Partager via


Securing PKI: Appendix A: Events to Monitor

 

Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012

The following tables provide a full list of events generated by Active Directory® Certificate Services CA role, along with recommendations for which events should be monitored. Unless otherwise specified in the description, the events are available on Microsoft Windows Server 2008® and more recent versions of Windows®.

The “Current Windows Event ID” column lists the current event ID as it is implemented in versions of Microsoft Windows Server® that are currently in mainstream support. The “Potential Criticality” column identifies whether the event should be considered low, medium or high criticality in detecting attacks. The event summary contains a brief description of the event.

A potential criticality of high means that one occurrence of the event should be investigated. Potential criticality of medium or low means that these events should only be investigated if they occur unexpectedly in numbers that significantly exceed the expected baseline in a measured period of time, or the content of the message meets a specific criteria. All organizations should test these recommendations in their environments before creating alerts that require mandatory investigative responses. Every environment is different, and some of the events ranked with a potential criticality of high may occur due to other harmless events.

Microsoft Windows® Security Auditing

Current Windows Event ID

Potential Criticality

Event Summary

Audit Filter Required

Description

4868

Low

The certificate manager denied a pending certificate request. Request ID: %1

Issue and manage certificate requests

4869

Low

Certificate Services received a resubmitted certificate request. Request ID: %1

Issue and manage certificate requests

4870

Low

Certificate Services revoked a certificate. Serial Number: %1 Reason: %2

Revoke certificates and publish CRLs

4871

Low

Certificate Services received a request to publish the certificate revocation list (CRL). Next Update: %1 Publish Base: %2 Publish Delta: %3

Revoke certificates and publish CRLs

4872

Low

Certificate Services published the certificate revocation list (CRL). Base CRL: %1 CRL Number: %2 Key Container: %3 Next Publish: %4 Publish URLs: %5

Revoke certificates and publish CRL

4873

Medium

A certificate request extension changed. Request ID: %1 Name: %2 Type: %3 Flags: %4 Data: %5

Issue and manage certificate requests

If this functionality is not used by the CA, it may indicate tampering with a request

4874

Medium

One or more certificate request attributes changed. Request ID: %1 Attributes: %2

Issue and manage certificate requests

If this functionality is not used by the CA, it may indicate tampering with a request

4875

Low

Certificate Services received a request to shut down.

Start and stop Active Directory® Certificate Services

This event is triggered when the certutil –shutdown command is issued to the CA

4876

Low

Certificate Services backup started. Backup Type: %1

Back up and restore the CA database

4877

Low

Certificate Services backup completed.

Back up and restore the CA database

4878

Low

Certificate Services restore started.

Back up and restore the CA database

4879

Low

Certificate Services restore completed.

Back up and restore the CA database

4880

Low

Certificate Services started. Certificate Database Hash: %1 Private Key Usage Count: %2 CA Certificate Hash: %3 CA Public Key Hash: %4

Start and stop Active Directory® Certificate Services

4881

Low

Certificate Services stopped. Certificate Database Hash: %1 Private Key Usage Count: %2 CA Certificate Hash: %3 CA Public Key Hash: %4

Start and stop Active Directory® Certificate Services

4882

High

The security permissions for Certificate Services changed. %1

Change CA security settings

May indicate an attacker granting permissions for other accounts to enroll.

4883

Medium

Certificate Services retrieved an archived key. Request ID: %1

Store and retrieve archived keys

4884

Low

Certificate Services imported a certificate into its database. Certificate: %1 Request ID: %2

Issue and manage certificate requests

4885

High

The audit filter for Certificate Services changed. Filter: %1

Change CA security settings

May indicate an attacker disabling monitoring in an attempt to cover their tracks prior to certificate activities.

4886

Low

Certificate Services received a certificate request. Request ID: %1 Requester: %2 Attributes: %3

Issue and manage certificate requests

4887

Medium

Certificate Services approved a certificate request and issued a certificate. Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6

Issue and manage certificate requests

Issuance of certificates that contain usages that allow the owner to perform privileged operations (Enrollment Agent, Code Signing etc.) or certificates issued to VIP users should be monitored.

