Windows Event ID 4867 – Security-Auditing: Certificate Services Template Security Descriptor Modified

Start by examining the specific details of Event ID 4867 to understand what template was modified and by whom.

1. Open Event Viewer on the domain controller or CA server
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4867 using the filter option
4. Double-click the event to view detailed information including:
   • Subject: User account that made the change
   • Template Name: Certificate template that was modified
   • Old Security Descriptor: Previous permissions
   • New Security Descriptor: Updated permissions
5. Note the timestamp and correlate with any scheduled maintenance or administrative activities

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4867} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='Template';Expression={$_.Properties[4].Value}}

Check the current permissions on the affected certificate template to understand the impact of the changes.

1. Open Certificate Authority console on the CA server
2. Right-click Certificate Templates and select Manage
3. Locate the template mentioned in Event ID 4867
4. Right-click the template and select Properties
5. Click the Security tab to review current permissions
6. Document who has Enroll, Read, Write, and Full Control permissions
7. Compare with your organization's PKI security policy

Use PowerShell to audit template permissions programmatically:

Import-Module ActiveDirectory
$templateName = "WebServer" # Replace with actual template name
$template = Get-ADObject -Filter "Name -eq '$templateName'" -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$((Get-ADDomain).DistinguishedName)" -Properties nTSecurityDescriptor
$template.nTSecurityDescriptor.Access | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights -AutoSize

Compare the old and new security descriptors to understand exactly what permissions were modified.

1. Extract the security descriptor information from Event ID 4867
2. Use the Security Descriptor Definition Language (SDDL) format shown in the event
3. Convert SDDL strings to readable format for analysis

PowerShell script to decode SDDL from the event:

# Extract SDDL from Event 4867
$event = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4867} -MaxEvents 1
$oldSDDL = $event.Properties[5].Value
$newSDDL = $event.Properties[6].Value

# Convert SDDL to readable format
$oldSD = New-Object System.Security.AccessControl.DirectorySecurity
$oldSD.SetSecurityDescriptorSddlForm($oldSDDL)
$newSD = New-Object System.Security.AccessControl.DirectorySecurity
$newSD.SetSecurityDescriptorSddlForm($newSDDL)

Write-Host "Old Permissions:" -ForegroundColor Yellow
$oldSD.Access | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights
Write-Host "New Permissions:" -ForegroundColor Green
$newSD.Access | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights

This analysis helps identify whether permissions were added, removed, or modified for specific security principals.

Cross-reference the template modification with other system events and administrative logs to establish context.

1. Check Event ID 4624 (successful logon) around the same time for the user account
2. Review Event ID 4648 (explicit credential use) if the change was made using different credentials
3. Examine Certificate Services operational logs for related events
4. Query Group Policy logs if the change might be policy-driven

PowerShell query to correlate events within a time window:

# Get Event 4867 timestamp and user
$templateEvent = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4867} -MaxEvents 1
$eventTime = $templateEvent.TimeCreated
$userName = $templateEvent.Properties[1].Value

# Look for related logon events within 1 hour
$startTime = $eventTime.AddHours(-1)
$endTime = $eventTime.AddHours(1)

$relatedEvents = Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=4624,4648,4672
    StartTime=$startTime
    EndTime=$endTime
} | Where-Object {$_.Message -like "*$userName*"}

$relatedEvents | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

Also check Certificate Services logs:

Get-WinEvent -LogName "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" -StartTime $startTime -EndTime $endTime | Select-Object TimeCreated, Id, LevelDisplayName, Message

Set up proactive monitoring to detect unauthorized certificate template modifications in real-time.

1. Create a custom Event Viewer view for Event ID 4867
2. Configure Windows Event Forwarding to centralize PKI audit events
3. Set up automated alerts for critical template modifications

PowerShell script to create a scheduled task for monitoring:

# Create monitoring script
$monitorScript = @'
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4867; StartTime=(Get-Date).AddMinutes(-5)} | ForEach-Object {
    $templateName = $_.Properties[4].Value
    $user = $_.Properties[1].Value
    $timestamp = $_.TimeCreated
    
    # Send alert for critical templates
    if ($templateName -in @("Administrator", "DomainController", "WebServer")) {
        $subject = "ALERT: Critical Certificate Template Modified"
        $body = "Template: $templateName`nUser: $user`nTime: $timestamp"
        # Add your alerting mechanism here (email, SIEM, etc.)
        Write-EventLog -LogName Application -Source "PKI Monitor" -EventId 1001 -EntryType Warning -Message $body
    }
}
'@

# Save script and create scheduled task
$monitorScript | Out-File -FilePath "C:\Scripts\PKIMonitor.ps1" -Encoding UTF8

$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\PKIMonitor.ps1"
$trigger = New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365) -Once -At (Get-Date)
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount

Register-ScheduledTask -TaskName "PKI Template Monitor" -Action $action -Trigger $trigger -Principal $principal -Description "Monitor certificate template security changes"