by June 2010.[14][15]

Market share


See also: Usage share of desktop operating systems

The market share of Linux or Microsoft Windows is difficult to determine, as users of the former are usually not required to register with any organization to use their copies; additionally, a large number of unlicensed (illegal) copies of Windows exist. The following desktop usage share data is estimated from web browser user agent strings rather than from actual sales information or detailed surveys. This is highly unreliable for many reasons, including but not limited to web browsers that do not always provide accurate information to web servers[citation needed], and selection bias: different websites attract different audiences that may be more prone to using one operating system or another. Also, desktop computers used for other tasks will be given a lower weight than computers mostly used for web-surfing. Microsoft's own numbers for Linux share are higher.[16]

Estimated desktop usage share
  Windows: 82.47% (median of the sources analysed in this page)[original research?]
  Linux: 2.41% (median of the sources analysed in this page)[original research?]
  Notes: Web client data. See the source page for caveats for using web client data to estimate OS market share.

Preinstallation
  Windows: Pre-installed by default on almost all new desktop PCs.
  Linux: Pre-installed by default on very few new desktop PCs. Among these are all System76 computers, some Dell computers and some Lenovo ThinkPads.[17][18]

Server market share
  Windows: 73.9% (officially registered)[19]
  Linux: 21.2% (officially registered)[19]
  Notes: Fourth quarter, 2009

Top 500 supercomputer operating system family share
  Windows: 1.2% (6 of 500)
  Linux: 91.2% (456 of 500); the 14 fastest supercomputers run Linux[20]
  Notes: November 2010.[20] The Linux figure does not include 14 computers (2.8%) identified as running "CNK/SLES 9".[20][21]

User interface


Graphical user interface
  Windows: The Windows Shell. The window manager is the Desktop Window Manager on Windows Vista, and a stacking window manager built on top of GDI in older versions. The desktop environment may be modified by a variety of third party products such as WindowBlinds, or completely replaced, for example by Blackbox for Windows or LiteStep. With Windows Server 2008 and later server releases, there is also the option of running "Server Core", which lacks the standard window manager.[22] The graphics drivers, subsystem and core widgets are included with all installations, including those used as servers.
  Linux: [Image: The KDE Plasma Desktop] A number of desktop environments are available, of which GNOME and KDE are the most widely used. By default, they use the Metacity and KWin window managers respectively, though these can be replaced by other window managers, such as Compiz Fusion. Other desktop environments and window managers include Xfce, LXDE, Enlightenment, Xmonad, Openbox, Fluxbox, etc. The X Window System runs in user space and is optional.[23] Multiple X Window System instances can run at once, and it is a fully networked protocol. (See also: Comparison of X Window System desktop environments.) The Wayland display server protocol is being developed to improve graphics performance[24] and move beyond the X Window System (also referred to as "X" or "X11"), with the intention of replacing X as the native display server.[25]

Command line interface
  Windows: [Image: A sample Windows PowerShell session] The Command Prompt exists to provide direct communication between the user and the operating system. A .NET-based command line environment called Windows PowerShell has been developed. It differs from Unix/Linux shells in that, rather than using byte streams, the PowerShell pipeline is an object pipeline; that is, the data passed between cmdlets are fully typed objects. When data is piped as objects, the elements they encapsulate retain their structure and types across cmdlets, without the need for any serialization or explicit parsing of the stream. Cygwin, MinGW, or Microsoft's own Services for Unix provide a shell terminal for Windows.[26] A POSIX subsystem is built in but not enabled by default. The console can execute up to four kinds of environment: MS-DOS scripts under NT or via Command.com running on NTVDM, NT shell scripts and OS/2 console scripts. Windows Script Host is included in Windows 98 and newer versions.
  Linux: [Image: A sample Bash session] Linux is strongly integrated with the system console. The command line can be used to recover the system if the graphics subsystem fails.[27][28] A large number of Unix shells exist, with the majority being "Bourne shell compatible". The most widely used is GNU Bash. Alternatives include the feature-rich Z shell as well as shells based on the syntax of other programming languages, such as the C shell and Perl Shell. Many applications can be scripted through the system console.[29] There are many small and specialized utilities available that are designed to work together and integrate with other programs. This is called the toolbox principle.[citation needed]
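The toolbox principle described above, as an added example that is not part of the article: several single-purpose utilities chained through byte-stream pipes to answer a question a defender actually asks, namely which source addresses produced the most failed logins. The log lines in SAMPLE_LOG are constructed for this example in the shape of OpenSSH authentication messages; they are not real data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): the "toolbox principle" in practice.
# Each stage in the pipeline is a separate small program that knows nothing
# about the others; they cooperate only through the text stream between them.
# SAMPLE_LOG is constructed for the example and mimics OpenSSH auth log lines.

SAMPLE_LOG='Mar  1 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 51012 ssh2
Mar  1 10:00:02 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 51013 ssh2
Mar  1 10:00:03 host sshd[103]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  1 10:00:04 host sshd[104]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:05 host sshd[105]: Failed password for root from 203.0.113.5 port 51014 ssh2
Mar  1 10:00:06 host sshd[106]: Failed password for root from 192.0.2.9 port 22222 ssh2
Mar  1 10:00:07 host sshd[107]: Failed password for alice from 198.51.100.7 port 40002 ssh2'

# failed_logins_by_source: read log text on stdin, print "count address"
# lines ordered by descending count.
#   grep     keeps only the failed-password lines
#   sed      extracts the address between "from " and " port"
#   sort     groups identical addresses so that
#   uniq -c  can count each run
#   sort -rn orders the counts, and awk normalises uniq's padding
failed_logins_by_source() {
    grep 'Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort \
    | uniq -c \
    | sort -rn \
    | awk '{ print $1, $2 }'
}

# top_offender: the single busiest address, for use by another script.
# Same pipeline, extended with two more small tools rather than rewritten.
top_offender() {
    failed_logins_by_source | head -n 1 | awk '{ print $2 }'
}

# Usage: feed the constructed sample in.  On a real host the equivalent is
#   grep sshd /var/log/auth.log | failed_logins_by_source
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source
```

Because every stage reads and writes plain text, any one of them can be swapped (for example, `sort | uniq -c` for an `awk` histogram) without touching the others; that interchangeability, rather than any one tool, is the point of the principle.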

Installation and Live environments


Ease of installation
  Windows: On Windows Server 2003 and prior, the installation is divided into two stages: the first text-mode, the second graphical.[30] On Windows Vista and newer, the installation is single-stage and graphical. Some older versions require third party drivers (for example, by using driver floppy disks or slipstreaming the drivers and creating a new installation CD) if using a large number of SATA or SATA2 drives or RAID arrays.[31]
  Linux: Varies greatly by distribution. Most distributions intended for new or intermediate users provide simple graphical installers. General purpose distributions offer a live CD or GUI installer (openSUSE, Debian, Pardus, PCLinuxOS, Mandriva, Ubuntu, Fedora etc.), others offer a menu-driven installer (Slackware, Debian), while others, targeting more specialized groups, require source to be copied and compiled (Gentoo). The system can also be built completely from scratch, directly from source code (Linux from Scratch).

Supported architectures
  Windows: Windows: i386, x86-64 and IA-64 (IA-64 is Windows Server only). Windows Embedded: i386, x86-64, PowerPC, ARM, MIPS, SuperH.[32] Windows Mobile: ARM.
  Linux: i386, x86-64, PowerPC 32/64, SPARC, DEC Alpha, ARM, MIPS, PA-RISC, S390, IA-64, SuperH and m68k.

Device drivers
  Windows: The Windows installation media usually contains enough drivers to make the operating system functional. Windows uses class drivers to provide basic functionality such as network connection, display/screen and input devices. Modern Windows versions allow the user to update the drivers, if available, from Windows Update once a network connection is available. Drivers can usually also be upgraded directly from the manufacturer. Drivers are almost always closed-source, maintained and published by the manufacturer of their respective devices. Best hardware performance in Windows is gained from installing the latest device drivers, once the devices are correctly identified.[33][34] 64-bit Windows requires all kernel mode drivers to be signed[35][36] using a certificate issued by a trusted certificate authority. Signed drivers do not need approval from Microsoft. However, Microsoft does maintain a blacklist of certificates which are actively rejected. This has been used to block generic drivers which were being used to circumvent the signing requirement.[37]
  Linux: Linux kernels in most distributions include the majority of drivers available as modules. They are loaded at boot without user interaction. Most drivers are included in the kernel source tree; however, there are several manufacturers which distribute proprietary drivers. The latter are usually packaged separately from the kernel and usually automatically installed on the user's request.[38]

Hardware changes
  Windows: Windows Vista and later (Server 2008 and later for servers) detect which hardware abstraction layer (HAL) should be used at boot time.[39] If moving an existing installation of Windows into a new computer or changing the motherboard or other basic hardware components, Windows will adapt to the changes during the boot process.[40] Subsequently, Windows will automatically install drivers distributed with Windows, or the user can manually install drivers if available from Windows Update. Some drivers will need to be downloaded and installed by the user, once the user has correctly identified the brand and model of each hardware device which has no driver installed. Windows may require reactivation, depending on the number and nature of hardware changes. Windows maintains backwards compatibility with drivers back to Windows NT4,[41] although some functions such as power-saving that were not available at the time will not be supported when running the device under a legacy driver.
  Linux: If moving an existing installation of Linux into a new computer or changing the motherboard or other hardware components, Linux will detect and activate the new supported hardware with little or no further intervention required.[citation needed]

Installation via live environments
  Windows: May be installed through the Windows Preinstallation Environment or BartPE, but only the former is endorsed by Microsoft. The live environment does not allow normal use; it only facilitates the installation process.
  Linux: Almost all Linux distributions now have a live CD that may be used for testing, installation or recovery. All features of the operating system can be used and tested in this mode, and saving of files and settings is often possible if run from rewritable media such as a USB drive.[42]

Operation via live environments
  Windows: The Windows Preinstallation Environment is currently available from Microsoft and can be used as a live CD, but is very limited and not intended for general usage. Windows 8 is expected to be able to run from USB drives; see Windows To Go.
  Linux: Nearly all Linux distributions can run from a live CD/DVD and live USB.

Pre-installed software
  Windows: Some multimedia and home use software such as IE, Windows Media Center, Windows Mail, Notepad and Paint, depending on which edition is purchased, plus OEM bundled software if Windows is purchased pre-installed on a machine. Office suites or advanced multimedia software are not included. As Microsoft has licensed decoders for a number of patented audio and video coding methods, Windows is able to play a number of patented formats by default. Nevertheless, Microsoft's methods of bundling software were deemed illegal in the case United States v. Microsoft.[43]
  Linux: Most home-use distributions contain numerous programs: almost all are packaged with an internet browser (almost invariably Firefox), and a GNOME or KDE suite of programs including text editors, e-mail clients, instant messaging apps and media players. Some distributions specialize in areas such as education, security or multimedia editing, and so contain specialist free software to meet their users' more specific requirements. Some lightweight distributions intentionally feature as little software as possible, though most home distributions simply aim to fit on a standard 700MB CD. Most distributions also give users the choice of which bundled programs to install, if any, alongside the core operating system components.

Not preinstalled software
  Windows: A massive pool of both proprietary software (including shareware and freeware) and free software. Programs usually come with the required libraries and are normally installed easily. Most programs must be individually installed. Uninstallation can be of varying difficulty depending on which of many installer methods were used; components and registry entries may be left behind. Windows has a built-in installer program, and software that is to be installed has an installer "wrapper" that interfaces with the Windows Installer to accomplish installation. Not all Windows software uses the install manager.
  Linux: Free software and some proprietary software covering a wide range of uses. Most primary applications such as office suites are available for free.[44] Using free Windows-compatibility layers like Wine, some Windows software can also be run on Linux. Third-party software is usually listed/integrated into a packaging system, which is built into the operating system. Less popular programs, not available in a distribution's core software repositories, are often available by installing packages from outside the repositories. Some examples of this are the Debian-based DEB format and the Red Hat-based RPM (RPM Package Manager) format, both of which can be installed easily by the package manager. In the rare case that no precompiled package exists, programs can generally be compiled from the source code. Most software is installed non-interactively to a default configuration. Linux distributions cannot lawfully include MP3 or MPEG-4 file decoders in a minority of countries, as it would violate the Patent Cooperation Treaty. The system does not prevent a user from installing these decoders; however, the user assumes all liability for installing said pieces of software.[45] In particular with the MP3 file format, many companies claim patents relevant to the format. See Patent issues with MP3 for more information.

Partitioning
  Windows: Expanding NTFS partitions is possible without problems, and on Vista it is possible to shrink partitions as well. Dynamic Disks provide dynamic partitioning. Third party tools are available that have more features than the built-in partitioning tools.
  Linux: Most file systems support resizing partitions without losing data. LVM provides dynamic partitioning. All Linux distributions have bundled partitioning software such as fdisk or gparted.

File systems
  Windows: Natively supported: NTFS, FAT, ISO 9660, UDF and others; 3rd-party drivers are available for ext2,[46] reiserfs,[47] HFS and the Dokan (a FUSE equivalent) user-space filesystem, which allows user-space programs to mount drives.
  Linux: Supported: ext2, ext3, ext4, ReiserFS, FAT, ISO 9660, UDF, NFS, NTFS, JFS, XFS, Minix and GmailFS. Archives and FTP sites can also be mounted as filesystems. The FUSE project (Filesystem in Userspace) has long been part of the Linux kernel, and allows programs to create filesystem mounts while running in user space.

Boot loader
  Windows: May boot to multiple versions of Windows through the Windows Boot Manager in Windows Vista and newer, or the earlier boot loader NTLDR in Windows Server 2003 and prior. Graphical configuration tools are available for both, such as the 3rd party EasyBCD for the Windows Boot Manager and MSConfig for NTLDR, which can chain load multiple non-NT environments, including Linux, by referring to volume boot records from those environments saved on the Windows partition.[48] Windows overwrites the Master Boot Record on installation by default, thus rendering other non-Windows installations (e.g. Linux) unusable until fixed.[49]
  Linux: May boot to multiple operating systems through numerous bootloaders such as LILO and GRUB. With these, it is possible to choose among multiple installed kernel images at boot time. Graphical configuration tools for GRUB are available.[50][51] GRUB can also accept arbitrary, one-time configurations at boot time via the GRUB prompt. GRUB and LILO also support booting to non-Unix operating systems via chain loading; for a Windows and Linux dual-boot system, it is often easiest to install Windows first and then Linux, because almost all Linux installers will automatically detect and set up other operating systems for dual/multiple boot with Linux.[52]

Accessibility and usability


User focus
  Windows: Microsoft pushes for consistency between releases with guidelines for interface design.[53] Their focus is on interface consistency and usability.[attribution needed]
  Linux: The interface is usually consistent within the desktop environment used[attribution needed], which follows its own interface guidelines.[54][55] A high degree of customizability is provided in order to adapt to the needs of the user.[citation needed] Some inconsistencies may appear when using programs targeted at different desktop environments.[attribution needed] There are other environments/window managers, usually targeting professionals or minimalist users, featuring some very powerful programs with rudimentary, minimalist graphical front-ends, focusing much more on performance, small size and safety.[attribution needed] WindowMaker and the Fluxbox/Openbox/Blackbox environments are such examples. Some other environments fit between the two models, giving both power, eye candy and simplicity[attribution needed] (Enlightenment/E17, Xfce). Some graphical environments are targeted at mouse users only (Fluxbox), others at keyboard users only (Ratpoison), others at either. Certain graphical environments are also designed to be as resource-conservative as possible, so as to run on older machines.[citation needed] Newer distribution versions generally maintain the same user focus.[attribution needed]

Customization
  Windows: By default, Windows offers customization of the size and color of the graphical elements, and it is typically not possible to change how the interface reacts to user input.[citation needed] A few third-party programs allow more extensive customization, like WindowBlinds or LiteStep, but extreme changes are usually out of reach. It is not possible to customize applications that do not use the default look-and-feel beyond the options the specific application offers.
  Linux: Linux offers several user interfaces to choose from. Different environments and window managers offer various levels of customizability, ranging from colors and size to user input, actions and display.

Accessibility
  Both Windows and Linux offer accessibility options,[56][57][58] such as high contrast displays and larger text/icon size, text to speech and magnifiers. Windows Vista and later have built-in speech recognition.[59][60] Windows speech recognition allows both voice command control of the operating system shell and applications, as well as free text dictation within text editors / word processors.

Stability
For an operating system to be subjectively stable, numerous components must operate synchronously. Not all of these components are under the control of the operating system vendor. For example, malfunctioning or broken hardware can cause the operating system to fail to operate properly. Likewise, poorly written device drivers can completely crash the system, since both Linux and Windows utilize aspects of a monolithic kernel. The same is true for misconfigured applications which use operating system utilities in unexpected ways.

Much of stability, then, is the extent to which the operating system is structured to thwart the consequences of bad behavior by third party installations. There are other factors outside of the operating system's control which can cause the operating system to malfunction or refuse to install,[61] such as incorrect BIOS settings, incorrectly performed overclocking, hardware overheating as a result of poor cooling or blocked cooling mechanisms, mismatched or incorrect RAM modules, and voltage spikes caused by not using a surge protector.

General stability
  Windows: Windows operating systems based on the NT kernel (including all currently supported versions of desktop Windows) are technically much more stable than some older versions (including Windows 3.1 and 95/98), as these older versions do not properly protect the kernel's data structures. Installing unsigned or beta drivers can lead to decreased system stability (see below).
  Linux: There are several levels of indirection, since all applications are separated from the graphic subsystem (X Server), which itself is detached from the Linux kernel.[27][28] As a result of that, and because most device drivers are integral parts of the Linux kernel, it almost never crashes.[verification needed] The graphic subsystem can only fail if the application is using it in undocumented ways.[citation needed] Even in that case, it can be easily restarted without a system reboot.[44]

Device driver stability
  Windows: Device drivers are provided by Microsoft or written by the hardware manufacturer. Microsoft also runs a certification program, WHQL Testing, through which most drivers are digitally signed by Microsoft as compatible with the operating system, especially on 64-bit versions.
  Linux: Some vendors contribute to free drivers (Intel, HP, etc.) or provide proprietary drivers (Nvidia, ATI, etc.). Unlike Windows, however, kernel developers and hobbyists write many or most device drivers; in these drivers, any developer is potentially able to fix stability issues and other bugs. This generally seems to result in faster response to reported bugs and more stable systems.[62][verification needed] Kernel developers do not support the use of drivers that are not open-source, since only the manufacturer can fix stability issues in closed-source drivers.[63]

Graphics driver fault tolerance
  Windows: Windows (since Vista) uses the Windows Display Driver Model, which features enhanced fault tolerance. The stability is derived from splitting the driver into two components: a small kernel mode driver and a user mode driver which does most of the intensive graphics calculations.[64] A fault in the user mode component may cause the driver to reset (flicker), but will not affect running programs or their screen representations.[65][66]
  Linux: The display driver is entirely in kernel space. A fault in the driver will freeze or terminate all current programs. If the fault did not lead to kernel memory corruption, the graphics system may be manually re-initialized by terminating and restarting the X server process from a local or remote console. Restarting X will cause all GUI processes to terminate.[67] This pertains to the X Window System, which is gradually being superseded by Wayland in Linux distributions such as Ubuntu,[68] Fedora[69] etc.

Downtime
  Windows: Reboots are usually required after system and driver updates. Microsoft has its hotpatching[70] technology, designed to reduce downtime.
  Linux: Linux itself needs to restart only for kernel updates.[71] However, a special utility can be used to load the new kernel and execute it without a hardware reset (kexec), and hence the system can stay up for years without a single hardware reboot, almost eliminating downtime. For minor updates such as security fixes, Ksplice allows the Linux kernel to be patched without a reboot. System libraries, services and applications can mostly be upgraded without restarting running software (old instances keep using the "replaced" versions).

Recovery
  Windows: In modern, NT-based versions of Windows, programs that crash may be forcibly ended through the Windows Task Manager by pressing CTRL+SHIFT+ESC or CTRL+ALT+DEL. If Windows fails to boot properly, it is possible to boot to safe mode in order to recover the system. Also, for Windows 2000, XP and 2003 the Recovery Console can be utilized, which was replaced in Windows Vista with the System Recovery Options menu.[72]
  Linux: All processes except for init and those in D or Z state may be terminated from the command line. Applications can be closed via the GUI. The optional SysRq allows low-level system manipulation and crash recovery. The entire graphical subsystem can be restarted without the need for a whole system shutdown. Reboots are seldom required. When necessary, users can press CTRL+ALT+BACKSPACE (on most distributions) to log out immediately and recover from almost any crash without a reboot.[73][74] The command line can be accessed immediately to terminate a program if the user is unable to do so with the GUI (e.g. if a full screen game freezes). Pressing Ctrl+Alt+F1 switches to the full screen text terminal, where the user can terminate the program and then restore the GUI by pressing Ctrl+Alt+F7. In the default setup, six different text terminals (tty) are available with the key combinations Ctrl+Alt+F1 to Ctrl+Alt+F6 inclusive.[75] Recovery mode allows the user to fix problems at boot time; for example, Ubuntu offers the recovery mode from the GRUB boot loader options.[76] Additionally, Linux live CDs, if equipped with the correct tools, can be used to repair a broken operating system if the hard drive is mountable. See: List of rescue and repair live CDs.

Unrecoverable errors
  Windows: If the kernel or a driver running in kernel mode encounters an error under circumstances whereby Windows cannot continue to operate safely, a "bug check" (colloquially known as a "stop error" or "Blue Screen of Death") is thrown. A memory dump is created and, depending on the configuration, the computer may then automatically restart. Additionally, automatic restart can be applied to services.
  Linux: The Unix equivalent of the Windows blue screen is known as a kernel panic. The kernel routines that handle panics are usually designed to output an error message to the console, create a memory dump, and then either halt the system or restart automatically.
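The recovery row states that every process except init and those in D or Z state can be terminated from the command line. The following is an added example, not part of the article, showing how an operator at one of those text terminals would find out which processes fall into that unkillable set before reaching for kill(1). The lines in SAMPLE_STAT are constructed for this example in the /proc/[pid]/stat layout documented in proc(5) (pid, comm in parentheses, one-letter state, parent pid, then numeric fields); the function names are this example's own. The parser handles the classic pitfall of that format, a comm field that itself contains spaces or parentheses.

```shell
#!/bin/sh
# Added example (not from the article): classify processes by /proc stat state.
# SAMPLE_STAT is constructed; on a real Linux host the equivalent input is
#   cat /proc/[0-9]*/stat
# Fields follow proc(5): pid (comm) state ppid ...  The comm field may contain
# spaces and parentheses, so the parser anchors on the LAST ") " that is
# followed by a single state letter and a numeric ppid, not on the first ")".

SAMPLE_STAT='1 (init) S 0 1 1 0 -1 4194560 12345
4321 (kworker/u8:3) I 2 0 0 0 -1 69238880 0
4999 (sshd) S 1 4999 4999 0 -1 4194560 900
5001 (bash) S 4999 5001 5001 34816 5200 4194560 2000
5120 (nfs flush) D 1 5120 5120 0 -1 4194560 0
5200 (my (odd) game) Z 5001 5200 5200 34816 5200 4227084 0
5300 (xterm) S 1 5300 5300 0 -1 4194560 1500'

# proc_states: stat lines on stdin -> "pid state ppid comm" per line.
# The greedy \(.*\) stretches to the last ") <letter> <digits> " so a comm
# such as "my (odd) game" is returned intact.
proc_states() {
    sed -n 's/^\([0-9][0-9]*\) (\(.*\)) \([A-Za-z]\) \([0-9][0-9]*\) .*/\1 \3 \4 \2/p'
}

# not_terminable: the processes the article says cannot be ended from the
# command line: PID 1 (init), D (uninterruptible sleep: it must first return
# from the I/O it is blocked in) and Z (zombie: already exited, only its entry
# remains until the parent reaps it).  For a zombie the actionable process is
# the parent, so the parent pid is printed with each entry.
not_terminable() {
    proc_states | awk '$1 == 1 || $2 == "D" || $2 == "Z" { print $1, $2, "parent=" $3 }'
}

# killable_pids: everything else can be sent a signal with kill(1);
# returned as one space-separated line for use in a further command.
killable_pids() {
    proc_states | awk '$1 != 1 && $2 != "D" && $2 != "Z" { print $1 }' \
    | tr '\n' ' ' | sed 's/ $//'
}

# Usage with the constructed sample; on a live system pipe the real stat files in.
printf '%s\n' "$SAMPLE_STAT" | not_terminable
```

A zombie in the output is a hint that its parent has stopped reaping children; the remedy is to signal or restart the parent, which is why the parent pid is reported rather than the zombie alone.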

Performance
Process scheduling
  Windows: NT-based versions of Windows use a CPU scheduler based on a multilevel feedback queue, with 32 priority levels defined. The kernel may change the priority level of a thread depending on its I/O and CPU usage and whether it is interactive (i.e. accepts and responds to input from the user), raising the priority of interactive and I/O-bound processes and lowering that of CPU-bound processes, to increase the responsiveness of interactive applications.[77] The scheduler was modified in Windows Vista to use the cycle counter register of modern processors to keep track of exactly how many CPU cycles a thread has executed, rather than just using an interval-timer interrupt routine.[78]
  Linux: Linux kernel 2.6 once used a scheduling algorithm favoring interactive processes. Here "interactive" is defined as a process that has short bursts of CPU usage rather than long ones. It is said that a process without root privilege can take advantage of this to monopolize the CPU[79] when the CPU time accounting precision is low. However, the Completely Fair Scheduler, now the standard scheduler, addresses this problem.

Memory management / disk paging
  Windows: The Windows NT family (including 2000, XP, Vista, Win7) most commonly employs a dynamically allocated pagefile for memory management. A pagefile is allocated on disk for less frequently accessed objects in memory, leaving more RAM available to actively used objects. This scheme suffers from slow-downs due to disk fragmentation[citation needed] (if a variable size paging file is specified), which hampers the speed at which the objects can be brought back into memory when they are needed. Windows XP and later can defragment the pagefile and, on NTFS filesystems, intelligently allocate blocks to avoid this problem. Windows can be configured to place the pagefile on a separate disk or partition.[80][self-published source?] However, this is not the default behavior, because[citation needed] if the pagefile is on a separate partition, then Windows cannot create a memory dump in the event of a Stop Error.[81] Microsoft does not recommend disabling virtual memory in Windows for this reason.[82][83] Also, it is not recommended to place the paging file on a different partition on the same physical hard disk, as this will cause the drive's read/write heads to jump between the Windows and paging file partitions, which causes a loss of I/O performance that outweighs any gains from having the paging file defragmented.[80] The ideal solution performance-wise is to have the pagefile on a different hard drive from the one where Windows is installed, as this reduces both fragmentation and I/O issues.[80] The Windows 3.1x family does not have true virtual memory[citation needed] and uses a simpler swapping scheme, easily leading to more swapping to disk and therefore more disk fragmentation. Virtual memory support and strict memory protection are limited on the Windows 9x family for 32-bit processes.[84]
  Linux: Most hard drive installations of Linux utilize a "swap partition", a partition dedicated exclusively to paging operations. This reduces slowdown due to disk fragmentation from general use. As disks are much slower than RAM, users can adjust the Linux "swappiness" to keep processes in RAM for much longer before swapping to disk. Windows does not support such features. The performance requirements are different for desktop and server environments. If processes are moved out of RAM to swap space on disk too often, users will experience slower response times from the computer.[85] A new feature, currently referred to as "zRam" and previously called "compcache", exists to increase performance in Linux by creating a RAM-based block device which acts as a swap disk, but is compressed and stored in RAM instead of being on disk, as disks are slower than RAM. It allows for faster I/O and increases the amount of memory available before the system starts swapping to disk. It is now integrated into the Linux kernel.[86]

Speculative caching
  Windows: Windows' SuperFetch (based on Prefetcher) attempts to load commonly used libraries and application components into memory before they are required. It does so by continually analyzing application behavior and usage patterns, e.g. what applications are typically used in the morning after logon.[87] The cache memory is marked with low priority, meaning that if another process needs the memory, it will be given up. With Windows Vista, memory prioritization was introduced. Memory priorities are valuable in desktop settings where the responsiveness of some processes is more important than overall throughput. Background processes such as search indexers or caches can run with low memory priority to prevent them from gradually causing the memory of more important processes to be swapped out during periods of low-intensity use, sometimes referred to as the "after lunch syndrome".[88] Multimedia Class Scheduler Service (MMCSS) is a Windows service that boosts the CPU and I/O priority of a thread as well as reserving network bandwidth. It allows an application to get prioritized access to the CPU for time-sensitive processing (such as multimedia applications) as well as prioritized disk access to ensure that the
  Linux: Linux does not feature built-in predictive or speculative caching,[citation needed] although third-party solutions, such as preload, do exist. Linux also does not support memory priorities which could ensure that such a cache does not inadvertently cause other process memory to be swapped out (or not swapped in), with a resulting negative impact on overall performance (see Prioritized memory below).[citation needed] Linux swaps and frees memory pages using an adapted least recently used algorithm which does not allow memory pages to be marked with priority.[89][90]

Prioritized memory

Multimedia performance

Linux does not boost the priority of a thread or a process during playback of multimedia nor does it reserve bandwidth.[citation needed]. Linux does support process- and thread priorities, and applications or the user through utilities may set higher or lower priorities.

In late 2010 a patch was developed which balances workload between thread groups[92]. This mitigates the situation where a large number of processes from the same thread group starve out a single multimedia oriented process for resources. Linux most commonly uses the ext4 Default file The way the default Windows' file system NTFS works causes files to filesystem, which is unsupported by systems become fragmented, degrading the Windows. ext4 avoids fragmenting the performance of the system significantly disk as much as possible. Linux can, if over time, and it requires regular desired by the user, install and run on an defragmenting to combat this.[93][selfNTFS file system - though no published source?][94][self-published source?] mainstream distributions do this by default. [95][self-published source?] Only very small improvements to performance can be gained from defragmenting UNIX and Linux filesystems.[94][self-published source?] Linux distributions use tmpwatch and Temporary Windows does not automatically remove unused temporary files. Before logrotate to automatically purge unused files the remaining disk space gets too low temporary files and unused log files for the operating system and respectively. applications to function properly, Windows will warn the user about the condition.[96]. The warning includes the option to clean up the system. When invoked, temporary files, restore points etc. can be deleted. The build-up of unused temporary files can cause problems in Windows and other programs in Windows.[97]

process is not starved of data to process. Without MCSS multimedia playback may experience glitches or stutter as the load on CPU, IO subsystem or network increases.[91]

Support

Community support

Windows: The Microsoft Developer Network (MSDN), Microsoft TechNet (resources for IT professionals) and a multitude of user-driven support forums are available at no charge. Additional support is available from third-party services such as OEMs.

Linux: Most support is provided by advanced users and developers over IRC, online forums and other free community-based venues.[citation needed] Professional support is available, but is most commonly used only by large-scale businesses and server-dependent organizations.[citation needed]

Phone support

Windows: Retail versions of Windows come with 90 days of no-charge phone support.[98] OEM versions (purchased with hardware) are supported by the hardware vendors and subject to the support policies of each vendor.

Linux: Phone support is available with a paid subscription program or a support contract.

Documentation

Windows: Applications and tools all have a Help item in the menu bar with access to hypertext-based help topics. PowerShell cmdlets all have integrated help topics available in the style of Unix man pages. Microsoft provides the following online documentation sources: Windows Help & How-to (help, guides, videos and documentation for end users of Windows); Microsoft TechNet (documentation, guides, videos etc. for Windows IT professionals); and the Microsoft Developer Network (MSDN) (documentation, guidelines, samples, tools and downloads, articles etc. for developers).

Linux: Most documentation is available online, either in FAQ form or as wiki pages on developers' websites. Detailed documentation for specific commands, programs, functions, libraries, files and file formats is available through offline documentation systems, such as the man and info pages, which are accessed through the command line or through graphical viewers. Large applications often come with separate documentation.

Training

Windows: Many IT courses are written for participants to learn how to use and manage Windows systems and networks. Most computer-assistance experts have Windows training and qualifications.[citation needed]

Linux: Linux is taught in many university computing courses in programming and computer science.[99][100][101] Linux diplomas and certificates are rarely offered.[citation needed] Courses for certifications are provided by the Linux Professional Institute and by some distributions, such as Red Hat and Ubuntu.

Third-party documentation

Windows: For most proprietary software, documentation is written either in-house or by a consulting firm.

Linux: Documentation for source packages is usually in a README file, supplemented by man pages, info pages and other types of generally programmer-supplied documentation.

Platform for third-party applications

Operating system integration (installation)

Windows: Strict separation between the operating system and (third-party) applications. It is possible to install the same software in several different directories. Microsoft's guidelines strongly suggest that software vendors use the Windows Installer for installation; however, many applications are still deployed with alternative installers such as NSIS.[citation needed] Overly simplified application management has several drawbacks, such as introducing chances of DLL hell and compatibility issues. The former problem can be solved by using static linking (with a considerable trade-off in speed and memory consumption).[103][104] In addition, Microsoft has addressed compatibility issues by providing a compatibility layer for older software.[105]

Linux: Linux systems often do not separate operating system parts and applications[102] at the filesystem level, as most popular distributions follow the Filesystem Hierarchy Standard.[106][107][108] This approach stores the program itself, its data, configuration files and logs separately.[109] Usually applications are installed using a package manager such as APT or RPM,[110][111] which ensures that all applications have their library dependencies satisfied. As packages are incorporated into the system portion of the Linux filesystem tree, installation of any software typically requires administrative privileges.[112] It is possible to install software into a user's home directory, although this is a complex task, as the application needs to be compiled from source.[113] Such applications also introduce a security risk, as they are not tracked by the package manager and so are not updated when necessary.

Program distribution

Windows: Thousands of programs are available for download from many websites and for purchase on CD/DVD in retail shops. Programs must be downloaded (or purchased on CD/DVD) and installed individually. The user has to search for the application he needs, track dependencies (if any) by hand and ensure safety from malware himself.

Linux: The majority of applications are distributed in a binary package format. Each distribution usually has a centralized package repository, where trusted applications are stored and available for download.[114] Dependencies are handled automatically. As there are several common package formats, applications are usually packaged specifically for each distribution. The source code of most applications is distributed as well, where the licence allows it.

Software compatibility

Windows: Software compatibility has historically been a very high priority.[115] However, exceptions do exist, even within Microsoft's own applications (particularly with respect to Windows Vista).[116] For example, Windows Vista is not compatible with pre-2005 versions of MS SQL Server.[citation needed]

Linux: Distributed software is generally compatible with the current and upcoming versions of the distribution (the Linux Standard Base framework guarantees that interfaces are maintained for at least 6 years).[117] The same binary packages can be used among systems using the same package manager,[118] and generally among any systems providing the libraries the package depends upon.[119] Some compatibility issues existed in the past, when proper packaging guidelines were yet to be established.[120][121]

Shared library policy

Windows: DLLs are the Windows implementation of shared libraries. DLLs placed in an application's own directory (called "private libraries")[122] are used in preference to the DLLs in the system folder.[123] Historically, Windows 9x and earlier versions had no protection for system DLLs, and poorly written programs would often overwrite them at will with incorrect versions, potentially leading to dependency problems.

Linux: Almost all shared libraries are installed strictly system-wide.[123] Several Linux distributions have had problems with software not packaged for the distribution when updating libraries, since the application programming interfaces of some open source libraries are prone to change between releases.[124]

Software updates

Windows: Windows Update handles only updates to Microsoft software, and can deploy driver updates if they are present on the Windows Update site. Some third-party software has its own separate update manager. Windows Installer (see Package management system above) does not manage updates. Windows security updates typically require a restart.

Linux: The package manager handles updates for software that was installed via the package manager. Updates generally do not require a system restart, with the exception of kernel updates. Updates to applications or libraries require restarting the applications to take effect, but there is usually no need to restart immediately (new instances of the program use the new version). All of the installed programs and the Linux operating system itself can be kept up to date easily (see picture). Keeping the operating system and the installed programs up to date is essential for security.[125] Gentoo allows different versions of software and libraries to be installed on the same system. GoboLinux allows different versions of a program to be run concurrently.[126]

[Image: The Ubuntu Update Manager on an Ubuntu Linux system showing available updates.]

Microsoft has had a longstanding emphasis on backwards compatibility.[115] In general, the Windows API is consistent over time, with new features added;[citation needed] programs designed for earlier versions of Windows often run without issues on later versions.[citation needed] For the sake of progress, however, Microsoft sometimes draws a line precluding support of very old programs. That first happened with Windows 95, where some purely 16-bit Windows 3.1 applications would not work, and again with Windows XP, where certain mixed-bit applications would not work. 64-bit versions of Windows (XP-64 and Vista-64) drop 16-bit support completely. However, 16-bit emulation and the enormous array of application-specific tweaks (shims) within new Windows versions[127] ensure that compatibility with old applications remains very high.[128] In the Linux world the landscape differs. As most (if not all) parts of the operating system are open source and many Linux programs are open source, when a Linux distribution breaks backward compatibility anyone willing may write a patch to the operating system or to the program itself that allows the older software to work. In practice, though, since most popular Linux distributions use software repositories and the most popular programs exist in the repository, the programs provided in the repository are guaranteed to be compatible with supported versions of the distribution.

Gaming

Main article: Linux gaming

A major attraction of Windows is the large library of video games available for purchase.[citation needed] The majority of current major PC games natively support Windows and are released first (and often only) for the Windows platform.[citation needed] Some of these games can be run on Linux with a compatibility layer like Wine, Cedega or CrossOver. Those that rely on copy protection or undocumented features often require much more effort to work properly. It has also been shown that native speeds can be achieved with applications running under Wine.[129] There are notable exceptions, such as id Software's Doom and Quake series. When a developer chooses to write graphics code with OpenGL instead of DirectX, Linux ports become much easier. In addition, games such as the Unreal Tournament series are written in three parts: the core "engine" of the game, the graphical display system, and the actual game data itself. The first two, typically being compiled programs, require porting, though usually only the graphical display system requires much work (Windows to X Window, DirectX to OpenGL, etc.). The third part, the game data itself, is typically written in system-independent file formats and scripting languages. This allows the game developer to separate the actual game experience from platform compatibility. It also reduces the cost of development in two ways.

There is no need to port the game data to another platform, which eliminates the need to compile and bug-fix the game data for each platform. Future releases of the software can use the same "engine" and graphical display system. This allows game developers to focus more on the game experience and less on compatibility issues.

OpenGL provides a platform-independent, widely accepted and available solution for 3D graphics, but does not address input devices or sound. The Simple DirectMedia Layer (SDL) libraries provide support for these features on both Linux and Windows, and are often used to provide portable gaming support.[130] There are open source games designed specifically for Linux,[131] including over 1200 native Linux games[132] with over 220 games using proprietary licenses.[133] While most of these are small casual games like Kolf or Pingus, there are also larger games, such as Freeciv and The Battle for Wesnoth. Many have been ported to work on Windows as well. Some gamers opt to dual-boot Windows and Linux, using the Windows partition for gaming and other applications, while using the Linux partition for the needs it addresses better.[citation needed]

Software development

Cross-platform development (operating system resource access: file system, threads, memory allocation, etc.)

Windows: Elementary system resource access is provided by the Windows API, which has been available and kept compatible since Windows NT. Many programs are written for the Windows API and depend on an implementation of that API. Many Microsoft libraries have not been ported to other operating systems. Source compatibility with some UNIX programs is provided via the POSIX subsystem (Windows NT and 2000) or the Subsystem for UNIX-based Applications (formerly Interix) (2000, XP, 2003, Vista). Alternatives for POSIX and Linux compatibility under Windows are Cygwin and MinGW.

Linux: Linux is a UNIX-like operating system which implements most of the POSIX functionality.[134] Compatibility between such Unix-like operating systems (such as BSD Unix, Solaris and Mac OS X) is provided through standards such as POSIX and system libraries such as glibc. The GNU toolchain has been ported to Windows, as have GTK, Qt and many other libraries. Under Linux there is no standard widget toolkit implementing GUI elements such as windows, buttons and labels; several competing libraries are available, such as GTK, Qt, wxWidgets and Motif. Programs written for these widget toolkits must ensure that the required libraries are installed in order to run. Wine provides a reimplementation of the Windows API and the DirectX API to allow Windows programs to run on Linux, although often with glitches.

Cross-platform development (hardware resource access: graphics, audio, input devices, etc.)

Windows: For multimedia applications like games and audio and video applications, the DirectX API is available on Windows. Almost all major games and multimedia applications rely on this API, given its availability since 1995 and its backward compatibility since then. DirectX is available for the Windows PC platform and the Xbox platform, and through the reimplementation in Wine it is also available for Linux. Third-party libraries and standards are also available, e.g. OpenGL for 3D graphics, OpenAL for audio and SDL as a general-purpose multimedia API.

Linux: Among the various distributions of Linux there is no widely accepted general multimedia standard and API. For 3D graphics OpenGL is the available and accepted standard, but for everything else (audio, input devices, networking, etc.) many different approaches are available.[135][136] An important, widely supported standard for access to audio devices is the Advanced Linux Sound Architecture (ALSA) drivers, which allow very low latencies and support sound cards from about 120 vendors, including, for example, high-end sound cards used for professional recording, as well as the JACK Audio Connection Kit. These are extended by audio daemons such as the PulseAudio system, which integrates different libraries without the need for configuration. Various implementations of networked home audio systems, such as the cross-platform Music Player Daemon, are supported.

Driver development

Windows: Windows provides extensive, well-documented programming interfaces that enable third parties to develop kernel software that extends and modifies system behavior. Microsoft provides its Windows Driver Kit at no cost, which includes thorough documentation, samples, and tools for building, testing and deploying drivers. Windows driver programming interfaces are based on standards and specifications, often the product of a process involving leading players in the applicable industry. While Windows drivers are compiled against specifications and are not tied to a specific version of Windows, source code for a specific version of Windows may, in theory, be purchased for modification in some (restrictive) circumstances, or third-party tools may create modifications. In practice, the availability of Windows source code is generally heavily restricted or extremely expensive, if available at all. Even where source is available, modification of the operating system can break the EULA, and so be prohibited or even illegal.

Linux: Linux hardware drivers are mostly developed and released as part of the kernel itself, as free software released in source code form. The driver is considered part of the kernel project, and developers of these drivers are considered part of the community of Linux kernel developers. However, driver developers are responsible for keeping their drivers up to date; drivers which are not actively maintained are removed from the kernel.[137] The kernel group does not publish a programming interface for third-party drivers released in compiled, binary-only form. Nonetheless, third-party closed-source binary drivers are not uncommon, especially for graphics hardware. Usually they consist of the binary driver itself and an open-source driver interface which is compiled on installation.[138] Because binary-only drivers are released only for specific machine architectures (usually Intel x86 and x86-64), they are not supported on the full set of architectures that the Linux kernel itself supports.

IDEs and compilers

Windows: Several commercial IDEs are for sale, such as Microsoft's Visual Studio or Embarcadero Delphi. Multiple free IDEs and compilers exist, including the GNU Compiler Collection, Eclipse, NetBeans, Pelles C, lcc32, Borland C++, Visual Studio Express (Visual C++, C# and VB.NET compilers), the .NET compilers freely included in the .NET Framework, SharpDevelop and Free Pascal.

Linux: Several commercial IDEs and compilers are for sale, such as the PGI, Intel and Absoft Fortran compilers.[citation needed] Multiple free or gratis IDEs and compilers exist, the most common of which are often included in distributions, including the GNU Compiler Collection, Eclipse, NetBeans, Mono, MonoDevelop, Qt, Geany, Anjuta, KDevelop, Free Pascal, OpenLDev and Code::Blocks.

Security

Threats and vulnerabilities

Malware

Windows: As of 2009, well over 2 million malware programs target Windows.[1] Botnets (networks of infected computers controlled by malicious persons) with more than one million computers have been witnessed.[139] Microsoft recommends the use of anti-virus software[140] in Windows, and the Windows Action Center (previously called the "Windows Security Center") checks whether anti-virus software is installed and alerts the user if it cannot detect an anti-virus program.[141] As a result of users following this recommendation, there are consequences of using anti-virus software which are not caused by Windows itself: anti-virus programs have, in the past, damaged Windows due to faulty signatures,[142] which has resulted in costly IT repairs and disruption to businesses.[143] There are other issues of concern pertaining to the use of anti-virus software.

Linux: As of 2006, more than 800 pieces of Linux malware had been discovered.[144] Some malware has propagated through the Internet.[145] However, in practice, reports of bona fide malware presence on Linux-based systems are extremely rare.[146][147] Nonetheless, anti-malware tools such as ClamAV and Panda Security's DesktopSecure for Linux do exist. These programs are mainly intended[146] to filter Windows malware from emails and network traffic traveling through Linux-based servers. The extreme rarity of Linux malware is such that it is not usually necessary to use anti-malware programs.[146] Various distributions are configured to use address space layout randomization (ASLR) and NX memory protection by default.

Open vs. closed

Windows: Since 2004 Windows has been developed using the formalized Security Development Lifecycle process. Only Microsoft-employed programmers (or licensed third parties) can fix bugs.

Linux: There is a public review process for the source code. Anyone is free to enter this process by submitting patches for public review and inclusion in future releases and updates. Any patch must be signed off by the maintainers of the portion of code concerned, the subsystem maintainers, and further up the development chain.[148] The theory that the code is reviewed by so many people that bugs are detected is referred to as Linus's law.

Vulnerabilities

In an assessment report from 2004, Nicholas Petreley, the former editorial director of LinuxWorld, states that vulnerability counts alone cannot be used to reliably compare the overall security of Linux and Windows. The report discusses the overall security design of Linux and Windows. At that time, the report claimed that Linux is less vulnerable (but not 100% immune) to malware compared to Windows.[149] Non-sponsored research from Aberdeen Group (2003),[150] Forrester Research (2004),[151] CERT (2006),[152] Symantec (2007)[153] and IBM (2009)[154] found that Windows experienced fewer vulnerabilities overall, as well as fewer high-risk vulnerabilities, when compared to Linux.

Response speed

Windows: Microsoft releases bug fixes on a monthly schedule in a stated attempt to enhance the manageability and predictability of the patch management process.[155] In 2004 a Forrester Research report[156] found that Microsoft patched vulnerabilities with an average all-days-of-risk of 25 days. The findings of the Forrester report are consistent with those of a 2007 Symantec research report, which found Microsoft had an average patch time of between 18 and 23 days.[157] There are known security vulnerabilities which Microsoft will not patch on supported versions of Windows, such as Windows XP, which is supported by Microsoft until April 2014: Windows XP will not receive security patches for vulnerabilities which affect TCP/IP.[158] Windows 2000 likewise did not receive patches for known TCP/IP vulnerabilities while it was still supported;[159] Windows 2000 support from Microsoft ended in July 2010. There have also been cases in which Microsoft was aware of security vulnerabilities and did not fix them for long periods. A critical networking vulnerability which the security firm eEye had reported to Microsoft was fixed 200 days after Microsoft was notified of it.[160] A privilege escalation vulnerability was reported to Microsoft in June 2009 by Google security researcher Tavis Ormandy; after waiting several months and seeing no patch released, he made the flaw public.[161][162] The fix was released to Windows users in February 2010.[163] In another case, which came to light in January 2010, Windows users had to wait at least another 28 days for security patches to fix a known, remotely exploitable vulnerability affecting Server Message Block (SMB) in Windows 7 and Windows Server 2008 R2.[164] Unless the vulnerability information has been publicly disclosed by another party prior to the patch, the release coincides with vulnerability disclosure. This minimizes the higher-risk period between public vulnerability disclosure and patch availability.

Linux: Bugs can be fixed and rolled out within a day[citation needed] of being reported, though it usually takes a few weeks before the patch is available on all distributions. In the 2004 Forrester report[156] the best Linux distributions (Red Hat and Debian) had an average all-days-of-risk of 57. The report was met with skepticism from the Linux community.[165] However, the report is consistent with the 2007 Symantec research report,[157] which found that the Red Hat Linux distribution had an average patch time of between 36 and 49 days. In 2010 Jonathan Corbet called attention to a practice among kernel developers which led to at least 18 fixes in the 2.6.32.9 kernel not being classified as security flaws, although he found them to have clear security implications.[166] Linus Torvalds (the founder of Linux) is quoted as saying that he does not care for labeling updates and changes to Linux as security fixes in a security advisory.[167] As David Woodhouse told The Register,[168] not labelling fixes as having security implications can lead to the fix not being back-ported to older (but still maintained) versions of the distributions. There have been other cases where the Linux vulnerability fixing process has overlooked a vulnerability even though it had been reported,[169] where a vulnerability was inexplicably re-introduced after it had been fixed once and then left open for 2 years,[170] and where Linux distributions failed to back-port a vulnerability fix to older (but still active) versions due to the lack of a proper vulnerability disclosure.[171] Vulnerabilities are implicitly or explicitly disclosed when security bug-fixes are submitted to the Linux kernel source tree. These changes are submitted when testing has been completed, not on a fixed schedule. However, each Linux distribution must then adopt the changes and create patches for that specific distribution. The period between the disclosure of the vulnerability in the public source tree and its practical availability in the Linux distributions is referred to as distribution-days-of-risk in the 2004 Forrester report. The distribution-days-of-risk carry higher risk, as the vulnerability information is publicly available throughout this period.
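The Malware row above notes that distributions enable ASLR and NX memory protection by default, but whether a given binary actually benefits depends on how it was linked: the main executable is only randomized if it is position-independent (ET_DYN, "PIE"), and the stack is only non-executable if the PT_GNU_STACK program header is present without the execute flag. The following added example (not code from the original article or from any distribution) parses just the ELF64 header and program headers to answer those two questions. The sample images it checks are constructed in memory by build_elf(); the constants follow the ELF64 layout for x86-64, and the assumption that a missing PT_GNU_STACK means an executable stack reflects the Linux loader's default on x86.

```python
"""Check an ELF64 binary for NX (non-executable stack) and PIE.

Added example, not part of the original article. Only the ELF header
and program header table are parsed; little-endian 64-bit files only.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 0x3E
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551          # GNU extension: requested stack permissions
PF_X, PF_W, PF_R = 1, 2, 4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes


def elf_mitigations(data):
    """Return {'nx': bool, 'pie': bool} for an ELF64 little-endian image.

    nx : PT_GNU_STACK is present and does NOT carry PF_X. Without the
         header the kernel falls back to an executable stack on x86, so
         that case is reported as NX disabled.
    pie: e_type is ET_DYN, i.e. the text segment can be relocated and
         therefore randomized by ASLR. (Shared libraries are ET_DYN too;
         this check is intended for executables.)
    """
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only ELF64 little-endian is handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = EHDR.unpack_from(data, 0)
    if e_phentsize != PHDR.size:
        raise ValueError("unexpected program header size")
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN}


def build_elf(pie, gnu_stack_flags=None):
    """Construct a minimal ELF64 image (headers only, no code) for testing.

    gnu_stack_flags=None omits PT_GNU_STACK entirely, mimicking an old
    toolchain or an object assembled without the .note.GNU-stack section.
    """
    phdrs = [PHDR.pack(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000,
                       0x1000, 0x1000, 0x1000)]
    if gnu_stack_flags is not None:
        phdrs.append(PHDR.pack(PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, EM_X86_64, 1,
                     0x401000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)


def check_file(path):
    """Read a real binary from disk and report its mitigations."""
    with open(path, "rb") as fh:
        return elf_mitigations(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_file(sys.argv[1]))
    else:
        # Constructed samples: hardened PIE, exec-stack non-PIE, and a
        # binary with no PT_GNU_STACK at all.
        print("hardened   ", elf_mitigations(build_elf(True, PF_R | PF_W)))
        print("exec stack ", elf_mitigations(build_elf(False, PF_R | PF_W | PF_X)))
        print("no GNU_STACK", elf_mitigations(build_elf(False)))
```

Run it with a path (for example a distribution-built binary) to see what the package was compiled with; on a system where ASLR is on, a non-PIE executable still has a fixed text address and is therefore the usual target for return-oriented payloads.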

Security features and architecture

The actual security of the operating system can be affected by the actions performed by the user, such as tampering with security settings or running malicious executables ("malware"). Users with administrative privileges have more control, and so do the programs the user runs with these elevated privileges.

Privileged system functions

Windows: Windows defines a number of administrative privileges[172] which can be assigned individually to users and/or groups. An account (user) holds only the privileges granted to it, either directly or indirectly through group memberships. Upon installation a number of groups and accounts are created and privileges are granted to them; these grants can be changed at a later time or through a group policy. Unlike Linux, no privileges are implicitly or permanently granted to a specific account. Some administrative privileges (e.g. taking ownership of or restoring arbitrary files) are so powerful that, if used with malicious intent, they could allow the entire system to be compromised. With User Account Control (on by default since Windows Vista) Windows strips the user's token of these privileges at login. Thus, even if a user logs in with an account holding broad system privileges, he or she will not be running with them. Whenever the user wants to perform administrative actions requiring any of the system privileges, he or she has to do so from an elevated process. When launching an elevated process, the user is made aware that his or her administrative privileges are being asserted through a prompt requiring consent. Not holding privileges until actually required is in keeping with the principle of least privilege. Elevated processes run with the full privileges of the user, not the full privileges of the system; even so, the privileges of the user may still be more than what is required for that particular process, so this is not completely least privilege.

Linux: A Linux system has a single root user who has exclusive access to perform the privileged system operations. Unlike in Windows, the permissions to perform these privileged operations are hardwired to this user and cannot be delegated in whole or in part to other user accounts; in Linux it is the privilege to run as the root user which can be delegated.[173] When a non-root user needs to perform a privileged operation (e.g. change a password), the user needs to temporarily log in as the root user or run a process with root as its effective user. To temporarily log in as the root user, the su utility is used. However, this means that multiple users with administrative responsibilities share the root account and password, which is not considered a security best practice. Some distributions (e.g. Ubuntu[174]) disable log-in for the root user to avoid this. To allow a user to execute a process with root as the effective user, a SUID root executable can be used. A special SUID root utility, sudo, is available which can be configured with more fine-grained access control to system operations than is possible with the default file system permissions. sudo can also request extra confirmation from the user prior to executing the privileged operation. Logging in as root, or running a process with root privileges (root as the effective user), is not in keeping with the principle of least privilege: a security flaw in the process can allow an attacker unrestricted system access. Extensions/patches such as SELinux, AppArmor or grsecurity can mitigate this problem. The patch/extension hooks into every system operation and for each invocation compares the attempted action against a policy/profile for the particular process, e.g. ensuring that the ping utility can only access network sockets and not the entire system, even if an exploitable vulnerability exists. Linux does define a number of capabilities[175] akin to Windows privileges, but these are not practically available[176] except in the Fedora distribution. From release 15 Fedora has changed its system utilities to use capabilities instead of the unrestricted SUID model.[177]

Windows: In Windows Vista and later versions, all logged-in sessions (even those of "administrator" users) run with standard user permissions, preventing malicious programs (and inexperienced users) from gaining total control of the system. Processes that require administrator privileges can be run using the User Account Control (UAC) framework. For standard users, this presents a credentials dialogue that requires the password of a member of the administrators group (who are listed). For users who are already logged in as an administrator, only confirmation is necessary. The first user account created during the setup process is automatically a member of the administrators group; if

Linux: Users typically run as limited accounts, having created both an administrator account (named "root") and at least one user account during installation. In most Linux distributions there are commands (su, sudo) that temporarily grant elevated permissions to processes that need them. As in Windows, the administrator's (su) or the user's own (sudo) password is required to use these commands. Errors made with these elevated privileges can lead to severe damage to the system. As an alternative to this approach, the Ubuntu Linux distribution disables the root account by default and locks its password. This setup exists for security and safety reasons.
Ubuntu also the user does not manually create prohibits the use of su and uses sudo another user account which runs with instead, which is safer. Ubuntu users do fewer privileges, the administrator not use the root account and the Ubuntu account in use means that in Windows documentation does not support or versions prior to the introduction of the recommend trying to unlock the root UAC, malicious programs could gain account, but recommends that: "Ideally, full control over the system. Security you run as a user that has only the exploits have been able to bypass the privileges needed for the task at protection offered by the User Account hand".[174] Control.[178] It is possible for users to disable the UAC or lower the UAC New frameworks such as PolicyKit exist security level in order to reduce the to restrict the actions of programs

User Accounts

running with elevated privileges PolicyKit is now included in Ubuntu, Fedora, OpenSUSE and many other distributions. Package There is no central package manager in Linux distributions use a package manager and the programs go through an manager Windows. Users downloading and installing programs via an Internet approval process, before being added to connection must find these programs repositories accessible by the package from websites and take into account the manager.[146] risks of obtaining programs from untrusted sources.[146][unbalanced opinion] Linux has a traditional Unix-like "user, Filesystem group, other" approach to filesystem permissions permissions at a minimum.[181] This approach is extended by Access Control Lists on some filesystems. There are some optional, Linux-specific frameworks such as AppArmor and SELinux which add even finer-grained controls over which users and programs can access certain resources or perform certain operations. Some distributions File system permissions on a Windows use them out of the box.[182] SELinux Vista system. can be configured to policies as RoleBased Access Control and multilevel Windows NT and subsequent NT-based security, which are demanded, for versions of Windows (thus all present example, in military environments. versions) use NTFS-based Access Control Lists to administer permissions, Linux executable files must be set as using tokens.[179] On Windows XP and executable, which helps unsuspecting prior versions, most home users still ran users to avoid malware, trojan horses all of their software with Administrator etc.[183][184] accounts, as this is the default setup upon installation. 
The DOS based Windows ME, Windows 98, Windows 95, and previous versions of non-NT Windows only operated on the FAT filesystem and did not support filesystem permissions.[180] Linux has weak Address Space Layout Exploit Windows has Address Space Layout prevention Randomization (ASLR) combined with Randomization (ASLR) combined with Data Execution Protection/No Execute Data Execution Protection/No Execute bit (DEP/NX)[185] bit (DEP/NX) enabled by default[185]. If the Linux distribution include one of the PaX or ExecShield patches, Linux ASLR has the same strength as

number of prompts; disabling the UAC is not recommended.

Windows ASLR. PaX and ExecShield are not in the mainline kernel. PaX is included with grsecurity while ExecShield is included with SELinux. Mainstream distributions such as Ubuntu do not use any of these patches and thus still have the form of ASLR which Charlie Miller referred to as weak.[185] Red Hat Enterprise Server uses SELinux. Both grsecurity and SELinux comes with increased CPU overhead.[186] 64-bit versions of Windows have, since No runtime kernel integrity checks.[citation needed] Windows XP, employed Kernel Patch Protection. Kernel Patch Protection will periodically check the integrity of central kernel structures and tables, and if it determines that the kernel has been tampered with it will halt the system[187].

Runtime kernel integrity

Microsoft does not claim that Kernel Patch Protection can stop all malicious code, but they do take the position that "Protecting the integrity of the kernel is one of the most fundamental steps in protecting the entire system from malicious attacks and from inadvertent reliability problems that result from patching"[188] Linux does not perform integrity checks Persistent Beginning with Windows XP, 64-bit versions of Windows have required that on the kernel or drivers before kernel integrity kernel mode drivers be digitally signed loading.[citation needed] to be loaded. With Windows Vista this requirement was expanded to the entire kernel on 64-bit versions of Windows. Microsoft calls this Kernel Mode Code Signing (KMCS).[189] KMCS requires that all the kernel files on disk are digitally signed or resides within a digitally signed catalog file.[190] This requirement protects against malicious code tampering with kernel binaries or driver code to inject attack code and hijack program flow. If a file has been

tampered with, the signature will not be valid for the file. See also: Authenticode Drivers can be signed with certificates obtained from a number of certificate authorities which are trusted by Windows, i.e. a device vendor can develop and sign a driver without Microsofts consent. Driver signing does not prevent an attacker from obtaining such a certificate and create a malicious, signed driver which will be accepted by the system should she succeed in placing it in the boot path. However, to obtain a certificate an identity check is performed by the certificate authority. Also, drivers signed with a certificate that is later determined to be used to sign malicious code, can be disabled by revoking the certificate at any time. Linux has a built-in Linux kernel Firewall, Windows has a built-in Windows Firewall which has all basic firewall netfilter firewall. basic [191] features : The firewall/netfilter has all basic Both inbound and outbound rules firewall features: Rules for specific local ports, remote ports and IP protocols Both inbound and outbound rules Rules can be scoped by both Rules for specific local ports, local and remote IP addresses remote ports and IP protocols Rules can allow or block Rules can be scoped by both connections local and remote IP addresses The firewall can log accepted Rules can allow or block and/or rejected traffic connections/packets The firewall can log traffic based The firewall rules describe connections on matching rules. (depending on protocol) and do not allow the fine-grained single-packet The firewall allows fine-grained packet filtering of the Linux kernel firewall. inspection, down to individual fragments. The firewall does not feature high-level Firewall, Rules can be set to only activate for advanced certain applications (by executable path) rules like those found in the Windows and/or services (by service name)[192] . Firewall, i.e. 
the Linux firewall cannot rules For instance, a rule can be set to only filter based on which application or allow incoming traffic on given port if daemon is the local endpoint, who the the recipient is a specific instant user running the process is, or to which

messaging client. The same feature can also be used to ensure that only specific programs/services are allowed to connect to the Internet, thus controlling "phone-home" behavior of programs.

group he/she belongs, or with which authenticated computers it is communicating. The firewall also does not support access control lists for the rules.

Windows Firewall also integrates with the user directory and allows rules to be set up on condition that the attempted connection is authenticated and optionally encrypted[192]. As part of this, access can be restricted by using access control lists on individual rules or ports, for instance allowing only certain users to access the internet or allowing only certain remote (authenticated) computers to access services. Firewall, The Windows Firewall is switched on by A Linux distribution can decide whether configure the netfilter with default rules. default state default[193] (since Windows XP SP2). One of 3 profiles is activated For instance, Ubuntu does not filter any automatically for each network traffic in the firewall by default. The [194] interface : firewall is not activated because Ubuntu has no outward-facing services. There Public assumes that the network are no programs that allow incoming is shared with the World and is connections from the Internet apart from those which are under the user's the most restrictive profile. [195] Ubuntu does, however, have Private assumes that the network control. is isolated from the Internet and a policy of "No Open Ports" and states: allows more inbound connections "Default installations of Ubuntu must than public. A network is never have no listening network services after initial install. Exceptions to this rule assumed to be private unless include network infrastructure services designated as such by a local such as the DHCP client and mDNS administrator. (Avahi/ZeroConf, see Domain profile is the least ZeroConfPolicySpec for implementation restrictive. It allows more inbound connections to allow for details and justification). When installing Ubuntu Server, the file sharing etc. The domain profile is selected automatically administrator can, of course, select specific services to install beyond the when connected to a network defaults (e.g. Apache)." with a domain trusted by the local computer. 
Firewall, Windows Firewall can be management controlled/configured through a COM object-oriented API, scriptable through the netsh command[196] , through the The Linux firewall can be controlled/configured through a usermode program called iptables, or other tools which can access netfilter. iptables

is a scriptable command-line tool. The firewall can also be controlled through an API. Graphical front-ends and online "rule generators" exist, but they do not allow all firewall features to be controlled. One example is the Uncomplicated Firewall (UFW) and its associated GUI tool Gufw distributed with Ubuntu. Security As of October 2011 all major versions of As of October 2011 the following Linux distributions have obtained EAL4+ certification Windows have obtained EAL4+ certifications: (Common certification: Criteria) Microsoft Windows 7 Wind River Linux Secure 1.0 Microsoft Windows Server 2008 Red Hat Enterprise Linux Ver. R2 5.3 on Dell 11G Family Servers Microsoft Windows Vista Red Hat Enterprise Linux Enterprise Version 5.1 Windows Server 2008 Standard, SUSE Linux Enterprise Server Enterprise and Datacenter 10 SP1 Editions Red Hat Enterprise Linux Microsoft Windows Server 2003 Version 5 SP2 including R2, Standard, Red Hat Enterprise Linux Enterprise, Datacenter, x64, and (RHEL) Version 4 Update 1 AS Itanium Editions and Red Hat Enterprise Linux Windows XP Professional SP2 (RHEL) Version 4 Update 1 WS and x64 SP2 Windows XP Embedded SP2 The following Linux distributions have Microsoft Windows Server 2003 obtained EAL3+ certifications: SP1 (x86) and x64 Edition, Standard, Enterprise, and Red Hat Enterprise Linux Datacenter (RHEL) Advanced Server (AS) Windows Server 2003 SP1 Version 3 Update 5 Running on (IA64), Enterprise and Unisys ES7000 Hardware Datacenter models 405, 410, 420, 430, and Windows XP Professional SP2 440 (x86) and x64 Edition Red Hat Enterprise Linux Microsoft Windows 2000 (RHEL) Advanced Server (AS) Professional, Server, and Version 4 Running on Unisys Advanced Server with SP3 ES7000 Hardware models 405, 410, 420, 430, 440, 505, 510, 520, 530, 540, and one Red Hat Enterprise Linux Version 4 Update 4 Red Hat Enterprise Linux Version 4 Update 2 AS & Red

GUI administration tool[197] or centrally through group policies[198] . All features are available regardless of how it is configured.

Hat Enterprise Linux Version 4 Update 2 WS Absence of a Linux distribution certification does not mean that it cannot meet the criteria for certification; it may be that no certification has been applied for. See also: Common_Criteria#Criticisms
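The capability model from the Privileged system functions row above, as an added example that is not part of the original article: a small POSIX shell script that decodes the CapEff masks the kernel reports in /proc/<pid>/status, and compares the full mask a classic SUID-root helper runs with against the single cap_net_raw bit a Fedora-style file-capability ping carries. The two /proc status excerpts are constructed for the example (not captured from a real system); the capability numbering follows linux/capability.h, CAP_CHOWN = 0 through CAP_AUDIT_READ = 37.

```sh
#!/bin/sh
# Decode the CapEff/CapPrm/CapBnd masks from /proc/<pid>/status and compare
# a SUID-root helper (full root mask) with a file-capability helper that
# carries exactly one capability. Capability numbers are the bit positions
# from linux/capability.h, listed here in numeric order (bit 0 first).

CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner \
cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable \
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock \
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace \
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource \
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write \
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog \
cap_wake_alarm cap_block_suspend cap_audit_read"

# decode_caps HEXMASK -> comma-separated capability names (empty line if none)
decode_caps() {
    mask=$((0x$1))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out,}$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# cap_count HEXMASK -> number of bits set in the mask
cap_count() {
    mask=$((0x$1))
    n=0
    bit=0
    while [ $bit -lt 64 ]; do
        n=$((n + ((mask >> bit) & 1)))
        bit=$((bit + 1))
    done
    echo $n
}

# status_field NAME  (reads a /proc/<pid>/status text on stdin)
# -> the hex mask on the line "NAME:  <mask>"
status_field() {
    awk -v want="$1:" '$1 == want { print $2 }'
}

# Constructed status excerpts (not captured from a real system):
# a ping installed under the classic SUID-root model, and the same ping
# installed Fedora-style with `setcap cap_net_raw+ep /usr/bin/ping`
# (cap_net_raw is bit 13, i.e. 0x2000).
STATUS_SUID_PING="Name:   ping
Uid:    1000    0       0       0
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff"

STATUS_FSCAP_PING="Name:   ping
Uid:    1000    1000    1000    1000
CapPrm: 0000000000002000
CapEff: 0000000000002000"

# report LABEL STATUS_TEXT -> one line summarising the effective set
report() {
    eff=$(printf '%s\n' "$2" | status_field CapEff)
    printf '%s: %s capabilities in CapEff: %s\n' \
        "$1" "$(cap_count "$eff")" "$(decode_caps "$eff")"
}

report "suid-root ping" "$STATUS_SUID_PING"
report "file-capability ping" "$STATUS_FSCAP_PING"

# On a Linux host, also show the live effective set (cat's, inherited from
# the calling shell); skipped elsewhere, where /proc does not exist.
if [ -r /proc/self/status ]; then
    report "this shell" "$(cat /proc/self/status)"
fi
```

The first report lists all 38 capabilities, which is what "root as the effective user" means in practice; the second lists only cap_net_raw, so a bug in that ping cannot be turned into a file-system or process-control primitive. The same decoder applied to CapBnd shows what a capability-bounding set (as used by containers and by sudo-less service managers) has removed.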

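For the Exploit prevention row: the mainline kernel's ASLR randomizes the main executable only when the binary is a position-independent executable, and that can be read straight from the ELF header. The following script is an added example (not the article's, nor any distribution's, code) that classifies a binary as ET_EXEC or ET_DYN using od(1) alone and reports the kernel's randomize_va_space setting when it runs on Linux. The two ELF headers it writes are constructed test data, not runnable programs.

```sh
#!/bin/sh
# Report whether an ELF file is a fixed-address executable (ET_EXEC) or a
# position-independent image (ET_DYN, used both by PIE executables and by
# shared libraries). Only ET_DYN program images get their base address
# randomized by mainline ASLR; an ET_EXEC image loads at the address baked
# into its headers whatever randomize_va_space says.

# elf_type FILE -> prints EXEC, DYN, OTHER or NOTELF (exit 1 for NOTELF)
elf_type() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo NOTELF
        return 1
    fi
    # e_ident[EI_DATA] at offset 5: 01 = little-endian, 02 = big-endian.
    data=$(od -An -tx1 -j5 -N1 "$f" | tr -d ' \n')
    b0=$(od -An -tx1 -j16 -N1 "$f" | tr -d ' \n')   # e_type, low offset
    b1=$(od -An -tx1 -j17 -N1 "$f" | tr -d ' \n')   # e_type, high offset
    if [ "$data" = "01" ]; then etype="$b1$b0"; else etype="$b0$b1"; fi
    case "$etype" in
        0002) echo EXEC ;;
        0003) echo DYN ;;
        *)    echo OTHER ;;
    esac
}

# aslr_verdict FILE -> one-line judgement combining the ELF type with the
# randomize_va_space sysctl (2 = full, 1 = mmap/stack only, 0 = off;
# "unknown" when not running on Linux).
aslr_verdict() {
    t=$(elf_type "$1") || { echo "$1: not an ELF file"; return 1; }
    if [ -r /proc/sys/kernel/randomize_va_space ]; then
        rvs=$(cat /proc/sys/kernel/randomize_va_space)
    else
        rvs=unknown
    fi
    case "$t" in
        DYN)  echo "$1: DYN, base address randomized (randomize_va_space=$rvs)" ;;
        EXEC) echo "$1: EXEC, base address fixed, only stack/heap/mmap randomized (randomize_va_space=$rvs)" ;;
        *)    echo "$1: $t" ;;
    esac
}

# make_elf_header FILE EXEC|DYN -> writes a minimal 64-bit little-endian
# ELF header (24 bytes of constructed test data, not a loadable program).
make_elf_header() {
    case "$2" in
        EXEC) t='\002' ;;
        DYN)  t='\003' ;;
        *)    echo "make_elf_header: EXEC or DYN expected" >&2; return 1 ;;
    esac
    # e_ident: magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, OSABI 0, 8 bytes pad
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000' > "$1"
    # e_type (2 bytes LE), e_machine = EM_X86_64 (0x3e), e_version = 1
    printf "$t"'\000\076\000\001\000\000\000' >> "$1"
}

tmp=${TMPDIR:-/tmp}/elfcheck.$$
make_elf_header "$tmp.pie" DYN
make_elf_header "$tmp.fixed" EXEC
aslr_verdict "$tmp.pie"
aslr_verdict "$tmp.fixed"
rm -f "$tmp.pie" "$tmp.fixed"

# A real binary, where one exists: PIE on most current distributions,
# EXEC on older ones (and not ELF at all on non-Linux systems).
if [ -r /bin/ls ]; then aslr_verdict /bin/ls || true; fi
```

Run it over the setuid binaries and network daemons of a system (for example with find / -perm -4000 -type f) to see which of them the stock ASLR actually protects; anything reported as EXEC has a predictable text segment that return-oriented exploits can use regardless of the sysctl.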
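For the Firewall, advanced rules row: an added example (not from the article) of the one per-process selector netfilter does offer, the owner match, used to give each local account its own egress policy in the way a Windows Firewall program rule does per executable. The policy line format (allow uid=... dport=... proto=...) and the backup account are assumptions of this example. A line that asks for an executable path (exe=) is rejected rather than ignored, because netfilter has no such match, and the generated rules are only executed when the script runs as root with iptables installed; otherwise they are printed.

```sh
#!/bin/sh
# Turn a small per-user egress policy into an iptables OUTPUT chain using
# the owner match. Policy lines (assumed format for this example):
#   allow|drop uid=<user or numeric id> dport=<port> [proto=tcp|udp]
# Blank lines and lines starting with '#' are ignored.

# gen_egress_rules  (policy on stdin) -> iptables commands on stdout.
# Returns 1, with the reason on stderr, for a selector netfilter cannot
# evaluate, so a Windows-style "exe=" rule is never silently dropped.
gen_egress_rules() {
    echo "iptables -F OUTPUT"
    # Replies to connections already allowed, and loopback, go first.
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    while read -r action rest; do
        case "$action" in ''|'#'*) continue ;; esac
        uid=""; dport=""; proto=tcp
        for kv in $rest; do
            case "$kv" in
                uid=*)   uid=${kv#uid=} ;;
                dport=*) dport=${kv#dport=} ;;
                proto=*) proto=${kv#proto=} ;;
                exe=*)   echo "unsupported selector '$kv': netfilter has no per-executable match" >&2; return 1 ;;
                *)       echo "unknown selector '$kv'" >&2; return 1 ;;
            esac
        done
        case "$action" in
            allow) target=ACCEPT ;;
            drop)  target=DROP ;;
            *)     echo "unknown action '$action'" >&2; return 1 ;;
        esac
        [ -n "$uid" ] && [ -n "$dport" ] || { echo "uid= and dport= are required" >&2; return 1; }
        # owner match only sees locally generated packets, hence OUTPUT only.
        echo "iptables -A OUTPUT -m owner --uid-owner $uid -p $proto --dport $dport -j $target"
    done
    # Everything else is logged (rate-limited, so one chatty process cannot
    # flood the log) and then dropped by the chain policy, set last so the
    # host is never left with a DROP policy and an empty chain.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"egress-deny: \""
    echo "iptables -P OUTPUT DROP"
}

# apply_egress_rules  (policy on stdin) -> generate, then execute only when
# root and iptables is available; otherwise print the commands (dry run).
apply_egress_rules() {
    rules=$(gen_egress_rules) || return 1
    if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
        printf '%s\n' "$rules" | sh -e
    else
        printf 'dry run (not root, or iptables not installed):\n%s\n' "$rules"
    fi
}

# Constructed example policy: a backup account may reach SSH and resolve
# names, the desktop user may browse, everything else is logged and dropped.
POLICY='# constructed policy for the example
allow uid=backup dport=22
allow uid=backup dport=53 proto=udp
allow uid=1000 dport=443
allow uid=1000 dport=80
'
printf '%s' "$POLICY" | apply_egress_rules
```

The rule order matters: the conntrack rule lets replies through for every allowed connection, the LOG rule must precede the DROP policy or nothing is recorded, and any uid not named in the policy loses all egress, which is the "phone-home" control the Windows column achieves per program. The closest Windows equivalent of one policy line is a program rule such as netsh advfirewall firewall add rule name="curl" dir=out action=block program="C:\Tools\curl.exe", scoped by path rather than by user; netfilter can do the user but not the path, the Windows firewall the path and (through directory-integrated rules) the user.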