AD CS on Virtual Machines
Applies to
Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
Considerations
You can run all six of the Active Directory Certificate Services (AD CS) role services on virtual machines. Some things to consider when virtualizing these roles are:
- A virtualized hard disk file is equivalent to the physical hard drive of the role server. As such, it should be protected with the same amount of care that goes into securing the hard drive of a physical computer. Make sure that only reliable and trusted administrators are allowed access to the role service's hard disk files.
- The administrator account(s) of the virtual host computer effectively have physical access to the virtual computers run on them.
- Anyone who has physical access to the virtual host computer, including copies, snap-shots, or backups of the virtual guest computers, can potentially compromise the security of those systems.
There are some additional considerations for running a virtual certification authority:
- You cannot consider a CA to be offline, if it is running on a host computer that is connected to a network.
- If you issue a number of certificates and then restore a CA to an earlier state, you can lose track of certificates issues by the CA. This can create a situation where the CA has no knowledge and therefore cannot revoke the certificates that were issued.
- If you are planning to implement a hardware security module (HSM) for your virtual CAs, you will need to consider the connectivity to those devices carefully. For example, in Hyper-V there is no USB pass-through capabilities, so USB HSM connection would not be possible. There are also PCI (internal) HSM devices, which would not be workable for virtual machines.
- If an HSM is not in use, then the CA private keys would be stored locally, which means that anyone with access to the virtual machine hard disk files has access to the private keys of the CA.