Details of the event with ID 4898 of the source Microsoft-Windows-Security-Auditing

Event Source:Microsoft Windows Security Auditing
Event ID:4898 (0x1322)
Event log:Security
Event type:Information
Event text (English):Certificate Services loaded a template. %1 v%2 (Schema V%3) %4 %5 Template Information: Template Content: %7 Security Descriptor: %8 Additional Information: Domain Controller: %6
Event text (German):Certificate Services have loaded a template. %1 v%2 (Scheme V%3) %4 %5 Template information: Template content: %7 Security description: %8 Additional information: Domain Controller: %6

Parameter

The parameters contained in the event text are filled with the following fields:

  • %1: TemplateInternalName (win:UnicodeString)
  • %2: TemplateVersion (win:UnicodeString)
  • %3: TemplateSchemaVersion (win:UnicodeString)
  • %4: TemplateOID (win:UnicodeString)
  • %5: TemplateDSObjectFQDN (win:UnicodeString)
  • %6: DCDNSName (win:UnicodeString)
  • %7: TemplateContent (win:UnicodeString)
  • %8: SecurityDescriptor (win:UnicodeString)

In contrast to operational events, which are usually grouped under the term "monitoring", auditing on the certification authority means configuring the logging of security-relevant events.

Example events

 Certificate Services loaded a template. 

ADCSLaborNDES v100.11 (Schema V2)
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.3300970.10789002
CN=ADCSLaborNDES,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=de

Template Information:
Template Content:
flags = 0x20241 (131649)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1
CT_FLAG_MACHINE_TYPE -- 0x40 (64)
CT_FLAG_ADD_TEMPLATE_NAME -- 0x200 (512)
CT_FLAG_IS_MODIFIED -- 0x20000 (131072)

msPKI private key flag = 0x1010000 (16842752)
CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0x0
TEMPLATE_SERVER_VER_2003< TEMPLATE_CLIENT_VER_XP<
msPKI certificate name flag = 0x1 (1)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 0x1

msPKI enrollment flag = 0x0 (0)

msPKI template schema version = 2

revision = 100

msPKI template minor revision = 11

msPKI-RA-Signature = 0

msPKI minimum key size = 3072

pKIDefaultKeySpec = 1

pKIExpirationPeriod = 2 Years

pKIOverlapPeriod = 6 Weeks

cn = ADCSLaborNDES

distinguishedName = ADCSLaborNDES

msPKI-Cert-Template-OID =
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.3300970.10789002 ADCS Labor NDES

pKIKeyUsage = a0

displayName = ADCS Lab NDES

templateDescription = Computer

pKIExtendedKeyUsage =
1.3.6.1.5.5.8.2.2 IP security IKE intermediate

pKIDefaultCSPs =
Microsoft RSA SChannel Cryptographic Provider

msPKI-Supersede-Templates =

msPKI RA policies =

msPKI-RA-Application-Policies =

msPKI-Certificate-Policy =

msPKI-Certificate-Application-Policy =
1.3.6.1.5.5.8.2.2 IP security IKE intermediate

pKICriticalExtensions =
2.5.29.15 Key Usage

Security Descriptor: O:S-1-5-21-1381186052-4247692386-135928078-500G:S-1-5-21-1381186052-4247692386-135928078-519D:PAI(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1381186052-4247692386-135928078-1109)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1381186052-4247692386-135928078-1162)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1381186052-4247692386-135928078-1171)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1381186052-4247692386-135928078-1172)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1381186052-4247692386-135928078-519)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;AU)(A;;LCRPRC;;;S-1-5-21-1381186052-4247692386-135928078-1109)(A;;LCRPRC;;;S-1-5-21-1381186052-4247692386-135928078-1162)(A;;LCRPRC;;;S-1-5-21-1381186052-4247692386-135928078-1171)(A;;LCRPRC;;;S-1-5-21-1381186052-4247692386-135928078-1172)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-1381186052-4247692386-135928078-519)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-1381186052-4247692386-135928078-500)(A;;LCRPLORC;;;AU)

Allow S-1-5-21-1381186052-4247692386-135928078-1109
Enroll
Allow INTRA\rudi
Enroll
Allow S-1-5-21-1381186052-4247692386-135928078-1171
Enroll
Allow S-1-5-21-1381186052-4247692386-135928078-1172
Enroll
Allow INTRA\Domain Admins
Enroll
Allow INTRA\Enterprise Admins
Enroll
Allow NT AUTHORITY\Authenticated Users
Enroll
Allow(0x00020014) S-1-5-21-1381186052-4247692386-135928078-1109
Read
Allow(0x00020014) INTRA\rudi
Read
Allow(0x00020014) S-1-5-21-1381186052-4247692386-135928078-1171
Read
Allow(0x00020014) S-1-5-21-1381186052-4247692386-135928078-1172
Read
Allow(0x000f00ff) INTRA\Domain Admins
Full Control
Allow(0x000f00ff) INTRA\Enterprise Admins
Full Control
Allow(0x000f00ff) INTRA\Administrator
Full Control
Allow(0x00020094) NT AUTHORITY\Authenticated Users
Read


Additional Information:
Domain Controller: DC01.intra.adcslabor.de

Description

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and enables the application of policies to achieve secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.

In order for a certification authority to log this event, and with it the content and security settings of every certificate template it loads, the following command must be executed once on each certification authority; the change takes effect after the certification authority service (CertSvc) is restarted:

certutil -setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD

As with all other Certificate Services audit events, the "Certification Services" audit subcategory (Object Access) must also be enabled on the certification authority and auditing must be enabled in the certification authority's own audit settings; otherwise nothing is written to the Security log despite the flag.

No description has been written for this yet.

Security assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

No description has been written for this yet.

Microsoft rating

Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity rating of "Medium".

The reasoning behind this is:

Alert if templates that are not expected on a CA are loaded.
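The Microsoft recommendation above amounts to comparing every loaded template against the list of templates expected on that CA. The following Python script is an added example (not code from this page, from Microsoft or from TameMyCerts) that does this over the message text of a 4898 event, as exported from the Security log or a SIEM, and goes one step beyond the allow-list check: it also reads the flags and the security descriptor carried in the event and reports the combination an attacker looks for (enrollee-supplied subject, no manager approval, enrollment open to a broad group, authentication-capable EKU) as well as the principals allowed to modify the template. The sample event text is constructed from the example above (template content trimmed to the attributes read, DACL reduced to six of its ACEs); the allow-list {"Machine", "WebServer"} and the set of well-known SID aliases treated as "broad" are assumptions.

```python
import re

# Certificate-Enrollment extended right; its GUID is the object type in template "Enroll" ACEs
ENROLL_RIGHT_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (certificate manager approval)
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2": "Client Authentication", "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
             "1.3.6.1.5.2.3.4": "PKINIT Client Authentication", "2.5.29.37.0": "Any Purpose"}
# SDDL aliases treated as "broad" enrollment (assumption: adjust to your environment)
BROAD_TRUSTEES = {"AU": "Authenticated Users", "DU": "Domain Users", "WD": "Everyone", "BU": "Users"}
WRITE_RIGHTS = {"WP", "WD", "WO", "GA", "GW"}  # SDDL rights that allow changing the template object

# Constructed sample: the 4898 message from the example event, content trimmed, DACL cut to six ACEs
SAMPLE_4898 = """Certificate Services loaded a template.

ADCSLaborNDES v100.11 (Schema V2)
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.3300970.10789002

Template Content:
msPKI certificate name flag = 0x1 (1)
msPKI enrollment flag = 0x0 (0)
pKIExtendedKeyUsage =
1.3.6.1.5.5.8.2.2 IP security IKE intermediate

Security Descriptor: O:S-1-5-21-1381186052-4247692386-135928078-500G:S-1-5-21-1381186052-4247692386-135928078-519D:PAI(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;S-1-5-21-1381186052-4247692386-135928078-1109)(OA;;RPWPCR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DA)(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;AU)(A;;LCRPRC;;;S-1-5-21-1381186052-4247692386-135928078-1109)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;LCRPLORC;;;AU)

Additional Information:
Domain Controller: DC01.intra.adcslabor.de
"""

def hex_field(message, label):
    """Value of a 'label = 0x... (...)' line in the template content, 0 if absent."""
    m = re.search(rf"^{re.escape(label)} = 0x([0-9A-Fa-f]+)", message, re.M)
    return int(m.group(1), 16) if m else 0

def list_field(message, label):
    """Values of a multi-valued attribute: the lines after 'label =' up to the next blank line."""
    lines = [l.strip() for l in message.splitlines()]
    if f"{label} =" not in lines:
        return []
    block = lines[lines.index(f"{label} =") + 1:]
    return block[:block.index("")] if "" in block else block

def sddl_rights(rights):
    """Split an SDDL rights string into two-letter tokens, so 'LCRPRC' is not misread as 'CR'."""
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def parse_4898(message):
    hdr = re.search(r"^(\S+) v(\d+)\.(\d+) \(Schema V(\d+)\)\s*$", message, re.M)
    if not hdr:
        raise ValueError("not a 4898 'Certificate Services loaded a template' message")
    oid = re.search(r"^(\d+(?:\.\d+)+)\s*$", message, re.M)   # first bare OID line is the template OID
    ekus = [line.split()[0] for line in list_field(message, "pKIExtendedKeyUsage")]
    sddl = re.search(r"^Security Descriptor: (\S+)", message, re.M)
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl.group(1)) if sddl else None
    enroll, writers = set(), set()
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA"):   # only access-allowed ACEs matter here
            continue
        ace_type, _, rights, obj_guid, _, trustee = fields[:6]
        tokens = sddl_rights(rights)
        if ace_type == "OA" and "CR" in tokens and obj_guid.lower() == ENROLL_RIGHT_GUID:
            enroll.add(trustee)                                # "Enroll" permission
        if tokens & WRITE_RIGHTS and (ace_type == "A" or not obj_guid):
            writers.add(trustee)                               # can rewrite the template itself
    return {
        "name": hdr.group(1), "version": (int(hdr.group(2)), int(hdr.group(3))),
        "schema": int(hdr.group(4)), "oid": oid.group(1) if oid else None,
        "enrollee_supplies_subject": bool(hex_field(message, "msPKI certificate name flag") & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "manager_approval": bool(hex_field(message, "msPKI enrollment flag") & CT_FLAG_PEND_ALL_REQUESTS),
        "auth_ekus": [AUTH_EKUS[e] for e in ekus if e in AUTH_EKUS], "no_eku": not ekus,
        "enroll_trustees": sorted(enroll), "write_trustees": sorted(writers),
    }

def assess(parsed, expected_templates):
    """Findings for one loaded template; expected_templates is the allow-list for this CA."""
    findings = []
    if parsed["name"] not in expected_templates:
        findings.append(f"template {parsed['name']} is not on the expected list for this CA")
    broad = [BROAD_TRUSTEES[t] for t in parsed["enroll_trustees"] if t in BROAD_TRUSTEES]
    if broad:
        findings.append("enrollment granted to " + ", ".join(broad))
    if parsed["enrollee_supplies_subject"]:
        findings.append("enrollee supplies the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)")
    if not parsed["manager_approval"]:
        findings.append("no certificate manager approval required")
    auth = parsed["auth_ekus"] or (["no EKU restriction"] if parsed["no_eku"] else [])
    if auth:
        findings.append("usable for authentication: " + ", ".join(auth))
    if broad and parsed["enrollee_supplies_subject"] and not parsed["manager_approval"] and auth:
        findings.append("HIGH: arbitrary subject + broad enrollment + no approval + authentication use")
    if parsed["write_trustees"]:
        findings.append("principals able to modify the template: " + ", ".join(parsed["write_trustees"]))
    return findings

def analyze_4898(message, expected_templates):
    parsed = parse_4898(message)
    parsed["findings"] = assess(parsed, expected_templates)
    return parsed

if __name__ == "__main__":
    for finding in analyze_4898(SAMPLE_4898, {"Machine", "WebServer"})["findings"]:
        print(" -", finding)
```

Feed it the message of real events, for example `(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4898}).Message` collected from the CA in PowerShell. For the sample, the template is reported as unexpected, open to Authenticated Users, with enrollee-supplied subject and without approval, but the high-severity combination is not raised because its only EKU is IKE intermediate; the same template with Client Authentication as EKU would trigger it.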

Related links:

External sources
