Enabling Active Directory Certificate Services (ADCS) advanced audit

Vadims Podans PKI Developer

Hello S-1-1-0, here is another unscheduled blog post on enabling advanced audit in Microsoft CA. Today I went through another thread on Twitter which suggests how to enable advanced audit in Microsoft CA. Throughout the thread it was apparent that only partial solution was provided.

Windows CA auditing engines

Microsoft CA implements a set of auditing engines, including:

  • Standard Events — these are top-level informational events registered in Application event log. Such as CA certificate expiration notifications and relevant errors. Standard logging is enabled by default and does not require any configuration.
  • Audit Events — these are detailed audit events registered in Security event log and display detailed activity in certificate services. Audit events are subject of this blog post. Audit events are not enabled by default.
  • Debug Log — these are low-level debug traces logged in certocm.log, certutil.log and certsrv.log. These logs are useful only for Microsoft Support who can understand them. Debug log is not enabled by default.

Configuring CA Audit engine

Audit configuration in certificate services consist of two pieces:

  1. CA\AuditFilter setting in CA configuration
  2. Object Access Audit — Certificate Services in group policies.

First step is configured either, using certutil.exe or Certification Authority MMC (certsrv.msc), Audit tab. Here is the Microsoft article on configuring audit filter: Securing PKI: Appendix B: Certification Authority Audit Filter. In most cases it is configured simply as:

certutil –setreg CA\AuditFilter 127
net stop certsvc && net start certsvc

Don’t forget to restart certificate services, when configuring audit settings in Certification Authority MMC.

Second step requires GPO configuration, either, local (for workgroup members) or domain. It is configured with Success and Failure (this one is optional) under: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Audit Certification Services:

image

In addition, audit subcategory processing must be enabled under: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings:

image

And apply the GPO to OU where CA servers reside and refresh policies on CA servers.

Verify Audit

Only after all configurations are complete, events will start to show up in Security event log:

image

A full list of events registered by certificate services is provided in Securing PKI: Appendix A: Events to Monitor article.

HTH

About Vadims Podāns

Senior PKI Developer

3 Comments

  1. Uwe Gradenegger on August 16, 2021 at 10:50 am

    Awesome, Vadims. Just fyi, I did some research and documentation on all the available Standard and Audit Events in the last years. These extend the Securing PKI whitepaper in terms of evaluating their relation to confidentiality, integrity and availability. Find them here: Standard Events (https://www.gradenegger.eu/?p=6183), Audit Events (https://www.gradenegger.eu/?p=6218). Perhaps you want to mention that some of the Standard Events only get logged when the LogLevel (https://www.gradenegger.eu/?p=528) has been increased, as well as Audit Events 4898, 4899 and 4900 only get logged when EDITF_AUDITCERTTEMPLATELOAD flag is set.

    • Vadims Podāns on August 19, 2021 at 1:22 am

      Thanks Uwe,
      I think it is a subject of more thorough document/whitepaper on eventing and auditing. Say, compose the information in different yours/mine/others blog posts, articles into a single and complete (to some extent of course) document. This blog posts focuses only on how to enable this logging. If you would like, we can cooperate on this and build a community whitepaper like I did in autoenrollment community whitepaper.

  2. John Laerum on August 23, 2021 at 3:51 am

    Nice article @Vadims! It might be worth mentioning that setting “Audit Policy Configuration” reverts all other Audit settings on the system (the Windows default Audit settings). All other settings (such as the default Logon/Logoff and other) are now in “No Audit” mode, effectively turning off a lot of settings that might be in use for other Audit purposes. I would recommend that you make an auditpol.exe /backup /file:xyz.csv on the standard configuration (the settings present on the CA server), import those settings to the GPO mentioned in this article and then change the “Certification Services” specific setting. I might be wrong, but this is how I remember it to work.

Leave a Comment





This site uses Akismet to reduce spam. Learn how your comment data is processed.