Configure AD CS auditing

Add AD CS servers in ADAudit Plus

To enable AD CS auditing, you need to configure the computer on which AD CS is installed in the ADAudit Plus console.

• If you have installed AD CS on a domain controller, configure the Active Directory domain and the domain controller in ADAudit Plus. Click here to see how.
• If you have installed AD CS on a Windows server, configure the Windows server in ADAudit Plus. Click here to see how.

Configure audit policies

For AD CS auditing, you can configure the required audit policies either automatically or manually in ADAudit Plus.

Automatic configuration

To configure the audit policies automatically, follow the steps below:

• If AD CS is installed on a domain controller, click here to find the steps to enable the audit policies automatically.
• If AD CS is installed on a Windows server, click here to find the steps to enable the audit policies automatically.

Manual configuration

When configuring the audit policies manually, you can configure either the advanced audit policies or the legacy audit policies for AD CS auditing.

To configure advanced audit policies:

• Log in to any computer that has the Group Policy Management Console (GPMC) with Domain Admin credentials.
• Open the GPMC, and based on your setup, you'll either right-click Default Domain Controllers Policy or ADAuditPlusMSPolicy, then select Edit.

  Note: If AD CS has been installed on a domain controller, configure the audit policy in the Default Domain Controllers Policy GPO. If AD CS has been installed on a Windows server, configure the audit policy in the ADAuditPlusMSPolicy GPO.

• In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
• Double-click Object Access.
• Right-click Audit Certification Services in the right pane. Select Properties, then check the boxes next to Success and Failure.

  

To force advanced audit policies

After configuring the advanced audit policies, ensure that they are forced over legacy audit policies.

• Log in to any computer that has the GPMC with Domain Admin credentials.
• Open the GPMC, and based on your setup, you'll either right-click Default Domain Controllers Policy or ADAuditPlusMSPolicy, then select Edit.

  Note: If AD CS has been installed on a domain controller, configure the audit policy in the Default Domain Controllers Policy GPO. If AD CS has been installed on a Windows server, configure the audit policy in the ADAuditPlusMSPolicy GPO.

• In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
• Right-click Audit: Force audit policy subcategory settings from the right pane, select Properties, and then choose Enabled.

  

To configure legacy audit policies:

• Log in to any computer that has the GPMC with Domain Admin credentials.
• Open the GPMC, and based on your setup, you'll either right-click Default Domain Controllers Policy or ADAuditPlusMSPolicy, then select Edit.

  Note: If AD CS has been installed on a domain controller, configure the audit policy in the Default Domain Controllers Policy GPO. If AD CS has been installed on a Windows server, configure audit policy in the ADAuditPlusMSPolicy GPO.

• In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies.
• Double-click Audit Policy.
• Right-click the Object Access policy in the right pane. Select Properties, then check the boxes next to Success and Failure.

  

Enable auditing on AD CS servers

Configure CA auditing

• Log in to the AD CS server with Domain Admin credentials.
• Open the Certificate Authority management console, right-click the CA, and select Properties.
• Select the Auditing tab from the Properties window and check the boxes next to the categories listed below:
  • Change CA configuration
  • Change CA security settings
  • Issue and manage certificate requests
  • Revoke certificates and publish CRLs
  • Store and retrieve archived keys

Monitoring changes to certificate templates

Changes made to certificate templates issued by Enterprise CAs can be audited with ADAudit Plus by updating the registry. To enable certificate template auditing, open the Command Prompt as an administrator and execute the following command: