Active Directory Certificate Services (AD CS) is the Windows Server role that issues X.509 digital certificates. Certificates are harder to phish, guess or reuse than passwords, and they are widely used to authenticate users and devices to Wi-Fi, VPN and web applications. Microsoft recognized this early: Certificate Services shipped with Windows 2000 Server and was renamed AD CS with Windows Server 2008, with the goal of making certificate deployment easy in Active Directory environments. The role has changed little since then, and it can be tricky to operate; many IT admins run into problems managing a Public Key Infrastructure (PKI) and its certificates with it.
In this article we go through three tips that will help you run AD CS securely and to its full capability.
Don’t Use Default AD CS Certificate Templates
The first step in building your AD CS certificate templates should always be to plan which templates you actually need. The built-in templates are meant to be building blocks that you duplicate: the Certificate Templates console does not let you create a template from scratch, so duplicate a built-in template, modify only the copy, and leave the original untouched (and, if you do not need it, unpublished on your CA).
Mark the duplicates with an identifier; we recommend prefixing the template name with your organization's name so the custom templates are easy to recognize and group together.
By default, Enterprise Admins can manage certificate templates. To tighten this, create dedicated security groups and separate the roles so that only approved admins can modify templates and only the intended users or devices can enroll. This step matters because a template that grants Enroll to a broad group such as Domain Users or Authenticated Users, and lets the requester supply the subject name, effectively allows any end user to request a certificate for any identity, including a wildcard certificate that is valid for a domain and all of its subdomains. A certificate like that is as good as a stolen credential for every service it covers.
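The following PowerShell script is an added example (not SecureW2's code) that audits the points above: it lists every template in the forest, flags those not marked with your organization's prefix, those that let the enrollee supply the subject name, and those whose ACL grants Enroll or template-control rights to broad groups, and notes whether each template is published on an enterprise CA. It assumes the RSAT ActiveDirectory module is installed, that you can read the Configuration partition, and that `CONTOSO-` is a hypothetical prefix your organization uses for duplicated templates.

```powershell
# Added example, not SecureW2's code: audit AD CS certificate templates for the
# naming and permission issues discussed above.
# Assumptions: RSAT ActiveDirectory module installed, read access to the
# Configuration partition, and 'CONTOSO-' is a hypothetical org prefix.
Import-Module ActiveDirectory

$OrgPrefix = 'CONTOSO-'                                              # assumption: your naming convention
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'     # Certificate-Enrollment extended right
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1                             # bit in msPKI-Certificate-Name-Flag
$BroadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'
$ControlRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty'

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiServices = "CN=Public Key Services,CN=Services,$configNC"

# Only templates published on an enterprise CA can actually be enrolled against.
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiServices" `
    -Filter { objectClass -eq 'pKIEnrollmentService' } -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiServices" `
    -Filter { objectClass -eq 'pKICertificateTemplate' } `
    -Properties displayName, 'msPKI-Certificate-Name-Flag'

foreach ($t in $templates) {
    $findings = @()

    # Duplicated templates carry the org prefix; anything else is a built-in
    # template that should stay unmodified and, ideally, unpublished.
    if (-not $t.Name.StartsWith($OrgPrefix)) {
        $findings += 'no org prefix (built-in template?)'
    }

    # If the enrollee may supply the subject name, whoever can enroll can ask
    # for a certificate for ANY identity, wildcard names included.
    $nameFlag = [int]$t.'msPKI-Certificate-Name-Flag'
    $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    if ($suppliesSubject) { $findings += 'enrollee supplies subject' }

    # Role separation: who can enroll, and who can change the template itself?
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        $isBroad = ($BroadPrincipals | Where-Object { $who -like "*\$_" -or $who -eq $_ }).Count -gt 0

        $extended = $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        $allRights = $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        # An empty ObjectType on an ExtendedRight ACE means "all extended rights", Enroll included.
        $canEnroll = $allRights -or ($extended -and ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [guid]::Empty))
        if ($canEnroll -and $isBroad) { $findings += "broad Enroll: $who" }

        $hasControl = $ControlRights | Where-Object {
            $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$_)
        }
        if ($hasControl -and $isBroad) { $findings += "broad template control: $who" }
    }

    [pscustomobject]@{
        Template        = $t.Name
        DisplayName     = $t.displayName
        Published       = $published -contains $t.Name
        SuppliesSubject = $suppliesSubject
        Findings        = ($findings -join '; ')
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` and review every row that is both published and has findings first; a template with "enrollee supplies subject" and "broad Enroll" in the same row is the combination that lets any user mint a certificate for any name.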
Check out our AD CS integration page to see how our customers issue AD CS certificates for BYODs and Managed Devices.
Create a Foundational Zero Trust Policy Set in Your Azure Active Directory
A Zero Trust security model treats every request as untrusted by default and verifies it explicitly. That mindset is especially important for an AD CS environment, because a certificate in the wrong hands is a long-lived credential that can be catastrophic for your organization.
Conditional Access is the tool Azure Active Directory uses to bring signals together, make decisions and enforce organizational policies. At their simplest these policies are if-then statements: if a user wants to access a resource, then they must satisfy a condition, such as completing multi-factor authentication or using a managed device.
Some of the best policies we recommend you practice with Conditional Access are:
- Requiring multi-factor authentication for users with administrative roles
- Requiring multi-factor authentication for Azure management tasks
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure Multi-Factor Authentication registration
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications
Microsoft has a step-by-step guide on configuring Azure Active Directory Conditional Access if you want to learn more.
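As an added example (not SecureW2's code), the following PowerShell script creates the first and third policies from the list above with the Microsoft Graph PowerShell SDK: MFA for administrative roles, and a block on legacy authentication protocols. Both policies start in report-only mode so nothing is enforced until you have reviewed the sign-in logs. It assumes the `Microsoft.Graph.Identity.SignIns` module is installed and that the break-glass account object ID is a placeholder you replace with your own emergency-access account.

```powershell
# Added example, not SecureW2's code: create two Conditional Access policies
# in report-only mode with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed; the break-glass
# user ID below is a placeholder for your emergency-access account.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$BreakGlassUserId = '00000000-0000-0000-0000-000000000000'   # assumption: replace with your own account's object ID

# Report-only: sign-in logs show what WOULD have been blocked, without locking anyone out.
$state = 'enabledForReportingButNotEnforced'

# Directory role template IDs are the same in every tenant; Global Administrator is shown,
# add the other administrative roles you use to the same array.
$globalAdminRole = '62e90394-69f5-4237-9190-012177145e10'

$mfaForAdmins = @{
    displayName   = 'CA001: Require MFA for administrative roles'
    state         = $state
    conditions    = @{
        users          = @{ includeRoles = @($globalAdminRole); excludeUsers = @($BreakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$blockLegacyAuth = @{
    displayName   = 'CA002: Block legacy authentication'
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassUserId) }
        applications   = @{ includeApplications = @('All') }
        # Legacy clients (basic-auth POP/IMAP/SMTP, older Office clients) cannot complete MFA,
        # so the only safe policy for them is to block.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in $mfaForAdmins, $blockLegacyAuth) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  state={1}  id={2}' -f $created.DisplayName, $created.State, $created.Id
}
```

After a week or so of report-only data, switch each policy to enforced with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`. Keep the break-glass exclusion in place: a Conditional Access policy with no exclusion can lock every administrator, including you, out of the tenant.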
Integrate AD CS with Modern PKI Technology
AD CS's roots predate Windows Server 2008, and it receives minimal updates and support from Microsoft, which makes running AD CS more costly and troublesome than many other PKI solutions. Cloud technology has progressed tremendously over the past decade, and cloud-hosted PKI services require no additional hardware, eliminating the infrastructure cost of on-premises maintenance.
Cloud RADIUS is the only RADIUS Server that comes with an industry-exclusive Dynamic Policy Engine that integrates natively with Azure and Intune. This allows you to integrate AD CS with cloud technology and empowers your organization with certificate-based authentication for ultra secure Wi-Fi and VPN authentication.
Cloud PKI services also eliminate the need for hiring a team of expensive experts as they can easily be managed by just one part-time administrator. AD CS admins can deploy SecureW2’s onboarding software to automate certificate enrollment and 802.1X configuration. Our automated services relieve admins from manually configuring every BYOD for a certificate. Plus, end users have a far better experience because all they need to do is press a few buttons and their devices handle the rest.
With our Dynamic Policy Engine, you can enforce zero trust access policies. Every time a user authenticates for network access, the network policies admins have defined are enforced in real time. Cloud RADIUS automatically checks the user's status, which groups they belong to and whether they have changed departments, and ties them to custom network policies created by administrators in our easy-to-use management system.
SecureW2’s Managed PKI comes with all the infrastructure setup, takes less than an hour to integrate with an existing infrastructure, and doesn’t require any prior security or cryptographic experience. If you’re interested in learning more, check out our pricing page and see how our cost effective solutions can enhance your network’s security today.