ATA Lightweight Gateway Planning & Config Questions....

  • Question

  • Hi All,

    I've recently deployed ATA 1.6 as a POC in our testing environment using the ATA Lightweight Gateway on only one of the DCs. Just have a few questions I don't think are clearly covered off in the doco:

    1. Is it best practice to install the ATA Lightweight Gateway on ALL DCs in the domain to be monitored?

    2. Any issues with installing the ATA Lightweight Gateway on a read-only DC?

    3. Assuming this is a no, but is it necessary to forward Windows security logs for event ID 4776 for the DC on which the ATA Lightweight Gateway service is installed? The way the doco reads (could have been the lack of coffee at the time too) it could be interpreted that the ATA LW Gateway only reads forwarded events, even if the DC is forwarding them to itself.


    • Edited by Nicoloks Monday, June 6, 2016 11:44 PM numbering
    Monday, June 6, 2016 11:43 PM

All replies

  • Ok, seems my assumption for Q3 is incorrect. Seems you do have to forward security events on the DC where the ATA LW Gateway is installed. Feedback for the doco writers, this needs to be clearly communicated in the doco. It is a reasonable assumption I think that an agent for Security Analysis software be able to read the security event log on the system which it is installed on.

    Anyway, guess just looking to find out if I should be deploying the ATA LW Gateway to all DCs? I'm assuming yes as the Windows Event Forwarding configuration is only to enhance ATA Pass-the-Hash detection. However, seeing how well my last assumption went I best double check with the experts :-) .


    Tuesday, June 7, 2016 12:32 AM
  • Hi,

    It depends on the resources of your DC. You also have the possibility to collect more than one DC into a single ATA GW... so you will have fewer resources in use.

    Regards

    Tuesday, June 7, 2016 5:29 AM
  • Ok.... but it is best practice to install the ATA LW Gateway on all DCs where you can?

    In the event you can't install the ATA LW gateway on all DCs, is the only option then to configure a standalone ATA gateway with port mirroring at the network level?

    Tuesday, June 7, 2016 11:19 PM
  • Hi,

    Right. You have these 2 options. I would recommend installing ATA GWs, and installing ATA LW only for those DCs which cannot be configured as PortMirroring, such as physical DCs. We did it this way also for the security aspect. So we can leave the DC as a DC ;)

    Regards

    Wednesday, June 8, 2016 6:10 AM