Schedule a Demo
Blog August 12, 2021 Active Directory, Certificates, Certutil, Maintenance, Offline CA, PKI

Enabling Active Directory Certificate Services (ADCS) advanced audit

by Vadims Podāns

Hello S-1-1-0, here is another unscheduled blog post on enabling advanced audit in Microsoft CA. Today I went through another thread on Twitter which suggests how to enable advanced audit in Microsoft CA. Throughout the thread it was apparent that only partial solution was provided.

Person sitting at a laptop while viewing the PKI Spotlight Dashboard.

Expand Your PKI Visibility

Discover why seeing is securing with revolutionary PKI monitoring and alerting.

Learn More About PKI Spotlight®

Windows CA auditing engines

Microsoft CA implements a set of auditing engines, including:

  • Standard Events — these are top-level informational events registered in Application event log. Such as CA certificate expiration notifications and relevant errors. Standard logging is enabled by default and does not require any configuration.
  • Audit Events — these are detailed audit events registered in Security event log and display detailed activity in certificate services. Audit events are subject of this blog post. Audit events are not enabled by default.
  • Debug Log — these are low-level debug traces logged in certocm.log, certutil.log and certsrv.log. These logs are useful only for Microsoft Support who can understand them. Debug log is not enabled by default.

Configuring CA Audit engine

Audit configuration in certificate services consist of two pieces:

  1. CA\AuditFilter setting in CA configuration
  2. Object Access Audit — Certificate Services in group policies.

First step is configured either, using certutil.exe or Certification Authority MMC (certsrv.msc), Audit tab. Here is the Microsoft article on configuring audit filter: Securing PKI: Appendix B: Certification Authority Audit Filter. In most cases it is configured simply as:

certutil –setreg CA\AuditFilter 127
net stop certsvc && net start certsvc

Don’t forget to restart certificate services, when configuring audit settings in Certification Authority MMC.
Second step requires GPO configuration, either, local (for workgroup members) or domain. It is configured with Success and Failure (this one is optional) under: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Audit Certification Services:

Screenshot of the Group Policy Management Editor with "Audit Certification Services" selected under "Object Access" utilizing ADCS

In addition, audit subcategory processing must be enabled under: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings:

Screenshot of the Group Policy Management Editor with "Audit: Force audit policy subcategory settings" selected under "Security Options"

And apply the GPO to OU where CA servers reside and refresh policies on CA servers.

Verify Audit

Only after all configurations are complete, events will start to show up in Security event log:

Screenshot of the Security Event Log with "Audit Success" selected

A full list of events registered by certificate services is provided in Securing PKI: Appendix A: Events to Monitor article.
HTH

Related Resources

  • Blog A representation of PKI and digital certificate with a key lying on a blue circuit board
    November 7, 2024

    PKI Insights Recap – Is Your PKI Healthy? The Essential Guide to Comprehensive Assessments

    PKI, PKI Insights
  • Blog Image of a person sitting at a desk working on a laptop with PKI Spotlight on the screen.
    October 4, 2024

    Announcing the October 2024 PKI Spotlight® Release

    PKI, PKI Spotlight
  • Blog
    August 16, 2024

    To Revoke or Not to Revoke: Balancing Security with Performance and Operational Complexity

    CA, Certificate Authority, Certificate Revocation List, CRL, OCSP, PKI, VPN

Vadims Podāns

PKI Software Architect

View All Posts by Vadims Podāns

Comments

  • Awesome, Vadims. Just fyi, I did some research and documentation on all the available Standard and Audit Events in the last years. These extend the Securing PKI whitepaper in terms of evaluating their relation to confidentiality, integrity and availability. Find them here: Standard Events (https://www.gradenegger.eu/?p=6183), Audit Events (https://www.gradenegger.eu/?p=6218). Perhaps you want to mention that some of the Standard Events only get logged when the LogLevel (https://www.gradenegger.eu/?p=528) has been increased, as well as Audit Events 4898, 4899 and 4900 only get logged when EDITF_AUDITCERTTEMPLATELOAD flag is set.

    • I think it is a subject of more thorough document/whitepaper on eventing and auditing. Say, compose the information in different yours/mine/others blog posts, articles into a single and complete (to some extent of course) document. This blog posts focuses only on how to enable this logging. If you would like, we can cooperate on this and build a community whitepaper like I did in autoenrollment community whitepaper.

    • Hi Uwe, Do you have the English version of your articles? If you share that would be great. Thank you!

  • Nice article @Vadims! It might be worth mentioning that setting “Audit Policy Configuration” reverts all other Audit settings on the system (the Windows default Audit settings). All other settings (such as the default Logon/Logoff and other) are now in “No Audit” mode, effectively turning off a lot of settings that might be in use for other Audit purposes. I would recommend that you make an auditpol.exe /backup /file:xyz.csv on the standard configuration (the settings present on the CA server), import those settings to the GPO mentioned in this article and then change the “Certification Services” specific setting. I might be wrong, but this is how I remember it to work.

    • Hi John
      You are right, the Advanced Auditing Policy is one of those policies that overwrite all other Advanced Auditing Policy policy settings from other GPOs or locally set.
      Simplest approach is to use auditpol.exe to backup current policy settings of a server as a baseline and import it into your GPO and change the certificate service audit settings.

      auditpol.exe /backup /file:c:\auditsettings.csv

  • Hi Vadims

    Does the following have any bearing on this particular blog post?

    auditpol /set /subcategory:”other system events” /success:enable /failure:enable

    It is outlined in a Microsoft article located at https://docs.microsoft.com/en-us/windows/win32/seccng/cng-features

    The article includes the following statement

    No audit record is generated by kernel mode CNG. Administrators need to configure the audit policy to obtain all KSP audit logs from the security log. An administrator must run the following command line to configure additional audits generated by KSPs:

    auditpol /set /subcategory:”other system events” /success:enable /failure:enable

    Thanks

    • KSP auditing is a different thing and is not related to this blog post. Normally, you don’t need to audit KSP events, they are only necessary when debugging issues.

Leave a Reply

Your email address will not be published. Required fields are marked *