| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 4881 (0x1311) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | Certificate Services stopped. Certificate Database Hash: %1 Private Key Usage Count: %2 CA Certificate Hash: %3 CA Public Key Hash: %4 |
| Event text (German): | The certificate services have been terminated. Certificate database hash: %1 Private key usage count: %2 Certification authority hash: %3 Certification authority public key hash: %4 |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: CertificateDatabaseHash (win:UnicodeString)
- %2: PrivateKeyUsageCount (win:UnicodeString)
- %3: CACertificateHash (win:UnicodeString)
- %4: CAPublicKeyHash (win:UnicodeString)
In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.
Example events
Certificate Services stopped. Certificate Database Hash: 23 5f 0c 21 8d c0 d7 ff ed 94 c6 ac 1c 3e 0e 28 df 0d e9 59 b1 1d 29 0a 77 2a c8 b8 36 d6 a0 c6 Private Key Usage Count: 0 CA Certificate Hash: a4 0e 27 c7 04 60 d0 cd 0a f7 de 40 88 10 58 69 ad 90 af 60 CA Public Key Hash: b2 9a 5c 06 5f 93 92 63 81 2c cc f0 46 68 4f 07 66 c2 ef 7d
Description
Private Key Counting
If a hardware security module (HSM) is used that supports private key counting, and if this function is supported in the capolicy.inf of the certification authority is configured, analogous to the Event no. 4880 under "Private Key Usage Count" logs the number of corresponding accesses.
Checksum of the certification authority database
This event is logged if the "Start and stop Active Directory Certificate Services" option is enabled in the Certificate Authority audit settings.
If this option is enabled, a checksum of the certification authority database is generated when the certification authority service is started and stopped. The checksums of these two events can be compared to detect offline tampering with the certification authority database.
However, this can cause performance problems for the certification authority. See article "Performance problems with auditing of "Start and stop Active Directory Certificate Services".„.
If an NDES server is installed and the certification authority has a very large database, the installation may even abort because of this. For this see article "Role configuration for the Network Device Enrollment Service (NDES) fails with error message "Failed to enroll RA certificates. The RPC server is unavailable. 0x800706ba (Win32: 1722 RPC_S_SERVER_UNAVAILABLE)".„.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
If the checksum changes between exiting and starting the certification authority database, this may indicate that the certification authority database has been tampered with.
There are also legitimate reasons why the checksum of the certificate authority database has changed between quitting and starting the service, for example if the database has been defragmented. See also article "Compacting (defragmenting) the certification authority database„.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
Related links:
- Overview of audit events generated by the Certification Authority
- Overview of the audit events generated by the online responder (OCSP)
External sources
- Securing Public Key Infrastructure (PKI) (Microsoft)
English 
Deutsch
2 thoughts on “Details zum Ereignis mit ID 4881 der Quelle Microsoft-Windows-Security-Auditing”
Comments are closed.