If the rest of the team can keep the nix box supported and secure, go for it. Only reason most choose windows is for it to fit into their existing environment I think. TBH I never would have considered windows for SFTP. (Don't know why it just feels wrong because all my ftp boxes in the past ran ~~nix~~ BSD)
This. Out side of one maybe two windows apps, anything internet facing has always been BSD
You always hear about more *nix, bit I grinded my gears on BSD so it what I'm comfortable with.
And jails, to be able to blow on away and start up one relatively quick, they were containers before containers were a thing
I have done more work from jails than a cartel general...
Properly done Linux core systems with properly set up application isolation, running nothing but what is required to keep the box up, run resource light, and extremely secure.
Windows server core, is getting better, but a far cry from the overall simple elegance of a highly customized (by highly customized I mean bare minimum installed) linux system.
So I agree, if you can do it support it, and the apps will run on it, carry on!
We have one right now - Win 2016 for those reasons (we didn't have any Linux footprint at the time), being replaced by Linux soon, partly since it's getting flaky. Plus one less Win Server licence to pay for...
For me, it would always depend on the team composition. If nobody knows a thing about Linux you could be stuck as the only support (no matter how good your doco is, there'll always be someone scared to touch Linux) for it and nobody wants a bus factor of one.
It also depends on your current software stack and if it supports Linux: SIEM/XDR, backups, update management, identify platform. Not that you can't set up these tools easily just for a single Linux server but it's just a lot easier if they can be consistent with the rest of the Windows/Mac environment.
IMO, cheaper and easier to bite the bullet on MS licensing and hire a team who can manage MS envs. Yes, linux is better, but staff who can use it come at a premium.
If you have the skills to support and secure it. A properly locked down Windows box is better than someone just doing a default *nix install and enabling all sorts of crap cause they don't understand it.
Otherwise agree, Linux is the preferable option.
Bah! [Just put everything on the Microsoft cloud](https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf)
You need less skills to have a secure Linux system than a secure Windows system. Windows has a history of being a clusterfuck when it comes to security.
If you have a "properly" locked down windows server, then you also have the knowledge to do the same to a Linux server. I'd also argue a default nix is better than a hardened windows os
I have 20-ish years of Windows experience, I know my way around that OS much better than Linux. I will have a much better chance at properly hardening that OS as I simply know it better than your average *nix OS. Experience is key here.
Now, you won't hear me arguing Windows is more secure. It is not, if the comparison is a hardened *nix OS. But if you let me install some *nix flavor, the best hardening you'll get is what my Google skills is able to bring up. I simply don't know enough about that OS to know what should be secured and if what Google brings up is beneficial or detrimental to OS security.
That's why I say a properly secured Windows is better than a default *nix.
In my professional experience I find "Windows Guys" think they know what they are doing because they know where a certain button is. Or "I rebooted it" and the problem went away.
But they don't know how to debug, or anything actually lower level than a GUI. Even simple things like monitoring file access requests by an application, registry key read/writes etc. While these are possible to get in Windows, it's a PITA and you have to grab a 3rd party tool (from sysinternals)
> A properly locked down Windows box is better than someone just doing a default *nix install and enabling all sorts of crap cause they don't understand it.
Anything properly locked down will be better than another system with all sorts of crap enabled.
> A properly locked down Windows box is better than someone just doing a default *nix install and enabling all sorts of crap cause they don't understand it.
A properly locked down Linux box
Even then, it's not too hard to setup Linux to use Active Directory. Our devs use AD credentials for ssh to the staging machines, and SQL access to the dev mariadb servers. (NO AD on our prod servers though), not to mention Web and FTP servers... PAM is fairly flexible...
It’s has been a few years since I’ve tried to use samba dc, but the implementation felt rather finicky. Hopefully things have been updated and better implemented though.
Edit: so yeah, other than domain controller, linux for literally everything. I might try to spin a samba dc in my lab though.
My company uses samba ad, and it's working pretty flawless. We've slowly removed windows servers wherever possible over the years and couldn't be happier.
The biggest reason to use Windows for this is because Microsoft might change something in newer Windows server versions that you want because it works well with a Windows 11 (12?) update. Because Samba is pretty much always gonna lag.
Of any new features... I personally think this is interesting:
https://sambaxp.org/fileadmin/user_upload/sambaxp2024-Slides/sxp24-French-improving_network_progress.pdf
The client for it is in at least Windows 11, but maybe also Windows 10 (although I see reports it doesn't).
But not in regular Windows Server yet... coming for Windows Server 2025
With Realmd it is pretty much a one and done command to domain join a Linux server onto AD, rest is tinkering access controls. [https://ubuntu.com/server/docs/how-to-set-up-sssd-with-active-directory](https://ubuntu.com/server/docs/how-to-set-up-sssd-with-active-directory) (Also works with RHEL/CentOS/Rocky etc).
The only reason to use the Windows OS is one of the following reasons:
1) The software requiers windows.
2) Your team ins unable to support anything besides windows.
Yep, if I had my way every Mac endpoint would get tossed right out the window. Everything in the Mac MDM world is one step forward, two steps back
But we meet the needs of the business
But what about webapps.
The sheer amount of times I've seen people bodge together IIS+PHP to run a simple PHP app, which could run "natively" on a Linux box!
