4 best practices to keep your Windows Server estate secure and optimized
By Patrick Widjaja Product Marketing Manager, Azure Marketing
Windows Server customers often share with us the challenges of navigating rapid changes in recent years. Many of their IT estates have expanded to support growth, while teams are often changing, with talent coming and going. You may find your organization in a similar situation, with a sprawled IT estate that includes a mix of legacy and new applications and hardware. This can leave room for potential security vulnerabilities and compliance gaps, but also opportunities to optimize.
We are committed to supporting you through the next stages of optimization and growth in your organization, which starts with a secure IT foundation. Here are four best practices to keep your Windows Server estate secure and up-to-date:
1. Watch for update notifications and have a strategy to apply the latest security patches
A critical but often overlooked best practice is having a strategy to apply the latest security patches that are released. Our team continuously monitors and listens to customer feedback on any issues they have encountered and creates patches to address these. These are released on the second Tuesday of every month (known as Patch Tuesday). Keeping your various systems up-to-date with the latest patches will secure workloads and optimize day-to-day performance and operations. Learn more about best practices for software updates.
However, we know that patching also usually means rebooting and ultimately downtime for your workloads. If you are in Microsoft Azure, you can take advantage of Hotpatch, which allows you to keep your Windows Server virtual machines on Azure up-to-date without rebooting, enabling higher availability with faster and more secure delivery of updates.
2. Get deeper visibility and management capabilities at no additional cost
Many Windows Server customers are familiar with the native Windows Server Microsoft Management Consoles (MMC). Windows Admin Center is the modern evolution of “in-box” management tools such as Server Manager and MMC. It has become the solution for managing Windows Server infrastructure, giving you deep management, troubleshooting, configuration, and maintenance capabilities over your server clusters.
It can be locally deployed with no cloud dependency or can be used within the Azure portal through direct integration, enabling you to carry over the simple and familiar UI when you decide to start adopting the cloud. Learn more in the Windows Admin Center documentation or download it today for free.
3. Check for end of support versions and prepare to modernize
Most organizations are likely to have a mix of Windows Server versions that support a variety of applications. Each version of Windows Server is backed by 10 years of support (5 years for mainstream support and 5 years for extended support) that includes regular security updates, per the Microsoft lifecycle policy. After the end of support date, a version and its workloads will be vulnerable as they will no longer receive regular security updates. Windows Server 2012/R2 is the next version to reach the end of support, on October 10, 2023.
With this in mind, a critical step towards optimizing performance and tightening security is to check for Windows Server 2012/R2 versions, which will reach end of support soon. You can do this with built-in tools such as Server Manager or PowerShell, or at scale with Azure tools such as Azure Migrate or Azure Arc. You should also map out application and hardware dependencies on Windows Server to determine the next best step:
- Upgrading to the latest version such as Windows Server 2022 will provide the latest security, performance, and application modernization innovation. Learn more about how to perform in-place upgrades.
- If you are unable to upgrade by the end-of-support date, you can continue to stay secure on current versions by getting extended security updates¹ for up to three years free in Azure or purchasing them for deployment on-premises.
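One way to run the PowerShell check described above, as an added example that is not part of the original post. The server names are constructed placeholders, and the script assumes WinRM/CIM remoting is enabled on the targets and that you have rights to query them.

```powershell
# Added example: flag Windows Server 2012 / 2012 R2 hosts ahead of end of support.
# $Servers is a constructed placeholder list; replace it with your own inventory.
$Servers      = @('SRV-APP01', 'SRV-DB01', 'SRV-FILE01')
$EndOfSupport = [datetime]'2023-10-10'   # end-of-support date stated in the article

# Kernel versions reported by Win32_OperatingSystem:
# 6.2 = Windows Server 2012, 6.3 = Windows Server 2012 R2
$Affected = @{ '6.2' = 'Windows Server 2012'; '6.3' = 'Windows Server 2012 R2' }

$report = foreach ($name in $Servers) {
    try {
        $os  = Get-CimInstance -ClassName Win32_OperatingSystem `
                               -ComputerName $name -ErrorAction Stop
        $ver = [version]$os.Version
        $key = '{0}.{1}' -f $ver.Major, $ver.Minor

        # ProductType 1 is a workstation (Windows 8/8.1 share these kernel
        # versions), so only ProductType 2 (DC) and 3 (server) are flagged.
        $flag = ($os.ProductType -ne 1) -and $Affected.ContainsKey($key)

        [pscustomobject]@{
            Computer    = $name
            Caption     = $os.Caption
            Version     = $os.Version
            NeedsAction = $flag
            DaysLeft    = if ($flag) {
                              [math]::Floor(($EndOfSupport - (Get-Date)).TotalDays)
                          } else { $null }
            Status      = 'Queried'
        }
    }
    catch {
        # Report unreachable hosts instead of dropping them: an unknown OS
        # version is itself a gap in the inventory.
        [pscustomobject]@{
            Computer    = $name
            Caption     = $null
            Version     = $null
            NeedsAction = $null
            DaysLeft    = $null
            Status      = "Unreachable: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object NeedsAction -Descending | Format-Table -AutoSize
```

Hosts with `NeedsAction` set to `True` are the candidates for the upgrade or extended security update options listed above; a negative `DaysLeft` means the end-of-support date has already passed.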
4. Utilize cloud-native services for enhanced security and compliance anywhere
Whether your organization has migrated to Azure or is just starting to consider the cloud, here are some steps you can take now to enhance your security with Microsoft:
- Already in Azure: To maximize your security coverage in Azure, be sure to check your secure score and improve it by enabling services such as Microsoft Defender for Cloud, Microsoft Sentinel (cloud-native SIEM), and Azure Network Security.
- Have workloads on-premises: Extend Microsoft Defender for Servers to your on-premises Windows Servers by connecting them to Azure Arc.
- Ready to migrate to Azure: When you are ready to migrate workloads to Azure, your first step can be an assessment with Azure Migrate or getting expert help and support through the Azure Migration and Modernization Program.
We hope these best practices serve as starting points to help you increase security and optimize the performance of your IT platform, so you can focus on supporting business growth. Be sure to explore the resources below for further information:
- Learn more about capabilities and offers for Windows Server on Azure.
- Watch our recent webinar on-demand titled “Optimizing Windows and SQL Server Security in Azure.”
- Register for our upcoming webinar titled “Cloud Migration Stories: Windows and SQL Server with Azure” on March 29, 2023, at 10 AM Pacific Time.
- Take the recently available Windows Server Hybrid Administrator Certification to apply your current Windows Server knowledge and learn how to apply it in the current state of hybrid cloud computing.
- Learn more about your options for Windows Server 2012/R2 end of support.
- Join the Windows Server Tech Community for regular Ask Me Anything (AMA) sessions.
¹ In alignment with the servicing model for Windows 7 and Windows 8.1, the Windows Server 2012 and 2012/R2 ESU program will only include Monthly Rollup packages; Security Only update packages will not be provided.