最近,运行面向 Internet 的 IIS 服务器的 Server 2012 R2 服务器的 Windows 安全事件日志中记录了以下审核失败事件:
Source: Microsoft Windows security auditing.
Event ID: 5061
Task Category: System Integrity
事件文本:
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: <COMPUTER NAME>
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: le-8db31aae-1218-4b40-be28-c55c618c90c6
Key Type: Machine key.
Cryptographic Operation:
Operation: Decrypt.
Return Code: 0xC000000D
根据 Sysadmins LV 帖子的帮助Certutil 技巧和窍门:查询加密服务提供商(CSP 和 KSP)certutil -store my -v我认为事件文本中的密钥名称与用于保护 IIS Web 流量的 SSL 证书相关。以下是显示该证书的简要输出:
PS C:\Windows\system32> certutil -v -store my
my "Personal"
================ Certificate 0 ================
X509 Certificate:
Version: 3
Serial Number: <REDACTED>
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Issuer:
CN=COMODO RSA Domain Validation Secure Server CA
O=COMODO CA Limited
L=Salford
S=Greater Manchester
C=GB
--- TEXT REMOVED FOR BREVITY ---
Subject:
CN=www.example.com
--- TEXT REMOVED FOR BREVITY ---
CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = 2a746a4f293ce74d47131503de0cf745_28422b67-dacb-4e11-a06a-062dae34b9a0
Simple container name: le-8db31aae-1218-4b40-be28-c55c618c90c6
Provider = Microsoft RSA SChannel Cryptographic Provider
ProviderType = c
Flags = 20 (32)
CRYPT_MACHINE_KEYSET -- 20 (32)
KeySpec = 1 -- AT_KEYEXCHANGE
--- TEXT REMOVED FOR BREVITY ---
请注意,Simple container name证书的与Key Name5061 事件文本的相匹配。
所以我的问题是,在这种背景下,这个事件,特别是“返回代码:0xC000000D”和“操作:解密”是什么意思?我是否应该担心坏人正在试图对服务器做些什么?或者这只是一个报告,说返回到服务器的一些流量已损坏且无法解密?我在网上努力寻找答案,但没有找到任何解释。
请注意,尚未报告访问 IIS 服务器上所提供服务的站点时出现的问题。