KnowledgeBase: A hotfix is available that records more information in event ID 5125 for an OCSP response
Last month, Microsoft released a KnowledgeBase article for Active Directory Certificate Services running on Windows Server 2008 R2 with Service Pack 1 and Windows Server 2012.
This KnowledgeBase article does not apply to Windows Server 2012 R2, although the same issue exists there as in Windows Server 2008 R2 and Windows Server 2012.
When you configure a server running Windows Server 2008 R2 with Service Pack 1 or Windows Server 2012 as a Certification Authority (CA), you have the option to also configure it as an Online Responder.
The Online Responder is installed as the Online Responder Service (OCSP), an additional Server Role feature of the Active Directory Certificate Services (AD CS) Server Role. The Server Role is available in both Server with a GUI and Server Core installations.
The Online Responder is an alternative to Certificate Revocation Lists (CRLs) for checking the status of a certificate issued by a Certification Authority (CA).
When you enable auditing for requests to the Online Responder, it logs event ID 5125 in the Security log of the server running the Online Responder Service.
Enabling auditing for the Online Responder Service
To enable request auditing for the Online Responder, you will need to audit object access on the server level. Perform these steps:
- Open the Local Group Policy Editor (gpedit.msc) to edit the local Group Policy of a server running the Online Responder Service, or start the Group Policy Management Console (gpmc.msc) to create a domain-based Group Policy Object (GPO) targeting (an Organizational Unit containing) the servers running the Online Responder Service.
- Under (Policies,) Computer Configuration, expand Windows Settings, Security Settings, and Local Policies, and then click Audit Policy.
- Double-click the Audit object access policy.
- Select the Success and Failure check boxes, and click OK.
Then, perform these steps to enable auditing for the Online Responder:
- Open Online Responder Management (ocsp.msc), and select the Online Responder in the left pane.
- Right-click on the Online Responder and select Responder Properties from the Action menu, or click Responder Properties in the Action pane on the right.
- Click the Audit tab.
- Select the Requests submitted to the Online Responder audit option, and then click OK.
By default, Event ID 5125 will contain the following information:
However, this information does not meet the basic requirement of the Common Criteria for Information Technology Security Evaluation. The Common Criteria for Information Technology Security Evaluation is an international standard (ISO/IEC 15408) for computer security certification.
KnowledgeBase article 2891347 contains a hotfix for this issue.
After you install this hotfix, audit event ID 5125 contains the certificate serial number, the issuer CA name, and the revocation status. The logged event resembles the following:
A request was submitted to OCSP Responder Service.
Certificate Serial Number: 61342231000000000007
Issuer CA Name: CN=ocsp-audit-CA, DC=test, DC=mydomain, DC=com
Revocation Status: Good/Revoked/Unknown/Empty String
When you want more useful auditing information on requests submitted to the Online Responder Service on Windows Server 2008 R2 with Service Pack 1 or Windows Server 2012, install this hotfix.
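The following PowerShell is an added example and is not part of the KnowledgeBase article or the hotfix. It ties the two halves of this post together: it checks the "Audit object access" prerequisite from the command line (auditpol is the equivalent of the Local Policy / GPO step above), then reads event ID 5125 from the Security log and parses the three fields the hotfix adds, flagging requests whose status is not Good. It assumes an elevated session on the Online Responder server and that the KB 2891347 hotfix is installed; the fallback message it parses when no events are present is constructed from the article's sample, with the status set to Revoked for illustration.

```powershell
# Added example; not part of the KnowledgeBase article or the hotfix.
# Assumes: an elevated PowerShell session on the Online Responder server,
# and that the KB 2891347 hotfix is installed (otherwise the parsed fields are empty).

# 1. Prerequisite from the article: "Audit object access" must be enabled for Success and Failure.
#    auditpol is the command-line equivalent of the Local Policy / GPO setting.
auditpol /get /category:"Object Access"
# Local equivalent of the gpedit.msc step (a domain GPO will overwrite this on refresh):
# auditpol /set /category:"Object Access" /success:enable /failure:enable

# 2. Parse the post-hotfix event ID 5125 message into its three fields.
function ConvertFrom-OcspAuditMessage {
    param([Parameter(Mandatory)][string]$Message)
    # [ \t]* rather than \s* so an empty Revocation Status does not swallow the next line.
    $serial = if ($Message -match 'Certificate Serial Number:[ \t]*(\S*)') { $Matches[1] } else { '' }
    $issuer = if ($Message -match 'Issuer CA Name:[ \t]*(.*)')             { $Matches[1].Trim() } else { '' }
    $status = if ($Message -match 'Revocation Status:[ \t]*(.*)')          { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{
        SerialNumber     = $serial
        IssuerCA         = $issuer
        RevocationStatus = $status
    }
}

# 3. Read event ID 5125 from the Security log. If none are present (no requests yet,
#    auditing off, or not elevated), fall back to a constructed message modelled on the
#    article's sample so the parser can still be exercised offline.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5125 } -ErrorAction SilentlyContinue
if (-not $events) {
    $sample = @"
A request was submitted to OCSP Responder Service.
Certificate Serial Number: 61342231000000000007
Issuer CA Name: CN=ocsp-audit-CA, DC=test, DC=mydomain, DC=com
Revocation Status: Revoked
"@
    $events = @([pscustomobject]@{ TimeCreated = Get-Date; Message = $sample })
}

$parsed = foreach ($e in $events) {
    $fields = ConvertFrom-OcspAuditMessage -Message $e.Message
    $fields | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $e.TimeCreated -PassThru
}

# 4. Without the hotfix every record has empty fields; say so rather than silently reporting nothing.
if ($parsed | Where-Object { -not $_.SerialNumber }) {
    Write-Warning 'Some 5125 events carry no serial number: the KB 2891347 hotfix may not be installed.'
}

# 5. Summarise requests per issuer and status, and list anything that is not 'Good'
#    (Revoked, Unknown or empty) for review.
$parsed | Group-Object IssuerCA, RevocationStatus | Select-Object Count, Name
$parsed | Where-Object { $_.RevocationStatus -ne 'Good' } |
    Format-Table TimeCreated, SerialNumber, IssuerCA, RevocationStatus -AutoSize
```

Run it in an elevated session on the responder; the warning in step 4 is the quickest way to tell whether the hotfix is actually in place, because a pre-hotfix 5125 event still fires but carries none of the three fields the parser looks for.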
Related KnowledgeBase articles
2891347 A hotfix is available that records more information in event ID 5125 for an OCSP response in Windows Server 2012 and Windows Server 2008 R2 SP1
Audit Online Responder Operations
AD CS Online Responder Service
Implementing an OCSP responder: Part I - Introducing OCSP
Implementing an OCSP responder: Part II Preparing Certificate Authorities
Implementing an OCSP responder: Part III Configuring OCSP for use with Enterprise CAs
Implementing an OCSP responder: Part IV Configuring OCSP for use with Standalone CAs
Implementing an OCSP Responder: Part V High Availability
Implementing an OCSP Responder: Part VI Configuring Custom OCSP URIs via Group Policy