Event Source: | Microsoft Windows Security Auditing |
Event ID: | 4900 (0x1324) |
Event log: | Security |
Event type: | Information |
Event text (English): | Certificate Services template security was updated. %1 v%2 (Schema V%3) %4 %5 Template Change Information: Old Template Content: %9 New Template Content: %7 Old Security Descriptor: New Security Descriptor: %8 Additional Information: Domain Controller: %6 |
Event text (German): | The security of the certificate service template has been updated. The certificate services have loaded a template. %1 v%2 (Schema V%3) %4 %5 Template change information: Old template content: %9 New template content: %7 Old security description: New security description: %8 Additional information: Domain controller: %6 |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: TemplateInternalName (win:UnicodeString)
- %2: TemplateVersion (win:UnicodeString)
- %3: TemplateSchemaVersion (win:UnicodeString)
- %4: TemplateOID (win:UnicodeString)
- %5: TemplateDSObjectFQDN (win:UnicodeString)
- %6: DCDNSName (win:UnicodeString)
- %7: NewTemplateContent (win:UnicodeString)
- %8: NewSecurityDescriptor (win:UnicodeString)
- %9: OldTemplateContent (win:UnicodeString)
- : OldSecurityDescriptor (win:UnicodeString)
In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
In order for the certification authorities to log the security setting changes to certificate templates, the following command must be executed once on each certification authority:
certutil -setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD
After a certificate template has been put into operation, it should only rarely be necessary to change the security settings. An attacker could, assuming the appropriate rights, set up a backdoor via write or request permissions.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
This event should occur only rarely during operation. A change to the permissions of the certificate templates should be made via a Change. However, if the write permissions on certificate templates are not configured properly, this could allow unauthorized users to obtain certificates on behalf of other users. Depending on the severity, this could compromise Active Directory.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity rating of "Medium".
Related links:
- Overview of audit events generated by the Certification Authority
- Overview of the audit events generated by the online responder (OCSP)
External sources
- Securing Public Key Infrastructure (PKI) (Microsoft)
- Securing PKI: Monitoring Public Key Infrastructure (Microsoft)