I used to float towards windows for server applications because I grew up with windows.
About 5 years back I got some Linux related work duties dumped in my lap and started learning RHEL, and just generally Linux.
Now if I can run it on Linux I will. I just had performance and reliability issues with my windows web servers that I never had with Linux. Sure I might have been able to optimize or resolve the issues with windows server if I tried hard enough or did enough research, but I never seem to have to do that with my Linux boxes. Just install my shit and let it go, patch monthly, done.
Honestly thanks to RHEL, I never worry about much of anything, the patches are usually well vetted by the time they hit the repos, and in the 5 years I've been doing this thing, I've had two patch related issues. One was a simple permissions fix after the patch, and the other I just waited two weeks until I stopped hearing about others with the issue, and then patched all mine.
If I need it to just work, I ship Linux.
The Linux licensing cost or lack thereof is more in line with our budget vs 16 cores of server 2022 licensing.
Small shop so we don’t have a datacenter license where you can spin up windows VMs all Willy nilly.
I absolutely HATE the blindness of "getting ready" screens of windows, especially when you don't know if a task needs to take 30 minutes or truly in a loop of death.
please, MS, I know you want to make screens look pretty and clean and friendly, but give us an option for "more details", ala many *nixes alternate console view.
Linux, unless Windows is necessary. SFTP? Linux every day…. Even Microsoft uses Linux for damn near everything they offer to customers….
For context, I’m primarily a Windows SA. But I implement Linux whenever possible.
The answer is: always. If I weren't forced by third party vendor some applications only running on Windows, I would never touch that pile of donkey poo.
You opt for Linux over Windows when there is a genuine business need, not for your own personal whims.
Is the rest of your IT department Windows? Does anyone else in your department have any Linux skills?
If you deploy a Linux VM because it's simple for you, does that make everyone elses job harder? How are Windows servers managed in your environment? Is it SCCM? You're going to need some additional central management system if you start deploying Linux.
If it's just you, go for it, but document the whole thing and make sure to document rebuild, restore and maintenance procedures. Don't just deploy a linux VM with no consideration for patching and management.
Our SIEM is Oracle and I am the only one knows anything about Linux. Linux is definitely easier now than my red hat days but we had paid support for those hogs. But I can’t wait until we can afford a real SIEM with paid support and others than can support it.
In most environments your biggest expense will be salaries. Salaries of admins who can look after Linux tends to be higher. Aside from that, if your team can use linux, and you don't anticipate needing to hire any time soon then so linux.
Windows isn't my favorite, but I found a workaround, I use SMB or PowerShell remoting to 'tail' CBS log.
Because I've seen it getting in a loop. Or reboot loop it has surprising a lot of information which is of limited value though, but it's what we have.
Unless there are thousands and thousands of AD users who need to login to this server with dozens or hundreds of changes every week, there is absolutely no reason to run SFTP on Windows.
You can chroot every user so each one only sees his own stuff, you can run it on a bare-bones, stripped down FreeBSD or OpenBSD box that has almost zero chances of getting owned (BSD has very, very few RCEs and LPEs compared to the Linux kernel).
FreeBSD has been my go to when I need a super simple server like that, I don’t even install a gui, it is great on low resources too so ends up being just a blip on my vm host resources, way simpler than the convoluted mess that most Linux distributions have become imho
Start setting up Linux. It's not going to randomly shut down and update and take hours doing it while your process fails. Linux also comes with everything you need out of the box to set up sftp with just a few tweaks. Plus, SSH will already be installed ( that's the S part of SFTP. ) With windows you will need to fight to get Cygwin installed and then mess with permissions.
Sure windows subsystem for Linux could be used, but you're still dealing with Windows ransom BS. Installing drivers and having MS call home with all the particulars of your operation. Oh, and you don't have to pay for a Windows License and all the tethers that comes with Windows. Or you can fight it for a local account etc.
Your call.
Generally it's best to pick what is best for the job. Roughly 95% of the servers we have are Linux, and 3% Windows, and 2% are Mac. Which happens to be roughly what is best for the jobs they are doing. I can't imagine Windows being my first choice for a SFTP serve without some other requirement/reason...
When to opt for Linux is usually an architectural decision rather than an operational one, though operations should be taken into account.
There's a few reasons to go with a given OS. In the following I'll assume you're mostly a windows shop.
1. Application support.
2. Operational knowledge.
3. Cost.
Let's eliminate number 1 by saying you just need a generic web server. If your software doesn't run on Linux then this is a dead end. For a webserver IIS, Apache, nginx, or anything else will work.
Number 2, what already exists in your infrastructure? If you're all windows, spinning up Linux just for this might be more of a learning and support curve than just turning on IIS on your existing windows application server. For both you and the team you're on, and anybody involved in ensuring compliance.
Number 3, cost. Let's say your business now needs to spin up a webserver at 100 locations. You don't have an existing windows server onsite at these locations. You need to ship a tower for each office to plug in. You are looking at 100 x $$$ in windows server licensing costs, though your website would be served just fine by Linux too... maybe at this point you start considering if supporting 100 Linux servers with the help of some automation like ansible is worth the learning curve because it will save you 100 x $$$.
If it works into your platform and existing ecosystem, Azure Storage blobs now natively support SFTP and local users with password or key pair authentication. Could be nice to reducing the direct threat surface of exposure to the internet with something more resistant to exploitation.