4888

Medium

Certificate Services denied a certificate request. Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6

Issue and manage certificate requests

4889

Low

Certificate Services set the status of a certificate request to pending. Request ID: %1 Requester: %2 Attributes: %3 Disposition: %4 SKI: %5 Subject: %6

Issue and manage certificate requests

4890

High

The certificate manager settings for Certificate Services changed. Enable: %1 %2

Change CA security settings

May indicate tampering with permissions with what users are able to enroll on behalf of other users, commonly used to issue smart card certificates.

4891

Medium

A configuration entry changed in Certificate Services. Node: %1 Entry: %2 Value: %3

Change CA configuration

Can be used to monitor for changes to Policy/Exit modules on the CA or configuration of CDP/AIA extensions.

4892

Medium

A property of Certificate Services changed. Property: %1 Index: %2 Type: %3 Value: %4

Change CA configuration

Can be used to track changes to Key Recovery Agent configuration

4893

Low

Certificate Services archived a key. Request ID: %1 Requester: %2 KRA Hashes: %3

Store and retrieve archived keys

4894

Low

Certificate Services imported and archived a key. Request ID: %1

Store and retrieve archived keys

4895

Low

Certificate Services published the CA certificate to Active Directory® Domain Services. Certificate Hash: %1 Valid From: %2 Valid To: %3

4896

High

One or more rows have been deleted from the certificate database. Table ID: %1 Filter: %2 Rows Deleted: %3

Issue and manage certificate requests

May indicate an attacker covering their tracks after issuing certificates.

4897

Medium

Role separation enabled: %1

Change CA security settings

If role separation is used, this can be used to trigger an alert if the expected configuration changes.

4898

Medium

Certificate Services loaded a template. %1 v%2 (Schema V%3) %4 %5 Template Information: Template Content: %7 Security Descriptor: %8 Additional Information: Domain Controller: %6

Change CA security settings

Alert if templates that are not expected on a CA are loaded.

4899

Medium

A Certificate Services template was updated. %1 v%2 (Schema V%3) %4 %5 Template Change Information: Old Template Content: %8 New Template Content: %7 Additional Information: Domain Controller: %6

Change CA security settings

4900

Medium

Certificate Services template security was updated. %1 v%2 (Schema V%3) %4 %5 Template Change Information: Old Template Content: %9 New Template Content: %7 Old Security Descriptor: %10 New Security Descriptor: %8 Additional Information: Domain Controller: %6

Change CA security settings

Microsoft-Windows-CertificationAuthority

Current Windows Event ID

Potential Criticality

Message

3

Low

Request failed

5

Low

Active Directory Certificate Services could not find required registry information. The Active Directory Certificate Services may need to be reinstalled.

6

Low

Active Directory Certificate Services issued a certificate for request %1 for %2.

7

Low

Active Directory Certificate Services denied request %1 because %2. The request was for %3.

8

Low

Active Directory Certificate Services left request %1 pending in the queue for %2.

9

Low

The Active Directory Certificate Services did not start: Unable to load an external policy module.

10

Low

Active Directory Certificate Services were unable to build a new certificate or certificate chain: %1.

15

High

Active Directory Certificate Services did not start: Version does not match certif.dll.

16

Low

Active Directory Certificate Services did not start: Unable to initialize OLE: %1.

17

Low

Active Directory Certificate Services did not start: Unable to initialize the database connection for %1. %2.

19

Low

Active Directory Certificate Services did not start: The Subject Name Template string in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%1\SubjectTemplate is invalid. An example of a valid string is: CommonName OrganizationalUnit Organization Locality State Country

20

Low

Active Directory Certificate Services did not start: The Certificate Date Validity Period string in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%1\ValidityPeriod is invalid. Valid strings are "Seconds", "Minutes", "Hours", "Days", "Weeks", "Months" and "Years".

21

Low

Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3.

