As an MSP, you may find yourself managing IT infrastructures or environments that include a mix of different operating systems. You might be working with Linux and Windows servers at the same time, for example. Or you may be supporting Windows workstations alongside Macs.
Securing systems of different types can be challenging because many security tools are OS-specific. Most firewall tools and some vulnerability scanners only work on one type of OS, for example. If you rely on these tools to secure a mixed-OS environment, you will end up having to master and deploy a range of different security platforms, each tailored for a different operating system.
Although you can and should deploy OS-specific security tools when they are necessary to address vulnerabilities that you can't handle otherwise, security best practices for a mixed OS environment also include broader strategies that help protect against vulnerabilities, no matter which type of system you are managing.
Here's a list of practices and tools that will help you keep all of the systems you manage secure, regardless of which operating system you work with.
You might also want to check our separate article about MSP’s tools for supporting mixed OS networks.
1. Scan for Viruses
Most viruses are designed to infect only Windows systems. However, virus files can be stored on any type of operating system. A Linux-based email server could host viruses that are later distributed to Windows workstations, for example. Or the file system on a Mac could be shared over the local network with Windows PCs, providing an attack vector.
That's why it's a best practice to scan all of your systems for viruses. Most modern antivirus platforms have the ability to scan files or file systems on any operating system, so finding tools to address these challenges is easy enough. The key responsibility for MSPs is simply to remember to include all systems, not just Windows instances, in antivirus scanning.
Further reading Top 5 Antivirus Solutions for Managed Service Providers
2. Centralize Identity Management
All of the major operating systems have native frameworks for managing user identities and permissions. Windows has an accounts wizard, macOS has the Users and Groups tool and most Linux distributions have their own tools for managing accounts and permissions. (You can also use Unix command-line tools like chmod to manage users on Linux and macOS.)
While these tools are useful for dealing with identities and permissions in an environment that involves just one type of OS, juggling multiple tools for a mixed-OS infrastructure is not ideal. It's harder to manage identities and permissions in a reliable, consistent way when you have to deal with different tools. By extension, you are at increased risk of misconfiguring identities or permissions in such a way that a security breach can occur.
Instead, adopt a centralized framework that works with all operating systems. Microsoft Active Directory can manage identities and permissions on Windows, macOS, and Linux systems. If you don't like Active Directory, consider OpenLDAP, an open-source alternative that is also compatible with all major operating systems.
3. Monitor for Network-Based Threats
Scanning network traffic is one key way to discover vulnerabilities or attempted breaches. That's true no matter which types of operating systems are sending and exchanging the traffic.
Further reading Network Security Best Practices
4. Scan Ports for Vulnerabilities
Ports that are left open unnecessarily are a common attack vector. Although the attacks that can be executed through unsecured ports are often OS-specific, port-scanning tools (such as Nmap) that look for vulnerabilities can scan systems no matter which operating system they are running.
These tools identify open ports so that you can make sure to secure them with proper authentication controls or close them if the ports should not be open in the first place.
Read this free whitepaper to learn more about:
- How to move your operations out of the office;
- Security considerations for remote workers;
- Best practices and tools;
- And a lot more.
5. Encrypt Data
Sensitive data can and should be encrypted, no matter which OS hosts it. Windows, macOS and most mainstream Linux distributions offer their own built-in tools for encrypting data at rest.
However, to simplify data encryption operations, consider using a cross-platform tool, such as VeraCrypt, that can encrypt data on any major OS or file system. You can also streamline the data encryption process by storing sensitive data on central file servers, where it can be kept encrypted in a single location, instead of spreading it across multiple workstations that each have to be encrypted separately.
6. Consider Isolating Databases from Application Servers
In some cases, it can be more secure to host databases on one type of OS and connect them to an application server hosted on a different OS. For example, you could set up a MySQL database server on Windows and an Apache web server on Linux, and connect them to each other to serve websites.
With an arrangement such as this, a threat against one part of your application stack cannot be easily escalated to impact the other. In the example just described, if an attacker compromises the Windows database server, the Linux webserver will remain safe.
7. Standardize OS Versions
If you have a mix of Windows, Linux and macOS machines, managing and securing them will be simpler if all systems run the same version of Windows, the same Linux distribution and the same macOS version. There are fewer variables and less room for error.
Perfect standardization is not always possible to achieve, of course, especially if you’re an MSP who is managing infrastructure that was set up before you arrived. But to the extent possible, strive for consistency in order to make security easier. As a bonus, bringing up this topic with your clients when you discuss planning for the future (and emphasizing the importance of striving for consistency) is a way to make them aware of the thought you put into their long-term security.
8. Make Data Backups
Finally, no matter which OS you are dealing with, backing up data helps protect against ransomware and other security threats. As with data encryption, most modern operating systems offer native data-backup tools, which you could use if you have enough patience to switch between different tools and maintain multiple configurations. But, of course, that’s not how you succeed as an MSP.
A better approach is to adopt a centralized backup and recovery tool, like MSP360, that can work with any and all operating systems (not to mention cloud services, NAS devices, and more) that you support. This way, you can use a single platform to handle all backup needs, greatly reducing the risk of forgetting to back up some data.
Conclusion
Securing client infrastructure that consists of a mix of Windows, Linux, and macOS systems is challenging. But it’s what you have to do if you want to offer effective managed services for many clients today. Although you may sometimes need to work with OS-specific security tools, orienting your managed security strategy around solutions that apply to any type of platform is a great way to simplify your operations while maximizing the level of protection you offer to clients.