Collection Rule for event with source CertificationAuthority and ID 92

Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.92 (Rule)

Certificate Services could not update security permissions.

Knowledge Base article:

Summary

Certification authority (CA) access control permissions ensure that authorized components and users can complete required tasks. Access control errors can identify potential problems associated with insufficient or inappropriate use of permissions.

Resolutions

Update security permissions with an authorized user account

Confirm that the user who attempted to update security permissions has been authorized to set permissions on Active Directory Certificate Services (AD CS) objects.

If you did not intend for the user to be blocked from modifying permissions on AD CS objects, you need to:

Enable auditing on the certification authority (CA).
Grant the user the needed CA administrator and certificate manager permissions on the CA.
Complete the operation as an authorized user.

To perform these procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Enable auditing on a CA

To enable auditing on a CA:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
Right-click the name of the CA, and click Properties.
Click the Auditing tab, and click Change CA security settings.
Restart the CA.
Audit administrative actions on the CA for several weeks or until you are satisfied that no other attacks are likely before disabling CA auditing.

Note: To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies.

Grant administrator and certificate manager permissions on the CA

To set CA administrator and certificate manager security permissions for a CA:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
In the console tree, click the name of the CA.
On the Action menu, click Properties.
Click the Security tab, and specify the security permissions.
Complete the CA management operation as an authorized user.

For more information about the roles and security permissions available for a CA, see "Implement Role-Based Administration" in the Certification Authority Help ( http://go.microsoft.com/fwlink/?LinkId=104188).

Additional

To confirm that the CA logon context is correct:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Services.
Confirm that the word Started appears in the Status belong for the Active Directory Certificate Services service.

Element properties:

Target

Microsoft.Windows.CertificateServices.CARole.2016

Category

EventCollection

Enabled

True

Event_ID

Event Source

Microsoft-Windows-CertificationAuthority

Alert Generate

True

Alert Severity

Error

Alert Priority

High

Remotable

True

Alert Message

AD CS Access Control - Update Permissions

Event Description: {0}

Event Log

Application

Member Modules:

ID	Module Type	TypeId	RunAs
DS	DataSource	Microsoft.Windows.EventProvider	Default
Alert	WriteAction	System.Health.GenerateAlert	Default
WriteToCertSvcEvents	WriteAction	Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher	Default
WriteToDB	WriteAction	Microsoft.SystemCenter.CollectEvent	Default

Source Code:

<Rule ID="Microsoft.Windows.CertificateServices.CARole.2016.CertSvcEvents.92" Enabled="true" Target="CSDisc!Microsoft.Windows.CertificateServices.CARole.2016" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Application</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">92</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">Microsoft-Windows-CertificationAuthority</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>

    <WriteAction ID="WriteToCertSvcEvents" TypeID="Microsoft.Windows.CertificateServices.CARole.CertSvcEvents.Publisher"/>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>2</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="AlertMessageIDc29839b12ca94b97946a97b10b78837f"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>

        <SuppressionValue>$Data/PublisherName$</SuppressionValue>

        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>