22

Low

Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. Additional information: %4

23

Low

Active Directory Certificate Services could not process request %1 due to an error: %2. The request was for %3. The certificate would contain an encoded length that is potentially incompatible with older enrollment software. Submit a new request using different length input data for the following field: %4

25

Low

Active Directory Certificate Services revoked the certificate for request %1 for %2.

26

Low

Active Directory Certificate Services for %1 was started.%2%3

27

Low

Active Directory Certificate Services did not start: Hierarchical setup is incomplete. Use the request file in %1.req to obtain a certificate for this Certificate Server, and use the CA administration tool to install the new certificate and complete the installation.

28

Low

Active Directory Certificate Services did not start: The Certificate Revocation List Period string is invalid in the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%1\CRLPeriod. Valid strings are "Seconds", "Minutes", "Hours", "Days", "Weeks", "Months" and "Years".

29

Low

Active Directory Certificate Services issued a new Certificate Revocation List for %1.

33

Low

Active Directory Certificate Services did not start: Could not create the Certificate Server service thread for %1. %2.

34

Low

Active Directory Certificate Services did not start: Could not initialize RPC for %1. %2.

35

Low

Active Directory Certificate Services did not start: Could not initialize OLE for %1. %2.

38

Low

Active Directory Certificate Services for %1 was stopped.

39

Low

Active Directory Certificate Services did not start: The CA DCOM class for %1 could not be registered. %2. Use the services administration tool to change the CA logon context.

40

Low

Active Directory Certificate Services did not start: Could not initialize DCOM class factories for %1. %2.

41

Low

Active Directory Certificate Services did not start: Could not initialize DCOM Security Context for %1. %2.

42

Low

Could not build a certificate chain for CA certificate %3 for %1. %2.

43

Low

The "%1" Policy Module "%2" method caused an exception at address %4. The exception code is %3.

44

Low

The "%1" Policy Module "%2" method returned an error. %5 The returned status code is %3. %4

45

Low

The "%1" Exit Module "%2" method caused an exception at address %4. The exception code is %3.

46

Low

The "%1" Exit Module "%2" method returned an error. %5 The returned status code is %3. %4

48

Low

Revocation status for a certificate in the chain for CA certificate %3 for %1 could not be verified because a server is currently unavailable. %2.

49

Low

A certificate in the chain for CA certificate %3 for %1 could not be verified because no information is available describing how to check the revocation status. %2.

51

Low

A certificate in the chain for CA certificate %3 for %1 has been revoked. %2.

52

Low

Active Directory Certificate Services issued a certificate for request %1 for %2. Additional information: %3

53

Low

Active Directory Certificate Services denied request %1 because %2. The request was for %3. Additional information: %4

54

Low

Active Directory Certificate Services left request %1 pending in the queue for %2. Additional information: %3

55

Medium

Active Directory Certificate Services unrevoked the certificate for request %1 for %2.

56

Low

Active Directory Certificate Services denied request %1. The request was for %2.

57

Low

Active Directory Certificate Services denied request %1. The request was for %2. Additional information: %3

58

Low

A certificate in the chain for CA certificate %3 for %1 has expired. %2.

59

Low

Active Directory Certificate Services did not start: Could not connect to the Active Directory for %1. %2.

60

High

Active Directory Certificate Services refused to process an extremely long request from %1. This may indicate a denial-of-service attack. If the request was rejected in error, modify the MaxIncomingMessageSize registry parameter via certutil -setreg CA\MaxIncomingMessageSize <bytes>. Unless verbose logging is enabled, this error will not be logged again for 20 minutes.

62

Low

Active Directory Certificate Services had problems loading valid CRL publication values and has reset the CRL publication to its default settings.

63

Low

Active Directory Certificate Services did not start: %1 %2.

64

Low

Active Directory Certificate Services cannot publish enrollment access changes to Active Directory.

65

Low

Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location: %2. %3.%5%6

66

Low

Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location: %2. %3.%5%6

67

Low

Active Directory Certificate Services made %1 attempts to publish a CRL and will stop publishing attempts until the next CRL is generated.

