Collection Rule for event with source CertificationAuthority and ID 60 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.60
  • Description:  Certificate Services refused to process an extremely long certificate request.
  • Target:  Certificate Service (2012 R2)
  • Enabled:  On Essential Monitoring

Overridable Parameters

Parameter Name   Default Value   Description   Override
Priority         2
Severity         2

Run As Profiles

Name
Default

Alert Details

Message                Priority   Severity
AD CS Access Control   High       Critical

Rule Knowledgebase

Summary

Certification authority (CA) access control permissions ensure that authorized components and users can complete required tasks. Access control errors can identify potential problems associated with insufficient or inappropriate use of permissions.

Causes
This rule does not contain any causes.
Resolutions

Address an attempt to submit a long certificate request

Extremely long certificate requests can represent an attempt to launch a denial-of-service attack.

The source should be identified in the event log message. You should also review information about all failed certificate requests to detect whether there have been other unusual certificate requests.

To address this potential problem:

  • Review failed certificate requests to determine whether or not the failed request is from a known or trusted source.

  • If the request was rejected in error, modify the MaxIncomingMessageSize setting in the registry to allow larger certificate requests.

  • If the request was not rejected in error, identify the source of the request and prevent requests from being submitted from that source.

To perform these procedures, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

Review failed certificate requests

To review failed certificate requests:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • Examine the failed requests contained in the Failed Requests folder and determine whether they came from a trusted source.

  • You can also open a command prompt window and run the following command: certutil -view LogFail.

  • If the request was from a legitimate source but rejected because it was too large, you can increase the maximum message size using the following procedure, or have the certificate requester submit a new certificate request.

Modify maximum message size

The default maximum message size setting is 10,000 bytes. If during your review of failed certificate requests in the previous procedure you detect legitimate certificate requests that were rejected because they exceeded this value, consider increasing this registry setting to a value that will allow similar requests to succeed.

To modify the maximum message size:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valuable data.

  • On the computer hosting the CA, click Start, type cmd and press ENTER.

  • Type certutil -setreg CA\MaxIncomingMessageSize <bytes> and press ENTER.
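The two procedures above (reviewing failed requests and checking the current limit) combined into one triage script, added here as an example; it is not part of the management pack. It assumes the CertSvc registry layout under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, the event provider name Microsoft-Windows-CertificationAuthority in the Application log, and the certutil column names used below; confirm each on your own CA. It only prints the certutil -setreg command for a proposed size and never applies it.

```powershell
# Added example, not management pack code. Run on the CA host as a local Administrator.
# Assumptions: CertSvc registry layout, provider name for event ID 60, certutil column names.
param(
    [int]$Days = 7,            # how far back to look for event ID 60
    [int]$ProposedBytes = 0    # >0 prints the setreg command for that size; nothing is applied
)

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active      # name of the active CA
$caKey  = Join-Path $cfg $caName

# The page states the default is 10,000 bytes; the value is absent until set explicitly.
$current = (Get-ItemProperty -Path $caKey -Name MaxIncomingMessageSize -ErrorAction SilentlyContinue).MaxIncomingMessageSize
if (-not $current) { $current = 10000 }
Write-Host "CA '$caName': MaxIncomingMessageSize = $current bytes"

# 1. Event ID 60 entries: the message text identifies the submitter of the oversized request.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'   # assumed provider name
    Id           = 60
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
Write-Host "`nEvent ID 60 in the last $Days day(s): $($events.Count)"
$events | Select-Object TimeCreated, Message | Format-List

# 2. Failed requests from the CA database (the same view as 'certutil -view LogFail'),
#    limited to the columns needed to judge whether each requester is a trusted source.
Write-Host "`nFailed requests (CA database):"
certutil -view LogFail -out "RequestID,RequesterName,SubmittedWhen,Request.DispositionMessage"

# 3. Raising the limit is a deliberate decision after review, so only print the command.
if ($ProposedBytes -gt $current) {
    Write-Host "`nTo allow requests up to $ProposedBytes bytes, run:"
    Write-Host "  certutil -setreg CA\MaxIncomingMessageSize $ProposedBytes"
    Write-Host "  net stop certsvc; net start certsvc   # CA service restart needed for the new value"
}
```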

External References
This rule does not contain any external references.
