So I'm joined by my colleague, Aaron Thomas. Aaron, thanks for joining me. G'day, Sonia. G'day, viewers. Today, Sonia and I are going to talk about optimizing your Windows Server. Now, Sonia, Windows Server's been around for a while. It has. It was one of the first things I got into tech-wise, was installing that very first version of Windows NT Server back in 1993. And I got started with Windows NT4, so Sonia's been mucking around with it longer than I have. A little bit.

Now, Windows Server is important for a lot of organizations. It hosts a ton of different workloads. You know, it hosts identity. Yeah, networking, file sharing, remote desktop services. And that's the thing about Windows Server. It really is not just a piece of an infrastructure platform. It does provide so many services that it runs itself. And then you can put on top Microsoft applications, custom applications, containers, websites. And it's a really excellent general-purpose operating system that kind of gets forgotten a bit because it just does what you put it in there to do.

So today, we're going to go through several things in this next section. What are we going to cover, Sonia? Let's start with modernizing the operating system. So if the servers have been around a little while, we need to get them up to one of the latest versions. We'll talk about why and the easiest way to do that. Then we'll look at securing the operating system settings. So going back and revisiting some of the things that you might have configured previously, that need a little bit of an update. And then we'll cover optimizing your file shares. So again, what can you do with that workload where you're sharing the files that people in your company make to make that a better experience? Absolutely.

Now, one of the things that we need to, and one of the reasons we're talking about modernizing your operating system, is that a lot of people sort of deploy Windows Server and it works and they just, that works, right?
So if it works, if you've been in IT long enough, you know it works, you're not gonna muck around with it. But we do have an end of support deadline coming up. And as you can see on this slide here, well, Windows Server 2012 and 2012 R2 are going to reach end of support October 10, 2023, which is less than a year from now. So what we're gonna do now is we're gonna quickly jump into a demo to show you how to migrate off an older version of Windows Server across to a new version, which is Windows Server 2022 running Server Core.

What are we starting with, Sonia? Yeah, this is Windows Server 2008 R2. Now I know none of our viewers have got this version of operating system running in their environments anymore, but let's just pretend for a minute that we do have one of these really old versions. So what we're showing you here is a file server. And this file server's got a bunch of folders. We've got Jupiter, Mars, Mercury, Saturn, Venus and Ned's dogs. Now what I wanna show you about this file server is not only these folders, but I wanna show you the permissions here. And you can see that the Jupiter group is assigned share permissions to that folder, the Jupiter shared folder and that the Mars group is assigned permissions to the Mars shared folder and so on and so forth.

So the next thing we're doing is we're switching across and we're setting up a PowerShell session to our destination server. So we're gonna take this 2008 R2 server and we're gonna move it across to Windows Server 2022. So we've got a source server and a destination server and our destination server is Temp Adelaide. So that's one you've already prepared earlier, right? We're not doing an in-place upgrade here. You actually built that box brand new and fresh and we're gonna move all of the settings and files off the old box and onto the new one. Absolutely. And there's nothing else on that box other than it being a Server Core machine.
And you can see I've done a directory there and the directory's showing that on the E drive, there's nothing. So just showing you this is our before and there's nothing sitting there at the moment.

So what we're gonna do now is we're going to come into Windows Admin Center and in Windows Admin Center, we're going to select the Storage Migration Service. Storage Migration Service is a really cool tool that allows you to pick up one file server and drop all of the contents of that on another server. And then when you do that, it's also gonna pull across the identity of that server, all of the permissions of that server and all of the networking information of that source server. It's gonna drop it onto the other one. That's pretty cool because I can't just do that with an xcopy or a Robocopy. It's not gonna take all of that server identity and port it over as well.

Yeah, so what we do is we first go and we create a new job. So we select new job and we give it a name and we're calling it MIGFS ADL for Adelaide. Okay, then what we're going to do is we're going to provide some credentials. And then once we've provided the credentials, it checks whether or not we need any extra features to perform this migration. And then what we do is we choose our source device. Now, in this case, we're choosing that Windows Server 2008 R2 server. We select that, we click add. And then what we do is we validate that we can make that connection. And once we've performed that validation, what we then do is an inventory scan to find out all the information that we need to know about that source server.

Now that we've done that, what we're going to do is provide the credentials to the destination server. So I specify the name of the destination server and I do a scan on that and I see the configuration of that destination server. Now that configuration of the destination server has the same volume structure. It's got a C drive and an E drive as the source server.
That's going to make transferring those files really easy because I'm not saying move that share across to that volume, that share across to that volume. And it's gone then and looked at the inventory of that source server and said, right, here's all of the stuff that we've found on that source server. Do you want to move all of this across? Yeah, and I like the fact that you can deselect that, right? So we don't have to move everything and it's going to pick up some of these system level shares like the print folder that we don't need to migrate. So we don't need to move the print folder across.

What we do is we then set up all of the transformation or the translation settings, how many retries need to occur, whether or not we need to install any extra features to get it to work. Then we go and then put in some final credentials. It then goes and checks. It installs the Storage Migration Service proxy. It'll then do a validation. It'll check whether or not what we've asked it to do is actually sane. We then start the transfer. When we start the transfer, it picks up all the stuff that's on the source server and moves it across to that destination server.

And once that copy has completed, the next thing we can do is we can actually go and check that that has all occurred before we do the cutover of the name and identity six. So we've gone back to temporary Adelaide. We go into the E folder. We do a directory. We can see all of those folders are there. We can go into the NEDsDogs directory and we can see that files have also transferred across. Great stuff.

