Windows Server PKI improvements admins should know

As security changes with each Windows Server release, admins should keep up with the PKI improvements.

Public key infrastructure has given rise to entire sections within the security industry devoted to the upkeep and improvement of every facet involved with PKI technology. Everything from Root Certificate Authorities to X.509 certificates spawned efforts geared toward successfully guarding server infrastructure and the data therein.

This is especially true with Microsoft server infrastructure, considering the roles and services available within the modern Windows Server environment. These services and roles exist specifically for Windows Server PKI deployment -- not the least of which is the Active Directory Certificate Services (AD CS) role.

As the security apparatus in Windows Server infrastructure improves, Windows administrators should stay up to speed on improvements and vulnerabilities within their respective environments. Let's delve into some of the improvements Windows Server 2012 brings to the table in terms of public key infrastructure as compared to previous Windows Server versions.

Windows Server PKI increases PowerShell functionality

One improvement that has no doubt caught the attention of Windows Server administrators is the expanded role Windows PowerShell plays in AD CS. Prior to Windows Server 2012, PowerShell was involved only in configuring a Certificate Authority. With Windows Server 2012, PowerShell ships with a rich set of cmdlets that can be called upon when deploying AD CS. This is especially useful when Windows administrators want to save time by scripting the deployment of any AD CS role or service.

For example, if an administrator wants to script the installation of the Network Device Enrollment Service within a domain that uses a remotely located Root Certificate Authority, the Install-AdcsNetworkDeviceEnrollmentService cmdlet in Windows Server 2012 can do this. Scripting of this kind can save a great deal of time when administering enterprise networks spread across different geographic locations.

AD CS role services in Windows Server 2012

As any experienced Windows administrator can tell you, not all versions of the same operating system are the same. For example, Windows Server 2008 Web Edition is different from the Standard Edition, which is different from the Enterprise Edition. In terms of Windows Server PKI, the differences could be infuriating when dealing with an edition that wasn't a premium version.

Fortunately, in terms of AD CS all of this changed in Windows Server 2012. For example, in the Windows Server 2008 Standard Edition, the Certificate Authority component (now called a role service) was available, but the Network Device Enrollment Service mentioned previously was not available. In Windows Server 2012, all six AD CS role services are available across all Windows Server 2012 editions. This was really a common sense move on Microsoft's part, and many in the industry are happy to see the company come around on this issue.
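The following script is an added illustration of the two points above and is not code from the article or from Microsoft: it first checks that all six AD CS role services are offered by the edition it runs on, then scripts the Network Device Enrollment Service (NDES) installation against a remotely located CA using the Install-AdcsNetworkDeviceEnrollmentService cmdlet. The CA host name, CA common name, registration authority name and service account are placeholders; the cmdlet and parameter names are the real Windows Server 2012 ones.

```powershell
# Added example, not from the article. Run in an elevated PowerShell on a
# domain-joined Windows Server 2012 member server that will host NDES.
#Requires -RunAsAdministrator
Import-Module ServerManager

# The six AD CS role services that Windows Server 2012 offers in every edition.
$adcsRoleServices = @(
    'ADCS-Cert-Authority',     # Certification Authority
    'ADCS-Enroll-Web-Pol',     # Certificate Enrollment Policy Web Service
    'ADCS-Enroll-Web-Svc',     # Certificate Enrollment Web Service
    'ADCS-Web-Enrollment',     # Certification Authority Web Enrollment
    'ADCS-Device-Enrollment',  # Network Device Enrollment Service
    'ADCS-Online-Cert'         # Online Responder
)

# Confirm the edition exposes all six before scripting anything against them.
$available = Get-WindowsFeature -Name $adcsRoleServices -ErrorAction SilentlyContinue
$missing   = $adcsRoleServices | Where-Object { $_ -notin $available.Name }
if ($missing) {
    throw "This edition does not offer AD CS role services: $($missing -join ', ')"
}

# Placeholder values: the remote CA is given as CAHostName\CACommonName, which is
# the CAConfig string format the cmdlet expects.
$remoteCAConfig = 'rootca01.corp.example\Corp Root CA'
$raName         = 'Corp NDES RA'

# NDES runs as a registration authority, so it needs a dedicated service account
# rather than the local application pool identity when the CA is on another host.
# Prompting keeps the password out of the script file.
$ndesAccount = Get-Credential -Message 'NDES service account (DOMAIN\user)'

# Install the role service binaries, then configure NDES against the remote CA.
Install-WindowsFeature -Name ADCS-Device-Enrollment -IncludeManagementTools

Install-AdcsNetworkDeviceEnrollmentService `
    -ServiceAccountName     $ndesAccount.UserName `
    -ServiceAccountPassword $ndesAccount.Password `
    -CAConfig               $remoteCAConfig `
    -RAName                 $raName `
    -RACountry              'US' `
    -SigningProviderName    'Microsoft Strong Cryptographic Provider' `
    -SigningKeyLength       2048 `
    -EncryptionProviderName 'Microsoft Strong Cryptographic Provider' `
    -EncryptionKeyLength    2048 `
    -Force

# Verify the role service now reports as installed.
Get-WindowsFeature -Name ADCS-Device-Enrollment | Select-Object Name, InstallState
```

Two practical notes on the design: the feature check runs before any installation so a script pushed to a fleet fails early on an edition that lacks a role service rather than half-configuring a server, and the NDES service account is prompted for rather than embedded, since that account becomes a registration authority able to request certificates on behalf of devices. Before running this, the service account needs to be a member of the local IIS_IUSRS group on the NDES host and must have enroll permission on the CA for the registration authority templates NDES uses; otherwise the cmdlet's configuration step fails when it tries to obtain the RA certificates from the remote CA.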

For those operating in Windows environments, Microsoft looks to be moving in a direction that more robustly integrates PKI into Windows Server domains. Each new Windows Server rollout appears to drastically improve upon its predecessor. While the PKI improvements listed above should not in any way be construed as being an exhaustive list of additional features, they illustrate the dedication of the creators of Windows Server 2012 to advancing PKI and securing the enterprise.

About the author:
Brad Casey holds a master's of science in information assurance from the University of Texas at San Antonio, and has extensive experience in the areas of penetration testing, public key infrastructure, Voice over IP (VoIP) and network packet analysis. He is also knowledgeable in the areas of system administration, Active Directory and Windows Server 2008. He spent five years doing security assessment testing in the U.S. Air Force, and in his spare time you can find him looking at Wireshark captures and playing with various Linux distros in VMs. Brad Casey is also SearchSecurity's resident expert on network security.
