Details of the event with ID 4899 of the source Microsoft-Windows-Security-Auditing

Event Source: Microsoft Windows Security Auditing
Event ID: 4899 (0x1323)
Event log: Security
Event type: Information
Event text (English): A Certificate Services template was updated. %1 v%2 (Schema V%3) %4 %5 Template Change Information: Old Template Content: %8 New Template Content: %7 Additional Information: Domain Controller: %6
Event text (German): The certificate service template has been updated. %1 v%2 (Scheme V%3) %4 %5 Template information: Template content: %7 Security description: %8 Additional information: Domain Controller: %6

Parameters

The parameters contained in the event text are filled with the following fields:

  • %1: TemplateInternalName (win:UnicodeString)
  • %2: TemplateVersion (win:UnicodeString)
  • %3: TemplateSchemaVersion (win:UnicodeString)
  • %4: TemplateOID (win:UnicodeString)
  • %5: TemplateDSObjectFQDN (win:UnicodeString)
  • %6: DCDNSName (win:UnicodeString)
  • %7: NewTemplateContent (win:UnicodeString)
  • %8: OldTemplateContent (win:UnicodeString)

In contrast to operational events, which are usually covered by the term "monitoring", auditing on the certification authority means configuring the logging of security-relevant events.

Example events

 A Certificate Services template was updated. 

ADCSLabUser v101.81 (Scheme V2)
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.4136173.9322655
CN=ADCSLaborUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=de

Template Change Information:
Old Template Content:
msPKI template minor revision = 79

msPKI-Certificate-Policy =
1.3.6.1.4.1.311.21.8.6301991.2938543.412570.1725121.735828.231.12718143.3882922

New Template Content:
msPKI template minor revision = 81

msPKI-Certificate-Policy =


Additional Information:
Domain Controller: DC01.intra.adcslabor.de

Description

In order for the certification authorities to log the security setting changes to certificate templates, the following command must be executed once on each certification authority:

 certutil -setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD 

Added Enhanced Key Usages usable for privileged actions to a certificate template

If an attacker succeeds in issuing certificates that are usable for Smartcard Logon (this is possible with the Enhanced Key Usages Smartcard Logon and Client Authentication), he could impersonate other users including administrative accounts.

Certificate template is changed so that the requester can specify the identity and/or approval by a certificate manager is disabled

Usually, the identities in a certificate are built by the policy module of the certification authority from Active Directory, so the applicant has no influence on them and impersonating other identities is not possible. However, there are exceptional cases in which the requester must be able to specify the identity (web server). The policy module is told this by the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag being set in the template. Such certificate requests should then usually be checked and approved manually, which is communicated to the policy module via the CT_FLAG_PEND_ALL_REQUESTS flag. If a template is changed so that the requester can specify the identity, or so that manual verification is disabled, an alert should be raised.
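The two alert conditions described above (privileged Enhanced Key Usages added, and requester-supplied identity enabled or manager approval disabled) can be evaluated by comparing the old and new template content of event 4899. The following Python code is an added example, not part of the original article. The attribute names, flag bits and EKU OIDs are the ones documented by Microsoft; the sample message and the assumed layout of flag attributes as `name = value` lines are constructed for illustration.

```python
import re

# Flag bits and EKU OIDs are the values documented by Microsoft.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag
NAME_FLAG, ENROLL_FLAG = "msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag"
EKU_ATTRS = ("pKIExtendedKeyUsage", "msPKI-Certificate-Application-Policy")
LOGON_EKUS = {"1.3.6.1.5.5.7.3.2": "Client Authentication",
              "1.3.6.1.4.1.311.20.2.2": "Smartcard Logon"}
SECTIONS = re.compile(r"Old Template Content:(.*?)New Template Content:(.*?)(?:Additional Information:|$)", re.S)

def parse_content(text):
    """Map attribute name -> value lines; a line without '=' continues the previous attribute."""
    attrs, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = re.match(r"([\w\- ]+?)\s*=\s*(.*)$", line)
        if m:
            current = m.group(1)
            attrs[current] = [m.group(2)] if m.group(2) else []
        elif current:
            attrs[current].append(line)
    return attrs

def flag(attrs, name):
    """First integer (hex or decimal) of a flag attribute; 0 if the section does not list it."""
    m = re.search(r"0x[0-9a-fA-F]+|\d+", " ".join(attrs.get(name, [])))
    return int(m.group(0), 16 if m.group(0).startswith("0x") else 10) if m else 0

def ekus(attrs):
    """OIDs found in the EKU / application policy attributes."""
    return {o for a in EKU_ATTRS for o in re.findall(r"\d+(?:\.\d+)+", " ".join(attrs.get(a, [])))}

def assess(message):
    """Findings for one event 4899 message text; an unparsable message yields no findings."""
    m = SECTIONS.search(message)
    old, new = (parse_content(g) for g in m.groups()) if m else ({}, {})
    findings = []
    if flag(new, NAME_FLAG) & ~flag(old, NAME_FLAG) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("requester can now specify the identity")
    if flag(old, ENROLL_FLAG) & ~flag(new, ENROLL_FLAG) & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("certificate manager approval disabled")
    findings += [f"EKU added: {LOGON_EKUS[o]}" for o in sorted(ekus(new) - ekus(old)) if o in LOGON_EKUS]
    return findings

# Constructed sample message (not from the article); the flag value layout is an assumption.
SAMPLE = ("Old Template Content:\nmsPKI-Certificate-Name-Flag = 0x82000000\n"
          "msPKI-Enrollment-Flag = 0x22\npKIExtendedKeyUsage =\n1.3.6.1.5.5.7.3.4\n"
          "New Template Content:\nmsPKI-Certificate-Name-Flag = 0x1\nmsPKI-Enrollment-Flag = 0x20\n"
          "pKIExtendedKeyUsage =\n1.3.6.1.5.5.7.3.4\n1.3.6.1.5.5.7.3.2\nAdditional Information:\n")
```

`assess(SAMPLE)` reports all three conditions; a change that only touches other attributes, such as the certificate policy change in the example event above, produces no findings.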

Security assessment

The security assessment is based on the three dimensions of confidentiality, integrity and availability.

If an attacker succeeds in issuing certificates that are usable for Smartcard Logon (this is possible with the Smartcard Logon and Client Authentication enhanced key usages), he could impersonate other users including administrative accounts. The Smartcard Logon Enhanced Key Usage should only be required for a few templates (especially Windows Hello for Business). The Client Authentication Enhanced Key Usage is unfortunately also accepted by domain controllers, and it is common in other use cases as well. Therefore, a higher number of alerts can be expected here.

Depending on the certificate type, an attacker could gain elevated privileges if he can specify the identity of another user as the requester and the certification authority issues the certificate directly. The likelihood of an attacker modifying the template permissions in preparation for such an action is rather low, but a misconfigured template may well be an attractive target for exploitation.

Microsoft rating

Microsoft evaluates this event in the Securing Public Key Infrastructure (PKI) Whitepaper with a severity rating of "Medium".
