Red Hat and Windows – Defining an Apples-to-Apples Workstation Build

Why Red Hat?

As folks know who read my blog know, I normally utilize Red Hat as a proxy for Linux Distributions when analyzing Windows vs Linux for security and vulnerabilities.  Some object to this (Red Hat is Not Linux), but it would be hard to select another alternative because:

  • Red Hat is the acknowledged market share leader in Enterprise Linux
  • Any distro without Enterprise support is generally not a long term consideration for business customers
  • Red Hat offers the best/longest support program for Enterprise customers
  • Red Hat appears to have the best security response team of any Linux vendor in terms of comprehensive and timely Security Advisories to support their security patches.  Not that I don’t think Red Hat doesn’t have their own issues, but their demonstrably better than other Linux choices.  Two examples of what I mean:
    • Red Hat has a list of issues for different builds, rhel3ws for example. Ubuntu security notices, in comparison, must each be read to see if it applies to a product.  Ubuntu also lacks severity and mitigation guidance to help customers plan.
    • SuSE security advisories frequently trail patches by days or weeks.  Worse (in my opinion), they frequently roll up High Severity issues (as rated by NVD) into Security Summaries and advise customers that they are “minor” issues.  See CVE-2006-3739 in this one, for example.

Yes, this is sort of a backhanded complement for Red Hat and Mark Cox, in particular, for good efforts.  Well, that and for following the Microsoft example for security response.  😉

Apples-to-Apples – what are you talking about Jeff?

Commonly, if you talk about Windows and Linux, someone will point out that they have different compositions and different levels of modularity.  For example, Red Hat Enterprise Linux 4 Workstation (rhel4ws) ships with OpenOffice, GIMP, and the MySQL database, which may not be installed on many deployed systems.  Even if they are deployed, Windows does not ship with Office, as it is sold as a separate product. 

Take my Windows vs Linux – Workstation – 1H06, for example – some would say, any comparison of all components compares apples and oranges and is not fair.  The impied statement in this objection is that if one did do an apples-to-apples comparison, Linux would beat Windows handily.  Of course, nobody ever follows through to demonstrate that part…  I think it is a little more complex than that though and previously captured my thoughts in Apples, Oranges and Vulnerability Metrics.

Having shared those thoughts, I think different comparisons provide different values.  Think about these:

  • Comparing workstation roles (with or without Office applications) could be useful for Desktop management teams.
  • Comparing certain individual roles, Web for example, could be useful to a team responible just for those servers (in this case a Web server farm possibly).
  • Comparing all components might be useful for an IT Administrator to compare the relative workload across mulitple roles if a platform was a standard for use across the entire enterprise.

So, I see value in comparisons of the entire product totals, as well as value in breaking out individual roles.

Defining a Comparable Workstation Role for rhel4ws

Windows XP SP2 does not ship with Office, or with server components similar to MySQL, Apache, DHCP Server, DNS, OpenLDAP, etc, so we’re going to have to cut down rhel4ws if we want it to be approximately comparable to Windows XP.

 Assuming you booted up an installation CD for rhel4ws, you’d eventually get to a package selection menu similar to that shown in Figure 1.  Red Hat establishes default selections for the WS, and these are marked as “standard” in the comps.xml file, which they use to drive the package installation process.  There are also several package groups that are “hidden”, with three of them selected for installation by default – core, base and dialup.  These are not visible for de-selection, nor are several other groups that are included or not based upon other settings (like language).  All installations via the GUI will include these three mandatory installation groups.

Figure 1: RHEL4 Package Selection


Since this is not a “server” product, noneof the common server components are flagged for installation by default and we won’t change that.  Basically, by default, we see core, base, printing, base-x, gnome-desktop, graphical-internet, sound-and-video, text-internet, graphics, office and some system tools and libraries necessary to support dependendies. 

To make this more comparable to Windows XP, we’re going to manually exlude a few things, specifically thunderbird plus the text-internet, graphics (which is the gimp stuff), and office (which is OpenOffice) installation groups.

So, what we’re left with is a basic Gnome-windowed workstation that includes standard system management tools, firefox for browsing, sound and video support, but excludes all server packages, as well as OpenOffice and other optional stuff that a Windows system wouldn’t have by default.  That’s it.

I’m going to stop there, since I think Server configurations are enough different that I want to do a separate post on it and keep any discussions here focused on Workstation.  If you have thoughts, criticisms or suggestions related to building reasonable Windows-comparable Red Hat 4 workstation, please comment.

Regards ~ Jeff

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones a 27-year security industry professional that has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends Read more »