| Field | Value |
| --- | --- |
| Event source | Microsoft Windows Security Auditing |
| Event ID | 4898 (0x1322) |
| Event log | Security |
| Event type | Information |
| Event text (English) | Certificate Services loaded a template. %1 v%2 (Schema V%3) %4 %5 Template Information: Template Content: %7 Security Descriptor: %8 Additional Information: Domain Controller: %6 |
| Event text (German, rendered in English) | Certificate Services have loaded a template. %1 v%2 (Schema V%3) %4 %5 Template information: Template content: %7 Security description: %8 Additional information: Domain Controller: %6 |
Parameters
The parameters contained in the event text are filled with the following fields:
- %1: TemplateInternalName (win:UnicodeString)
- %2: TemplateVersion (win:UnicodeString)
- %3: TemplateSchemaVersion (win:UnicodeString)
- %4: TemplateOID (win:UnicodeString)
- %5: TemplateDSObjectFQDN (win:UnicodeString)
- %6: DCDNSName (win:UnicodeString)
- %7: TemplateContent (win:UnicodeString)
- %8: SecurityDescriptor (win:UnicodeString)
In contrast to operational events, which are usually subsumed under the term "monitoring", auditing on the certification authority means configuring the logging of security-relevant events.
Example events
Certificate Services loaded a template.
ADCSLaborNDES v100.11 (Schema V2)
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.3300970.10789002
CN=ADCSLaborNDES,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=de
Template Information:
Template Content:
flags = 0x20241 (131649)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1
CT_FLAG_MACHINE_TYPE -- 0x40 (64)
CT_FLAG_ADD_TEMPLATE_NAME -- 0x200 (512)
CT_FLAG_IS_MODIFIED -- 0x20000 (131072)
msPKI private key flag = 0x1010000 (16842752)
CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0x0
TEMPLATE_SERVER_VER_2003<TEMPLATE_CLIENT_VER_XP<
msPKI certificate name flag = 0x1 (1)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1
msPKI enrollment flag = 0x0 (0)
msPKI template schema version = 2
revision = 100
msPKI template minor revision = 11
msPKI-RA-Signature = 0
msPKI minimum key size = 3072
pKIDefaultKeySpec = 1
pKIExpirationPeriod = 2 Years
pKIOverlapPeriod = 6 Weeks
cn = ADCSLaborNDES
distinguishedName = ADCSLaborNDES
msPKI-Cert-Template-OID =
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.3300970.10789002 ADCS Labor NDES
pKIKeyUsage = a0
displayName = ADCS Labor NDES
templateDescription = Computer
pKIExtendedKeyUsage =
1.3.6.1.5.5.8.2.2 IP security IKE intermediate
pKIDefaultCSPs =
Microsoft RSA SChannel Cryptographic Provider
msPKI-Supersede-Templates =
msPKI RA policies =
msPKI-RA-Application-Policies =
msPKI-Certificate-Policy =
msPKI-Certificate-Application-Policy =
1.3.6.1.5.5.8.2.2 IP security IKE intermediate
pKICriticalExtensions =
2.5.29.15 Key Usage
Security Descriptor: O:S-1-5-21-1381186052-4247692386-135928078-500G:S-1-5-21-1381186052-4247692386-135928078-519D:PAI(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1381186052-4247692386-135928078-1109)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1381186052-4247692386-135928078-1162)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1381186052-4247692386-135928078-1171)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1381186052-4247692386-135928078-1172)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1381186052-4247692386-135928078-519)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;AU)(A;;LCRPRC;;;S-1-5-21-1381186052-4247692386-135928078-1109)(A;;LCRPRC;;;S-1-5-21-1381186052-4247692386-135928078-1162)(A;;LCRPRC;;;S-1-5-21-1381186052-4247692386-135928078-1171)(A;;LCRPRC;;;S-1-5-21-1381186052-4247692386-135928078-1172)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-1381186052-4247692386-135928078-519)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-1381186052-4247692386-135928078-500)(A;;LCRPLORC;;;AU)
Allow S-1-5-21-1381186052-4247692386-135928078-1109
Enroll
Allow INTRA\rudi
Enroll
Allow S-1-5-21-1381186052-4247692386-135928078-1171
Enroll
Allow S-1-5-21-1381186052-4247692386-135928078-1172
Enroll
Allow INTRA\Domain Admins
Enroll
Allow INTRA\Enterprise Admins
Enroll
Allow NT AUTHORITY\Authenticated Users
Enroll
Allow(0x00020014) S-1-5-21-1381186052-4247692386-135928078-1109
Read
Allow(0x00020014) INTRA\rudi
Read
Allow(0x00020014) S-1-5-21-1381186052-4247692386-135928078-1171
Read
Allow(0x00020014) S-1-5-21-1381186052-4247692386-135928078-1172
Read
Allow(0x000f00ff) INTRA\Domain Admins
Full Control
Allow(0x000f00ff) INTRA\Enterprise Admins
Full Control
Allow(0x000f00ff) INTRA\Administrator
Full Control
Allow(0x00020094) NT AUTHORITY\Authenticated Users
Read
Additional Information:
Domain Controller: DC01.intra.adcslabor.de
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of rules to achieve secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
In order for the certification authorities to log changes to the security settings of certificate templates, the following command must be run once on each certification authority:
certutil -setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD
No description has been written for this yet.
Security assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
No description has been written for this yet.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity rating of "Medium".
The reasoning behind this is:
Alert if templates that are not expected on a CA are loaded.
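As an added example (not part of this page or of the cited Microsoft guidance), the following Python reads a 4898 event in the Windows event XML form, maps the %1 to %8 parameters by the Data names from the parameter list above, decodes the four CT_FLAG_* bits shown in the example event, and compares the loaded template's internal name against an allowlist of templates expected on the CA, which is the check Microsoft's reasoning calls for. The sample event is constructed from the values shown on this page (the security descriptor is shortened); the allowlist contents and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Bits of the template "flags" attribute, as named in the example event on this page.
# Only the four values shown there are listed; other CT_FLAG_* bits exist but are
# not part of this page and are reported as "unknown" below.
CT_FLAGS = {
    0x1: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x40: "CT_FLAG_MACHINE_TYPE",
    0x200: "CT_FLAG_ADD_TEMPLATE_NAME",
    0x20000: "CT_FLAG_IS_MODIFIED",
}

# The eight parameters of event 4898, keyed by their Data names (%1 .. %8).
FIELDS = ("TemplateInternalName", "TemplateVersion", "TemplateSchemaVersion",
          "TemplateOID", "TemplateDSObjectFQDN", "DCDNSName",
          "TemplateContent", "SecurityDescriptor")

# Namespace used by Windows event XML as exported by wevtutil / Get-WinEvent.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample event (assumption: not a real capture); values taken from the
# example event above, wrapped in the standard event XML envelope.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4898</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TemplateInternalName">ADCSLaborNDES</Data>
    <Data Name="TemplateVersion">100.11</Data>
    <Data Name="TemplateSchemaVersion">2</Data>
    <Data Name="TemplateOID">1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.3300970.10789002</Data>
    <Data Name="TemplateDSObjectFQDN">CN=ADCSLaborNDES,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=de</Data>
    <Data Name="DCDNSName">DC01.intra.adcslabor.de</Data>
    <Data Name="TemplateContent">flags = 0x20241 (131649)
    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1
    CT_FLAG_MACHINE_TYPE -- 0x40 (64)
    CT_FLAG_ADD_TEMPLATE_NAME -- 0x200 (512)
    CT_FLAG_IS_MODIFIED -- 0x20000 (131072)
msPKI template schema version = 2
msPKI minimum key size = 3072</Data>
    <Data Name="SecurityDescriptor">O:S-1-5-21-1381186052-4247692386-135928078-500G:S-1-5-21-1381186052-4247692386-135928078-519D:PAI(A;;LCRPLORC;;;AU)</Data>
  </EventData>
</Event>
"""


def parse_4898(xml_text):
    """Return the eight EventData fields of a 4898 event as a dict, or None if the
    event has a different ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4898":
        return None
    data = {}
    for d in root.findall("e:EventData/e:Data", NS):
        name = d.get("Name")
        if name in FIELDS:
            data[name] = (d.text or "").strip()
    return data


def decode_flags(template_content):
    """Pull the numeric 'flags = 0x...' value out of TemplateContent and name its set bits.
    Returns (value, known_flag_names, unknown_bits)."""
    m = re.search(r"^\s*flags\s*=\s*0x([0-9a-fA-F]+)", template_content, re.MULTILINE)
    if not m:
        return None, [], 0
    value = int(m.group(1), 16)
    known = [name for bit, name in sorted(CT_FLAGS.items()) if value & bit]
    unknown = value & ~sum(CT_FLAGS)  # bits this page does not name
    return value, known, unknown


def summarize_4898(xml_text, expected_templates):
    """Build the record a SIEM rule would act on: template identity, decoded flags and
    whether the template is on the CA's allowlist (Microsoft: alert if it is not)."""
    data = parse_4898(xml_text)
    if data is None:
        return None
    value, known, unknown = decode_flags(data.get("TemplateContent", ""))
    name = data.get("TemplateInternalName", "")
    return {
        "template": name,
        "version": data.get("TemplateVersion"),
        "schema": data.get("TemplateSchemaVersion"),
        "oid": data.get("TemplateOID"),
        "dc": data.get("DCDNSName"),
        "flags_value": value,
        "flags": known,
        "unknown_flag_bits": unknown,
        "expected": name in expected_templates,
    }


if __name__ == "__main__":
    # Allowlist is an assumption: the templates this CA is supposed to serve.
    allowlist = {"Machine", "WebServer"}
    result = summarize_4898(SAMPLE_EVENT_XML, allowlist)
    if not result["expected"]:
        print(f"ALERT: unexpected template loaded: {result['template']} "
              f"v{result['version']} (OID {result['oid']}) via {result['dc']}")
    print("flags:", ", ".join(result["flags"]))
```

The allowlist should be maintained per CA, since the same template may be legitimate on one issuing CA and unexpected on another; comparing by TemplateInternalName rather than displayName avoids being fooled by a renamed display name, and keeping the OID in the alert text lets an analyst tie the event to the template object in the Configuration partition.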
Related links:
- Overview of audit events generated by the Certification Authority
- Overview of the audit events generated by the online responder (OCSP)
External sources
- Securing Public Key Infrastructure (PKI) (Microsoft)
- Securing PKI: Monitoring Public Key Infrastructure (Microsoft)