Hi everybody, how are you doing? Welcome to the latest episode of From the Rock to the Cloud. We are well into season two and, as always, we're going to talk about everything from the rock to the cloud and everything in between. Yeah, it's in the name. So we're lucky enough, as always, to not be stuck just with me talking a lot of codswallop, but we've actually also managed to rope in an expert or two, and this time we've got somebody who... well, what time is it where you are? Because you're on the other side of the planet, aren't you? You're in Australia.

Yeah, it's quarter to eleven.

Oh, wow. So not only are we lucky enough to have an expert, and I'm going to let him introduce himself in a second, but this is an expert who's staying up late for you guys so that he can tell you all about technology, which, I mean, to be honest, he doesn't have to do. I should have got up earlier, but no, he stayed up late for us anyway. So, Orin, not only are you an aficionado of pretty much anything techy, you're also an aficionado of pretty much anything geeky, and we had a pre-chat, and this pre-chat, by the way, has gone on for what must be nearly an hour before the call, which is crazy. We've got a lot of things that we enjoy: Warhammer, Star Trek, Star Wars, you name it, you've got it all as well. So I'm totally in awe of your collection. I mean, look at that Star Destroyer behind you. Amazing. But anyway, we're not here to talk about our geeky fetishes. We are here to talk about Windows Server. So, Orin, just for those people that don't know you, if you could just do a quick intro and tell people why we've got the privilege of talking to you today.

Why? Because you bloody well asked. But that's the question. The question is sort of more who I am and what are my qualifications?

Yeah, but not in a resume kind of way.

So, what I'm probably mostly known for is writing an obscene number of books.
I'm somewhere on my 43rd at this point, so I've passed the Douglas Adams number of 42, mostly around the Microsoft IT operations space. I'm also a cloud advocate at Microsoft, and what that means is that I have now shifted inside Microsoft and I'm still writing books as part of the side gig. But we're responsible for advocating to and advocating on behalf of an audience. What that actually means is that we reflect the audience into Microsoft and we also reflect Microsoft out to the audience. The difference from the old technical evangelists is that we create a lot of our own content to fill gaps that exist within Microsoft's documentation ecosystem or presentation ecosystem, content that actually meets the needs of who we see as our audience. Obviously, as someone who has written for the IT Pro audience for 20 years or so, I have a very definite audience as a cloud advocate: people that are very engaged with Windows Server and, to a certain extent, security. So I try and create content that really scratches the itches that they need scratched rather than necessarily just presenting. There are other parts of Microsoft that are very good at talking about what's new, what the features are, what products do. And then there's the rest of us, this small group of cloud advocates who, because we're embedded with the audience, are sitting there going, well, these are the itches, these are the real-world problems that the audience has that they don't know how to solve with a Microsoft technology. So what we're going to do is talk to them about how they do solve that, and actually meet them where they are rather than preach to them about where we want them to be.

That's a great introduction, but I also love the approach, which is not to preach. And that's kind of the whole premise of this, I don't even know what it is.
I keep calling it a podcast but it's not, because it's on video, so it's a vlog. But this is scratching an itch. That's what this is. This is literally, you know, let's talk about things that actually are interesting and hopefully other people find interesting. So today we're going to talk about, and this is your terminology, and obviously you're the expert and you've got like forty-three books, so who am I to question it, server hardening and securing data. Now I get conceptually what that means, but Windows Server, is it secured by default? Let's talk about that. Let's talk about why we're talking about this today.

Okay, so one of the things to really understand, given the breadth of the number of customers that use Windows Server, is that when you're going to ship an operating system like this you've got to make a lot of decisions. So you go and put a lot of security controls into the operating system, but you've got to decide which ones to turn on and which ones not to turn on, and very rarely are you deploying into a greenfields environment. Quite often you're deploying into an Active Directory environment that's been there since Windows 2000. You might have servers that are running a variety of operating systems. So each one of these security controls that you might or might not enable is a choice. By default, Windows Server is as secure as it can be made while maintaining what is a reasonable level of compatibility with what our customers expect, and sometimes we'll sit there and announce, hey, it won't work with blah because we've disabled this by default. Like SMB1 is disabled by default in Windows Server 2022, but it was not disabled by default in, say, Windows Server 2012.
So in saying it's secure: there's a lot more that you can do to secure Windows Server than just the default installation, but what we've put you in the position of doing is that you have to make those decisions, and you have to turn on or enable those controls based on the realities of your environment, because if we turned on everything it probably wouldn't work in your environment.