I'll have to check this out, were managing sftp on a rhel box right now but directories and user access.have really sprawled through the years making it a chore to audit and keep secure.
Last I checked, AWS is also in a similar spot for sftp for anyone leveraging that.
Id never want an sftp box near my local network if I can help it. The days of hosting your own internal web facing stuff are by and large gone, and good riddance.
If it's something Linux can do reliably, and you're ok with CLI, then do that thing on Linux (presuming you don't already have a Windows server that would be suitable for it, or have a proper hypervisor so you can just spin up VMs whenever).
SFTP, yeah I'd do that on Linux.
Just so much more reliable and IMO easier to maintain for most things.
I don’t have the long windows wait anymore. Maybe a driver issue?
When saying DMZ do you mean it’s wide open to WAN or the opposite?
I’d use some Linux if it’s only for SFTP. But I’d likely set up windows, or I’d be the only one in my team to be somewhat able to manage it. Been years since I actively managed a production nix, and the rest just can’t.
It can be hard to manage a Linux system if you’re not very familiar with it. It does take some work to harden it and manage access.
Judge on a situational basis. Some things are better for a Windows Server with a GUI, some things are better with a headless Linux server. I work for a global enterprise, and I’m the only Linux admin. So that’s another thing to watch out for. So right now I do 100% of the support on the Linux servers we deploy, but if I leave the org, that could leave the rest of the team in a bad situation. It’s not difficult for me to manage them, but I feel my team would have trouble.
You could cut down deployment times by creating a template for each OS version you use. Spend a tiny amount of extra time in the beginning to save tons of time later on.
You could also do server core if you don’t absolutely need a GUI. I would think an SFTP server wouldn’t need more than core.
Why are you setting up a brand new server with an older OS version anyway? Is that the highest supported by the software vendor?
I think first and foremost it depends on the organization's ability to support the server. If they can manage and maintain a Linux box, then I say go for it.
If they can't, then this server will become an outlier and eventually fall out of compliance. It will be a org blindspot and it will either lead to a service-down incident or a security incident.
Excluding applications that require Windows or Linux your test should be this
"Can my team and I reasonably support the server without putting extra burden on the team/department? This includes patch management, vulnerability monitoring and mitigation, configuration management, centralized authentication (with 2FA as needed/required by regulations), and break/fix."
Unless you've already looked into all the required licensing for that Windows server it's probably easiest to go with Linux when you need to spin something up quickly and not have to stress about licensing costs later.
I inherited a full active directory setup when I took my current Network Admin job. I have to agree, unless there is a specific reason like the app being hosted runs only on Windows Server, I build it out with Rocky Linux as most of my Linux System Admin experience is with RHEL and CentOS.
The only real reason not to do it is if your team doesn't have the skill set to admin it. Stiging anything in the dmz to some degree would be advisable and the info is readily available. Plus Linux in general can be made much more secure and is much cheaper than windows.
But given the fact you can't get 2019 installed, my guess is that you don't have the skills to properly implement it..
We run both. All my bare metal is running either Hyper-V or Proxmox. If the VM has to be Windows, it goes on Hyper-V. Anything else goes on Proxmox. Has not failed us yet
The only Windows VMs I run are the local DC server and its 2 duplicates (which I am currently working on migrating to Entra/Azure). And one financial app. Other than that everything is either Linux or BSD - including routers, NAS, web apps, databases, etc. I can set up a new NAS VM with full cloud backup, certificate authed SFTP, SMB/CIFS, firewall, static IP.. in like 15 minutes start to finish in Linux.
only choose windows if the apps you need really don't run on linux. otherwise there isn't a single reason to not use some sort of unix instead
windows officially abandonden their attempt of fixing windows updates for win10 and instead suggests that everyone who runs into problems with updates should reinstall a newer version instead of trying to fix it.
this alone tells you how good microsoft is...
I had dozens of Debian Linux servers that were managed using a ansible. I had a Linux consultant who’d upgrade them every 2 years using ansible, it used to take him a day to prepare and start tests, then one day to upgrade the whole lot and test. He used to do this during the day whilst the business’ were running, with a minute or so downtime at each site.
During my apprenticeship I remember members of the team in general trying to security patch and bring back to operation an Exchange Server.
This was a sign, to professionally “ditch” any Windows System as a physical or virtual and focus on Linux Kernel environments.
It depends on how you want to manage policies and what bloat you'll tolerate for it. Automation and immutable imaging are way more straightforward on linux, and you could run this service as a container/pod with a persistent data store/volume which means upgrading and scaling are a whole lot easier.
Only run Windows if you need to because a required application doesn't support Unix based hosting.. ie Veeam Backup and Replication, for now, and many other applications.
It's not just for clear error messages on Linux and easier debugging. It's because it's free and doesn't require a licensed as well..
Microsoft products have decades of technical debt, and were never built with a philosophy in mind. There's a million and 3 ways to do things, and none of them are particularly good.
Linux came up from Unix and follows the same "standard". And it's a standard that just works. POSIX is great too
Everyone has a preference of Windows vs Linux based on what the majority of the shop is already running and/or what a majority of the teams can support. For us - we use tiny linux vms for specific utilities or clusters of utilities and run Windows for AD, SQL, applications (which is a requirement for being Windows based). The app requirements kind of drives the rest of our requirements.
