Collection Rule for event with source CertificationAuthority and ID 92 Rule

  • ID:  Microsoft.Windows.CertificateServices.CARole.6.3.CertSvcEvents.92
  • Description:  Certificate Services could not update security permissions.
  • Target:  Certificate Service (2012 R2)
  • Enabled:  On Essential Monitoring

Overridable Parameters

Parameter Name    Default Value    Description    Override
Priority          2
Severity          2

Run As Profiles

Name
Default

Alert Details

Message                 Priority    Severity
AD CS Access Control    High        Critical

Rule Knowledgebase

Summary

Certification authority (CA) access control permissions ensure that authorized components and users can complete required tasks. Access control errors can identify potential problems associated with insufficient or inappropriate use of permissions.

Causes
This rule does not contain any causes.
Resolutions

Update security permissions with an authorized user account

Confirm that the user who attempted to update security permissions has been authorized to set permissions on Active Directory Certificate Services (AD CS) objects.

If you did not intend for the user to be blocked from modifying permissions on AD CS objects, you need to:

  • Enable auditing on the certification authority (CA).

  • Grant the user the needed CA administrator and certificate manager permissions on the CA.

  • Complete the operation as an authorized user.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Enable auditing on a CA

To enable auditing on a CA:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • Right-click the name of the CA, and click Properties.

  • Click the Auditing tab, and click Change CA security settings.

  • Restart the CA.

  • Audit administrative actions on the CA for several weeks or until you are satisfied that no other attacks are likely before disabling CA auditing.

Note: To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies.
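The same auditing setup can be scripted. The following PowerShell is an added example, not part of the management pack or its knowledge base. It assumes an elevated session on the CA host, an English-language audit subcategory name, the AuditFilter bit 0x10 for "Change CA security settings", Security event 4882 as the audit record for CA permission changes, and "Microsoft-Windows-CertificationAuthority" as the provider name for event 92.

```powershell
# Added example: turn on auditing of "Change CA security settings" for the local CA,
# make sure object-access auditing covers Certification Services, then list related events.
$ErrorActionPreference = 'Stop'
$ChangeCaSecurity = 0x10   # AuditFilter bit for "Change CA security settings"

# Find the active CA's configuration key and read its current audit filter (0 if unset).
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$caKey   = Join-Path $cfgRoot $caName
$current = [int](Get-ItemProperty -Path $caKey -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter

# Add the bit without clearing audit categories that are already enabled.
$restartNeeded = $false
if (($current -band $ChangeCaSecurity) -eq 0) {
    $new = $current -bor $ChangeCaSecurity
    & certutil.exe -setreg CA\AuditFilter $new | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed (exit code $LASTEXITCODE)" }
    $restartNeeded = $true
}

# CA audit events are written only when this object-access subcategory is audited.
# A domain Group Policy that defines the audit policy will override this local setting.
& auditpol.exe /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed (exit code $LASTEXITCODE)" }

# The CA reads AuditFilter at service start.
if ($restartNeeded) { Restart-Service -Name CertSvc }

# Review the last 7 days: event 92 from the CA (permission update failed) and
# Security event 4882 (CA security permissions changed).
$since   = (Get-Date).AddDays(-7)
$filters = @(
    @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificationAuthority'; Id = 92; StartTime = $since },
    @{ LogName = 'Security'; Id = 4882; StartTime = $since }
)
foreach ($filter in $filters) {
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}
```

Comparing the account named in each 4882 event against the accounts that hold Manage CA permission shows whether a permission change came from an authorized administrator.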

Grant administrator and certificate manager permissions on the CA

To set CA administrator and certificate manager security permissions for a CA:

  • On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

  • In the console tree, click the name of the CA.

  • On the Action menu, click Properties.

  • Click the Security tab, and specify the security permissions.

  • Complete the CA management operation as an authorized user.

For more information about the roles and security permissions available for a CA, see "Implement Role-Based Administration" in the Certification Authority Help (http://go.microsoft.com/fwlink/?LinkId=104188).

External References
This rule does not contain any external references.
