
SSO using Windows Active Directory but without EP or Java stack

Former Member
0 Kudos

Good morning and thank you in advance for your help.

The question is:

Our environment includes a Windows domain with Active Directory, ECC 6.0 ABAP (DEV, QAS, PROD), BW 7.0 (DEV, QAS, PROD), ABAP stack only.

I would like to know if we can enable SSO using only this configuration without introducing EP or Java stack.


Best regards

Max




Accepted Solutions (0)

Answers (3)

willi_eimler
Contributor
0 Kudos

Hi Massimo

We have the same problem. I don't know why a big player in the software business like SAP is not able to provide a “simple” solution for Unix.

Besides, everyone knows: Never run a business critical system on Windows;)

Please take a look at:

Best regards

Willi Eimler

Former Member
0 Kudos

Yes, you're right about Windows and business-critical systems.

However, almost all corporate networks are based on the Windows domain using Active Directory.


Best regards


Former Member
0 Kudos

Willi Eimler wrote:

Besides, everyone knows: Never run a business critical system on Windows;)

Which benefits/drawbacks of running SAP systems on *nix-like systems/Windows have you faced or heard about? Can you provide such examples?

willi_eimler
Contributor
0 Kudos

Hi Roman,

There are several massive disadvantages of Windows systems:

  1. There is nearly infinite malware that can harm your Windows system. Yes, I know there is malware for Unix too, but the probability of being affected by it on a Unix system is very low!
  2. A Windows system can be hacked much more easily!!!
  3. The effects of patching a Windows system are more “unpredictable” than on Unix.
  4. Unix runs much more robustly than Windows.
  5. You can monitor a Unix system much better than a Windows system (a good tool is Nagios).

In my opinion the first two points are the real showstoppers for a Windows system. You always live in fear of malware and other attacks!!!

Best regards

Willi Eimler

ACE-SAP
Active Contributor
0 Kudos

Hello Willi,

Can't believe what you've written; many of your arguments have not been true for a while...

Most of my customers are running their SAP systems on Windows without getting any of the problems you're talking about.

1) They never get any malware; malware comes with users, and no users connect to a Windows server.

Malware is a real danger for workstations and your own PC, not for servers...

In matters of security, if the hacker is already knocking at your system door (that means your LAN is compromised), they will get in whatever operating system you are running...

2) Sorry, but for a while the opposite was true. I remember that many years ago password files were not shadowed on Unix; the Windows SAM base was more secure by design...

3) Can't agree on that either... on both Unix & Windows, patches can have an impact.

A good admin should always validate patches on a QA/sandbox system.

4) The time of the blue screen of death is far away; nowadays Windows systems are as reliable as *nix ones.

I've seen Windows boxes running SAP systems that were neither rebooted nor failed for more than a year (OK, it is not good practice, but it proves that a Windows system is reliable).

5) You can also use Nagios on Windows...

Two little points you seem to forget:

- Proprietary Unix systems are far more expensive & complex than Windows systems.

- Lack of competences: it is not that easy to find a good AIX admin, for instance.

I'm not saying Windows is better than *nix... but Windows is a real/valuable competitor/alternative to Unix systems.

Regards

http://www.realtech.com/wNewzealand/pdf/RT_SUSE_Whitepaper_SAP_U2L_3rd_EN_final.pdf

willi_eimler
Contributor
0 Kudos

Hi Yves,

Sorry for the late reply, I was on Easter holiday.

Well, first of all: I don’t want to affront the Windows administrators or be disrespectful!!!! Far from it! In my opinion a Windows administrator has to do harder work and needs more technical expertise than a Unix admin!!! A good Windows admin is a real tough (guy/girl)!!!

The main difference between Unix and Windows regarding security is that the security mechanisms of Unix are a result of good architectural design. The security mechanisms of Unix are not a result of “on top design”. These mechanisms are integrated in the core architecture of Unix. On Windows, many of these mechanisms were implemented as a feature on top of the OS.
Example: Privilege separation was integrated in the Unix architecture from the beginning of Unix. On the other side, Windows had (for a long time) problems with privilege separation, because it was not completely part of the core system architecture. It was only (Sorry, my English is not as good as it should be. In my language (German) there is the word: Halbherzig = half-hearted? It means not with full power/enthusiasm) half-heartedly implemented. Another example is the possibility to harm a Windows system with Internet Explorer. You can inject kernel commands with an unsecured Internet Explorer. These are only some examples.

Take a look at http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4d/3da980d936391ee10000000a15822b/content.htm There you can see how to secure a Windows system and a Unix/Linux system. You will discover that you have much more work to do when securing a Windows system.
Another little example is http://scn.sap.com/thread/2003350. There you can see: For a Unix/Linux system you don’t need to configure the Viruscheck.

The text above is not really a proof of the statement that Unix is easier to secure than Windows, but a big indication.

I think this could be a very interesting discussion! Maybe we should open a separate thread.


Best regards
Willi Eimler

ACE-SAP
Active Contributor
0 Kudos

Hi Willi,

It won't be that easy to understand each other... as my English is not that good either.

Most of the points introduced in the SAP help link are automatically performed by sapinst.

Almost all my customers running on MS are not using an AV, and they do not get into trouble either...

but no user ever connects to the SAP server, only admins, for maintenance purposes, or SAP admins when needed...

Internet Explorer should not be used on a server; MS itself says it should be uninstalled...

Best regards

SAP on SQL General Update for Customers & Partners April 2014

10. Do Not Install SAPGUI on SAP Servers

Windows Servers have the ability to run many desktop PC applications such as SAPGUI and Internet Explorer; however, it is strongly recommended not to install this software on SAP servers, particularly production servers.

To improve reliability of an operating system it is recommended to install as few software packages as possible. This will not only improve reliability and performance, but will also make debugging any issues considerably simpler.

“A server is a server, a PC is a PC”. Customers are encouraged to restrict access to production servers by implementing Server Hardening Procedure.

SAP Servers should not be used as administration consoles and there should be no need to directly connect to a server. Almost all administration can be done remotely.

SAP on SQL General Update for Customers & Partners September 2013

Internet Explorer (and any other non-essential software) should always be removed from every SAP DB or Application server. 

The following command line removes IE from Windows 2008 R2, Windows 2012 and Windows 2012 R2:

Open command prompt as an Administrator -> dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64

Former Member
0 Kudos

Hello Yves, sorry, but I forgot to explain that our SAP landscape is installed on HP-UX servers.

ACE-SAP
Active Contributor
0 Kudos

Won't be able to help... I've never tried SSO on Unix.

Check if that link can help

weinu: How To: Setup SSO Using SAP Secure Login Library and Kerberos

Former Member
0 Kudos

ok, thank you.

ACE-SAP
Active Contributor
0 Kudos

Hello

As you are in a full Windows environment it is quite easy to set up.

Check the notes below, which provide all the required information:

352295 - Microsoft Windows Single Sign-On options

595341 - Installation issues with Single Sign-On and SNC

A good blog on that subject:

http://sap10.blogspot.fr/2009/07/enable-sap-single-sign-on-on-windows.html

Regards