Event Source: | Microsoft Windows Security Auditing |
Event ID: | 5125 (0x1405) |
Event log: | Security |
Event type: | Information |
Event text (English): | A request was submitted to OCSP Responder Service. |
Event text (German): | A request is transmitted to the OCSP response service. |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: SubjectUserSid (win:SID)
- %2: SubjectUserName (win:UnicodeString)
- %3: SubjectDomainName (win:UnicodeString)
- %4: SubjectLogonId (win:HexInt64)
In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.
Example events
A request was submitted to OCSP Responder Service. Certificate Serial Number: 73000000ab6b883da4b84844b80000000000ab Issuer CA Name: CN=ADCS Labor Issuing CA 1, OU=IT, O=ADCS Labor, L=Munich, S=Bavaria, C=DE Revocation Status: Good
A request was submitted to OCSP Responder Service. Certificate Serial Number: 1940dca79adf43b64a043106ed6f3571 Issuer CA Name: CN=ADCS Labor Issuing CA 1, OU=IT, O=ADCS Labor, L=Munich, S=Bavaria, C=DE Revocation Status: Unknown
Description
This event is only triggered when the Audit logging is enabled for the online responder and configured to log requests to the responder.
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
Revocation Status: Good
Is generated if the requested serial number is known and is not entered on a valid revocation list. Without deterministic "good", this response has no significance as to whether the certificate was issued by the certification authority at all.
Revocation Status: Revoked
Generated if the requested serial number is known and found in a valid blacklist.
Revocation Status: Unknown
Generated when the requested serial number is not known to the online responder.
In conjunction with the deterministic "good", this may indicate that a certificate is in circulation that is was not signed by the certification authority, for example, if their private key has been compromised.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
Is the online responder for a "Deterministic Good" is configured, an event with status "Unknown" may indicate that a certificate not issued by one of the configured certificate authorities was requested.
Another indication can be the serial number of the certificate. The serial numbers of a certificate issued by a Microsoft certification authority always have a common prefix (see also article "How is the serial number of a certificate formed?"). If the prefix of the serial number of the checked certificate differs, this may also indicate that a certificate not issued by one of the configured certificate authorities was requested.
You should also be alerted if certificates with the status "Revoked" (too frequent) are requested.
Related links:
- Overview of audit events generated by the Certification Authority
- Overview of the audit events generated by the online responder (OCSP)
- Signing certificates bypassing the certification authority
6 thoughts on “Details zum Ereignis mit ID 5125 der Quelle Microsoft-Windows-Security-Auditing”
Comments are closed.