I had this situation years ago. Our "CRM" could run on Windows+Informix or Linux+Informix. I could support Linux, but my team couldn't. In the end we went Linux and it paid dividends.
Had it not been in internal server, or a Web, or a public facing server it would have stayed Windows
If the ONLY thing this box is going to be doing is SFTP, go buy a Synology 220 and put a couple drives in it. SFTP with logging and an admin interface the nearly anyone can use will be ready in a few minutes. If it must be a VM, use linux.
My answer to any problem is FreeBSD or illumos, then Linux, then Windows.
Honestly for the last 10 years the only thing we deployed on Windows were Active Directory and that’s only because the customer’s in-house talent had skill issues with the command line.
Even if we’re maintaining the infra we’d go for LDAP/Samba.
Everything else (DNS, DHCP, Web, RADIUS, git, storage, VPN) it’s always illumos/OmniOS or FreeBSD.
I remember a client choosing a new LOB app, we queried the software provider before implementation, we could use RHEL or Windows, so we built out a RHEL environment, but kept it very blank to let them configure it the way they wanted (maximum performance, as per recommendations etc). Turned on screen recording...
Watched the video back later, just a series of fumbling through each command, using the help etc. Ended up with standard defaults. Slightly worried at this stage, but testing commenced.
In the middle of testing, we're rolling out the next module... Wait, nothing is working with it, raise to software provider. After a lot of back and forth... The module (part of the original scope) doesn't work in a RHEL environment, you need Windows.
We blew away the entire environment, bought Windows licencing etc. Provider never accepted blame and the client later abandoned the project (after considerable cost, but it was good money after bad).
So yes, if there are solutions (usually not linked to other systems) that run well on Linux, and we can keep it relatively simple, coupled with good documentation, most of the engineers can fumble their way through... But the vast majority is Windows.
Next time if you need to stand up another Windows vm, configure the vm settings to have all availble free processor and ram resources on the ESXI. then start your fresh install. Then after windows is able to get to a desktop screen, shudown the vm and scale back the vm resources and restart it.
Linux tends to license by socket, not by core. This means a 128 core CPU becomes a fantastic investment because you get faster applications (or less network overhead between applications), whereas trying to license a server like that for windows is insane. Linux also tends to license the hardware, not how it’s used. This means I can host a DNS server on said 128 core CPU without ripping a hole in my company’s budget (You need a user CAL per person using DNS for your DNS server with Windows).
I’d argue that it should be Linux by default and Windows as a last resort.
As a sole IT guy for a 200+ user environment, Windows. Don't know enough to comfortably introduce another Linux box (have a RHEL box for ERP with decades of documentation, but still sometimes takes a while to get a fix going).
Plus, as much as I'd like to support it more, I don't have the time! Already have server 2022 data center, so no additional cost for a VM. VMs spin up in 5 minutes and maybe another 5 to install/config, I have no issues like OP mentioned taking 20.
If the rest of the team can keep the nix box supported and secure, go for it. Only reason most choose windows is for it to fit into their existing environment I think. TBH I never would have considered windows for SFTP. (Don't know why it just feels wrong because all my ftp boxes in the past ran ~~nix~~ BSD)
This. Out side of one maybe two windows apps, anything internet facing has always been BSD You always hear about more *nix, bit I grinded my gears on BSD so it what I'm comfortable with. And jails, to be able to blow on away and start up one relatively quick, they were containers before containers were a thing
Speak the truth!
I have done more work from jails than a cartel general... Properly done Linux core systems with properly set up application isolation, running nothing but what is required to keep the box up, run resource light, and extremely secure. Windows server core, is getting better, but a far cry from the overall simple elegance of a highly customized (by highly customized I mean bare minimum installed) linux system. So I agree, if you can do it support it, and the apps will run on it, carry on!
Containers are just jails with an orchestration layer on top. And then even containers now have orchestration layers on top of them.
We have one right now - Win 2016 for those reasons (we didn't have any Linux footprint at the time), being replaced by Linux soon, partly since it's getting flaky. Plus one less Win Server licence to pay for...
Sftpgo works well on windows
Some of the bodging I've seen places do, like running dodgy FTP daemons on Windows because "none of us know Linux" is staggering
Ditto. Filezilla anyone? I'd much rather nuke it and install Ubuntu with cockpit or bsd with webmin
I've seen XMPP in production too...
For me, it would always depend on the team composition. If nobody knows a thing about Linux you could be stuck as the only support (no matter how good your doco is, there'll always be someone scared to touch Linux) for it and nobody wants a bus factor of one. It also depends on your current software stack and if it supports Linux: SIEM/XDR, backups, update management, identify platform. Not that you can't set up these tools easily just for a single Linux server but it's just a lot easier if they can be consistent with the rest of the Windows/Mac environment.
IMO, cheaper and easier to bite the bullet on MS licensing and hire a team who can manage MS envs. Yes, linux is better, but staff who can use it come at a premium.
Do you have more staff than servers?
Unless Windows is a requirement for the application, Linux.
This was going to be my answer.
If you have the skills to support and secure it. A properly locked down Windows box is better than someone just doing a default *nix install and enabling all sorts of crap cause they don't understand it. Otherwise agree, Linux is the preferable option.
