| Event Source: | Microsoft Windows Security Auditing |
| Event ID: | 4892 (0x131C) |
| Event log: | Security |
| Event type: | Information |
| Event text (English): | A property of Certificate Services changed. Property: %1 Index: %2 Type: %3 Value: %4 |
| Event text (German): | A property of the certificate services has been changed. Property: %1 Index: %2 Type: %3 Value: %4 |
Parameter
The parameters contained in the event text are filled with the following fields:
- %1: PropertyName (win:UnicodeString)
- %2: PropertyIndex (win:UnicodeString)
- %3: PropertyType (win:UnicodeString)
- %4: PropertyValue (win:UnicodeString)
- %5: SubjectUserSid (win:SID)
- %6: SubjectUserName (win:UnicodeString)
- %7: SubjectDomainName (win:UnicodeString)
- %8: SubjectLogonId (win:HexInt64)
In contrast to operational events, which are often understood under the term "monitoring", auditing for the certification authority is the configuration of logging of security-relevant events.
Example events
A property of Certificate Services changed.
Property: 29
Index: 0
Type: 4
Value: ADCSLaborNDES
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.3300970.10789002
ADCSLaborEnrollmentAgent
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.12290905.9667004
ADCSLaboratoryWebServerXXL key
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.5156301.12920431
ADCSLabWebServerECC
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.4459674.5642534
ADCSLaborKeyRecoveryAgent
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.7551014.10282049
ADCSLabRemoteDesktopAuthenticationmanual
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.10025967.9145454
ADCSLaboratoryOCSPResponseSigningmanual
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.7432440.16578047
SubCA
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.1.18
ADCSLaborRemoteDesktopAuthentication
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.5089216.3191700
ADCSLaborEnrollmentAgent(Computer)
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.14512268.4519931
ADCSLaborCEPEncryption
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.12707994.4797323
IPSECIntermediateOffline
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.1.20
ADCSLaboratoryOCSPResponseSigning
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.2829390.3424966
ADCSLabUser
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.4136173.9322655
Description
No description has been written for this yet.
Safety assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
No description has been written for this yet.
Microsoft rating
Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity rating of "Medium".
The reasoning behind this is:
Can be used to track changes to Key Recovery Agent configuration
Related links:
- Overview of audit events generated by the Certification Authority
- Overview of the audit events generated by the online responder (OCSP)
External sources
- Securing Public Key Infrastructure (PKI) (Microsoft)
English 
Deutsch