Analyst Report
Secunia Vulnerability Study
Published: 12/1/2006
In a comparison of relative security, this study of third-party vulnerability data found Windows Server 2003 to have fewer vulnerabilities than Red Hat ES 3 and ES 4.

Summary
This paper compares the security of Red Hat Enterprise Linux ES 3, Red Hat Enterprise Linux ES 4, and Microsoft Windows Server 2003 Enterprise Edition. Different aspects of operating system security, such as the number of vulnerabilities and the time to resolve them, were analyzed as indicators of security for each operating system.
Data collection and analysis for this study were performed in December 2006. Data was collected from Secunia (http://secunia.com), a leading independent source of vulnerability intelligence. For each vulnerability, data on start and patch dates was collected from all security bulletins and announcements under all CVE references associated by Secunia with that vulnerability.
The study found that Windows Server 2003 is consistently lower risk than Red Hat ES 3 or Red Hat ES 4: it has fewer total vulnerabilities, which means users have fewer patching events to respond to; its first high-criticality vulnerability was not identified until over two years after release; and on average it has fewer unpatched vulnerabilities per day.
Included in this document
  • Overview and Methodology
  • Total Vulnerabilities
  • Unpatched Vulnerabilities
  • Conclusions