Hello S-1-1-0, here is another unscheduled blog post, this time on enabling advanced audit in Microsoft CA. Today I went through another thread on Twitter that suggests how to enable advanced audit in Microsoft CA. Throughout the thread it was apparent that only a partial solution was provided.
Windows CA auditing engines
Microsoft CA implements a set of auditing engines, including:
- Standard Events — these are top-level informational events registered in the Application event log, such as CA certificate expiration notifications and relevant errors. Standard logging is enabled by default and does not require any configuration.
- Audit Events — these are detailed audit events registered in the Security event log that show detailed activity in certificate services. Audit events are the subject of this blog post. Audit events are not enabled by default.
- Debug Log — these are low-level debug traces logged in certocm.log, certutil.log and certsrv.log. These logs are useful only to Microsoft Support, who can understand them. The debug log is not enabled by default.
Configuring CA Audit engine
Audit configuration in certificate services consists of two pieces:
- the CA\AuditFilter setting in the CA configuration
- Object Access Audit — Certificate Services in group policies.
The first step is configured either using certutil.exe or the Certification Authority MMC (certsrv.msc), Audit tab. Here is the Microsoft article on configuring the audit filter: Securing PKI: Appendix B: Certification Authority Audit Filter. In most cases it is configured simply as:
certutil -setreg CA\AuditFilter 127
net stop certsvc && net start certsvc
The new filter takes effect only after the service restarts, so don't forget to restart certificate services when configuring audit settings in the Certification Authority MMC as well.
The second step requires GPO configuration, either local (for workgroup members) or domain. It is configured by enabling Success (and, optionally, Failure) auditing under: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Certification Services:
In addition, audit subcategory processing must be enabled under: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings:
Then apply the GPO to the OU where the CA servers reside and refresh policies on the CA servers.
Only after all of this configuration is complete will events start to show up in the Security event log:
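To show the two pieces together, here is an added PowerShell example (my own script, not part of the original post or any Microsoft tooling) that performs both steps on a standalone CA and then checks that audit events really appear. It assumes a local (auditpol.exe) configuration, as you would use on a workgroup CA; on a domain member the subcategory and the "force subcategory settings" option come from the GPO described above, and only the certutil part and the verification apply. The registry paths for the CA configuration and the SCENoApplyLegacyAuditPolicy value are the ones the OS uses; the event-ID range 4880–4898 is assumed to be the Certificate Services audit range from the Appendix A article referenced below. The subcategory is enabled before the audit filter so that the mandatory service restart itself produces the first audit events.

```powershell
#Requires -RunAsAdministrator
# Added example: enable and verify Certificate Services auditing on a standalone CA.
# Run in an elevated PowerShell session on the CA server.

# --- Step 2 first: enable the Object Access \ Certification Services subcategory ---
# Local equivalent of the GPO setting; on a domain CA, set this in the GPO instead.
auditpol.exe /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null

# Local equivalent of "Audit: Force audit policy subcategory settings ... to override
# audit policy category settings" (SCENoApplyLegacyAuditPolicy = 1).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# --- Step 1: set CA\AuditFilter. 127 (0x7F) enables all seven categories on the Audit tab.
certutil.exe -setreg CA\AuditFilter 127 | Out-Null

# The filter is read at service start, so the restart is not optional.
Restart-Service -Name certsvc -Force

# --- Verification ---
# Read the value back from the registry rather than trusting certutil's console output.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$filter = (Get-ItemProperty -Path "$cfg\$caName").AuditFilter
if ($filter -ne 127) {
    throw "AuditFilter for CA '$caName' is $filter, expected 127"
}
"AuditFilter for CA '$caName' is $filter"

# Confirm the effective audit policy for the subcategory.
auditpol.exe /get /subcategory:"Certification Services"

# Because the subcategory was enabled before the restart, the stop/start of certsvc
# should already have produced Certificate Services audit events in the Security log.
# Event-ID range assumed from Securing PKI: Appendix A: Events to Monitor.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 4880..4898
} -MaxEvents 20 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No Certificate Services audit events found yet. Check that the subcategory policy is applied (gpupdate /force on domain members) and that the service restarted.'
} else {
    $events | Select-Object TimeCreated, Id, @{n='Message';e={ $_.Message.Split("`n")[0] }} | Format-Table -AutoSize
}
```

If the AuditFilter check passes but the event query returns nothing, the missing piece is almost always the group-policy side: either the subcategory is still "No Auditing" (check with auditpol /get) or the legacy category policy is overriding it because the force-subcategory option was not enabled.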
A full list of events registered by certificate services is provided in Securing PKI: Appendix A: Events to Monitor article.