Recently the following audit failure event is being logged in the Windows Security event log of a Server 2012 R2 server running an Internet-facing IIS server:
Source: Microsoft Windows security auditing.
Event ID: 5061
Task Category: System Integrity
Event Text:
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: <COMPUTER NAME>
Account Domain: WORKGROUP
Logon ID: 0x3E7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: le-8db31aae-1218-4b40-be28-c55c618c90c6
Key Type: Machine key.
Cryptographic Operation:
Operation: Decrypt.
Return Code: 0xC000000D
Based on help from the Sysadmins LV post "Certutil tips and tricks: query cryptographic service providers (CSP and KSP)", I believe the Key Name in the event text correlates to the SSL certificate used to secure web traffic for IIS. Here's abbreviated output of certutil -store my -v showing that certificate:
PS C:\Windows\system32> certutil -v -store my
my "Personal"
================ Certificate 0 ================
X509 Certificate:
Version: 3
Serial Number: <REDACTED>
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Issuer:
CN=COMODO RSA Domain Validation Secure Server CA
O=COMODO CA Limited
L=Salford
S=Greater Manchester
C=GB
--- TEXT REMOVED FOR BREVITY ---
Subject:
CN=www.example.com
--- TEXT REMOVED FOR BREVITY ---
CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container = 2a746a4f293ce74d47131503de0cf745_28422b67-dacb-4e11-a06a-062dae34b9a0
Simple container name: le-8db31aae-1218-4b40-be28-c55c618c90c6
Provider = Microsoft RSA SChannel Cryptographic Provider
ProviderType = c
Flags = 20 (32)
CRYPT_MACHINE_KEYSET -- 20 (32)
KeySpec = 1 -- AT_KEYEXCHANGE
--- TEXT REMOVED FOR BREVITY ---
Notice that the Simple container name of the certificate matches the Key Name of the 5061 event text.
So my question is, given this context, what does this event, specifically "Return Code: 0xC000000D" and "Operation: Decrypt" mean? Should I be concerned a bad actor is attempting something against the server? Or is this just a report that some traffic returned to the server was corrupt and couldn't be decrypted? I've diligently searched the web for an answer and found no explanation.
Note that there have been no reported problems accessing the sites served on the IIS server.
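One way to put an event like this in context is to count how often it recurs, for which key, and with which return code, rather than reading a single entry. The following script is an added example, not code from the question or from Microsoft; it assumes an elevated PowerShell session on the server and parses the fields from the rendered Message text in the layout shown in the post above (the NTSTATUS name table is an assumption you can extend).

```powershell
# Added example (not from the original post): summarise Security event 5061
# (Cryptographic operation) by key name, operation and return code, so a one-off
# decrypt failure can be told apart from a sustained run against the same key.
# Assumes: elevated session; fields parsed from the rendered Message text.
$NtStatusNames = @{
    '0x0'        = 'STATUS_SUCCESS'
    '0xC000000D' = 'STATUS_INVALID_PARAMETER'   # the code quoted in the post
}

function Get-Crypto5061Summary {
    param(
        [int]$Hours     = 24,    # look-back window
        [int]$MaxEvents = 5000   # cap so a very noisy log does not take forever
    )
    $filter = @{ LogName = 'Security'; Id = 5061; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent reports "no events found" as an error; silence it and return nothing.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $m = $e.Message
        # (?m)^ anchors on a line start, so "Cryptographic Operation:" is skipped
        # and only the "Operation: Decrypt." line is captured.
        $keyName  = if ($m -match 'Key Name:\s+(\S+)')                 { $Matches[1] } else { '?' }
        $op       = if ($m -match '(?m)^\s*Operation:\s+(\w+)')        { $Matches[1] } else { '?' }
        $rc       = if ($m -match 'Return Code:\s+(0x[0-9A-Fa-f]+)')   { $Matches[1] } else { '?' }
        $provider = if ($m -match 'Provider Name:\s+([^\r\n]+)')       { $Matches[1] } else { '?' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            KeyName    = $keyName        # compare with "Simple container name" from certutil -v -store my
            Provider   = $provider
            Operation  = $op
            ReturnCode = $rc
            Status     = if ($NtStatusNames.ContainsKey($rc)) { $NtStatusNames[$rc] } else { 'unknown' }
        }
    }
}

# Failures only: how many per key/operation/code, and when the first and last occurred.
# A steady trickle spread over the day reads differently from a tight burst.
Get-Crypto5061Summary -Hours 24 |
    Where-Object { $_.ReturnCode -ne '0x0' } |
    Group-Object KeyName, Operation, ReturnCode, Status |
    ForEach-Object {
        $times = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            Key   = $_.Name
            Count = $_.Count
            First = $times[0].Time
            Last  = $times[-1].Time
        }
    } | Sort-Object Count -Descending | Format-Table -AutoSize
```

Pair the First/Last timestamps with the IIS access log for the same window to see which client connections, if any, line up with the failures.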