Active Directory Certificate Services (AD CS) is the foundation Microsoft admins use to build a Public Key Infrastructure (PKI): it provides public-private key cryptography, digital certificates, certificate authorities (CAs) and digital signing capabilities. With AD CS, admins can implement WPA2-Enterprise with 802.1X authentication, the best combination for wireless security.
However, AD CS can be tricky and many IT admins make mistakes during the configuration process. One such mistake is installing AD CS CAs on a Domain Controller (DC) instead of another server.
Don’t Install AD CS on Domain Controllers
While it’s possible to install an AD CS CA on the same server as a DC, doing so creates several problems for admins down the road. For starters, every DC eventually has to be decommissioned, and that process becomes more complicated when the DC also hosts AD CS: admins must first migrate the CA off the DC before it can be decommissioned.
Secondly, upgrading an AD CS CA that lives on a DC means upgrading the DC’s OS. That requires decommissioning the DC and, as we’ve just stated, removing AD CS from it first. One of the worst problems arises if the DC fails: admins then face the grueling task of restoring both the DC and the CA at the same time, and while the CA is down, certificate validation and certificate-based authentication are affected.
Installing AD CS on a DC is also bad security practice, because installing any additional role on a DC increases its attack surface. AD CS has several known security gaps of its own, and when the CA runs on the same server as a DC, a compromise of the CA becomes a compromise of the DC.
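As an added example that is not part of the original post, the following PowerShell check lets an admin confirm whether any enterprise CA in the domain is co-located with a domain controller. It assumes the ActiveDirectory RSAT module is available and, for the local variant, that it runs on Windows Server where the ServerManager module provides Get-WindowsFeature.

```powershell
# Added example: find enterprise CAs that are hosted on a domain controller.
# Assumes the ActiveDirectory module (RSAT) is installed; run as a domain user.
Import-Module ActiveDirectory

function Get-EnterpriseCAHosts {
    # Enterprise CAs register a pKIEnrollmentService object in the Configuration
    # partition; its dNSHostName attribute names the server hosting the CA.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -Filter 'objectClass -eq "pKIEnrollmentService"' `
        -Properties dNSHostName |
        ForEach-Object {
            [pscustomobject]@{ CAName = $_.Name; Host = $_.dNSHostName }
        }
}

function Get-DomainControllerHosts {
    # Host names of every DC in the current domain.
    Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
}

function Test-CAOnDomainController {
    # One row per enterprise CA; OnDomainController is $true when the CA host
    # is also a DC, which is the configuration the post advises against.
    $dcHosts = Get-DomainControllerHosts | ForEach-Object { $_.ToLower() }
    foreach ($ca in Get-EnterpriseCAHosts) {
        [pscustomobject]@{
            CAName             = $ca.CAName
            Host               = $ca.Host
            OnDomainController = ($dcHosts -contains $ca.Host.ToLower())
        }
    }
}

function Test-LocalCAOnDomainController {
    # Local variant for a single server: DomainRole 4 or 5 means this machine
    # is a DC; ADCS-Cert-Authority is the CA role feature.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDC = $role -in 4, 5
    $caInstalled = (Get-WindowsFeature -Name ADCS-Cert-Authority).Installed
    return ($isDC -and $caInstalled)
}

Test-CAOnDomainController | Format-Table -AutoSize
```

Any row with OnDomainController set to $true is a CA that will need to be migrated before that DC is upgraded or decommissioned.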
Configure a Managed PKI with AD CS
While AD CS allows admins to build a PKI, it has a major disadvantage compared with a third-party PKI solution: AD CS is an on-prem service, so it requires admins to keep maintaining on-prem legacy systems.
On-premises PKIs are incredibly expensive to set up because there are so many components to include, each with its own price tag. Enterprises need to pay for hardware and software implementation, maintenance fees, software licensing, secure hardware storage, data backup, disaster recovery, and much more. Many of these expenses are hidden costs, meaning enterprises aren’t aware of them until it’s too late.
Instead, Microsoft admins can integrate their AD CS setup with a Managed Cloud PKI solution which removes the workload of implementation and management from admins and provides full cloud capabilities.
Configure SecureW2’s Cloud PKI and CloudRADIUS with AD CS
One thing that is often forgotten is that many PKI solutions can be used in tandem with Microsoft CAs. AD CS requires a lot of man-hours to configure and set up, and even more to maintain. With a managed PKI service like SecureW2, however, the labor-intensive tasks of running a PKI are automated.
SecureW2’s PKI simplifies certificate issuance and management. Admins can easily search for certificates by username, SAN, operating system, and much more. You can also select individual users and see all their certificates and devices, alongside their certificate enrollment logs, making remote troubleshooting a breeze. It also significantly improves the certificate enrollment process.
Included in our PKI solution is the JoinNow onboarding software that allows BYOD devices of any operating system to easily self-enroll for certificates. Plus our advanced API gateways empower admins to send payloads that allow managed devices to enroll themselves for certificates in ultra-secure fashion.
Along with our PKI and onboarding software, SecureW2 provides CloudRADIUS, a turnkey RADIUS solution that can be implemented in virtually any environment because it works with all major SAML and LDAP Identity Providers, such as AD or Azure AD. Designed from the ground up for certificate-based EAP-TLS authentication, it avoids sending credentials over the internet and eliminates the risk of credential theft.
CloudRADIUS comes with all the benefits of cloud computing, including 24/7 availability and built-in redundancy to easily handle large onboarding events. Being in the cloud also makes CloudRADIUS more scalable than on-prem alternatives, so it is easy to expand your network’s capabilities as your business grows. Security and user experience are both bolstered because CloudRADIUS performs digital certificate-based EAP-TLS authentication.
Installing AD CS on a DC is not recommended because of the security risks it creates and the labor-intensive tasks when it comes time to upgrade or decommission. Instead, configure your AD CS with SecureW2’s PKI and CloudRADIUS, which automate most IT tasks and strengthen network security overall. Plus, our services come at a reasonable price.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Sam Metzler. Read the original post at: https://www.securew2.com/blog/should-i-install-ad-cs-on-domain-controller