Windows Event ID 4872 – Microsoft-Windows-Security-Auditing: Certificate Services Template Security Permissions Changed

Start by examining the specific details of the Event ID 4872 to understand what changed and who made the modification.

1. Open Event Viewer on the Certificate Authority server
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4872 using the filter option
4. Double-click the event to view detailed information
5. Review the following key fields:
   • Subject: Account that made the change
   • Template Name: Certificate template that was modified
   • Old Security Descriptor: Previous permissions
   • New Security Descriptor: Current permissions

Use PowerShell to query multiple events:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4872} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Verify the current certificate template permissions and compare them with organizational security policies.

1. Open Certificate Templates MMC snap-in on the CA server
2. Right-click the affected template and select Properties
3. Click the Security tab to review current permissions
4. Document the current ACL settings for comparison
5. Use PowerShell to enumerate template permissions:

# Get certificate template information
Get-CATemplate | Where-Object {$_.Name -eq "YourTemplateName"} | Format-List *

# Check template permissions using ADSI
$templateDN = "CN=YourTemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com"
$template = [ADSI]"LDAP://$templateDN"
$template.nTSecurityDescriptor

Compare the security descriptor from the event with the current template permissions to identify exactly what changed.

Determine if the account that made the change was authorized and investigate the authentication context.

1. Identify the user account from the event's Subject field
2. Check if the account has legitimate administrative rights:

# Check group membership for the user
Get-ADUser -Identity "username" -Properties MemberOf | Select-Object -ExpandProperty MemberOf

# Verify Certificate Authority administrative permissions
Get-ADGroupMember -Identity "Cert Publishers" | Where-Object {$_.Name -eq "username"}
Get-ADGroupMember -Identity "Enterprise Admins" | Where-Object {$_.Name -eq "username"}

3. Review logon events around the same time to understand the authentication context:

# Look for logon events from the same user around the time of the template change
$startTime = (Get-Date).AddHours(-2)
$endTime = (Get-Date).AddHours(2)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=$startTime; EndTime=$endTime} | Where-Object {$_.Message -like "*username*"}

Cross-reference with change management records to verify if this was a planned modification.

Configure comprehensive auditing to prevent unauthorized template modifications and improve detection capabilities.

1. Enable advanced audit policies for Certificate Services:

# Enable Certificate Services audit policy
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Enable Object Access auditing for detailed tracking
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

2. Configure Group Policy for enhanced PKI auditing:
   • Open Group Policy Management Console
   • Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
   • Enable Audit Certification Services for both success and failure
3. Set up automated monitoring using PowerShell:

# Create a scheduled task to monitor Event ID 4872
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-CertTemplateChanges.ps1"
$trigger = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "Monitor Certificate Template Changes" -Action $action -Trigger $trigger -Principal $principal

Establish proper change control procedures and technical controls to prevent unauthorized certificate template modifications.

1. Create a baseline of all certificate template permissions:

# Export all certificate template configurations
$templates = Get-CATemplate
$baseline = @()
foreach ($template in $templates) {
    $templateInfo = @{
        Name = $template.Name
        DisplayName = $template.DisplayName
        Permissions = (Get-ACL "AD:\CN=$($template.Name),CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$((Get-ADDomain).DistinguishedName)").Access
    }
    $baseline += $templateInfo
}
$baseline | Export-Clixml -Path "C:\PKI\TemplateBaseline-$(Get-Date -Format 'yyyyMMdd').xml"

2. Implement template permission monitoring script:

# Monitor template changes and send alerts
$lastCheck = (Get-Date).AddMinutes(-15)
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4872; StartTime=$lastCheck}
if ($events) {
    $alertMessage = "Certificate template permissions changed: $($events.Count) events detected"
    # Send email alert or write to monitoring system
    Write-EventLog -LogName Application -Source "PKI Monitor" -EventId 1001 -Message $alertMessage
}

3. Configure template security using PowerShell DSC or Group Policy to maintain consistent permissions
4. Implement approval workflows for template modifications using PowerShell workflows or third-party change management systems