does differ. Linux uses a password salt, a random value generated and added to the user's password before encryption. This increases the difficulty of guessing the password with a brute force attack. Windows does not use a password encryption salt, which, combined with other weaknesses, has led to some well publicized concerns about the ease of cracking Windows passwords (Lemos, 2003). A fair analysis of Windows authentication must, however, consider the use of AD to provide authentication. AD has become the common method of user authentication for Windows systems. The AD password does not have the weaknesses of LM passwords and essentially provides a secure authentication process and enhances the authorization process.
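To make the salt point concrete, the following is an added illustration (not code from the chapter, and not the actual crypt(3) or LM algorithms): a toy scheme that stores a random per-user salt beside the digest, verifies a password against it, and counts how many hash computations a wordlist check against many accounts would take with and without salts.

```python
import hashlib
import secrets
from typing import Optional

# Illustrative scheme only: a random per-user salt is prepended to the
# password before hashing. The salt handling is the point, not the hash.
SALT_BYTES = 8  # assumption: 8 random bytes, stored as 16 hex characters


def hash_unsalted(password: str) -> str:
    """LM-style property (no salt): the digest depends only on the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[str] = None) -> str:
    """Linux-style property: a fresh random salt is stored with the digest."""
    if salt is None:
        salt = secrets.token_hex(SALT_BYTES)
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt; compare in constant time."""
    salt, _ = stored.split("$", 1)
    return secrets.compare_digest(hash_salted(password, salt), stored)


def hashes_required(num_accounts: int, wordlist_size: int, salted: bool) -> int:
    """Hash computations needed to test a wordlist against every account.
    Unsalted: the list is hashed once and reused for all accounts.
    Salted with unique salts: the list must be rehashed per account."""
    return wordlist_size * (num_accounts if salted else 1)


def demo() -> dict:
    """Two users choose the same password (constructed sample data)."""
    alice = hash_salted("correct horse")
    bob = hash_salted("correct horse")
    return {
        "salted_stored_values_equal": alice == bob,  # False: salts differ
        "alice_verifies": verify_salted("correct horse", alice),
        "bob_wrong_password": verify_salted("wrong", bob),
        "work_unsalted": hashes_required(1000, 10_000, salted=False),
        "work_salted": hashes_required(1000, 10_000, salted=True),
    }
```

With a salt, users sharing a password no longer share a stored value, and a wordlist must be recomputed for every account rather than once.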
Considering the principle of psychological acceptability, the Windows network authentication scheme using Active Directory is more robust and flexible, making administration of authentication and authorization easier. Similar domain security administration is possible with Linux (LDAP + Kerberos), but it is currently more difficult to administer than its Windows counterpart. Though there are incompatibility issues with using Linux and Windows network authentication together (a common requirement in today's information technology centers), these incompatibilities are not insurmountable and are not severe enough to change this assessment.
Though it does not fall under the categories established by Saltzer and Schroeder (1975), accountability issues should be considered under authentication and authorization. General shared user accounts should be limited and discouraged, since a user account shared amongst multiple users does not provide accountability for the actions performed by that user account on the system (since it could be one of many users). For this reason, authentication for shared accounts should either be eliminated or severely limited by the system. In Windows, the "guest" account is commonly used as a shared account and is now disabled by default. In Linux, the "nobody" account is commonly used by a number of programs, but login is disabled by default.
Summary and Conclusion
In evaluating the authentication and authorization of Windows and Linux on the basis of Saltzer and Schroeder's security principles and accountability, Linux distributions using SELinux's MAC have an advantage in authentication and authorization. The lack of open design in Windows limits the auditability of its authentication and authorization features and is considered a detriment. Malicious software running in user-space is the most common cause of security exploits. Mandatory access controls (MAC) provide a higher level of security which can mitigate weaknesses in application security. These controls add another layer of security to the management of authorization requests by the operating system and thus improve the Linux implementation of separation of privilege and the default behavior of applications (fail-safe defaults). Windows does not currently provide an implementation of MAC in its server product, and consideration of this reduces the authentication and authorization security of that operating system.
Windows' implementation of network security with AD demonstrates the benefits of psychological acceptability in security features. As Saltzer and Schroeder understood, providing ease of use greatly improves the likelihood that the security feature will be used (psychological acceptability). The ability to create consistent security policies and to implement them throughout an enterprise is a significant benefit. Windows has an advantage in this area, as Linux implementations of such features have had limited development and must contend with the predominance of Windows client operating systems on the desktop and the persistent interoperability issues that exist in integrating Windows authorization and authentication features with Linux.