It's widely acknowledged that Linux is more secure than the Windows and Mac platforms, thanks in large part to its relatively diverse nature and the way permissions are assigned. As a result, Linux users typically don't use antivirus software. However, no system is impermeable, and another step will help boost that security level even more. Namely, you can make your users' machines “thin” clients rather than “fat” ones running all their own, stand-alone software and applications. A thin client is a computer that depends on a remote server for processing, so the only thing the local machine does itself is display the results as a graphical presentation. This process is typically enabled by the open-source Linux Terminal Server Project (LTSP).
The user's thin machine can't be infected by a virus. Plus, for a business, keeping data and applications secured on a central server, with that server in a secure location, is important and at times mandatory.
Also worth mentioning is that a number of distros put a particular emphasis on security, including Lightweight Portable Security (LPS).
How to choose Linux for your server
If your office already has existing Windows Active Directory (AD) domain servers, your Linux server will have to be able to join the Active Directory domain and be visible across the network.
Correspondingly, client Linux workstations must be able to join any existing Windows Active Directory domain using client tools such as Likewise (now PowerBroker Open). Most popular Linux servers being deployed today use distros including Debian, CentOS, Ubuntu, and Red Hat.
Red Hat and Ubuntu both provide subscription-based support, good for specialized technical help. Smaller shops may opt to use CentOS, a Red Hat clone, or they may simply use Ubuntu Server without any contract support and rely on their IT pro's expertise.
Ubuntu Server is perhaps the easiest to deploy. In its Long Term Support configuration (LTS version 12.04), the OS does not receive any major upgrades during the support period. Instead, to ensure minimal service interruptions, it receives only feature backports, bug fixes, and security-related updates.
Ubuntu Server's hardware requirements are conservative, and it comes in both 32- and 64-bit editions. Out of the box, its security-hardened configuration makes it ideal for setting up public (DMZ) edge servers accessible from the Internet at large.
Both Red Hat and Canonical do an excellent job with documentation, and the level of subscription support you need, if any, will be your other most important consideration. Larger organizations running enterprise-grade applications often choose subscription-based phone support to keep up with the growing demands of the application and underlying platform architecture.
Finally, one additional key consideration is whether to deploy the server infrastructure in-house or in the cloud. If your risk-management process determines that storing data off-site is acceptable, then preprovisioned deployment in the cloud is an excellent opportunity to enjoy significant functionality at pennies per hour in operating expense.
Whichever way you decide, however, be mindful of whether the distro you're looking at can support you for a minimum of five years. That alone could narrow down the number of distros to a handful of candidates.
Best server tools
Systems administrators need the right tools on the server side. Sometimes all it takes is a login via secure shell to make a configuration file tweak, restart a daemon service, or install a needed patch update.
Other times, it takes something more. Most servers should be configured to receive updates manually. This lets a "change management" process govern, by approval, when any update occurs, and ensures that clear documentation and an audit trail are maintained. In the event of a system failure, for example, change management can help you find the root cause.
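One way to feed the manual-update process described above, as an added example that is not from the original article: the script turns the output of a simulated upgrade (`apt-get -s upgrade`) into a change-request record for approval, and checks whether unattended upgrades are switched on. The sample output, package versions and ticket id `CHG-0000` are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a change-request record from a simulated upgrade run.

# Constructed sample of `apt-get -s upgrade` output; versions are made up.
sample_simulation() {
cat <<'EOF'
Reading package lists...
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst bash [4.2-2ubuntu2.1] (4.2-2ubuntu2.6 Ubuntu:12.04/precise-security [amd64])
Inst libssl1.0.0 [1.0.1-4ubuntu5.10] (1.0.1-4ubuntu5.11 Ubuntu:12.04/precise-security [amd64])
Inst tzdata [2012e-0ubuntu0.12.04] (2012e-0ubuntu0.12.04.1 Ubuntu:12.04/precise-updates [all])
Conf bash (4.2-2ubuntu2.6 Ubuntu:12.04/precise-security [amd64])
EOF
}

# Reads simulation output on stdin; prints "class<TAB>package<TAB>old<TAB>new".
pending_changes() {
  awk '$1 == "Inst" {
    # A newly installed package has no "[old-version]" field.
    if ($3 ~ /^\[/) { oldv = $3; newv = $4 } else { oldv = "none"; newv = $3 }
    gsub(/[][()]/, "", oldv); gsub(/[][()]/, "", newv)
    # Anything offered from a "-security" pocket is classed as a security fix.
    class = ($0 ~ "/[a-z]+-security") ? "security" : "routine"
    printf "%s\t%s\t%s\t%s\n", class, $2, oldv, newv
  }'
}

# Usage: change_record TICKET < simulation-output
# Prints a summary line for the approver, then one line per package.
change_record() {
  changes=$(pending_changes)
  sec=$(printf '%s\n' "$changes" | grep -c '^security' || true)
  rou=$(printf '%s\n' "$changes" | grep -c '^routine' || true)
  printf 'ticket=%s status=pending-approval security=%s routine=%s\n' "$1" "$sec" "$rou"
  if [ -n "$changes" ]; then printf '%s\n' "$changes"; fi
}

# Succeeds when the `apt-config dump` text on stdin enables unattended upgrades.
auto_upgrades_enabled() {
  awk -F'"' '/^APT::Periodic::Unattended-Upgrade / { v = $2 }
             END { exit ((v + 0 > 0) ? 0 : 1) }'
}

# On a real server, pipe `apt-get -s upgrade` in place of the sample.
sample_simulation | change_record CHG-0000
```

Attaching the record to the ticket before the update and again after it gives the audit trail a before-and-after package list to compare during root-cause analysis.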
For special needs, each systems administrator will inevitably use one or more of these server tools, typically found within your distro's trusted software repository.
- OTRS ticket management/change management software
- Redmine integrated project management
- Git or Subversion version control software
- Wireshark, network packet sniffing diagnostic tool
- Preinstalled command-line tools: bash, ftp, Perl, awk, sed, secure shell (ssh), screen, cron, rsync, Nmap, Netcat, ping, traceroute, nslookup, and whois
- dd, tar, rsync, rsnapshot, Duplicity, Amazon S3, and ElephantDrive for offline or off-site backup archival
- KVM Kernel-based Virtual Machine (included free on Linux)
- Webmin browser-based system-admin interface
- Squid proxy/caching system
- Clonezilla, disk imaging system
- Observium, Nagios, or Zabbix network monitor tools
- Plone, WordPress, or Joomla content management systems
- Samba file server and/or Windows Active Directory (AD) primary domain controller
- PowerBroker Open (formerly known as Likewise Open) or Centrify Express for joining Linux client workstations to a Windows AD domain. Help understanding the differences can be found on the Centrify site.
- Common Unix Printing System (CUPS) for printing