The most secure modern OS, Part II

Part I was about the OS with zero known vulnerabilities and no real trend towards a worse situation. Mind you, the source code for that OS’s kernel is available, so it must be a really hard target indeed.


My next favourite provides the best platform for security solutions: standards support, a rich set of APIs that make integration an easy task, and an excellent software stack on top of that as proof.


The OS in question is Windows. I haven’t seen better support for security yet. There are attempts. I’ve come across this one (on Slashdot, of all places), which is rather impressive:


I believe I have one of the most advanced LDAP/Kerberos/Samba/Bind “Open Directory” setups. I have two Samba 3 Domain Controllers, both Kerberos and Bind enabled, with OpenLDAP and MIT Kerberos. I have no need for NFS.

My OpenLDAP stores:

POSIX User Attributes
Samba User Attributes
Radius User Attributes
eGroupware User Attributes (eGroupware accounts.)
DNS Information for our internal DNS Server
DHCP Lease information.

I use Kerberos with ssh-agent to distribute software RPMS for Mandriva Linux to mass distribute RPMs with a single command.

I have Samba Kerberos enabled so that Samba will not repeatedly ask for usernames and passwords, and requires zero configuration.

I have had the code to eGroupware modified so that eGroupware and Nagios can use Apache’s mod_auth_kerb addon to authenticate eGroupware users with a single click instead of a whole second login process.

I’m currently working on creating a Samba Authenticated gateway with NTLM-SPNEGO support so that Kerberos will handle Squid too.

All I need now is for someone to make the modifications necessary to eGroupware’s XMLRPC so that Kontact could use Kerberos and I would have the “Exchange Killer” I always wanted.

All of my users use Samba for network browsing under KDE’s Konqueror, with Kerberos and LDAP, it just works.

I consider this my shining accomplishment. I like to have myself believe that I accomplished “Active Directory” under Linux now. I don’t use Windows at all in this network, so keep that in mind. The eGroupware people can attest to what a pest I am, bugging them to include Kerberos detection in session management. But it all works.


That is rather impressive. As a qualified Linux engineer, I can attest to the scale of assembly required to achieve this.

Which is exactly my point. On Windows, I have been used to a similar kind of setup since 2000. Plus, we have robust smart card support integrated with Kerberos. Plus, we use IPsec in transport mode, also with Kerberos authentication. All within the reach of an average MCSE. Life is good. Windows is by far the best security platform.
