Minimum Permissions for ATP Sensor installation

%3CLINGO-SUB%20id%3D%22lingo-sub-261425%22%20slang%3D%22en-US%22%3EMinimum%20Permissions%20for%20ATP%20Sensor%20installation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-261425%22%20slang%3D%22en-US%22%3E%3CP%3EDo%20you%20need%20to%20have%20Global%20Admin%2FSecurity%20Admin%20credentials%20during%20the%20ATP%20sensor%20install%20or%20just%20the%20key%3F%26nbsp%3B%20Want%20to%20use%20the%20minimum%20needed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWork%20space%20creation%20created%20these%20groups.%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3BAzure%20ATP%3CWORK%20space%3D%22%22%20name%3D%22%22%3E%20Administrators%3C%2FWORK%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%20%26nbsp%3B%3CSPAN%3EAzure%20ATP%3CWORK%20space%3D%22%22%20name%3D%22%22%3E%26nbsp%3B%3C%2FWORK%3E%3C%2FSPAN%3EOwners%3C%2FP%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%20%26nbsp%3BAzure%20ATP%3CWORK%20space%3D%22%22%20name%3D%22%22%3E%26nbsp%3BReaders%3C%2FWORK%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-261595%22%20slang%3D%22en-US%22%3ERe%3A%20Minimum%20Permissions%20for%20ATP%20Sensor%20installation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-261595%22%20slang%3D%22en-US%22%3EThanks%20Eli!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-261528%22%20slang%3D%22en-US%22%3ERe%3A%20Minimum%20Permissions%20for%20ATP%20Sensor%20installation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-261528%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20need%20Just%20the%20key%20to%20be%20able%20to%20connect%20to%20the%20service.%3C%2FP%3E%0A%3CP%3EFro%20the%20installation%20itself%2C%20you%20need%20to%20have%20privileges%20on%20the%20local%20machine%20to%20install%20the%20sensor.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1302925%22%20slang%3D%22en-US%22%3ERe%3A%20Minimum%20Permissions%20for%20ATP%20Sensor%20installation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1302925%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20all%20that%20ATP%20is%20gathering%20and%20doing%20on%20each%20DC%2C%20is%20it%20true%20that%20no%20user%20associated%20with%20ATP%20running%20needs%20privileges%3F%20A%20standard%20user%20would%20not%20be%20able%20to%20see%20the%20network%20traffic%2C%20read%20the%20security%20logs%2C%20or%20be%20able%20to%20run%20the%20agent%20on%20the%20DC.%20Could%20you%20explain%20the%20different%20user%20accounts%20(if%20more%20than%20one)%20that%20are%20used%20with%20ATP%20and%20what%20the%20minimum%20level%20of%20privilege%20for%20each%20is%3F%20Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1303977%22%20slang%3D%22en-US%22%3ERe%3A%20Minimum%20Permissions%20for%20ATP%20Sensor%20installation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1303977%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F619599%22%20target%3D%22_blank%22%3E%40derekmelber%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20need%20at%20least%20one%20directory%20service%20account%20with%20read%20access%20to%20all%20objects%20in%20the%20monitored%20domain.%26nbsp%3B%20This%20account%20can%20be%20an%20standard%20AD%20user%20or%20a%20Group%20Managed%20Service%20Account.%26nbsp%3B%20You%20configure%20this%20within%20the%20AATP%20portal.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fatp-prerequisites%23before-you-start%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fatp-prerequisites%23before-you-start%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20Eli%20mentioned%20for%20the%20sensor%2C%20you%20just%20need%26nbsp%3B%3CSPAN%3Eprivileges%20on%20the%20local%20machine%20to%20install%20the%20sensor.%26nbsp%3B%20There%20is%20not%20a%20second%20account%20needed%20to%20collect%20data%20with%20the%20sensor.%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1331427%22%20slang%3D%22en-US%22%3ERe%3A%20Minimum%20Permissions%20for%20ATP%20Sensor%20installation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1331427%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F619599%22%20target%3D%22_blank%22%3E%40derekmelber%3C%2FA%3E%26nbsp%3B%2C%20The%20sensor%20has%20a%20few%20components%2C%20each%20running%20under%20a%20different%20account.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20sensor%20updater%20service%20is%20running%20as%20local%20system%2C%20thus%20has%20permissions%20to%20do%20a%20lot...%3C%2FP%3E%0A%3CP%3EThe%20sensor%20itself%20is%20running%20as%20a%20local%20service%20virtual%20account%20created%20during%20deployment%2C%3CBR%20%2F%3EAnd%20since%20the%20deployment%20is%20running%20as%20admin%2C%20it%20gives%20it%20the%20permissions%20it%20needs%20locally%20to%20access%20security%20log%2C%20read%20traffic%20etc.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20domain%20credentials%20you%20are%20adding%20in%20the%20console%20UI%20are%20for%20outside%20authentications%2C%20like%20ruining%20remote%20LDAP%20queries%2C%26nbsp%3B%20%26nbsp%3BSAMR%20authentication%20to%26nbsp%3B%20endpoints%20for%20lateral%20movement%20etc%2C%20so%20low%20privileged%20account%20for%20this%20purpose%20is%20enough.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Do you need to have Global Admin/Security Admin credentials during the ATP sensor install or just the key?  Want to use the minimum needed.

 

Work space creation created these groups.

   Azure ATP<Work space Name> Administrators

   Azure ATP<Work space Name> Owners

   Azure ATP<Work space Name> Readers

 

 

Thanks

5 Replies
Highlighted

You need Just the key to be able to connect to the service.

Fro the installation itself, you need to have privileges on the local machine to install the sensor.

Highlighted
Highlighted

@Eli Ofek 

With all that ATP is gathering and doing on each DC, is it true that no user associated with ATP running needs privileges? A standard user would not be able to see the network traffic, read the security logs, or be able to run the agent on the DC. Could you explain the different user accounts (if more than one) that are used with ATP and what the minimum level of privilege for each is? Thanks!

Highlighted

@derekmelber 

You need at least one directory service account with read access to all objects in the monitored domain.  This account can be an standard AD user or a Group Managed Service Account.  You configure this within the AATP portal.

 

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites#before-you-start

 

As Eli mentioned for the sensor, you just need privileges on the local machine to install the sensor.  There is not a second account needed to collect data with the sensor.   

Highlighted

@derekmelber , The sensor has a few components, each running under a different account.

 

The sensor updater service is running as local system, thus has permissions to do a lot...

The sensor itself is running as a local service virtual account created during deployment,
And since the deployment is running as admin, it gives it the permissions it needs locally to access security log, read traffic etc.

 

The domain credentials you are adding in the console UI are for outside authentications, like ruining remote LDAP queries,   SAMR authentication to  endpoints for lateral movement etc, so low privileged account for this purpose is enough.