Details of the event with ID 4886 of the source Microsoft-Windows-Security-Auditing

Event Source: Microsoft Windows Security Auditing
Event ID: 4886 (0x1316)
Event log: Security
Event type: Information
Event text (English): Certificate Services received a certificate request. Request ID: %1 Requester: %2 Attributes: %3
Event text (German): Certificate Services has received a certificate request. Request ID: %1 Requester: %2 Attributes: %3

Parameter

The parameters contained in the event text are filled with the following fields:

  • %1: RequestId (win:UnicodeString)
  • %2: Requester (win:UnicodeString)
  • %3: Attributes (win:UnicodeString)

In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.

Example events

Certificate Services received a certificate request.

Request ID: 125
Requester: INTRA\CA06$
Attributes:
cdc:DC01.intra.adcslabor.de
rmd:CA06.intra.adcslabor.de
ccm:CA06.intra.adcslabor.com

Description

The event is logged when a certificate request is sent to the certification authority and the "Issue and manage certificate requests" option is enabled in the certification authority's auditing options.

Each certificate request, whether issued or not, is stored in the certification authority's database. Every user in the network can send requests to the certification authority; if the requester lacks the necessary rights, the request is rejected, but it is still logged.

The additional logged attributes have the following meaning:

  • cdc (Cert Domain Controller): An optional attribute in the certificate request. Describes the domain controller used by the requester. Usually present if the certificate request was created from a Windows computer.
  • rmd (Request Machine DNS Name): An optional attribute in the certificate request. Describes the DNS name of the computer from which the certificate request was sent (even if a user certificate is requested). Usually present if the certificate request was created from a Windows computer.
  • ccm (Cert Client Machine): DNS name of the computer that established the DCOM connection (ICertRequest::Submit) to the certification authority. May differ from rmd, e.g. if the certificate enrollment web services are upstream, or if a certificate request is submitted manually. This attribute does not seem to be determined by the client, but by the certification authority.

The attributes "cdc" and "rmd" can be used (if configured) by the Windows default Policy module used by the certification authority to avoid certificate issuance errors due to replication latencies. Assuming a client computer is newly installed and the computer account has not yet been replicated from the domain controller at the client's location to that of the certification authority, the certification authority can contact the domain controller specified in "cdc" and determine the information that way.

Security assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

A correspondingly high number of requests, in addition to the system load it causes, can lead to large database growth and, for example, fill the system's hard disk, which can result in a failure of the certification authority and possibly of the IT services that depend on it.

As a rule of thumb, 1000 certificates correspond to approximately 16 MB of storage space. 1000 certificates per second would therefore correspond to approx. 1.4 TB per day.

The attack scenario is rather unlikely, but could lead to a failure of the certification authority and IT services dependent on it due to a full hard disk.

The additional attributes "rmd" and "ccm" included in the certificate request can be helpful to identify the source of such an attack and/or to formulate the detection rules more precisely.
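To show how the rmd/ccm attributes can feed such a detection rule, here is an added Python example (not code from the original page): it parses the 4886 event text into its cdc/rmd/ccm attributes, counts requests per source host in a sliding window, and applies the rule of thumb of 16 MB per 1000 certificates to estimate database growth. The workstation name WS42, the timestamps and the burst itself are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Regex over the 4886 message body: "Request ID: %1 Requester: %2 Attributes: %3".
EVENT_RE = re.compile(r"Request ID:\s*(?P<id>\d+)\s*Requester:\s*(?P<req>\S+)\s*Attributes:\s*(?P<attrs>.*)", re.S)

def parse_4886(text):
    """Split one 4886 event text into request id, requester and the cdc/rmd/ccm attribute map."""
    m = EVENT_RE.search(text)
    if not m:
        raise ValueError("not a 4886 event text")
    pairs = (line.strip().split(":", 1) for line in m.group("attrs").splitlines() if ":" in line)
    attrs = {k.strip(): v.strip() for k, v in pairs}
    return {"request_id": int(m.group("id")), "requester": m.group("req"), "attributes": attrs}

def flood_sources(events, window_seconds=60, threshold=100):
    """Return {source: peak} for sources with more than `threshold` requests in any sliding window; source = rmd, else ccm, else requester."""
    by_source = {}
    for ts, text in events:
        ev = parse_4886(text)
        a = ev["attributes"]
        src = a.get("rmd") or a.get("ccm") or ev["requester"]
        by_source.setdefault(src, []).append(datetime.fromisoformat(ts))
    flagged = {}
    for src, times in by_source.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):  # two-pointer sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged

def projected_growth_tb_per_day(requests_per_second):
    """Database growth in TB/day if every request is stored, using 16 MB per 1000 certificates."""
    return requests_per_second * 86400 * 16 / 1000 / 1e6

def make_event(request_id, requester, cdc, rmd, ccm):
    """Build a constructed 4886 event text in the layout of the example event above."""
    return (f"Certificate Services received a certificate request.\n\nRequest ID: {request_id}\n"
            f"Requester: {requester}\nAttributes:\ncdc:{cdc}\nrmd:{rmd}\nccm:{ccm}")

# Constructed sample (names made up): one ordinary request from CA06, then a burst of
# 150 requests from a hypothetical workstation WS42 within 30 seconds.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [(T0.isoformat(), make_event(125, "INTRA\\CA06$", "DC01.intra.adcslabor.de",
                                             "CA06.intra.adcslabor.de", "CA06.intra.adcslabor.com"))]
SAMPLE_EVENTS += [((T0 + timedelta(seconds=0.2 * i)).isoformat(), make_event(200 + i, "INTRA\\WS42$",
                   "DC01.intra.adcslabor.de", "WS42.intra.adcslabor.de", "WS42.intra.adcslabor.de"))
                  for i in range(150)]
```

Running `flood_sources(SAMPLE_EVENTS)` reports only the WS42 host, while the single CA06 request stays below the threshold.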

Microsoft rating

Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity score of "Low".
