Skip navigation
Menu
QA
<p>Q&amp;A</p>
Compute Engines

Capture All Certification Authority Configuration Changes in Windows Event Logs

 

Q: How can I make sure that all Certification Authority (CA) configuration changes are logged in the Windows event logs, no matter what tool the CA administrator uses to make those changes?

A: Windows CA administrators can use different tools to make CA configuration changes. For example, they might use the Microsoft Management Console (MMC) Certification Authority snap-in (certsrv.msc), use the certutil.exe command-line tool, or edit a CA configuration entry directly in the Windows registry editor (regedit.exe). When you configure auditing for a CA using a Windows auditing policy (by enabling auditing for the Certification Services auditing subcategory) or using the auditing settings that are available from the Certification Authority snap-in (in the CA object properties on the Auditing tab), the only configuration tool that will trigger the creation of an audit event is when the CA administrator makes the change through the Certification Authority snap-in interface. To capture CA configuration changes stored locally on a CA machine, no matter what configuration tool is used, you must configure registry auditing specifically for the Active Directory Certificate Services (AD CS) registry keys.

To enable registry auditing, you must first configure the Windows auditing policy. You can do so by using auditpol.exe from the command line or using Group Policy Object (GPO) settings. To enable registry auditing with auditpol.exe, run the command:

auditpol /set /subcategory:”registry” /success:enable /failure:enable

To set the audit policy using GPO settings, configure the Audit Registry subcategory in the Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy GPO container and set the subcategory to be enabled for both success and failure events.

After enabling registry auditing, you must configure auditing for the specific AD CS registry keys. To do this, follow these steps:

  1. Open regedit.exe and navigate to the HKEY_LOCAL_MACHINE\System\Services\CertSvc\Configuration container.
  2. Right-click the Configuration registry key and select Permissions. Click Advanced, then click Auditing.
  3. Click Select a principal, and select Authenticated Users. From the Type drop-down menu, select All. From the Applies To drop-down menu, select This key and subkeys.
  4. Click Show advanced permissions and select the following advanced permissions: Set Value, Create Subkey, Delete, Write DAC, and Write Owner.
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
empty cockpit of autonomous car
What Is a Real-Time Operating System, and Who Needs One?
Mar 05, 2024
ERP button on keyboard
5 ERP Trends to Watch in 2024
Jan 17, 2024
automation key on keyboard
Storage Management as a Case Study for Network Automation Adoption
Dec 21, 2023
Abstract technology concept lighting effect on dark blue background
Top 10 Stories About Compute Engines, Linux in 2023
Dec 18, 2023