Securing PKI: Appendix A: Events to Monitor
Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012
The following tables provide a full list of events generated by Active Directory® Certificate Services CA role, along with recommendations for which events should be monitored. Unless otherwise specified in the description, the events are available on Microsoft Windows Server 2008® and more recent versions of Windows®.
The “Current Windows Event ID” column lists the current event ID as it is implemented in versions of Microsoft Windows Server® that are currently in mainstream support. The “Potential Criticality” column identifies whether the event should be considered low, medium or high criticality in detecting attacks. The event summary contains a brief description of the event.
A potential criticality of high means that one occurrence of the event should be investigated. Potential criticality of medium or low means that these events should only be investigated if they occur unexpectedly in numbers that significantly exceed the expected baseline in a measured period of time, or the content of the message meets a specific criteria. All organizations should test these recommendations in their environments before creating alerts that require mandatory investigative responses. Every environment is different, and some of the events ranked with a potential criticality of high may occur due to other harmless events.
Microsoft Windows® Security Auditing
Current Windows Event ID |
Potential Criticality |
Event Summary |
Audit Filter Required |
Description |
|---|---|---|---|---|
4868 |
Low |
The certificate manager denied a pending certificate request. Request ID: %1 |
Issue and manage certificate requests |
|
4869 |
Low |
Certificate Services received a resubmitted certificate request. Request ID: %1 |
Issue and manage certificate requests |
|
4870 |
Low |
Certificate Services revoked a certificate. Serial Number: %1 Reason: %2 |
Revoke certificates and publish CRLs |
|
4871 |
Low |
Certificate Services received a request to publish the certificate revocation list (CRL). Next Update: %1 Publish Base: %2 Publish Delta: %3 |
Revoke certificates and publish CRLs |
|
4872 |
Low |
Certificate Services published the certificate revocation list (CRL). Base CRL: %1 CRL Number: %2 Key Container: %3 Next Publish: %4 Publish URLs: %5 |
Revoke certificates and publish CRL |
|
4873 |
Medium |
A certificate request extension changed. Request ID: %1 Name: %2 Type: %3 Flags: %4 Data: %5 |
Issue and manage certificate requests |
If this functionality is not used by the CA, it may indicate tampering with a request |
4874 |
Medium |
One or more certificate request attributes changed. Request ID: %1 Attributes: %2 |
Issue and manage certificate requests |
If this functionality is not used by the CA, it may indicate tampering with a request |
4875 |
Low |
Certificate Services received a request to shut down. |
Start and stop Active Directory® Certificate Services |
This event is triggered when the certutil –shutdown command is issued to the CA |
4876 |
Low |
Certificate Services backup started. Backup Type: %1 |
Back up and restore the CA database |
|
4877 |
Low |
Certificate Services backup completed. |
Back up and restore the CA database |
|
4878 |
Low |
Certificate Services restore started. |
Back up and restore the CA database |
|
4879 |
Low |
Certificate Services restore completed. |
Back up and restore the CA database |
|
4880 |
Low |
Certificate Services started. Certificate Database Hash: %1 Private Key Usage Count: %2 CA Certificate Hash: %3 CA Public Key Hash: %4 |
Start and stop Active Directory® Certificate Services |
|
4881 |
Low |
Certificate Services stopped. Certificate Database Hash: %1 Private Key Usage Count: %2 CA Certificate Hash: %3 CA Public Key Hash: %4 |
Start and stop Active Directory® Certificate Services |
|
4882 |
High |
The security permissions for Certificate Services changed. %1 |
Change CA security settings |
May indicate an attacker granting permissions for other accounts to enroll. |
4883 |
Medium |
Certificate Services retrieved an archived key. Request ID: %1 |
Store and retrieve archived keys |
|
4884 |
Low |
Certificate Services imported a certificate into its database. Certificate: %1 Request ID: %2 |
Issue and manage certificate requests |
|
4885 |
High |
The audit filter for Certificate Services changed. Filter: %1 |
Change CA security settings |
May indicate an attacker disabling monitoring in an attempt to cover their tracks prior to certificate activities. |
4886 |
Low |
Certificate Services received a certificate request. Request ID: %1 Requester: %2 Attributes: %3 |
Issue and manage certificate requests |
|
4887 |
Medium |
Certificate Services approved a certificate request and issued a certificate. Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6 |
