ADCS : monitoring

Texte de remplacement généré par une machine : 3.c.2. Events monitoring
— _i 1
• Centralize, aggregate, and perform pro-active
monitoring on PKI logs:
— CA: issuing, revocation, template, permission, backup,
roles, recovery ...
— Active Directory: authentication, DNS
— Client: key usage, missing private key
. Ideally integrate it into a SIE M.
— Management packs do exists for SCOM 2007, 2010
. Useful for forensics
. Standard windows events. See 4.d. and WS. 10) .as px


Texte de remplacement généré par une machine : Default configuration:
Host Service / Default Dependencies
process identity
service Certsrv.exe Local system NO/NO
service Ocspsvc.exe Network Svc NO/NO
IlS default /certsrv ApplicationPoo
website Ildentity
lIS default /ADPoIicyProvi ApplicationPoo
website der_CEP_Usern Ildentity
lIS default /%CA_NAME% ApplicationPoo
website _CES_Usernam Ildentity


Texte de remplacement généré par une machine : Eventvwr.msc _________________
Evert Viewer (Local)
Default custom view: SS:
Active Directory Certlicate Services
L Active Directory Certificate Services Msnber of events: 2,740
7 Number of events: 2,740
Levd ¡ Date and kne I 5owce I] Task Category
(j)irtormation 12/3/2010 11:37:42 AM CertficationA&hority 26 None
(j) Irtormation 12/3/2010 11:37:36 AM CertticationAt*horlty 38 None
jWsning 12/2/2010 11:11:03 AM CertticatlonA&thorlty 77 None
________ 12L2010 11 08 OSAM ErwolTrrit -bTh-r__- 2 CertihcateErwollmentPofryserver _____ aj
j) !rtormation 12/2/20 10 11:08:05 AM ErwÀmentPohcyWebService 1 Certificate Erroliment Policy Server
(j) Irtormation 12/2/20 10 11:08:05 AM EnrolmentPolicywebService 7 Active Directory Certificate Enrolknent Policy Provider
(1) ¡rtormation 12/1/20 10 5:25:25 PM OrkïeResponderWebProxy 18 None
Warning 12/1/2010 11:40:57 AM CertticationAt*hority 77 None
O En-or 11/29/2010 11:02:13 AM OtteResponderRevocationProvider 17 None



Texte de remplacement généré par une machine : Mainly stored in the “Application” log
FUe REG_EXPAND_SZ %SysterriR:ot%’Is,.stem:32’ç1Airievt’I1Logs\AppIication. evtx
ADCS filter:
View Prope,tics (Read aily)
Filter XML
Tn prnvd an eventflItrinYPathfnrrn, clickthe Fditquerymanually cbckbne belnw.
<QuryN=”fl’ Path=”ppIirtinr”>
<Select Pttb=’Appliction’>1Systein[PrD’.tidtr[@Ntrne=’Microsoft-Windows-
Certif ic ationŠutborityJI] VSelect>
<Sele’:t Patb=’Application”>Systern[PrDAderj©Narne=Mkrosoft-Wind’Dws
<Select PetbApplicotion”>1Systein[Pro’vidtr[@Nirne=Microsoft-Windows-
O nlineRespond erWe b Proxy] jJ<JSele’:t>


Texte de remplacement généré par une machine : . Interesting logs: Applications, Security
. Required rights: Read permission on
HKLM\SYSTEM\CurrentControlSet\services\eventlog\Appl ¡cations
• Default permissions:
_________________________________________ L Permissions for Application L
Kui,Uy [dita. —
FI E Vrw Secxity 
Group or user names:
• . ESEN1
— 9fl)J
- tr !rccc,’ .eb
) _____
I-.) O( kt h4pdiMJ
: etmy 
: I j
Tiirt E
- .?P 4a-
. ) 
: :
. reqtSem _____________
:  IP-t
I FtP.Fk
l AdrÑn.shaêois (CORPAdmwirstrators)
£2 Server Operators (CORP\Server Opeias)
[]Perm.ssions for Security
Group or user names:
Administrators (CORP\4dn*istrators)
sl eventlog
Ft,c,cn ,-