| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 4891 (0x131B) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | A configuration entry changed in Certificate Services. Node: %1 Entry: %2 Value: %3 |
| Event text (German): | A configuration entry in the certificate services was changed. Node: %1 Entry: %2 Value: %3 |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: Node (win:UnicodeString)
- %2: Entry (win:UnicodeString)
- %3: Value (win:UnicodeString)
- %4: SubjectUserSid (win:SID)
- %5: SubjectUserName (win:UnicodeString)
- %6: SubjectDomainName (win:UnicodeString)
- %7: SubjectLogonId (win:HexInt64)
In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.
Description
No description has been written for this yet.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
It is rather unlikely that a registry change will be made by an attacker. Since the attacker must already have administrative rights, there would be easier ways to cause further damage. A configuration change is more likely, but this should have been notified in advance.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity rating of "Medium".
The reasoning behind this is:
Can be used to monitor for changes to Policy/Exit modules on the CA or configuration of CDP/AIA extensions.
Related links:
- Overview of audit events generated by the Certification Authority
- Overview of the audit events generated by the online responder (OCSP)
External sources
- Securing Public Key Infrastructure (PKI) (Microsoft)
English 
Deutsch