ATA prerequisites

Applies to: Advanced Threat Analytics version 1.9

This article describes the requirements for a successful ATA deployment in your environment.

Note

For information on how to plan resources and capacity, see ATA capacity planning.

ATA is composed of the ATA Center, the ATA Gateway and/or the ATA Lightweight Gateway. For more information about the ATA components, see ATA architecture.

The ATA System works on active directory forest boundary and supports Forest Functional Level (FFL) of Windows 2003 and above.

Before you start: This section lists information you should gather and accounts and network entities you should have, before starting ATA installation.

ATA Center: This section lists ATA Center hardware, software requirements as well as settings you need to configure on your ATA Center server.

ATA Gateway: This section lists ATA Gateway hardware, software requirements as well as settings you need to configure on your ATA Gateway servers.

ATA Lightweight Gateway: This section lists ATA Lightweight Gateway hardware, and software requirements.

ATA Console: This section lists browser requirements for running the ATA Console.

ATA architecture diagram.

Before you start

This section lists information you should gather as well as accounts and network entities you should have before starting ATA installation.

  • User account and password with read access to all objects in the monitored domains.

    Note

    If you have set custom ACLs on various Organizational Units (OU) in your domain, make sure that the selected user has read permissions to those OUs.

  • Do not install Microsoft Message Analyzer on an ATA Gateway or Lightweight Gateway. The Message Analyzer driver conflicts with the ATA Gateway and Lightweight Gateway drivers. If you run Wireshark on ATA Gateway, you will need to restart the Microsoft Advanced Threat Analytics Gateway Service after you have stopped the Wireshark capture. If not, the Gateway stops capturing traffic. Running Wireshark on an ATA Lightweight Gateway does not interfere with the ATA Lightweight Gateway.

  • Recommended: User should have read-only permissions on the Deleted Objects container. This allows ATA to detect bulk deletion of objects in the domain. For information about configuring read-only permissions on the Deleted Objects container, see the Changing permissions on a deleted object container section in the View or Set Permissions on a Directory Object article.

  • Optional: A user account of a user with no network activities. This account is configurable as an ATA Honeytoken user. To configure an account as a Honeytoken user, only the username is required. For Honeytoken configuration information, see Configure IP address exclusions and Honeytoken user.

  • Optional: In addition to collecting and analyzing network traffic to and from the domain controllers, ATA can use Windows events 4776, 4732, 4733, 4728, 4729, 4756 and 4757 to further enhance ATA Pass-the-Hash, Brute Force, Modification to sensitive groups and Honey Tokens detections. These events can be received from your SIEM or by setting Windows Event Forwarding from your domain controller. Events collected provide ATA with additional information that is not available via the domain controller network traffic.

ATA Center requirements

This section lists the requirements for the ATA Center.

General

The ATA Center supports installation on a server running Windows Server 2012 R2 Windows Server 2016 and Windows Server 2019.

Note

The ATA Center does not support Windows Server core.

The ATA Center can be installed on a server that is a member of a domain or workgroup.

Before installing ATA Center running Windows 2012 R2, confirm that the following update has been installed: KB2919355.

You can check by running the following Windows PowerShell cmdlet: [Get-HotFix -Id kb2919355].

Installation of the ATA Center as a virtual machine is supported.

Server specifications

When working on a physical server, the ATA database necessitates that you disable Non-uniform memory access (NUMA) in the BIOS. Your system may refer to NUMA as Node Interleaving, in which case you have to enable Node Interleaving in order to disable NUMA. For more information, see your BIOS documentation.

For optimal performance, set the Power Option of the ATA Center to High Performance.
The number of domain controllers you are monitoring and the load on each of the domain controllers dictates the server specifications needed. For more information, see ATA capacity planning.

For Windows Operating systems 2008R2 and 2012, Gateway is not supported in a Multi Processor Group mode. For more information about multi-processor group mode, see troubleshooting.

Time synchronization

The ATA Center server, the ATA Gateway servers, and the domain controllers must have time synchronized to within five minutes of each other.

Network adapters

You should have the following set:

  • At least one network adapter (if using physical server in VLAN environment, it is recommended to use two network adapters)

  • An IP address for communication between the ATA Center and the ATA Gateway that is encrypted using SSL on port 443. (The ATA service binds to all IP addresses that the ATA Center has on port 443.)

Ports

The following table lists the minimum ports that have to be opened for the ATA Center to work properly.