Issue and manage certificate requests |
Issuance of certificates that contain usages that allow the owner to perform privileged operations (Enrollment Agent, Code Signing etc.) or certificates issued to VIP users should be monitored. |
4888 |
Medium |
Certificate Services denied a certificate request. Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6 |
Issue and manage certificate requests |
|
4889 |
Low |
Certificate Services set the status of a certificate request to pending. Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6 |
Issue and manage certificate requests |
|
4890 |
High |
The certificate manager settings for Certificate Services changed. Enable: %1 %2 |
Change CA security settings |
May indicate tampering with permissions with what users are able to enroll on behalf of other users, commonly used to issue smart card certificates. |
4891 |
Medium |
A configuration entry changed in Certificate Services. Node: %1 Entry: %2 Value: %3 |
Change CA configuration |
Can be used to monitor for changes to Policy/Exit modules on the CA or configuration of CDP/AIA extensions. |
4892 |
Medium |
A property of Certificate Services changed. Property: %1 Index: %2 Type: %3 Value: %4 |
Change CA configuration |
Can be used to track changes to Key Recovery Agent configuration |
4893 |
Low |
Certificate Services archived a key. Request ID: %1 Requester: %2 KRA Hashes: %3 |
Store and retrieve archived keys |
|
4894 |
Low |
Certificate Services imported and archived a key. Request ID: %1 |
Store and retrieve archived keys |
|
4895 |
Low |
Certificate Services published the CA certificate to Active Directory® Domain Services. Certificate Hash: %1 Valid From: %2 Valid To: %3 |
||
4896 |
High |
One or more rows have been deleted from the certificate database. Table ID: %1 Filter: %2 Rows Deleted: %3 |
Issue and manage certificate requests |
May indicate an attacker covering their tracks after issuing certificates. |
4897 |
Medium |
Role separation enabled: %1 |
Change CA security settings |
If role separation is used, this can be used to trigger an alert if the expected configuration changes. |
4898 |
Medium |
Certificate Services loaded a template. %1 v%2 (Schema V%3) %4 %5 Template Information: Template Content: %7 Security Descriptor: %8 Additional Information: Domain Controller: %6 |
Change CA security settings |
Alert if templates that are not expected on a CA are loaded. |
4899 |
Medium |
A Certificate Services template was updated. %1 v%2 (Schema V%3) %4 %5 Template Change Information: Old Template Content: %8 New Template Content: %7 Additional Information: Domain Controller: %6 |
Change CA security settings |
|
4900 |
Medium |
Certificate Services template security was updated. %1 v%2 (Schema V%3) %4 %5 Template Change Information: Old Template Content: %9 New Template Content: %7 Old Security Descriptor: %10 New Security Descriptor: %8 Additional Information: Domain Controller: %6 |
Change CA security settings |
Microsoft-Windows-CertificationAuthority
Current Windows Event ID |
Potential Criticality |
Message |
|---|---|---|
3 |
Low |
Request failed |
5 |
Low |
Active Directory Certificate Services could not find required registry information. The Active Directory Certificate Services may need to be reinstalled. |
6 |
Low |
Active Directory Certificate Services issued a certificate for request %1 for %2. |
7 |
Low |
Active Directory Certificate Services denied request %1 because %2. The request was for %3. |
8 |
Low |
Active Directory Certificate Services left request %1 pending in the queue for %2. |
9 |
Low |
The Active Directory Certificate Services did not start: Unable to load an external policy module. |
10 |
Low |
Active Directory Certificate Services were unable to build a new certificate or certificate chain: %1. |
15 |
High |
Active Directory Certificate Services did not start: Version does not match certif.dll. |
16 |
Low |
Active Directory Certificate Services did not start: Unable to initialize OLE: %1. |
17 |
Low |
Active Directory Certificate Services did not start: Unable to initialize the database connection for %1. %2. |
19 |
Low |
Active Directory Certificate Services did not start: The Subject Name Template string in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%1\SubjectTemplate is invalid. An example of a valid string is: CommonName OrganizationalUnit Organization Locality State Country |
20 |
Low |
Active Directory Certificate Services did not start: The Certificate Date Validity Period string in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%1\ValidityPeriod is invalid. Valid strings are "Seconds", "Minutes", "Hours", "Days", "Weeks", "Months" and "Years". |
21 |
Low |
Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. |
22 |
Low |
Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. Additional information: %4 |
