my personal blog about systemcenter

All posts in ATA

Thycotic's Weak Password Finder and Microsoft Advanced Threat Analytics

Categories: Active Directory, Advanced Threat Analytics, ATA, Thycotic

Thycotic has made a free tool available to check for bad passwords in Active Directory:

UNCOVER YOUR MOST VULNERABLE SECURITY GAPS: FREE WEAK PASSWORD FINDER FOR ACTIVE DIRECTORY

https://thycotic.com/solutions/free-it-tools/

If we dig into the About file:

The core functionality of this product has been inspired by Jakob Heidelberg https://www.linkedin.com/in/heidelberg and developed by Michael Grafnetter https://www.linkedin.com/in/grafnetter.

We can see where the inspiration and development came from, and thank you to Thycotic for making this tool available for free.

This is just a quick drill-through, with the detection from Advanced Threat Analytics.


Running on a member server, pointing to the DC and domain.


Using the overpowered administrator I have logged on with,


and ready to scan.


Looking through all AD objects.


And reporting time.


Something very pretty to present to security/management,


with 26 items on the to-do list to fix.


And to the point of the post: Microsoft Advanced Threat Analytics catches the non-standard replication.

When time permits, further digging in the tool. For a production environment I would always run this on a restored domain controller without network access, even though I trust the people involved in this.

MongoDB and Microsoft Advanced Threat Analytics and Secure by Default

Categories: Advanced Threat Analytics, ATA, MONGODB, Ransomware

The last few days we have seen very public attacks on unsecured MongoDB databases exposed directly to the internet:

MongoDB ransom attacks soar, body count hits 27,000 in hours

http://www.theregister.co.uk/2017/01/09/mongodb/

and the response from MongoDB:

https://www.mongodb.com/blog/post/how-to-avoid-a-malicious-attack-that-ransoms-your-data

These attacks are preventable with the extensive security protections built into MongoDB. You need to use these features correctly, and our security documentation will help you do so. Here are pointers to the relevant documentation and other useful resources:

and a reference to their security manual on how to secure MongoDB.

So I was looking at where we are using MongoDB and found our Advanced Threat Analytics install. This isn't internet connected, but an internal attack wiping the database could be bad enough, so we looked.


Localhost listener only,


and double-checked in the mongod config file.

And the only acceptable result: secure by default. Thanks Microsoft and MongoDB.
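The config-file check above, as an added example that is not from the post or from Microsoft/MongoDB: it reads the listener keys from a mongod config in either the YAML style (`net.bindIp`, `net.bindIpAll`) or the older ini style (`bind_ip`) and reports whether the daemon is restricted to loopback. The config texts in the block are constructed for the demo; the parser is deliberately minimal and only looks at the listener keys.

```python
import ipaddress

# Constructed configs: the first is what a "secure by default" install looks
# like, the second is the exposed-to-every-interface shape behind the ransom attacks.
SECURE_CFG = r"""# constructed mongod.cfg
storage:
  dbPath: D:\MongoDB\data
net:
  bindIp: 127.0.0.1
  port: 27017
"""
EXPOSED_CFG = "net:\n  bindIp: 0.0.0.0\n  port: 27017\n"


def parse_bind_ip(config_text):
    """Return (bind_ip_list or None, bind_ip_all) from a mongod config.

    Accepts YAML style ('bindIp: 127.0.0.1') and ini style ('bind_ip = 127.0.0.1').
    The separator is whichever of ':' or '=' appears first, so IPv6 values
    such as '::1' are not mistaken for the key/value boundary.
    """
    bind_ips, bind_all = None, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        seps = [i for i in (line.find(":"), line.find("=")) if i >= 0]
        if not seps:
            continue
        key, value = line[:min(seps)].strip(), line[min(seps) + 1:].strip().strip("'\"")
        if key in ("bindIp", "bind_ip"):
            bind_ips = [v.strip() for v in value.split(",") if v.strip()]
        elif key in ("bindIpAll", "bind_ip_all"):
            bind_all = value.lower() in ("true", "1", "yes")
    return bind_ips, bind_all


def _is_local(entry):
    """Loopback address, 'localhost', or a Unix socket path count as local."""
    if entry == "localhost" or entry.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(entry).is_loopback
    except ValueError:
        return False


def loopback_only(config_text):
    """True only when the listener is explicitly restricted to loopback.

    An absent bindIp is flagged as not-verified: the default differs between
    mongod releases, so the check demands an explicit setting.
    """
    bind_ips, bind_all = parse_bind_ip(config_text)
    if bind_all or not bind_ips:
        return False
    return all(_is_local(e) for e in bind_ips)
```

The file check complements, rather than replaces, looking at the live listener (the netstat view in the post): a config edit only takes effect after mongod restarts.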

Updating ATA to version 1.7

Categories: Active Directory, ATA, Security

Microsoft is keeping up the fast pace with an update to the star of their “classic” AD security solution.


So we saw version 1.7 drop yesterday.

New major features are:

· Role-based access control.

· Windows Server Core support.

· Reconnaissance using Directory Services Enumeration detection.

· Pass-the-Ticket detection enhancements.

· Unusual Protocol Implementation detection enhancements.

Link: https://support.microsoft.com/en-us/kb/3185481

Personally we are looking forward to RBAC; it's a major improvement for the majority of our customers and highly requested.


Starting the install. We are upgrading from 1.6.1; we have a few environments on 1.4 and there is NO direct upgrade to 1.7.


At upgrade we can either upgrade the whole database or do a partial migration. We opted for partial, as having ATA offline for a longer duration wasn't an option. The database is placed on SSD so it's unlikely it will take a day, but we will test that in another environment.


Success.


New UX for updating agents and an improved progress indicator.

And we now have a few new security groups.


This now means we can give auditors access to the environment without handing them the keys to the kingdom.

ATA 1.6 Unable to bind to the underlying transport, unable to access console

Categories: ATA, Microsoft Advanced Threat Analytics

On a recent Advanced Threat Analytics 1.6 install we got:

Event 15005 HTTPEVENT

Unable to bind to the underlying transport for xxx.xxx.xxx.xxx:5985. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine.  The data field contains the error number.

After a reboot we were then unable to access the web console of the ATA Center install.

Workaround for now: set World Wide Web Publishing to delayed automatic start.
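An added diagnostic for the cause named in the event text, not from the post: it compares the HTTP.sys IP Listen list with the addresses the host actually has and reports entries that no local interface carries. The `netsh` output and the local address list in the block are constructed samples; on a real server feed it the output of `netsh http show iplisten` and the addresses from `Get-NetIPAddress`.

```python
import ipaddress

# Constructed sample of `netsh http show iplisten`; 192.168.50.20 is the stale entry.
NETSH_OUTPUT = """IP addresses present in the IP listen list:
-------------------------------------------

    10.0.0.5
    192.168.50.20
"""

# Constructed list of addresses present on the host (e.g. from Get-NetIPAddress).
LOCAL_ADDRESSES = ["127.0.0.1", "::1", "10.0.0.5"]


def parse_listen_list(netsh_output):
    """Return the IP addresses in the netsh output, skipping headings and rules."""
    entries = []
    for line in netsh_output.splitlines():
        try:
            entries.append(ipaddress.ip_address(line.strip()))
        except ValueError:          # heading, dashed rule or blank line
            continue
    return entries


def stale_listen_entries(netsh_output, local_addresses):
    """Listen-list entries that match no local address.

    Wildcards (0.0.0.0 / ::) are never stale: HTTP.sys can always bind them.
    Any address returned here is a candidate for `netsh http delete iplisten`
    once you have confirmed the interface really is gone.
    """
    local = {ipaddress.ip_address(a) for a in local_addresses}
    return [
        str(entry)
        for entry in parse_listen_list(netsh_output)
        if not entry.is_unspecified and entry not in local
    ]
```

An empty listen list means HTTP.sys binds every address, so an empty result from this check is the healthy case.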

Upgrading Microsoft Advanced Threat Analytics from 1.4 to version 1.5

Categories: AD, ATA, Microsoft Advanced Threat Analytics

Our experience upgrading Microsoft ATA to version 1.5.

Following:

https://msdn.microsoft.com/en-us/library/mt612814.aspx

Follow these steps to update to ATA version 1.5:

1. Download update 1.5

2. Update the ATA Center

3. Download the updated ATA Gateway package

4. Update the ATA Gateways

We did a production upgrade of our ATA installation, and retained data to avoid relearning everything.

After the upgrade of the central ATA server we jumped into the ATA console.


Health Center says System Healthy, but a drill-down to configuration shows that all gateways are outdated, as step 4 wasn't completed.


So configuration shows all gateways need an update.


And since this is one of the first upgrades, everything is handled manually.


The update takes 30 seconds in our environment.


Gateways go into not synced, and after a few seconds they are synced correctly and we can continue with the next gateway.


And repeat four times; we had one gateway that needed a reboot.


And we now have ATA running version 1.5, ready to detect once again.

Overall a very smooth installation, and in our small environment we had less than an hour of downtime for upgrading to a newer and better install.

Personally I would love the system health to report on the main screen that gateways need an update; if this is handled by separate teams in a large org it could be helpful on the main screen.