Let’s audit your Microsoft Certification Authority with Microsoft Sentinel and be one step ahead of the attacker
More and more services depend on certificates for authorization and authentication. With this in mind it is especially important to monitor events from your Certification Authority (CA). In this post I want to show, how you can enable auditing on your certification authority and send the logs to Microsoft Sentinel. Keep in mind that this is one aspect of monitoring your certification authority. For more security you must also audit changes to critical Active Directory groups, which control access to the CA and members, who have access to the CA. Furthermore, we focus on CA events that we want to audit. Don’t forget common server events like successful/failed logons, clearing of event logs, account, and group changes! If the certification authority you want to monitor is a subordinate CA, because the root CA is offline, you also have to make sure, that you monitor:
- access to the server where the server resides,
- backup access and storage location and
- firewall logs.
Table of content
Prerequisites
To get everything up and running, we need the following things:
- Configured Active Directory domain
- Enterprise certification authority up and running
- Access to GPO editor and Certification Authority snap-in
- including permissions
- Azure subscription and permission
- Log Analytic workspace
- Microsoft Sentinel
Preview of the result
Below you can have a look at a schematic illustration, how the result will look like:
To put it short, we install the Azure Arc agent on our CA. If this is done, we can install the Azure Monitoring Agent and add our server to a Data Collection Rule. After all this is finished, the certification authority starts sending the logs to the Log Analytic workspace.
Check, if auditing is enabled
Let’s start with a check, if the auditing for our CA is currently set. We use the below command and check the subcategory “Certification Services”:
auditpol /get /category:”Object access”
Activate auditing
Auditpol or GPO
Auditpol
For a single computer it is possible to use “auditpol” to set the auditing preferences, but it is preferrable for domain joined CAs to use group policies. To show every possible way, we will start with the command for auditpol. To activate the auditing for “Certification Services”, do the following:
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
Because some settings can also be done through registry, we have to do the same for “Registry” auditing:
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
GPO
Keep in mind that auditpol can also be overwritten by GPO settings. This is exactly what we will look at now. Edit or create a new GPO and activate Audit Certification Services. This setting can be found under the following path: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policies\Object Access
The subcategory should be set to Success and Failure. See the following picture for the configuration:
After you configured the auditing for “Certification Services”, you must configure auditing for registry events. To do this, navigate in your GPO to: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policies\Object Access
Edit the “Audit Registry” setting and set the subcategory to enable for success and failure events. See the following image for the configuration:
Certification Authority
The following audit settings are stored in the registry of the CA as a bitmask value. Pay attention that we configure auditing of events that occur through changes in CA snap-in. A lot of settings can also be changed through registry, but we will look at this in the next chapter.
To audit a certification authority on a Windows Server, you will need to follow these steps:
- Open the Certification Authority snap-in on your Windows Server. This can be done by going to the Start menu, searching for “certification authority” and selecting the “Certification Authority” snap-in from the search results.
- In the Certification Authority snap-in, right-click on the CA that you want to audit and select “Properties” from the context menu.
- In the Properties window, switch to the “Auditing” tab.
- On the Auditing tab, select the types of events that you want to audit for this CA. You can choose from a variety of options, such as “Certificate Issued,” “Certificate Revoked,” and “Certificate Request Denied”. In my case I choose every option except “Start and stop Active Directory Certificate Services”.
- Once you have selected the events that you want to audit, click “OK” to save your changes and close the Properties window.
Description of audit events
Back up and restore the CA database
- Events that are generated, when the CA database gets a command to restore or backup.
Change CA configuration
- Changes of properties through the CA snap-in. For example, changing CRL validity period.
Change CA security settings
- Security settings that were changed through the CA snap-in. For example, change of audit filter.
Issue and manage certificate requests
- This setting might generate a lot of events, if a lot of issuances are requested. It logs received, pending, denied, and issued requests.
Revoke certificates and publish CRLs
- Controls auditing of events related to revocation and publishing of CRLs.
Store and retrieve archived keys
- Archiving keys or recovering previously archived keys. Including importing and archiving key into the CA database.
Start and stop Active Directory Certificate Services
- Events are created, if the certificate service is started or stopped. This can impact the service availability, because a cryptographic hash is generated of the CA database on startup and shutdown of the service. In small environments this won’t impact the performance, but with large databases there may be an impact.
