Security: Leopard vs. Vista: Page 2
Separation of data and executables. Previously, Id said, In my familiar UNIX land, all programs are stored in areas of the file system that were outside of the control of users. Specifically, directories including /bin, /usr/bin, /usr/sbin, /usr/local/bin, and so on are where programs go. Users, on the other hand, login to their own directories, such as /home. Among other things, this has made various administrative tasks like backing up user data, system data, etc., well organized and easy to manage on UNIX systems.
Here too, the comparison hasnt substantially changed with Vista and Leopard.
Qualitative score: OS X gets a B+ while Windows gets a D-.
Privilege management. Now things start to get murkierand for both operating systems. In comparing Tiger and XP, I wrote, Pretty much from the start, UNIX has been a multi user system, whereas multi user functionality has been a retrofitted feature in the Windows family. OS X has a root user while modern Windows versions have an Administrator user for doing administrative tasks.
Now, Im confident Microsoft and Apple will both claim that their newer privilege models are improvements in usability over previous versions, but I remain unconvinced. I find them to be pretty sloppy and no substitute for proper system administrationwhich, some will argue, died some 10+ years ago.
I give Leopard an only slightly less bad score than Vista because its application firewalling doesnt annoy me as much.
Qualitative score: OS X gets a D+ while Windows gets a D-.
Program management. Previously, I wrote, Heres where OS X really shines. Apple has improved on UNIX in this area. Although the standard UNIX utilities are still in /bin, /usr/bin, and such, Apple apps and most third party apps install in /Applications.
This hasnt changed much with Leopard and Vista. I still dont feel I can remove a major application from a Windows system without leaving behind significant residue, be it directly in the file system in the form of remnant DLLs or in a registry hive somewhere that the uninstaller didnt clean up.
Qualitative score: OS X gets an A while Windows gets a C.
Access controls. On the topic of access controls and, in particular, default configurations, I previously said, OS X installs the default desktop user with administrative privileges. This bothered me to my kernel when I first set up my Mac, so I went out of my way to turn that off. Regarding Windows, I said, Windows, once again, shows its security-retrofitted roots here. Normal desktop users generally have far too much write-enabled access to a Windows installation, even if they do not have administrative privileges.
Unfortunately, I dont see any improvements being made here. If anything, by my score, weve stepped backwards due to the new action-focused security desktop mechanisms I described above.
Still, though, I was able to tweak my Leopard installation so that my desktop user is unprivileged and my administrative user has read/write control over applications. But I still find myself sweeping through the system periodically to clean up the default access controls left behind by various application installers that leave /Applications and /Library/Application Support open to world read/write.
This is sloppy at best, and it enables malware to infect and spread with relative impunity. So, Im downgrading my score for both operating systems.
Qualitative score: OS X gets a C- while Windows gets a D-.
So, all this doesnt paint a very pretty picture for either operating system, does it?
The only thing that kept Leopard from failing me in several areas is that Im still able to invoke the UNIX-like attributes of the underlying operating system to enable security the way I want it to be. Ive not been so fortunate on the Windows systems Ive used over the years, as I find the privilege and access control mechanisms to be far murkier.
As a result, I remain steadfast in saying that Im more secure on Apples Leopard than I would be on Microsofts Vista. But it does seem to me that, with each subsequent release of OS X, I have to spend more and more time tweaking the operating systems features before I really feel at $HOME.