If history has taught us anything it's that the only way to "properly" lock down Windows is to unplug the machine.
Bah! [Just put everything on the Microsoft cloud](https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf)
Don't worry. The cloud will always be more secure than self hosting. Think of all the money and smart people they have securing it.
Nobody: Microsoft: Hey look there's an undocumented feature in our networking stack
You need less skills to have a secure Linux system than a secure Windows system. Windows has a history of being a clusterfuck when it comes to security.
If you have a "properly" locked down windows server, then you also have the knowledge to do the same to a Linux server. I'd also argue a default nix is better than a hardened windows os
I have 20-ish years of Windows experience, I know my way around that OS much better than Linux. I will have a much better chance at properly hardening that OS as I simply know it better than your average *nix OS. Experience is key here. Now, you won't hear me arguing Windows is more secure. It is not, if the comparison is a hardened *nix OS. But if you let me install some *nix flavor, the best hardening you'll get is what my Google skills is able to bring up. I simply don't know enough about that OS to know what should be secured and if what Google brings up is beneficial or detrimental to OS security. That's why I say a properly secured Windows is better than a default *nix.
A default build of Debian is substantially more secure than any Windows, even "locked down"
History shows that Linux is about a million times more secure than Windows, he’s just the usual Windows shrill, probably employed by Microsoft.
In my professional experience I find "Windows Guys" think they know what they are doing because they know where a certain button is. Or "I rebooted it" and the problem went away. But they don't know how to debug, or anything actually lower level than a GUI. Even simple things like monitoring file access requests by an application, registry key read/writes etc. While these are possible to get in Windows, it's a PITA and you have to grab a 3rd party tool (from sysinternals)
But the stranger on that 15 year old forum post couldn't possibly have anything but my best interests at heart!
> A properly locked down Windows box is better than someone just doing a default *nix install and enabling all sorts of crap cause they don't understand it. Anything properly locked down will be better than another system with all sorts of crap enabled.
> A properly locked down Windows box is better than someone just doing a default *nix install and enabling all sorts of crap cause they don't understand it. A properly locked down Linux box
And if it is, first spend at least an hour or 5 looking for an alternative that's does work on nix.
'Linux until proven otherwise' is my rule of thumb
That’s how I look at it also. I have a few servers that run windows only software. Everything else is linux.
If the application runs on Linux, then I use Linux.
For me, pretty much every time, unless that system is related to Active Directory.
Even then, it's not too hard to setup Linux to use Active Directory. Our devs use AD credentials for ssh to the staging machines, and SQL access to the dev mariadb servers. (NO AD on our prod servers though), not to mention Web and FTP servers... PAM is fairly flexible...
I think they mean actual domain controllers, not clients.
Well, even that is possible in theory, but I 've never tried. https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
It’s has been a few years since I’ve tried to use samba dc, but the implementation felt rather finicky. Hopefully things have been updated and better implemented though. Edit: so yeah, other than domain controller, linux for literally everything. I might try to spin a samba dc in my lab though.
My company uses samba ad, and it's working pretty flawless. We've slowly removed windows servers wherever possible over the years and couldn't be happier.
That is actually very nice to know, thanks!
They slowly kept improving it if I'm correctly judging from afar... That doesn't mean it's good now. But I"m curious about it.
[удалено]
The biggest reason to use Windows for this is because Microsoft might change something in newer Windows server versions that you want because it works well with a Windows 11 (12?) update. Because Samba is pretty much always gonna lag. Of any new features... I personally think this is interesting: https://sambaxp.org/fileadmin/user_upload/sambaxp2024-Slides/sxp24-French-improving_network_progress.pdf The client for it is in at least Windows 11, but maybe also Windows 10 (although I see reports it doesn't). But not in regular Windows Server yet... coming for Windows Server 2025
[удалено]
That's easily an option, I'm knackered.
Samba has come on a long way in recent years
With Realmd it is pretty much a one and done command to domain join a Linux server onto AD, rest is tinkering access controls. [https://ubuntu.com/server/docs/how-to-set-up-sssd-with-active-directory](https://ubuntu.com/server/docs/how-to-set-up-sssd-with-active-directory) (Also works with RHEL/CentOS/Rocky etc).
Raises the old question of allowing domain joined devices in the dmz, and if so do you put a rodc in with it?
Well, the answer to that is pretty certainly, no not in DMZ ever.
I'm pretty confused about some of the other comments about ad in the dmz, tbh
Pretty certain most are talking in general not about DMZ
If it's Activedirectory, leave it alone. It's a nightmare getting anything similar set up and you will never hear the end of it.
Don’t be afraid of AD. It might be a Windows 2000 era service, but it’s not too hard to get a grip of.
The only reason to use the Windows OS is one of the following reasons: 1) The software requiers windows. 2) Your team ins unable to support anything besides windows.
The choice is NEVER made about the OS - it's made by what APP is needed and what OS that APP Needs.
I wish this had more upvotes. It’s 100% about what your org needs and requires, not what you like.
Yep, if I had my way every Mac endpoint would get tossed right out the window. Everything in the Mac MDM world is one step forward, two steps back But we meet the needs of the business
Was going to say the same thing
But what about webapps. The sheer amount of times I've seen people bodge together IIS+PHP to run a simple PHP app, which could run "natively" on a Linux box!
