Q: How can I make sure that all Certification Authority (CA) configuration changes are logged in the Windows event logs, no matter what tool the CA administrator uses to make those changes?
A: Windows CA administrators can use different tools to make CA configuration changes: the Microsoft Management Console (MMC) Certification Authority snap-in (certsrv.msc), the certutil.exe command-line tool, or direct edits of a CA configuration entry in the Windows registry editor (regedit.exe). When you configure auditing for a CA by using a Windows auditing policy (enabling auditing for the Certification Services auditing subcategory) or by using the auditing settings available in the Certification Authority snap-in (on the Auditing tab of the CA object properties), an audit event is generated only when the CA administrator makes the change through the Certification Authority snap-in interface. To capture CA configuration changes stored locally on a CA machine, regardless of which configuration tool is used, you must configure registry auditing specifically for the Active Directory Certificate Services (AD CS) registry keys.
To enable registry auditing, you must first configure the Windows auditing policy. You can do so by using auditpol.exe from the command line or using Group Policy Object (GPO) settings. To enable registry auditing with auditpol.exe, run the command:
auditpol /set /subcategory:"registry" /success:enable /failure:enable
To set the audit policy using GPO settings, configure the Audit Registry subcategory in the Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy GPO container and set the subcategory to be enabled for both success and failure events.
After enabling registry auditing, you must configure auditing for the specific AD CS registry keys. To do this, follow these steps:
- Open regedit.exe and navigate to the HKEY_LOCAL_MACHINE\System\Services\CertSvc\Configuration container.
- Right-click the Configuration registry key and select Permissions. Click Advanced, then click Auditing.
- Click Select a principal, and select Authenticated Users. From the Type drop-down menu, select All. From the Applies To drop-down menu, select This key and subkeys.
- Click Show advanced permissions and select the following advanced permissions: Set Value, Create Subkey, Delete, Write DAC, and Write Owner.
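The same SACL that the steps above set through regedit.exe, applied from PowerShell instead. This is an added example and not part of the original answer; it assumes an elevated session on the CA host and uses the CurrentControlSet form of the CertSvc\Configuration key path.

```powershell
# Added example: script the registry auditing described above.
# Assumes an elevated PowerShell session on the CA host (SeSecurityPrivilege is
# needed to read and write a SACL).

# Step 1: enable the Registry audit subcategory (same as the auditpol line above).
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# The CA stores its local configuration under this key (CurrentControlSet form of
# the path the steps above navigate to in regedit.exe).
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# Principal: Authenticated Users, by well-known SID so the script is locale independent.
$principal = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')

# The advanced permissions from the steps: Set Value, Create Subkey, Delete,
# Write DAC (ChangePermissions) and Write Owner (TakeOwnership).
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# Type = All (success and failure); Applies to = This key and subkeys.
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    $principal,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# Step 2: read the current SACL, add the rule, and write it back.
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify that the SACL now carries the rule.
(Get-Acl -Path $keyPath -Audit).GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize

# Once a CA setting is changed by any tool, the Security log records it as
# event 4657 (registry value modified) or 4663 (object access attempt) on this key.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CertSvc\\Configuration' } |
    Select-Object TimeCreated, Id, Message
```

The Get-WinEvent query at the end returns nothing until a change has actually been made after the SACL is in place; a quick certutil -setreg change in a lab is enough to confirm the events appear.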