Before You Start
- User account and password with read access to all objects in the monitored domains.
- Do not install Microsoft Message Analyzer on an ATA Gateway or Lightweight Gateway.
- Recommended: The user should have read-only permissions on the Deleted Objects container. This allows ATA to detect bulk deletion of objects in the domain.
- A user account that has no network activity. This account is configured as the ATA Honeytoken user. To configure the Honeytoken user, you need the SID of the user account, not the username.
- ATA can use Windows events 4776, 4732, 4733, 4728, 4729, 4756 and 4757 to further enhance the ATA Pass-the-Hash, Brute Force, modification to sensitive groups and Honeytoken detections.
General
- ATA Center supports installation on a server running Windows Server 2012 R2 or Windows Server 2016.
- ATA Center can be installed on a server that is a member of a domain or workgroup.
- Before installing ATA Center running Windows 2012 R2, confirm that the following update has been installed: KB2919355.
- Virtual machine dynamic memory or any other memory ballooning feature is not supported.
- If you run the ATA Center as a virtual machine, shut down the server before creating a new checkpoint to avoid potential database corruption.
Server Specification
- When working on a physical server, the ATA database requires that you disable Non-Uniform Memory Access (NUMA) in the BIOS; to disable NUMA, you have to enable Node Interleaving.
- For optimal performance, set the Power Option of the ATA Center to High Performance.
- The number of domain controllers you are monitoring and the load on each of them dictate the server specification needed.
Time Synchronization
- The ATA Center server, the ATA Gateway servers, and the domain controllers must have time synchronized within five minutes of each other.
Network Adapters
- At least one network adapter (if using a physical server in a VLAN environment, it is recommended to use two network adapters).
- An IP address for communication between the ATA Center and the ATA Gateway that is encrypted using SSL on port 443. (The ATA service binds to all IP addresses that the ATA Center has on port 443.)
Ports
LDAP is required to test the credentials to be used between the ATA Gateways and the domain controllers.
| Protocol | Transport | Ports | To/From | Direction |
|---|---|---|---|---|
| SSL (ATA Communications) | TCP | 443 | ATA Gateway | Inbound |
| HTTP (optional) | TCP | 80 | Company Network | Inbound |
| HTTPS | TCP | 443 | Company Network and ATA Gateway | Inbound |
| SMTP (optional) | TCP | 25 | SMTP Server | Outbound |
| SMTPS (optional) | TCP | 465 | SMTP Server | Outbound |
| Syslog (optional) | TCP | 514 | Syslog server | Outbound |
| LDAP | TCP and UDP | 389 | Domain controllers | Outbound |
| LDAPS (optional) | TCP | 636 | Domain controllers | Outbound |
| DNS | TCP and UDP | 53 | DNS servers | Outbound |
| Kerberos (optional if domain joined) | TCP and UDP | 88 | Domain controllers | Outbound |
| Windows Time (optional if domain joined) | UDP | 123 | Domain controllers | Outbound |
Certificate
- To ease the installation of ATA, you can install self-signed certificates during installation.
- Post-deployment, you should replace the self-signed certificate with one issued by an internal Certification Authority for use by the ATA Center.
- Make sure the ATA Center and ATA Gateways have access to your CRL distribution point.
- The certificate must have:
  - A private key
  - A provider type of either Cryptographic Service Provider (CSP) or Key Storage Provider (KSP)
  - A public key length of 2048 bits
  - A value set for the KeyEncipherment and Server Authentication usage flags
- You can use the standard Web Server or Computer templates.
- The process of renewing an existing certificate is not supported. The only way to renew a certificate is by creating a new certificate and configuring ATA to use the new certificate.
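The following PowerShell function is an added example, not part of the ATA documentation, that checks a certificate in the local machine store against the requirements listed above (private key, CSP/KSP provider, 2048-bit key, KeyEncipherment, Server Authentication) and tests whether its HTTP CRL distribution points are reachable from the host it runs on. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with .NET 4.6 or later; the thumbprint in the usage line is a placeholder.

```powershell
# Added example, not from the ATA documentation. Run on the ATA Center host.
function Test-AtaCenterCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $cert = Get-ChildItem -Path $StorePath | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in $StorePath" }
    $checks = [ordered]@{}

    # Private key present; provider surfaced as CSP (RSACryptoServiceProvider) or KSP (RSACng).
    # Either class is acceptable, so the check does not distinguish between them further.
    $checks['PrivateKey'] = $cert.HasPrivateKey
    $rsaPriv = if ($cert.HasPrivateKey) {
        [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    }
    $checks['ProviderCspOrKsp'] = ($rsaPriv -is [System.Security.Cryptography.RSACryptoServiceProvider]) -or
                                  ($rsaPriv -is [System.Security.Cryptography.RSACng])

    # Public key length must be 2048 bits.
    $rsaPub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $checks['KeyLength2048'] = ($null -ne $rsaPub) -and ($rsaPub.KeySize -eq 2048)

    # Key Usage extension must include KeyEncipherment.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $checks['KeyEncipherment'] = ($null -ne $ku) -and
        $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)

    # Enhanced Key Usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $checks['ServerAuthentication'] = ($null -ne $eku) -and
        [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1')

    # HTTP CRL distribution points (extension OID 2.5.29.31) must be reachable from this host.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $urls = if ($cdp) { [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') | ForEach-Object { $_.Groups[1].Value } }
    $unreachable = foreach ($u in $urls) {
        try { $null = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10 } catch { $u }
    }
    $checks['CrlReachable'] = ($urls.Count -gt 0) -and ($unreachable.Count -eq 0)

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)
    # NotAfter is reported because renewal in place is not supported: plan a new certificate before expiry.
    [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter
                       Passed = ($failed.Count -eq 0); Failed = $failed; Checks = $checks }
}

# Replace the placeholder with the thumbprint of the certificate you intend to assign to the ATA Center.
Test-AtaCenterCertificate -Thumbprint 'PLACEHOLDER_THUMBPRINT' | Format-List
```

Run the same function on each ATA Gateway to confirm that the CRL distribution point is reachable from there as well.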