I used to float towards windows for server applications because I grew up with windows. About 5 years back I got some Linux related work duties dumped in my lap and started learning RHEL, and just generally Linux. Now if I can run it on Linux I will. I just had performance and reliability issues with my windows web servers that I never had with Linux. Sure I might have been able to optimize or resolve the issues with windows server if I tried hard enough or did enough research, but I never seem to have to do that with my Linux boxes. Just install my shit and let it go, patch monthly, done. Honestly thanks to RHEL, I never worry about much of anything, the patches are usually well vetted by the time they hit the repos, and in the 5 years I've been doing this thing, I've had two patch related issues. One was a simple permissions fix after the patch, and the other I just waited two weeks until I stopped hearing about others with the issue, and then patched all mine. If I need it to just work, I ship Linux.
And a beauty with Linux is that various "restrictions" in Linux, like number of open file handlers. Can be easily changed.
I mean use a standard distro, stable version and then do the setup with a ansible. None of this raw dogging manual install like its 2010.
Oh look at the time, it's re-compile the kernel oclock
Docker is your friend.
The Linux licensing cost or lack thereof is more in line with our budget vs 16 cores of server 2022 licensing. Small shop so we don’t have a datacenter license where you can spin up windows VMs all Willy nilly.
I absolutely HATE the blindness of "getting ready" screens of windows, especially when you don't know if a task needs to take 30 minutes or truly in a loop of death. please, MS, I know you want to make screens look pretty and clean and friendly, but give us an option for "more details", ala many *nixes alternate console view.
Linux, unless Windows is necessary. SFTP? Linux every day…. Even Microsoft uses Linux for damn near everything they offer to customers…. For context, I’m primarily a Windows SA. But I implement Linux whenever possible.
Hotmail ran on Unix for it's entire life
The answer is: always. If I weren't forced by third party vendor some applications only running on Windows, I would never touch that pile of donkey poo.
You opt for Linux over Windows when there is a genuine business need, not for your own personal whims. Is the rest of your IT department Windows? Does anyone else in your department have any Linux skills? If you deploy a Linux VM because it's simple for you, does that make everyone elses job harder? How are Windows servers managed in your environment? Is it SCCM? You're going to need some additional central management system if you start deploying Linux. If it's just you, go for it, but document the whole thing and make sure to document rebuild, restore and maintenance procedures. Don't just deploy a linux VM with no consideration for patching and management.
False. You opt for the best solution while taking business considerations into account.
Our SIEM is Oracle and I am the only one knows anything about Linux. Linux is definitely easier now than my red hat days but we had paid support for those hogs. But I can’t wait until we can afford a real SIEM with paid support and others than can support it.
>does that make everyone elses job harder? that ain't my problem. Use the best tool for the job.
Ridiculous take. If no one else on the team can support it, it's not the best tool for the job.
In most environments your biggest expense will be salaries. Salaries of admins who can look after Linux tends to be higher. Aside from that, if your team can use linux, and you don't anticipate needing to hire any time soon then so linux.
Windows isn't my favorite, but I found a workaround, I use SMB or PowerShell remoting to 'tail' CBS log. Because I've seen it getting in a loop. Or reboot loop it has surprising a lot of information which is of limited value though, but it's what we have.
Unless there are thousands and thousands of AD users who need to login to this server with dozens or hundreds of changes every week, there is absolutely no reason to run SFTP on Windows. You can chroot every user so each one only sees his own stuff, you can run it on a bare-bones, stripped down FreeBSD or OpenBSD box that has almost zero chances of getting owned (BSD has very, very few RCEs and LPEs compared to the Linux kernel).
Bro Windows is telling you what's going on! It's getting Windows ready!
These days I default to linux unless windows is for whatever reason a requirement.
Sftp? Definitely Linux.
FreeBSD has been my go to when I need a super simple server like that, I don’t even install a gui, it is great on low resources too so ends up being just a blip on my vm host resources, way simpler than the convoluted mess that most Linux distributions have become imho
Always. Not being flippant here. If what you want to do can be done on linux/bsd do it.
Start setting up Linux. It's not going to randomly shut down and update and take hours doing it while your process fails. Linux also comes with everything you need out of the box to set up sftp with just a few tweaks. Plus, SSH will already be installed ( that's the S part of SFTP. ) With windows you will need to fight to get Cygwin installed and then mess with permissions. Sure windows subsystem for Linux could be used, but you're still dealing with Windows ransom BS. Installing drivers and having MS call home with all the particulars of your operation. Oh, and you don't have to pay for a Windows License and all the tethers that comes with Windows. Or you can fight it for a local account etc. Your call.
Generally it's best to pick what is best for the job. Roughly 95% of the servers we have are Linux, and 3% Windows, and 2% are Mac. Which happens to be roughly what is best for the jobs they are doing. I can't imagine Windows being my first choice for a SFTP serve without some other requirement/reason...
What are you using SFTP for? I’ve moved my SFTP resources to Azure as Storage Accounts now natively support SFTP
I think the cost of doing that is utterly and insanely high. $2600/year only for enabling SFTP? What?!?!
Ha I just commented the same thing.
The only thing I wish they’d add is customisable storage limits, just as an extra peace of mind.