Yeah, it's true. I was just going to say, ultimately what you're saying is that there is an onus of responsibility around security on the company, individual or person setting up and using the environment and the services that they want to use, but what we're now doing is giving you the choice of what we have, giving you our best shot at what it is off the bat, and then you can configure it and make it personal.

Well, it's a matter of understanding that each security control that you enable, as you know, is like a stone into a pond: there are ripples that go everywhere. It may be that you turn the control on and everything continues to work, or it may be that suddenly a critical workload that you weren't aware of, or that you were only marginally aware of, had a particular dependency and actually ceases to function. So security hardening is very much the process of turning one dial at a time rather than turning all of the knobs to 11 and hoping that the thing still works.

Okay. And, given what we've just discussed, what is the easiest way to be as secure as possible with Windows Server today?
So, in short, run the latest version of the operating system and have your latest security updates installed. That's obviously just a motherhood statement, right? It's so obvious. But what's very interesting is if you go out and look at environments. The first thing you should always upgrade in any environment is your domain controllers, right, because your domain controllers are what any attacker wants to get dominance over. If an attacker owns your domain controllers they can do anything on your network, because they control authentication and authorization. So it's very interesting that a lot of organizations are still sitting there on domain controllers that are running, in some cases, unsupported versions of Windows Server, whereas what should happen is that when a new version of Windows Server comes out, that should be the first thing that you deploy. You should go through and deploy new versions of your domain controllers, because nothing else should be running on a domain controller other than Active Directory Domain Services, and maybe the DNS server that goes in with it. You certainly shouldn't be running an application where you're worried about application compatibility on your domain controller. So that's the simplest way: make sure you've got the most secure, most recent version of the operating system. That's a good start.

And Windows Server 2022 launched and we made some big announcements around Secured-core. Would you say that it's always good to have that? If you can use that configuration, should you always use and deploy that configuration?

So there are a couple of things. There's Secured-core and there's Server Core. The first one to understand is Server Core. That's the version of Windows Server that doesn't ship with the desktop environment, so it's all of that desktop environment stuff taken off, and it's been around probably since 2008, but a lot of people don't deploy Windows Server in the Server Core
configuration. In fact, when you deploy Windows Server the default option is to deploy the Standard version of Windows Server in Server Core, and everybody goes and picks Standard with a GUI or Datacenter with a GUI depending on what license they've got. So the first thing is, make sure that you're using Server Core if you can. Now you talk about something that's slightly new, which is Secured-core. Secured-core is where you've got hardware attestation, and then you can go and build policies on top of that that allow you to use that hardware attestation to authorize which software runs on the operating system. There have been various iterations of this technology over the years. If you go back you had things called software restriction policies, and you had AppLocker policies, and then you had code integrity policies, and they've all been sitting there basically coming up with a way to make sure that the application or the code that's running right now is authorized to run on this system, and that it's identified in a cryptographically appropriate way. That makes sure that there's not a false positive there: just because you name something app.exe, it is actually the app that you want to allow to run rather than a bit of malware that someone's dropped on your system and is trying to get to execute. With Server Core, again, one of the things to understand is that it's a remote-first administration paradigm. The idea is that most administrators should not be RDPing into a server, firing up a management console on the server and doing whatever they need to do. What they should be doing is making some form of remote connection to that server and administering the server in that way, because we all know that there have been many cases where servers are compromised simply because someone has remoted into a domain controller, for example, they've got bored, they've opened up a web browser, and they're suddenly
browsing a third-party website on the domain controller, and some malware gets dropped on the domain controller.

Orin, how would you protect those domain controllers then?

So with domain controllers, the first thing is to make sure it's the most recent version of Windows Server. Make sure that your domain controllers are running Server Core. Make sure that you've enabled Secured-core if it's appropriate, if you've got the appropriate hardware. But then turn on Device Guard, or Windows Defender Application Control, or code integrity policies. It's fairly straightforward to go and say I only want to allow signed binaries from Microsoft and authorized scripts to run on this domain controller. What you want to do is block anybody basically putting together their own script and then running their own script, so you want to have signed scripts and only allow signed scripts to run on that DC. The other thing that you should do is block the DC from being able to directly communicate with any host on the internet, so that the DC should never be able to connect directly to the internet. You've got firewall rules sitting at your perimeter that block that DC from making that connection. When you're doing software updates on that DC, they're coming from a WSUS server that's sitting somewhere else on the network, and you're really restricting which hosts that DC can reach out to. You should make sure that admin sessions to the DC are only allowed from known privileged access workstations or jump servers, so you shouldn't allow anybody to RDP across to the DC from any workstation. There should be a specific workstation or a specific jump server used to do that, simply because, again, what you want to avoid is Bob or Sally the sysadmin sitting there using their own personal laptop that they take home, that they do whatever they want on because they've got local admin privileges, and then RDPing into a secure server using that.
They almost should, and it's obviously much more expensive in hardware, be going across to a separate computer that is locked down, because you don't want someone to be hopping from that privileged workstation onto the thing that they're connecting to. There have been many attacks where the way that the attack has occurred is that they've attacked the administrator's computer and then used that access to get into the secure thing that they really wanted to attack.

