Active Directory Certificate Services Advice Roils PKI Security Experts -- Redmondmag.com

The Schwartz Report

Active Directory Certificate Services Advice Roils PKI Security Experts

The idea came off as a simple one: implement Microsoft's Active Directory Certificate Services (AD CS) and you'll be on your way to a more secure infrastructure. That was the premise of this month's Windows Insider column by Greg Shields, which was quickly criticized by some well-known Microsoft security MVPs and PKI experts.

Among the critics who posted comments were Brian Komar, author of a number of books and guides on Windows PKI security including the Windows Server 2008 PKI and Certificate Security and MVP Paul Adare, a consultant and trainer with a focus on enterprise PKI and Active DIrecotry Rights Management Services (RMS) deployments. Several others weighted in, all lambasting Shields for suggesting that deploying AD CS will jump start a more secure IT infrastructure.

"This is one of the worst security related columns I have ever seen," Adare wrote in the comments section. "Redmond magazine should be ashamed for allowing this to be published at all. As an MVP myself, and one who specializes in AD CS, I'm embarrassed by this." Komar suggested we should remove the article from our site. "It really should be pulled as it would only create disaster in a company as written," Komar noted. "One of the worst articles I have ever read on PKI. This should be titled ADCS: Worst Practices."

Several commenters criticized Shields for suggesting that you should install an AD CS role onto an existing Active Directory domain controller. It turned out that was a typo which has since been updated, which appeased some but not others, who took issue with the column beyond the typo. Shields acknowledged and regretted the implication of deploying AD CS as a best practice wasn't the best phrasing. In a rebuttal Shields said some of his critics missed his point.

"The comments below have succeeded in manifesting the opposite effect of what I had originally intended. My goal was to merely incent individuals to get started and to highlight a barest minimum of steps that might accomplish that -- even as those steps aren't, as y'all have stated, the very best ones," Shields responded. "There appears an unspoken assertion in these comments that the mere presence of this article presents something like a danger to society. But let's be rational adults here. Would any IT pro, experienced or no, seriously go about creating a PKI solution based solely on a handful of paragraphs in a trade magazine? Likely not."

Shields added that the point of his column was to get people started toward building more secure infrastructure and perhaps on the road to building a more extensive PKI. "And if they turn to Brian's book, Paul's community contributions or the body of PKI knowledge elsewhere, then I've accomplished my goal."

I reached out to David Strom, a longtime colleague and expert on networking, security, PKI and other issues, to get his take on the column and subsequent criticism."There's an element of truth in both sides," said Strom. "Yes, CAs should be used more, and you should know what you are doing."

Posted by Jeffrey Schwartz on 06/04/2015 at 12:24 PM

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.