So once we've validated that all the files have come across, the next thing we need to do is we need to take the identity of that source server and then bring it across and stamp it on that destination server and then rename the source server so there's no conflicts going on. Yeah, and it's not just the name. It's all of those networking details as well.
And the reason that this is so important is because you might have custom applications in your environment that somebody has hard-coded in an IP address or a server name. And this kind of change can break a lot of things but by literally assuming the identity on the new server of the old system, we're preserving this continuity so that when you make these changes, hopefully everything else from that legacy environment should still work because as far as they're concerned, it's the same server.

So we've gone through all that process. The cutover's occurred. We can then jump onto the newly renamed Adelaide server that's now running Windows Server 2022. We can jump down to the command prompt. We can open up Windows Explorer. We can go to the E volume and you can see we've got exactly those same files, folders and permissions that we had when we started on Windows Server 2008.

Okay, Sonia, we want to secure an operating system. How do we do that? Yeah, absolutely. So when we talk about security, we have this concept of defense in depth and what we're trying to do is make it as hard as possible through all of the different layers of the process and all the different layers of the technology stack. It's kind of like making sure that all of the locks in your house, everything's locked up tightly. You might have a safe that has some important documents in it and so we'll start by securing the operating system. What can we do at that level on the Windows Server to make it as tight as possible?

And you can see on this slide here, we've got use Server Core. Make sure you only install the stuff you need to be on the server. Make sure you limit who has administrative access to the server. Turn on BitLocker to encrypt the drives. Turn on Windows Defender Application Control to control what applications are present. Turn on Microsoft Defender for Servers to perform all of your anti-malware protection and then use secure core server technology.
Now, if I wanted to harden Active Directory, what do I do, Sonia? So it's really important to make sure that you're bringing your domain controllers up to Windows Server 2022 for the security features that are in there but it's also about going back and doing things like auditing and then disabling NTLM. Some of those older authentication protocols that were designed for a world that doesn't exist anymore. Minimize the amount of access and who's got domain admin rights and use things like group managed service accounts to provide identities for your services. Use local admin password solutions to manage local passwords on your accounts and then use Microsoft Defender for Identity to pick up behavioral patterns and people authenticating against Active Directory. And that'll give you a good idea and that's where the other aspect of modernizing your Windows Server infrastructure is that you wanna start to adopt appropriate cloud technologies and the new versions of Windows Server and you should always be running the most recent, the most secure version of Windows Server can plug in to those cloud technologies.

In terms of securing network communication, implement domain isolation policies and I'll explain what those are in a moment. Use privileged access workstations. So don't allow just anybody to use any computer to perform admin tasks. Make sure they're using a really locked down computer. Minimize the communication with the internet. Odds are, most of your servers on your on-prem network don't need to communicate with anything on the internet. They might need to communicate with a couple of Azure services, but that's about it. Audit and disable older protocols such as SMB1 and then require things like SMB3 encryption and signing. So what we'll do now is a quick demo showing a connection security rule.
Okay, so you can see here that we've got three servers sitting in an organizational unit and what we're gonna do is we're going to use Group Policy to apply a rule to those that limits how communication can occur with those servers. So what we do is we open up the Group Policy Management Console. Once we've got the Group Policy Management Console we navigate through the Group Policy Management Console to select that organizational unit that we've created called file servers. We create a GPO and link it in that location. We then go and edit that policy.

Now we're gonna do two things in the policy. The first thing we're gonna do is we're going to go into the policy and disable NTLM authentication for those servers, which means that anybody who's authenticating to those servers can only use the Kerberos protocol to do so. And we do that by selecting this network security restrict NTLM incoming and say deny all accounts from authenticating.

The next thing we're going to do now that this policy's been set is we're gonna create a connection security rule. And what a connection security rule does is it restricts communication to that server only to users and computers that have authenticated with the domain using Kerberos. So here we select isolation, we select require authentication for inbound connections and request it for outbound connections. And then we specify computer and user Kerberos authentication. We give it a name, we click finish and that policy is now set and ready to be applied.

So now let's look at optimizing the file shares. You can use DFS Namespaces to provide an entry point for your users that's consistent regardless of which server they're hitting in the backend. Use controlled folder access to only allow trusted applications to be able to act on those folders. Turn on deduplication to help you save some disk space and then System Insights also helps with that disk space capacity forecasting.
And as well, you can use Azure File Sync to do some cloud tiering again to protect and free up some of that disk space management on your servers.

And what we'll do now is we'll do just a quick demo showing how a file screen works. And file screens are a cool technology that's been around for a while that allows you to block certain file types from being written to file shares. We use File Server Resource Manager to set that up. We go to file screen management. We select file screens. And what we do is we create a new file screen. So here we specify we wanna block executable files and we specify the path where we wanna block them. So in this case, we're blocking the Jupiter folder with the Jupiter shared folder on our file sheet. We click create and that applies.

So let's demonstrate that working. You can see here we've got notepad.exe, which I've just copied from System32 and it's an executable file. Now let me show you a normal shared folder. So here I'm navigating across to Adelaide 2 and I go to the Mercury folder. And what you can see is I can drop notepad straight onto that folder and it writes it there. So that's an executable file going there. What I can then do is go back to Jupiter where I put the file screen and I can't copy that executable there. So that's how a file screen works.

So to summarize, Oren, we've covered quite a lot of points today, but it comes down to modernizing your operating system, getting them up to those latest versions for security and cloud capabilities. Going back and securing them by changing some of those operating system settings and also using those settings to optimize your file shares and your disk management. Remember, Windows Server is a fantastic platform for you, but you need to keep it up to date. Keep those end of support deadlines in mind and use them as a catalyst to upgrade your environment. Thank you very much for your attention.