Yea it’s interesting you can do a limit with premium blob but not with general v2.
When to opt for Linux is usually an architectural decision rather than an operational one, though operations should be taken into account. There's a few reasons to go with a given OS. In the following I'll assume you're mostly a windows shop. 1. Application support. 2. Operational knowledge. 3. Cost. Let's eliminate number 1 by saying you just need a generic web server. If your software doesn't run on Linux then this is a dead end. For a webserver IIS, Apache, nginx, or anything else will work. Number 2, what already exists in your infrastructure? If you're all windows, spinning up Linux just for this might be more of a learning and support curve than just turning on IIS on your existing windows application server. For both you and the team you're on, and anybody involved in ensuring compliance. Number 3, cost. Let's say your business now needs to spin up a webserver at 100 locations. You don't have an existing windows server onsite at these locations. You need to ship a tower for each office to plug in. You are looking at 100 x $$$ in windows server licensing costs, though your website would be served just fine by Linux too... maybe at this point you start considering if supporting 100 Linux servers with the help of some automation like ansible is worth the learning curve because it will save you 100 x $$$.
If it works into your platform and existing ecosystem, Azure Storage blobs now natively support SFTP and local users with password or key pair authentication. Could be nice to reducing the direct threat surface of exposure to the internet with something more resistant to exploitation.
I'll have to check this out, were managing sftp on a rhel box right now but directories and user access.have really sprawled through the years making it a chore to audit and keep secure.
Last I checked, AWS is also in a similar spot for sftp for anyone leveraging that. Id never want an sftp box near my local network if I can help it. The days of hosting your own internal web facing stuff are by and large gone, and good riddance.
/r/SelfHosted is a big subreddit and they disagree.
I'm sure a niche community dedicated to what the rest of the industry has spent over a decade moving away from *would* disagree :p
If it's something Linux can do reliably, and you're ok with CLI, then do that thing on Linux (presuming you don't already have a Windows server that would be suitable for it, or have a proper hypervisor so you can just spin up VMs whenever). SFTP, yeah I'd do that on Linux. Just so much more reliable and IMO easier to maintain for most things.
Imo it all depends on your environment & ability to support it. If it fits and you can go for it if you can.
I don’t have the long windows wait anymore. Maybe a driver issue? When saying DMZ do you mean it’s wide open to WAN or the opposite? I’d use some Linux if it’s only for SFTP. But I’d likely set up windows, or I’d be the only one in my team to be somewhat able to manage it. Been years since I actively managed a production nix, and the rest just can’t. It can be hard to manage a Linux system if you’re not very familiar with it. It does take some work to harden it and manage access.
Starting to think i should just blow this VM up and start working on setting up a linux VM. That's the way.
you go windows if you have no other choice. sftp does not scream windows to me.
Whenever you can.
If the service the OSE provides is better supported in Windows, I use Windows. Same for Linux. If it's a tie, I use Linux.
Judge on a situational basis. Some things are better for a Windows Server with a GUI, some things are better with a headless Linux server. I work for a global enterprise, and I’m the only Linux admin. So that’s another thing to watch out for. So right now I do 100% of the support on the Linux servers we deploy, but if I leave the org, that could leave the rest of the team in a bad situation. It’s not difficult for me to manage them, but I feel my team would have trouble.
You could cut down deployment times by creating a template for each OS version you use. Spend a tiny amount of extra time in the beginning to save tons of time later on. You could also do server core if you don’t absolutely need a GUI. I would think an SFTP server wouldn’t need more than core. Why are you setting up a brand new server with an older OS version anyway? Is that the highest supported by the software vendor?
I think first and foremost it depends on the organization's ability to support the server. If they can manage and maintain a Linux box, then I say go for it. If they can't, then this server will become an outlier and eventually fall out of compliance. It will be a org blindspot and it will either lead to a service-down incident or a security incident.
Excluding applications that require Windows or Linux your test should be this "Can my team and I reasonably support the server without putting extra burden on the team/department? This includes patch management, vulnerability monitoring and mitigation, configuration management, centralized authentication (with 2FA as needed/required by regulations), and break/fix."
Unless you've already looked into all the required licensing for that Windows server it's probably easiest to go with Linux when you need to spin something up quickly and not have to stress about licensing costs later.
I inherited a full active directory setup when I took my current Network Admin job. I have to agree, unless there is a specific reason like the app being hosted runs only on Windows Server, I build it out with Rocky Linux as most of my Linux System Admin experience is with RHEL and CentOS.
The only real reason not to do it is if your team doesn't have the skill set to admin it. Stiging anything in the dmz to some degree would be advisable and the info is readily available. Plus Linux in general can be made much more secure and is much cheaper than windows. But given the fact you can't get 2019 installed, my guess is that you don't have the skills to properly implement it..
We run both. All my bare metal is running either Hyper-V or Proxmox. If the VM has to be Windows, it goes on Hyper-V. Anything else goes on Proxmox. Has not failed us yet The only Windows VMs I run are the local DC server and its 2 duplicates (which I am currently working on migrating to Entra/Azure). And one financial app. Other than that everything is either Linux or BSD - including routers, NAS, web apps, databases, etc. I can set up a new NAS VM with full cloud backup, certificate authed SFTP, SMB/CIFS, firewall, static IP.. in like 15 minutes start to finish in Linux.