That makes sense. So it's about creating those... it's like an onion, isn't it, putting the layers in to protect that.

Yeah, and with security there is no one thing that you can do that will absolutely protect your network or your host. What you're doing is, as you said, adding layers of security to make it much more difficult. It's sort of like Maxwell Smart, where Maxwell Smart went through all of those doors and each one of those was a security barrier; they didn't all open at once. So what you're trying to do is make it much more difficult for your attacker to attack. It's again like a safe: a safe doesn't stop someone from stealing what's inside the safe, but most safes are rated based on how long it would take a competent lock picker or safe cracker to actually get into the safe.

Yeah, and even before you get to the safe you've got to get past the security guard, you've got to get to the safe, right? And I think that's kind of what we're talking about. So if we think about, I suppose, admin accounts and hardening the authentication, what would you suggest people go do, from a steps perspective, to make sure that authentication process is as bulletproof as possible?

So there are a couple of things that you can do with Windows Server. Eventually you should get to the point... and this is one of those ships-by-default things. Windows Server ships by default with NTLM enabled. Now NTLM, unless
you've got, and there are a lot of organizations that do, rely on NTLM for authentication to older systems, but really you should be using Kerberos. So what you can do is go and audit NTLM usage, work out what applications, what users, what processes are still using NTLM, and you can remediate those, and then eventually you get to the stage where you're removing that less secure protocol and relying on Kerberos. There are other things called authentication silos, which is a bit more challenging, where you're only allowing certain objects to authenticate to other ones. And then there's Protected Users, where you can enable it, and when you put a user account into that particular container, or into that particular group, what it does is disable things like credential caching. What you don't want is, for example, an administrative user's credentials to be cached, because some of the older tech such as Mimikatz and things like that would go and look through cached credentials and extract those and use the tickets, and then go off and laterally move around the network. So there are things that you can do to, again, harden these accounts that are not there by default. There's Credential Guard, which is basically on specially configured servers; it basically stores credentials in a virtualized container so that, again, it's getting away from that sort of Mimikatz-type attack. So it's worth understanding. There's a good site called adsecurity.org, where the author of that site goes through all of the attacks against AD and the steps that you can take to mitigate those attacks.

What was that website called again, just in case anybody missed it, real quick?

adsecurity.org, I believe.

Isn't it? Okay, well, I might pick that up in the video afterwards once I've got the URL, because we'll make sure that we can share that with people, because that's a useful thing for people to find out about. So if we think about role-based conditional access,
in terms of, or, RBAC. Now I always try... this is just me, my other half doesn't work in Microsoft, and sometimes when I go home and I start talking she goes, I hate you, stop using that. So I always try and say what the thing actually is. But when we think of RBAC for administrative tasks on sensitive hosts, what's a good way of implementing that? What would be Orin's recommendation?

