How To Uninstall Microsoft Advanced Threat Analytics Gateway From Windows Server Core? #ATA

Introduction

A while ago, I wrote a step by step guide on how to install and evaluate Microsoft Advanced Threat Analytics (ATA).

In summary, Microsoft Advanced Threat Analytics (ATA) is a security product that helps to protect an enterprise network from advanced forms of cyberattack. ATA gathers information from Windows logs and uses deep packet inspection techniques to evaluate trends in network traffic to and from domain controllers and the behavior of users, devices, and resources. This way, ATA can detect suspicious activity generated by the various phases of an attack and generate alerts that specify the type of attack that might be in progress and the systems that are involved.

You can learn more about Microsoft Advanced Threat Analytics here.

The ATA product is divided into the following components:

  • ATA Center is the focal point of the ATA product, and requires a dedicated server known as the ATA Center. This computer is the receiver of the information gathered from your domain controllers, and the place where the threat analysis occurs.

The ATA product also supports two types of gateways, as follows:

  • ATA Gateway runs on a standalone server and gathers information from domain controllers using port mirroring and event forwarding.
  • ATA Lightweight Gateway runs on a domain controller itself and gathers information locally.

Both gateway types perform many of the same functions. A standalone ATA Gateway can service multiple domain controllers and handle up to 50,000 packets per second of domain controller traffic. An ATA Lightweight Gateway, however, services only the domain controller on which it is installed and supports up to 10,000 packets per second.

Situation

To harden your domain controllers further, it's recommended to use Windows Server Core where possible.

In my environment, I have AD installed on Windows Server Core and I am leveraging the ATA Lightweight Gateway. The ATA architecture looks something like this:

[Diagram: Uninstall-ATA-ServerCore-02]

As the network started growing, I decided to move the ATA Gateway to a dedicated server instead of using the Lightweight approach.

The new ATA architecture looks something like this:

[Diagram: Uninstall-ATA-ServerCore-14]

In this scenario, I need to uninstall the ATA Lightweight Gateway service from the domain controller. And since the domain controller runs Windows Server Core, the Programs and Features applet (appwiz.cpl) is not available to uninstall the program.

Uninstall ATA Lightweight Gateway

To check the list of installed applications on Windows Server Core, you can run the following PowerShell command:

[Screenshot: Uninstall-ATA-ServerCore-06]

By default, installed applications are listed in the registry under the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Note that the Wow6432Node key holds entries registered by 32-bit installers. 64-bit installers register under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall instead, so if an application does not show up under the first path, check the second one as well.

You can open the Registry Editor on Windows Server Core by running the “regedit” or “regedt32.exe” command. In this example, we will use PowerShell instead.

Open Windows PowerShell as Administrator and run the following command:

The command shown in the screenshot below uses the Get-ChildItem cmdlet to enumerate the subkeys under that Uninstall path on the HKLM: drive (the PowerShell drive that corresponds to the HKEY_LOCAL_MACHINE registry hive). It pipes each subkey to the Get-ItemProperty cmdlet to read the registry values in a more readable form, and then pipes the results to the Where-Object cmdlet, which filters on DisplayName so that only the “Microsoft Advanced Threat Analytics Gateway” entry is displayed.

[Screenshot: Uninstall-ATA-ServerCore-09]

Note the two properties “UninstallString” and “QuietUninstallString” in the screenshot above.

To uninstall the ATA Gateway, copy the value of “UninstallString” (interactive, launches the uninstall wizard) or “QuietUninstallString” (silent, no prompts, suitable for scripting) and run it in an elevated command prompt.
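As an added example (not code from the original post), the following PowerShell puts the two steps above into functions: it queries both Uninstall keys (the Wow6432Node path above and its 64-bit counterpart) for a DisplayName, then runs the registered UninstallString or QuietUninstallString of the single matching entry. The display name “Microsoft Advanced Threat Analytics Gateway” is taken from this post; the function names, the command-line splitting and the sample calls at the bottom are this example's own assumptions.

```powershell
# Added example (not from the original post): enumerate installed applications
# from both Uninstall registry keys, then run the uninstall string of one entry.
# Only the ATA Gateway display name comes from the post; the rest is assumed.
#Requires -RunAsAdministrator

# 64-bit installers register under the first key, 32-bit ones under Wow6432Node.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledApplication {
    param([string]$DisplayName = '*')
    # Each subkey is one registered application; Get-ItemProperty reads its values.
    Get-ChildItem -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -like $DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher,
                      UninstallString, QuietUninstallString,
                      @{ n = 'RegistryKey'; e = { $_.PSPath -replace '^.*::', '' } }
}

# Split an UninstallString such as
#   "C:\ProgramData\Package Cache\{...}\Setup.exe" /uninstall
# or  MsiExec.exe /X{...}
# into executable and arguments, instead of re-parsing the whole string through
# cmd.exe or Invoke-Expression (both can mangle quoting).
function Split-CommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $line = $CommandLine.Trim()
    if ($line.StartsWith('"')) {
        $end = $line.IndexOf('"', 1)
        if ($end -lt 0) { throw "Unbalanced quote in: $line" }
        $filePath  = $line.Substring(1, $end - 1)
        $arguments = $line.Substring($end + 1).Trim()
    }
    else {
        $parts     = $line -split '\s+', 2
        $filePath  = $parts[0]
        $arguments = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    [pscustomobject]@{ FilePath = $filePath; Arguments = $arguments }
}

function Uninstall-InstalledApplication {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [switch]$Quiet   # prefer QuietUninstallString when the installer registered one
    )
    $apps = @(Get-InstalledApplication -DisplayName $DisplayName)
    if ($apps.Count -ne 1) {
        throw "Expected exactly one match for '$DisplayName', found $($apps.Count)."
    }
    $app = $apps[0]
    $cmd = if ($Quiet -and $app.QuietUninstallString) { $app.QuietUninstallString }
           else { $app.UninstallString }
    if (-not $cmd) { throw "No UninstallString registered for '$($app.DisplayName)'." }

    $parsed = Split-CommandLine -CommandLine $cmd
    if ($PSCmdlet.ShouldProcess($app.DisplayName, "Run: $cmd")) {
        $splat = @{ FilePath = $parsed.FilePath; Wait = $true; PassThru = $true }
        if ($parsed.Arguments) { $splat.ArgumentList = $parsed.Arguments }
        $proc = Start-Process @splat
        # Windows Installer convention: 0 = success, 3010 = success, reboot required.
        return $proc.ExitCode
    }
}

# Usage (assumed): list the ATA entry, then preview the uninstall with -WhatIf.
Get-InstalledApplication -DisplayName 'Microsoft Advanced Threat Analytics*' | Format-List
Uninstall-InstalledApplication -DisplayName 'Microsoft Advanced Threat Analytics Gateway' -WhatIf
```

Run it with -WhatIf first to see exactly which command would be executed; drop -WhatIf and add -Quiet for a silent uninstall without the wizard, which is what you want when repeating this across several Server Core domain controllers. An exit code of 3010 means the uninstall succeeded but a reboot is pending, which matches the reboot at the end of this post.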

In this example, I will use the interactive “UninstallString” option.

[Screenshot: Uninstall-ATA-ServerCore-10]

As you can see below, the Microsoft Advanced Threat Analytics Uninstall wizard launches. Click Uninstall.

[Screenshot: Uninstall-ATA-ServerCore-11]

Wait a couple of seconds and the ATA Gateway uninstallation will complete successfully. Click Finish and then reboot the machine.

[Screenshot: Uninstall-ATA-ServerCore-12]

Hope this helps!

Until next time…

Cheers,
-Ch@rbel

About Charbel Nemnom

Charbel Nemnom is a Microsoft Cloud Consultant and Technical Evangelist, totally fan of the latest’s IT platform solutions, accomplished hands-on technical professional with over 15 years of broad IT Infrastructure experience serving on and guiding technical teams to optimize performance of mission-critical enterprise systems. Excellent communicator adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers through demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex systems builds, network design and virtualization.