68

Low

Active Directory Certificate Services successfully published Base CRL(s).

69

Low

Active Directory Certificate Services successfully published Delta CRL(s).

70

Low

Active Directory Certificate Services successfully published Base and Delta CRL(s).

71

Low

Active Directory Certificate Services successfully published Base CRL(s) to server %1.

72

Low

Active Directory Certificate Services successfully published Delta CRL(s) to server %1.

73

Low

Active Directory Certificate Services successfully published Base and Delta CRL(s) to server %1.

74

Low

Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location on server %4: %2. %3.%5%6

75

Low

Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location on server %4: %2. %3.%5%6

76

Low

The "%1" Policy Module logged the following information: %2

77

Low

The "%1" Policy Module logged the following warning: %2

78

Low

The "%1" Policy Module logged the following error: %2

79

Low

Active Directory Certificate Services could not publish a Certificate for request %1 to the following location: %2. %3.%5%6

80

Low

Active Directory Certificate Services could not publish a Certificate for request %1 to the following location on server %4: %2. %3.%5%6

81

Low

Active Directory Certificate Services key archival is only supported on Advanced Server. %1

82

Low

Active Directory Certificate Services could only verify %1 of %2 key recovery certificates required to enable private key archival. Requests to archive private keys will not be accepted.

83

Low

Active Directory Certificate Services encountered an error loading key recovery certificates. Requests to archive private keys will not be accepted. %1

84

Low

Active Directory Certificate Services will not use key recovery certificate %1 because it could not be verified for use as a Key Recovery Agent. %2 %3

85

Low

Active Directory Certificate Services ignored key recovery certificate %1 because it could not be loaded. %2 %3

86

Low

Active Directory Certificate Services could not use the provider specified in the registry for encryption keys. %1

87

Low

Active Directory Certificate Services could not use the default provider for encryption keys. %1

88

Low

Active Directory Certificate Services switched to the default provider for encryption keys. %1

90

Low

%1: Active Directory Certificate Services detected an exception at address %2. Flags = %3. The exception is %4.

91

Low

Could not connect to the Active Directory. Active Directory Certificate Services will retry when processing requires Active Directory access.

92

Low

Active Directory Certificate Services could not update security permissions. %1

93

Low

The certificate (#%1) of Active Directory Certificate Services %2 does not exist in the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container. The directory replication may not be completed.

94

Low

Active Directory Certificate Services %1 can not open the certificate store at CN=NTAuthCertificates,CN=Public Key Services,CN=Services in the Active Directory's configuration container.

95

High

Security permissions are corrupted or missing. The Active Directory Certificate Services may need to be reinstalled.

96

Low

Active Directory Certificate Services could not create an encryption certificate. %1. %2.

97

Low

Active Directory Certificate Services %1 will reduce the maximum lifetime of the issued certificate for request %2 because the CA certificate lifetime is shorter than the registry validity period. Consider renewing the CA certificate or reducing the registry validity period.

98

Low

Active Directory Certificate Services encountered errors validating configured key recovery certificates. Requests to archive private keys will no longer be accepted.

99

Low

Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. %2. %3.

100

Low

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. %1 %2.

101

Low

Active Directory Certificate Services created CA cross certificate %2 for %1.

102

Low

Active Directory Certificate Services could not create cross certificate %1 to certify its own root certificates. The %2 extension is inconsistent. %3. %4.

103

Low

Active Directory Certificate Services added the root certificate of certificate chain %1 to the downloaded Trusted Root Certification Authorities Enterprise store on the CA computer. This store will be updated from the Certification Authorities container in Active Directory the next time Group Policy is applied. To verify that the CA certificate is published correctly in Active Directory, run the following command: certutil -viewstore "%2" (you must include the quotation marks when you run this command). If the Root CA certificate is not present, use the Certificates console on the Root CA computer to export the certificate to a file, and then run the following command to publish it to Active Directory: Certutil -dspublish %certificatefilename% Root.