So again, a lot of these sound good in theory but they're actually complicated to implement, as anything in security is, right? But there's a technology called Just Enough Administration, and the way that Just Enough Administration works is that, rather than you connecting... let's say that you wanted to do some mucking around with the DNS zones in your environment. Now all of your DNS zones are hosted on your domain controllers. What you don't want is for the person who's actually accessing the DNS service to have any privileges within Active Directory. So you kind of don't want them logging on to Active Directory, and you probably don't want to figure out exactly what groups and things they want to be a member of. So what JEA allows you to do is set it up so that you create an endpoint on the server, a PowerShell endpoint, that an unprivileged user, that is just a member of a bog-standard security group that's got no privileges... let's say you create a new group called Tasmania DNS Operators and you give them the permissions to connect to this endpoint, and you can configure the endpoint so that an account only needs to be a member of that; they don't need any local admin privileges. But what you can do in configuring that endpoint is say, here are all of the PowerShell commands, all of the command-line utilities, all the PowerShell functions, all of the parameters, all the values that you can use when you're connected to this endpoint. And then what we'll do is, when
you're connected to this endpoint, rather than use your own credentials, we'll spin up a temporary virtual account that has local admin permissions, but it only has local admin permissions to use this specific set of commands, parameters and so on, so that you're extremely limited. So, for example, you could have the Restart-Service cmdlet, but the only service name that you can restart is the DNS server service; you have the create DNS zone cmdlet, but you can only use it on this specific DNS zone. So the idea of Just Enough Administration is that you can create these endpoints, and you can actually provide people with a particular account and say, go and do DNS operations, and that DNS operation account won't work on any other endpoint except for the DNS endpoint, and when they're connected to the DNS endpoint they've only got permissions there, so they can't use that to escalate their privileges. Where you're going further than that is that you avoid a Swiss Army knife account. The Swiss Army knife account is one that you'll be very familiar with, where you have one admin account and it's got permissions to everything. It can basically manage the SQL servers, Exchange servers, Active Directory, the firewall, the whole thing.

People out there, I'm telling you, don't create those admin accounts like that. That is number one advice, right? If you're the admin, make sure you protect yourself. I'm sorry, that is, you know, wear some protection.

So if you want to amuse yourself, before I became an FTE I recorded a session at Ignite Australia called 30 Terrible Habits of Server Administrators, and that's got a list of all the worst things that people do, such as, oh look, we've got service accounts, what are we going to do with our service accounts? I know, we'll put them in the Domain Admins group. And the way that the session runs, and you can hear it because there's a bit
of audience participation, it's like, who knows a consultant that's done the following? Because it's never you, it's always some other bloke, right? And the whole idea of this session is we know that these are bad practices, yet we also know that there are a lot of people that do them. It's sort of like the old joke about how you figure out who's got privileged accounts in an environment: you just do a search of Active Directory Users and Computers for anybody whose account is set to never expire, because of course they make everybody else's password expire except for the privileged accounts, because they got sick of changing their passwords.

Well, I was going to talk to you about how you protect accounts and things, but let's talk about how we protect, I suppose, the internal infrastructure of servers, what steps we can do for that, and then maybe we'll talk about what we do with VMs afterwards. I've joined two questions together there, but how do you do the real environment, and how do you do the virtual environment?

So, well, a lot of your infrastructure servers of course are going to be running as VMs anyway, so it is sort of like part one and part two of that question. But one thing to consider, where appropriate, is domain isolation policies. They're not enabled by default, and all a domain isolation policy does is say that every server or every host that connects to me must authenticate. So rather than letting anything that's basically got an IP address, from the DHCP server or if someone's hard-coded an IP address, go and communicate with everything, you actually require every host on the network to authenticate in some way. It might be certificate-based authentication, it might be something as simple as a password or passphrase, but it's basically employing the equivalent of IPsec policies. I mean, you can
turn on IPsec, or you can just say allow the connection, don't encrypt it, but make sure every connection is authenticated. So, where appropriate, for file servers, if you use certificate-based authentication, you can set it up so that they can't communicate with a DC unless you've installed a certificate on that host. The advantage is that if a host is compromised, you just go to your CA and revoke the certificate, and then suddenly that host can't go and authenticate. So: domain isolation policies; using Server Core where appropriate. Again, your DNS and your DHCP servers and your file servers don't need to be sitting there with that full-stack GUI on them. For the most part they can get away with running Server Core, and then you're remotely administering them using Windows Admin Center, or you're using the appropriate Microsoft Management Console or the appropriate PowerShell tools, or Azure Arc if you're using that methodology to manage them. But again, you want to restrict... you make sure that there are no services running, you make sure that there are no roles installed on that server that don't need to be there. We've got so much in the way of resources in terms of RAM and disk space, and the vast majority of Windows infrastructure servers at the moment don't require you to be... I mean, obviously, if you're running SQL or something like that as an application server, that's a different kettle of fish, but if you're thinking about a bog-standard file server, does your bog-standard file server need 64 gig of RAM? Probably not. So you can put these servers into your virtualization fabric and really restrict the size of them, and Server Core obviously reduces the footprint as well. Then, again, with infrastructure servers you do what you did with domain controllers: you restrict the hosts that are actually allowed to perform administrative connections to them. You say, right, I'm not going to accept any PowerShell
connections from any host other than the ones that are on this particular subnet, or these particular IP addresses that I know are the admin workstation IP addresses. So you make sure that you do that as well, because what you again don't want is, when attackers get into your network, what they're trying to do is get persistence. They're trying to find a nice perch to sit on while they recon your network and understand how it works, and what you don't want is that, once they're on that perch, they can get everywhere in the network from that perch. In a lot of attacks where the attack has been very successful, the modality that people are thinking in is that everybody bad is out there and everybody in here is fine, so we're going to trust everybody in here. But what you should be doing is saying, well, we don't know that we can trust everybody in here, so what we're going to do is have a minimal way of determining that they actually are who they should be, or, if a particular host is compromised, we're going to minimize the chance, so that if they do get control over a file server they can't RDP from the file server to the domain controller, because the only thing that can RDP to the domain controller, the only thing that can make a Windows Admin Center connection to the domain controller, is specific admin workstations.

