According to the 2016 Duo Trusted Access Report, fifty-three percent of Mac OS users are running either the fully patched, latest version of OS X, or the previous version, compared to thirty-five percent of Windows users on Windows 10 and 8.1. That means the majority of these operating systems are outdated.
As you know, proper patch management is critical to protecting client data and uptime, but it's just one of many security considerations. With Ransomware-as-a-Service and Angler, Bedep and Neutrino exploit kit adoption on the rise, MSPs must strengthen client defenses against outside attack. When attempting to compromise a device or network, malicious actors look for any way in. Unbeknownst to many small- and medium-sized businesses, operating system vulnerabilities provide easy access. In order to provide clients with peace of mind, safeguard their sensitive information and differentiate your security services from the competition, here are six ways to harden customers' operating systems:
Definition of OS Hardening
So what is OS hardening exactly? Here is one definition from a Search Security column:
When you harden a box, you're attempting to make it bulletproof. Ideally, you want to be able to leave it exposed to the general public on the Internet without any other form of protection. This isn't a box you'll use for a wide variety of services. A hardened box should serve only one purpose--it's a Web server or DNS or Exchange server, and nothing else. You don't typically harden a file and print server, or a domain controller, or a workstation. These boxes need too many functions to be properly hardened.
Another definition is a bit more liberal:
Hardening of the OS is the act of configuring an OS securely, updating it, creating rules and policies to help govern the system in a secure manner, and removing unnecessary applications and services. This is done to minimize a computer OS's exposure to threats and to mitigate possible risk.
6 OS Hardening Tips
While different operating systems have their own intricacies, there are recommended practices that apply universally. This list is not all-inclusive and you may implement additional best practices when applicable. However, in order to minimize clients' risk of suffering a cyber attack, adhere to the following protocol:
1. Programs clean-up – Remove unnecessary programs. Every program is another potential entrance point for a hacker. Cleaning these out helps you limit the number of ways in. If the program is not something the company has vetted and "locked down," it shouldn’t be allowed. Attackers look for backdoors and security holes when attempting to compromise networks. Minimize their chances of getting through.
2. Use of service packs – Keep up-to-date and install the latest versions. It’s that simple. No one thing ensures protection, especially from zero-day attacks, but this is an easy rule to follow.
3. Patches and patch management – Planning, testing, implementing and auditing patches should be part of a regular security regimen. Make sure the OS is patched regularly, as well as the individual programs on the client's computer.
4. Group policies – Define what groups can or can’t access and maintain these rules. Sometimes, it’s simply user error that leads to a successful cyber attack. Establish or update user policies and ensure all users are aware and comply with these procedures. For example, everyone should be implementing strong passwords, securing their credentials and changing them regularly.
5. Security templates – Groups of policies that can be loaded in one procedure; they are commonly used in corporate environments.
6. Configuration baselines – Baselining is the process of measuring changes in networking, hardware, software, etc. To create a baseline, select something to measure and measure it consistently for a period of time. Establish baselines and measure on a schedule that is acceptable to both your standard for maintaining security and meeting your clients' needs.
Looking for additional information?
- Top 10 Security Hardening Settings for Windows Servers and Active Directory
- 15 Mac-Hardening Security Tips to Protect Your Privacy
There’s really no end to how much you can do to protect your clients’ environments, however this list should help get you started. Sometimes, it’s the little changes that can make the biggest difference. Teach your clients the importance of OS hardening and the value of keeping their systems up-to-date. Ultimately, they will rely on you to keep them educated and informed on security best practices.