23 |
Low |
Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. The certificate would contain an encoded length that is potentially incompatible with older enrollment software. Submit a new request using different length input data for the following field: %4 |
25 |
Low |
Active Directory Certificate Services revoked the certificate for request %1 for %2. |
26 |
Low |
Active Directory Certificate Services for %1 was started.%2%3 |
27 |
Low |
Active Directory Certificate Services did not start: Hierarchical setup is incomplete. Use the request file in %1.req to obtain a certificate for this Certificate Server, and use the CA administration tool to install the new certificate and complete the installation. |
28 |
Low |
Active Directory Certificate Services did not start: The Certificate Revocation List Period string is invalid in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%1\CRLPeriod. Valid strings are "Seconds", "Minutes", "Hours", "Days", "Weeks", "Months" and "Years". |
29 |
Low |
Active Directory Certificate Services issued a new Certificate Revocation List for %1. |
33 |
Low |
Active Directory Certificate Services did not start: Could not create the Certificate Server service thread for %1. %2. |
34 |
Low |
Active Directory Certificate Services did not start: Could not initialize RPC for %1. %2. |
35 |
Low |
Active Directory Certificate Services did not start: Could not initialize OLE for %1. %2. |
38 |
Low |
Active Directory Certificate Services for %1 was stopped. |
39 |
Low |
Active Directory Certificate Services did not start: The CA DCOM class for %1 could not be registered. %2. Use the services administration tool to change the CA logon context. |
40 |
Low |
Active Directory Certificate Services did not start: Could not initialize DCOM class factories for %1. %2. |
41 |
Low |
Active Directory Certificate Services did not start: Could not initialize DCOM Security Context for %1. %2. |
42 |
Low |
Could not build a certificate chain for CA certificate %3 for %1. %2. |
43 |
Low |
The "%1" Policy Module "%2" method caused an exception at address %4. The exception code is %3. |
44 |
Low |
The "%1" Policy Module "%2" method returned an error. %5 The returned status code is %3. %4 |
45 |
Low |
The "%1" Exit Module "%2" method caused an exception at address %4. The exception code is %3. |
46 |
Low |
The "%1" Exit Module "%2" method returned an error. %5 The returned status code is %3. %4 |
48 |
Low |
Revocation status for a certificate in the chain for CA certificate %3 for %1 could not be verified because a server is currently unavailable. %2. |
49 |
Low |
A certificate in the chain for CA certificate %3 for %1 could not be verified because no information is available describing how to check the revocation status. %2. |
51 |
Low |
A certificate in the chain for CA certificate %3 for %1 has been revoked. %2. |
52 |
Low |
Active Directory Certificate Services issued a certificate for request %1 for %2. Additional information: %3 |
53 |
Low |
Active Directory Certificate Services denied request %1 because %2. The request was for %3. Additional information: %4 |
54 |
Low |
Active Directory Certificate Services left request %1 pending in the queue for %2. Additional information: %3 |
55 |
Medium |
Active Directory Certificate Services unrevoked the certificate for request %1 for %2. |
56 |
Low |
Active Directory Certificate Services denied request %1. The request was for %2. |
57 |
Low |
Active Directory Certificate Services denied request %1. The request was for %2. Additional information: %3 |
58 |
Low |
A certificate in the chain for CA certificate %3 for %1 has expired. %2. |
59 |
Low |
Active Directory Certificate Services did not start: Could not connect to the Active Directory for %1. %2. |
60 |
High |
Active Directory Certificate Services refused to process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize registry parameter via certutil -setreg CA\MaxIncomingMessageSize <bytes>. Unless verbose logging is enabled, this error will not be logged again for 20 minutes. |
62 |
Low |
Active Directory Certificate Services had problems loading valid CRL publication values and has reset the CRL publication to its default settings. |
63 |
Low |
Active Directory Certificate Services did not start: %1 %2. |
64 |
Low |
Active Directory Certificate Services cannot publish enrollment access changes to Active Directory. |
65 |
Low |
Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location: %2. %3.%5%6 |
66 |
Low |
Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location: %2. %3.%5%6 |
67 |
Low |
Active Directory Certificate Services made %1 attempts to publish a CRL and will stop publishing attempts until the next CRL is generated. |
68 |
Low |
Active Directory Certificate Services successfully published Base CRL(s). |
