Welcome to Dirteam.com/ActiveDir.org Blogs Sign in | Join | Help

The things that are better left unspoken

a blog by Sander Berkouwer

Related

AD Manager Plus
 

Blog roll

News



Archives

KnowledgeBase: A hotfix is available that records more information in event ID 5125 for an OCSP response

Last month, Microsoft released a KnowledgeBase article for Active Directory Certificate Services running on Windows Server 2008 R2 with Service Pack 1 and Windows Server 2012.

Note:
This KnowledgeBase article doesn’t apply to Windows Server 2012 R2, although the same issue exists as in Windows Server 2008 R2 and Windows Server 2012.

    

The situation

When you configure a server running Windows Server 2008 R2 with Service Pack 1 or Windows Server 2012 as a Certification Authority (CA), you have the option to also configure it as an Online Responder. 

The Online Responder is installed as the Online Responder Service (OSCP), an additional Server Role feature for the Active Directory Certificate Services (AD CS) Server Role. The Server Role is available in both Server with a GUI and Server Core installations.

The Online Responder is an alternative to the way Certificate Revocation Lists (CRLs) are used to check the status of a certificate, issued by a Certification Authority (CA).

When you enable auditing for requests to the Online Responder, it will log event ID 5125 in the Security log of the server, running the Online Responder Service.

Enabling auditing for the Online Responder Service

To enable request auditing for the Online Responder, you will need to audit object access on the server level. Perform these steps:

  1. Open the Local Group Policy Editor (gpedit.msc) to adit the local Group Policy for a server running the Online Responder Service, or start the Group Policy Management Console (gpmc.msc) to create a domain-based Group Policy Object (GPO) targeting (an Organizational Unit, containing) servers, running the Online Responder Service.

  2. Under (Policies,) Computer Configuration, expand Windows Settings, Security Settings, and Local Policies, and then click Audit Policy.

  3. Double-click the Audit object access policy.
       
    Audit Object Access
       

  4. Select the Success and Failure check boxes, and click OK.

Then, perform these steps to enable auditing for the Online Responder:

  1. Open Online Responder Management (ocsp.msc), and select the Online Responder in the left pane.
  2. Right-click on the Online Responder and select Responder Properties from the Action menu, or click Responder Properties in the Action pane on the right.
  3. Click the Audit tab
       
    Audit Tab in the Online Responder Properties
       
  4. Select the Requests submitted to the Online Reponder audit option, and then click OK.

   

The issue

By default, Event ID 5125 will contain the following information:

Event ID 5125: "A request was submitted to OCSP Responder Service." (click for original screenshot)

However, this information does not meet the basic requirement of the Common Criteria for Information Technology Security Evaluation. The Common Criteria for Information Technology Security Evaluation is an international standard (ISO/IEC 15408) for computer security certification.

    

The resolution

KnowledgeBase article 2891347 contains a hotfix for this issue.

After you install this hotfix, the audit event ID 5125 contains certificate serial number, issuer CA name, and revocation status. The event ID 5125 is logged resembling the following:

A request was submitted to OCSP Responder Service.
Certificate Serial Number: 61342231000000000007
Issuer CA Name: CN=ocsp-audit-CA, DC=test, DC=mydomain, DC=com
Revocation Status: Good/Revoked/Unknown/Empty String

  

Concluding

When you want more useful auditing information on requests submitted to the Online Responder Service on Windows Server 2008 R2 with Service Pack 1 or Windows Server 2012, install this hotfix.

Related KnowledgeBase articles

2891347 A hotfix is available that records more information in event ID 5125 for an OCSP response in Windows Server 2012 and Windows Server 2008 R2 SP1 

Further reading

Audit Online Responder Operations 
AD CS Online Responder Service  
Implementing an OCSP responder: Part I - Introducing OCSP  
Implementing an OCSP responder: Part II Preparing Certificate Authorities 
Implementing an OCSP responder: Part III Configuring OCSP for use with Enterprise CAs 
Implementing an OCSP responder: Part IV Configuring OCSP for use with Standalone CAs 
Implementing an OCSP Responder: Part V High Availability 
Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy

Posted: Saturday, January 04, 2014 11:00 AM by Sander Berkouwer

Comments

No Comments

Anonymous comments are disabled