Comparisons between the Windows and Linux computer operating systems are a long-running discussion topic within the personal computer industry.[citation needed] Throughout the entire period of the systems through the introduction of , Windows has retained an extremely large retail sales majority among operating systems for personal desktop use, while Linux has sustained its status as the most prominent and Source . Both operating systems are present on servers, embedded systems, mobile internet devices as well as .

Linux and Windows differ in philosophy, cost, versatility and stability, with each seeking to improve in their perceived weaker areas. Comparisons of the two operating systems tend to reflect their origins, historic user bases and distribution models. Typical perceived weaknesses regularly cited have often included poor consumer familiarity with Linux, and Microsoft Windows' susceptibility to viruses and .[1][2]

Total cost of ownership

See also: Studies related to Microsoft

In 2004, Microsoft launched a marketing campaign, "Get the Facts", to encourage users to switch from Linux to its Windows System. Microsoft claims that its products have an overall lower total cost of ownership than programs because of their ease of use, resulting in less work and lower staff costs.[3]

However, a variety of Linux supporters, companies, and organizations, notably Linux distributor Novell, which produces SUSE Enterprise Linux, and tech news outlet The Register, dispute Microsoft's figures.[4][5][6][7] One argument supporting the cost-effectiveness of Linux is that although Linux administrators are usually paid somewhat higher salaries than Windows administrators, a competent Linux administrator can take care of more computers than the latter. A study conducted by Chad Robinson, senior research analyst at tech/business researcher Robert Frances Group, supports this view.[8][9]

In 2004, the UK's Advertising Standards Authority (ASA) warned Microsoft that an advertisement using research that claimed "Linux was […] 10 times more expensive than 2003" was "misleading", as the hardware chosen for the Linux server was needlessly expensive. The ASA concluded that the comparison was misleading because the operating systems ran on different hardware.[10]

Real world experience

The German Foreign Office said that the cost of open source desktop maintenance is by far the lowest it experienced.[11] The French Gendarmerie reported saving millions on licence fees by switching to Linux desktops from Windows XP, following the success of OpenOffice.org roll-outs.[12]

On the other hand, the project of switching Munich's governmental IT infrastructure from Microsoft-based to open-source software, called LiMux, had problems finishing all objectives successfully. Started in 2003 with the aim of switching 100% of 14,000 PCs to an open-source solution, the project was funded with 35 million euros, approximately the money a Microsoft solution would have cost. Even though more than 80% of workstations used OpenOffice and 100% used /Thunderbird five years later (November 2008),[13] an adoption rate of Linux itself of only 20.0% (June 2010) was achieved.[14][15]

Market share

See also: Usage share of desktop operating systems

The market share of Linux or Microsoft Windows is difficult to determine as users of the former are usually not required to register with any organization to use their copies; additionally, a large number of unlicensed (illegal) copies of Windows exist. The following desktop usage share data is estimated from web browser user agent strings, rather than actual sales information or detailed surveys. This is highly unreliable for many reasons including, but not limited to, web browsers that do not always provide accurate information to web servers[citation needed], and selection bias: Different websites attract different audiences that may be more prone to using one operating system or another. Also, desktop computers used for other tasks will be given a lower weight than computers mostly used for web-surfing. Microsoft's own numbers for Linux share are higher.[16]

Estimated desktop usage share
Windows: 82.47%[original research?] (median of the sources analysed in this page)
Linux: 2.41%[original research?] (median of the sources analysed in this page)
Notes: Web client data. See the source for caveats for using web client data to estimate OS market share.

Pre-installation
Windows: Pre-installed by default on almost all new desktop PCs.
Linux: Pre-installed by default on very few new desktop PCs. Among these are all System76 computers, some Dell computers, some Lenovo ThinkPads.[17][18]

Server market share
Windows: 73.9% (officially registered)[19]
Linux: 21.2% (officially registered)[19]
Notes: Fourth quarter, 2009

Top 500 operating system family share
Windows: 1.2% (6 of 500)[20]
Linux: 91.2% (456 of 500); the 14 fastest supercomputers run Linux[20]
Notes: November 2010. Linux figure does not include 14 computers (2.8%) identified as running "CNK/SLES 9"[20][21]
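The user-agent method described above can be reproduced in a few lines. This is an added example, not part of the original article: the user agent strings, the per-site visitor lists and the "true OS" labels are all constructed, and the matching rules are a deliberately simple assumption. It shows how a client-supplied header, a missing header and audience differences between sites each move the estimate.

```python
import re
from collections import Counter
from statistics import median

# Ordered rules: Android user agents also contain "Linux", so Android is tested first.
OS_RULES = [
    ("Android", re.compile(r"Android")),
    ("Windows", re.compile(r"Windows NT|Windows 9[58]")),
    ("Mac OS X", re.compile(r"Mac OS X")),
    ("Linux", re.compile(r"Linux")),
]

def classify(user_agent):
    """Map a User-Agent header to an OS family; empty or unmatched values are 'Unknown'."""
    if not user_agent or user_agent.strip() in ("", "-"):
        return "Unknown"
    for os_name, pattern in OS_RULES:
        if pattern.search(user_agent):
            return os_name
    return "Unknown"

def usage_share(records):
    """Percentage share per OS family, computed from the header alone (as a log analyser sees it)."""
    counts = Counter(classify(ua) for _true_os, ua in records)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {os_name: round(100.0 * n / total, 2) for os_name, n in counts.items()}

def misclassified(records):
    """Count visitors whose header does not match the OS they actually run."""
    return sum(1 for true_os, ua in records if classify(ua) != true_os)

def median_share(per_site_shares, os_name):
    """Median of one OS family's share across several sites, the statistic the table quotes."""
    return median(share.get(os_name, 0.0) for share in per_site_shares)

# Constructed sample headers (not taken from any real log).
WIN = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0"
LIN = "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"
MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533.20 Safari/533.20"
AND = "Mozilla/5.0 (Linux; U; Android 2.2; en-us) AppleWebKit/533.1 Mobile Safari/533.1"

# Each record is (OS the visitor really runs, User-Agent header the server received).
SITE_NEWS = [("Windows", WIN)] * 8 + [("Linux", LIN), ("Mac OS X", MAC)]
SITE_DEV = (
    [("Windows", WIN)] * 4
    + [("Linux", LIN)] * 4
    + [("Linux", WIN)]   # Linux user whose browser is configured to send a Windows header
    + [("Linux", "-")]   # Linux user behind a proxy that strips the header
)
SITE_MOBILE = [("Windows", WIN)] * 6 + [("Android", AND)] * 3 + [("Linux", LIN)]

ALL_SITES = [SITE_NEWS, SITE_DEV, SITE_MOBILE]
SHARES = [usage_share(site) for site in ALL_SITES]

if __name__ == "__main__":
    for name, share in zip(("news", "dev", "mobile"), SHARES):
        print(name, share)
    print("median Linux share:", median_share(SHARES, "Linux"))
    print("misclassified on dev site:", misclassified(SITE_DEV))
```

On the constructed developer site, six of ten visitors run Linux but the header-based estimate reports 40%, and the median across the three sites hides that site's audience entirely.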

User interface

Graphical user interface

Windows: The Windows . The window manager is the Desktop Window Manager on , and a Stacking window manager built on top of GDI in older versions. The desktop environment may be modified by a variety of third party products such as WindowBlinds; or completely replaced, for example by Blackbox for Windows, or LiteStep. With and later server releases, there is also the option of running "" which lacks the standard window manager.[22] The graphics drivers, subsystem, and core widgets are included with all installations, including those used as servers.

Linux: [Figure: The KDE Plasma Desktop] A number of desktop environments are available, of which GNOME and KDE are the most widely used. By default, they use the Metacity and KWin window managers respectively, though these can be replaced by other window managers, such as Compiz Fusion. Other desktop environments and window managers include Xfce, LXDE, Enlightenment, Xmonad, Openbox, Fluxbox, etc. The X Window system runs in user-space and is optional.[23] Multiple X Window System instances can run at once, and it is a fully networked protocol. See also: Comparison of X Window System desktop environments

The Wayland display server protocol is being developed to improve graphics performance[24] and move beyond the X Window System (also referred to as "X" or "X11"), with the intention of replacing X as the native display server.[25]

Command-line interface

Windows: [Figure: A sample Windows PowerShell session] The Command Prompt exists to provide direct communication between the user and the operating system. A .NET-based command line environment called Windows PowerShell has been developed. It varies from /Linux shells in that, rather than using streams, the PowerShell pipeline is an object pipeline; that is, the data passed between cmdlets are fully typed objects. When data is piped as objects, the elements they encapsulate retain their structure and types across cmdlets, without the need for any serialization or explicit of the stream. , Mingw, or Microsoft's own Services for Unix provides a shell terminal for Windows.[26] Posix subsystem is built in but not enabled by default. The Console can execute up to 4 kinds of environments, MSDOS scripts under NT or via Command.com running on NTVDM, NT shell scripts and OS/2 Console Scripts. is included in and newer versions.

Linux: [Figure: A sample session] Linux is strongly integrated with the system console. The command line can be used to recover the system if the graphics subsystem fails.[27][28] A large number of Unix shells exist, with the majority being "Bourne shell compatible". The most widely used is GNU Bash. Alternatives include the feature-full Z shell as well as shells based on the syntax of other programming languages such as the shell and Perl Shell. Many applications can be scripted through the system console.[29] There are many small and specialized utilities available that are designed to work together and integrate with other programs. This is called the toolbox principle[citation needed].

Installation and Live environments

Ease of Installation

Windows: On and prior, the installation is divided into two stages; the first, text-mode; the second, graphical.[30] On Windows Vista and newer, the installation is single stage and graphical. Some older versions require third party drivers (for example, by using driver floppy disks or slipstreaming the drivers and creating a new installation CD) if using a large number of SATA or SATA2 drives or RAID arrays.[31]

Linux: Varies greatly by distribution. Most distributions intended for new or intermediate users provide simple graphical installers. General purpose oriented distributions offer a live or GUI installer (openSUSE, Debian, Pardus, Pclinuxos, Mandriva, , Fedora etc.), others offer a menu-driven installer (Slackware, Debian) while others, targeting more specialized groups, require source to be copied and compiled (Gentoo). The system can also be built completely from scratch, directly from (Linux from Scratch).

Supported Architectures

Windows: Windows: , -64 and IA-64 (IA-64 is Windows Server only). Windows Embedded: i386, x86-64, PowerPC, ARM, MIPS, SuperH.[32] : ARM

Linux: i386, x86-64, PowerPC 32/64, SPARC, DEC Alpha, ARM, MIPS, PA-RISC, S390, IA-64, SuperH and m68k.

Device driver

Windows: The Windows installation media usually contains enough drivers to the operating system functional. Windows use class drivers to provide functionality such as network connection, display/screen and input devices. Modern Windows versions will allow the user to update the drivers, if available, from once a network connection is available. Drivers can usually also be upgraded directly from the manufacturer. Drivers are almost always closed-source, maintained and published by the manufacturer of their respective devices. Best hardware performance in Windows is gained from installing the latest device drivers, once the devices are correctly identified.[33][34]

64-bit Windows requires all kernel mode drivers to be signed[35][36] using a certificate issued by a trusted certificate authority. Signed drivers do not need an approval from Microsoft. However, Microsoft does maintain a blacklist of certificates which are actively rejected. This has been used to block generic drivers which were being used to circumvent the signing requirement[37].

Linux: Linux kernels in most distributions include the majority of drivers available as modules. They are loaded at boot without user interaction. Most drivers are included in the kernel source tree, however there are several manufacturers which distribute proprietary drivers. The latter are usually packaged separately from the kernel and usually automatically installed on user's request.[38]

Hardware changes

Windows: Windows Vista and later (Server 2008 and later for servers) detect which hardware abstraction layer (HAL) should be used at boot time[39]. If moving an existing installation of Windows into a new computer or changing the motherboard or other basic hardware components, Windows will adapt to the changes during the boot .[40] Subsequently, Windows will automatically install drivers distributed with Windows or the user can manually install drivers if available from Windows Update. Some drivers will need to be downloaded and installed by the user, once the user has correctly identified the brand and model for each hardware device which has no driver installed. Windows may require re-activation, depending on the number and nature of hardware changes.

Windows maintains backwards compatibility with drivers back to Windows NT4[41], although some functions such as power-saving not available at the time will not be supported when running the device under a legacy driver.

Linux: If moving an existing installation of Linux into a new computer or changing the motherboard or other hardware components, Linux will detect and activate the new supported hardware with little or no further intervention required.[citation needed]

Installation via Live Environments

Windows: May be installed through the Windows Preinstallation Environment or BartPE, but only the former is endorsed by Microsoft. Live environment does not allow normal use, only facilitates the installation process.

Linux: Almost all Linux distributions now have a live CD that may be used for testing, install or recovery. All features of the operating system can be used and tested in this mode, and saving of files and settings is often possible if run from re-writable media such as a USB drive.[42]

Operation via Live Environments

Windows: Windows Preinstallation Environment is currently available from Microsoft, and can be used as a Live CD, but is very limited and not intended for general usage. is expected to be able to run from USB drives, see: .

Linux: Nearly all Linux distributions can run from a Live CD/DVD and Live USB.

Pre-installed software

Windows: Some multimedia and home use software such as IE, Windows Media Center, Windows , Notepad, Paint depending on which edition is purchased plus OEM bundled software if Windows is purchased pre-installed on a machine. Office suite or advanced multimedia software are not included. As Microsoft has licensed decoders for a number of patented audio and video coding methods, Windows is able to play a number of patented formats by default. Nevertheless, Microsoft's methods of bundling software were deemed illegal in the case United States v. Microsoft.[43]

Linux: Most home-use distributions contain numerous programs: almost all are packaged with an internet browser (almost invariably Firefox), and a GNOME or KDE suite of programs including text editors, E-mail clients, instant messaging apps and media players. Some distributions specialize in areas such as education, security or multimedia editing, and so contain specialist free software to meet their users' more specific requirements. Some lightweight distributions intentionally feature as little software as possible, though most home distributions simply aim to fit on a standard 700MB CD. Most distributions also give users the choice of which bundled programs to install, if any, alongside the core operating system components.

Not pre-installed software

Windows: A massive pool of both proprietary software (including shareware and ) and free software. Programs usually come with the required libraries and are normally installed easily. Most programs must be individually installed. Uninstallation can be of varying difficulty depending on which of many installer methods were used, components and registry entries may be left behind. Windows has a built-in installer program, and software that is to be installed has an installer "wrapper" that interfaces with the Windows Installer to accomplish installation. Not all Windows software uses the install manager.

Linux: Free software and some proprietary software covering a wide range of use. Most primary applications such as office suites are available for free.[44] Using free Windows-compatibility layers like , some Windows software can also be run on Linux. Third-party software is usually listed/integrated into a packaging system, which is built into the operating system. Less popular programs, not available in a distribution's core software repositories, are often available by installing packages outside of the repositories. Some examples of this are the Debian-based DEB format and the Red Hat-based RPM (RPM Package Manager) format, both of which can be installed easily by the package manager. In the rare case that no precompiled package exists, programs can generally be compiled from the source code. Most software is installed non-interactively to a default configuration.

Linux distributions can not lawfully include MP3 or MPEG-4 file decoders in a minority of countries, as it would violate the Patent Cooperation Treaty. The system does not prevent a user from installing these decoders, however the user assumes all liability for installing said pieces of software.[45] In particular with the MP3 file format, many companies claim patents relevant to the format. See Patent issues with MP3 for more information.

Partitioning

Windows: Expanding NTFS partitions is possible without problems, and on Vista it is possible to shrink partitions as well. Dynamic Disks provide dynamic partitioning. Third party tools are available that have more features than the built-in partitioning tools.

Linux: Most file systems support resizing partitions without losing data. LVM provide dynamic partitioning. All Linux distributions have bundled partitioning software such as or gparted.

File systems

Windows: Natively supported: NTFS, FAT, ISO 9660, UDF, and others; 3rd-party drivers available for ext2,[46] reiserfs,[47] HFS and the Dokan (a FUSE equivalent) UserSpace filesystem, which allows user-space programs to mount drives.

Linux: Supported: ext2, ext3, ext4, ReiserFS, FAT, ISO 9660, UDF, NFS, NTFS, JFS, XFS, Minix and GmailFS. Archives and FTP sites also can be mounted as filesystems. The FUSE project (FUSE) has long been part of the , and allows programs to create filesystem mounts while running in userspace.

Boot Loader

Windows: May boot to multiple versions of Windows through the Windows Boot Manager in Windows Vista and newer; or the earlier boot loader NTLDR in Windows Server 2003 and prior. Graphical configuration tools are available for both, such as the 3rd party EasyBCD for the Windows Boot Manager and MSConfig for NTLDR, which can chain load multiple non-NT environments, including Linux, by referring to volume boot records from those environments saved on the Windows partition.[48] Windows overwrites the Master Boot Record on installation by default, thus rendering other non-Windows installations (e.g. Linux) unusable until fixed.[49]

Linux: May boot to multiple operating systems through numerous bootloaders such as LILO and GRUB. With these, it is possible to choose among multiple installed kernel images at boot time. Graphical configuration tools for GRUB are available.[50][51] GRUB can also accept arbitrary, one-time configurations at boot time via the GRUB prompt. GRUB and LILO also support to non-Unix operating systems via chain loading; for a Windows and Linux dual-boot system, it is often easiest to install Windows first and then Linux because almost all Linux installers will automatically detect and set up other operating systems for dual/multiple boot with Linux.[52]

Accessibility and usability

User Focus

Windows: Microsoft pushes for consistency between releases with guidelines for interface design.[53] Their focus is on consistency and usability.[attribution needed]

Linux: Interface is usually consistent among the desktop environment used[attribution needed], which follows its interface guidelines.[54][55] High grade of customizability is provided in order to adapt to the needs of the user.[citation needed] Some inconsistencies may appear when using programs targeted for different desktop environments.[attribution needed] There are other environments/window managers, usually targeting professionals or minimalist users, featuring some very powerful programs with rudimentary, minimalist graphical front-ends, focusing much more on performance, small size and safety.[attribution needed] WindowMaker and the Fluxbox/Openbox/Blackbox environments are such examples. Some other environments fit between the two models, giving both power, eye candy and simplicity[attribution needed] (Enlightenment/E17, Xfce). Some graphical environments are targeted to mouse users only (Fluxbox), others to keyboard users only (Ratpoison), others to either. Certain graphical environments are also designed to be as resource-conservative as possible, so as to run on older machines.[citation needed] Newer distribution versions generally maintain the same user focus.[attribution needed]

Customization

Windows: By default, Windows offers customization of size and color of the graphical elements, and it is typically not possible to change how the interface reacts to user input.[citation needed] A few third-party programs allow more extensive customization, like WindowBlinds or LiteStep, but extreme changes are usually out of reach. It is not possible to customize applications that do not use the default look-and-feel beyond the options the specific application offers.

Linux: Linux offers several user interfaces to choose from. Different environments and window managers offer various levels of customizability, ranging from colors and size to user input, actions, and display.

Accessibility

Both Windows and Linux offer accessibility options,[56][57][58] such as high contrast displays and larger text/icon size, text to speech and magnifiers. Windows Vista and later has built-in speech recognition[59][60]. The Windows speech recognition allows both voice command control of the operating system shell and applications, as well as free text dictation within text editors / word processors.

Stability

For an operating system to be subjectively “stable”, numerous components must operate synchronously. Not all of these components are under the control of the operating system vendor. For example, malfunctioning or broken hardware can cause the operating system to fail to operate properly. Likewise, poorly written device drivers can completely the system, since both Linux and Windows utilize aspects of . The same is true for misconfigured applications, which are using the operating system utilities in unexpected ways. Much of stability, then, is the extent to which the operating system is structured to thwart the consequences of bad behavior of third party installations.

There are other factors outside of the operating system's control which can cause the operating system to malfunction or refuse to install,[61] such as: incorrect BIOS settings, incorrectly performed overclocking, hardware overheating as a result of poor cooling or blocked cooling mechanisms, mismatched or incorrect RAM memory module(s) installed and voltage spikes caused by not using a surge protector.

General stability

Windows: Windows operating systems based on the NT kernel (including all currently supported versions of desktop Windows) are technically much more stable than some older versions (including Windows 3.1 and 95/98), as these older versions do not properly protect the kernel's data structures. Installing unsigned or beta drivers can lead to decreased system stability (see below).

Linux: There are several indirection levels since all applications are separated from the graphic subsystem (X Server) which itself is detached from the Linux kernel.[27][28] As a result of that and because most device drivers are integral parts of the Linux kernel, it almost never crashes[verification needed]. The graphic subsystem can only fail if the application is using it in undocumented ways[citation needed]. Even in that case, it can be easily restarted without system .[44]

Device driver stability

Windows: Device drivers are provided by Microsoft or written by the hardware manufacturer. Microsoft also runs a certification program, WHQL Testing, through which most drivers are digitally signed by Microsoft as compatible with the operating system, especially on 64-bit versions.

Linux: Some vendors contribute to free drivers (Intel, HP, etc.) or provide proprietary drivers (Nvidia, ATI, etc.). Unlike Windows, however, kernel developers and hobbyists write many or most device drivers; in these drivers, any developer is potentially able to fix stability issues and other bugs. This generally seems to result in faster response to reported bugs and more stable systems.[62][verification needed] Kernel developers do not support the use of drivers that are not open-source, since only the manufacturer can fix stability issues in closed-source drivers.[63]

Graphics driver stability

Windows: Windows (since Vista) uses Windows Display Driver Model which features enhanced fault tolerance. The tolerance is derived from splitting the driver into 2 components: A small kernel mode driver and a user mode driver which does most of the intense graphics calculations[64]. A fault in the user mode component may cause the driver to reset (flicker), but will not affect running programs or their screen representations[65][66].

Linux: The display driver is entirely in kernel space. A fault in the driver will freeze or terminate all current programs. If the fault did not lead to a kernel memory corruption, the graphics system may be manually re-initialized terminating and restarting the X server process from a local or remote console. Restarting X will cause all GUI processes to terminate.[67] This pertains to the X Window System, which is eventually being superseded by Wayland in Linux distributions such as Ubuntu,[68] Fedora[69] etc.

Downtime

Windows: Reboots are usually required after system and driver updates. Microsoft has its hotpatching[70] technology, designed to reduce downtimes.

Linux: Linux itself needs to restart only for kernel updates.[71] However, a special utility can be used to load the new kernel and execute it without a hardware reset () and hence can stay up for years without a single hardware reboot, almost eliminating downtime. For minor updates such as security fixes, allows the Linux kernel to be patched without a reboot. System libraries, services and applications can mostly be upgraded without restarting running software (old instances use the "replaced" versions)

Recovery

Windows: In modern, NT-based versions of Windows, programs that crash may be forcibly ended through the Windows by pressing CTRL+SHIFT+ESC or CTRL+ALT+DEL. If Windows fails to boot properly, it is possible to boot to safe mode in order to recover the system. Also, for , XP and 2003 the can be utilized, which was replaced in Windows Vista with the System Recovery Options menu.[72]

Linux: All processes except for init and those in or Z state may be terminated from the command line. Applications can be closed via the GUI. The optional SysRQ allows low-level system manipulation and crash recovery. The entire graphical subsystem can be restarted without the need for a whole system shutdown. Reboots are seldom required. When necessary, users can press CTRL+ALT+BACKSPACE (on most distributions) to logout immediately and recover from almost any crash without reboot.[73][74] The command line can be accessed immediately to terminate a program if the user is unable to do so with the GUI (e.g. if a full screen game freezes). Pressing Ctrl+Alt+F1 switches to the full screen text terminal and the user can terminate the program, then restore the GUI by pressing Ctrl+Alt+F7. In the default setup, six different text terminals (tty) are available with the key combinations Ctrl+Alt+F1 to Ctrl+Alt+F6 inclusive.[75]

Recovery mode allows the user to fix problems at boot time; for example, Ubuntu offers the recovery mode from the GRUB boot loader options.[76]

Additionally, Live CDs of Linux, if equipped with the correct tools, can work to repair a broken operating system if the hard drive is mountable. See: List of Rescue and repair live CDs.

Unrecoverable errors

Windows: If the kernel or a driver running in kernel mode encounters an error under circumstances whereby Windows cannot continue to operate safely, a "bug check" (colloquially known as a "stop error" or "") is thrown. A memory dump is created and, depending on the configuration, the computer may then automatically restart. Additionally, automatic restart can be applied to services.

Linux: The Unix equivalent of the Windows blue screen is known as a kernel panic. The kernel routines that handle panics are usually designed to output an error message to the console, create a memory dump, and then either halt the system or restart automatically.

Performance

Process Scheduling

Windows: NT-based versions of Windows use a CPU scheduler based on a multilevel feedback queue, with 32 priority levels defined. The kernel may change the priority level of a depending on its I/O and CPU usage and whether it is interactive (i.e. accepts and responds to input from the user), raising the priority of interactive and I/O bounded processes and lowering that of CPU bound processes, to increase the responsiveness of interactive applications.[77]

The scheduler was modified in Windows Vista to use the cycle counter register of modern processors to keep track of exactly how many CPU cycles a thread has executed, rather than just using an interval-timer routine.[78]

Linux: Linux kernel 2.6 once used a algorithm favoring interactive processes. Here "interactive" is defined as a process that has short bursts of CPU usage rather than long ones. It is said that a process without root privilege can take advantage of this to monopolize the CPU,[79] when the CPU time accounting precision is low. However, Completely Fair Scheduler, now the standard scheduler, addresses this problem.

Memory Management/Disk Paging

Windows: Windows NT family (including 2000, XP, Vista, Win7) most commonly employs a dynamically allocated pagefile for . A pagefile is allocated on disk, for less frequently accessed objects in memory, leaving more RAM available to actively used objects. This scheme suffers from slow-downs due to disk fragmentation[citation needed] (if a variable size paging file is specified), which hampers the speed at which the objects can be brought back into memory when they are needed. Windows XP and later can defragment the pagefile, and on NTFS filesystems, intelligently allocate blocks to avoid this problem. Windows can be configured to place the pagefile on a separate disk or partition.[80][self-published source?]. However, this is not default behavior, because[citation needed] if the pagefile is on a separate partition, then Windows cannot create a memory dump in the event of a Stop Error.[81] Microsoft does not recommend disabling in Windows because of this reason.[82][83] Also, it is not recommended to place the paging file on a different partition on the same physical hard disk, as this will cause the drive's read/write heads to jump between the Windows and paging file partitions, which causes a loss of I/O performance that outweighs any gains of having the paging file defragmented.[80]

The ideal solution performance-wise is to have the pagefile on a different hard drive from the one where Windows is installed, as this reduces both fragmentation and I/O issues.[80]

The Windows 3.1x family does not have true virtual memory[citation needed] and uses a simpler swapping scheme easily leading to more swapping to disc and therefore more disc fragmentation. Virtual memory support and strict is limited on the Windows 9x family for the 32-bit processes.[84]

Linux: Most hard drive installations of Linux utilize a "swap partition", a partition dedicated exclusively for paging operations. This reduces slowdown due to disk fragmentation from general use.

As disks are much slower than RAM, users can adjust Linux "swappiness" to keep processes in RAM memory for much longer before swapping to disk. Windows does not support such features. The performance requirements are different for desktop and server environments. If processes are moved out of RAM to swap space on disk too often, users will experience slower response times from the computer.[85]

A new feature, currently referred to as "zRam", previously called "compcache", exists to increase performance in Linux by creating a RAM based block device which acts as a swap disk, but it's compressed and stored in RAM memory instead of being on disk, as disks are slower than RAM. It allows for faster I/O and increases the amount of memory available before the system starts swapping to the disk. It is now integrated into the Linux kernel.[86]

Speculative caching

Windows: Windows' SuperFetch (based on Prefetcher) attempts to load commonly used libraries and application components into memory before they are required. It does so by continually analyzing application behavior and usage patterns, e.g. what applications are typically used in the morning after logon[87]. The cache memory is marked with low priority, meaning that if another process needs the memory, it will be given up.

Linux: Linux does not feature a built-in predictive or speculative caching,[citation needed] although third-party solutions, such as preload, do exist. Linux also does not support memory priorities which could ensure that such a cache does not inadvertently cause other process memory to be swapped out (or not swapped in) with resulting negative impact on overall performance (see below Prioritized memory).[citation needed]

Prioritized memory

Windows: With Windows Vista memory prioritization was introduced. Memory priorities are valuable in desktop settings where responsiveness of some processes are more important than overall throughput. Background processes such as search indexers or caches can run with low memory priority to prevent them from gradually causing the memory of more important processes to be swapped out during periods of low-intensity use, sometimes referred to as the "after lunch syndrome"[88].

Linux: Linux swaps and frees memory pages using an adapted least recently used algorithm which does not allow memory pages to be marked with priority.[89][90]

Multimedia performance

Windows: Multimedia Class Scheduler Service (MCSS) is a that boosts the CPU and I/O priority of a thread as well as reserving network bandwidth. It allows an application to get prioritized access to CPU for time-sensitive processing (such as multimedia applications) as well as prioritized disk access to ensure that the process is not starved of data to process. Without MCSS multimedia playback may experience glitches or stutter as the load on CPU, IO subsystem or network increases.[91]

Linux: Linux does not boost the priority of a thread or a process during playback of multimedia nor does it reserve bandwidth.[citation needed]. Linux does support process- and thread priorities, and applications or the user through utilities may set higher or lower priorities.

In late 2010 a was developed which balances workload between thread groups[92]. This mitigates the situation where a large number of processes from the same thread group starve out a single multimedia oriented process for resources.

Default file systems

Windows: The way the default Windows' file system NTFS works causes files to become fragmented, degrading the performance of the system significantly over time, and it requires regular defragmenting to combat this.[93][self-published source?][94][self-published source?]

Linux: Linux most commonly uses the ext4 filesystem, which is unsupported by Windows. ext4 avoids fragmenting the disk as much as possible. Linux can, if desired by the user, install and run on an NTFS - though no mainstream distributions do this by default.[95][self-published source?]

Only very small improvements to performance can be gained from defragmenting UNIX and Linux filesystems.[94][self-published source?]

Temporary files

Windows: Windows does not automatically remove unused temporary files. Before the remaining disk space gets too low for the operating system and applications to function properly, Windows will warn the user about the condition.[96]. The warning includes the option to clean up the system. When invoked, temporary files, restore points etc. can be deleted. The build-up of unused temporary files can cause problems in Windows and other programs in Windows.[97]

Linux: Linux distributions use tmpwatch and logrotate to automatically purge unused temporary files and unused log files respectively.

Support

Community support

Windows: Microsoft Developer Network (MSDN), Microsoft TechNet: Resources for IT Professionals, and multitudes of user driven support forums are available at no charge. Additional support is available by 3rd party services such as OEMs.

Linux: Most support is provided by advanced users and developers over IRC, online forums, and other free community based venues.[citation needed] Professional support is available, but most commonly only utilized by large-scale businesses, and server dependent organizations.[citation needed]

Phone support

Windows: Retail versions of Windows come with 90-day no-charge phone support[98]. OEM versions (purchased with hardware) are supported by the hardware vendors and subject to the support policies of each vendor.

Linux: Phone support is available with a paid subscription program or a support contract.

Documentation

Windows: Applications and tools all have a help menu item in the menu bar with access to hypertext based help topics. PowerShell cmdlets all have integrated help topics available as Unix-style man pages.

From Microsoft the following online documentation sources are available:

• Windows Help & How-to: Help, guides, videos and documentation for end users of Windows.
• Microsoft TechNet: Documentation, guides, videos etc. for Windows IT-professionals.
• Microsoft Developer Network (MSDN): Documentation, guidelines, samples, tools & downloads, articles etc. for developers.

Linux: Most documentation is available online, either in FAQ form or Wiki pages on developers' websites. Detailed documentation for specific commands, programs, functions, libraries, files, and file formats is available through offline documentation systems, such as the man and info pages, which are accessed through the command line, or through graphical viewers. Large applications often come with separate documentation.

Training

Windows: Many IT courses are written for participants to learn how to use and manage Windows systems and networks. Most computer assistance experts have Windows training and qualifications.[citation needed]

Linux: Linux is taught in many computing university courses in programming and computer science.[99][100][101] Linux diplomas and certificates are rarely offered.[citation needed] Courses for certifications are provided by Linux Professional Institute and some distributions, such as Red Hat and Ubuntu.

Third Party Documentation

Windows: Documentation is either written in-house or by a consulting firm for most .

Linux: Documentation for source packages usually in a README file, also man pages, info pages, and other types of generally -supplied documentation.

Platform for third party applications

Operating system integration (Installation)

Windows: Strict separation between operating system parts and applications.[102] It is possible to install the same software in several different directories. Microsoft's guidelines strongly suggest that software vendors use the Windows Installer for installation. However, many applications are still deployed with alternative installers such as NSIS[citation needed]. Nevertheless, overly simplified application management has several drawbacks such as introducing chances of DLL hell and compatibility issues. The former problem can be solved by using static linking (with a considerable tradeoff in speed and memory consumption).[103][104] In addition to that Microsoft has addressed compatibility issues by providing to older software.[105]

Linux: Linux systems often do not separate operating system and (third party) applications at the filesystem level as most popular distributions follow the Filesystem Hierarchy Standard.[106][107][108] This approach stores the program itself, its data, configuration files and logs separately.[109] Usually applications are installed using a package manager such as (not Net connected) APT or RPM,[110][111] which ensures that all applications have their library dependencies satisfied. As packages are incorporated into the system portion of the Linux filesystem tree, installation of any software typically requires administrative privileges.[112] However, it is possible to install software into the user's home directory, although it is a complex task as the application needs to be compiled from source.[113] Also, these applications introduce a security risk as they will not be tracked and updated if necessary.

Program distribution

Windows: Thousands of programs are available for download from many websites and for purchase on CD/DVD in retail shops. Programs must be downloaded (or purchased on CD/DVD) and installed individually. The user has to search for the application he needs, track dependencies (if any) by hand and ensure safety from malware himself.

Linux: The majority of applications are distributed in a binary package format. Each distribution usually has a centralized package repository, where trusted applications are stored and available for download.[114] The dependencies are handled automatically. As there are several common package formats, applications are usually packaged specifically for each distribution. The source code is distributed for most applications, which have a licence that allows this.

Software Compatibility

Windows: Software Compatibility historically has been very high priority.[115] However, exceptions do exist, even within Microsoft's own applications (particularly with respect to Windows Vista).[116] For example, Windows Vista is not compatible with pre-2005 versions of MS SQL Server.[citation needed]

Linux: The distributed software is generally compatible with the current and upcoming versions of the distribution ( guarantees maintaining interfaces for at least 6 years).[117] The same binary packages can be used among systems using the same package manager,[118] and generally can be used among any system providing libraries the package is dependent upon.[119] Some compatibility issues existed in the past, when proper packaging guidelines were yet to be established.[120][121]

Shared Library Policy

Windows: DLLs are the Windows implementation of shared libraries. DLLs placed in an application directory (called "private libraries")[122] are used in favor of the DLLs in the system folder.[123] Historically, Windows 9x and prior versions had no protections on system DLLs, and poorly written programs would often overwrite them at will with incorrect versions, potentially leading to dependency problems.

Linux: Almost all shared libraries are installed strictly system wide.[123] Several Linux distributions have had problems with software not packaged for the distribution when updating libraries, since the application programming interfaces of some Open Source libraries are prone to change between releases.[124]

Software updates

Windows:

• Windows Update handles only updates to Microsoft software and can deploy driver updates if present on the Windows update site.
• Some third party software has its own separate update manager.
• (See Package management system above) does not manage updates.
• Windows security updates typically require a restart.

Linux:

[Figure: The Ubuntu Update Manager on a Ubuntu Linux system showing updates.]

• The Package manager handles updates for software that was installed via the package manager.
• Updates generally do not require a system restart, with the exception of kernel updates. Updates to applications or libraries require restarting the applications to take effect, but there is usually no need to restart immediately (new instances of the program use the new version).
• All of the installed programs and the Linux operating system can be kept up to date easily (see picture, above). Keeping the operating system and the installed programs up to date is essential for security.[125]
• Gentoo allows different versions of software and libraries to be installed in the same system.
• GoboLinux allows different versions of a program to be run concurrently.[126]

Microsoft has had a longstanding emphasis on backwards compatibility.[115] In general, the Windows API is consistent over time, with new features added;[citation needed] programs designed for earlier versions of Windows often run without issues on later versions.[citation needed] For the sake of progress, however, Microsoft sometimes draws a line precluding support of very old programs. That first happened with , where some purely 16 bit Windows 3.1 applications would not work, and again with Windows XP, where certain mixed-bit applications would not work. 64-bit versions of Windows (XP-64 and Vista-64) drop 16-bit support completely. However, 16 bit emulation and the enormous array of application-specific tweaks (“shims”) within new Windows versions[127] ensure that compatibility with old applications remains very high.[128]

In the Linux world, the landscape differs. As most (if not all) parts of the operating system are open source and many Linux programs are open source, when a Linux distribution breaks backward compatibility, anyone willing might write a patch to the operating system or the program itself that would allow the older software to work. In reality though, since many popular Linux distributions use a software repository and the most popular programs exist in the repository, the programs provided in the repository are guaranteed to be compatible with supported versions of the distribution.

Gaming

A major attraction of Windows is the large library of video games available for purchase.[citation needed] The majority of current major PC games natively support Windows and are released first (and often only) for the Windows platform.[citation needed] Some of these games can be run on Linux with a compatibility layer like Wine, Cedega or CrossOver. Those that rely on copy protection or undocumented features often require much more effort in order to work properly. It has also been shown that native speeds can be achieved with applications running under Wine.[129]

There are notable exceptions, such as id Software's Doom and Quake series. When a developer chooses to write graphics code with OpenGL instead of DirectX, Linux ports become much easier. In addition, games such as the Unreal Tournament series are written in 3 parts: The core 'engine' of the game, the graphical display system, and the actual game data itself. The first two, typically being compiled programs, require porting, however only the graphical display system will often require much work (Windows to X Window, DirectX to OpenGL, etc.). The third part, the game data itself, is typically written in system-independent file formats and scripting languages. This allows the game developer to separate the actual game experience from platform compatibility. This also serves to reduce the cost of development in 2 ways.

• There is no need to port the game data to another platform, which eliminates the need to compile and bug-fix the game data for each platform.
• Future releases of the software can use the same "engine" and graphical display system. This allows game developers to focus more on the game experience, and less on compatibility issues.

OpenGL provides a platform independent, widely accepted and available solution for 3D graphics, but does not address input devices or sound. The Simple DirectMedia Layer (SDL) libraries provide support for these features on both Linux and Windows, and are often used to provide portable gaming support.[130]

There are Open Source games designed specifically for Linux[131], including over 1200 native Linux games[132] with over 220 games using proprietary licenses.[133] While most of these are small casual games like Kolf or Pingus, there are also larger games, such as Freeciv and The Battle for Wesnoth. Many have been ported to work on Windows as well. Some gamers opt to dual boot Windows and Linux, using the Windows partition for gaming and other applications, while using the Linux partition for the needs it addresses better.[citation needed]

Software development

Cross-platform development (Operating system resource access: file system, threads, memory allocation, etc.)

Windows:

• Elementary access is provided by the Windows API which is available and kept compatible since Windows NT. Many programs are written for the Windows API and depend on an implementation of that API. Many Microsoft libraries have not been ported to other operating systems.
• Source compatibility with some UNIX programs is done via POSIX subsystem (Windows NT and 2000), or Subsystem for UNIX applications (formerly ) (2000, XP, 2003, Vista). Alternatives for POSIX and Linux compatibility under Windows are Cygwin and MinGW.

Linux:

• Linux is a UNIX-like operating system which implements most of POSIX functionality.[134] Compatibility between such Unix-like operating systems (such as BSD Unix, Solaris, and Mac OS X) is provided through standards such as POSIX and system libraries such as glibc. The GNU toolchain has been ported to Windows, as well as GTK, and many other libraries.
• Under Linux there is no standard widget toolkit implementing GUI utilities such as windows, buttons, labels, etc. Several competing libraries are available, such as GTK, Qt, wxWidgets, Motif. Programs written for these widget toolkits must ensure that required libraries are installed in order to run.
• Wine provides a reimplementation of the Windows API and the DirectX API to allow Windows programs to run on Linux, although often with glitches.

Cross-platform development (hardware resource access: graphic, audio, input devices, etc.)

Windows: For multimedia applications like games, audio and video applications, the DirectX API is available for Windows. Almost all major games and multimedia applications rely on this API, given the availability since 1995 and the downward compatibility since then. DirectX is available for the Windows PC platform and the platform, and by the reimplementation Wine it is also available for Linux. There are also third party libraries and standards available, e.g. OpenGL for 3D graphics, OpenAL for audio and SDL as general purpose multimedia API.

Linux: Among the various distributions of Linux there is no widely accepted and general multimedia standard and API available. For 3D graphics OpenGL is available and accepted as standard, but for everything else like audio, input devices, networking etc. many different approaches are available.[135][136] An important, widely supported standard for access to audio devices is the Advanced Linux Sound Architecture drivers, which allow for very low latencies and support sound cards from about 120 vendors including, for example, high-end sound cards used for professional recordings, as well as the JACK Audio Connection Kit. These are extended by audio daemons, such as the PulseAudio system, which integrates different libraries without need for configuration. Various implementations of networked home audio systems, such as the cross-platform Music Player , are supported.

Driver development

Windows: Windows provides extensive, well-documented programming interfaces that enable third parties to develop kernel software that extends and modifies system behavior. Microsoft provides its Windows Driver Kit at no cost, which includes thorough documentation, samples, and tools for building, testing, and deploying drivers. Windows driver programming interfaces are based on standards and specifications, often the product of a process involving leading players in the applicable industry. While Windows drivers are compiled based on specifications, and are not tied to a specific version of Windows, source code for a specific version of Windows may, in theory, be purchased for modification in some circumstances (restrictive), or third-party tools may create modifications. In practice, the availability of Windows source code is generally heavily restricted or extremely expensive, if available at all. However, even where source is available, modification to the operating system can break the EULA, and in turn be prohibited or even illegal.

Linux: Linux hardware drivers are mostly developed and released as part of the kernel itself, as free software released in source code form. The driver is considered part of the kernel project, and developers of these drivers are considered to be part of the community of Linux kernel developers. However, driver developers are responsible for keeping their drivers up to date; drivers which are not actively maintained are removed from the kernel.[137]

The kernel group does not publish a programming interface for third-party drivers released in compiled binary-only form. Nonetheless, third-party closed-source binary drivers are not uncommon, especially for graphics hardware. Usually they consist of the binary driver itself and an open-source driver interface which is compiled on installation.[138] Because binary-only drivers are released only for specific machine architectures (usually Intel x86 and x86-64) they are not supported on the full set of architectures that the Linux kernel itself supports.

IDEs & Compilers

Windows: Several commercial IDEs for sale, such as Microsoft's Visual Studio, or Embarcadero Embarcadero . Multiple free or gratis IDEs and compilers, including the GNU Compiler Collection, NetBeans, Pelles C, lcc32, Borland C++, Visual Studio Express (Visual C++, C#, and VB.NET compilers), .NET compilers freely included in .NET Framework, Sharpdevelop, Free Pascal

Linux: Several commercial IDEs and for sale such as PGI, Intel, and Absoft's compilers[citation needed]. Multiple free IDEs and compilers, the most common of which are often included in distributions, including the GNU Compiler Collection, Eclipse, NetBeans, MonoDevelop, Qt, KDevelop, OpenLDev, Code::Blocks

Security

Threats and vulnerabilities

Malware

Windows: As of 2009, well over 2 million malware programs target Windows.[1] Botnets – networks of infected computers controlled by malicious persons – with more than one million computers have been witnessed.[139]

Microsoft recommends the use of anti-virus software[140] in Windows and the Windows (previously called the "Windows Security Center") checks to see if anti-virus software is installed and alerts the user if it can't detect an anti-virus program.[141] As a result of users following this recommendation, there are consequences of using anti-virus software which are not caused by Windows itself: Anti-virus programs have, in the past, damaged Windows due to faulty signatures,[142] which has resulted in costly IT repairs and disruption to businesses.[143] There are other issues of concern pertaining to the use of anti-virus software.

Linux: As of 2006, more than 800 pieces of Linux malware had been discovered.[144] Some malware has propagated through the Internet.[145] However, in practice, reports of bona fide malware presence on Linux-based systems are extremely rare.[146][147] Nonetheless, anti-malware tools such as ClamAV and Panda Security's DesktopSecure for Linux do exist. These programs are mainly intended[146] to filter Windows malware from emails and network traffic traveling through Linux-based servers. The extreme rarity of this type of occurrence is such that it is not usually necessary to use anti-malware programs.[146]

Various distributions are configured to use address space layout randomization and NX memory protection by default.

Open vs. Closed

Windows: Since 2004 developed using the formalized process Security Development Lifecycle.

Only Microsoft-employed (or licensed third-parties) can fix bugs.

Linux: There is a public review process for the source code. Anyone is free to enter this process by submitting patches for public review and inclusion in future releases and updates. Any patch must be signed off by the maintainers of a portion of code, the subsystem maintainers and further up the development chain.[148] The theory that it is reviewed by so many that bugs are detected is referred to as Linus' law.

Vulnerabilities

In an assessment report from 2004 by the former editorial director of LinuxWorld, Nicholas Petreley, he states that vulnerability counts alone cannot be used to reliably compare the overall security of Linux and Windows. The report talks about the overall security design of Linux and Windows. At that time, the report claimed that Linux is less vulnerable (but not 100% immune) to malware compared to Windows.[149]

Nonsponsored research from Aberdeen Group (2003)[150], Forrester Research (2004)[151], CERT (2006)[152], Symantec (2007)[153] and IBM (2009)[154] found that Windows experienced fewer vulnerabilities overall as well as fewer high-risk vulnerabilities when compared to Linux.

Response speed

Windows: Microsoft releases bug fixes on a monthly schedule in a stated attempt to help enhance the manageability and predictability of the patch management process[155].

In 2004 a Forrester Research report[156] found that Microsoft patched vulnerabilities with an average all-days-risk of 25 days.

The findings of the Forrester Research report are consistent with the findings of a 2007 Symantec research report which found Microsoft had an average patch time between 18 and 23 days[157].

There are known security vulnerabilities which Microsoft will not patch on supported versions of Windows, such as Windows XP - which is supported by Microsoft until April 2014. Windows XP will not receive security patches to fix vulnerabilities which affect TCP/IP.[158] Also Windows 2000 did not receive patches for known TCP/IP vulnerabilities during the time which Windows 2000 was still supported;[159] Windows 2000 support from Microsoft ended in July 2010.

Also there have been cases when Microsoft has been aware of security vulnerabilities and not fixed them for longer periods of time. A critical networking vulnerability which security firm eEye had reported to Microsoft was fixed 200 days after Microsoft was notified about it.[160] A privilege escalation vulnerability was reported to Microsoft in June 2009 by Google security researcher Tavis Ormandy. After waiting several months and seeing no patch released, he made the flaw public.[161][162] The fix/patch was released to Windows users in February 2010.[163] In another case which came to light in January 2010, Windows users had to wait at least another 28 days for security patches to fix a known vulnerability affecting the Server Message Block (SMB) in Windows 7 and Windows 2008R2, which could be exploited remotely.[164]

Unless the vulnerability information has been publicly disclosed by another party prior to the patch, the release will coincide with vulnerability disclosure. This minimizes the higher-risk period between public vulnerability disclosure and patch availability.

Linux: Bugs can be fixed and rolled out within a day[citation needed] of being reported, though usually it takes a few weeks before the patch is available on all distributions.

In the 2004 Forrester Report[156] the best Linux distributions (Red Hat and Debian) had an average all-days-risk of 57.

The report was met with skepticism from the Linux community[165]. However, the report is consistent with the 2007 Symantec research report[157] which found that the Red Hat Linux distribution had an average patch time of between 36 and 49 days.

In 2010 Jonathan Corbet called attention to a practice among kernel developers which led to at least 18 fixes in the 2.6.32.9 kernel which had not been classified as security flaws although he found them to have clear security implications[166]. Linus Torvalds (founder of Linux) is quoted for saying that he doesn't care for labeling updates and changes to Linux as a security fix in a security advisory[167]. As David Woodhouse told The Register[168] not labelling fixes as having security implications can lead to the fix not being back-ported to older (but still maintained) versions of the distributions.

There have been other cases where the Linux vulnerability fixing process has overlooked a vulnerability even though it had been reported[169], where a vulnerability has been inexplicably re-introduced after it had been fixed once and then left vulnerable for 2 years[170], and where Linux distributions have failed to back-port a vulnerability fix to older (but still active) versions due to the lack of a proper vulnerability disclosure[171].

Vulnerabilities are implicitly or explicitly disclosed when security bug-fixes are submitted to the Linux kernel source tree. These changes are submitted when testing has been completed, not on a fixed schedule. However, each Linux distribution must then adopt the changes and create patches for that specific distribution. The period between the disclosure of the vulnerability in the public source tree and the practical availability in the Linux distributions is referred to as distribution-days-of-risk in the 2004 Forrester Report. The distribution-days-of-risk are of higher risk as the vulnerability information is publicly available through this period.

Security features and architecture


The actual security of the operating system can be affected by the actions performed by the user, such as tampering with security settings or running malicious executables or "malware". Users with administrative privileges have more control and so do the programs the user runs with these elevated privileges.

Windows Linux Privileged Windows defines a number of A Linux system has a single root user system administrative privileges[172] which can who has exclusive access to perform the functions be assigned individually to users and/or privileged system operations. Unlike in groups. An account (user) holds only the Windows, the permissions to perform privileges granted to it, either directly or these privileged operations are indirectly through group memberships. hardwired to this user and the privileges Upon installation a number of groups cannot be delegated in whole or part to and accounts are created and privileges other user accounts. In Linux it is the are granted to them. However, these privilege to run as the root user which grants can be changed at a later time or can be delegated.[173] When a non-root though a . Unlike Linux, no user needs to perform a privileged privileges are implicitly or permanently operation (e.g. change a password), the granted to a specific account. user needs to temporarily log in as the root user or run a process with root as Some administrative privileges (e.g. the effective user of the process. taking ownership of or restoring arbitrary files) are so powerfull that if  To temporarily log in as the root used with malicious intent they could user, the su utility is used. allow the entire system to be However, this means that compromised. With multiple users with (on by default since Windows Vista) administrative responsibilities Windows will strip the user token of will share the root account and these privileges at login. Thus, if a user password, which is not logs in with an account with broad considered a security best- system privileges, he/she will still not be practice. Some distributions (e.g. running with these system privileges. Ubuntu[174]) disable log-in for the Whenever the user wants to perform root user to avoid this. 
administrative actions requiring any of  To allow a user to execute a the system privileges he/she will have to process with root as the effective do this from an elevated process. When user, a SUID root executable can launching an elevated process, the user be used. A special SUID root is made aware that his/her administrative utility, sudo, is available which privileges are being asserted through a can be configured with more prompt requiring his/her consent. Not fine-grained access control to holding privileges until actually required system operations than what is is in keeping with the Principle of least possible with the default file privilege. system permissions. sudo can also request extra confirmation Elevated processes will run with the full from the user prior to executing privileges of the user, not the full the privileged operation. privileges of the system. Even so, the privileges of the user may still be more Logging in as or running a process with than what is required for that particular root privileges (root as the effective process, thus not completely least user) is not in keeping with the Principle privilege. of least privilege security best-practice. A security flaw in the process can allow an attacker unrestricted system access. Extensions/patches such as SELinux, AppArmor or grsecurity can mitigate this problem. The patch/extension hooks into every system operation and for each invocation it compares the attempted action against a policy/profile for the particular process, e.g. ensuring that the ping utility can only access network sockets and not the entire system, even if an exploitable vulnerability exists.

Linux does define a number of Linux capabilities[175] akin to Windows privileges, but these are not practically available[176] except for the Fedora distribution. Fedora has from release 15 changed system utilities to utilize capabilities instead of the unrestricted SUID model[177].

User Accounts

Windows: In Windows Vista and later versions, all logged-in sessions (even for those of "administrator" users) run with standard user permissions, preventing malicious programs (and inexperienced users) from gaining total control of the system. Processes that require administrator privileges can be run using the User Account Control (UAC) framework. For standard users, this presents a credentials dialogue (example) that requires the password of a member of the administrators group (who are listed). For users who are already logged in as an administrator, only confirmation is necessary. The first user account created during the setup process is automatically a member of the administrators group; if the user does not manually create another user account which runs with fewer privileges, the administrator account in use means that in Windows versions prior to the introduction of the UAC, malicious programs could gain full control over the system. Security exploits have been able to bypass the protection offered by the User Account Control.[178] It is possible for users to disable the UAC or lower the UAC security level in order to reduce the number of prompts; disabling the UAC is not recommended.

Linux: Users typically run as limited accounts, having created both administrator (named "root") and at least one user account during installation. In most Linux distributions, there are commands (su, sudo) that will temporarily grant elevated permissions to processes that need it. Like in Windows, the administrator (su) or user (sudo) password is required to access such commands. Errors done with these elevated privileges can lead to severe damage to the system. As an alternative to this approach, the Ubuntu Linux distribution disables the root account by default and the password for the root account is locked. This setup exists for security and safety reasons. Ubuntu also prohibits the use of su and uses sudo instead, which is safer. Ubuntu users do not use the root account and the Ubuntu documentation does not support or recommend trying to unlock the root account, but recommends that: "Ideally, you run as a user that has only the privileges needed for the task at hand".[174]

New frameworks such as PolicyKit exist to restrict the actions of programs running with elevated privileges - PolicyKit is now included in Ubuntu, Fedora, OpenSUSE and many other distributions.

Package manager

Windows: There is no central package manager in Windows. Users downloading and installing programs via an Internet connection must find these programs from websites and take into account the risks of obtaining programs from untrusted sources.[146][unbalanced opinion]

Linux: Linux distributions use a package manager and the programs go through an approval process, before being added to repositories accessible by the package manager.[146]

Filesystem permissions

Windows: (Figure: File system permissions on a Windows Vista system.)

Windows NT and subsequent NT-based versions of Windows (thus all present versions) use NTFS-based Access Control Lists to administer permissions,[179] using tokens. On Windows XP and prior versions, most home users still ran all of their software with Administrator accounts, as this is the default setup upon installation. The DOS based Windows ME, Windows 98, Windows 95, and previous versions of non-NT Windows only operated on the FAT filesystem and did not support filesystem permissions.[180]

Linux: Linux has a traditional Unix-like "user, group, other" approach to filesystem permissions at a minimum.[181] This approach is extended by Access Control Lists on some filesystems. There are some optional, Linux-specific frameworks such as AppArmor and SELinux which add even finer-grained controls over which users and programs can access certain resources or perform certain operations. Some distributions use them out of the box.[182] SELinux can be configured to policies as Role-Based Access Control and multilevel security, which are demanded, for example, in military environments.

Linux executable files must be set as executable, which helps unsuspecting users to avoid malware, trojan horses etc.[183][184]

Exploit prevention

Windows: Windows has Address Space Layout Randomization (ASLR) combined with Data Execution Protection/No Execute bit (DEP/NX)[185]

Linux: Linux has weak Address Space Layout Randomization (ASLR) combined with Data Execution Protection/No Execute bit (DEP/NX) enabled by default[185].
If the Linux distribution includes one of the PaX or ExecShield patches, Linux ASLR has the same strength as Windows ASLR.

PaX and ExecShield are not in the mainline kernel. PaX is included with grsecurity while ExecShield is included with SELinux. Mainstream distributions such as Ubuntu do not use any of these patches and thus still have the form of ASLR which Charlie Miller referred to as weak.[185] Red Hat Enterprise Server uses SELinux.
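Whether ASLR and NX actually protect a given program depends on how the binary was built as well as on the kernel. The following added example (not from the original article, and going beyond the kernel-level comparison above) reads the two relevant ELF fields and combines them with the value of `kernel.randomize_va_space`; it assumes 64-bit little-endian ELF files, and `make_sample` builds constructed test input.

```python
import struct

ET_DYN = 3                  # e_type of position-independent executables (and shared objects)
PT_GNU_STACK = 0x6474E551   # program header that carries the stack permissions
PF_X = 0x1                  # "executable" bit in p_flags
ASLR_MODES = {0: "disabled", 1: "stack, mmap and vDSO", 2: "stack, mmap, vDSO and heap"}

def elf_hardening(image):
    """Return PIE and non-executable-stack status of a 64-bit little-endian ELF image."""
    if image[:4] != b"\x7fELF" or image[4:6] != b"\x02\x01":
        raise ValueError("expected a 64-bit little-endian ELF file")
    (e_type,) = struct.unpack_from("<H", image, 16)
    (e_phoff,) = struct.unpack_from("<Q", image, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 54)
    nx_stack = False  # without PT_GNU_STACK the loader may map the stack executable
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", image, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not p_flags & PF_X
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}

def effective_protection(image, randomize_va_space):
    """Combine the binary's properties with the kernel.randomize_va_space value."""
    info = elf_hardening(image)
    mode = int(randomize_va_space)
    info["aslr"] = ASLR_MODES.get(mode, "unknown")
    # A non-PIE executable is always mapped at its link-time address, so its
    # code and data stay at known locations even when the kernel randomizes.
    info["image_randomized"] = info["pie"] and mode > 0
    return info

def make_sample(e_type, stack_flags):
    """Constructed test input: ELF64 header followed by one PT_GNU_STACK entry."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ident + header + phdr

if __name__ == "__main__":
    print(effective_protection(make_sample(3, 6), "2"))  # PIE, read/write stack
    print(effective_protection(make_sample(2, 7), "2"))  # fixed address, executable stack
```

On a real system the inputs would be the bytes of an installed executable and the contents of `/proc/sys/kernel/randomize_va_space`.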

Both grsecurity and SELinux come with increased CPU overhead.[186]

Runtime kernel integrity

Windows: 64-bit versions of Windows have, since Windows XP, employed Kernel Patch Protection. Kernel Patch Protection will periodically check the integrity of central kernel structures and tables, and if it determines that the kernel has been tampered with it will halt the system[187].

Microsoft does not claim that Kernel Patch Protection can stop all malicious code, but they do take the position that "Protecting the integrity of the kernel is one of the most fundamental steps in protecting the entire system from malicious attacks and from inadvertent reliability problems that result from patching"[188]

Linux: No runtime kernel integrity checks.[citation needed]

Persistent kernel integrity

Windows: Beginning with Windows XP, 64-bit versions of Windows have required that kernel mode drivers be digitally signed to be loaded. With Windows Vista this requirement was expanded to the entire kernel on 64-bit versions of Windows. Microsoft calls this Kernel Mode Code Signing (KMCS).[189] KMCS requires that all the kernel files on disk are digitally signed or reside within a digitally signed catalog file.[190] This requirement protects against malicious code tampering with kernel binaries or driver code to inject attack code and hijack program flow. If a file has been tampered with, the signature will not be valid for the file. See also: Authenticode

Drivers can be signed with certificates obtained from a number of certificate authorities which are trusted by Windows, i.e. a device vendor can develop and sign a driver without Microsoft's consent. Driver signing does not prevent an attacker from obtaining such a certificate and creating a malicious, signed driver which will be accepted by the system should she succeed in placing it in the boot path. However, to obtain a certificate an identity check is performed by the certificate authority. Also, drivers signed with a certificate that is later determined to be used to sign malicious code can be disabled by revoking the certificate at any time.

Linux: Linux does not perform integrity checks on the kernel or drivers before loading.[citation needed]

Firewall, basic features

Windows: Windows has a built-in Windows Firewall which has all basic firewall features[191]:

• Both inbound and outbound rules
• Rules for specific local ports, remote ports and IP protocols
• Rules can be scoped by both local and remote IP addresses
• Rules can allow or block connections
• The firewall can log accepted and/or rejected traffic

The firewall rules describe connections (depending on protocol) and do not allow the fine-grained single-packet filtering of the Linux kernel firewall.

Linux: Linux has a built-in Linux kernel firewall. The firewall/netfilter has all basic firewall features:

• Both inbound and outbound rules
• Rules for specific local ports, remote ports and IP protocols
• Rules can be scoped by both local and remote IP addresses
• Rules can allow or block connections/packets
• The firewall can log traffic based on matching rules.

The firewall allows fine-grained packet inspection, down to individual fragments.

Firewall, advanced rules

Windows: Rules can be set to only activate for certain applications (by executable path) and/or services (by service name)[192]. For instance, a rule can be set to only allow incoming traffic on given port if the recipient is a specific instant messaging client. The same feature can also be used to ensure that only specific programs/services are allowed to connect to the Internet, thus controlling the "phone-home" behavior of programs.

Windows Firewall also integrates with the user directory and allows rules to be set up on condition that the attempted connection is authenticated and optionally encrypted[192]. As part of this, access can be restricted by using access control lists on individual rules or ports, for instance allowing only certain users to access the internet or allowing only certain remote (authenticated) computers to access services.

Linux: The firewall does not feature high-level rules like those found in the Windows Firewall, i.e. the Linux firewall cannot filter based on which application or daemon is the local endpoint, who the user running the process is, or to which group he/she belongs, or with which authenticated computers it is communicating. The firewall also does not support access control lists for rules.

Firewall, default state

Windows: The firewall is switched on by default[193] (since Windows XP SP2). One of 3 profiles is activated automatically for each network interface[194]:

• Public assumes that the network is shared with the World and is the most restrictive profile.
• Private assumes that the network is isolated from the Internet and allows more inbound connections than public. A network is never assumed to be private unless designated as such by a local administrator.
• Domain profile is the least restrictive. It allows more inbound connections to allow for file sharing etc. The domain profile is selected automatically when connected to a network with a domain trusted by the local computer.

Linux: A Linux distribution can decide whether to configure the netfilter with default rules. For instance, Ubuntu does not filter any traffic in the firewall by default. The firewall is not activated because Ubuntu has no outward-facing services. There are no programs that allow incoming connections from the Internet apart from those which are under the user's control.[195] Ubuntu does, however, have a policy of "No Open Ports" and states: "Default installations of Ubuntu must have no listening network services after initial install. Exceptions to this rule include network infrastructure services such as the DHCP client and mDNS (Avahi/ZeroConf, see ZeroConfPolicySpec for implementation details and justification). When installing Ubuntu Server, the administrator can, of course, select specific services to install beyond the defaults (e.g. Apache)."
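One way to check a host against the "No Open Ports" policy quoted above, as an added example that is not part of the original article: the code lists TCP listeners from the kernel's `/proc/net/tcp` table and keeps those reachable from the network. It assumes IPv4, TCP only and a little-endian host; `SAMPLE` is a constructed table.

```python
import ipaddress
import struct

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp: a loopback-only listener on port 631,
# a listener on all interfaces on port 22, and one established connection.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20101 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20102 1
   2: 0F02000A:C350 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20103 1
"""

def listeners(table):
    """Return (address, port, owner uid) for every IPv4 TCP socket in LISTEN state."""
    found = []
    for line in table.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        # The address is the 32-bit value as stored on a little-endian host.
        addr = ipaddress.IPv4Address(struct.pack("<I", int(hex_addr, 16)))
        found.append((str(addr), int(hex_port, 16), int(fields[7])))
    return found

def open_ports(table):
    """Listeners reachable from the network, i.e. not bound to loopback only."""
    return [entry for entry in listeners(table)
            if not ipaddress.IPv4Address(entry[0]).is_loopback]

if __name__ == "__main__":
    for addr, port, uid in open_ports(SAMPLE):
        print(f"listening on {addr}:{port} (uid {uid})")
```

The DHCP client and mDNS exceptions named in the policy use UDP, so on a default install this TCP check is expected to return an empty list.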

Firewall, management

Windows: Windows Firewall can be controlled/configured through a COM object-oriented API, scriptable through the command[196], through the GUI administration tool[197] or centrally through group policies[198]. All features are available regardless of how it is configured.

Linux: The Linux firewall can be controlled/configured through a user-mode program called iptables, or other tools which can access netfilter. iptables is a scriptable command-line tool. The firewall can also be controlled through an API. Graphical front-ends and online "rule generators" exist, but they do not allow all firewall features to be controlled. One example is the Uncomplicated Firewall (UFW) and its associated GUI tool Gufw distributed with Ubuntu.

Security certification (Common Criteria)

Windows: As of October 2011 all major versions of Windows have obtained EAL4+ certification:

• Microsoft Windows 7
• Microsoft Windows Server 2008 R2
• Microsoft Windows Vista Enterprise
• Windows Server 2008 Standard, Enterprise and Datacenter Editions
• Microsoft Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions
• Windows XP Professional SP2 and x64 SP2
• Windows XP Embedded SP2
• Microsoft Windows Server 2003 SP1 (x86) and x64 Edition, Standard, Enterprise, and Datacenter
• Windows Server 2003 SP1 (IA64), Enterprise and Datacenter
• Windows XP Professional SP2 (x86) and x64 Edition
• Microsoft Windows 2000 Professional, Server, and Advanced Server with SP3

Linux: As of October 2011 the following Linux distributions have obtained EAL4+ certifications:

• Wind River Linux Secure 1.0
• Red Hat Enterprise Linux 5.3 on Dell 11G Family Servers
• Red Hat Enterprise Linux Version 5.1
• SUSE Linux Enterprise Server 10 SP1
• Red Hat Enterprise Linux Version 5
• Red Hat Enterprise Linux (RHEL) Version 4 Update 1 AS and Red Hat Enterprise Linux (RHEL) Version 4 Update 1 WS

The following Linux distributions have obtained EAL3+ certifications:

• Red Hat Enterprise Linux (RHEL) Advanced Server (AS) Version 3 Update 5 Running on Unisys ES7000 Hardware models 405, 410, 420, 430, and 440
• Red Hat Enterprise Linux (RHEL) Advanced Server (AS) Version 4 Running on Unisys ES7000 Hardware models 405, 410, 420, 430, 440, 505, 510, 520, 530, 540, and one
• Red Hat Enterprise Linux Version 4 Update 4
• Red Hat Enterprise Linux Version 4 Update 2 AS & Red Hat Enterprise Linux Version 4 Update 2 WS

Absence of a Linux distribution certification does not mean that it cannot meet the criteria for certification; it may be that no certification has been applied for. See also: Common_Criteria#Criticisms