Active Directory Certificate Services Advice Roils PKI Security Experts
The idea came off as a simple one: implement Microsoft's Active Directory Certificate Services (AD CS) and you'll be on your way to a more secure infrastructure. That was the premise of this month's Windows Insider column by Greg Shields, which was quickly criticized by some well-known Microsoft security MVPs and PKI experts.
Among the critics who posted comments were Brian Komar, author of a number of books and guides on Windows PKI security, including Windows Server 2008 PKI and Certificate Security, and MVP Paul Adare, a consultant and trainer with a focus on enterprise PKI and Active Directory Rights Management Services (RMS) deployments. Several others weighed in, all lambasting Shields for suggesting that deploying AD CS will jump-start a more secure IT infrastructure.
"This is one of the worst security related columns I have ever seen," Adare wrote in the comments section. "Redmond magazine should be ashamed for allowing this to be published at all. As an MVP myself, and one who specializes in AD CS, I'm embarrassed by this." Komar suggested we should remove the article from our site. "It really should be pulled as it would only create disaster in a company as written," Komar noted. "One of the worst articles I have ever read on PKI. This should be titled ADCS: Worst Practices."
Several commenters criticized Shields for suggesting that you should install an AD CS role onto an existing Active Directory domain controller. That turned out to be a typo, which has since been corrected; the fix appeased some critics but not others, who took issue with the column beyond the typo. Shields acknowledged that describing the deployment of AD CS as a best practice wasn't the best phrasing and said he regretted the implication. In a rebuttal, Shields said some of his critics had missed his point.
"The comments below have succeeded in manifesting the opposite effect of what I had originally intended. My goal was to merely incent individuals to get started and to highlight a barest minimum of steps that might accomplish that -- even as those steps aren't, as y'all have stated, the very best ones," Shields responded. "There appears an unspoken assertion in these comments that the mere presence of this article presents something like a danger to society. But let's be rational adults here. Would any IT pro, experienced or no, seriously go about creating a PKI solution based solely on a handful of paragraphs in a trade magazine? Likely not."
Shields added that the point of his column was to get people started toward building more secure infrastructure and perhaps on the road to building a more extensive PKI. "And if they turn to Brian's book, Paul's community contributions or the body of PKI knowledge elsewhere, then I've accomplished my goal."
I reached out to David Strom, a longtime colleague and expert on networking, security, PKI and other issues, to get his take on the column and subsequent criticism. "There's an element of truth in both sides," said Strom. "Yes, CAs should be used more, and you should know what you are doing."
Posted by Jeffrey Schwartz on 06/04/2015 at 12:24 PM