104

Low

Active Directory Certificate Services published certificate %1 to %2.

105

Low

Active Directory Certificate Services deleted invalid certificate %1 from %2.

106

Low

Active Directory Certificate Services cannot add certificate %1 to %2. %3. %4.

107

Low

Active Directory Certificate Services cannot delete invalid certificate %1 from %2. %3. %4.

108

Low

Active Directory Certificate Services could not delete a Certificate for request %1 from the following location: %2. %3.%5%6

109

Low

Active Directory Certificate Services could not delete a Certificate for request %1 from the following location on server %4: %2. %3.%5%6

110

Low

Active Directory Certificate Services could not initialize the performance counters.

111

Low

Active Directory Certificate Services upgrade failed because the upgrade path could not be determined. %1

112

Low

Active Directory Certificate Services upgrade failed because information required for the upgrade was unavailable. %1

113

Low

A portion of the Active Directory Certificate Services upgrade failed: Could not create CertEnroll folder and/or shared folder with proper permissions. %1

114

Low

A portion of the Active Directory Certificate Services upgrade failed: Could not create virtual roots. %1

115

Low

A portion of the Active Directory Certificate Services upgrade failed: Could not update server registry entries. %1

116

Low

A portion of the Active Directory Certificate Services upgrade failed: Could not create web configuration file. %1

117

Low

A portion of the Active Directory Certificate Services upgrade failed: Could not create revocation page. %1

118

Low

A portion of the Active Directory Certificate Services upgrade failed: Could not upgrade key containers. %1

119

Low

A portion of the Active Directory Certificate Services upgrade failed: Could not register CertSrv request. %1

120

Low

A portion of the Active Directory Certificate Services upgrade failed: Could not register CertSrv admin. %1

121

Low

A portion of the Active Directory Certificate Services upgrade failed: Could not install new templates. %1

122

Low

A portion of the Active Directory Certificate Services upgrade failed: Could not update service description. %1

123

Low

A portion of the Active Directory Certificate Services upgrade failed: Could not update security settings. %1

124

Low

Active Directory Certificate Services upgrade succeeded. Active Directory Certificate Services settings have been upgraded successfully.

125

Low

Active Directory Certificate Services upgrade failed. Active Directory Certificate Services settings have not been upgraded. %1

126

Low

Current information about advanced features supported by this CA is not available from the domain controller. Stop and restart Certificate Services in order to update this information. %1

127

Low

Key recovery certificate %1 is about to expire soon and will not be used upon expiration. Contact your administrator to renew this certificate. %2 %3

128

Low

An Authority Key Identifier was passed as part of the certificate request %1. This feature has not been enabled. To enable specifying a CA key for certificate signing, run: "certutil -setreg ca\UseDefinedCACertInRequest 1" and then restart the service.

129

Low

An invalid OID has been detected in the EnabledEKUForDefinedCACert configuration setting. To resolve, run: "certutil -getreg ca\EnabledEKUForDefinedCACert" to identify the invalid OID and correct it. The default OID ("1.3.6.1.5.5.7.3.9") will be used.

130

Low

Active Directory Certificate Services could not create a certificate revocation list. %1. This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the certificate revocation list manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.

131

Low

An invalid OID has been detected in the EKUOIDsForPublishExpiredCertInCRL configuration setting. To resolve, run: "certutil -getreg ca\EKUOIDsForPublishExpiredCertInCRL" to identify the invalid OID and correct it. The default OIDs ("1.3.6.1.5.5.7.3.3" and "1.3.6.1.4.1.311.61.1.1") will be used.

132

Low

The CA was unable to perform a decryption operation. This error can occur when an advanced encryption algorithm such as Advanced Encryption Standard (AES) is used and the CA has not been configured to use a CryptoAPI Next Generation (CNG) key storage provider. If this error occurred during certificate enrollment, check the Certificate Template to ensure that advanced encryption for key archival is not enabled.

