variant, a version of the original Unix developed at Bell Labs in New Jersey in 1971 for academic and research work (Ritchie, 1978). Linux was developed about 20 years after the original Unix and is not a product owned by a single company. Its design is purposely sparse and modular. The core operating system component is the Linux kernel, and it is this kernel that is packaged with numerous open source utilities and programs to create the various Linux distributions available today. There is no overarching business strategy, and no accompanying update cycle, driving the development of Linux distributions. This, combined with the fact that the business model under which Linux distribution vendors operate is new and volatile, has led to a varied landscape of Linux distributions. Though some Linux distributions are marketed as complete solutions, most Linux users add a variety of additional components to the system to arrive at a complete solution. Linux distribution vendors consider this a benefit of using a modular, flexible operating system and refer to it as a "best-of-breed approach", where the user chooses the components best suited to their environment.
To identify the best approach to developing an operating system, or to define which components are truly part of an operating system, is beyond the scope of this chapter. But in order to make a valid "apples-to-apples" comparison of Windows and Linux security, it is important to acknowledge that Windows installations commonly use just the components provided with the operating system, whereas Linux installations commonly add components to complete the computing environment. Any assessment of authentication and authorization must take this into consideration and discuss the security components commonly added to complete the Linux computing environment in order to make a reasonable comparison. For purposes of this comparison we assume a standard Windows (server) distribution, which is bundled with significant security and administration features such as Active Directory, IIS and DNS, and Red Hat Linux ES with the SELinux extensions.
The following sections evaluate Windows and Linux security in relation to authentication and authorization. The next section evaluates authentication, first on Windows and then on Linux; the section after it evaluates authorization in the same order.
Authentication

Windows Authentication
Authentication on Windows allows a user to log in to either a local workstation or a network domain of Windows hosts. The logon process requests the user name and password and interacts with the local security authority (LSA) to obtain an access token, which contains the security identifier (SID) for the user together with the SIDs of the groups the user belongs to. The Security Account Manager (SAM) database contains user and group names, security identifiers and password hashes; passwords are not stored in clear text, and the stored hashes are themselves encrypted. The SAM database is kept in the Windows registry (under HKLM\SAM) but is not readable by ordinary users; by default only the SYSTEM account can open it. In Windows, the logon process and the local security authority are processes which run in user space. The security reference monitor executes in kernel space and, by comparing the SIDs in the caller's token against an object's access control list, determines whether or not a user has permission to access that system object (WindowsSecurity.com).
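As an added example (this is not code from the chapter), the following PowerShell, run on a Windows host, shows the contents of the access token the local security authority built for the current logon and checks the SAM restriction described above. The registry path HKLM:\SAM\SAM and the expectation that a non-SYSTEM caller receives an access-denied error are assumptions about a default Windows configuration.

```powershell
# Added example: inspect the access token of the current logon session and
# confirm the SAM hive is not readable by this token.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on a Windows host.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The user SID is what the security reference monitor compares against ACLs;
# the account name is only a display label for it.
"User:      {0}" -f $identity.Name
"User SID:  {0}" -f $identity.User.Value

# Group SIDs carried in the token. Translate() can fail for SIDs that have no
# account name (for example the per-logon-session SID), so fall back to the
# raw SID string in that case.
"Groups in token:"
foreach ($sid in $identity.Groups) {
    $name = '(no account name)'
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {}
    "  {0,-48} {1}" -f $sid.Value, $name
}

# Token privileges are not exposed by WindowsIdentity; whoami.exe reads them
# from the same token.
"Privileges in token:"
whoami /priv

# The SAM database lives under HKLM\SAM\SAM (assumed default location). By
# default only SYSTEM can read it, so this is expected to fail with an
# access-denied error for an ordinary user and even for an elevated
# administrator that has not switched to the SYSTEM account.
try {
    Get-ChildItem -Path 'HKLM:\SAM\SAM' -ErrorAction Stop | Out-Null
    "SAM hive is readable by this token (unexpected unless running as SYSTEM)"
} catch {
    "SAM hive not readable by this token: $($_.Exception.Message)"
}
```

Run it once as a standard user and once from an elevated prompt: the group list changes (the elevated token carries the Administrators SID as enabled rather than deny-only) and the privilege list grows, but the SAM hive stays unreadable in both cases.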
In larger installations of Windows clients, Active Directory (AD) is commonly used for user authentication and is considered a central component of the Windows server product line. Active Directory is a directory service, accessed through LDAP (Lightweight Directory Access Protocol), for storage of user information (user name, password hash, group membership), and it uses Kerberos to provide trusted logins over the network. A detailed description of AD is beyond the scope of this chapter, but key authentication features are relevant to this discussion. AD provides both authentication and authorization features over one