Protocol Transport Port To/From Direction
SSL (ATA Communications) TCP 443 ATA Gateway Inbound
HTTP (optional) TCP 80 Company Network Inbound
HTTPS TCP 443 Company Network and ATA Gateway Inbound
SMTP (optional) TCP 25 SMTP Server Outbound
SMTPS (optional) TCP 465 SMTP Server Outbound
Syslog (optional) TCP/UPS/TLS (configurable) 514 (default) Syslog server Outbound
LDAP TCP and UDP 389 Domain controllers Outbound
LDAPS (optional) TCP 636 Domain controllers Outbound
DNS TCP and UDP 53 DNS servers Outbound
Kerberos (optional if domain joined) TCP and UDP 88 Domain controllers Outbound
Windows Time (optional if domain joined) UDP 123 Domain controllers Outbound

Note

LDAP is required to test the credentials to be used between the ATA Gateways and the domain controllers. The test is performed from the ATA Center to a domain controller to test the validity of these credentials, after which the ATA Gateway uses LDAP as part of its normal resolution process.

Certificates

To install and deploy ATA more quickly, you can install self-signed certificates during installation. If you have chosen to use self-signed certificates, after the initial deployment it is recommended to replace self-signed certificates with certificates from an internal Certification Authority to be used by the ATA Center.

Make sure the ATA Center and ATA Gateways have access to your CRL distribution point. If they don't have Internet access, follow the procedure to manually import a CRL, taking care to install all the CRL distribution points for the whole chain.

The certificate must have:

  • A private key
  • A provider type of either Cryptographic Service Provider (CSP) or Key Storage Provider (KSP)
  • A public key length of 2048 bits
  • A value set for KeyEncipherment and ServerAuthentication usage flags
  • KeySpec (KeyNumber) value of "KeyExchange" (AT_KEYEXCHANGE). The value "Signature" (AT_SIGNATURE) is not supported.
  • All Gateway machines must be able to fully validate and trust the selected Center certificate.

For example, you can use the standard Web server or Computer templates.

Warning

The process of renewing an existing certificate is not supported. The only way to renew a certificate is by creating a new certificate and configuring ATA to use the new certificate.

Note

  • If you are going to access the ATA Console from other computers, ensure that those computers trust the certificate being used by ATA Center otherwise you get a warning page that there is a problem with the website's security certificate before getting to the log in page.
  • Starting with ATA version 1.8 the ATA Gateways and Lightweight Gateways are managing their own certificates and need no administrator interaction to manage them.

ATA Gateway requirements

This section lists the requirements for the ATA Gateway.

General

The ATA Gateway supports installation on a server running Windows Server 2012 R2 or Windows Server 2016 and Windows Server 2019 (including server core). The ATA Gateway can be installed on a server that is a member of a domain or workgroup. The ATA Gateway can be used to monitor Domain Controllers with Domain Functional Level of Windows 2003 and above.

Before installing ATA Gateway running Windows 2012 R2, confirm that the following update has been installed: KB2919355.

You can check by running the following Windows PowerShell cmdlet: [Get-HotFix -Id kb2919355].

For information on using virtual machines with the ATA Gateway, see Configure port mirroring.

Note

A minimum of 5 GB of space is required and 10 GB is recommended. This includes space needed for the ATA binaries, ATA logs, and performance logs.

Server specifications

For optimal performance, set the Power Option of the ATA Gateway to High Performance.
An ATA Gateway can support monitoring multiple domain controllers, depending on the amount of network traffic to and from the domain controllers.

To learn more about dynamic memory or any other virtual machine memory management feature, see Dynamic memory.

For more information about the ATA Gateway hardware requirements, see ATA capacity planning.

Time synchronization

The ATA Center server, the ATA Gateway servers, and the domain controllers must have time synchronized to within five minutes of each other.

Network adapters

The ATA Gateway requires at least one Management adapter and at least one Capture adapter:

  • Management adapter - used for communications on your corporate network. This adapter should be configured with the following settings:

    • Static IP address including default gateway

    • Preferred and alternate DNS servers

    • The DNS suffix for this connection should be the DNS name of the domain for each domain being monitored.

      Configure DNS suffix in advanced TCP/IP settings.

      Note

      If the ATA Gateway is a member of the domain, this may be configured automatically.

  • Capture adapter - used to capture traffic to and from the domain controllers.

    Important

    • Configure port mirroring for the capture adapter as the destination of the domain controller network traffic. For more information, see Configure port mirroring. Typically, you need to work with the networking or virtualization team to configure port mirroring.
    • Configure a static non-routable IP address for your environment with no default gateway and no DNS server addresses. For example, 1.1.1.1/32. This ensures that the capture network adapter can capture the maximum amount of traffic and that the management network adapter is used to send and receive the required network traffic.

Ports

The following table lists the minimum ports that the ATA Gateway requires configured on the management adapter:

Protocol Transport Port To/From Direction
LDAP TCP and UDP 389 Domain controllers Outbound
Secure LDAP (LDAPS) TCP 636 Domain controllers Outbound
LDAP to Global Catalog TCP 3268 Domain controllers Outbound
LDAPS to Global Catalog TCP 3269 Domain controllers Outbound
Kerberos TCP and UDP 88 Domain controllers Outbound
Netlogon (SMB, CIFS, SAM-R) TCP and UDP 445 All devices on network Outbound
Windows Time UDP 123 Domain controllers Outbound
DNS TCP and UDP 53 DNS Servers Outbound
NTLM over RPC TCP 135 All devices on the network Both
NetBIOS UDP 137 All devices on the network Both
SSL TCP 443 ATA Center Outbound
Syslog (optional) UDP 514 SIEM Server Inbound

Note

As part of the resolution process done by the ATA Gateway, the following ports need to be open inbound on devices on the network from the ATA Gateways.

