locked
Permissions Access to ATA Console RRS feed

  • Question

  • Hello,

    I have installed ATA and added users to the local ATA Administrators Group. However, I have noticed that members of the Domain Administrators, who are not members of the ATA Administrators Group, can still access the ATA console. I have checked the other local ATA groups and their accounts are not members of these groups.

    Any ideas why this is happening and how can I prevent this ?


    Imran

    Monday, July 17, 2017 9:47 PM

Answers

  • Accounts that have admin permissions on the center machine are automatically ATA admins.

    Note that there is no real point of blocking them as being machine admins they can always add themselves to the local groups if they wanted too...

    Monday, July 17, 2017 10:21 PM
  • Hello Imran,

    On ATA Center server, any local administrator on the ATA Center is automatically a Microsoft Advanced Threat Analytics Administrator.

    Since the ATA Center server joined in the domain, the Domain Admins group is added into the local Administrators group automatically. Each domain account in the Domain Admins group can have the local administrator permissions.

    You can remove the Domain Admins from the local Administrators group, but it's not recommended to do that.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 18, 2017 5:15 AM

All replies

  • Accounts that have admin permissions on the center machine are automatically ATA admins.

    Note that there is no real point of blocking them as being machine admins they can always add themselves to the local groups if they wanted too...

    Monday, July 17, 2017 10:21 PM
  • Hello Imran,

    On ATA Center server, any local administrator on the ATA Center is automatically a Microsoft Advanced Threat Analytics Administrator.

    Since the ATA Center server joined in the domain, the Domain Admins group is added into the local Administrators group automatically. Each domain account in the Domain Admins group can have the local administrator permissions.

    You can remove the Domain Admins from the local Administrators group, but it's not recommended to do that.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 18, 2017 5:15 AM
  • Hello Andy

    Thanks for the response.

    Are there any plans in the future not to allow local administrators default access to the ATA Centre ? I would of thought that providing granular access to ATA Centre would be a more secure method than allowing by default local administrators.


    Imran

    Tuesday, July 18, 2017 10:59 PM
  • Hello Imran,

    I'm not quite sure about that. However, your feedback should be noticed here.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 19, 2017 6:27 AM
  • Hi Imran,

    Can you elaborate how not defining Local admins as ATA admins by default contribute to a more secure deployment? Local admins can always add themselves to ATA local groups being the "owners" of the machine.

    There is no way around that...

    Eli

    Wednesday, July 19, 2017 6:56 AM
  • Hello Eli,

    I realise that local admins can add them-selves to any local group. However, I think it is more secure to minimise who is a member of ATA admins, as you may not want all local admins to have access to the ATA centre console.

    I think it is more secure to have a granular approach to security access. For example, domain admins has full permissions to do perform domain wide activities but not all. They cannot extend Active Directory - you must be a member of the Enterprise Admin group do so.

    Similarly, local admins can perform local administrative tasks on the server. But I personally feel they should not have access to applications installed on the server, unless there is requirement. Local administrators should be given the option to add their account to the ATA admin group as required. To me, using this procedure is more secure than by allowing all local admins access to the ATA  Console by default.

    Hope this makes sense!


    Imran

    Wednesday, July 19, 2017 5:38 PM