Field | Value |
---|---|
Event Source | Microsoft Windows Security Auditing |
Event ID | 4886 (0x1316) |
Event log | Security |
Event type | Information |
Event text (English) | Certificate Services received a certificate request. Request ID: %1 Requester: %2 Attributes: %3 |
Event text (German) | Certificate Services has received a certificate request. Request ID: %1 Requester: %2 Attributes: %3 |
Parameters
The parameters contained in the event text are filled with the following fields:
- %1: RequestId (win:UnicodeString)
- %2: Requester (win:UnicodeString)
- %3: Attributes (win:UnicodeString)
In contrast to operational events, which are usually grouped under the term "monitoring", auditing on the certification authority means configuring the logging of security-relevant events.
Example events
Certificate Services received a certificate request.
Request ID: 125
Requester: INTRA\CA06$
Attributes:
cdc:DC01.intra.adcslabor.de
rmd:CA06.intra.adcslabor.de
ccm:CA06.intra.adcslabor.com
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
The event is logged when a certificate request is sent to the certificate authority and the Issue and manage certificate requests option is enabled in the certificate authority auditing options.
Each certificate request, whether issued or not, is stored in the certification authority's database. Any user in the network can send requests to the certification authority; if the requester lacks the necessary rights, the request is rejected but still logged.
The additional logged attributes have the following meaning:
Abbreviation | Name | Description |
---|---|---|
cdc | Cert Domain Controller | An optional attribute in the certificate request. Describes the domain controller used by the requester. Usually present if the certificate request was created from a Windows computer. |
rmd | Request Machine DNS Name | An optional attribute in the certificate request. Describes the DNS name of the computer from which the certificate request was sent (even if a user certificate is requested). Usually present if the certificate request was created from a Windows computer. |
ccm | Cert Client Machine | DNS name of the computer that established the DCOM connection (ICertRequest::Submit) to the certification authority. May differ from rmd, e.g. if the certificate enrollment web services are upstream, or if a certificate request is submitted manually. This attribute does not seem to be determined by the client, but by the certification authority. |
The attributes "cdc" and "rmd" can be used (if configured) by the Windows default Policy module used by the certification authority to avoid certificate issuance errors due to replication latencies. Assuming a client computer is newly installed and the computer account has not yet been replicated from the domain controller at the client's location to that of the certification authority, the certification authority can contact the domain controller specified in "cdc" and determine the information that way.
Security assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
A correspondingly high number of requests causes not only system load but also large database growth, which can fill the system's hard disk and lead to a failure of the certification authority and possibly of the IT services that depend on it.
As a rule of thumb, 1000 certificates correspond to approximately 16 Mbytes of storage space. 1000 certificates per second would therefore correspond to approx. 1.4 TByte per day.
The attack scenario is rather unlikely, but could lead to a failure of the certification authority and IT services dependent on it due to a full hard disk.
The additional attributes "rmd" and "ccm" included in the certificate request can be helpful to identify the source of such an attack and/or to formulate the detection rules more precisely.
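As an added example that is not part of this page or of any Microsoft tool, the following Python script parses exported 4886 message texts in the layout shown above, counts requests per requester and source host (preferring the CA-determined "ccm" over the client-supplied "rmd"), and lists requests whose "rmd" differs from "ccm". The sample events, the host names and the flood threshold are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample 4886 message bodies in the layout shown on this page
# (one "key:value" attribute per line). Not captured from a real CA.
SAMPLE_EVENTS = [
    "Certificate Services received a certificate request.\nRequest ID: 125\n"
    "Requester: INTRA\\CA06$\nAttributes:\ncdc:DC01.intra.adcslabor.de\n"
    "rmd:CA06.intra.adcslabor.de\nccm:CA06.intra.adcslabor.com",
    # manual submission, e.g. a hand-made PKCS #10 request: no cdc/rmd at all
    "Certificate Services received a certificate request.\nRequest ID: 126\n"
    "Requester: INTRA\\svc-web\nAttributes:\nccm:CA06.intra.adcslabor.com",
] + [  # a burst from one user; rmd names a host other than the one the CA saw
    f"Certificate Services received a certificate request.\nRequest ID: {rid}\n"
    "Requester: INTRA\\jdoe\nAttributes:\ncdc:DC01.intra.adcslabor.de\n"
    "rmd:WS42.intra.adcslabor.de\nccm:WS99.intra.adcslabor.de"
    for rid in range(127, 133)
]
_HEADER = re.compile(r"Request ID:\s*(\d+)\s*Requester:\s*(\S+)\s*Attributes:(.*)", re.S)

def parse_4886(message: str) -> dict:
    """Split one 4886 message into request id, requester and the attribute map."""
    m = _HEADER.search(message)
    if not m:
        raise ValueError("not a 4886 message")
    attrs = {}
    for line in m.group(3).splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:  # skip blank or malformed lines
            attrs[key.lower()] = value.strip()
    return {"request_id": int(m.group(1)), "requester": m.group(2), "attributes": attrs}

def source_host(parsed: dict) -> str:
    """Prefer ccm (determined by the CA) over rmd (claimed by the client)."""
    a = parsed["attributes"]
    return a.get("ccm") or a.get("rmd") or "?"

def find_request_floods(messages, threshold: int):
    """Requests per (requester, source host); return pairs at or above threshold."""
    counts = Counter((p["requester"], source_host(p)) for p in map(parse_4886, messages))
    return [(k, n) for k, n in counts.most_common() if n >= threshold]

def rmd_ccm_mismatches(messages):
    """Request IDs whose client-stated host (rmd) differs from ccm."""
    ids = []
    for p in map(parse_4886, messages):
        a = p["attributes"]
        if "rmd" in a and "ccm" in a and a["rmd"].lower() != a["ccm"].lower():
            ids.append(p["request_id"])
    return ids
```

On a live CA the message texts would come from the Security log (for instance via Get-WinEvent filtered on ID 4886) instead of the constructed list, and the threshold should be tuned to the normal enrollment rate of the environment.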
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
Related links:
- Overview of audit events generated by the Certification Authority
- Overview of the audit events generated by the online responder (OCSP)
External sources
- Securing Public Key Infrastructure (PKI) (Microsoft)
- New Certificate Request Using PKCS #10 Request Format (Microsoft)
- Custom Request Attributes (Microsoft TechNet Forums)