BLOG Published on 2019/01/12 by Asitha De Silva in Tech-Tips

Implementing Microsoft Advanced Threat Analytics


Microsoft Advanced Threat Analytics (ATA) is an on-premises solution that helps protect organizations by identifying multiple types of advanced attacks and insider threats. In my previous post, Microsoft Advanced Threat Analytics – Overview, I discussed what ATA is, how it works and its architecture. I also covered the capacity planning that helps when you deploy the ATA components in your environment. In this post, I'm going to explain step by step how to deploy Advanced Threat Analytics in your environment according to Microsoft best practices.

Deployment scenario
I have a production environment with a single-forest, single-domain Active Directory environment with two domain controllers running on Windows Server 2016. The ATA deployment scope will include an ATA Center running on a separate Windows Server 2016 server, and the ATA Lightweight Gateway will be installed on both domain controllers.

  • ATA Center – VM with Windows server 2016
  • ATA Light weight gateway – Domain controller 1
  • ATA Light weight gateway – Domain controller 2


ATA Capacity Planning

Before deploying ATA in your environment, it's better to do the capacity planning, which helps to identify the hardware configuration required for the ATA Center and any additional CPU or memory requirements for the current domain controllers where you install the lightweight gateways.

Microsoft has released the ATA Sizing tool to do this capacity planning.
Download - https://aka.ms/atasizingtool

The sizing tool collects packets-per-second information from the domain controllers, and it is recommended to run it for at least 24 hours. The ATA Sizing tool provides its report as an Excel file.
More Information - https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-capacity-planning


Deploying ATA Center

The ATA Center is the main component of the ATA architecture. It can be deployed on a separate server or co-exist with other services, depending on your capacity requirements.

Download and Install ATA Center

  1. ATA Center can be downloaded from the Volume Licensing Portal, MSDN or the TechNet Evaluation Center. If you already have licenses and are installing ATA in production, you need to download it from the Volume Licensing Portal. The following is the evaluation URL:
    https://www.microsoft.com/en-gb/evalcenter/evaluate-microsoft-advanced-threat-analytics

  2. Log in to the server with administrative access.
  3. If you are running the setup on Windows Server 2016, no prerequisites are required, but on 2012 R2 you need to install the .NET Framework 4.5 first.
  4. Double-click and run the ATA Center setup and select the language.


  5. Click Next on the Windows Updates screen.


  6. In the Configure the Center screen, you need to select an SSL certificate; this is used for encrypted communication between the gateways and the Center. If you are running a full production environment it's better to use a certificate from a public CA, or you can use a self-signed certificate. To install the ATA Center using a self-signed certificate, click Create a self-signed certificate and then Install.


  7. Installation will complete within a few minutes.




Configuring and Installing ATA Gateway

  1. After installing the Center, log in to the Center by typing localhost in Internet Explorer.


  2. Click Provide a username and password and type a domain user name; Domain Users permissions are enough. Click Test connection and then Save.


  3. After configuring the account, you can download the Gateway Setup by clicking Gateway Setup. This setup contains both the standard gateway and the lightweight gateway.


  4. Here I'm installing the lightweight gateway, so copy the installation package to a domain controller and run the setup by double-clicking it.


  5. Standard Gateway will be grayed out, and you can only select Lightweight Gateway because you are running the setup on a domain controller.


  6. Select the installation path and click Install; setup will complete the installation in a few




  7. After the installation completes, log in to the ATA Center console and click Gateways. You can see that the agent is reporting, and the domain controller name, gateway type and service status are shown in the console.


In the same way, you need to install gateway agents on all domain controllers. No additional configuration is required if you are using lightweight gateways. If you are using standard gateways, you need to configure port mirroring and security event forwarding.
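Since every domain controller needs a gateway, a quick coverage check is useful after the installs. The following is an added example, not code from the original post: it assumes Windows PowerShell 5.1 with the ActiveDirectory module, and it assumes the gateway's Windows service name is ATAGateway (confirm it with Get-Service on one domain controller first).

```powershell
# Added example (not from the original post): list every domain controller
# and whether the ATA Lightweight Gateway service is installed and running.
# Assumptions: Windows PowerShell 5.1 (Get-Service -ComputerName), the
# ActiveDirectory module, and the service name 'ATAGateway'.
Import-Module ActiveDirectory

function Get-AtaGatewayCoverage {
    param([string]$ServiceName = 'ATAGateway')   # assumed service name

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        # Returns $null (without an error) when the service is not installed on that DC
        $svc = Get-Service -ComputerName $dc.HostName -Name $ServiceName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            GatewayInstalled = [bool]$svc
            Status           = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        }
    }
}

# Show only the DCs that still need attention; an empty table means full coverage
Get-AtaGatewayCoverage |
    Where-Object { -not $_.GatewayInstalled -or $_.Status -ne 'Running' } |
    Format-Table -AutoSize
```

Run it from a management host with RPC access to the domain controllers; remove the Where-Object filter to see the full list, including the DCs that are healthy.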


Additional Configurations

After installing the ATA Center and the gateways, the ATA installation is complete. There are a few additional configurations available depending on your needs. Let's look at configuring email notifications, honeytoken accounts and scheduled reports.

Configuring Mail Notifications
Before configuring notifications, you need to specify the mail server: the SMTP server endpoint and the port. Navigate to ATA Console – Configurations – Mail server to fill in the information.

Next, navigate to Notifications and set the email accounts that need to be notified when a health issue or suspicious activity is detected.


Configure scheduled reports
After configuring the mail server, you can schedule the reports to be generated and emailed at a given time: ATA Console – Configurations – Scheduled reports


Configure Honeytoken Accounts
Honeytoken accounts are accounts that pretend to be sensitive in order to attract attackers. ATA monitors every action against these accounts and raises notifications in the dashboard. You can rename your Administrator, root or admin accounts to something that is hard to guess, create low-privilege accounts using the original names, and add those accounts in the Honeytoken section of the ATA Center configuration.

ATA Center – Configurations – Entity tags, then add the account names under Honeytoken accounts.
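The rename-and-decoy step above can be done from PowerShell. The following is an added example, not code from the original post: it assumes the ActiveDirectory module and Domain Admins rights, and the new administrator name svc-ops-7f3 is a placeholder chosen for this example. The decoy still has to be tagged by hand under Entity tags as described above.

```powershell
# Added example (not from the original post): rename the built-in Administrator
# and create a low-privilege decoy with the old name for use as an ATA honeytoken.
# Assumptions: ActiveDirectory module, Domain Admins rights, placeholder new name.
Import-Module ActiveDirectory

$newAdminName = 'svc-ops-7f3'                       # placeholder; pick your own
$domain       = Get-ADDomain
# The real administrator is found by its well-known RID (500), not by name
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"

# 1. Change the logon names first (the object is still addressed by its old DN),
#    then rename the object itself.
Set-ADUser -Identity $builtinAdmin -SamAccountName $newAdminName `
    -UserPrincipalName "$newAdminName@$($domain.DNSRoot)"
Rename-ADObject -Identity $builtinAdmin -NewName $newAdminName

# 2. Create the decoy with the well-known name. It gets a long random password that
#    is never stored, so no legitimate logon to it should ever occur; any activity
#    against it is therefore suspicious once ATA tags it as a honeytoken.
$randomPwd = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
New-ADUser -Name 'Administrator' -SamAccountName 'Administrator' `
    -UserPrincipalName "Administrator@$($domain.DNSRoot)" `
    -AccountPassword (ConvertTo-SecureString $randomPwd -AsPlainText -Force) `
    -Enabled $true -PasswordNeverExpires $true -Path $domain.UsersContainer

# 3. Sanity check: the decoy must hold no privileges, i.e. only Domain Users.
$groups = @(Get-ADPrincipalGroupMembership -Identity 'Administrator' |
            Select-Object -ExpandProperty Name)
if ($groups.Count -ne 1 -or $groups[0] -ne 'Domain Users') {
    Write-Warning "Decoy has unexpected group membership: $($groups -join ', ')"
}
```

Record the new administrator name in your break-glass documentation before running the script, because after step 1 the old name no longer logs anyone in.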


That is the most common configuration you have to perform when installing ATA in a single forest with lightweight gateways. In the next post, I'm hoping to cover how to simulate a few attacks to see how ATA picks them up.

Hope this post is useful

Cheers

Asitha De Silva


Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.


Copyright © 2024 Terminalworks. All Rights Reserved