SOURCES
ATA installation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/plan-design/ata-capacity-planning
https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/install-ata-step1
https://blogs.technet.microsoft.com/enterprisemobility/2016/11/04/advanced-threat-analytics-event-log-collection/
ATA Center roles:
Manages ATA Gateway and ATA Lightweight Gateway configuration settings
Receives data from ATA Gateways and ATA Lightweight Gateways
Detects suspicious activities
Runs ATA behavioral machine learning algorithms to detect abnormal behavior
Runs various deterministic algorithms to detect advanced attacks based on the attack kill chain
Runs the ATA web console
Sends email and SYSLOG notifications
Note: since ATA version 1.7, the web console runs on OWIN instead of IIS (source). Microsoft's OWIN
implementation is called Katana.
ATA Gateway roles:
Capture and inspect domain controller network traffic (port-mirrored traffic in the case of an ATA
Gateway, local traffic of the domain controller in the case of an ATA Lightweight Gateway)
Receive Windows events from SIEM or Syslog servers, or from domain controllers using WEF
Retrieve data about users and computers from the Active Directory domain
Perform resolution of network entities (users, groups and computers)
Transfer relevant data to the ATA Center
Monitor multiple domain controllers from a single ATA Gateway, or a single domain controller in the
case of an ATA Lightweight Gateway
The ATA Lightweight Gateway provides the same services as a standard ATA Gateway, except on the
following points (source):
Traffic is captured directly on the domain controller instead of through port mirroring
By default it is not a domain synchronizer candidate (see point 5)
It includes a monitoring component that evaluates the resources available on the domain
controller
It is intended to be installed:
o In branch office sites
o On RODC domain controllers
o On virtual domain controllers deployed in the cloud
Be aware of an issue with domain controllers running on VMware hosts when using the ATA Lightweight
Gateway. Refer to point 7.3 for more details.
1.4 ATA Global architecture overview
Components overview:
Process overview:
2. ATA Center installation
2.1 Prerequisites
The following requirements must be met before installing ATA Center (source).
As ATA Center is resource intensive (CPU, disk, memory and IOPS), Microsoft provides a tool to size
the server properly (source):
You may need to launch the EXE file remotely with domain privileges and let it run for 24 hours (source):
During execution, the program gathers information from your DCs and writes it into an Excel file:
Then, depending on the values collected in the Excel file, adjust CPU, memory or disk space
accordingly:
If ATA Center is installed on a physical server, NUMA must be disabled in the BIOS; the ATA database
(MongoDB) requires it.
ATA Center can be installed on Windows Server 2012 R2 or 2016. On Server 2012 R2, ensure that the
following update is installed: KB2919355.
For performance and management reasons, it is recommended to place the MongoDB database on a
separate, dedicated, high-performance disk.
To simplify user access management, consider creating the Active Directory groups below. These
groups will be added to the local ATA groups in point 3.3:
<Company> ATA Administrators
<Company> ATA Users
<Company> ATA Viewers
2.1.6 ATA user account access
Create a domain account that ATA will use to access your domain (configured in point 5). Do not use
an account name containing "ATA" or any other word that reveals it is tied to this software. The
account needs the following access rights:
Read access on all domain objects
Read access on the Deleted Objects container (see next point). This allows ATA to detect bulk
deletion of objects in the domain
To grant your ATA service account access to the Deleted Objects container (source), in preparation
for point 3.2, first take ownership of the container, then grant LC (List Contents) and RP (Read
Property). Both commands must be run with domain administrator rights:
dsacls <deleted_object_dn> /takeownership
dsacls <deleted_object_dn> /G <user_or_group>:<permissions>
Example:
dsacls "CN=Deleted Objects,DC=demo,DC=lan" /takeownership
dsacls "CN=Deleted Objects,DC=demo,DC=lan" /G demo\ad-svc-ata:LCRP
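The same two steps wrapped in PowerShell, with a check that the ACE actually landed. This is an added example, not code from the original document or from Microsoft: the domain DN, the account name and the layout of the dsacls ACL dump it parses are assumptions.

```powershell
# Added example (not from the original document): grant the ATA service account
# LCRP (List Contents + Read Property) on the Deleted Objects container with dsacls,
# then prove the ACE is present by parsing dsacls' ACL dump.
# Assumptions: DC=demo,DC=lan, demo\ad-svc-ata, and the "Allow <trustee>" line layout
# of dsacls output. Run from an elevated prompt with domain administrator rights.
param(
    [string]$DomainDn       = 'DC=demo,DC=lan',   # assumption
    [string]$ServiceAccount = 'demo\ad-svc-ata'   # assumption
)

$DeletedObjectsDn = "CN=Deleted Objects,$DomainDn"

function Grant-DeletedObjectsRead {
    param([string]$Dn, [string]$Account)
    # Ownership must be taken first; /G is refused on this container otherwise.
    # /takeownership makes the *current* user the owner, hence the admin requirement.
    & dsacls $Dn /takeownership | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls /takeownership failed on $Dn" }
    # LC = List Contents, RP = Read Property: enough to read tombstones, nothing more.
    & dsacls $Dn /G "${Account}:LCRP" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls /G failed on $Dn" }
}

function Test-DeletedObjectsRead {
    param([string]$Dn, [string]$Account)
    # dsacls with only a DN prints the ACL. Each ACE starts with "Allow <trustee>" or
    # "Deny <trustee>"; its rights follow on indented lines (assumed output layout).
    $aces = @()
    foreach ($line in (& dsacls $Dn)) {
        if ($line -match '^\s*(Allow|Deny)\s+(\S+)') {
            $aces += [pscustomobject]@{ Type = $matches[1]; Trustee = $matches[2]; Text = $line }
        } elseif ($aces.Count -gt 0) {
            $aces[-1].Text += "`n" + $line
        }
    }
    $mine = $aces | Where-Object { $_.Type -eq 'Allow' -and $_.Trustee -eq $Account }
    foreach ($ace in $mine) {
        if ($ace.Text -match 'LIST CONTENTS' -and $ace.Text -match 'READ PROPERTY') { return $true }
    }
    return $false
}

Grant-DeletedObjectsRead -Dn $DeletedObjectsDn -Account $ServiceAccount
if (Test-DeletedObjectsRead -Dn $DeletedObjectsDn -Account $ServiceAccount) {
    "OK: $ServiceAccount has LCRP on $DeletedObjectsDn"
} else {
    throw "ACE for $ServiceAccount not found on $DeletedObjectsDn"
}
```

The verification step matters because dsacls exits 0 in some cases where the grant was silently narrowed; reading the ACL back is the only way to know the account really got LC and RP and nothing broader.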
2.1.8 Certificate
A certificate is required to secure web console access. You can use your own certificate or generate
a self-signed one during the installation process.
2.1.9 Network
The ATA Center server requires two different IP addresses, one for each of the following:
Center Service
Web Console
Make sure both IPs are configured, either on a single NIC or on two NICs, before continuing with the
installation process.
2.2 Installation
Configure the settings below according to your configuration from point 2.1:
Once the installation process is complete, check the two newly created firewall rules:
2.3 Update
During the update process, it is recommended to choose the Full option if you want to keep your data:
3. ATA Center configuration
3.1 Login
Once the installation is done, connect to the web interface using the desktop shortcut. Authenticate
with a local administrator account:
Provide the account configured in point 2.1.6 to connect ATA to your domain:
Add the domain groups created in point 2.1.5 to their respective local ATA groups on the ATA Center
server (source):
3.4 Notifications
It is possible to configure email and Syslog notifications in order to be informed of security events.
Notifications are sent from the console interface IP. Note that Wireshark only prints about 240
characters of the message, so you will need to open the PCAP file with tcpdump to view the full
message. A full SYSLOG message can be found in point 6.
4. ATA Gateway installation
4.1 Prerequisites
Follow the same instructions as in point 2.1.1 to size the Gateway properly (source).
ATA Gateway can be installed on Windows Server 2012 R2 or 2016. On Server 2012 R2, ensure that
the following update is installed: KB2919355.
4.1.3 Software
4.1.4 Network
As the ATA Gateway uses port mirroring as its main data source for deep packet inspection (DPI), you
may need to configure port mirroring on all your domain controllers. Three kinds of port mirroring
technology exist:
SPAN: copies network traffic from one or more switch ports to another switch port on the
same switch
RSPAN: monitors network traffic from source ports distributed over multiple physical
switches
ERSPAN (Cisco proprietary, operates at layer 3): monitors network traffic across switches
using GRE encapsulation. ATA does not support it, so you will need an intermediate switch or
router to decapsulate the traffic into SPAN or RSPAN
Also, depending on your ATA and DC configuration (physical and/or virtual), check whether the
mirrored traffic can be handled (source). For VMware troubleshooting, see point 7.3.
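For the virtual case on Hyper-V, port mirroring is a property of the VM network adapters rather than of a physical switch, and both adapters must hang off the same virtual switch. The script below sets the DC as mirror source and a dedicated capture vNIC on the gateway VM as destination, then verifies. It is an added example, not from the original document or from Microsoft; VM names and the capture adapter name are assumptions.

```powershell
# Added example (not from the original document): Hyper-V port mirroring between a
# virtual DC and a virtual ATA Gateway, with a same-switch check and verification.
# Assumptions: VM names DC01 / ATAGW01, a second vNIC named "Capture" on the gateway.
# Run on the Hyper-V host, or anywhere the Hyper-V module can reach it.
param(
    [string]$DcVm           = 'DC01',      # assumption
    [string]$GatewayVm      = 'ATAGW01',   # assumption
    [string]$CaptureAdapter = 'Capture'    # assumption: the gateway's dedicated mirror vNIC
)
Import-Module Hyper-V

function Set-AtaPortMirroring {
    param([string]$SourceVm, [string]$DestVm, [string]$DestAdapter)
    $src = Get-VMNetworkAdapter -VMName $SourceVm | Select-Object -First 1
    $dst = Get-VMNetworkAdapter -VMName $DestVm -Name $DestAdapter
    # Mirroring only works between ports of the same virtual switch
    if ($src.SwitchName -ne $dst.SwitchName) {
        throw "$SourceVm ($($src.SwitchName)) and $DestVm/$DestAdapter ($($dst.SwitchName)) are on different switches"
    }
    $src | Set-VMNetworkAdapter -PortMirroring Source
    $dst | Set-VMNetworkAdapter -PortMirroring Destination
}

function Test-AtaPortMirroring {
    param([string]$SourceVm, [string]$DestVm, [string]$DestAdapter)
    $src = Get-VMNetworkAdapter -VMName $SourceVm | Select-Object -First 1
    $dst = Get-VMNetworkAdapter -VMName $DestVm -Name $DestAdapter
    return (($src.PortMirroringMode -eq 'Source') -and ($dst.PortMirroringMode -eq 'Destination'))
}

Set-AtaPortMirroring -SourceVm $DcVm -DestVm $GatewayVm -DestAdapter $CaptureAdapter
if (-not (Test-AtaPortMirroring -SourceVm $DcVm -DestVm $GatewayVm -DestAdapter $CaptureAdapter)) {
    throw 'Port mirroring not applied'
}
Get-VMNetworkAdapter -VMName $DcVm, $GatewayVm |
    Format-Table VMName, Name, SwitchName, PortMirroringMode -AutoSize
```

Keep the capture vNIC separate from the gateway's management adapter: the mirror destination receives every DC packet on the switch, and mixing that with the adapter the gateway uses to talk to ATA Center makes both capture and troubleshooting harder.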
4.2 Installation
4.2.1 Download
To deploy a gateway, download the setup package from the web interface and install it on your gateway
server. Extract it from the ZIP file first to avoid installation failure.
4.2.2 Setup
The setup chooses the most appropriate gateway type for you depending on whether the server is a
domain controller:
Once the gateway configuration process is done, you should see a status change:
5. Attacks and events management
Mongo database:
Troubleshooting (source)
Management (source)
Note: according to Microsoft TechNet (link), "we are planning on supporting remote back-end
MongoDB."
The ATA Gateway and ATA Center installation processes create several performance counters that you
can use to monitor their health for troubleshooting and/or monitoring purposes:
6.3 ATA Lightweight Gateway issue on VMware
Using the ATA Lightweight Gateway on VMware may, in some cases, cause dropped packets. Microsoft
therefore recommends setting the following to Disabled on the VM NIC (source):
IPv4 Checksum Offload
Large Send Offload
Large Receive Offload (not found in NIC settings)
TCP Checksum Offload
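Applying and checking those settings from PowerShell instead of the NIC properties dialog, as an added example that is not part of the original document or of Microsoft's guidance. The adapter name is an assumption. Windows has no cmdlet named for Large Receive Offload; Receive Segment Coalescing (RSC) is the closest Windows-side equivalent and is disabled here when present, which is my assumption, not Microsoft's wording. Restarting the adapter briefly drops the DC's network connectivity, so run it from a console session or in a maintenance window.

```powershell
# Added example (not from the original document): disable the listed offloads on the
# DC's vNIC where the Lightweight Gateway runs, then verify.
# Assumptions: adapter name "Ethernet0"; RSC as the LRO equivalent; a driver property
# literally named "Large Receive Offload", if present, accepts the value "Disabled".
param([string]$NicName = 'Ethernet0')   # assumption

function Disable-AtaNicOffload {
    param([string]$Name)
    # IPv4 checksum offload + TCP checksum offload (page items 1 and 4)
    Disable-NetAdapterChecksumOffload -Name $Name -IpIPv4 -TcpIPv4 -TcpIPv6 -NoRestart
    # Large Send Offload (page item 2)
    Disable-NetAdapterLso -Name $Name -IPv4 -IPv6 -NoRestart
    # Large Receive Offload (page item 3): RSC when the driver exposes it ...
    if (Get-NetAdapterRsc -Name $Name -ErrorAction SilentlyContinue) {
        Disable-NetAdapterRsc -Name $Name -IPv4 -IPv6 -NoRestart
    }
    # ... and any advanced property the driver labels Large Receive Offload
    Get-NetAdapterAdvancedProperty -Name $Name -ErrorAction SilentlyContinue |
        Where-Object DisplayName -like 'Large Receive Offload*' |
        ForEach-Object {
            Set-NetAdapterAdvancedProperty -Name $Name -DisplayName $_.DisplayName -DisplayValue 'Disabled' -NoRestart
        }
    Restart-NetAdapter -Name $Name   # settings take effect on restart; brief outage
}

function Test-AtaNicOffload {
    param([string]$Name)
    $cs  = Get-NetAdapterChecksumOffload -Name $Name   # values are Disabled/RxEnabled/TxEnabled/RxTxEnabled
    $lso = Get-NetAdapterLso -Name $Name               # booleans
    return (($cs.IpIPv4Enabled -eq 'Disabled') -and
            ($cs.TcpIPv4Enabled -eq 'Disabled') -and
            (-not $lso.IPv4Enabled) -and
            (-not $lso.IPv6Enabled))
}

Disable-AtaNicOffload -Name $NicName
if (-not (Test-AtaNicOffload -Name $NicName)) { throw "Offloads still enabled on $NicName" }
Get-NetAdapterChecksumOffload -Name $NicName | Format-List
Get-NetAdapterLso -Name $NicName | Format-List
```

After the change, compare the "Dropped packets" figure in the gateway's performance counters before and after; that is the observable the setting is meant to fix.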
If the ATA Gateway has been installed on a DC in Core mode or alongside traffic capture software, the
following notification may appear:
7. Security enforcements
The full list of security enforcements provided by Microsoft can be found here.
7.1 Telemetry
By default, some anonymized information is sent to Microsoft. You can disable this telemetry in the
About menu by unchecking the box (source):
It is strongly recommended to apply the following network enforcements on ATA Center:
Keep Windows firewall enabled
Use two network adapters in different subnets
Filter access to web console with port filtering and/or with a reverse proxy
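The port-filtering option, done with the Windows firewall that the first bullet says to keep enabled: narrow inbound TCP/443 on the Web Console IP to the administrators' networks while leaving the Center Service IP open, since the gateways must still reach it. This is an added example, not code from the original document or from Microsoft. The two IPs and the admin subnet are assumptions, and the installer's rule names are not assumed; rules are located by port and local address instead.

```powershell
# Added example (not from the original document): scope the Web Console's inbound
# TCP/443 to admin networks without touching the Center Service listener.
# Assumptions: console IP 10.10.0.11, center IP 10.10.0.10, admins in 10.20.0.0/24.
param(
    [string]$ConsoleIp   = '10.10.0.11',        # assumption: Web Console IP (point 2.1.9)
    [string]$CenterIp    = '10.10.0.10',        # assumption: Center Service IP
    [string[]]$AdminNets = @('10.20.0.0/24')    # assumption: where console users come from
)
$ScopedRuleName = 'ATA Console 443 (admin networks only)'

function Get-Inbound443Rules {
    # Enabled inbound allow rules whose port filter covers TCP/443, whatever they are named
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '443' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
}

function Set-AtaConsoleScope {
    # Firewall stays on, inbound default is Block, so only explicit rules expose anything
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    foreach ($rule in Get-Inbound443Rules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.LocalAddress -eq 'Any') {
            # One rule serving both IPs: pin it to the Center Service IP for the gateways ...
            $rule | Set-NetFirewallRule -LocalAddress $CenterIp
            # ... and give the console its own rule, restricted to the admin networks
            if (-not (Get-NetFirewallRule -DisplayName $ScopedRuleName -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $ScopedRuleName -Direction Inbound -Action Allow `
                    -Protocol TCP -LocalPort 443 -LocalAddress $ConsoleIp -RemoteAddress $AdminNets | Out-Null
            }
        } elseif ($addr.LocalAddress -contains $ConsoleIp) {
            $rule | Set-NetFirewallRule -RemoteAddress $AdminNets
        }
        # Rules bound only to the Center Service IP are left as they are
    }
}

function Test-AtaConsoleScope {
    # True when no enabled inbound allow rule exposes 443 on the console IP to 'Any'
    $open = foreach ($rule in Get-Inbound443Rules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        $hitsConsole = ($addr.LocalAddress -eq 'Any') -or ($addr.LocalAddress -contains $ConsoleIp)
        if ($hitsConsole -and ($addr.RemoteAddress -eq 'Any')) { $rule.DisplayName }
    }
    return (@($open).Count -eq 0)
}

Set-AtaConsoleScope
if (-not (Test-AtaConsoleScope)) { throw "Web console on $ConsoleIp is still reachable from Any" }
Get-Inbound443Rules | ForEach-Object {
    $a = $_ | Get-NetFirewallAddressFilter
    '{0}: local={1} remote={2}' -f $_.DisplayName, ($a.LocalAddress -join ','), ($a.RemoteAddress -join ',')
}
```

Do not try to add a separate Block rule for 443 from "everyone else": in the Windows firewall, block rules win over allow rules regardless of order, so a blanket block would also shut out the admin networks. Narrowing the allow rules and relying on the default inbound Block is the correct shape here.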