just general questions about fbsd

Mon May 21 00:35:40 UTC 2007

> 
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of 
> Kevin Kinsey
> > Sent: Sunday, May 20, 2007 3:19 PM
> > To: Anton Galitch
> > Cc: questions at freebsd.org
> > Subject: Re: just general questions about fbsd
> > 
> > 
> > Anton Galitch wrote:
> > > Hi
> > > Im writing an article about FreeBSD and want to ask some 
> few question:
> > > 
> > > - What advanced features it has that for example Windows, or MacOS
> > dont
> > > have?
> > 
> 
> Windows, even the server versions of Windows, are 
> fundamentally desktop software operating systems that are at 
> times pressed into being servers.
> 
> FreeBSD and the other UNIXES are fundamentally server 
> operating systems that are at times pressed into being desktops.
> 
> Remember, UNIX came out of the multiuser environment, where 
> you had a lot of people connected via dumb ASCII terminals to 
> a single mainframe.
> >From the beginning, concepts like reentrant code, and separation of
> user authority, have been ingrained in it.
> 
> Consider for example the extreme difficulty that Microsoft 
> has had with the simple concept of a "superuser".  A 
> superuser is, as you may know, a userID on the system that 
> has authority to do anything, change anything, and that the 
> normal security mechanisms do not apply to.
> Under UNIX this is the "root" user ID.
> 
> Well, with Windows, in the Win 3.1/win95/win98/winME series, 
> anyone who booted the Windows system was automatically the 
> superuser.  This causes a lot of problems as you might 
> imagine with programs, as if a program has a bug or goes out 
> of control somehow, since the user it is running under has no 
> security, the program can destroy anything on the system.
> 
> With UNIX, normally, programs are not run under the superuser 
> ID, they are run under a normal user ID.  Thus programs 
> cannot normally
> damage the system.   Microsoft observed the value of this paradigm
> and so put it into Windows NT - although, under NT, they 
> called the superuser "the administrative user" most likely, 
> because they didn't want anyone to realize they were just 
> copying how UNIX does things.  But, "administrator" under 
> Windows, and "root" under UNIX are essentially the same thing.
> 
> The problem, though, is that because the concept of the 
> superuser ID was grafted onto Windows, if you setup Windows 
> so that when it boots, a person logs into it as a regular 
> user, they have a lot of problems.  They cannot install 
> software, they cannot run a lot of different network 
> software, they cannot make changes in simple things like the 
> screen resolution, and so on.  Both Windows NT and Windows 2K 
> were setup by Microsoft out of the box like this - when you 
> installed them, you had to tell them a regular userID and an 
> administrator userID.  But, due to the problems, Microsoft 
> went to a model in both Windows XP and Windows Vista, where 
> when you install and set it up, BY DEFAULT, you are put in as 
> a superuser (administrator)
> 
> This saves Microsoft a lot of support calls from people 
> calling in demanding to know why the Windows OS won't let 
> them do simple things like change screen resolution - but, it 
> completely defeats the security in Windows, and makes even 
> the most modern Windows no better than Windows 3.1 in terms 
> of security.
> 
> This I think is one of the best illustrations of the 
> different approaches of Windows and UNIX.  With a server, 
> since a lot of people are affected if an errant program 
> crashes it, the security is never disabled by default, and 
> the installer must deliberately choose to do it.  With a 
> desktop, nobody is really affected if it crashes except for 1 
> person, so since usability is more important than security, 
> by default this is why security in Windows Vista is subverted 
> this way, out of the box.
> 
> There are a very great many people out there walking around 
> who have setup Windows systems as servers, and not understood 
> this, and as a result, caused their company to lose hundreds 
> if not thousands of dollars of time and labor due to the 
> Windows server crashing as a result of a virus knocking it 
> down.  A virus, I will say, that IF the Windows security had 
> been properly enabled, would NOT have been able to take the 
> Windows server down.
> 
> Ted

Not to change this to Windows vs Unix thread. But I think they are two different ball games. I work with both servers and have seen advantages/disadvantages in both security and non-security related.

The SYSTEM user is considered to be the superuser on Windows. This is why many malicious codes that exploit a high risk vulnerability in OS automatically grant their application a service or run it as a system process.

On the other hand, Windows has the ability to change the administrator user or completely disable it. Something not available in Unix systems. For example, a cracker or hacker targeting UNIX system will automatically try to compromise the "root" user. It is 100% guaranteed to be there. On the other hand in Windows, good sys admins will rename or complete disable the administrator user hence making it more difficult to know the administrator user.

Anyway, this is an opinionated subject. FBSD is great in many aspects. We use it because it is freely available, has a great community support, doesn't need much rebooting once installed and is fairly quick to backup/restore.