You can apply several best practices to optimize Compute Engine instances that run Microsoft Windows Server. This article describes how you can use other products available on Google Cloud to ensure that your Windows instances run optimally in terms of performance, security, redundancy, and availability. For further information on configuration and setup of Windows instances, see Windows Workloads. For Microsoft SQL instances, refer to Best Practices for SQL Server.
General Compute Engine best practices
- Understand which versions of Windows Server are supported, which are best suited for your use case, and which might be coming up to the end of Windows Server support on Google Cloud. For further information, see the Lifecycle FAQ from Microsoft.
- Understand how to correctly Add a persistent disk to your Windows VM.
- Enable or disable Windows Server operating system features according to what the services run by your organization require. Unused features consume resources unnecessarily.
- If you are using a Pay-as-you-go (PAYG) license, launch new instances with the latest image version provided by Google Cloud public images.
Security
- If you are running Windows, you should be running antivirus software. Malware and software viruses present a significant risk to any system connected to a network, and antivirus software is a simple mitigation step you can use to protect your data. Microsoft provides advice on antivirus software.
- Understand how to create new local users and grant/revoke Administrator privileges on local accounts to limit access to critical applications and system files.
- If you are using Active Directory, make use of Configuring User Access Control and Permissions to implement the principle of least privilege for user permissions within the Windows operating system. For further information, see the summary of best practices for Active Directory.
Backup & Recovery
- Routinely review and verify your backup and recovery strategy.
- Enable regular Persistent Disk Snapshots for a quick recovery from a previous backup if there is a VM failure.
- Only enable VSS snapshots on data volumes and where the application is VSS compatible. Avoid creating VSS snapshots on the operating system disk because the VSS service marks this disk as read-only.
Patch Management
- Confirm your Windows operating system is updated to the latest version and all system and quality updates (also referred to as "cumulative updates" or "cumulative quality updates") are installed.
- Make use of automatic Windows Update on your instance. Microsoft releases patches on the second Tuesday of each month at minimum. You should have a strategy for applying these updates to help safeguard the system from known bugs and vulnerabilities. If automatic restarts are not an option, consider creating patch jobs by using VM Manager, which can schedule updates and restart your instances at an appropriate time.
Logging and Monitoring
- Enable virtual displays to better understand the current state of the operating system, and to allow you to view the console in case your instance is inaccessible.
- If your VM instance is stopped, logs from the serial console are no longer available. To retain these logs, you can stream serial port output to Cloud Logging and use the stored output to assist with troubleshooting and auditing.
- Consider configuring the Ops Agent to centralize the logs you see in Event Viewer by streaming them to Cloud Logging. This allows for easier retrieval of the logs and more consistent retention. This step is completely optional, but recommended.
- Consider installing the Ops Agent to monitor and retain the monitoring data of your instance performance.
- Consider streaming logs from third-party applications.
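An added example, not part of the original guidance: a Python check that reads the JSON printed by gcloud compute instances describe and gcloud compute disks describe (with --format=json) and reports which of the virtual display, serial port logging, and snapshot schedule recommendations above an instance does not meet. The instance, disk, and project names are constructed sample data, and the accepted metadata value is an assumption.

```python
import json

# Constructed sample data shaped like the JSON from `gcloud compute instances
# describe` / `gcloud compute disks describe`; all names are hypothetical.
SAMPLE_INSTANCE = json.loads("""
{
  "name": "win-app-01",
  "displayDevice": {"enableDisplay": false},
  "metadata": {"items": [{"key": "serial-port-logging-enable", "value": "true"}]},
  "disks": [
    {"boot": true, "source": "projects/example-project/zones/us-central1-a/disks/win-app-01"},
    {"boot": false, "source": "projects/example-project/zones/us-central1-a/disks/win-app-01-data"}
  ]
}
""")
SAMPLE_DISKS = {
    "win-app-01": {"resourcePolicies": [
        "projects/example-project/regions/us-central1/resourcePolicies/daily-snapshots"]},
    "win-app-01-data": {},
}


def audit_instance(instance, disks_by_name):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not instance.get("displayDevice", {}).get("enableDisplay", False):
        findings.append("virtual display is not enabled")

    # Instance-level metadata only: the key can also be set project-wide, which
    # this check does not see. Assumes the value "true" (any case) enables it.
    items = instance.get("metadata", {}).get("items", [])
    metadata = {item["key"]: item.get("value", "") for item in items}
    if metadata.get("serial-port-logging-enable", "").lower() != "true":
        findings.append("serial port output is not streamed to Cloud Logging")

    # A resource policy attached to a disk is taken to be its snapshot schedule.
    for attached in instance.get("disks", []):
        disk_name = attached["source"].rsplit("/", 1)[-1]
        disk = disks_by_name.get(disk_name)
        if disk is None:
            findings.append(f"disk {disk_name}: no description supplied")
        elif not disk.get("resourcePolicies"):
            findings.append(f"disk {disk_name}: no snapshot schedule attached")
    return findings


if __name__ == "__main__":
    for finding in audit_instance(SAMPLE_INSTANCE, SAMPLE_DISKS):
        print(f"{SAMPLE_INSTANCE['name']}: {finding}")
```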
Google-related drivers, agents & features
- When you use Microsoft software, you are responsible for understanding and complying with any licensing agreements that you might have with Microsoft. To understand the requirements and options for licensing, refer to the Microsoft Licenses documentation.
- Keep the guest environment updated in line with your Windows Update strategy. Regularly updating the guest environment of your Windows instance will ensure you are running the latest and most stable version of all necessary Google Cloud agents and drivers.