Microsoft Subnet: an independent Microsoft community

Comparing Access Control in Windows and Linux

What can we learn from Linux about access control?

Ellen Messmer recently wrote an article entitled “Windows Server vs. Linux”, where she spoke on some key differentiators between Windows and Linux. It’s definitely an article worth reading.

One stand-out comment by a quoted source that needs dissecting: “Windows access control ‘blows Linux out of the water… In a Windows box, you can set access-control mechanisms without a software add-on.’” To begin with, what exactly does this mean? Are we talking about file-level security or process-level security?

If file-level security, then... yes and no. Like Windows, modern Linux distributions support Access Control List (ACL)-based security for files and directories. However, other than in enterprise settings, or when used by savvy Linux systems administrators, ACLs are usually not in use; instead, sysadmins continue to use the less-powerful UNIX owner-group-world permission model.
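To make the difference between the two models concrete, here is an added example that is not part of the article: a small Python evaluator that parses a constructed getfacl(1)-style listing (the file, user and group names are hypothetical) and applies the POSIX.1e access-check algorithm that Linux uses. It shows two things the owner-group-world model cannot express, a named user and a named group with their own rights, and the caveat that bites administrators in practice: named entries are capped by the mask entry, so a `chmod` on the group bits, which rewrites the mask, can silently reduce what those entries grant.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed getfacl(1)-style listing for a hypothetical file (not from the article).
# bob is a named user and auditors a named group; the mask caps both at read-only.
SAMPLE_GETFACL = """\
# file: reports/q3.xlsx
# owner: alice
# group: finance
user::rw-
user:bob:rw-
group::r--
group:auditors:rw-
mask::r--
other::---
"""

# Constructed listing of a file with only classic mode bits (no named entries, no mask).
PLAIN_GETFACL = """\
# file: notes.txt
# owner: alice
# group: finance
user::rw-
group::r--
other::---
"""


def perms(s: str) -> Set[str]:
    """Turn an 'rwx'-style string into the set of granted permission letters."""
    return {c for c in s if c in "rwx"}


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: Set[str] = field(default_factory=set)   # user::  (file owner)
    group_obj: Set[str] = field(default_factory=set)  # group:: (owning group)
    other: Set[str] = field(default_factory=set)      # other::
    named_users: Dict[str, Set[str]] = field(default_factory=dict)
    named_groups: Dict[str, Set[str]] = field(default_factory=dict)
    mask: Optional[Set[str]] = None                   # mask:: is absent on plain-mode files


def parse_getfacl(text: str) -> Acl:
    """Parse a getfacl(1) listing; '#effective:' annotations after an entry are ignored."""
    acl = Acl(owner="", group="")
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#"):
            continue
        else:
            tag, qualifier, p = line.split("#", 1)[0].strip().split(":", 2)
            p = perms(p)
            if tag == "user":
                acl.named_users.__setitem__(qualifier, p) if qualifier else setattr(acl, "user_obj", p)
            elif tag == "group":
                acl.named_groups.__setitem__(qualifier, p) if qualifier else setattr(acl, "group_obj", p)
            elif tag == "mask":
                acl.mask = p
            elif tag == "other":
                acl.other = p
    return acl


def _masked(acl: Acl, p: Set[str]) -> Set[str]:
    """Named entries and group:: are limited by the mask when one exists; user:: and other:: are not."""
    return p & acl.mask if acl.mask is not None else p


def check_access(acl: Acl, uid: str, groups: List[str], wanted: str) -> bool:
    """POSIX.1e access check: the first matching class decides, so a named-user entry
    beats group membership, and a group that matches but lacks the right denies."""
    need = perms(wanted)
    if uid == acl.owner:
        return need <= acl.user_obj
    if uid in acl.named_users:
        return need <= _masked(acl, acl.named_users[uid])
    candidates = [acl.group_obj] if acl.group in groups else []
    candidates += [p for g, p in acl.named_groups.items() if g in groups]
    if candidates:
        return any(need <= _masked(acl, p) for p in candidates)
    return need <= acl.other


def effective(acl: Acl) -> Dict[str, str]:
    """Rights each entry really grants after the mask, as getfacl's '#effective:' shows them."""
    fmt = lambda p: "".join(c if c in p else "-" for c in "rwx")
    out = {"user::": fmt(acl.user_obj), "group::": fmt(_masked(acl, acl.group_obj)), "other::": fmt(acl.other)}
    out.update({f"user:{u}": fmt(_masked(acl, p)) for u, p in acl.named_users.items()})
    out.update({f"group:{g}": fmt(_masked(acl, p)) for g, p in acl.named_groups.items()})
    return out


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for entry, rights in effective(acl).items():
        print(f"{entry:16} effective {rights}")
    print("bob write?", check_access(acl, "bob", ["staff"], "w"))  # False: masked to r--
```

Running the block shows `user:bob` with an effective `r--` even though the entry itself says `rw-`; widening the mask to `rw-` is what actually lets bob write. With the plain listing there is no mask at all, and the only way to let bob read is to put him in the owning group or open the file to everyone, which is exactly the coarseness the article is pointing at.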

If process-level security, then certainly not. The Linux world has always relied heavily on the su and sudo tools to delegate authority. Su is not a very granular delegation tool, but sudo is, and both are almost always available on Linux and UNIX systems. In fact, tools such as su are so frequently used, and have such a long history, that most Linux users assume they won’t have administrator privileges, while Windows users (and applications) often assume the opposite.

Windows User Access Control (UAC) was designed specifically to address the problem of Windows users and applications being given too much power out-of-the-box. While an absolute pain in Vista, it’s certainly livable in Windows 7 (I know, since I type this on my Windows 7 laptop).

On a technological front, I would compare UAC with sudo.

To me, the real difference between Windows and Linux access control is more about the mindset of users than the technology. Windows users use file-level ACLs by habit, which is a good thing, while Linux users continue to use the outdated owner-group-world permission model, even when ACL support exists on the very same Linux system. Conversely, Microsoft is fighting an uphill battle to train and, to some extent, restrain Windows users from using accounts that are far too powerful, while Linux users almost always are given least-privileged accounts from the start.

Side note: For commercial access control solutions, check out products such as CA Access Control, BeyondTrust’s PowerBroker, and Centrify's DirectAuthorize.