So yeah, I mean, I've got my summary, I think you just helped me with my summary there, so that's perfect, Orin. That was the perfect explanation. I think people need to be aware of all the options and take responsibility, and authenticate. That's what my layman's ears are hearing: don't make assumptions that just because you've put your firewall up, happy days. People are going to be sneaky, and you've got to make sure that you've got enough doors between all the rooms in the
house to make sure you're protected. So, yeah, what would you say?

I think it's a matter of finding a balance, because you can go down a rabbit hole with the security where you're doing all of this insane stuff, but you don't do that if you're looking after the local primary school's servers, because the security requirements of the local primary school are a bit different to the local bank. There are places that you can go, such as the NIST website, or if you go and look for the Security Technical Implementation Guides, where you can get good military-level third-party assistance on every security option that you can turn on and what their recommendation is about those options, and then you figure out where you fit on that particular scale.

Yeah, and I suppose it's exactly that. It's just the right amount for you, and you need to go and figure that out, and you need to spend some time investing in understanding what that is before you start turning things on and off. But make sure, if you're going to turn things on and off, that you actually are working at the right level for your business or company or school or hospital or whatever.

And you have that conversation with your management chain, where you say, well, look, if we get compromised, these are the steps that we take. When we had some of the worms that came through... there's a great book, I can't remember the author, but it's called Sandworm, and he actually goes through in quite good detail what happened to Maersk's Active Directory environment. But there were also some of those attacks that impacted hospitals all over the world, where older systems were sitting there, but you also had the quite rational response of hospital administrators saying, look, do we go and spend half a million dollars or half a million pounds on securing the hospital's network, or do we go
and buy a new CT scanner? Because one of these helps our patients and the other, well, you know.

Yeah, and you're right. At the end of the day, especially when you think about somewhere like healthcare where there's a finite level of investment, those decisions have to be made. What would you say, I'm sorry, this is my last question, any other good admin habits that you would tell anybody down the pub? Obviously if we're down the pub we won't be talking about this, let's be honest, we'd be talking about much more exciting things like Warhammer. But if we were in the pub and we were talking security, what good admin habits would you be telling me over a cold brew?

I would be absolutely making sure that I had a separate computer for performing my admin tasks. That's one of those things that you've got to have an argument with whoever's in charge of your system about, and it might be that you've got a jump server, and it might be that you've got a jump server that's sitting somewhere that gets nuked every couple of days and then gets rebuilt from a script, because that way you know it's safe, and then you limit who can go and connect. Make sure that you have separate daily driver and admin accounts. When I moved out of working as a sysadmin at a university, I went and worked at a private enterprise, and I had a bloke come to me in my first week and say, can you reset the password on my account because I've forgotten it? I was on a call with a vendor at the time and I said, yeah, yeah, I'll get to it in half an hour. He comes back after half an hour and says, don't worry about it, and I said, what do you mean, don't worry about it? And he said, oh, I've got a backup account, I just logged in with that and reset it using that. And I said, how many backup accounts are sitting in this system? And he said, oh well, we might need
them. So that's not a good security practice at all. So make sure that you actually know what accounts are there, and then really pare down accounts so that, instead of having Swiss Army knife accounts, okay, if you need to go and open the drawer and pick up the account used to manage DNS, you go and pick up that account, you use that, and then you go and put that back in the drawer and shut the drawer. Then you open the drawer and pick up the file server account. Yes, it's more cumbersome, and figure out what the balance is in your environment. Maybe if you're a one-person shop that makes a little less sense, but what you're trying to do is figure out how I limit the damage an account can do if it's compromised, how I limit the damage that can occur if this host is compromised.

