Over the last couple of years, there’s been a lot of talk about the possibility of Linux making the jump from servers to desktops as a replacement for the ubiquitous Windows operating system. It hasn’t happened, at least not in any meaningful way, and it doesn’t appear likely to anytime soon. But maybe the real role of Linux on the desktop won’t be as a replacement for Windows but as an underpinning for it. Writing on the Security Focus website, Scott Granneman argues that companies should be installing Linux as the default desktop OS and then running Windows virtually on top of it.
Why? For better security. He points to the dire assessment of Windows malware threats that Microsoft security specialist Mike Danseglio presented at a recent conference. “When you are dealing with rootkits and some advanced spyware programs,” Danseglio advised, “the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit.”
“Everyone reading this knew it all along,” writes Granneman, “but there it is in black and white – if a Windows machine gets infected, wipe it and start again from a baseline install. Virtualization, however, makes that easy, affordable, and quick”:
put Linux on everyone’s computer in your organization. Start with a secure base. I’m talking about a stripped down distro, with little more on it than the kernel, the shell, and whatever X, GTK, or QT libraries your virtualization solution requires. On top of your Linux install, install your virtualization software and then the Windows du jour. Set things up so that on boot, Win4Lin or VMware (or whatever else you’re using) loads by default and then immediately loads Windows in full-screen mode. Trust me: your users won’t even realize that they’re not “really” running Windows. To them, they see Windows, they’re using Windows, all the software they expect is right there, and everything works just like normal.
Running Windows virtually, Granneman says, “will make your life infinitely easier”:
If a you receive a phone call that a problem has developed on Bob’s “Windows computer” in legal, just use SSH to run a script that closes the virtualization software, blows away or backs up the damaged Windows image so that you can review it, and then copies a master copy of the Windows VM from your server. In just a few minutes Bob will be back up and running, and he’ll never know how easy you have it.
If you can’t beat ’em, virtualize ’em.
Actually, that’s what Microsoft is proposing. Vista will have “Windows on Windows” virtualization in some editions.
The problem with running Windows on Linux is simple – drivers and peripherals and installation nightmare.
Corporate/Business users are not going to start playing driver-of-the-week club trying to support scanners, printers, et. al. on two desktop operating systems.
What’s with the ugly ads in your RSS feed? Now instead of thinking about what you write, I’m thinking about how much “2.75% Fixed Student Loan Consolidation” looks like spam, and I should really blacklist the address it’s coming from.
VMs fit in well with the “BYO laptop” concept that the analyst firms have been talking about. The IS dept. supports only the VM and the “guest” OS; employee is responsible for supplying the hardware and the host OS.
Yaacov: Yeah, those feed ads are truly ugly, and I’m sure I’ll soon discontinue them. I fiddle with different ad strategies, hoping to find a way to at least cover my costs, but my readers, to their credit, seem immune to all commercial blandishments. So sit tight, you ungrateful schmuck, and soon your sensibilities won’t be treated so roughly by my free RSS feed from my free blog. In the meantime, feel free to click on those ads. Nick
I don’t think drivers will be a problem: the virtualiser works at a very low level of ports and addresses where the abstraction of what lives where doesn’t matter – up to a point, at least. Look at VMWare, which is a perfectly usable system that doesn’t have oodles of driver probs.
What does matter is that the Vista virtualisation system will be reserved for the enterprise version, which a lot of SMBs and most individuals will not be able to buy — MS says it will tie it into one of those lovely corporate Pay As You Wait licensing schemes.
Call me a communist if you will, but I’ve always rather suspected that people who don’t have a corporatee IT support network need better, rather than worse, help from the OS in protecting them against the slings and arrows of outrageous malware. No doubt that there is an opportunity for a virtualising security product for the rest of us: I’m not sure it’s going to be ‘install Linux’, much as I wish it were.
R
So what happens if the underlying Linux OS contracts a rootkit? You’ll have to blow that away and repave. In fact if ANY OS get’s a rootkit, the safest thing to do is to blow it away and reinstall. It doesn’t just apply to Windows.
Read Ed Bott’s entry if you really want to know what Mike Danseglio said and what it means.
There is no way in hell Granneman’s ideas would work at the university where I help with the IT plumbing. There are thousands of user settings linked to a Windows installation after a single week of use. Settings you cannot backup or push into the user profile. Bob would so be on the phone tearing me a new one five minutes after we nuked his system and replaced it with a fresh copy.
Also, there are perfectly good applications for cloning a Windows PC from a prepped image, without the need for virtualization. Why would anyone need Linux for that?
Nick –
I hate ads too. But your response to Yaacov was so funny that I laughed out loud, then clicked on an ad in appreciation.
And why not use Linux alone ? that would be much simple, and less cpu consuming, Linux is very mature, stable, and safe. For users willing to change from windows to linux there are some comercial emulators, such as XOverOffice or so that let you run natively most of Windows application.
As I’ve seen in the comments what seems to worry yoy the most about running linux is having problem with the device drivers, that was true some years ago but now there are plentty. For a home or corporate user with no need of special programs it is no point to be running a non free ( free as in freedom) operating system.
Just my two cents.
Security is a matter of macro economics. Microsoft is the 300 pound gorilla – even if they slip a few market share points, they still have a virtual monopoly. If you are going to spend your time hacking an operating system, you have three choices: MSFT Windows (various versions), Linux (several flavors) and Apple OSX – the only one that has enough play in market is Microsoft – and the majority of Windows users are very “un-informed” (unlike both the Linux and Apple users).
If Apple owned 85% of the desktop market, they would have a security nightmare on their hands – the decisions on “what to hack” are based at the macro level – and Microsoft is an easy target.