Q: In addition to Certification Authority (CA)–level auditing settings, are there any other configuration settings that must be set to enable auditing of CA management actions?
Setting up auditing in Windows is always a two-step process: you configure what to audit, then you configure the audit policy.
February 29, 2012
A: If you've enabled all CA-level auditing settings on all CAs in your Windows public key infrastructure (PKI) hierarchy, which you would do through the Auditing tab of the CA properties, but still no CA-related events show up in your Windows security event logs, there's a fair chance you forgot to enable auditing for object access in the general audit settings on the level of your CA machines. First, you configure what exactly needs to be audited on the object level (in this case, on the level of the CA object). Second, you must also configure the audit policy and enable success or failure auditing for a given set of audit policy categories or subcategories. For example, you could configure your machine's audit policy to include success auditing for account logon events and failure auditing for privilege use events.
To enable auditing for object access on your CA machines, open the Microsoft Management Console (MMC) Group Policy Object Editor snap-in and load the Local Computer Policy. Expand the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy container and enable success and failure auditing for the Audit object access audit policy category. If all your CA machines are part of the same Active Directory (AD) organizational unit (OU), you could do the same for all machines at once by editing a Group Policy Object (GPO) that's linked to that particular OU.
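The two-step check above can also be done from the command line, which is handy when you have several CAs to verify. The following PowerShell script is an added example and is not part of the original answer: it reads the CA-level audit filter that the Auditing tab writes (the CA\AuditFilter registry value read via certutil), then reads the machine-level audit policy for the Certification Services subcategory of Object Access with auditpol, enables success and failure auditing there if it is off, and finally looks for CA audit events in the Security log. The bitmask value 127 for "all seven Auditing-tab checkboxes" and the event ID range 4868 through 4900 for Certification Services events are assumptions drawn from my own experience with Windows Server 2008 R2 era CAs; verify them against your server's documentation. Run it in an elevated PowerShell session on the CA machine.

```powershell
# Added example (not from the original article). Assumes an elevated PowerShell
# session on the CA machine with certutil.exe and auditpol.exe on the path.

# Step 1: what the CA itself is configured to audit (the Auditing tab of the CA
# properties stores this as the CA\AuditFilter registry value).
$filterOutput = certutil -getreg CA\AuditFilter 2>&1 | Out-String
if ($filterOutput -match 'AuditFilter REG_DWORD = (?<val>[0-9a-fx]+)') {
    # certutil prints the value in hex, e.g. "7f (127)"; cast the hex part.
    $auditFilter = [int]$matches['val']
    # Assumption: 127 (0x7f) means every checkbox on the Auditing tab is ticked.
    Write-Host ("CA-level AuditFilter = {0} ({1})" -f $auditFilter,
        $(if ($auditFilter -eq 127) { 'all CA audit categories enabled' } else { 'some CA audit categories disabled' }))
} else {
    Write-Warning "Could not read CA\AuditFilter; is this machine a CA?"
}

# Step 2: the machine-level audit policy. The CA only writes events when the
# Object Access category (here its Certification Services subcategory) is enabled.
$sub = 'Certification Services'
$policy = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
$setting = $policy.'Inclusion Setting'
Write-Host "Audit policy for '$sub' = $setting"

if ($setting -ne 'Success and Failure') {
    # Enable both success and failure auditing, as the article recommends.
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    $setting = (auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv).'Inclusion Setting'
    Write-Host "Audit policy for '$sub' is now: $setting"
}

# Step 3: evidence that the two settings work together. Assumption: CA audit
# events are logged with IDs 4868 through 4900 in the Security log.
$caEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 4868..4900
} -MaxEvents 10 -ErrorAction SilentlyContinue

if ($caEvents) {
    $caEvents | Select-Object TimeCreated, Id, @{n='Summary';e={$_.Message.Split("`n")[0]}} | Format-Table -AutoSize
} else {
    Write-Host "No CA audit events yet; perform a CA management action (e.g. change the audit filter) and re-run."
}
```

If the script reports a full AuditFilter but "No Auditing" for the subcategory, you have hit exactly the situation described in the answer: the CA is willing to report, but the machine's audit policy discards the events. When the CAs are managed through a GPO, make the auditpol change in the GPO's Advanced Audit Policy Configuration instead, or the next policy refresh will overwrite the local setting.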