Fair. And you know what, that pint was great as well. Although you have those little small beers in Australia, you don't have full pints over there, do you? When you see them on the TV they're always drinking those little beers over in Australia.

So in each state there's a different name: what's a pot, what's a schooner, what's a middy, what's a yard glass. Of course, we used to have a prime minister of Australia who was in the Guinness Book of Records, when he was at Oxford, for the fastest drinking of a yard glass in history, and he actually held that for several decades. That was a guy named Bob Hawke. But again, the beer culture here is obviously much more influenced by the UK than it is by America, although, if I remember correctly, you guys don't have cold beers because of course you don't have warm weather. So, you know, again there need to be balances and adjustments.

Mate, that's okay, I will have to sort you out with some ale then. That's what I have to say anyway. So, moving swiftly on, we always have a little bit of fun in the show, because too much tech for anybody is just too much, so
we have a little bit of fun which is we do a meme review now you've already warned me that our memes are very dad's joke and I'll be honest I'm I'm not called bloke I know I'm not called bloke right like I'm you know I'm like I freely admit it and yeah I've got you know dad dancing skills and dad meme jokes right but let's see the first meme I mean it's hide the pain Harold so again yeah with systems administration memes there's some pretty dark stuff because system administrators are tend to have very dark humor and I remember the first place I worked they had the um the train spotting sys admin meme which obviously you can't repeat on a podcast because it's basically a beg-be-speech from train spotting where uh or Ewan McGregor's speech from train spotting except it's translated into systems administrators but it's very much 90 systems administrators where everybody got around looking like that they were a reject from a sort of a goth concert or something like that so um I had that post from my when I was a kid but this one it fixed one minor bug the entire server crashes and they were also just they're taking the producers are taking because that is definitely a dad as well he like they are obviously who does this stuff they've done it on purpose haven't they no I mean yeah look I mean if you you don't you only have to look around the internet just find some really um my favorite one is obviously I haven't seen it there is you know the the um the ancient aliens guys and he's like they say it wasn't DNS but of course it was DNS right yeah very good okay well let's um I didn't really warn you about this one so the reaction we were just talking about other stuff but um let's get the second one let's get your your reaction to the second one oh that lady now I when I was working at Killy University in the 1990s I was working in a well I can actually it was a working in an apartment of philosophy anthropology and history of science and we had an admin assistant and 
this is so this is the early 90s we're talking about 93 94 and the admin assistant was elderly and their response their general responsibility was typing and that only been shifted off a typewriter recently onto a word processor and every night the person diligently covered their PC in a dust cover and everything last this and I I asked why are you doing that and the person honestly responded and I don't want the computer to get a virus and there was a professor of anthropology standing behind me and we watched this person leave and he went no this is not stupidity it's just a case of metaphors not being understood and that this admin person has understood viruses is something that can be transmitted so has naturally thought that a human could transmit a virus to a computer maybe one day you know we've got the matrix behind you so maybe we're all just living in the matrix so it could be true well that's what Neil said a long time to think is that we're all living in a matrioshka reality so why not right yeah yeah I mean well whatever gives you the justification to do whatever you want to do in life do you know what I mean or it's been amazing talking to you today um thank you so much um as ever with the audience if you want to ask a question if you want us to go find uh or and I think we're definitely going to have you on again because I'm talking to you has been absolutely fascinating um but um yeah like if you want us to talk about particular thing or you like the meme or whatever drop a comment let us know we will try to do what we can do and get you your your questions to an expert now I'm just going to summarize really quick um which um you know I think the reality is there's no such thing as as greenfield sites anymore it's you know there's there's all that existing technology and what's happening in the cloud and people have got to find the right levels of um appropriate uh security and they've got to have just enough for their needs and they've got to do 
their research before they go and turn things on and off but they've got to take that responsibility themselves and the main thing that I put on here my big note is authenticate where appropriate um and I think that is is the I suppose the key thing that I've taken away for hardening um hardening your servers cool yeah cool so I did so I did listen and I did learn something so it was definitely worth that's one person converted or and so that's you've done you've done your your job for today um thank you um well um as always um massive thank you for watching um and if you like I said if you want to know more do let me know this has been Tom and this has been oran oran yeah and and we've we've thoroughly enjoyed our time together and we will see you soon on another episode from the rock to the cloud thanks a lot cheers everybody bye