AD CS Health and Monitoring

Template based on MS documents

• Securing Public Key Infrastructure (PKI)

Performance counters

• Requests/sec
• Failed Requests/sec
• Pending Requests/sec
• Retrievals/sec

Events

• A certificate request extension changed.
• A Certificate Services template was updated.
• A configuration entry changed in Certificate Services.
• A configuration entry changed in OCSP Responder Service
• A property of Certificate Services changed.
• A security setting was updated on the OCSP Responder Service.
• AD CS did not start: Version does not match certif.dll.
• AD CS refused to process an extremely long request.
• AD CS unrevoked the certificate for request
• An attacker could remove specific certificate types (Registry)
• Certificate Services approved a certificate request and issued a certificate.
• Certificate Services denied a certificate request.
• Certificate Services loaded a template.
• Certificate Services retrieved an archived key.
• Certificate Services revoked a certificate.
• Certificate Services template security was updated.
• OCSP Responder Service Started
• OCSP Responder Service Stopped
• One or more certificate request attributes changed.
• One or more rows have been deleted from the certificate database.
• Role separation enabled
• Role separation enabled (Registry)
• Security permissions are corrupted or missing.
• The audit filter for Certificate Services changed (Registry)
• The audit filter for Certificate Services changed.
• The certificate manager denied a pending certificate request.
• The certificate manager settings for Certificate Services changed.
• The new value enables EDITF_ATTRIBUTESUBJECTALTNAME2 (Registry)
• The Policy Modules have been changed (Registry)
• The security permissions for Certificate Services changed (Registry)
• The security permissions for Certificate Services changed.
• Was changed KRACertHash (Registry)

Services

• Certificate Service

Storage

• Database Size

Tested on Windows servers 2012R2 2016