69 |
Low |
Active Directory Certificate Services successfully published Delta CRL(s). |
70 |
Low |
Active Directory Certificate Services successfully published Base and Delta CRL(s). |
71 |
Low |
Active Directory Certificate Services successfully published Base CRL(s) to server %1. |
72 |
Low |
Active Directory Certificate Services successfully published Delta CRL(s) to server %1. |
73 |
Low |
Active Directory Certificate Services successfully published Base and Delta CRL(s) to server %1. |
74 |
Low |
Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location on server %4: %2. %3.%5%6 |
75 |
Low |
Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location on server %4: %2. %3.%5%6 |
76 |
Low |
The "%1" Policy Module logged the following information: %2 |
77 |
Low |
The "%1" Policy Module logged the following warning: %2 |
78 |
Low |
The "%1" Policy Module logged the following error: %2 |
79 |
Low |
Active Directory Certificate Services could not publish a Certificate for request %1 to the following location: %2. %3.%5%6 |
80 |
Low |
Active Directory Certificate Services could not publish a Certificate for request %1 to the following location on server %4: %2. %3.%5%6 |
81 |
Low |
Active Directory Certificate Services key archival is only supported on Advanced Server. %1 |
82 |
Low |
Active Directory Certificate Services could only verify %1 of %2 key recovery certificates required to enable private key archival. Requests to archive private keys will not be accepted. |
83 |
Low |
Active Directory Certificate Services encountered an error loading key recovery certificates. Requests to archive private keys will not be accepted. %1 |
84 |
Low |
Active Directory Certificate Services will not use key recovery certificate %1 because it could not be verified for use as a Key Recovery Agent. %2 %3 |
85 |
Low |
Active Directory Certificate Services ignored key recovery certificate %1 because it could not be loaded. %2 %3 |
86 |
Low |
Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. %1 |
87 |
Low |
Active Directory Certificate Services could not use the default provider for encryption keys. %1 |
88 |
Low |
Active Directory Certificate Services switched to the default provider for encryption keys. %1 |
90 |
Low |
%1: Active Directory Certificate Services detected an exception at address %2. Flags = %3. The exception is %4. |
91 |
Low |
Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access. |
92 |
Low |
Active Directory Certificate Services could not update security permissions. %1 |
93 |
Low |
The certificate (#%1) of Active Directory Certificate Services %2 does not exist in the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container. The directory replication may not be completed. |
94 |
Low |
Active Directory Certificate Services %1 can not open the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container. |
95 |
High |
Security permissions are corrupted or missing. The Active Directory Certificate Services may need to be reinstalled. |
96 |
Low |
Active Directory Certificate Services could not create an encryption certificate. %1. %2. |
97 |
Low |
Active Directory Certificate Services %1 will reduce the maximum lifetime of the issued certificate for request %2 because the CA certificate lifetime is shorter than the registry validity period. Consider renewing the CA certificate or reducing the registry validity period. |
98 |
Low |
Active Directory Certificate Services encountered errors validating configured key recovery certificates. Requests to archive private keys will no longer be accepted. |
99 |
Low |
Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. %2. %3. |
100 |
Low |
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. %1 %2. |
101 |
Low |
Active Directory Certificate Services created CA cross certificate %2 for %1. |
102 |
Low |
Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. The %2 extension is inconsistent. %3. %4. |
103 |
Low |
Active Directory Certificate Services added the root certificate of certificate chain %1 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore "%2" (you must include the quotation marks when you run this command). If the Root CA certificate is not present, use the Certificates console on the Root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root. |
104 |
Low |
Active Directory Certificate Services published certificate %1 to %2. |
105 |
Low |
Active Directory Certificate Services deleted invalid certificate %1 from %2. |
106 |
Low |
Active Directory Certificate Services cannot add certificate %1 to %2. %3. %4. |
107 |
Low |
Active Directory Certificate Services cannot delete invalid certificate %1 from %2. %3. %4. |
108 |
Low |
Active Directory Certificate Services could not delete a Certificate for request %1 from the following location: %2. %3.%5%6 |
109 |
Low |
Active Directory Certificate Services could not delete a Certificate for request %1 from the following location on server %4: %2. %3.%5%6 |
110 |
Low |
Active Directory Certificate Services could not initialize the performance counters. |
111 |
Low |
Active Directory Certificate Services upgrade failed because the upgrade path could not be determined. %1 |
112 |
Low |
Active Directory Certificate Services upgrade failed because information required for the upgrade was unavailable. %1 |
113 |
Low |
A portion of the Active Directory Certificate Services upgrade failed: Could not create CertEnroll folder and/or shared folder with proper permissions. %1 |
114 |
Low |
A portion of the Active Directory Certificate Services upgrade failed: Could not create virtual roots. %1 |
115 |
Low |
A portion of the Active Directory Certificate Services upgrade failed: Could not update server registry entries. %1 |
116 |
Low |
A portion of the Active Directory Certificate Services upgrade failed: Could not create web configuration file. %1 |
117 |
Low |
A portion of the Active Directory Certificate Services upgrade failed: Could not create revocation page. %1 |
118 |
Low |
A portion of the Active Directory Certificate Services upgrade failed: Could not upgrade key containers. %1 |
119 |
Low |
A portion of the Active Directory Certificate Services upgrade failed: Could not register CertSrv request. %1 |
120 |
Low |
A portion of the Active Directory Certificate Services upgrade failed: Could not register CertSrv admin. %1 |
121 |
Low |
A portion of the Active Directory Certificate Services upgrade failed: Could not install new templates. %1 |
122 |
Low |
A portion of the Active Directory Certificate Services upgrade failed: Could not update service description. %1 |
123 |
Low |
A portion of the Active Directory Certificate Services upgrade failed: Could not update security settings. %1 |
124 |
Low |
Active Directory Certificate Services upgrade succeeded. Active Directory Certificate Services settings have been upgraded successfully. |
125 |
Low |
Active Directory Certificate Services upgrade failed. Active Directory Certificate Services settings have not been upgraded. %1 |
126 |
Low |
Current information about advanced features supported by this CA is not available from the domain controller. Stop and restart Certificate Services in order to update this information. %1 |
127 |
Low |
Key recovery certificate %1 is about to expire soon and will not be used upon expiration. Contact your administrator to renew this certificate. %2 %3 |
128 |
Low |
An Authority Key Identifier was passed as part of the certificate request %1. This feature has not been enabled. To enable specifying a CA key for certificate signing, run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service. |
129 |
Low |
An invalid OID has been detected in the EnabledEKUForDefinedCACert configuration setting. To resolve, run: "certutil -getreg ca\EnabledEKUForDefinedCACert" to identify the invalid OID and correct it. The default OID ("1.3.6.1.5.5.7.3.9") will be used. |
130 |
Low |
Active Directory Certificate Services could not create a certificate revocation list. %1. This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the certificate revocation list manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services. |
131 |
Low |
An invalid OID has been detected in the EKUOIDsForPublishExpiredCertInCRL configuration setting. To resolve, run: "certutil -getreg ca\EKUOIDsForPublishExpiredCertInCRL" to identify the invalid OID and correct it. The default OIDs ("1.3.6.1.5.5.7.3.3" and "1.3.6.1.4.1.311.61.1.1") will be used. |
132 |
Low |
The CA was unable to perform a decryption operation. This error can occur when an advanced encryption algorithm such as Advanced Encryption Standard (AES) is used and the CA has not been configured to use a CryptoAPI Next Generation (CNG) key storage provider. If this error occurred during certificate enrollment, check the Certificate Template to ensure that advanced encryption for key archival is not enabled. |
133 |
Low |
The CA failed to encode a server extension required to validate a certificate or certification revocation list (CRL). The CA will not issue any certificates or CRLs that do not contain this extension. To correct this problem, use the CA snap-in to remove any Unicode characters in the URLs for the AIA, CDP, and IDP extensions, then restart the CA. |
Registry Values to Monitor
The following events are recommendations for advanced monitoring of registry changes that affect the security of a CA. While many of these same alerts are generated when enabling auditing on the CA, there are cases where values can be changed and no alert is generated. In those cases, registry auditing can be enabled and the following events can be monitored for.
