ATA Suspicious Activity Alert - Is it real or a false positive?

Hello --

We got the following ATA alert on a Windows 10 Enterprise Direct Access Enabled laptop which was doing a FAST ring build over build upgrade to Windows 10 Enterprise 10122 this morning:

X.X.X.X (ATA Management Server IP)/suspiciousActivity/376844bd2334dcaab3034733
W10LAPTOP (X.X.X.X)'s Kerberos tickets were stolen from DASERVER (X.X.X.X) to W10LAPTOP (X.X.X.X) and used to access ldap/DC.domain.local/domain.local.

Laptop is: W10LAPTOP. Windows 2012 R2 Domain Controller is DC.domain.local. Windows 2012 R2 Direct Access Server is DASERVER.

We guess this may be a false positive and want to confirm whether we need to add ATA exceptions in a Windows 2012 R2 environment with a Direct Access Server. If so, please explain exactly the exceptions needed. If not, we can provide all requested log files as needed.

Thank You

May 24th, 2015 3:21pm

Hi sipcomm,

I was wondering if you saw that the system asked you if this is a NAT device or a DirectAccess Proxy?


The ATA Team

May 25th, 2015 1:32am

This topic is archived. No further replies will be accepted.
