
Microsoft ATA is awesome software, which Microsoft purchased from Aorato last year. The current version of ATA is 1.5. If you try to install it in a large company, you will run into heaps of issues. Some will be fixed in the next release; some will not.

Here are some tricks and things you need to be aware of.

Certificates

When you install the ATA Center, you can choose between a self-signed certificate and another certificate. When I chose a certificate issued by our Windows 2012 CA, I found I wasn’t able to start the service.

The Microsoft Advanced Threat Analytics Center service failed with the following error in the error log.

2016-03-30 23:22:07.0450 3392 5   00000000-0000-0000-0000-000000000000 Error [Utils] System.Security.Cryptography.CryptographicException: Invalid provider type specified.
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at Microsoft.Tri.Infrastructure.Utils.SecurityProvider.DecryptPrivateAsymmetric(Byte[] encryptedData, X509Certificate2 certificate)
   at Microsoft.Tri.Infrastructure.Framework.SecretManager.OnStart(
   at Microsoft.Tri.Infrastructure.Framework.Module.Start()
   at Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnStart()
   at Microsoft.Tri.Infrastructure.Framework.Module.Start()
   at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)

After consulting with Microsoft, it turned out there were two issues with my certificate.

ATA doesn’t support the newer Key Storage Provider (KSP, introduced with Windows Server 2008) for the certificate’s private key and only supports the legacy Cryptographic Service Provider (CSP, from Windows Server 2003), due to a .NET dependency. That is what the “Invalid provider type specified” exception above means: the .NET class ATA uses (RSACryptoServiceProvider, via X509Certificate2.PrivateKey) cannot open a CNG/KSP-backed key.

ATA (version 1.5) only supports certificates issued directly by a Root CA (yes, you read that right). So if you are using an issuing (subordinate) CA to generate the certificate, the only choice you have is the self-signed certificate. This issue should be fixed in the next version.
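A pre-flight check for both constraints, added here as an example; it is not from the original post or from Microsoft. It assumes Windows PowerShell 5.1 (.NET Framework 4.6 or later) on the ATA Center host, and $Thumbprint is a placeholder for the thumbprint of the certificate you intend to give the Center:

```powershell
# Added example (not from the original post or from Microsoft): report the two
# certificate properties the post says ATA 1.5 rejects, before the service ever
# tries to use the certificate.
# Assumptions: Windows PowerShell 5.1 / .NET Framework 4.6+, certificate in
# LocalMachine\My. $Thumbprint is a placeholder for your own certificate.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"

# --- 1. Key storage: legacy CSP (supported) or CNG/KSP (not supported) -----------
# On .NET Framework 4.6+ GetRSAPrivateKey returns RSACryptoServiceProvider for a
# legacy CSP key and RSACng for a CNG/KSP key. Reading the older .PrivateKey
# property on a CNG key is exactly what raises "Invalid provider type specified".
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) {
    Write-Warning "No private key is accessible for $Thumbprint (does this account have read access to the key?)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    Write-Host "OK   : private key is held by a legacy CSP ($($rsa.CspKeyContainerInfo.ProviderName))"
} else {
    Write-Host "FAIL : private key is held by a CNG key storage provider ($($rsa.GetType().Name)); ATA 1.5 cannot use it."
    Write-Host "       Re-issue from a template whose Provider Category is 'Legacy Cryptographic Service Provider'."
}

# --- 2. Issuer: must be the root CA itself, not a subordinate/issuing CA ----------
# Build the chain and count its elements: 1 = self-signed, 2 = leaf + root,
# 3 or more = at least one subordinate CA between the leaf and the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($cert)
$depth = $chain.ChainElements.Count

if ($depth -eq 1 -and $cert.Subject -ne $cert.Issuer) {
    Write-Warning "Could not build the chain: issuer '$($cert.Issuer)' is not in the trusted stores on this host"
} elseif ($depth -eq 1) {
    Write-Host "OK   : self-signed certificate (chain length 1)"
} elseif ($depth -eq 2) {
    Write-Host "OK   : issued directly by the root CA '$($cert.Issuer)'"
} else {
    Write-Host "FAIL : chain length $depth; '$($cert.Issuer)' is a subordinate CA, which ATA 1.5 rejects"
}
```

Run it as the account that will own the ATA Center service so that the private-key access check reflects what the service will actually see; a key that the installing admin can read but the service account cannot fails in the same place at start-up.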

Update 01:

The way ATA is deployed is very different from traditional software.

The best sequence for installing software is:

Install the ATA Center first. Once installed, configure the domain connectivity settings (a read-only domain account will do).

Once that is done, DO NOT configure anything else.

Jump on the ATA Gateway server, open a browser and connect to the ATA Center, log in with a domain admin account, go to the configuration page and download the gateway software.

The gateway software is downloaded as a zip file containing a JSON configuration file and an exe. The JSON is composed from the current configuration you set up in the ATA Center. There is a chance the JSON gets messed up, so the best approach is NOT to configure the gateway yet: just download it and use it as is.

Once you run the gateway installation, you will have the initial configuration of ATA and it will open the ATA Center in a browser. You can configure it now.

The service on the Gateway server may take 5 minutes to finish starting and enter the running state.
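Two small checks for the gateway steps above, added here as an example that is not from the original post or from Microsoft: inspect the downloaded package before running it, and then poll the gateway service until it is Running instead of assuming a slow start is a failure. The zip path, the names of the files inside it and the service display name ‘Microsoft Advanced Threat Analytics Gateway’ are assumptions (placeholders), not values from the post:

```powershell
# Added example (not from the original post or from Microsoft).
# (a) Test-GatewayPackage: unpack the downloaded zip and confirm it holds an
#     installer .exe and a JSON file that actually parses.
# (b) Wait-GatewayService: poll the gateway service for up to $TimeoutMinutes,
#     since the post notes it can take ~5 minutes to reach Running.
# Assumptions: $PackagePath and $ServiceDisplayName are placeholders; adjust to
# your environment. Requires PowerShell 5.0+ for Expand-Archive.
param(
    [string]$PackagePath = 'C:\Temp\ATA Gateway Setup.zip',                   # placeholder
    [string]$ServiceDisplayName = 'Microsoft Advanced Threat Analytics Gateway', # assumed name
    [int]$TimeoutMinutes = 10
)

function Test-GatewayPackage {
    param([string]$Path)
    $dest = Join-Path $env:TEMP ('ata-gw-' + [guid]::NewGuid())
    Expand-Archive -Path $Path -DestinationPath $dest -Force
    $json = @(Get-ChildItem -Path $dest -Filter *.json -Recurse)
    $exe  = @(Get-ChildItem -Path $dest -Filter *.exe  -Recurse)
    if ($exe.Count -eq 0)  { Write-Warning "No installer .exe inside $Path"; return $false }
    if ($json.Count -eq 0) { Write-Warning "No JSON configuration inside $Path"; return $false }
    try {
        # The JSON carries whatever the Center had configured at download time; if
        # it does not even parse, download the package again rather than install.
        $cfg = Get-Content -Raw -Path $json[0].FullName | ConvertFrom-Json
        $n = @($cfg.PSObject.Properties).Count
        Write-Host "Package OK: $($exe[0].Name) + $($json[0].Name) ($n top-level settings), extracted to $dest"
        return $true
    } catch {
        Write-Warning "Configuration JSON does not parse: $($_.Exception.Message)"
        return $false
    }
}

function Wait-GatewayService {
    param([string]$DisplayName, [int]$Minutes)
    $deadline = (Get-Date).AddMinutes($Minutes)
    do {
        $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') {
            Write-Host "$DisplayName is Running"
            return $true
        }
        $status = if ($svc) { $svc.Status } else { 'not installed' }
        Write-Host ("{0:HH:mm:ss} {1} status: {2}" -f (Get-Date), $DisplayName, $status)
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    Write-Warning "$DisplayName did not reach Running within $Minutes minutes; check the gateway error log"
    return $false
}

if (Test-GatewayPackage -Path $PackagePath) {
    # Run the extracted installer by hand (it is interactive), then poll the service:
    Wait-GatewayService -DisplayName $ServiceDisplayName -Minutes $TimeoutMinutes
}
```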

Update 02:

After two months of long and thorough tests with ATA 1.6, we have decided not to use ATA in our production environment. ATA is fantastic software with a 3-month development cycle, and Microsoft has invested lots of resources in it. However, of our 50 pen tests, only 50% were caught by ATA. 25% of the uncaught ones are missed by design (like pass-the-hash on a box and launching more RDP sessions with the stolen ticket from the same box) and cannot be detected. The last 25% of pen tests will be monitored in a future version (I’m talking about v2.0 or something similar).

On top of that, the current version 1.6 still can’t run in production, as PKI (Windows 2012) won’t be supported.

So let’s wait a year or two until ATA is mature enough. I will run another round of tests and post the results here.