133

Low

The CA failed to encode a server extension required to validate a certificate or certification revocation list (CRL). The CA will not issue any certificates or CRLs that do not contain this extension. To correct this problem, use the CA snap-in to remove any Unicode characters in the URLs for the AIA, CDP, and IDP extensions, then restart the CA.

Registry Values to Monitor

The following events are recommendations for advanced monitoring of registry changes that affect the security of a CA. While many of these same alerts are generated when enabling auditing on the CA, there are cases where values can be changed and no alert is generated. In those cases, registry auditing can be enabled and the following events can be monitored for.

In the table below, “Event ID” is the current Microsoft Windows® event ID for versions of Microsoft Windows® currently in mainstream support. “Text to Alert On” is the text to search for within the event body when an alert is generated. “Potential Criticality” identifies whether the event should be considered of low, medium or high criticality in detecting attacks. The event summary contains a brief description of the event.

Event ID

Text to Alert On

Potential Criticality

Event Summary

4657

"AuditFilter"

High

The audit filter controls which Microsoft Windows® Security Auditing events are logged. Changing the audit filter may indicate an attacker attempting to disable logging prior to performing a certificate operation. Normally the audit filter is configured when the CA is created and not changed after.

4657

"EKUOIDsForPublishExpiredCertInCRL"

High

This value controls what types of certificates remain on a CRL even after the certificate expires. An attacker could remove specific certificate types (such as Code Signing) that would allow a previously revoked certificate that malware was signed with to validate successfully again after the next CRL publication.This value is not changed during normal CA operation.

4657

“EditFlags”

Medium

Alert if the new value enables EDITF_ATTRIBUTESUBJECTALTNAME2. This can be identified by taking the value found in the “New Value” field and performing a bitwise “AND” operation with 262144 (the decimal value for the bitmask for the EDITF_ATTRIBUTESUBJECTALTNAME2 value). Adding this value will allow any certificate request to contain arbitrary alternative names.

4657

"KRACertHash"

Medium

This will happen rarely in normal operations and an attacker who has control of a valid KRA certificate could assign it to a CA to get access to any private keys that are subsequently archived on the CA.

4657

"RoleSeparationEnabled"

Medium

Role separation allows for a CA to tightly control the rights of a specific user and enforce that all users can only have one role on the system (CA Admin, Cert Issuer, administrator, Auditor). A local administrator can always disable role separation, which may allow an account who should not have rights to perform an operation to be eligible for those rights.

4657

"Security"

High

This alert is raised when the permissions on the CA are modified. These permissions control which users and groups are allowed to Read CA information, issue certificates, manage the CA settings and enroll for certificates from a given CA. Modification could allow an attacker to give privileges to an unwanted account for enrollment.This is a similar alert to 4882.

4657

"ExitModules","Active"

High

Indicates a change to the default exit module(s) being used by the CA. Exit modules allow additional actions to be performed by the CA after an event occurs (issuance, revocation, CRL publishing, etc.). Additions/deletions of exit modules occur very infrequently in normal operations and may indicate tampering with the CA.

4657

"PolicyModules","Active"

High

Indicates a change to the active policy module being used by the CA. The policy module control certificate issuance and is changed very infrequently in normal operations.

See Also

Securing Public Key Infrastructure (PKI)
Securing PKI: Introduction
Securing PKI: Planning a CA Hierarchy
Securing PKI: Physical Controls for Securing PKI
Securing PKI: PKI Process Security
Securing PKI: Technical Controls for Securing PKI
Securing PKI: Planning Certificate Algorithms and Usages
Securing PKI: Protecting CA Keys and Critical Artifacts
Securing PKI: Monitoring Public Key Infrastructure
Securing PKI: Compromise Response
Securing PKI: Appendix B: Certification Authority Audit Filter
Securing PKI: Appendix C: Delegating Active Directory PKI Permissions
Securing PKI: Appendix D: Glossary of Terms
Securing PKI: Appendix E: PKI Basics
Securing PKI: Appendix F: List of Recommendations by Impact Level
Security and Protection
Secure Windows Server 2012 R2 and Windows Server 2012