Linked by Thom Holwerda on Fri 16th Jun 2006 01:11 UTC, submitted by Eugenia
Windows Microsoft senior vice president Bob Muglia opened up TechEd 2006 in Boston Sunday evening by proclaiming that Windows Vista was the most secure operating system in the industry. But a bold statement can only go so far, and much of this week's conference has been spent reinforcing that point.
Thread beginning with comment 134453
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[3]: Not the most secure OS
by BluenoseJake on Sat 17th Jun 2006 04:00 UTC in reply to "RE[2]: Not the most secure OS"
Member since:

"SELinux is not ACLS, it is Mandatory Access Control. Windows has never had Mandatory Access Control or anything similar to it. Modern filesystems such as ext3 support acls when mounted with the correct options and acls are set using commands like setfacl. "

What is the point of that statement? NTFS supports ACLs, you even say it yourself. Using wikipedia for your sources is not adding any credibilty to your arguments either. NTFS supports ACLs when running under NT/2k/2k3 and XP Pro. I can use ACLs to define what directories a user or group have access to. I can define group policy that says what a user can run and not run, where they can log in from (local or network) and how much access to system settings and configuration, just like in unix.

Reply Parent Score: 1

RE[4]: Not the most secure OS
by SEJeff on Sat 17th Jun 2006 04:23 in reply to "RE[3]: Not the most secure OS"
SEJeff Member since:

You said, "SELinux is ACLs" and you were incorrect. I am refraining from saying wrong because you obviously don't understand what SELinux does by a longshot. SELinux also can be used to restrict network data depended on how it is labeled. Can you do that with NTFS or ACLs? No, because they aren't even similar.

Discretionary Access Control (what ntfs is) is weak compared to Mandatory Access Control. MAC and DAC compliment eachother, but they are VERY different.

Maybe I can break this down better for you to understand. What if...

I login as the Administrator over RDP to a windows 2003 server. I try to access the settings for Exchange Server, but can't. The rdp service was started with a role that doesn't have permissions to touch or even read any of those files/settings. Even thought you are the Administrator (which can modify anything), with MAC, you can't touch any of those settings. MAC makes it physically impossible for something in an unpriviliged role/domain to touch anything in a privileged one. This is currently impossible in Windows as it doesn't have a form of MAC. It is sooooooo much more than file permissions which is all ACLs are.

If you still don't understand, can I contact you offline to help you understand the difference between MAC and DAC? I'd be more than willing to help you learn if you are interested.

Reply Parent Score: 2

BluenoseJake Member since:

Your condescending tone doesn't help your case, as your statement doesn't take into account group policy, which i can use to limit what users and groups can do when they log in and how they log in, so NTFS ACLs are by themselves not equivalent to SELinux, but mated with GP, they are "roughly" equivalent. I have used SELinux under Fedora Core, and I have used ACLs and GP under Windows for better than a decade.

My original point to my post was to inform the great grandparent that NT has had ACL technology (meaning fine-grained permissions on objects) longer then Linux, as SELinux is only a few years old, and so is AppArmor. I made some mistakes in my first post, granted, but that was due to haste, not misunderstanding. You have managed to ignore my subsequent comment that took Group policy into account. Using GP and AD, I can define what a person has access to, and what they don't. I can tell the OS not to allow certain users or groups access remotely, or what they can do when they have remote access. I can control what a particular user runs and when. they may not be the same from under the hood, but in my experience, and I do have quite a bit with both, your opinion notwithstanding, they allow similar capabilities.

Reply Parent Score: 1