| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 4896 (0x1320) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | One or more rows have been deleted from the certificate database. Table ID: %1 Filter: %2 Rows Deleted: %3 |
| Event text (German): | At least one row was deleted from the certificate database. Table ID: %1 Filter: %2 Deleted rows: %3 |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: TableId (win:UnicodeString)
- %2: Filter (win:UnicodeString)
- %3: RowsDeleted (win:UnicodeString)
- %4: SubjectUserSid (win:SID)
- %5: SubjectUserName (win:UnicodeString)
- %6: SubjectDomainName (win:UnicodeString)
- %7: SubjectLogonId (win:HexInt64)
In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.
Example events
One or more rows have been deleted from the certificate database.
Table ID: 0
Filters: 12
Rows Deleted: 1
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
Usually there is no reason to delete records from the CA database. Deleting individual rows from the CA database could be an indication that a manipulation attempt is to be concealed.
A valid reason for deletion could be to remove expired certificates from the certificate authority database to free up space. See also article "(Mass) deletion of entries in the certification authority database (certificates, requirements, revocation lists)„.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
Usually there is no reason to delete records from the CA database. In rare cases, this may be necessary due to extreme database growth. Usually, however, such an event is considered critical and should be alerted accordingly.
Which records are affected can be determined from the previous events. In particular, the Event 4887 (Certificate Services approved a certificate request and issued a certificate.) helpful here.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity rating of "Severe".
The reasoning behind this is:
May indicate an attacker covering their tracks after issuing certificates.
Related links:
- Overview of audit events generated by the Certification Authority
- Overview of the audit events generated by the online responder (OCSP)
External sources
- Securing Public Key Infrastructure (PKI) (Microsoft)
English 
Deutsch
2 thoughts on “Details zum Ereignis mit ID 4896 der Quelle Microsoft-Windows-Security-Auditing”
Comments are closed.