Microsoft Advanced Threat Analytics (ATA) is an on-premises solution that helps protect organizations by identifying multiple advanced attacks and insider threats. In my previous post, Microsoft Advanced Threat Analytics – Overview, I discussed what ATA is, how ATA works and its architecture. I also discussed capacity planning, which helps when you are deploying the ATA components in your environment. In this post I’m going to explain, step by step, how to deploy Advanced Threat Analytics in your environment according to Microsoft best practices.
I have a production environment: a single-forest, single-domain Active Directory environment with two domain controllers running Windows Server 2016. The ATA deployment scope includes an ATA Center running on a separate Windows Server 2016 server and an ATA Lightweight Gateway installed on both domain controllers.
- ATA Center – VM with Windows Server 2016
- ATA Lightweight Gateway – Domain controller 1
- ATA Lightweight Gateway – Domain controller 2
ATA Capacity Planning
Before deploying ATA in your environment, it’s better to do the capacity planning, which helps to identify the hardware configuration required for the ATA Center and any additional CPU or memory requirements for the current domain controllers where you install the lightweight gateways.
Microsoft has released the ATA Sizing tool to do this capacity planning.
Download - https://aka.ms/atasizingtool
The sizing tool collects packets-per-second information from the domain controllers, and it is recommended that you run it for at least 24 hours. The ATA Sizing tool provides a report as output in Excel format.
More Information - https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-capacity-planning
Deploying ATA Center
ATA Center is the main component of the ATA architecture. It can be deployed on a separate server or coexist with other services, according to your capacity requirements.
Download and Install ATA Center
- ATA Center can be downloaded from the Volume Licensing Portal, MSDN or TechNet Evaluation. If you already have licenses and are installing ATA in production, you need to download it from the Volume Licensing Portal. Following is the evaluation URL
- Log in to the server with administrative access
- If you are running the setup on Windows Server 2016, no prerequisites are required, but on 2012 R2 you need to install the .NET Framework 4.5.
- Double-click to run the ATA Center setup and select the language
- Click Next on the Windows Updates screen
- On the Configure the Center screen, you need to select an SSL certificate; this provides encrypted communication between the gateways and the center. If you are running a full production environment it’s better to use a public SSL certificate, or you can use a self-signed certificate. To install the ATA Center using a self-signed certificate, click Create a self-signed certificate and Install
- Installation will complete within a few minutes
Configuring and Installing ATA Gateway
- After installing the center, log in to the center by typing localhost in Internet Explorer.
- Click Provide a username and password and type a domain user name; domain user permissions will be enough. Click Test connection and Save.
- After configuring the account, you can download the gateway setup by clicking Gateway Setup. This setup contains both the standard gateway and the lightweight gateway.
- Here I’m installing the lightweight gateway, so copy the installation to a domain controller and run the setup by double-clicking.
- Standard Gateway will be grayed out, and you can only select Lightweight Gateway because you are running the setup on a domain controller.
- Select the installation path and click Install; setup will complete the installation in few
- After installation completes, log in to the ATA Center console and click Gateways. You can see the agent reporting, with the domain controller name, gateway type and service status shown in the console.
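As an added example (not part of the original post or a Microsoft tool), the following PowerShell script checks the prerequisites described above on a domain controller before running the gateway setup (it is a domain controller, and on 2012 R2 the .NET Framework 4.5 is present) and, after installation, that the gateway service is running and the ATA Center is reachable over HTTPS. It assumes the gateway service is named ATAGateway and takes the ATA Center hostname as a parameter; adjust both if your environment differs.

```powershell
# Added example, not from the original post. Assumptions: the Lightweight Gateway
# service name is "ATAGateway"; the ATA Center hostname is passed as -AtaCenter.
function Test-AtaLightweightGatewayHost {
    param(
        [Parameter(Mandatory)] [string] $AtaCenter,   # hostname or IP of the ATA Center
        [string] $GatewayServiceName = 'ATAGateway'     # assumed service name
    )

    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    $build = [int] $os.BuildNumber

    # The Lightweight Gateway can only be selected on a domain controller
    # (Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC).
    $isDc = $cs.DomainRole -ge 4

    # Windows Server 2016 (build 14393) needs no prerequisite; 2012 R2 needs
    # .NET Framework 4.5, whose NDP v4 "Release" registry value is >= 378389.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue
    $hasNet45 = ($null -ne $ndp) -and ([int] $ndp.Release -ge 378389)
    $prereqOk = ($build -ge 14393) -or $hasNet45

    # Post-install: the gateway service exists and is running.
    $svc = Get-Service -Name $GatewayServiceName -ErrorAction SilentlyContinue
    $gatewayRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Gateway-to-center traffic is SSL on 443; confirm the center is reachable.
    $centerReachable = (Test-NetConnection -ComputerName $AtaCenter -Port 443 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    [pscustomobject]@{
        ComputerName       = $cs.Name
        OSBuild            = $build
        IsDomainController = $isDc
        PrerequisitesMet   = $prereqOk
        GatewayInstalled   = ($null -ne $svc)
        GatewayRunning     = $gatewayRunning
        CenterReachable443 = $centerReachable
    }
}

# Replace ATA-CENTER-HOST with your ATA Center's name before running.
Test-AtaLightweightGatewayHost -AtaCenter 'ATA-CENTER-HOST' | Format-List
```

Run it on each domain controller before the setup to confirm prerequisites, and again afterwards to confirm the service state that the Gateways page in the console should also show.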