  • NTLM over RPC (TCP Port 135)
  • NetBIOS (UDP port 137)
  • Using the Directory service user account, the ATA Gateway queries endpoints in your organization for local admins using SAM-R (network logon) in order to build the lateral movement path graph. For more information, see Configure SAM-R required permissions.
  • The following ports need to be open inbound on devices on the network from the ATA Gateway:
  • NTLM over RPC (TCP Port 135) for resolution purposes
  • NetBIOS (UDP port 137) for resolution purposes

ATA Lightweight Gateway requirements

This section lists the requirements for the ATA Lightweight Gateway.

General

The ATA Lightweight Gateway supports installation on a domain controller running Windows Server 2008 R2 SP1 (not including Server Core), Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 (including Core but not Nano).

The domain controller can be a read-only domain controller (RODC).

Before installing ATA Lightweight Gateway on a domain controller running Windows Server 2012 R2, confirm that the following update has been installed: KB2919355.

You can check by running the following Windows PowerShell cmdlet: [Get-HotFix -Id kb2919355]

If the installation is for Windows server 2012 R2 Server Core, the following update should also be installed: KB3000850.

You can check by running the following Windows PowerShell cmdlet: [Get-HotFix -Id kb3000850]

During installation, the .Net Framework 4.6.1 is installed and might cause a reboot of the domain controller.

Note

A minimum of 5 GB of space is required and 10 GB is recommended. This includes space needed for the ATA binaries, ATA logs, and performance logs.

Server specifications

The ATA Lightweight Gateway requires a minimum of 2 cores and 6 GB of RAM installed on the domain controller. For optimal performance, set the Power Option of the ATA Lightweight Gateway to High Performance. The ATA Lightweight Gateway can be deployed on domain controllers of various loads and sizes, depending on the amount of network traffic to and from the domain controllers and the amount of resources installed on that domain controller.

To learn more about dynamic memory or any other virtual machine memory management feature, see Dynamic memory.

For more information about the ATA Lightweight Gateway hardware requirements, see ATA capacity planning.

Time synchronization

The ATA Center server, the ATA Lightweight Gateway servers, and the domain controllers must have time synchronized to within five minutes of each other.

Network adapters

The ATA Lightweight Gateway monitors the local traffic on all of the domain controller's network adapters.

After deployment, you can use the ATA Console if you ever want to modify which network adapters are monitored.

Note

The Lightweight Gateway is not supported on domain controllers running Windows 2008 R2 with Broadcom Network Adapter Teaming enabled.

Ports

The following table lists the minimum ports that the ATA Lightweight Gateway requires:

Protocol Transport Port To/From Direction
DNS TCP and UDP 53 DNS Servers Outbound
NTLM over RPC TCP 135 All devices on the network Both
NetBIOS UDP 137 All devices on the network Both
SSL TCP 443 ATA Center Outbound
Syslog (optional) UDP 514 SIEM Server Inbound
Netlogon (SMB, CIFS, SAM-R) TCP and UDP 445 All devices on network Outbound

Note

As part of the resolution process performed by the ATA Lightweight Gateway, the following ports need to be open inbound on devices on the network from the ATA Lightweight Gateways.

  • NTLM over RPC
  • NetBIOS
  • Using the Directory service user account, the ATA Lightweight Gateway queries endpoints in your organization for local admins using SAM-R (network logon) in order to build the lateral movement path graph. For more information, see Configure SAM-R required permissions.
  • The following ports need to be open inbound on devices on the network from the ATA Gateway:
  • NTLM over RPC (TCP Port 135) for resolution purposes
  • NetBIOS (UDP port 137) for resolution purposes

Dynamic memory

Note

When running ATA services as a virtual machine (VM) the service requires all memory be allocated to the VM, all the time.

VM running on Description
Hyper-V Ensure that Enable Dynamic Memory is not enabled for the VM.
VMWare Ensure that the amount of memory configured and the reserved memory are the same, or select the following option in the VM setting – Reserve all guest memory (All locked).
Other virtualization host Refer to the vendor supplied documentation on how to ensure that memory is fully allocated to the VM at all times.

If you run the ATA Center as a virtual machine, shut down the server before creating a new checkpoint to avoid potential database corruption.

ATA Console

Access to the ATA Console is via a browser, supporting the browsers and settings:

  • Internet Explorer version 10 and above

  • Microsoft Edge

  • Google Chrome 40 and above

  • Minimum screen width resolution of 1700 pixels

See Also