In the table below, “Event ID” is the current Microsoft Windows® event ID for versions of Microsoft Windows® currently in mainstream support. “Text to Alert On” is the text to search for within the event body when an alert is generated. “Potential Criticality” identifies whether the event should be considered of low, medium or high criticality in detecting attacks. The event summary contains a brief description of the event.
Event ID |
Text to Alert On |
Potential Criticality |
Event Summary |
|---|---|---|---|
4657 |
"AuditFilter" |
High |
The audit filter controls which Microsoft Windows® Security Auditing events are logged. Changing the audit filter may indicate an attacker attempting to disable logging prior to performing a certificate operation. Normally the audit filter is configured when the CA is created and not changed after. |
4657 |
"EKUOIDsForPublishExpiredCertInCRL" |
High |
This value controls what types of certificates remain on a CRL even after the certificate expires. An attacker could remove specific certificate types (such as Code Signing) that would allow a previously revoked certificate that malware was signed with to validate successfully again after the next CRL publication.This value is not changed during normal CA operation. |
4657 |
“EditFlags” |
Medium |
Alert if the new value enables EDITF_ATTRIBUTESUBJECTALTNAME2. This can be identified by taking the value found in the “New Value” field and performing a bitwise “AND” operation with 262144 (the decimal value for the bitmask for the EDITF_ATTRIBUTESUBJECTALTNAME2 value). Adding this value will allow any certificate request to contain arbitrary alternative names. |
4657 |
"KRACertHash" |
Medium |
This will happen rarely in normal operations and an attacker who has control of a valid KRA certificate could assign it to a CA to get access to any private keys that are subsequently archived on the CA. |
4657 |
"RoleSeparationEnabled" |
Medium |
Role separation allows for a CA to tightly control the rights of a specific user and enforce that all users can only have one role on the system (CA Admin, Cert Issuer, administrator, Auditor). A local administrator can always disable role separation, which may allow an account who should not have rights to perform an operation to be eligible for those rights. |
4657 |
"Security" |
High |
This alert is raised when the permissions on the CA are modified. These permissions control which users and groups are allowed to Read CA information, issue certificates, manage the CA settings and enroll for certificates from a given CA. Modification could allow an attacker to give privileges to an unwanted account for enrollment.This is a similar alert to 4882. |
4657 |
"ExitModules","Active" |
High |
Indicates a change to the default exit module(s) being used by the CA. Exit modules allow additional actions to be performed by the CA after an event occurs (issuance, revocation, CRL publishing, etc.). Additions/deletions of exit modules occur very infrequently in normal operations and may indicate tampering with the CA. |
4657 |
"PolicyModules","Active" |
High |
Indicates a change to the active policy module being used by the CA. The policy module control certificate issuance and is changed very infrequently in normal operations. |
See Also
Securing Public Key Infrastructure (PKI)
Securing PKI: Introduction
Securing PKI: Planning a CA Hierarchy
Securing PKI: Physical Controls for Securing PKI
Securing PKI: PKI Process Security
Securing PKI: Technical Controls for Securing PKI
Securing PKI: Planning Certificate Algorithms and Usages
Securing PKI: Protecting CA Keys and Critical Artifacts
Securing PKI: Monitoring Public Key Infrastructure
Securing PKI: Compromise Response
Securing PKI: Appendix B: Certification Authority Audit Filter
Securing PKI: Appendix C: Delegating Active Directory PKI Permissions
Securing PKI: Appendix D: Glossary of Terms
Securing PKI: Appendix E: PKI Basics
Securing PKI: Appendix F: List of Recommendations by Impact Level
Security and Protection
Secure Windows Server 2012 R2 and Windows Server 2012