Certificate templates
Enterprise certification authorities depend on templates to define attributes of the certificate. Standalone CAs rely on the certificate request. It is important to monitor, if templates are added or changed to the certification authority. Especially permissions on enrollment and additional usages are in our focus, because attackers could issue a certificate and gain access, as soon as changes were made.
To audit template changes, run the following command:
certutil –setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD
Registry events
To audit registry events, do the following:
- Open Registry Editor on your certification authority
- Navigate to the following key: HKEY_LOCAL_MACHINE:\System\CurrentControlSet\Services\CertSvc\Configuration
- Right click on Configuration and click on Permissions…
- Select Advanced
- Choose tab Auditing
- Click Add
- Click Select a principal
- Search for Authenticated Users
- Click OK
Next, we switch from the Basic permissions view to advanced. Click Show advanced permissions.
- Select the following auditing settings:
- Set Value
- Create SubKey
- Delete
- Write DAC
- Write Owner
2. Click OK
Now you can confirm every open window with OK. After you have closed and saved everything, reboot your server.
Azure Arc onboarding
Follow my previous post First steps with Azure Arc to onboard the server into Azure Arc.
Microsoft Sentinel monitoring
If you take a look at the Windows Security Events via AMA connector, you can choose between the following settings:
- All Security Events
- Common
- Minimal
- Custom
In the setting Common most of the events, that are specific for the CA, are already included (that is EventID 4869 to 4898). Only event 4899 and 4900 are missing. To check the list of events that are included, check the following page: Windows security event sets that can be sent to Microsoft Sentinel | Microsoft Learn
As already mentioned, event ID 4899 and 4900 are missing. The following description is given for these:
A Certificate Services template was updated (Event ID 4899)
- This event is triggered, when a template loaded by the CA has an attribute updated and an enrollment is attempted for the template. For example, if an additional EKU is added to a template, this event would trigger and provide enough information to determine the change being made.
Certificate Services template security was updated (Event ID 4900)
- This event is triggered, when security permissions on a Certificate Template loaded on a CA are changed, and an enrollment event for the template occurs.
Test the XPath query on your system before creating the Data Collection Rule. Open a PowerShell with permission to query the event log and enter the following:
$XPath = '*[System[(EventID=4899 or EventID=4900)]]'
Get-WinEvent -LogName “Security” -FilterXPath $XPath
Configure the Data collection rule from the Connector blade in Microsoft Sentinel. Search for Windows Security Events via AMA and click on Open connector page:
Click on Create data collection rule:
In this DCR we will add a query to include the missing events. Set a name that is matching your naming policy, select the correct subscription and resource group. After this click Next:
Click on Add resource(s) and add your certification authority:
Select the server and click Apply:
After the server was added click on Next:
Now choose Custom stream, add the query you can find below the image, click on Add and Next:
Security!*[System[(EventID=4899 or EventID=4900)]]
Finish the creation!
Create another DCR, but this time choose Common stream to include all other CA audit events. If you did this, you should have two DCRs assigned to your CA that collect Custom and Common events.
Conclusion
Securing the Public Key Infrastructure is a huge topic and we have only looked at a small part of it. Make sure that you look at it holistically. If you want to read further, I can recommend you the following sources:
Securing Public Key Infrastructure (PKI) | Microsoft Learn
Securing PKI: Monitoring Public Key Infrastructure | Microsoft Learn
Securing PKI: Appendix A: Events to Monitor | Microsoft Learn
If you have any suggestions or topics you would like to read about, feel free to let me know in the comments or in a private message on social media.
Furthermore, you can connect with me on LinkedIn, Twitter and Mastodon. Thanks for reading and sharing 😉
Hi
I have set up my LAB as you mentioned above (Windows 2019 DCs and CA) Rebooted etc.
The audit policy is active, but when I amend the security on an existing template I do not see event 4900 (I also checked the DC as templates are held in AD)
Any ideas why event 4900 is not appearing please (I have not looked for related events, as I am mainly interested in this one
Hi,
thanks for your comment. I will have a look at this and give you an update.
Best regards
Andreas