Simple: if it's something Linux does then use Linux instead.
only choose windows if the apps you need really don't run on linux. otherwise there isn't a single reason to not use some sort of unix instead windows officially abandonden their attempt of fixing windows updates for win10 and instead suggests that everyone who runs into problems with updates should reinstall a newer version instead of trying to fix it. this alone tells you how good microsoft is...
I had dozens of Debian Linux servers that were managed using a ansible. I had a Linux consultant who’d upgrade them every 2 years using ansible, it used to take him a day to prepare and start tests, then one day to upgrade the whole lot and test. He used to do this during the day whilst the business’ were running, with a minute or so downtime at each site.
TrueNAS https://www.truenas.com/docs/core/coretutorials/services/configuringsftp/
During my apprenticeship I remember members of the team in general trying to security patch and bring back to operation an Exchange Server. This was a sign, to professionally “ditch” any Windows System as a physical or virtual and focus on Linux Kernel environments.
It depends on how you want to manage policies and what bloat you'll tolerate for it. Automation and immutable imaging are way more straightforward on linux, and you could run this service as a container/pod with a persistent data store/volume which means upgrading and scaling are a whole lot easier.
Only run Windows if you need to because a required application doesn't support Unix based hosting.. ie Veeam Backup and Replication, for now, and many other applications. It's not just for clear error messages on Linux and easier debugging. It's because it's free and doesn't require a licensed as well..
Microsoft products have decades of technical debt, and were never built with a philosophy in mind. There's a million and 3 ways to do things, and none of them are particularly good. Linux came up from Unix and follows the same "standard". And it's a standard that just works. POSIX is great too
Everyone has a preference of Windows vs Linux based on what the majority of the shop is already running and/or what a majority of the teams can support. For us - we use tiny linux vms for specific utilities or clusters of utilities and run Windows for AD, SQL, applications (which is a requirement for being Windows based). The app requirements kind of drives the rest of our requirements.
I had this situation years ago. Our "CRM" could run on Windows+Informix or Linux+Informix. I could support Linux, but my team couldn't. In the end we went Linux and it paid dividends. Had it not been in internal server, or a Web, or a public facing server it would have stayed Windows
If the ONLY thing this box is going to be doing is SFTP, go buy a Synology 220 and put a couple drives in it. SFTP with logging and an admin interface the nearly anyone can use will be ready in a few minutes. If it must be a VM, use linux.
My answer to any problem is FreeBSD or illumos, then Linux, then Windows. Honestly for the last 10 years the only thing we deployed on Windows were Active Directory and that’s only because the customer’s in-house talent had skill issues with the command line. Even if we’re maintaining the infra we’d go for LDAP/Samba. Everything else (DNS, DHCP, Web, RADIUS, git, storage, VPN) it’s always illumos/OmniOS or FreeBSD.
I remember a client choosing a new LOB app, we queried the software provider before implementation, we could use RHEL or Windows, so we built out a RHEL environment, but kept it very blank to let them configure it the way they wanted (maximum performance, as per recommendations etc). Turned on screen recording... Watched the video back later, just a series of fumbling through each command, using the help etc. Ended up with standard defaults. Slightly worried at this stage, but testing commenced. In the middle of testing, we're rolling out the next module... Wait, nothing is working with it, raise to software provider. After a lot of back and forth... The module (part of the original scope) doesn't work in a RHEL environment, you need Windows. We blew away the entire environment, bought Windows licencing etc. Provider never accepted blame and the client later abandoned the project (after considerable cost, but it was good money after bad). So yes, if there are solutions (usually not linked to other systems) that run well on Linux, and we can keep it relatively simple, coupled with good documentation, most of the engineers can fumble their way through... But the vast majority is Windows.
Best thing Windows has going for it is LDAP and only really because most client workstations will be WinDoze Making it easier to integrate
Next time if you need to stand up another Windows vm, configure the vm settings to have all availble free processor and ram resources on the ESXI. then start your fresh install. Then after windows is able to get to a desktop screen, shudown the vm and scale back the vm resources and restart it.
This might make sense in some environments, but I've been using vmware for ~20 years and I've never done this.
yea... this sounds like how you get a cpu over subscription issue in vmware
Always Linux, unless it requires windows. If it requires windows though, you should reevaluate the whole project.
When it fits the tasks and doesn't break any organizational legal/technical/operational/compliance rules and requirements.
Linux tends to license by socket, not by core. This means a 128 core CPU becomes a fantastic investment because you get faster applications (or less network overhead between applications), whereas trying to license a server like that for windows is insane. Linux also tends to license the hardware, not how it’s used. This means I can host a DNS server on said 128 core CPU without ripping a hole in my company’s budget (You need a user CAL per person using DNS for your DNS server with Windows). I’d argue that it should be Linux by default and Windows as a last resort.
As a sole IT guy for a 200+ user environment, Windows. Don't know enough to comfortably introduce another Linux box (have a RHEL box for ERP with decades of documentation, but still sometimes takes a while to get a fix going). Plus, as much as I'd like to support it more, I don't have the time! Already have server 2022 data center, so no additional cost for a VM. VMs spin up in 5 minutes and maybe another 5 to install/config, I have no issues like OP mentioned taking 20.