Kaspersky Security Center 10: Application Version: 10 Service Pack 1
Administrator's Guide
http://www.kaspersky.com
http://support.kaspersky.com
TABLE OF CONTENTS
ABOUT THIS DOCUMENT
In this document
Document conventions
SOURCES OF INFORMATION ABOUT THE APPLICATION
Sources of information for independent research
Discussing Kaspersky Lab applications on the forum
KASPERSKY SECURITY CENTER
What's new
Distribution kit
Hardware and software requirements
APPLICATION INTERFACE
Main application window
Console tree
Workspace
Set of management blocks
List of management objects
Set of information blocks
Data filtering block
Context menu
Configuring the interface
APPLICATION LICENSING
About the End User License Agreement
About the license
About key
Kaspersky Security Center licensing options
About restrictions of the main functionality
About the activation code
About the key file
KASPERSKY SECURITY CENTER QUICK START WIZARD
BASIC CONCEPTS
Administration Server
Administration Server hierarchy
Virtual Administration Server
Mobile device server
Web server
Network Agent Administration group
Administrator's workstation
Application administration plug-in
Policies, application settings, and tasks
How local application settings relate to policies
MANAGING ADMINISTRATION SERVERS
Connecting to an Administration Server and switching between Administration Servers
Access rights to Administration Server and its objects
Conditions of connection to an Administration Server via the Internet
Secure connection to Administration Server
Administration Server certificate
Administration Server authentication during client computer connection
Administration Server authentication during Administration Console connection
Disconnecting from an Administration Server
Adding an Administration Server to the console tree
Tunneling the connection between a client computer and Administration Server
Remote connection to the desktop of a client computer
Configuring the restart of a client computer
Audit of actions on a remote client computer
Checking the connection between a client computer and Administration Server
Automatic check of connection between a client computer and Administration Server
Manual check of connection between a client computer and Administration Server. Klnagchk utility
Identifying client computers on Administration Server
Adding computers to an administration group
Changing Administration Server for client computers
Remote turning on, turning off and restarting client computers
Sending a message to the users of client computers
Controlling changes in the status of virtual machines
Remote diagnostics of client computers. Kaspersky Security Center remote diagnostics utility
Connecting the remote diagnostics utility to a client computer
Enabling and disabling tracing, downloading the trace file
Downloading applications' settings
Downloading event logs
Starting diagnostics and downloading its results
Starting, stopping and restarting applications
MANAGING USER ACCOUNTS
Handling user accounts
Adding a user account
Configuring rights. User roles
Adding a user role
Assigning a role to a user or a user group
Delivering messages to users
Viewing the list of a user's mobile devices
Installing a certificate for a user
Viewing the list of certificates handed to a user
WORKING WITH REPORTS, STATISTICS, AND NOTIFICATIONS
Working with reports
Creating a report template
Creating and viewing a report
Saving a report
Creating a report delivery task
Working with the statistical information
Configuring notification settings
Event selections
Viewing computer selection
Customizing an event selection
Creating an event selection
Exporting event selection to text file
Deleting events from selection
Exporting events to an SIEM system
Computer selections
Viewing computer selection
Configuring a computer selection
Creating a computer selection
Exporting settings of a computer selection to file
Create a computer selection by using imported settings
Removing computers from administration groups in a selection
Policy selections
Task selections
ABOUT THIS DOCUMENT
Kaspersky Security Center Administrator's Guide contains an introduction, sections that describe the application
interface, settings, and maintenance, sections that describe how to manage main tasks, and a glossary.
This guide provides instructions on how to configure and use Kaspersky Security Center.
This Guide also lists sources of information about the application and ways to get technical support.
IN THIS SECTION:
In this document
Document conventions
IN THIS DOCUMENT
Kaspersky Security Center Administrator's Guide contains an introduction, sections that describe the application
interface, settings, and maintenance, sections that describe how to manage main tasks, and a glossary.
Application licensing
This section provides information about general concepts related to the application activation. This section describes the
purpose of the End User License Agreement, the ways of activating the application, and how to renew your license.
Managing devices access to an organization's network (Network Access Control, NAC) (see page 135)
This section provides information about how to control devices' access to an organization's network with access
restriction rules and the white list of devices.
Glossary
This section lists terms used in the guide.
Index
This section helps you find necessary data quickly.
DOCUMENT CONVENTIONS
Document conventions are used herein (see the table below).
Table 1. Document conventions
Note that...
    Warnings are highlighted with red color and boxed. Warnings contain information about actions that may lead to some unwanted outcome.
Example: ...
    Examples are given on a yellow background under the heading "Example".
To configure task schedule:
    Introductory phrases of instructions are italicized and accompanied by the arrow sign.
Enter help in the command line
The following message then appears:
Specify the date in dd:mm:yy format.
    The following types of text content are set off with a special font:
    text in the command line;
    text of messages displayed on the screen by the application;
    data that the user should enter from the keyboard.
<User name>
    Variables are enclosed in angle brackets. Instead of a variable, the corresponding value should be inserted, with angle brackets omitted.
SOURCES OF INFORMATION ABOUT THE APPLICATION
This section lists the sources of information about the application.
You can select the most suitable information source, depending on the issue's level of importance and urgency.
IN THIS SECTION:
Sources of information for independent research
Discussing Kaspersky Lab applications on the forum
If you cannot find the solution to an issue on your own, we recommend that you contact Technical Support at
Kaspersky Lab.
Online help
The online help of the application comprises help files.
Context help provides information about Kaspersky Security Center windows: A description of Kaspersky Security Center
settings is followed by links to descriptions of the tasks that use these settings.
Full help provides information about how to configure and use Kaspersky Security Center.
Documentation
Application documentation consists of the files of application guides.
KASPERSKY SECURITY CENTER
The section contains information on the purpose of Kaspersky Security Center, and its main features and components.
Kaspersky Security Center is designed for centralized execution of basic administration and maintenance tasks in an
organization's network. The application provides the administrator access to detailed information about the organization's
network security level; it allows configuring all the components of protection built using Kaspersky Lab applications.
Kaspersky Security Center is an application aimed at corporate network administrators and employees responsible for
anti-virus protection in organizations.
Using Kaspersky Security Center, you can:
- Create a hierarchy of Administration Servers to manage the organization's network, as well as networks at remote offices or client organizations.
  A client organization is an organization whose anti-virus protection is provided by a service provider.
- Create a hierarchy of administration groups to manage a selection of client computers as a whole.
- Manage an anti-virus protection system built based on Kaspersky Lab applications.
- Create images of operating systems and deploy them on client computers over the network, as well as perform remote installation of applications by Kaspersky Lab and other software vendors.
- Perform remote administration of applications by Kaspersky Lab and other vendors installed on client computers. Install updates, find and fix vulnerabilities.
- Perform centralized deployment of keys for Kaspersky Lab applications to client devices, monitor their use, and renew licenses.
- Receive statistics and reports about the operation of applications and devices.
- Receive notifications about critical events in the operation of Kaspersky Lab applications.
- Control access of devices to an organization's network using access restriction rules and a white list of devices.
  NAC agents are used to manage access of devices to an organization's network.
- Manage mobile devices that support Kaspersky Security for Android, Exchange ActiveSync, or iOS Mobile Device Management (iOS MDM) protocols.
- Manage encryption of information stored on the hard drives of devices and removable media and users' access to encrypted data.
- Perform inventory of hardware connected to the organization's network.
- Centrally manage files moved to Quarantine or Backup by anti-virus applications, as well as objects for which processing by anti-virus applications has been postponed.
IN THIS SECTION:
What's new
Distribution kit
Hardware and software requirements
WHAT'S NEW
Changes introduced in Kaspersky Security Center 10 compared to the previous version:
- Management of user roles has been added as a new feature (see the section "Configuring rights. User roles" on page 81).
- It is now possible to add internal users for managing virtual Administration Servers.
- It is now possible to schedule the network scan.
- Private KSN can now be configured (see the section "Setting up access to KSN" on page 156).
- Self Service Portal has been launched, letting users take over some of the mobile device management operations (see the section "Self Service Portal" on page 128).
- The feature of events export to SIEM systems has been implemented (see the section "Exporting events to an SIEM system" on page 88).
- It is now possible to change the path to the folder for saving downloaded updates and patches or updates and patches waiting to be downloaded.
- It is now possible to delete updates that have been downloaded.
- It is now possible to deliver vulnerability fixes to client computers without installing the updates.
- Administration Server updates can be managed from the application interface.
- It is now possible to select an update agent for client computers based on a network analysis.
- It is now possible to view information about the distribution of vulnerabilities across managed computers.
- It is now possible to route traffic from mobile KES devices outside the corporate network through a connection gateway in a demilitarized zone (DMZ).
- It is now possible to manage mobile devices with remote commands.
- It is now possible to set up Google Cloud Messaging to exchange push notifications between KES devices and Administration Server.
- The feature of operating system image capturing and deployment has been added (see page 107).
- The option of centralized remote installation of third-party applications has been implemented (see page 111).
- The option of centralized remote installation of updates for operating systems and applications has been implemented (see page 102).
- Windows Server Update Services feature has been integrated into Administration Server (see page 102).
- The feature of licensing restrictions control has been added; the operational scope of the applications registry has been expanded (see page 97).
- The feature of equipment registry management has been added (see page 140).
- The option of Network Access Control has been implemented for devices attempting to access the organization's network, by applying rules and a white list of devices (see page 135).
- The option of shared access to the desktop of a client computer has been added; the operational scope of the remote desktop has been expanded.
- Exchange ActiveSync Mobile Devices Server has been implemented (see page 118).
- iOS MDM Mobile Devices Server has been implemented (see page 120).
- The option of sending SMS messages to mobile devices users has been implemented (see page 80).
- The feature of centralized remote installation of applications to managed mobile devices has been implemented.
- The feature of centralized installation of certificates on managed mobile devices has been implemented.
- Support of the data encryption management feature has been added for Kaspersky Endpoint Security 10 for Windows (see page 131).
- Application Control features have been expanded, the following features have been added: static analysis of Application Control rules, creation of categories based on a set of executable files on reference computers, display of several categories for a single executable file (see page 97).
- The option of publishing selected standalone packages on a web server integrated into Administration Server has been implemented (see page 110).
- The selection of update agents is included in the set of selections generated by default.
- An information pane showing the status of update agents has been added.
- The option of filtering centralized lists of files in Quarantine and Backup and files with postponed processing has been implemented.
- The feature of management of a centralized list of users has been added (see page 80).
- The option of excluding selected subdivisions from search in Active Directory has been added.
- The option of scheduling the startup of a task on a specific day of the month has been added.
DISTRIBUTION KIT
You can purchase the application through online stores of Kaspersky Lab (for example, http://www.kaspersky.com, the
eStore section) or partner companies.
If you purchase Kaspersky Security Center in an online store, you copy the application from the store's website.
Information that is required for application activation is sent to you by email after payment.
For more details on purchase methods and the distribution kit, contact the Sales Department.
COMPONENT REQUIREMENTS
Operating system
    Microsoft Windows XP Professional with Update Package 2 or later installed;
    Microsoft Windows XP Professional x64 or later;
    Microsoft Windows Vista Business / Enterprise / Ultimate Service Pack 1 or later;
    Microsoft Windows Vista Business / Enterprise / Ultimate x64 Service Pack 1 or later;
    Microsoft Windows 7 Professional / Enterprise / Ultimate;
    Microsoft Windows 7 Professional / Enterprise / Ultimate x64;
    Microsoft Windows 8 (all editions);
    Microsoft Windows 8 x64 (all editions);
    Microsoft Windows Small Business Server 2003;
    Microsoft Windows Small Business Server 2008;
    Microsoft Windows Small Business Server 2011;
    Microsoft Windows Server 2003 or later;
    Microsoft Windows Server 2003 x64 or later;
    Microsoft Windows Server 2008;
    Microsoft Windows Server 2008 deployed in the Server Core mode;
    Microsoft Windows Server 2008 x64 Service Pack 1 or later;
    Microsoft Windows Server 2008 x64 deployed in the Server Core mode;
    Microsoft Windows Server 2008 R2;
    Microsoft Windows Server 2008 R2 deployed in the Server Core mode;
    Microsoft Windows Server 2012 (all editions);
    Microsoft Windows Server 2012 deployed in the Server Core mode.
Data Access Components
    Microsoft Data Access Components (MDAC) 2.8 or later
    Microsoft Windows DAC 6.0.
Database Management System
    Microsoft SQL Server Express 2005, Microsoft SQL Server Express 2008, Microsoft SQL Server Express 2008 R2, Microsoft SQL Server Express 2008 R2 Service Pack 2, Microsoft SQL Server Express 2012;
    Microsoft SQL Server 2005, Microsoft SQL Server 2008, Microsoft SQL Server 2008 R2, Microsoft SQL Server 2012;
    MySQL Enterprise versions 5.0.67, 5.0.77, 5.0.85, 5.087 Service Pack 1, 5.091;
    MySQL Enterprise versions 5.0.60 Service Pack 1, 5.0.70, 5.0.82 Service Pack 1, 5.0.90.
Web server
    Apache HTTP Server version 2.2.0 or later (version 2.2.23 recommended).
Table 3. Hardware requirements for Administration Server and Kaspersky Security Center Web Console
OPERATING SYSTEM CPU FREQUENCY, GHZ RAM SIZE, GB AVAILABLE DISK SPACE, GB
Administration Console
Table 4. Software requirements to Administration Console
COMPONENT REQUIREMENTS
Operating system
    Microsoft Windows (supported version of the operating system is determined by the requirements of Administration Server).
Management Console
    Microsoft Management Console 2.0 or later.
Browser
    Microsoft Internet Explorer 7.0 or later when working with Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, or Microsoft Windows Vista;
    Microsoft Internet Explorer 8.0 or later when using Microsoft Windows 7;
    Microsoft Internet Explorer 10.0 or later when using Microsoft Windows 8.
OPERATING SYSTEM CPU FREQUENCY, GHZ RAM SIZE, MB AVAILABLE DISK SPACE, GB
When using the System Administration, at least 100 GB free disk space shall be available.
COMPONENT REQUIREMENTS
Operating system
    Microsoft Windows (supported version of the operating system is determined by the requirements of Administration Server).
OPERATING SYSTEM CPU FREQUENCY, GHZ RAM SIZE, GB AVAILABLE DISK SPACE, GB
COMPONENT REQUIREMENTS
The version of the operating system supported is defined by the requirements of applications that can be managed using
Kaspersky Security Center.
OPERATING SYSTEM | CPU FREQUENCY, GHZ | RAM SIZE, GB | FREE DISK SPACE AVAILABLE FOR THE ADMINISTRATION AGENT, GB | FREE DISK SPACE AVAILABLE FOR UPDATE AGENT, GB
For concurrent installation of Network Agent and Kaspersky Endpoint Security, free disk space must be at least 2 GB.
You can retrieve details of the latest version of the hardware and software requirements from the Technical Support website,
on the page of Kaspersky Security Center 10, in the System requirements section.
APPLICATION INTERFACE
This section describes the main features of the Kaspersky Security Center interface.
Viewing, creation, modification and configuration of administration groups, and centralized management of Kaspersky
Lab applications installed on client devices are performed from the administrator's workstation. The management
interface is provided by the Administration Console component. It is a specialized stand-alone snap-in that is integrated
with Microsoft Management Console (MMC); so the Kaspersky Security Center interface is standard for MMC.
Administration Console allows remote connection to Administration Server over the Internet.
For local work with client computers, the application supports remote connection to a computer through Administration
Console by using the standard Microsoft Windows Remote Desktop Connection application.
To use this functionality, you must allow remote connection to the desktop on the client computer.
IN THIS SECTION:
Main application window
Console tree
Workspace
Data filtering block
Context menu
Configuring the interface
The appearance of the workspace of the main application window depends on which node (folder) of the console tree it
is associated with, and what functions it performs.
CONSOLE TREE
The console tree (see figure below) is designed to display the hierarchy of Administration Servers in the corporate
network, the structure of their administration groups, and other objects of the application, such as the Repositories or
Reports and notifications folders. The name space of Kaspersky Security Center can contain several nodes including
the names of servers corresponding to the installed Administration Servers included in the hierarchy.
The Administration Server <Computer name> node is a container that shows the structural organization of the selected
Administration Server. The Administration Server <Computer name> container includes the following folders:
Managed computers
User accounts
Reports and notifications
Administration Server tasks
Tasks for specific computers
Managing applications
Remote installation
WORKSPACE
Workspace is an area of the main application window of Kaspersky Security Center located on the right from the console
tree (see figure below). It contains descriptions of console tree objects and their respective functions. The content of the
workspace corresponds to the object selected from the console tree.
Figure 3. Workspace
The appearance of the workspace for various console tree objects depends on the type of data displayed. Three
appearances of the workspace exist:
set of management boxes;
list of management objects;
set of information panes.
If the console tree does not display some of the items within an object of the console tree, the workspace is divided into
tabs. Each tab corresponds to an item of the console tree (see figure below).
IN THIS SECTION:
Set of management blocks
List of management objects
Set of information blocks
The block of objects list management contains the header of the list and a set of links each of which corresponds to a list
management task.
The list of objects is displayed in a table view. The set of table columns can be changed through a context menu.
The block of selected object contains detailed information about an object and a set of links intended for running main
tasks of object management.
The block of data filtering allows you to create samples of objects from the list (see the section "Data filtering block" on
page 28).
Search field
The search field is used to search the list for the text entered in it.
Use the following regular expressions in the search field to search for text:
*. Replaces any sequence of characters.
Example:
To search for the words Server, Servers, or Server room, enter the expression Server* in the search field.
Example:
To search for the words Word or Ward, enter the expression W?rd in the search field.
Example:
To search for any numeral, enter the expression [0-9] in the search field.
To search for one of the characters a, b, c, d, e, or f, enter the expression [abcdef] in the search field.
Example:
To search for a phrase that contains the word Slave or Virtual (or both these words), enter the expression Slave Virtual
in the search field.
+, AND or &&. When a plus sign precedes a word, all search results will contain this word.
Example:
To search for a phrase that contains the word Slave and the word Virtual, enter either one of the following expressions
in the search field: +Slave+Virtual, Slave AND Virtual, Slave && Virtual.
OR or ||. When placed between two words, it indicates that one word or the other can be found in the text.
Example:
To search for a phrase that contains the word Slave or the word Virtual, enter either one of the following expressions in
the search field: Slave OR Virtual, Slave || Virtual.
-. When a minus sign precedes a word, no search results will contain this word.
Example:
To search for a phrase that must contain the word Slave and must not contain the word Virtual, enter the +Slave-Virtual
expression in the search field.
"<some text>". Text enclosed in quotation marks must be present in the text.
Example:
To search for a phrase that contains the word combination Slave Server, enter the expression "Slave Server" in the
search field.
Example:
To search for the words Word or Ward, enter the expression W?rd in the search field.
Example:
To search for the words Server, Servers, or Server room, enter the expression Server* in the search field.
The values of attributes depend on the statuses of computers (or network devices) and the severity levels of events. A
list of statuses of computers, network devices and severity levels of events (and corresponding icons as well) is shown in
the Appendix.
You can reset the filter by clicking the button that appears on the left of the button after you use the
filtering block for the first time.
Using the extended filtering block: You can expand the extended filtering block by clicking the Filter setup link.
Clicking the Filter setup link displays fields in which you can specify the filtering settings (see figure above) and
opens the Filtering settings window. In the Filtering settings window, use check boxes to specify the list
columns by which filtering should be performed. The selection of check boxes in the Filtering settings window
depends on the available list columns and may vary.
CONTEXT MENU
In the console tree of Kaspersky Security Center each object features its own context menu. In the console tree, the
standard commands of the Microsoft Management Console context menu are supplemented with commands used for
operations with the object. A list of objects and an additional set of context menu commands are included in the appendix.
In the workspace each item of an object selected in the tree also features a context menu containing the commands used to
handle the item. Basic types of items and corresponding additional sets of commands are included in the appendix.
APPLICATION LICENSING
This section provides information about general concepts related to the application licensing.
IN THIS SECTION:
About the End User License Agreement
About the license
About key
Kaspersky Security Center licensing options
About restrictions of the main functionality
About the activation code
About the key file
We recommend that you read through the terms of the End User License Agreement carefully before you start using the
application.
You can view the terms of the End User License Agreement using the following methods:
While installing Kaspersky Security Center.
By reading the document license.txt. This document is included in the application distribution kit.
You accept the terms of the End User License Agreement by confirming that you agree with the End User License
Agreement when installing the application. If you do not accept the terms of the End User License Agreement, you
should abort the application installation and renounce the use of the application.
ABOUT KEY
Key is a sequence of bits that you can apply to activate and then use the application in accordance with the terms of the
End User License Agreement. Keys are generated by Kaspersky Lab specialists.
To add a key to the application, you must enter an activation code. The key is displayed in the application interface as a
unique alphanumeric sequence after you add it to the application.
The key may be blocked by Kaspersky Lab in case the terms of the License Agreement have been violated. If the key
has been blocked, you need to add another one if you want to use the application.
A key may be active or additional.
Active key is a key used at the moment to work with the application. The application cannot use more than one active key.
Additional key is a key that verifies the use of the application but is not used at the moment. The additional key
automatically becomes active when the license associated with the current active key expires. An additional key can be
added only if an active key has already been added.
A trial license key can be added as the active key only. A trial license key cannot be added as the additional key.
System Administration
The following functions are available:
Remote installation of operating systems.
Remote installation of software updates, scanning and fixing of vulnerabilities.
Management of device access to the corporate network (Network Access Control, NAC).
Hardware components inventory.
Licensed applications group management.
Remote permission of connection to client computers through a Microsoft Windows component named
Remote Desktop Connection.
Remote connection to client computers through Windows Desktop Sharing.
Management of user roles.
The management unit for the System Administration is a client computer in the "Managed computers" group.
For a proper functioning of Systems Management, at least 100 GB free disk space must be available.
Managing applications
You cannot run the update installation task and the update removal task. All tasks that had been started before the
license expired will be completed, but the latest updates will not be installed. For example, if the critical update
installation task had been started before the license expired, only critical updates found before the license expiration will
be installed.
Launch and editing of the synchronization, vulnerability scan, and vulnerabilities database update tasks are always
available. Also, no limitations are imposed on viewing, searching, and sorting of entries on the list of vulnerabilities and
updates.
Hardware inventory
You cannot use collection of information about new devices with NAC and the Mobile devices server. Information about
computers and connected devices is still updated.
Anti-virus security
Anti-Virus uses databases that had been installed before the license expired.
To activate the application using an activation code, you must connect to the Kaspersky Lab activation servers via the
Internet. If no connection with activation servers and Internet has been established, the application is activated using a
key file (see the section "About the key file" on page 35).
The license term countdown starts from the date when you activate the application. If you have purchased a license
entitling to the use of Kaspersky Security Center on several devices, the term of the license starts counting down from
the moment you have first applied the activation code.
If you have lost or accidentally deleted your activation code after the application activation, contact the Kaspersky Lab
Technical Support Service to recover the activation code.
The license expires no later than does the key file that was used to activate the application under this license.
Key file expiry date is a specific period starting from the day when the key file is created. The application shall
be activated using the provided key before this period expires.
The key file expiry period is automatically considered to be expired when the license for the application
activated using this key file expires.
KASPERSKY SECURITY CENTER QUICK START WIZARD
This section provides information about the functionality of the Kaspersky Security Center Quick Start Wizard.
Kaspersky Security Center allows adjusting a minimum set of settings required to build a centralized management
system for anti-virus protection. This configuration is performed by using the Quick Start Wizard. While the Quick Start
Wizard is running, the following changes are made to the application:
The Wizard adds keys or codes that can be automatically distributed to computers within administration groups.
Configures interaction with Kaspersky Security Network (KSN). KSN allows retrieving information about
applications installed on managed computers in case this information can be found in Kaspersky Lab's
reputation databases. If you allowed the use of KSN, the wizard starts the KSN Proxy service that ensures
connection between KSN and client computers.
It generates settings for notification delivery by email informing of events logged in the operation of
Administration Server and managed applications (to ensure a successful notification, Messenger service should
keep running on Administration Server and all of the recipient computers).
Then the Wizard adjusts the update settings and vulnerability fixing settings of applications installed on client
computers.
Protection policies for workstations and servers are created on the top level of hierarchy of managed computers;
virus scan tasks, update tasks, and backup tasks are also created.
The Quick Start Wizard creates protection policies only for applications for which the Managed computers
folder does not contain any. The Quick Start Wizard does not create tasks if ones with the same names have
already been created for the top level in the hierarchy of managed computers.
An offer to run the Quick Start Wizard is displayed after Administration Server installation, at the first connection to it. You
can also start the Quick Start Wizard manually using the context menu of the Administration Server <Computer
name> node.
SEE ALSO:
Interaction between Administration Server and KSN Proxy service
BASIC CONCEPTS
This section explains basic concepts related to Kaspersky Security Center.
IN THIS SECTION:
Administration Server
Administration Server hierarchy
Virtual Administration Server
Mobile device server
Web server
Network Agent. Administration group
Administrator's workstation
Application administration plug-in
Policies, application settings and tasks
How local application settings relate to policies
ADMINISTRATION SERVER
Kaspersky Security Center components allow remotely managing Kaspersky Lab applications installed on client
computers.
Computers with the Administration Server component installed will be referred to as Administration Servers (hereinafter
also referred to as Servers).
Administration Server is installed on a computer as a service with the following set of attributes:
With the name "Kaspersky Security Center Administration Server"
Using automatic startup when the operating system starts.
With the Local System account or the user account selected during the installation of the Administration
Server.
The Administration Server performs the following functions:
storage of the administration groups structure;
storage of information about the configuration of client computers;
organization of storages for application distribution packages;
remote installation of applications to client devices and removal of applications;
updating of application databases and software modules of Kaspersky Lab applications;
management of policies and tasks on client computers;
storage of information about events that have occurred on client devices;
generation of reports on the operation of Kaspersky Lab applications;
deployment of keys to client devices, and storage of information about keys;
sending notifications of the progress of tasks (for example, of viruses detected on a client computer).
Each computer included in the hierarchy of administration groups can be connected to one Administration Server only.
You must control the state of connection of computers to Administration Servers. Use the features for computer search in
administration groups of different Servers based on network attributes.
The administrator of a virtual Administration Server has all privileges on this particular virtual Server.
WEB SERVER
Kaspersky Security Center Web Server (hereinafter also referred to as Web Server) is a component of Kaspersky
Security Center that is installed together with Administration Server. Web Server is designed for transfer of standalone
installation packages, iOS MDM profiles, and files from the shared folder over the network.
When you create a standalone installation package, it is automatically published on Web Server. A link for download of
the standalone package is displayed in the list of standalone installation packages. If necessary, you can cancel
publication of the standalone package or publish it on Web Server again.
When you create an iOS MDM profile for a user's mobile device, it is also automatically published on Web Server. When
the profile is published, it is automatically removed from Web Server after it is successfully installed to the user's mobile
device (for more details on how to create and install an iOS MDM profile, please refer to the Kaspersky Security Center
Implementation Guide).
The shared folder is designed as a storage area for information that is available to all users whose computers are
managed via Administration Server. If a user has no direct access to the shared folder, he or she can be given
information from that folder by means of Web Server.
To provide users with information from a shared folder by means of Web Server, the administrator must create a
subfolder named "public" in the shared folder and paste the relevant information.
The syntax of the information transfer link is as follows:
http://<Web Server name>:<HTTP port>/public/<object>
where:
<Web Server name> is the name of the Kaspersky Security Center Web Server.
<HTTP port> is an HTTP port of Web Server that has been defined by the administrator. An HTTP port can be set in
the Web Server section of the properties window of Administration Server. The default port number is 8060.
<object> is the subfolder or file to which the user will receive access.
The administrator can send the new link to the user in any convenient way, such as by email.
By clicking the link, the user can download the required information to a local computer.
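The link syntax above, as an added Python example that is not part of the original guide: it builds a link only for an object inside the "public" subfolder and parses a received link back into its parts. The server name ksc.example.local, the folder D:\KSC\Share and the function names are constructed for illustration.

```python
from pathlib import PureWindowsPath
from urllib.parse import quote, unquote, urlsplit

DEFAULT_HTTP_PORT = 8060  # default Web Server HTTP port stated in the guide

# Constructed sample values (not taken from the guide).
SERVER = "ksc.example.local"
SHARE = r"D:\KSC\Share"
GOOD = r"D:\KSC\Share\public\docs\VPN setup guide.pdf"
OUTSIDE = r"D:\KSC\Share\Packages\agent.exe"
TRAVERSAL = r"D:\KSC\Share\public\..\Packages\agent.exe"


def build_public_link(server, shared_folder, target, port=DEFAULT_HTTP_PORT):
    """Return http://<server>:<port>/public/<object> for a file or subfolder
    located inside the "public" subfolder of the shared folder.
    Raise ValueError for anything else."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port}")
    public = PureWindowsPath(shared_folder) / "public"
    path = PureWindowsPath(target)
    # PureWindowsPath does not collapse "..", so a path that starts in
    # "public" and climbs out of it must be rejected explicitly.
    if ".." in path.parts:
        raise ValueError("path must not contain '..'")
    try:
        relative = path.relative_to(public)
    except ValueError:
        raise ValueError(f"{target} is not inside {public}") from None
    if not relative.parts:
        raise ValueError("link must point to an object inside 'public'")
    # Percent-encode each path component separately (spaces, '#', '?', ...).
    obj = "/".join(quote(part, safe="") for part in relative.parts)
    return f"http://{server}:{port}/public/{obj}"


def parse_public_link(url):
    """Split a link of the documented form into (server, port, [components]).
    Raise ValueError if it does not follow http://<name>:<port>/public/<object>."""
    u = urlsplit(url)
    if u.scheme != "http" or not u.hostname or u.port is None:
        raise ValueError("expected http://<Web Server name>:<HTTP port>/...")
    segments = u.path.rstrip("/").split("/")  # ['', 'public', 'docs', ...]
    if len(segments) < 3 or segments[1] != "public":
        raise ValueError("path must start with /public/<object>")
    parts = [unquote(s) for s in segments[2:]]
    for part in parts:
        # Decoded components must be plain names, never separators or dots.
        if part in ("", ".", "..") or "/" in part or "\\" in part:
            raise ValueError(f"unsafe path component: {part!r}")
    return u.hostname, u.port, parts


if __name__ == "__main__":
    link = build_public_link(SERVER, SHARE, GOOD)
    print(link)
    print(parse_public_link(link))
    for bad in (OUTSIDE, TRAVERSAL):
        try:
            build_public_link(SERVER, SHARE, bad)
        except ValueError as err:
            print("rejected:", err)
```

The link uses plain HTTP, as in the syntax above, so anything placed in "public" should be content that is acceptable to transfer unencrypted.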
Network Agent is installed on a computer as a service with the following set of attributes:
With the name "Kaspersky Security Center Network Agent"
Set to automatically start when the operating system starts
Using the Local system account
Network Agent is installed on the computer together with a plug-in for interfacing with Cisco NAC. This plug-in is used if
the computer has Cisco Trust Agent installed. The settings for joint operation with Cisco NAC are specified in the
properties window of the Administration Server.
When integrated with Cisco NAC, Administration Server acts as a standard Posture Validation Server (PVS) policy
server, which an administrator may use to either allow or block access by a computer to the network, based upon the
anti-virus protection status.
A computer, server, or workstation on which Network Agent and managed Kaspersky Lab applications are installed will
be referred to as the Administration Server client (also, client computer or just computer).
The computers in a corporate network can be subdivided into groups arranged in a certain hierarchical structure. Such
groups are called administration groups. The hierarchy of administration groups is displayed in the console tree, in the
Administration Server node.
An administration group (hereinafter also referred to as group) is a set of client computers combined on the basis of a
certain trait for the purpose of managing the grouped computers as a single unit. All client computers within a group are
configured to:
use the same application settings (which are defined in group policies);
use a common mode of applications' operation thanks to creation of group tasks with a specified collection of
settings. For example, creating and installing a common installation package, updating the application
databases and modules, scanning the computer on demand, and ensuring real-time protection.
You can create hierarchies for Servers and groups with any degree of nesting. A single hierarchy level can include slave
and virtual Administration Servers, groups, and client computers.
ADMINISTRATOR'S WORKSTATION
Computers on which the Administration Console component is installed are referred to as administrator's workstations.
Administrators can use those computers for centralized remote management of Kaspersky Lab applications installed on
client computers.
After Administration Console is installed, its icon appears in the Start > Programs > Kaspersky Security Center
menu and can be used to start the console.
There are no restrictions on the number of administrator's workstations. From any administrator's workstation you can
manage administration groups of several Administration Servers on the network at once. You can connect an
administrator's workstation to an Administration Server (either physical, or virtual one) of any level of hierarchy.
You can include an administrator's workstation in an administration group as a client computer.
Within the administration groups of any Administration Server, the same computer can function as an Administration
Server client, an Administration Server, or an administrator's workstation.
A detailed description of task types for each Kaspersky Lab application can be found in the respective application guides.
Application settings defined for an individual client computer through the local interface or remotely through
Administration Console are referred to as local application settings.
The applications installed on client computers are configured centrally by configuring policies.
A policy is a collection of application settings that are defined for an administration group. The policy does not define all
application settings.
Several policies with different values can be defined for a single application. However, there can be only one active
policy for an application at a time.
An application can run in different ways for different groups of settings. Each group can have its own policy for an
application.
The application settings are defined by the policy settings and the task settings.
Nested groups and slave Administration Servers inherit the tasks from groups that belong to higher hierarchy levels. A
task defined for a group is performed not only on client computers included in that group, but also on client computers
included in its child groups and belonging to slave Servers on all lower hierarchy levels.
Each setting represented in a policy has a "lock" attribute. The "lock" shows whether the setting is allowed for
modification in the policies of lower hierarchy levels (for nested groups and slave Administration Servers), in task settings
and local application settings. If a parameter is "locked" in the policy, its value cannot be redefined (see the section "How
local application settings relate to policies" on page 42).
If you clear the Inherit settings from parent policy check box in the Inheritance of settings section of the General
section in the properties window of an inherited policy, the "lock" is lifted for that policy.
You can activate a disabled policy based on occurrence of a certain event. This means that you can, for example,
enforce stricter anti-virus protection settings during virus outbreaks.
You can also create a policy for mobile users.
Tasks for objects that are managed by a single Administration Server are created and configured in a centralized way.
The following types of tasks can be defined:
Group task is a task that defines settings for an application installed on computers within an administration
group.
Local task is a task for an individual computer.
Task for selection of computers is a task for an arbitrary set of computers included or not included in
administration groups.
Administration Server task is a task defined directly for an Administration Server.
A group task can be defined for a group even if a corresponding Kaspersky Lab application is installed only on certain
client computers of that group. In that case, the group task is performed only on the computers on which the application
is installed.
Tasks created for a client computer locally are only performed for this computer. When a client computer is synchronized
with the Administration Server, local tasks are added to the list of tasks created for that client computer.
Because application settings are defined by policies, task settings can redefine the settings that are not locked by the
policy. Task settings also can redefine the settings that can be configured only for a specific instance of a task. For
example, the drive name and masks of files to be scanned are configurable settings for the drive scan task.
A task can be run automatically (according to a schedule) or manually. Task results are saved locally and on the
Administration Server. The administrator can receive notifications about particular performed tasks and view detailed
reports.
Information about policies, application settings, and task settings for specific computers, as well as information about
group tasks, is saved on Administration Server and distributed to client computers during synchronization. During
synchronization, the Administration Server stores information about the local changes allowed by the policy that have
been performed on client computers. Additionally, the list of applications running on the client computer, their status, and
the existing tasks are updated.
This means that, when a task is run on a client computer, the application applies settings that have been defined in two
different ways:
By task settings and local application settings, if the setting is not locked against changes.
By the group policy, if the setting is locked against changes.
Local application settings are changed after the policy is first applied in accordance with the policy settings.
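The precedence rules described above (the "lock" attribute, inheritance down the hierarchy, task settings and local application settings), modeled in an added Python example that is not Kaspersky code. The setting names, policy names and function names are hypothetical, and the order "task settings before local settings" for unlocked settings is an assumption, since the guide does not rank the two.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Setting:
    value: object
    locked: bool = False  # the "lock" attribute of a policy setting


@dataclass
class Policy:
    name: str
    settings: dict        # setting name -> Setting
    inherit: bool = True  # "Inherit settings from parent policy" check box


def merge_policies(chain):
    """Walk policies from the top hierarchy level down to the computer's
    group. Return (merged settings, overrides rejected because of a lock)."""
    merged, rejected = {}, []
    for policy in chain:
        if not policy.inherit:
            merged = {}  # inheritance cleared: parent locks no longer apply
        for key, setting in policy.settings.items():
            parent = merged.get(key)
            if parent is not None and parent.locked:
                if setting.value != parent.value:
                    rejected.append((policy.name, key))
                continue  # a locked value cannot be redefined lower down
            merged[key] = setting
    return merged, rejected


def resolve(chain, task_settings=None, local_settings=None):
    """Return {setting name: (effective value, source)} for one computer."""
    task_settings = task_settings or {}
    local_settings = local_settings or {}
    merged, _ = merge_policies(chain)
    effective = {}
    for key in sorted(set(merged) | set(task_settings) | set(local_settings)):
        pol = merged.get(key)
        if pol is not None and pol.locked:
            effective[key] = (pol.value, "policy-locked")
        elif key in task_settings:    # assumption: task wins over local
            effective[key] = (task_settings[key], "task")
        elif key in local_settings:
            effective[key] = (local_settings[key], "local")
        else:
            effective[key] = (pol.value, "policy")
    return effective


def endpoint_controlled(chain, watch, task_settings=None, local_settings=None):
    """Watched settings that are NOT pinned by a locked policy value, that is,
    settings a task or a local change on the client can still redefine."""
    eff = resolve(chain, task_settings, local_settings)
    return sorted(k for k in watch
                  if eff.get(k, (None, "undefined"))[1] != "policy-locked")


# Constructed sample hierarchy and settings (hypothetical names).
TOP = Policy("Managed computers", {
    "real_time_protection": Setting(True, locked=True),
    "scan_archives": Setting(True),
    "heuristic_level": Setting("medium"),
})
CHILD = Policy("Workstations", {
    "real_time_protection": Setting(False),            # blocked by parent lock
    "heuristic_level": Setting("deep", locked=True),   # allowed, then locked
})
LAB = Policy("Lab", {"real_time_protection": Setting(False)}, inherit=False)
TASK = {"scan_archives": False, "heuristic_level": "light"}
LOCAL = {"real_time_protection": False, "scan_scope": "C:\\"}

if __name__ == "__main__":
    for name, (value, source) in resolve([TOP, CHILD], TASK, LOCAL).items():
        print(f"{name:22} {value!r:10} from {source}")
    print("rejected overrides:", merge_policies([TOP, CHILD])[1])
    print("not pinned:", endpoint_controlled(
        [TOP, CHILD], ["real_time_protection", "scan_archives"], TASK, LOCAL))
```

Running `endpoint_controlled` over the settings that matter for protection shows which of them still need the "lock" set at the top level of the hierarchy.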
MANAGING ADMINISTRATION SERVERS
This section provides information about how to handle Administration Servers and how to configure them.
IN THIS SECTION:
Connecting to an Administration Server and switching between Administration Servers
Access rights to Administration Server and its objects
Conditions of connection to an Administration Server via the Internet
Secure connection to Administration Server
Disconnecting from an Administration Server
Adding an Administration Server to the console tree
Removing an Administration Server from the console tree
Changing an Administration Server service account. Utility tool klsrvswch
Viewing and modifying the settings of an Administration Server
When the application is started for the first time after installation, it attempts to connect to the Administration Server that
was specified during installation of Kaspersky Security Center.
After a connection to an Administration Server is established, the folders tree of that Server is displayed in the console
tree.
If several Administration Servers have been added to the console tree, you can switch between them.
To switch to another Administration Server:
1. In the console tree, select the node with the name of the required Administration Server.
2. In the context menu of the node, select Connect to Administration Server.
3. In the Connection settings window that opens, in the Server address field specify the name of the
Administration Server to which you want to connect. You can specify an IP address or the name of a computer
on a Windows network as the name of the Administration Server. You can click the Advanced button in the
bottom part of the window to configure the connection to the Administration Server (see the following figure).
To connect to the Administration Server via a port that differs from the default one, enter a value in the Server
address field in <Administration Server name>:<Port> format.
Users who have no rights to read will be denied access to Administration Server.
In addition to users included in the KLAdmins group, administrator rights for Kaspersky Security Center are also
provided to the local administrators of computers on which Administration Server is installed.
You can exclude local administrators from the list of users who have Kaspersky Security Center administrator rights.
All operations started by the administrators of Kaspersky Security Center are performed using the rights of the
Administration Server account.
An individual KLAdmins group can be created for each Administration Server from the network; the group will have the
necessary rights for that Administration Server only.
If computers belonging to the same domain are included in the administration groups of different Administration Servers,
the domain administrator is the Kaspersky Security Center administrator for all the groups. The KLAdmins group is the
same for those administration groups; it is created during installation of the first Administration Server. All operations
initiated by a Kaspersky Security Center administrator are performed using the account rights of the Administration
Server for which these operations have been started.
After the application is installed, an administrator of Kaspersky Security Center can:
Modify the rights granted to the KLOperators groups.
Grant rights to access the functionality of Kaspersky Security Center to other user groups and individual users
who are registered on the administrator's workstation.
Assign access rights within each administration group.
The Kaspersky Security Center administrator can assign access rights to each administration group or to other objects of
Administration Server in the Security section in the properties window of the selected object.
You can track user activity by using the records of events in the Administration Server operation. These event records
are displayed in the console tree in the Events folder, in the Audit events subfolder. These events have the severity
level Info and the event types begin with "Audit".
IN THIS SECTION:
Administration Server certificate
Administration Server authentication during client computer connection
Administration Server authentication during Administration Console connection
If you install Network Agent to a client computer locally, you can select the Administration Server certificate manually.
The downloaded copy of the certificate is used to verify Administration Server rights and permissions during subsequent
connections.
During future sessions, Network Agent requests the Administration Server certificate at each connection of the client
computer to Administration Server and compares it with the local copy. If the copies do not match, the client computer is
not allowed access to Administration Server.
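The comparison described above can be modeled as a certificate pin check. The following Python sketch is an added example, not Kaspersky code: the AgentCertStore class, the to_der helper and the certificate byte strings are hypothetical, and it assumes a manually selected certificate may be supplied as PEM text while the server presents DER bytes.

```python
import hashlib
import hmac
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


class PinMismatch(Exception):
    """The presented certificate differs from the stored local copy."""


def to_der(cert):
    """Normalize PEM text or DER bytes to DER bytes, so that a manually
    selected PEM file compares equal to the DER presented on the wire."""
    if isinstance(cert, bytes) and cert.lstrip().startswith(PEM_HEADER.encode()):
        cert = cert.decode("ascii")
    if isinstance(cert, str):
        return ssl.PEM_cert_to_DER_cert(cert.strip())
    return bytes(cert)


class AgentCertStore:
    """Hypothetical model of the agent's local copy of the server certificate."""

    def __init__(self, preinstalled=None):
        # A certificate selected manually during local installation is trusted
        # from the start; otherwise the first presented certificate is stored.
        self._pinned = to_der(preinstalled) if preinstalled is not None else None
        self.source = "manual" if preinstalled is not None else None

    def check(self, presented):
        """Return "pinned" or "match"; raise PinMismatch on any other certificate."""
        der = to_der(presented)
        if self._pinned is None:
            self._pinned = der
            self.source = "first-connection"
            return "pinned"
        stored = hashlib.sha256(self._pinned).digest()
        seen = hashlib.sha256(der).digest()
        if not hmac.compare_digest(stored, seen):
            raise PinMismatch(
                f"stored {stored.hex()[:16]}..., presented {seen.hex()[:16]}..."
            )
        return "match"


def run_connections(store, presented_certs):
    """Replay a sequence of connections; a mismatch never replaces the pin."""
    outcomes = []
    for cert in presented_certs:
        try:
            outcomes.append(store.check(cert))
        except PinMismatch:
            outcomes.append("refused")
    return outcomes


# Constructed stand-ins for certificate bytes (not real X.509 certificates).
SERVER_CERT_DER = b"constructed-admin-server-certificate"
OTHER_CERT_DER = b"constructed-unexpected-certificate"
SERVER_CERT_PEM = ssl.DER_cert_to_PEM_cert(SERVER_CERT_DER)

if __name__ == "__main__":
    # Copy stored at first connection, then compared on every later connection.
    print(run_connections(AgentCertStore(),
                          [SERVER_CERT_DER, SERVER_CERT_DER, OTHER_CERT_DER]))
    # Manually selected copy: an unexpected certificate is refused immediately.
    print(run_connections(AgentCertStore(SERVER_CERT_PEM),
                          [OTHER_CERT_DER, SERVER_CERT_DER]))
```

In this model a store without a preinstalled certificate accepts whatever is presented first, which is why the manually selected certificate is the stronger starting point.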
Correct operation of Kaspersky Security Center requires that the account used to start the Administration
Server service has the rights of administrator of the resource where the Administration Server database is
hosted.
User account. The Administration Server service is started under the account of a user within the domain.
In this case the Administration Server initiates all operations by using the rights of that account.
To select the user whose account will be used to start the Administration Server service:
1. Click the Find now button and select a user in the Select "User" window that opens:
Close the Select: "User" window and click the Next button.
2. In the Account password window set a password for the selected user account, if necessary.
After the wizard completes its operations, the Administration Server account is changed.
When using an SQL server in a mode that presupposes authenticating user accounts with Microsoft Windows tools,
access to the database should be granted. The user must have the status of owner of the Kaspersky Anti-Virus
database. The dbo schema is used by default.
IN THIS SECTION:
Adjusting the general settings of Administration Server
Configuring event processing settings
Control of virus outbreaks
Limiting traffic
Configuring cooperation with Cisco Network Admission Control (NAC)
Configuring Web Server
Interaction between Administration Server and KSN Proxy service
Working with internal users
Whether the Security section is shown or hidden is determined by the user interface settings. To display this
section, go to View → Configuring interface and, in the Configuring interface window that opens, select the
Display security settings sections check box.
The Virus outbreak event is generated when Malicious object detected events are detected in the operation of
anti-virus applications. Therefore, to recognize virus outbreaks, you should save information about all Malicious
object detected events on Administration Server.
You can specify the settings of saving information about any Malicious object detected event in the policies of anti-virus
applications.
When counting Infected object detected events, only information from the client computers of the master Administration
Server is taken into account. Information from slave Administration Servers is not taken into account. For each
slave Server the Virus outbreak event settings are adjusted individually.
LIMITING TRAFFIC
To reduce traffic volumes within a network, the application provides the option to limit the speed of data transfer to an
Administration Server from specified IP ranges and IP subnets.
You can create and configure traffic limiting rules in the Traffic section of the Administration Server properties window.
The Cisco NAC section is displayed in the properties window of Administration Server if the Kaspersky Lab Cisco NAC
Posture Validation component has been installed together with Administration Server during the application installation
(for details refer to the Kaspersky Security Center Implementation Guide). Otherwise, the Cisco NAC section is not
displayed in the properties window of Administration Server.
The Internal users section is only displayed in the Administration Server properties window if the Administration Server
is virtual or contains virtual Administration Servers.
MANAGING ADMINISTRATION GROUPS
This section provides information about how to handle administration groups.
You can take the following actions on administration groups:
add any number of nested groups of any level of hierarchy to administration groups;
add client computers to administration groups;
change the hierarchy of administration groups by moving individual client computers and whole groups to other
groups;
remove nested groups and client computers from administration groups;
add slave and virtual Administration Servers to administration groups;
move client computers from the administration groups of an Administration Server to those of another Server;
define which Kaspersky Lab applications will be automatically installed on client computers included in a group.
IN THIS SECTION:
Creating administration groups
Moving administration groups
Deleting administration groups
Automatic creation of a structure of administration groups
Automatic installation of applications to computers in an administration group
The user interface settings determine whether the Administration Servers folder appears in the console tree. To display
this folder, go to View → Configure interface and, in the Configure interface window that opens, select
the Display slave Administration Servers check box.
When creating a hierarchy of administration groups, you can add client computers and virtual machines to the Managed
computers folder, as well as add nested groups. You can add slave Administration Servers to the Administration
Servers folder.
Like the Managed computers group, each created group initially contains only an empty Administration Servers
folder, which is intended for handling the slave Administration Servers of this group. Information about policies, tasks of
this group, and computers included is displayed on the corresponding tabs in the workspace of this group.
You cannot rename the Managed computers folder because it is a built-in element of Administration Console.
2. Select Paste from the context menu of the administration group to which you need to move the
selected group.
Move the group using the main application menu:
a. Select Action → Cut from the main menu.
b. Select the administration group to which you need to move the selected group, from the console tree.
c. Select Action → Paste from the main menu.
Move the group to another one in the console tree using the mouse.
Example:
Office 1
Office 2
Office 3
Three groups of the first hierarchy level will be created in the target group.
The name of the nested group must be entered with a slash mark (/).
Example:
Office 1/Division 1/Department 1/Group 1
Four subgroups nested into each other will be created in the target group.
To create several nested groups of the same hierarchy level, you must specify the "full path to the group".
Example:
Office 1/Division 1/Department 1
Office 1/Division 2/Department 1
Office 1/Division 3/Department 1
Office 1/Division 4/Department 1
One group of the first hierarchy level Office 1 will be created in the destination group; this group will include four nested
groups of the same hierarchy level: "Division 1", "Division 2", "Division 3", and "Division 4". Each of these groups will
include the "Department 1" group.
Creating a structure of administration groups using the Wizard does not violate the integrity of the network: new groups
are added, but do not replace the existing ones. A client computer cannot be included in an administration group again,
because it is removed from the Unassigned computers group after the client computer is moved to the administration
group.
If, when creating a structure of administration groups, a client computer has not been included in the Unassigned
computers group for any reason (it has been shut down or lost the network connection), it will not be automatically
moved to the administration group. You can add client computers to administration groups manually after the Wizard
finishes its operation.
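The following Python sketch is an added example, not part of the guide or of Kaspersky Security Center. It parses the text format shown in the examples above and merges the result into an existing group tree without replacing existing groups. The function names are hypothetical, and ignoring blank lines and rejecting empty group names are assumptions.

```python
def parse_group_lines(text):
    """Parse the structure file: one group path per line, levels split by '/'."""
    paths = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines are ignored
        parts = [part.strip() for part in line.split("/")]
        if any(not part for part in parts):
            # assumption: "Office 1//Group 1" or a trailing slash is an error
            raise ValueError(f"line {lineno}: empty group name in {raw!r}")
        paths.append(tuple(parts))
    return paths


def merge_into(tree, paths):
    """Add paths to a tree of nested dicts. Existing groups are kept as they are.
    Returns the full paths of the groups that were newly created."""
    created = []
    for path in paths:
        node = tree
        for depth, name in enumerate(path, start=1):
            if name not in node:
                node[name] = {}
                created.append("/".join(path[:depth]))
            node = node[name]
    return created


def render(tree, indent=0):
    """Return the tree as indented lines, one group per line."""
    lines = []
    for name, children in tree.items():
        lines.append("  " * indent + name)
        lines.extend(render(children, indent + 1))
    return lines


# The three examples from the text above.
FLAT = "Office 1\nOffice 2\nOffice 3\n"
NESTED = "Office 1/Division 1/Department 1/Group 1\n"
SAME_LEVEL = (
    "Office 1/Division 1/Department 1\n"
    "Office 1/Division 2/Department 1\n"
    "Office 1/Division 3/Department 1\n"
    "Office 1/Division 4/Department 1\n"
)

if __name__ == "__main__":
    # Constructed target group that already contains a group named "Office 1".
    target = {"Office 1": {"Existing group": {}}}
    new_groups = merge_into(target, parse_group_lines(SAME_LEVEL))
    print("\n".join(render(target)))
    print(f"{len(new_groups)} groups created; 'Existing group' is untouched")
```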
MANAGING APPLICATIONS REMOTELY
This section provides information about how to perform remote management of Kaspersky Lab applications installed on
client computers, using policies, policy profiles, tasks, and local settings of applications.
IN THIS SECTION:
Managing policies
Managing policy profiles
Managing tasks
Viewing and changing local application settings
MANAGING POLICIES
The applications installed on client computers are configured centrally through definition of policies.
Policies created for applications in an administration group are displayed in the workspace, on the Policies tab. Before
the name of each policy an icon with its status is displayed.
After a policy is deleted or revoked, the application continues working with the settings specified in the policy. Those
settings can be subsequently modified manually.
Policy enforcement is performed in the following way: if a client computer is running resident tasks (real-time protection
tasks), they keep running with the new values of the settings. Any periodic tasks (on-demand scan, update of application
databases) that have already started keep running with the values unchanged. The next time they run, they use the new
values of the settings.
If Administration Servers are structured hierarchically, slave Administration Servers receive policies from the master
Administration Server and distribute them to client computers. When inheritance is enabled, policy settings can be
modified on the master Administration Server. After that, any changes made to the policy settings are propagated to
inherited policies on slave Administration Servers.
If the connection is terminated between the master and slave Administration Servers, the policy on the slave Server
continues, using the applied settings. Policy settings modified on the master Administration Server are distributed to a
slave Administration Server after the connection is re-established.
If inheritance is disabled, policy settings can be modified on a slave Administration Server independently from the master
Administration Server.
If connection between Administration Server and a client computer is interrupted, the client computer starts running
under the policy for mobile users (if it is defined), or the policy keeps running under the applied settings until the
connection is re-established.
The results of policy distribution to the slave Administration Server are displayed in the policy properties window of the
console on the master Administration Server.
Results of propagation of policies to client computers are displayed in the policy properties window of Administration
Server to which they are connected.
IN THIS SECTION:
Creating a policy
Displaying inherited policy in a subgroup
Activating a policy
Activating a policy automatically at the Virus outbreak event
Applying an out-of-office policy
Deleting a policy
Copying a policy
CREATING POLICIES
To create a policy for administration group:
1. In the console tree, select an administration group for which you want to create a policy.
2. In the workspace for the group, select the Policies tab and click the Create a policy link to run the New Policy
Wizard.
This starts the New Policy Wizard. Follow the Wizard's instructions.
You can create several policies for one application from the group, but only one policy can be active at a time. When you
create a new active policy, the previous active policy becomes inactive.
When creating a policy, you can specify a minimum set of parameters required for the application to function properly. All
other values are set to the default values applied during the local installation of the application. You can change the
policy after it is created.
Settings of Kaspersky Lab applications changed after policies are applied are described in detail in their respective
Guides.
After the policy is created, settings that are prohibited from modification (marked with the "lock" icon) take effect on
client computers regardless of what settings had been specified for the application earlier.
As a result, inherited policies are displayed on the list of policies with a light-colored icon. When the
settings inheritance mode is enabled, inherited policies are only available for modification in the group in which they
have been created. Modification of those inherited policies is not available in the group that inherits them.
ACTIVATING A POLICY
To make a policy active for the selected group:
1. In the workspace of the group, on the Policies tab select the policy that you need to make active.
2. To activate the policy, perform one of the following actions:
From the context menu of the policy select Active policy.
In the policy properties window open the General section and select Active policy from the Policy status
settings group.
As a result, the policy becomes active for the selected administration group.
When a policy is applied to a large number of clients, both the load on the Administration Server and the network traffic
increase significantly for a period of time.
If a policy has been activated on the Virus outbreak event, the manual mode is the only way that you can use to
return to the previous policy.
DELETING A POLICY
To delete a policy:
1. In the workspace of a group, on the Policies tab select the policy that you need to delete.
2. Delete the policy using one of the following methods:
By selecting Delete from the context menu of the policy.
By clicking the Delete policy link located in the workspace, in the section intended for handling the
selected policy.
COPYING A POLICY
To copy a policy:
1. In the workspace of the required group, on the Policies tab select a policy.
2. From the context menu of the policy select Copy.
3. In the console tree, select a group to which you want to add the policy.
You can add a policy to the group, from which it was copied.
4. From the context menu of the list of policies for the selected group, on the Policies tab select Paste.
As a result, the policy will be copied with all its settings and applied to the computers within the group into which it
was copied. If you paste the policy to the same group from which it has been copied, the (<sequence number>)
index is automatically added to the name of the policy: (1), (2).
An active policy becomes inactive while it is copied. If necessary, you can make it active.
EXPORTING A POLICY
To export a policy:
1. Export a policy in one of the following ways:
By selecting All Tasks → Export from the context menu of the policy.
By clicking the Export policy to file link located in the workspace, in the section intended for handling the
selected policy.
2. In the Save as window that opens, specify the name of the policy file and the path to save it. Click the Save
button.
IMPORTING A POLICY
To import a policy:
1. In the workspace of the required group, on the Policies tab select one of the following methods of importing
policies:
By selecting All tasks → Import from the context menu of the list of policies.
Click the Import policy from file link in the management block for policy list.
2. In the window that opens, specify the path to the file from which you want to import a policy. Click the Open
button.
The policy is then displayed in the list of policies.
If a policy with the name coinciding with that of the imported policy is already included on the list of policies, the name of
the imported policy will be expanded with a suffix (<next number>), for example: (1), (2).
CONVERTING POLICIES
Kaspersky Security Center can convert policies from earlier versions of Kaspersky Lab applications into those from up-
to-date versions of the same applications.
Conversion is available for policies of the following applications:
Kaspersky Anti-Virus 6.0 for Windows Workstations MP4
Kaspersky Endpoint Security 8 for Windows
Kaspersky Endpoint Security 10 for Windows.
To convert policies:
1. From the console tree select Administration Server for which you want to convert policies.
2. From the context menu of Administration Server select All tasks → Policies and tasks conversion wizard.
This will start the Policies and Tasks Conversion Wizard. Follow the Wizard's instructions.
After the wizard finishes its operation, new policies are created, which use the settings of policies from earlier versions of
Kaspersky Lab applications.
Policy profiles are only supported for Kaspersky Endpoint Security 10 for Windows and Kaspersky Mobile Device
Management 10 Service Pack 1.
Several policy profiles can be activated simultaneously when the activation rules trigger.
Editing a policy profile is only available for policies of Kaspersky Endpoint Security 10 for Windows.
MANAGING TASKS
Kaspersky Security Center manages applications installed on client computers by creating and running tasks. Tasks are
required for installing, launching and stopping applications, scanning files, updating databases and software modules,
and taking other actions on applications.
Tasks are subdivided into the following types:
Group tasks. Tasks that are performed on the client computers of the selected administration group.
Administration Server tasks. Tasks that are performed on the Administration Server.
Tasks for specific computers. Tasks that are performed on selected computers, regardless of whether they are
included in any administration groups.
Local tasks. Tasks that are performed on an individual client computer.
An application task can only be created if the management plug-in for that application is installed on the administrator's
workstation.
You can compile a list of computers for which a task should be created, by using one of the following methods:
Select computers detected by Administration Server on the network
Specify a list of computers manually. You can use an IP address (or an IP range), NetBIOS name, or DNS
name as the computer address.
Import a list of computers from a TXT file containing the addresses of computers to be added (each address
should be placed in an individual line).
If you import a list of computers from a file or create one manually, and client computers are identified by their
names, the list should contain only computers for which information has already been added to the
Administration Server database when connecting the computers or in the course of a network poll.
For each application you can create any number of group tasks, tasks for specific computers, or local tasks.
Exchange of information about tasks between an application installed on a client computer and the Kaspersky Security
Center database is carried out at the moment Network Agent connects to Administration Server.
You can make changes to the settings of tasks, view their progress, copy, export, import, and delete them.
Tasks are launched on a client only if the application for which the task was created is running. When the application is
not running, all running tasks are canceled.
Results of tasks run are saved in the events log of Microsoft Windows and Kaspersky Security Center, both centrally
on Administration Server and locally on each client computer.
On a virtual Administration Server, only the automatic report delivery task and the installation package creation task from
reference computer OS image are available. The repository of the virtual Administration Server displays updates
downloaded to the master Administration Server. Backup of virtual Server's data is performed along with backup of
master Administration Server's data.
The Download updates to the repository, Perform Windows Update synchronization, and Backup of
Administration Server data tasks can be created only once. If the Download updates to the repository, Back up
Administration Server data, and Windows Update synchronization tasks have been already created for
Administration Server, they will not be displayed in the task type selection window of the New Task Wizard.
Manage client computer (see the section "Remote turning on, turning off and restarting client computers" on
page 74).
Verify updates (see the section "Verifying downloaded updates" on page 143);
Distribute installation package (for more information, see Kaspersky Security Center Implementation Guide).
Install application remotely on the slave Administration Servers (for more information, see Kaspersky Security
Center Implementation Guide).
Uninstall application remotely (for more information, see Kaspersky Security Center Implementation Guide).
To create a task for a set of computers:
1. In the console tree, select the Tasks for specific computers folder.
2. Start creating the task in one of the following ways:
From the context menu of the console tree folder named Tasks for specific computers select New Task.
Click the Create a task link in the workspace.
This starts the New Task Wizard. Follow the Wizard's instructions.
As a result, inherited tasks are displayed on the list of tasks with the icon. If the settings inheritance mode is
enabled, inherited tasks can only be edited in the group in which they have been created. Inherited tasks cannot be
edited in the group that inherits the tasks.
Automatic loading of the operating system is only available on computers that support the Wake On Lan feature.
EXPORTING A TASK
You can export group tasks and tasks for specific computers into a file. Administration Server tasks and local tasks are
not available for export.
To export a task:
1. Export the task using one of the following methods:
By selecting All tasks → Export from the context menu of the task.
By clicking the Export task to file link located in the workspace, in the section intended for handling the
selected policy.
2. In the Save as window that opens, specify the name of the file and the path to save it. Click the Save button.
IMPORTING A TASK
You can import group tasks and tasks for specific computers. Administration Server tasks and local tasks are not
available for import.
To import a task:
1. Select the task list to which the task should be imported:
If you want to import the task to the list of group tasks, in the workspace of the required group select the
Tasks tab.
If you want to import a task into the list of tasks for specific computers, select the Tasks for specific
computers folder from the console tree.
2. Select one of the following options to import the task:
In the context menu of the task list, select All Tasks → Import.
Click the Import task from file link in the task list management block.
3. In the window that opens, specify the path to the file from which you want to import the task. Click the Open button.
The task is then displayed in the task list.
If a task with the same name as that of the imported task is already included in the selected list, an index in (<serial
number>) format will be added to the name of the imported one, for example: (1), (2).
CONVERTING TASKS
You can use Kaspersky Security Center to convert tasks from earlier versions of Kaspersky Lab applications into those
from up-to-date versions of the applications.
Conversion is available for tasks of the following applications:
Kaspersky Anti-Virus 6.0 for Windows Workstations MP4
Kaspersky Endpoint Security 8 for Windows
Kaspersky Endpoint Security 10 for Windows.
To convert tasks:
1. In the console tree, select an Administration Server for which you want to convert tasks.
2. From the context menu of Administration Server select All tasks → Policies and tasks conversion wizard.
This will start the Policies and Tasks Conversion Wizard. Follow the Wizard's instructions.
After the wizard completes its operation, new tasks are created, which use the settings of tasks from earlier versions of
the applications.
Running group tasks from the context menu of a client computer is allowed to users included in the KLAdmins group
(see the section "Rights of access to Administration Server and its objects" on page 44).
To start or stop a task from the context menu or the properties window of the task:
1. In the list of tasks, select a task.
2. Start or stop the task in one of the following ways:
In the context menu of the task, select Start or Stop.
In the task properties window, in the General section, click Start or Stop.
To start or stop a task from the context menu or the properties window of the client computer:
1. Select a computer from the list of computers.
2. Start or stop the task in one of the following ways:
In the context menu of the client computer, select All Tasks → Run task. Select the relevant task from the
list of tasks.
The list of computers to which the task is assigned will be replaced with the computer that you have
selected. The task starts.
In the properties window of the client computer, in the Tasks section, click the or button.
You can change the values only of the settings that have not been prohibited for modification by a group policy (that is,
those settings not marked with the "lock" in a policy).
MANAGING CLIENT COMPUTERS
This section provides information about how to handle client computers.
IN THIS SECTION:
Connecting client computers to Administration Server
Connecting a client computer to Administration Server manually. Klmover utility
Tunneling the connection between a client computer and Administration Server
Remote connection to the desktop of a client computer
Configuring the restart of a client computer
Audit of actions on a remote client computer
Checking the connection between a client computer and Administration Server
Identifying client computers on Administration Server
Adding computers to an administration group
Changing Administration Server for client computers
Remote turning on, turning off and restarting client computers
Sending a message to the users of client computers
Controlling changes in the status of virtual machines
Remote diagnostics of client computers. Kaspersky Security Center remote diagnostics utility
It is recommended to establish a continuous connection with the most important client hosts, because the Administration
Server supports only a limited number (several hundred) of concurrent connections.
When synchronizing manually, the system uses an auxiliary connection method, with which connection is initiated by
Administration Server. Before establishing the connection, you should open the UDP port. Administration Server sends a
connection request to the UDP port of the client computer. In response, the Administration Server's certificate is verified.
If the Server's certificate matches the certificate copy stored on the client computer, establishment of the connection begins.
The manual launch of synchronization is also used for obtaining up-to-date information about the condition of
applications, execution of tasks, and applications' operation statistics.
To connect to the desktop of a client computer through the Remote Desktop Connection component:
1. In the administration console tree, select a client computer to which you need to obtain access.
2. In the context menu of the client computer, select All Tasks → Connect to computer → RDP.
As a result, the standard Windows utility mstsc.exe starts, which helps establish a connection to the remote desktop.
3. Follow the instructions shown in the utility's dialog boxes.
Upon establishing the connection to the client computer, the desktop is available in the remote connection window of
Microsoft Windows.
To connect to the desktop of a client computer through the Windows Desktop Sharing technology:
1. In the administration console tree, select a client computer to which you need to obtain access.
2. In the context menu of the client computer, select All Tasks → Connect to computer → Windows Desktop
Sharing.
3. In the Select remote desktop session window that opens, select the session on the client computer to which
you need to connect.
If connection to the client computer is established successfully, the desktop of the client computer will be
available in the Kaspersky Remote desktop session viewer window.
4. To start interaction with the client computer, in the main menu of the Kaspersky Remote desktop session
viewer window, select Actions → Interactive mode.
SEE ALSO:
Kaspersky Security Center licensing options
IN THIS SECTION:
Automatic check of connection between a client computer and Administration Server
Manual check of connection between a client computer and Administration Server. Klnagchk utility
When installing Network Agent on a client computer, the klnagchk utility is automatically copied to the Network Agent
installation folder.
When started from the command line, the klnagchk utility can perform the following actions (depending on the keys in use):
Displays on the screen or records into an event log file the values of the connection settings of Network Agent
installed on the client computer to Administration Server.
Records into an event log file Network Agent statistics (since its last startup) and utility operation results, or
displays the information on the screen.
Makes an attempt to establish connection between Network Agent and Administration Server.
If the connection attempt fails, the utility sends an ICMP packet to check the status of the computer on which
Administration Server is installed.
To check connection between a client computer and Administration Server using the klnagchk utility,
on the client computer, start the klnagchk utility from the command line.
Utility command line syntax:
klnagchk [-logfile <file name>] [-sp] [-savecert <path to certificate file>] [-restart]
The command-line parameters are as follows:
-logfile <file name>: record the values of the settings of connection between Network Agent and
Administration Server and the utility operation results into a log file.
By default information is saved in the standard output stream (stdout). If the key is not in use, settings, results,
and error messages are displayed on the screen.
-sp: show the password for the user's authentication on the proxy server.
The setting is in use if the connection to Administration Server is established via a proxy server.
-savecert <filename>: save the certificate used to access the Administration Server in the specified file.
-restart: restart the Network Agent after the utility has completed.
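An added example, not part of the guide: a Python check for certificate files collected from clients with klnagchk -savecert, reporting which clients hold a certificate other than the expected Administration Server certificate. It assumes the saved file is an X.509 certificate in DER or PEM encoding; the host names, function names and sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def certificate_der(raw):
    """Return the DER bytes of a certificate file that is either PEM or DER."""
    match = PEM_BLOCK.search(raw)
    if match:
        body = b"".join(match.group(1).split())
        try:
            return base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM body is not valid base64") from exc
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if len(raw) < 4 or raw[0] != 0x30:
        raise ValueError("not a DER certificate (no leading SEQUENCE tag)")
    return raw


def fingerprint(raw):
    """SHA-256 fingerprint (lowercase hex) of the certificate's DER encoding."""
    return hashlib.sha256(certificate_der(raw)).hexdigest()


def normalise(fp):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex fingerprints."""
    return fp.replace(":", "").replace(" ", "").lower()


def audit(saved, expected_fingerprint):
    """Group hosts by whether their saved certificate matches the expected one.

    saved maps a host name to the bytes of the file written by -savecert.
    """
    expected = normalise(expected_fingerprint)
    report = {"match": [], "mismatch": [], "unreadable": []}
    for host, raw in sorted(saved.items()):
        try:
            actual = fingerprint(raw)
        except ValueError:
            report["unreadable"].append(host)
            continue
        report["match" if actual == expected else "mismatch"].append(host)
    return report


# Constructed placeholder bytes, not real certificates: fingerprinting only
# needs the encoded bytes, so a 0x30-prefixed blob is enough to show the flow.
SERVER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder certificate A"
SERVER_CERT_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SERVER_CERT_DER)
    + b"-----END CERTIFICATE-----\n"
)
OTHER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder certificate B"

SAVED = {
    "ws-01": SERVER_CERT_DER,        # same certificate, DER file
    "ws-02": SERVER_CERT_PEM,        # same certificate, PEM file
    "ws-03": OTHER_CERT_DER,         # points at a different server certificate
    "ws-04": b"HTTP/1.1 407 Proxy Authentication Required",  # not a certificate
}

if __name__ == "__main__":
    expected = fingerprint(SERVER_CERT_DER)
    for status, hosts in audit(SAVED, expected).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported under mismatch are the ones to investigate: their Network Agent is set up to trust a different server certificate than the one expected.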
This will start the Add client computers wizard. Following its instructions, select a method of adding the client
computers to the group and create a list of computers to include in the group.
If you create the list of computers manually, you can use an IP address (or an IP range), a NetBIOS name, or a DNS
name as the address of a computer. You can add to the list manually only computers for which information has
already been added to the Administration Server database when connecting the computer, or after a network poll.
To import a list of computers from a file, specify a .txt file with a list of addresses of computers to be added. Each
address must be specified in a separate line.
After the wizard finishes its operation, the selected client computers are included in the administration group and
displayed in the list of computers under names generated by Administration Server.
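An added example, not part of the guide: a Python pre-import check for the .txt file described above, flagging lines that would not parse as one address each. It applies the usual syntax rules for IP addresses, DNS host names and Windows computer (NetBIOS) names, which are assumptions rather than rules stated by the guide; IP ranges are not handled because the guide does not give their syntax, and the sample file and function names are constructed.

```python
import ipaddress
import re

# Constructed sample import file (not from the guide).
SAMPLE = """\
192.0.2.15
ws-finance-01
srv01.corp.example.com
192.0.2.300
WS-FINANCE-01
10.0.0.5, 10.0.0.6

bad_host!.example.com
"""

# One DNS label: 1-63 letters, digits or hyphens, no hyphen at either end.
DNS_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Characters that are not allowed in a Windows computer (NetBIOS) name.
NETBIOS_FORBIDDEN = set('\\/:*?"<>|')


def classify(address):
    """Return 'ip', 'dns' or 'netbios', or None if the text fits none of them."""
    try:
        ipaddress.ip_address(address)
        return "ip"
    except ValueError:
        pass
    labels = address.rstrip(".").split(".")
    is_dns = (
        len(address) <= 253
        and all(DNS_LABEL.fullmatch(label) for label in labels)
        # An all-numeric last label means a malformed IP address, not a name.
        and not labels[-1].isdigit()
    )
    if "." in address:
        return "dns" if is_dns else None
    if (
        len(address) <= 15
        and not address.isdigit()
        and not set(address) & NETBIOS_FORBIDDEN
    ):
        return "netbios"
    return "dns" if is_dns else None


def lint(text):
    """Check a one-address-per-line file.

    Returns (accepted, problems): accepted is a list of
    (line number, address, kind); problems is a list of (line number, reason).
    """
    accepted, problems, seen = [], [], {}
    lines = text.lstrip("\ufeff").splitlines()  # tolerate a UTF-8 BOM
    for lineno, raw in enumerate(lines, start=1):
        address = raw.strip()
        key = address.lower()  # host names are case-insensitive
        if not address:
            problems.append((lineno, "blank line"))
        elif re.search(r"[\s,;]", address):
            problems.append((lineno, "more than one entry on the line"))
        elif (kind := classify(address)) is None:
            problems.append((lineno, "not an IP address, DNS name or NetBIOS name"))
        elif key in seen:
            problems.append((lineno, f"duplicate of line {seen[key]}"))
        else:
            seen[key] = lineno
            accepted.append((lineno, address, kind))
    return accepted, problems


if __name__ == "__main__":
    ok, bad = lint(SAMPLE)
    for lineno, address, kind in ok:
        print(f"line {lineno}: {address} ({kind})")
    for lineno, reason in bad:
        print(f"line {lineno}: REJECTED, {reason}")
```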
You can add a client computer to the selected administration group by dragging it from the Unassigned computers
folder to the administration group folder.
If Administration Server supports the feature of encryption and data protection, when you create the Change
Administration Server task, a notification is displayed stating that in case any encrypted data are stored on computers,
you will be provided access only to encrypted data that you have handled earlier, after the computers are switched under
the management of the new server. In other cases, no access to encrypted data is provided. For the detailed
descriptions of scenarios in which no access to encrypted data is provided please refer to the Kaspersky Endpoint
Security 10 for Windows Administrator's Guide.
If you need to turn on, turn off or restart computers included in various administration groups or belonging
to none of them, create a task for specific computers (see the section "Creating a task for specific
computers" on page 62).
This starts the New Task Wizard. Follow the Wizard's instructions. In the Task type window of the New Task
Wizard select the Kaspersky Security Center node, open the Advanced folder, and select the Manage client
computer task.
3. Run the created task.
After the task is complete, the selected command (turn on, turn off, or restart) will be executed on the selected client
computers.
IN THIS SECTION:
Connecting the remote diagnostics utility to a client computer
Enabling and disabling tracing, downloading the trace file
Downloading applications' settings
Downloading event logs
Starting diagnostics and downloading its results
Starting, stopping and restarting applications
Connection to a client computer is only possible under the account of the local administrator of the client
computer.
5. If you have selected Access using Administration Server in the first field of the main utility window, perform
the following actions:
In the Administration Server field specify the address of Administration Server from which you intend to
connect to the client computer.
You can use an IP address, NetBIOS or DNS name as the server address.
The default value is the address of Server from which the utility has been run.
If required, select the Use SSL, Compress traffic, and Computer belongs to slave Administration
Server check boxes.
If the Computer belongs to slave Administration Server check box is selected, you can fill in the Slave
Server field with the name of the slave Administration Server, which manages the client computer. To do
this, click the Browse button.
6. To connect to the client computer, click the Enter button.
This opens the window intended for remote diagnostics of the client computer (see fig. below). The left part of the
window contains links to operations of client computer diagnostics. The right part of the window contains the objects
tree of the client computer that the utility can handle. The bottom part of the window displays the progress of the
utility's operations.
Figure 12. Remote diagnostics utility. Window of remote diagnostics of client computer
The remote diagnostics utility saves files downloaded from client computers on the desktop of the computer from which it
has been run.
Tracing can be enabled and disabled for applications with self-defense only if the client computer is connected
using tools of Administration Server.
In some cases an anti-virus application and its task should be restarted in order to enable tracing.
3. In the node of the application for which tracing is enabled, in the Trace files folder select the required file and
download it by clicking the Download file link. For large-sized files only the most recent trace parts can be
downloaded.
You can delete the highlighted trace file. The file can be deleted after tracing is disabled.
4. Disable tracing for the selected application by clicking the Disable tracing link.
MANAGING USER ACCOUNTS
This section provides information about users' accounts and roles supported by the application. This section contains
instructions on how to create accounts and roles for users of Kaspersky Security Center. This section also contains
instructions on how to handle the list of a user's certificates and mobile devices and how to deliver messages to users.
IN THIS SECTION:
Handling user accounts
Adding a user account
Configuring rights. User roles
Delivering messages to users
Viewing the list of a user's mobile devices
Installing a certificate for a user
Viewing the list of certificates handed to a user
The User roles section is available if the Display security settings sections check box is selected in the interface
settings window (see the section "Configuring the interface" on page 30).
6. In the User roles window, select a role for the user group.
7. Click OK.
As a result, the role with a set of rights for handling Administration Server will be assigned to the user of the user group.
Roles that have been assigned are displayed on the Roles tab in the Security section of the Administration Server
properties window.
The Security section is available if the Display sections with security settings check box is selected in the interface
settings window (see the section "Configuring the interface" on page 30).
WORKING WITH REPORTS, STATISTICS,
AND NOTIFICATIONS
This section provides information about how to handle reports, statistics, and selections of events and client computers in
Kaspersky Security Center, as well as how to configure Administration Server notifications.
IN THIS SECTION:
Working with reports
Working with the statistical information
Configuring notification settings
Event selections
Exporting events to an SIEM system
Computer selections
Policy selections
Task selections
IN THIS SECTION:
Creating a report template
Creating and viewing a report
Saving a report
Creating a report delivery task
After the Wizard finishes its operation, the newly created report template is added to the Reports and notifications
folder of the console tree. You can use this template for generating and viewing reports.
SAVING A REPORT
To save a created report:
1. In the console tree open the Reports and notifications folder in which report templates are listed.
2. Select the required report template from the console tree or from the workspace on the Reports tab.
3. From the context menu of the selected report template select Save.
The Report Saving Wizard starts. Follow the Wizard's instructions.
After the Wizard finishes its operation, the folder opens into which you have saved the report file.
The report delivery task is created automatically if email settings have been specified during the Kaspersky Security
Center installation.
located in the top right corner of the Statistics tab. Configuring the contents of the Statistics tab: adding
and removing statistics pages, their location.
located on the right from the page name. Configure the statistics page.
located on the right from the information pane name. Configure the information pane.
located on the right from the information pane name. Minimize the information pane.
located on the right from the information pane name. Maximize the information pane.
located in the top right corner of the Statistics tab. Print the current statistics page.
Notification via the messaging service is only available for Windows 5.X operating systems (Windows 2000, Windows
XP, Windows Server 2003).
SMS. When an event occurs, the application sends a notification to the phone numbers specified. You can
configure SMS notifications to be sent via the mail gateway or by means of the SMS Broadcasting utility.
Executable file. When an event occurs on a client computer, the executable file is launched on the
administrator's workstation. The administrator can receive the parameters of the event that has occurred by
means of the executable file.
To configure notification of events occurring on client devices:
1. Open the properties window of the Reports and notifications folder of the console tree in one of the following
ways:
Select Properties from the context menu of the Reports and notifications folder of the console tree.
In the workspace of the Reports and notifications folder, on the Notifications tab open the window by
clicking the Modify notification delivery settings link.
2. In the Notification section in the properties window of the Reports and notifications folder, select the
notification method and configure notification settings.
As a result, the re-adjusted notification settings are applied to all events occurring on client devices.
You can configure the notification of an event in the properties window of that event. You can obtain quick access to the
settings of events by clicking the Configure Kaspersky Endpoint Security events and Modify Administration Server
event settings links.
SEE ALSO:
Configuring event processing settings
EVENT SELECTIONS
Information on the events in Kaspersky Security Center operation is saved both in the Microsoft Windows system log and
in the Kaspersky Security Center event log. You can view information from the Kaspersky Security Center event log in
the Reports and notifications folder of the console tree, the Events subfolder.
The information in the Events folder is represented in selections. Each selection includes events that meet specified
conditions. After application installation, the folder contains some standard selections. You can create additional event
selections or export event information to file.
IN THIS SECTION:
Viewing an event selection
Customizing an event selection
Creating an event selection
Exporting event selection to text file
Deleting events from selection
4. In the SIEM system dropdown list, select the system to which you need to export events.
Events can be exported to SIEM systems, such as QRadar and ArcSight. By default, the ArcSight system is
selected.
5. Specify the address of an SIEM system server and a port for connection to that server in the corresponding
fields.
Clicking the Export archive button causes the application to export newly created events to the database of
the SIEM system starting from the specified date. By default, the application exports events starting from the
current date.
6. Click OK.
As a result, after you select the Automatically export events to SIEM system database check box and configure
connection with the server, the application will automatically export all events to the SIEM system when they are
registered in the operation of Administration Server and other Kaspersky Lab applications.
COMPUTER SELECTIONS
Information about the statuses of client computers is available in the Reports and notifications folder of the console
tree, in the Computer selections subfolder.
In the Computer selections folder the data is represented as a set of selections, each of which displays information
about computers matching the specified conditions. After application installation, the folder contains some standard
selections. You can create additional computer selections, export selection settings to file or create selections with
settings imported from another file.
IN THIS SECTION:
Viewing computer selection
Configuring a computer selection
Creating a computer selection
Exporting settings of a computer selection to file
Create a computer selection by using imported settings
Removing computers from administration groups in a selection
If a selection named New selection already exists in the Computer selections folder, an index in (<serial number>)
format is added to the name of the selection being created, for example: (1), (2).
POLICY SELECTIONS
Information about policies is available in the Reports and notifications folder of the console tree, in the Policy
selections subfolder.
The Policy selections folder displays a list of policies that have been created in administration groups. After the
application installation, the folder contains a list of policies that have been created automatically. You can update the list
and view the properties of any policy selected from the list.
TASK SELECTIONS
Information about tasks is available in the Reports and notifications folder of the console tree, in the Task selections
subfolder.
The Task selections folder displays a list of tasks that have been assigned to client computers in administration groups
and to Administration Server. After the application installation, the folder contains a list of tasks that have been created
automatically. You can update the list and view the properties of tasks, as well as run and stop tasks.
UNASSIGNED COMPUTERS
This section provides information about how to manage computers on an enterprise network if they are not included in an
administration group.
Information about computers within a corporate network that are not included in administration groups can be found in
the Unassigned computers folder. The Unassigned computers folder contains three subfolders: Domains, IP
subnets, and Active Directory.
The Unassigned computers folder of the virtual Administration Server does not contain the IP subnets folder. Client
computers found while polling IP subnets on the virtual Administration Server are displayed in the Domains folder.
The Domains folder contains the hierarchy of subfolders that show the structure of domains and workgroups in the
Windows network of the organization that were not included in the administration groups. Each subfolder of the Domains
folder at the lowest level contains a list of computers of the domain or of the workgroup. If you add a computer to an
administration group, the information on it is deleted from the Domains folder. If you remove a computer from the
administration group, the information on it is displayed in the Domains folder, in the domain subfolder or in the
workgroup of this computer.
The Active Directory folder displays computers reflecting the Active Directory groups structure.
The IP subnets folder displays computers reflecting the structure of IP subnetworks created within the corporate
network. You can change the IP subnets folder structure by creating and modifying the settings of existing IP subnets.
IN THIS SECTION:
Network discovery
Working with Windows domains. Viewing and changing the domain settings
Working with IP subnets
Working with the Active Directory groups. Viewing and modifying group settings
Creating rules for moving computers to administration groups automatically
Using VDI dynamic mode on client computers
NETWORK DISCOVERY
Information about the structure of the network and computers on this network is received by the Administration Server
through regular polling of the Windows network, IP subnets, and Active Directory within the corporate computer network.
The content of the Unassigned computers folder will be updated based on the results of this polling.
The Administration Server can use the following types of network scanning:
Windows network polling. There are two types of Windows network polls: quick and full. During a quick poll,
only information on hosts in the list of NetBIOS names of all network domains and workgroups is collected.
During a full poll, the following information is requested from each client computer: operating system name, IP
address, DNS name, and NetBIOS name.
IP subnets polling. The Administration Server will poll the specified IP subnets by using ICMP packets, and
collect a complete set of data on hosts within the IP subnets.
Active Directory groups polling. The information on the Active Directory unit structure and DNS names of the
computers from the Active Directory is recorded into the Administration Server database.
Kaspersky Security Center uses the collected information and the data on corporate network structure to update the
contents of the Unassigned computers and Managed computers folders. If the computers in the corporate network
are configured to be moved to administration groups automatically, the discovered computers are included in the
administration groups.
IN THIS SECTION:
Viewing and modifying the settings for Windows network polling
Viewing and modifying Active Directory group properties
Viewing and modifying the settings for IP subnet polling
On the virtual Administration Server you can view and edit the polling settings of the Windows network in the properties
window of the update agent, in the Network poll section.
On the virtual Administration Server you can view and edit the settings of polling Active Directory groups in the properties
window of the update agent, in the Network poll section.
You can also change the settings of IP subnets polling in the workspace of the Unassigned computers folder by using
the Edit polling settings link in the IP subnets polling block.
On the virtual Administration Server you can view and edit the settings of polling IP subnets in the properties window of
the update agent, in the Network poll section. Client computers found during the polling of IP subnets are displayed in
the Domains folder of the virtual Administration Server.
IN THIS SECTION:
Creating an IP subnet
Viewing and changing the IP subnet settings
CREATING AN IP SUBNET
To create an IP subnet:
1. In the console tree, select the Unassigned computers folder, the IP subnets subfolder.
2. From the context menu of the folder, select New → IP subnet.
3. In the New IP subnet window that opens, customize the new IP subnet.
As a result, the new IP subnet appears in the IP subnets folder.
IN THIS SECTION:
Enabling VDI dynamic mode in the properties of an installation package for Network Agent
Searching for computers making part of VDI
Moving computers making part of VDI to an administration group
MANAGING APPLICATIONS ON CLIENT
COMPUTERS
Kaspersky Security Center allows you to manage applications by Kaspersky Lab and other vendors installed on client
computers.
The administrator can perform the following actions:
Create categories of applications based on specified criteria
Manage categories of applications using dedicated rules
Manage applications startup on client computers
Perform inventories and maintain a registry of software installed on client computers
Fix vulnerabilities in software installed on client computers
Install updates from Windows Update and other software vendors to client computers
Monitor the use of keys for groups of licensed applications.
IN THIS SECTION:
Groups of applications
Application vulnerabilities
Software updates
GROUPS OF APPLICATIONS
This section describes how to handle groups of applications installed on client computers.
IN THIS SECTION:
Creating application categories
Configuring applications launch management on client computers
Viewing the results of statistical analysis of startup rules applied to executable files
Viewing the applications registry
Creating groups of licensed applications
Managing keys for groups of licensed applications
Viewing information about executable files
Gathering of information about installed applications is available only for computers running on Microsoft Windows.
APPLICATION VULNERABILITIES
The Software vulnerabilities folder included in the Application management folder contains a list of vulnerabilities in
applications that have been detected on client computers by the Network Agent installed on them.
Analysis of information about vulnerabilities in applications is available only for computers running
Microsoft Windows operating systems.
By opening the properties window of a selected application in the Software vulnerabilities folder, you can obtain
general information about a vulnerability, about the application where it has been detected, view the list of computers on
which the vulnerability has been found, and information about the fixing of this vulnerability.
The properties window of the vulnerability opens, displaying the following information:
Application in which the vulnerability has been detected
List of computers on which the vulnerability has been detected
Information on whether the vulnerability has been fixed.
To view the report on all detected vulnerabilities,
click the View report on software vulnerabilities link in the Software vulnerabilities folder.
A report on vulnerabilities in applications installed on client computers will be generated. You can view the report in
the Reports and notifications folder.
SOFTWARE UPDATES
Kaspersky Security Center allows managing updates of software installed on client computers, and fixing vulnerabilities
in Microsoft applications and other vendors' products through installation of required updates.
Kaspersky Security Center searches for updates through the update search task and downloads them to the updates
storage. After completing the search of updates, the application provides the administrator with information about
available updates and vulnerabilities in applications that can be fixed using those updates.
Information about available updates for Microsoft Windows is provided by Windows Update service. Administration
Server can be used as Windows Update server (WSUS). To use Administration Server as Windows Update server, you
should configure synchronization of updates with Windows Update. After you have configured data synchronization with
Windows Update, Administration Server provides updates to Windows Update services on client computers in
centralized mode and with the set frequency.
You can also manage software updates through a Network Agent policy. To do this, you should create a Network Agent
policy and configure software updating in the corresponding windows of the New Policy Wizard.
The administrator can view a list of available updates in the Software updates subfolder included in the Application
management folder. This folder contains a list of updates for Microsoft applications and other vendors' products
retrieved by Administration Server that can be distributed to client computers. After viewing information about available
updates, the administrator can install them to client computers.
Before installing the updates on all of the client computers, you can perform a test installation to make sure that the
installed updates do not disrupt the operation of applications on the client computers.
IN THIS SECTION:
Viewing information about available updates
Synchronizing updates from Windows Update with Administration Server
Automatic installation of updates on client computers
Installing updates on client computers manually
Configuring application updates in a Network Agent policy
You can also create the Windows Update synchronization task in the Administration Server tasks folder by clicking the
Create a task link.
Upgrading to a new version of an application may cause dependent applications on client computers to malfunction.
In the settings of the updates installation task you can configure a test installation of updates.
To configure a test installation of updates:
1. In the console tree select the Installing application updates and fixing vulnerabilities task in the Managed
computers folder, on the Tasks tab.
2. Select Properties from the context menu of the task.
The properties window of the Installing application updates and fix vulnerabilities task opens.
3. In the properties window of the task, in the Test installation section select one of the available options for test
installation:
Do not scan. Select this option if you do not want to perform a test installation of updates.
Perform scan on selected computers. Select this option if you want to test updates installation on
selected computers. Click the Add button and select computers on which you want to perform a test
installation of updates.
Perform scan on computers in the specified group. Select this option if you want to test updates
installation on a group of computers. In the Specify a test group field specify a group of computers on
which you want to perform a test installation.
Install on the specified percentage of computers. Select this option if you want to test updates installation
on some portion of target computers. In the Percentage of test computers from all target computers field
specify the percentage of computers on which you want to perform a test installation of updates.
4. Upon selecting any of the options but the first one, in the Time to take the decision if the installation is to be
continued field specify the number of hours that should elapse from the test installation of updates until the
start of installation of the updates to all the target computers.
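The test installation options above can be previewed before they are set in the task. The following sketch is an added example, not Kaspersky code: it models which target computers a given option would cover and the earliest moment the installation on all target computers would start. The mode names, the hash-based choice of the percentage cohort, the rounding up, and the host names are assumptions made for illustration; the product's own selection logic is not described on this page.

```python
import hashlib
from datetime import datetime, timedelta


def pilot_computers(targets, mode, selected=(), group_members=(), percent=0):
    """Return the sorted target computers that would get the test installation.

    mode is one of "none", "selected", "group", "percentage" (hypothetical
    names for the four options of the Test installation section).
    percent must be a whole number.
    """
    targets = set(targets)
    if mode == "none":                      # no test installation
        return []
    if mode == "selected":                  # only computers that are also task targets
        return sorted(targets & set(selected))
    if mode == "group":
        return sorted(targets & set(group_members))
    if mode == "percentage":
        if not 0 < percent <= 100:
            raise ValueError("percent must be greater than 0 and at most 100")
        # Round up so that a small percentage never yields an empty cohort.
        count = (len(targets) * percent + 99) // 100
        # Assumption: a stable pseudo-random order derived from the host name,
        # so that repeated previews give the same cohort.
        ranked = sorted(targets, key=lambda name: hashlib.sha256(name.encode()).hexdigest())
        return sorted(ranked[:count])
    raise ValueError(f"unknown mode: {mode!r}")


def preview_rollout(targets, mode, pilot_start, decision_hours, **options):
    """Summarize the pilot cohort, the remaining targets and the full start time."""
    pilot = pilot_computers(targets, mode, **options)
    remaining = sorted(set(targets) - set(pilot))
    warnings = []
    if mode != "none" and not pilot:
        warnings.append("test cohort is empty: no update is tested before the full installation")
    if pilot and not remaining:
        warnings.append("test cohort covers every target: nothing is held back")
    if pilot and decision_hours <= 0:
        warnings.append("no time is left to take the decision after the test installation")
    # Without a test cohort there is nothing to wait for.
    full_start = pilot_start + timedelta(hours=decision_hours) if pilot else pilot_start
    return {"pilot": pilot, "remaining": remaining,
            "full_start": full_start, "warnings": warnings}


# Constructed sample data: ten target workstations and a task start time.
TARGETS = [f"ws-{n:02d}" for n in range(1, 11)]
START = datetime(2015, 1, 12, 9, 0)

if __name__ == "__main__":
    for mode, options in [("percentage", {"percent": 5}),
                          ("selected", {"selected": ["ws-03", "laptop-99"]}),
                          ("group", {"group_members": []})]:
        print(mode, preview_rollout(TARGETS, mode, START, 24, **options))
```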
4. In the Software updates and vulnerabilities window of the Wizard, in the Windows Update search mode
section select one of the following options:
Active. Administration Server with support from Network Agent initiates a request from Windows Update on
a client computer to an update source: Windows Update Servers or WSUS. After that, Network Agent
passes information received from Windows Update to Administration Server.
Passive. If you select this option, Network Agent periodically passes Administration Server information
from Windows Update about updates retrieved at the last synchronization of Windows Update with the
update source. If no synchronization of Windows Update with an update source is performed, information
about updates on Administration Server becomes out-of-date.
Disabled. Administration Server collects no information about updates.
The newly created policy is displayed in the Managed computers folder, on the Policies tab.
If a Network Agent policy has already been created, perform the following actions:
1. In the Managed computers folder, on the Policies tab select a Network Agent policy.
2. In the context menu of the policy, select Properties. Open the properties window of the Network Agent policy.
3. In the properties window of the Network Agent policy configure Windows Update in the Software updates and
vulnerabilities section.
REMOTE INSTALLATION OF OPERATING
SYSTEMS AND APPLICATIONS
Kaspersky Security Center allows creating images of operating systems and deploying them on client computers over
the network, as well as performing remote installation of applications by Kaspersky Lab and other vendors.
To create images of operating systems, the Windows Automated Installation Kit (WAIK) tool package should be installed on
Administration Server.
The functionality of operating system image capturing has the following features:
An operating system image cannot be captured on a computer on which Administration Server is installed.
While capturing an operating system image, a utility named sysprep.exe resets the settings of the reference
computer. If you need to restore the settings of the reference computer, you should select the Save computer
backup copy check box in the Operating System Image Creation Wizard.
The image capturing process provides for a restart of the reference computer.
Adding the client computer to WinPE environment may require configuration of the set of drivers for WinPE.
The administrator can add required drivers to the installation package with the operating system image and
specify a configuration file with the operating system settings (answer file) that should apply during installation.
Deploying images of operating systems on computers where another operating system has already
been installed
Deployment of images of operating systems on client computers where another operating system has already been
installed is performed through the remote installation task for specific computers.
IN THIS SECTION:
Creating images of operating systems
Adding drivers for Windows Preinstallation Environment (WinPE)
Adding drivers to an installation package with an operating system image
Configuring sysprep.exe utility
Deploying operating systems on new networked computers
Deploying operating systems on client computers
Creating installation packages of applications
Installing applications to client computers
4. In the Add driver window specify the name of a driver and the path to the driver installation package. You can
specify the path to an installation package by clicking the Select button in the Adding driver window.
5. Click OK.
The driver will be added to the Administration Server repository. When added to the repository, the driver is
displayed in the Select driver window.
6. Click OK in the Select driver window.
The driver will be added to Windows Preinstallation Environment (WinPE).
3. In the Select installation package type window of the Wizard click one of the following buttons:
Create Kaspersky Lab's installation package. Select this option if you want to create an installation
package for a Kaspersky Lab application.
Create installation package for specified executable file. Select this option if you want to create an
installation package for an application requested by the user.
Create installation package based on OS image of reference computer. Select this option if you want
to create an installation package with an image of the operating system of a reference computer.
The Wizard's activities create an Administration Server task named Copy the OS image from the
computer. When this task is completed, an installation package is created that you can use to deploy the
operating system image through a PXE server or the remote installation task.
4. Follow the Wizard's instructions.
The Wizard's activities create an installation package that you can use to install the application to client computers.
You can view the installation package in the Installation packages folder.
For detailed information on installation packages, see Kaspersky Security Center Implementation Guide.
MANAGING MOBILE DEVICES
This section describes how to manage mobile devices connected to Administration Server. For details on how to connect
mobile devices, please refer to the Kaspersky Security Center Implementation Guide.
IN THIS SECTION:
Managing mobile devices using an MDM policy
Handling commands for mobile devices
Handling certificates
Managing Exchange ActiveSync mobile devices
Managing iOS MDM mobile devices
Managing KES devices
Configuring settings of synchronization with the Microsoft Exchange server and user accounts for using
corporate email on devices.
Configuring user accounts for synchronization with the LDAP directory service.
Configuring user accounts for connecting to CalDAV and CardDAV services that give users access to
corporate calendars and contact lists.
Configuring settings of the iOS interface on the user's device, such as fonts or icons for favorite websites.
Adding new security certificates on devices.
Configuring settings of the SCEP server for automatic retrieval of certificates by the device from the
Certification Center.
Adding custom settings for operation of mobile apps.
The general operating principles of an MDM policy do not differ from the operating principles of policies created for
managing other apps. An MDM policy is special in that it is assigned to an administration group that includes the iOS
MDM Mobile Device Server and the Exchange ActiveSync mobile device server (hereinafter "mobile device servers"). All
settings specified in an MDM policy are first applied to mobile device servers and then to mobile devices managed by
such servers. In the case of a hierarchical structure of administration groups, slave mobile device servers receive MDM
policy settings from master mobile device servers and distribute them to mobile devices.
For detailed information about how to use the MDM policy in Administration Console of Kaspersky Security Center
please refer to the Kaspersky Security Mobile Administrator's Guide.
For all types of devices, if the Delete data command is successfully executed, all data will be deleted from the device and
the device settings will be rolled back to their default values.
After successful execution of the Delete corporate data command on an iOS MDM device, all installed configuration
profiles, provisioning profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM
profile check box has been selected, are removed from the device.
If the Delete corporate data command is successfully executed on a KES device, all corporate data, entries in Contacts,
the SMS history, the call log, the calendar, the Internet connection settings, and the user's accounts, except for the
Google account, will be deleted from the device. For a KES device, all data from the memory card will also be deleted.
To retrieve the settings of Google Cloud Messaging, the administrator must have a Google account. For more details on
how to retrieve the settings of Google Cloud Messaging, please refer to the corresponding article in the Knowledge Base
on the Technical Support website: http://support.kaspersky.com/11770.
SENDING COMMANDS
To send a command to the user's mobile device:
1. In the Mobile Device Management folder of the console tree, select the Mobile devices subfolder.
The folder workspace displays a list of managed mobile devices.
2. Select the user's mobile device to which you need to send a command.
3. In the context menu of the mobile device, select Show command log.
4. In the Commands for mobile devices management window, proceed to the section with the name of the
command that you need to send to the mobile device, then click the Send command button.
Depending on the command that you have selected, clicking the Send command button may open the window
of advanced settings of the application. For example, when you send the command for deleting a provisioning
profile from a device, the application prompts you to select the provisioning profile that should be deleted from
the device. Define the advanced settings of the command in that window and confirm your selection. After that,
the command will be sent to the mobile device.
You can click the Resend button to send the command to the user's mobile device once again.
You can click the Remove from queue button to cancel execution of a command that had been sent if the latter
has not yet been executed.
The Command log section displays commands that have been sent to the device, with the respective execution
statuses. You can click the Refresh button to refresh the list of commands.
5. Click the OK button to close the Commands for mobile devices management window.
HANDLING CERTIFICATES
This section contains information about how to handle certificates of mobile devices. The section contains instructions on
how to install certificates on users' mobile devices and how to configure certificate handing rules. The section also
contains instructions on how to integrate the application with the public key infrastructure and how to configure the
support of Kerberos.
INSTALLING A CERTIFICATE
You can install three types of certificates to a user's mobile device:
General certificates for identifying the mobile device
Mail certificates for configuring the corporate mail on the mobile device
VPN certificates for setting up access to a virtual private network on the mobile device.
To install a certificate on a user's mobile device:
1. In the console tree, open the Mobile Device Management folder and select the Certificates subfolder.
2. In the workspace of the Certificates folder, click the Add certificate link to run the Certificate Installation Wizard.
Follow the Wizard's instructions.
After the Wizard completes its activities, a certificate will be created and added to the list of the user's certificates; in
addition, a notification will be sent to the user providing him or her with a link for downloading and installing the certificate
on the mobile device. You can view the list of all certificates and export it to a file (see the section "Viewing the list of
certificates handed to a user" on page 83). You can delete and re-hand certificates, as well as view their properties.
3. Select Properties from the context menu of the iOS MDM Mobile devices server.
The Mobile devices server properties window opens.
4. In the properties window of the iOS MDM Mobile Devices Server, select the Settings section.
5. In the Settings section, select the Ensure compatibility with Kerberos Constrained Delegation check box.
6. Click OK.
Depending on the device model, settings of a management profile can be applied partially. The status of an
Exchange ActiveSync policy that has been applied can be viewed in the device's properties.
View information about the settings of EAS device management (see page 119). For example, the administrator
can refer to the properties of a mobile device to know the time of the last synchronization with a Microsoft
Exchange server, the ID of the EAS device, the name of the Exchange ActiveSync policy, and its current status
on the device.
Disconnect EAS devices from management if they are out of use (see page 120).
Define the settings of Active Directory polling by Exchange ActiveSync Mobile Device Server, which allows
updating the information about users' mailboxes and mobile devices.
For information about how to connect Exchange ActiveSync mobile devices to Exchange ActiveSync mobile devices
server, refer to the Kaspersky Security Center Implementation Guide.
Only one EAS device management profile can be assigned to a Microsoft Exchange mailbox.
The default profile cannot be deleted. To delete the current default profile, you should assign the "default profile"
attribute to a different profile.
If you want to delete the current default profile, re-assign the 'default profile' property to another profile, then
delete the first one.
For information about how to install an iOS MDM Mobile Device Server please refer to the Kaspersky Security Center
Implementation Guide.
You can use the device properties window to view information about the configuration profile and the provisioning profile,
as well as applications installed on the iOS MDM device (see the section "Viewing information about an iOS MDM
device" on page 125).
To create a configuration profile and add it to an iOS MDM Mobile devices server:
1. In the console tree, select the Mobile Device Management folder.
2. In the workspace of the Mobile Device Management folder, select an iOS MDM Mobile devices server.
3. Select Properties from the context menu of the iOS MDM Mobile devices server.
The Mobile devices server properties window opens.
4. In the properties window of the iOS MDM Mobile devices server, select the Configuration profiles section.
5. In the Configuration profiles section, click the Create button.
The Add new configuration profile window opens.
6. In the Add new configuration profile window, specify a name and ID for the profile.
The configuration profile ID should be unique; the value should be specified in Reverse-DNS format, for
example, com.companyname.identifier.
7. Click OK.
An application named iPhone Configuration Utility then starts.
8. Reconfigure the profile in iPhone Configuration Utility.
For a description of the profile settings and instructions on how to configure the profile, please refer to the
documentation enclosed with iPhone Configuration Utility.
After you have configured the profile with iPhone Configuration Utility, the new configuration profile is displayed in
the Configuration profiles section in the properties window of the iOS MDM Mobile devices server.
You can click the Modify button to modify the configuration profile.
You can click the Import button to load the configuration profile to a program.
You can click the Export button to save the configuration profile to a file.
The profile that you have created should be installed on iOS MDM devices (see the section "Installing a configuration
profile on a device" on page 121).
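Step 6 above requires a unique profile ID in Reverse-DNS format. The following check is an added example, not part of Kaspersky Security Center: it reads profiles saved with the Export button and reports IDs that are missing, malformed or reused. It assumes the exported file is an unsigned Apple configuration profile (a property list whose top-level PayloadIdentifier key holds the profile ID); the file names and profile contents are constructed sample data.

```python
import plistlib
import re
from collections import defaultdict
from xml.parsers.expat import ExpatError

# One DNS-style label: letters, digits and inner hyphens, 1 to 63 characters.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_reverse_dns(identifier):
    """True for IDs shaped like com.companyname.identifier."""
    if not isinstance(identifier, str):
        return False
    labels = identifier.split(".")
    # At least "tld.name", and the first label must look like a top-level domain.
    if len(labels) < 2 or not labels[0].isalpha():
        return False
    return all(_LABEL.fullmatch(label) for label in labels)


def read_identifier(raw):
    """Return (identifier, error) for the raw bytes of one exported profile."""
    try:
        profile = plistlib.loads(raw)
    except (ValueError, ExpatError):
        # A signed profile is wrapped in a CMS container and is not a bare plist.
        return None, "not a readable property list (signed or corrupted export?)"
    if not isinstance(profile, dict):
        return None, "top-level object is not a dictionary"
    if "PayloadIdentifier" not in profile:
        return None, "PayloadIdentifier is missing"
    return profile["PayloadIdentifier"], None


def audit_profiles(exports):
    """Check a {file name: raw bytes} mapping; return a list of (file name, problem)."""
    findings = []
    seen = defaultdict(list)
    for name, raw in exports.items():
        identifier, error = read_identifier(raw)
        if error:
            findings.append((name, error))
            continue
        if not is_reverse_dns(identifier):
            findings.append((name, f"ID {identifier!r} is not in reverse-DNS format"))
        # Design choice: compare case-insensitively so IDs that differ only in
        # letter case are reported as a collision.
        seen[str(identifier).casefold()].append(name)
    for identifier, names in seen.items():
        for name in names[1:]:
            findings.append((name, f"ID {identifier!r} is already used by {names[0]}"))
    return findings


def build_profile(identifier, display_name):
    """Build a minimal configuration profile (constructed sample, not a real export)."""
    body = {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadDisplayName": display_name}
    if identifier is not None:
        body["PayloadIdentifier"] = identifier
    return plistlib.dumps(body)


# Constructed sample exports covering the cases the audit distinguishes.
SAMPLE_EXPORTS = {
    "wifi.mobileconfig": build_profile("com.example.wifi", "Office Wi-Fi"),
    "wifi-copy.mobileconfig": build_profile("com.example.WiFi", "Office Wi-Fi (copy)"),
    "vpn.mobileconfig": build_profile("Corporate VPN", "VPN"),
    "mail.mobileconfig": build_profile(None, "Mail"),
    "signed.mobileconfig": b"\x30\x82\x04\x00 constructed non-plist bytes",
}

if __name__ == "__main__":
    for file_name, problem in audit_profiles(SAMPLE_EXPORTS):
        print(f"{file_name}: {problem}")
```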
3. Select the user's mobile device from which you need to remove the configuration profile.
You can select multiple mobile devices to remove the profile simultaneously.
4. In the context menu of the mobile device, select Show command log.
5. In the Commands for mobile devices management window, go to the Remove profile section and click the
Send command button.
You can also send the command to the mobile device by selecting All commands from the context menu of the
device, then selecting Remove profile.
As a result, the Remove profile window opens showing the list of profiles.
6. Select from the list the profile that you need to remove from the mobile device. You can select multiple profiles
to remove them from the device simultaneously. To select the range of profiles, use the SHIFT key. To combine
profiles into a group, use the CTRL key.
7. Click the OK button to send the command to the mobile device.
When the command is executed, the selected configuration profile will be removed from the user's mobile device. If
the command is executed successfully, the current status of the command will be shown as Completed.
You can click the Resend button to send the command to the user's mobile device once again.
You can click the Remove from queue button to cancel execution of a command that had been sent if the latter
has not yet been executed.
The Command log section displays commands that have been sent to the device, with the respective execution
statuses. You can click the Refresh button to refresh the list of commands.
8. Click the OK button to close the Commands for mobile devices management window.
As a result, the Select provisioning profiles window opens showing a list of provisioning profiles. Select from
the list the provisioning profile that you need to install on the mobile device. You can select multiple provisioning
profiles to install them on the device simultaneously. To select the range of provisioning profiles, use the SHIFT
key. To combine provisioning profiles into a group, use the CTRL key.
6. Click the OK button to send the command to the mobile device.
When the command is executed, the selected provisioning profile will be installed on the user's mobile device. If
the command is successfully executed, the current status of the command in the commands log will be shown
as Completed.
You can click the Resend button to send the command to the user's mobile device once again.
You can click the Remove from queue button to cancel execution of a command that had been sent if the latter
has not yet been executed.
The Command log section displays commands that have been sent to the device, with the respective execution
statuses. You can click the Refresh button to refresh the list of commands.
7. Click the OK button to close the Commands for mobile devices management window.
The profile that you have installed can be viewed and removed, if necessary (see the section "Removing a
provisioning profile from a device" on page 123).
After the iOS MDM device is disconnected from management, all installed configuration profiles, the iOS MDM profile,
and applications for which the Remove together with iOS MDM profile check box has been selected, will be removed
from the device (see the section "Adding a managed application" on page 123).
Containers are used to control activities of applications running on the user's mobile device. Security policy rules can be
applied to applications placed into a container. You can configure rules for applications in the properties window of the
policy of Kaspersky Endpoint Security 10 for Mobile, in the Containers section. For more details on containers and how
to manage them, please refer to the documentation enclosed with Kaspersky Endpoint Security 10 for Mobile.
You can place a third-party app in a container. You cannot place the Kaspersky Endpoint Security 10 for Mobile
installation package into a container.
SELF SERVICE PORTAL
This section contains information about Self Service Portal. The section provides Self Service Portal login instructions for
users as well as instructions on creating Self Service Portal accounts and adding mobile devices on Self Service Portal.
IN THIS SECTION:
About Self Service Portal
Adding a device
Creating an account for Self Service Portal
Self Service Portal supports mobile devices with the iOS and Android operating systems.
If necessary (for example, when the user device has been lost or stolen), the user can sign in to Self Service Portal and
send commands to the managed device. A proprietary set of commands is supported for each type of device (see the
following table).
Table 11. List of supported commands
Self Service Portal uses the global list of Kaspersky Security Center users. The list is expanded automatically when
importing users from Active Directory (see the section "Viewing and modifying Active Directory group properties" on
page 93) or manually (see the section "Adding a user account" on page 80).
If domain authorization on Self Service Portal is prohibited by the administrator, users can use alias accounts for
authorization. Creating aliases for authentication on Self Service Portal is available in the properties of user accounts
(see the section "Creating a Self Service Portal account" on page 129).
The administrator can grant users the following Self Service Portal usage permissions:
Reading;
Change;
Connect new devices;
Send only information commands (Mugshot and Locate are information commands);
Send commands to mobile devices.
ADDING A DEVICE
Before adding a device on the Self Service Portal, the user has to accept the Self Service Portal End User License
Agreement and sign in on the portal.
The procedure for adding a user device to Self Service Portal includes the following steps:
1. The user opens the main page of the portal.
2. Self Service Portal creates an installation package and then displays a one-time link for downloading the
installation package and a QR code in which the link is encoded. The screen shows the time interval during
which a link for downloading the installation package will be available. A message with a link for downloading
the installation package is sent to the user's email address.
The installation package is required to install Network Agent on the device and apply corporate policies.
A new installation package can be created only after the previously created package has been removed from
Administration Server.
3. By clicking the Create package to install on new device link, the user is taken to the installation package
download page on the mobile device to be added to Self Service Portal.
4. Self Service Portal determines the operating system of the user device.
If the device operating system could be determined automatically, the installation package download page
opens. If the device operating system could not be determined automatically, a window opens letting the user
choose an operating system manually.
5. The user downloads the installation package and installs Network Agent on the mobile device.
6. After Network Agent has been installed, the device connects to Administration Server.
As a result, the device will be added to the list of managed devices and the corporate policies will be applied to it. A
link to information about connecting to the Administration Server is sent to the user's email address.
3. In the properties window of the user account, in the Self Service Portal accounts section, click the Add button.
You can click the Add button to create several Self Service Portal alias accounts.
4. In the New Self Service Portal account window, specify the login and the method of user notification, and then
click .
A password for the Self Service Portal account is generated automatically. A notification of account creation will
be sent to the user's email or mobile device, containing the login and the password.
As a result, the Self Service Portal account will be created. You can create an unlimited number of Self Service
Portal accounts for a single user. After a Self Service Portal account has been created, it cannot be modified.
However, you can delete a selected account by clicking the button with a red cross on the right of the list of Self
Service Portal accounts.
To modify a Self Service Portal account:
1. In the properties window of a user account, in the Self Service Portal accounts section, select a Self Service
Portal account and click the Set new password button.
2. In the Generate new password for Self Service Portal account window, specify a method of user notification and
click the OK button.
As a result, the password will be changed. A notification of the password change will be sent to the user's email or
mobile device.
You can click the Set new password button to generate a new password for a selected Self Service Portal account.
The password will be created automatically. The new password for Self Service Portal will be sent to the user's email
or cell phone.
ENCRYPTION AND DATA PROTECTION FOLDER
Encryption reduces the risk of unintentional data leakage if your notebook, removable media, or hard drive is
stolen or lost, or is accessed by unauthorized users and applications.
Kaspersky Endpoint Security 10 for Windows provides encryption functionality. Kaspersky Endpoint Security 10 for
Windows allows you to encrypt files stored on local drives of a computer and removable drives, as well as removable
storage media and hard drives entirely.
Encryption rules are configured through Kaspersky Security Center by defining policies. Encryption and decryption
according to the existing rules are performed when a policy is applied.
Availability of the encryption management feature is determined by the user interface settings (see the section
"Configuring the interface" on page 30).
IN THIS SECTION:
Viewing the list of encrypted devices
Viewing the list of encryption events
Exporting the list of encryption events to a text file
Creating and viewing encryption reports
Presence or absence of the Data encryption and protection folder in the console tree is determined by the user
interface settings (see the section "Configuring the interface" on page 30).
Presence or absence of the Encryption and data protection folder in the console tree is determined by the user
interface settings (see the section "Configuring the interface" on page 30).
Report on encryption errors containing information about errors that have occurred when running data
encryption and decryption tasks on client computers
Report on the status of computer encryption containing information about whether the status of computer
encryption meets the encryption policy
Report on file access blocking containing information about blocking applications' access to encrypted files.
To view the report on devices encryption:
1. In the console tree select the Encryption and data protection folder.
2. Do one of the following:
Click the View devices encryption report link to run the New Report Template Wizard.
Select the Encrypted devices subfolder, then click the View devices encryption report link to run the
New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard.
In the Reports and notifications folder of the console tree a new report appears. The report generation process
starts. The report is displayed in the console workspace.
To view the report on rights of access to encrypted devices:
1. In the console tree select the Encryption and data protection folder.
2. Do one of the following:
Click the View report on rights of access to encrypted devices link in the Manage encrypted devices
section to run the New Report Template Wizard.
Select the Encrypted devices subfolder, then click the View report on rights of access to encrypted
devices link to run the New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard.
In the Reports and notifications folder of the console tree a new report appears. The report generation process
starts. The report is displayed in the console workspace.
To view the report on encryption errors:
1. In the console tree select the Encryption and data protection folder.
2. Do one of the following:
Click the View report on encryption errors link in the Data encryption errors control section to run the
New Report Template Wizard.
Select the Encryption events subfolder, then click the View report on encryption errors link to run the
New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard.
In the Reports and notifications folder of the console tree a new report appears. The report generation process
starts. The report is displayed in the console workspace.
To view the report on the status of computer encryption:
1. In the console tree, select the Reports and notifications folder.
2. Do one of the following:
Right-click to activate the context menu of the Reports and notifications folder, select Create Report
template, and run the New Report Template Wizard.
Click the Create a report template link to run the New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard. In the Selecting the report template type window,
in the Others section select Computer encryption status report.
After you have finished with the New Report Template Wizard, a new report template appears in the Reports
and notifications folder of the console tree.
4. In the Reports and notifications folder select the report template created at the previous steps.
The report generation process starts. The report appears in the workspace of the Administration Console.
For information about whether the encryption statuses of computers and removable media meet the encryption policy,
view information panes on the Statistics tab of the Reports and notifications folder (see the section "Working with
the statistical information" on page 86).
To view the file access blocking report:
1. In the console tree, select the Reports and notifications folder.
2. Do one of the following:
Right-click to activate the context menu of the Reports and notifications folder, select Create Report
template, and run the New Report Template Wizard.
Click the Create a report template link to run the New Report Template Wizard.
3. Follow the instructions of the New Report Template Wizard. In the Selecting the report template type window,
in the Others section select Report on access blockage to files.
After you have finished with the New Report Template Wizard, a new report template appears in the Reports
and notifications folder of the console tree.
4. In the Reports and notifications folder select the report template created at the previous steps.
The report generation process starts. The report appears in the workspace of the Administration Console.
MANAGING DEVICES ACCESS TO AN ORGANIZATION'S NETWORK (NETWORK ACCESS CONTROL, NAC)
Kaspersky Security Center allows controlling access of devices to an organization's network using access restriction
rules and a white list of devices. NAC agents are used to manage access of devices to an organization's network. An
NAC agent is installed on client computers together with Network Agent.
Two NAC agents are used in each of the broadcast segments of a network: main and redundant. The main NAC agent is
available for regular use of network access policies. When the computer hosting the main NAC agent is shut down, the
redundant NAC agent takes its functions, which ensures a continuous operation of NAC on the organization's network.
Roles of NAC agents can be deployed and distributed either manually or automatically.
Before creating network access restriction rules for devices and a white list of devices, the administrator should create
network elements. A network element is a group of devices created on the basis of criteria defined by the administrator.
The administrator can specify the following criteria for adding devices to a network element:
network attributes (IP address, MAC address)
device manufacturer
device's membership in a domain
device protection status
presence of non-installed critical application updates and security updates on the device.
When a network element is created, the administrator can create access restriction rules for it or add it to a white list.
The administrator can create the following network access restriction rules:
A rule that blocks network access for all devices included in the network element.
A rule that redirects to the authorization portal any network access request generated by any device included
in the network element. The authorization portal is a web service that provides network access to guest devices. The
administrator creates accounts and assigns them to the users of guest devices.
A rule that allows devices included in the network element to access the specified network addresses only.
The administrator can select a network element and add it to the white list. Devices included in the white list are provided
full access to the organization's network.
IN THIS SECTION:
Switching to the NAC settings in the Network Agent properties
Selecting an operation mode for the NAC agent
Creating network elements
Creating network access restriction rules
Creating a white list
Creating a list of allowed network addresses
Creating accounts to use on the authorization portal
Configuring the authorization page interface
Configuring NAC in a Network Agent policy
From the Add dropdown list, select the criteria that define whether a network device will be included in the
network element that you are creating:
By network attributes. If you select this option, you can add a computer or computers to the network
element by IP address, MAC address, IP range, or subnet mask.
By manufacturer. If you select this option, you can add computers to the network element by
manufacturer.
By domain membership. If you select this option, you can add computers to the network element on the
basis of their membership in a domain. Domain membership can be used as a criterion that allows
accessing the organization's network.
By computer status. If you select this option, you can specify a computer protection status: for example,
"Critical". You can create rules restricting network access for computers with such status.
By software. If you select this option, you can add computers to the network element by operating system
type, firewall status, and availability of updates.
The added criteria, which a network object must meet, are displayed in the Criteria field.
4. Click OK.
The created network elements are displayed in the properties window of the Kaspersky Security Center Network
Agent policy, in the Network elements subsection.
3. In the Adding network elements window select the network element that you want to add to the white list.
4. Click OK.
Network elements added to the white list are displayed in the White List subsection. Devices added to the white list
are granted full access to the organization's network.
4. In the Authorization page group of settings select the authorization page to which network access requests will
be redirected.
Default. Select this option if you want to use the default page on the authorization portal. To edit the default
page, click the Save to file button and save the authorization page to a file for further editing.
Custom. Select this option if you want to use an edited version of the Kaspersky Lab page or your own
version. Click the Select button and specify the path to an authorization page file.
5. Click OK.
INVENTORY OF EQUIPMENT DETECTED ON THE NETWORK
Kaspersky Security Center retrieves information about the equipment detected during the network poll. Inventory covers
all equipment connected to the organization's network. Information about the equipment is updated after each new
network poll. The list of detected equipment may contain the following types of devices:
Computers
Mobile devices
Network devices
Virtual devices
OEM components
Computer peripherals
Connected devices
VoIP phones
Network storages
Equipment detected during a network poll is displayed in the Repositories subfolder of the Hardware folder of the
console tree.
The administrator can add new devices to the equipment list manually or edit information about equipment that already
exists on the network. In the properties of a device you can view and edit detailed information about that device.
The administrator can assign the "Enterprise equipment" attribute to detected devices. This attribute can be assigned
manually in the properties of a device, or the administrator can specify criteria for the attribute to be assigned
automatically. In this case, the "Enterprise equipment" attribute is assigned by device type. You can allow or prohibit
network connection of equipment by the "Enterprise equipment" attribute.
Kaspersky Security Center allows writing off equipment. To do this, select the Device is written off check box in the
properties of a device. Such a device is not displayed in the equipment list.
IN THIS SECTION:
Adding information about new devices
Configuring criteria used to define enterprise devices
5. In the General section fill in the entry fields with data on the device. The General section lists the following
settings:
Corporate device. Select the check box if you want to assign the "Enterprise" attribute to the device. Using
this attribute, you can search for devices in the Hardware folder.
Device is written off. Select the check box if you do not want the device to be displayed on the list of
devices in the Hardware folder.
6. Click Apply.
The new device will be displayed in the workspace of the Hardware folder.
UPDATING DATABASES AND SOFTWARE MODULES
This section describes how to download and distribute updates of databases and software modules using Kaspersky
Security Center.
To maintain the protection system's reliability, you should update the databases and Kaspersky Lab application
modules managed through Kaspersky Security Center in a timely manner.
To update databases and Kaspersky Lab application modules that are managed through Kaspersky Security Center, the
Download updates to the repository task of the Administration Server is used. As a result, the databases and
application modules are downloaded from the update source.
The Download updates to the repository task is not available on virtual Administration Servers. The repository of the
virtual Administration Server displays updates downloaded to the master Administration Server.
You can configure the updates to be verified for performance and errors before they are distributed to client computers.
IN THIS SECTION:
Creating the task of downloading updates to the repository
Configuring the task of downloading updates to the repository
Verifying downloaded updates
Configuring test policies and auxiliary tasks
Viewing downloaded updates
Automatic distribution of updates
Rolling back installed updates
The following resources can be used as a source of updates for the Administration Server:
Kaspersky Lab update servers: Kaspersky Lab's servers to which the updated anti-virus database and the
application modules are uploaded.
Master Administration Server.
FTP/HTTP server or a network updates folder: an FTP server, an HTTP server, a local or a network folder
added by the user and containing the latest updates. When selecting a local folder, you should specify a folder
on a computer with Administration Server installed.
To update Administration Server from an FTP/HTTP server or a network folder, you should copy to those
resources the correct structure of folders with updates, identical to that created when using Kaspersky Lab
update servers.
Source selection depends on task settings. By default, updating is performed over the Internet from Kaspersky Lab's
update servers.
It is recommended to use computers with the most reliable protection and the most popular application
configuration on the network. This approach increases the quality of scans, and minimizes the risk of false
positives and the probability of virus detection during scans. If viruses are detected on the test computers,
the update verification task is considered unsuccessful.
4. Click OK to close the properties window of the downloading updates to the repository task.
As a result, the updates verification task is performed with the task of downloading updates to the repository. The
Administration Server will download updates from the source, save them in temporary storage, and run the update
verification task. If the task completes successfully, the updates will be copied from the temporary storage to the
Administration Server shared folder (<Installation folder Kaspersky Security Center>\Share\Updates) and distributed
to all client computers for which the Administration Server is the source of updates.
If the results of the update verification task show that updates located in the temporary storage are incorrect or if the
update verification task completes with an error, such updates will not be copied to the shared folder, and the
Administration Server will keep the previous set of updates. The tasks that have the When new updates are
downloaded to the repository schedule type are not started then, either. These operations will be performed at the
next start of the Administration Server update download task if scanning of the new updates completes successfully.
A set of updates is considered to be incorrect if one of the following conditions is met on at least one test computer:
Update task error has occurred.
The real-time protection status of the anti-virus application has changed after applying updates.
An infected object has been detected while running the scan task.
Functional error of a Kaspersky Lab application has occurred.
If none of the listed conditions is true for any test computer, the set of updates is considered to be correct and the update
verification task completes successfully.
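The gating logic described above, modelled as an added example (not Kaspersky Lab code): updates are staged in temporary storage and promoted to the shared folder only if no test computer meets any of the four conditions. The class and function names, the directory layout and the file contents are hypothetical and constructed for illustration; the test-computer results are supplied as input rather than collected from real tasks.

```python
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class HostResult:
    """Outcome of the auxiliary update and scan tasks on one test computer."""
    name: str
    update_task_error: bool = False
    realtime_status_changed: bool = False
    infected_object_detected: bool = False
    functional_error: bool = False

    def failed_conditions(self):
        """Return the conditions from the list above that this computer meets."""
        checks = [
            ("update task error", self.update_task_error),
            ("real-time protection status changed", self.realtime_status_changed),
            ("infected object detected during scan", self.infected_object_detected),
            ("functional error of the application", self.functional_error),
        ]
        return [label for label, hit in checks if hit]


def verify_update_set(results):
    """Map each failing test computer to its conditions; an empty dict means the set is correct."""
    failed = {}
    for r in results:
        conditions = r.failed_conditions()
        if conditions:
            failed[r.name] = conditions
    return failed


def run_download_task(source, temp_storage, share, results):
    """Stage updates in temporary storage; promote them to the share only if verification passes."""
    if temp_storage.exists():
        shutil.rmtree(temp_storage)
    shutil.copytree(source, temp_storage)

    failed = verify_update_set(results)
    if failed:
        # Share untouched: the previous set stays in place, and tasks scheduled
        # "When new updates are downloaded to the repository" are not started.
        return {"promoted": False, "start_dependent_tasks": False, "failed": failed}

    # Copy beside the share first, then swap, so a failed copy never leaves a partial set.
    incoming = share.with_name(share.name + ".incoming")
    if incoming.exists():
        shutil.rmtree(incoming)
    shutil.copytree(temp_storage, incoming)
    if share.exists():
        shutil.rmtree(share)
    incoming.rename(share)
    return {"promoted": True, "start_dependent_tasks": True, "failed": {}}


def demo():
    """Run one failing and one passing verification against constructed folders."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        share = root / "Share" / "Updates"      # stands in for the shared folder
        share.mkdir(parents=True)
        (share / "bases.txt").write_text("set-1")   # previous set of updates
        source = root / "source"                # stands in for the update source
        source.mkdir()
        (source / "bases.txt").write_text("set-2")  # newly published set
        temp = root / "temp"

        bad = [HostResult("test-pc-1"),
               HostResult("test-pc-2", infected_object_detected=True)]
        first = run_download_task(source, temp, share, bad)
        share_after_first = (share / "bases.txt").read_text()

        good = [HostResult("test-pc-1"), HostResult("test-pc-2")]
        second = run_download_task(source, temp, share, good)
        share_after_second = (share / "bases.txt").read_text()

    return {"first": first, "share_after_first": share_after_first,
            "second": second, "share_after_second": share_after_second}


if __name__ == "__main__":
    print(demo())
```
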
Auxiliary group update and on-demand scan tasks take some time. These tasks are performed when the updates
verification task is executed. The updates verification task is performed when updates are downloaded to the repository.
The duration of Download updates to the repository task includes auxiliary group update and on-demand scan tasks.
You can change the settings of test policies and auxiliary tasks.
To change settings of a test policy or an auxiliary task:
1. In the console tree, select a group for which the updates verification task is created.
2. In the group workspace, select one of the following tabs:
Policies, if you want to edit the test policy settings
Tasks, if you want to change auxiliary task settings.
3. In the tab workspace select a policy or a task, whose settings you want to change.
4. Open the policy (task) properties window in one of the following ways:
From the context menu of the policy (task), select Properties.
By clicking the Change policy settings (Change task settings) link in the workspace of the selected
policy (task).
To verify updates correctly, the following restrictions should be imposed on the modification of test policies and auxiliary tasks:
In the auxiliary task settings:
Save all tasks with the Critical event and Functional failure severity levels on Administration Server.
Using the events of these types, the Administration Server analyzes the operation of applications.
Use Administration Server as the source of updates.
Specify task schedule type: Manually
In the settings of test policies:
Disable the iChecker, iSwift, and iStream scanning acceleration technologies.
Select the actions to be performed in respect of infected objects: Do not prompt / Skip / Log to report.
In the settings of test policies and auxiliary tasks:
If a computer restart is required after the installation of updates to software modules, it must be performed
immediately. If the computer is not restarted, it is impossible to test this type of updates. For some applications
installation of updates that require a restart may be prohibited or configured to prompt the user for confirmation
first. These restrictions should be disabled in the settings of test policies and auxiliary tasks.
IN THIS SECTION:
Distributing updates to client computers automatically
Distributing updates to slave Administration Servers automatically
Installing program modules for Servers and Network Agents automatically
Creating and configuring the list of Update Agents
Downloading updates by Update Agents
The name of the updates deployment task displayed in the Task type window depends on the
application for which you create this task. For detailed information about names of update tasks for the
selected Kaspersky Lab application, see the corresponding Guides.
b. In the Schedule wizard window, in the Scheduled start field, select When new updates are
downloaded to the repository.
As a result, the created update distribution task will start for selected computers each time the updates are
downloaded to the Administration Server repository.
If an update distribution task for the required application has already been created for the selected computers, then to
distribute updates to client computers automatically, open the task properties window and, in the Schedule section,
select the When new updates are downloaded to the repository option in the Scheduled start field.
The task of downloading updates by an Update Agent is a Network Agent task; its task type is Download updates to
the repository. The task of downloading updates by an Update Agent is a local task: it should be created
individually for each computer that acts as an Update Agent.
WORKING WITH APPLICATION KEYS
This section describes the features of Kaspersky Security Center related to handling keys of managed Kaspersky Lab
applications.
Kaspersky Security Center allows you to perform centralized distribution of keys for Kaspersky Lab applications on client
computers, monitor their use, and renew licenses.
When adding a key using Kaspersky Security Center, the settings of the key are saved on Administration Server. Based
on this information, the application generates a report on the use of keys and notifies the administrator of expiry of
licenses and violation of license restrictions implied by the settings of keys. You can configure notifications of the use of
keys within the Administration Server settings.
IN THIS SECTION:
Viewing information about keys in use
Adding a key to the Administration Server repository
Deleting an Administration Server key
Deploying a key to client computers
Automatic deployment of a key
Creating and viewing a key usage report
information about the key is received from a client computer connected to the Administration Server. The
file of this key is stored outside of the Administration Server.
the key file is stored in the Administration Server repository. Automatic distribution is disabled for this key.
the key file is stored in the Administration Server repository. Automatic distribution is enabled for this key.
You can view information about which keys are applied to the application on a client computer by opening the application
properties window from the Applications section of the client computer properties window.
After the active key is deleted, such features as Systems Management (see the section "Kaspersky Security Center
licensing options" on page 33) and Mobile devices management (see the section "Kaspersky Security Center
licensing options" on page 33) become unavailable for Administration Server. You can add (see the section "Adding a
key to the Administration Server repository" on page 148) a key that has been deleted, or add a different key.
DATA STORAGES
This section provides information about data stored on the Administration Server and used for tracking the condition of
client computers and servicing them.
The data used to track the status of client computers are displayed in the Repositories folder of the console tree.
The Repositories folder contains the following objects:
the updates downloaded by the Administration Server that are distributed to client computers (see the section
"Viewing downloaded updates" on page 145);
list of hardware items detected in the network;
keys that were found on client computers (see the section "Working with application keys" on page 148);
files quarantined on client computers by anti-virus applications;
files placed into repositories on client computers;
files assigned for scanning later by anti-virus applications.
IN THIS SECTION:
Exporting a list of repository objects to a text file
Installation packages
Quarantine and Backup
Unprocessed files
INSTALLATION PACKAGES
Kaspersky Security Center places installation packages of applications by Kaspersky Lab and third-party vendors in data
storage areas.
An installation package is a set of files required to install an application. An installation package contains the setup
settings and initial configuration of the application being installed.
If you want to install an application on a client computer, you should create an installation package for that application
(see the section "Creating installation packages of applications" on page 110) or use an existing one. The list of created
installation packages is stored in the Remote installation folder of the console tree, in the Installation packages
subfolder.
For detailed information on installation packages, see the Kaspersky Security Center Implementation Guide.
Operations with Quarantine and Backup are supported for versions 6.0 or later of Kaspersky Anti-Virus for Windows
Workstations and Kaspersky Anti-Virus for Windows Servers, as well as for Kaspersky Endpoint Security 10 for Windows.
Kaspersky Security Center does not copy files from repositories to Administration Server. All files are stored in the
repositories on client computers. You can restore files only on a computer where an anti-virus application that placed the
file into the repository is installed.
IN THIS SECTION:
Enabling remote management for files in the repositories
Viewing properties of a file placed in repository
Removing files from repositories
Restoring files from repositories
Saving a file from repositories to disk
Scanning files in Quarantine
The location of the Inform Administration Server settings group in the policy properties window and the names of
check boxes depend on the selected anti-virus application.
UNPROCESSED FILES
The information about unprocessed files found on client computers is stored in the Repositories folder, the
Unprocessed files subfolder.
Postponed processing and disinfection by an anti-virus application are performed upon request or after a specified event.
You can configure the postponed processing.
KASPERSKY SECURITY NETWORK (KSN)
This section describes how to use an infrastructure of online services named Kaspersky Security Network (KSN). The
section provides the details on KSN, as well as instructions on how to enable KSN, configure access to KSN, and view
the statistics of the use of KSN proxy server.
ABOUT KSN
Kaspersky Security Network (KSN) is an infrastructure of online services that provides access to the online Knowledge
Base of Kaspersky Lab, which contains information about the reputation of files, web resources, and software. The use
of data from Kaspersky Security Network ensures faster response by Kaspersky Lab applications to unknown threats,
improves the effectiveness of some protection components, and reduces the risk of false positives. KSN allows using
Kaspersky Lab's reputation databases to retrieve information about applications installed on client computers.
By participating in KSN, you agree to send to Kaspersky Lab in automatic mode information about the operation of
Kaspersky Lab applications (see the section "About data provision" on page 155) installed on client computers that are
managed by Kaspersky Security Center, in accordance with the KSN Statement. Information is transferred in accordance
with the current KSN access settings (see the section "Setting up access to KSN" on page 156).
The application prompts you to join KSN when installing the application and when running the Quick Start Wizard (see
the section "Kaspersky Security Center Quick Start Wizard" on page 36). You can start or stop using KSN at any
moment when using the application (see the section "Enabling and disabling KSN" on page 156).
Client computers managed by Administration Server interact with KSN through the KSN Proxy service. The use of the
KSN Proxy service provides you with the following options:
Client computers can send requests to KSN and transfer information to KSN even if they do not have direct
access to the Internet.
KSN Proxy caches processed data, thus reducing the workload on the outbound channel and the time
spent waiting for information requested by a client computer.
You can configure KSN Proxy in the KSN proxy server section of the Administration Server properties window (see the
section "Setting up access to KSN" on page 156).
Provision of data is accepted on a voluntary basis. The data provision feature can be enabled or disabled at any moment
in the application settings window (see the section "Interaction of Administration Server with the KSN Proxy service" on
page 49).
Private KSN is supported by Kaspersky Security Center 10 Service Pack 1 and Kaspersky Endpoint Security 10
Service Pack 1.
CONTACTING TECHNICAL SUPPORT SERVICE
This section provides information about the ways and conditions for providing you support.
IN THIS SECTION:
About technical support
Technical support by phone
Technical Support via Kaspersky CompanyAccount
Before contacting Technical Support, please read the support rules (http://support.kaspersky.com/support/rules).
GLOSSARY
A
ACTIVE KEY
ADDITIONAL KEY
A key that certifies the right to use the application but is not currently being used.
A computer, server, or workstation on which Network Agent and managed Kaspersky Lab applications are running.
A set of computers grouped together in accordance with the performed functions and the Kaspersky Lab applications
installed on those machines. Computers are grouped for convenience of management as one single entity. A group can
include other groups. A group can contain group policies for each application installed in it and appropriate group tasks.
The level of the user's rights and privileges required for administration of Exchange objects within an Exchange
organization.
ANTI-VIRUS DATABASES
Databases that contain information about computer security threats that are known to Kaspersky Lab at the time of
release of the anti-virus databases. Records that are contained in anti-virus databases allow detecting malicious code in
scanned objects. The anti-virus databases are created by Kaspersky Lab specialists and updated hourly.
AUTHENTICATION AGENT
An interface for passing the authentication process to access encrypted hard drives and load the operating system after
the system hard drive has been encrypted.
AVAILABLE UPDATE
A package of updates for the modules of a Kaspersky Lab application including a set of urgent patches released during a
certain time interval, and modifications to the application architecture.
C
CONFIGURATION PROFILE
Policy that contains a collection of settings and restrictions for an iOS MDM mobile device.
D
DEMILITARIZED ZONE (DMZ)
Demilitarized zone is a segment of a local network that contains servers, which respond to requests from the global Web.
In order to ensure the security of an organization's local network, access to the LAN from the demilitarized zone is
protected with a firewall.
E
EAS DEVICE
A mobile device connected to Administration Server over the Exchange ActiveSync protocol. Devices on iOS, Android,
and Windows Phone operating systems can be connected and managed over the Exchange ActiveSync protocol.
A component of Kaspersky Security Center that is installed on a client computer, allowing Exchange ActiveSync mobile
devices to connect to Administration Server.
G
GENERAL CERTIFICATE
A group of applications created on the basis of criteria set by the administrator (for example, by vendor), for which
statistics of installations to client computers are maintained.
GROUP TASK
A task defined for an administration group and performed on all client computers within this group.
I
INSTALLATION PACKAGE
A set of files created for remote installation of a Kaspersky Lab application by using the Kaspersky Security Center
remote administration system. The installation package contains a range of settings needed to install the application and
get it running immediately after installation. Parameter values correspond to application defaults. The installation
package is created using files with the .kpd and .kud extensions included in the application distribution kit.
The accounts of internal users are used to work with virtual Administration Servers. Under the account of an internal
user, the administrator of a virtual Administration Server can start Kaspersky Security Center Web Console to check the
anti-virus security status of a network. Kaspersky Security Center grants the rights of real users to internal users of the
application.
The accounts of internal users are created and used only within Kaspersky Security Center. No data on internal users is
transferred to the operating system. Kaspersky Security Center authenticates internal users.
A mobile device that is connected to the iOS MDM Mobile Device Server over iOS MDM protocol. Devices running on
iOS operating system can be connected and managed over iOS MDM protocol.
A component of Kaspersky Security Center, installed to a client computer and allowing connection of iOS mobile devices
to Administration Server and management of iOS mobile devices through Apple Push Notifications (APNs) service.
Collection of settings for connection of iOS mobile devices to Administration Server. The user installs an iOS MDM profile
to a mobile device, after which this mobile device connects to Administration Server.
K
KES DEVICE
A mobile device that is connected to Administration Server and managed through Kaspersky Endpoint Security for
Android.
The person managing the application operations through the Kaspersky Security Center system of remote centralized
administration.
L
LOCAL TASK
M
MDM POLICY
A collection of application settings used for managing mobile devices through Kaspersky Security Center. Different
application settings are used to manage different types of mobile devices. A policy includes the settings for complete
configuration of all application features.
A component of Kaspersky Security Center that provides access to mobile devices and allows managing them through
Administration Console.
N
NETWORK AGENT
A Kaspersky Security Center component that enables interaction between the Administration Server and Kaspersky Lab
applications that are installed on a specific network node (workstation or server). This component is common for all of the
company's products for Windows. Separate versions of Network Agent exist for Kaspersky Lab products developed for
Novell, Unix and Mac.
P
POLICY
A set of application settings in an administration group managed through Kaspersky Security Center. Application settings
can differ in various groups. A specific policy is defined for each application. A policy includes the settings for complete
configuration of all application features.
PROFILE
A collection of settings of Exchange ActiveSync mobile devices that define their behavior when connected to a Microsoft
Exchange server.
Collection of settings for applications operation on iOS mobile devices. A provisioning profile contains information about
the license; it is linked to a specific application.
R
RESTORATION
Relocation of the original object from Quarantine or Backup to its original folder where the object had been stored before
it was quarantined, disinfected or deleted, or to a user-defined folder.
Restoration of Administration Server data from the information saved in Backup by using the backup utility. The utility can
restore:
Information database of the Administration Server (policies, tasks, application settings, events saved on the
Administration Server)
Configuration information about the structure of administration groups and client computers
Repository of the installation files for remote installation of applications (content of the folders: Packages,
Uninstall Updates)
Administration Server certificate
ROLE GROUP
A group of users of Exchange ActiveSync mobile devices who are granted identical administrator rights (see section
"Administrator rights" on page 160).
T
TASK
Functions performed by a Kaspersky Lab application are implemented as tasks, for example: Real-time protection, Full
Scan, Database update.
A task assigned for a set of client computers from arbitrary administration groups and performed on those hosts.
U
UPDATE AGENT
A computer within an administration group that acts as an intermediary node of communication between the computers
in the same group and the Administration Server.
An Update Agent can perform the following functions:
Manage updates and installation packages received from the Administration Server by distributing them to client
computers in the group (including such method as multicasting via UDP).
This feature accelerates the distribution of updates and allows freeing up Administration Server resources.
Distribute policies and group tasks through multicasting via UDP.
Act as a connection gateway to the Administration Server for computers in the group.
If direct connection between managed computers in the group and the Administration Server cannot be
established, the Update Agent can be used as a connection gateway to the Administration Server for this group.
In this case, managed computers will be connected to the connection gateway, which, in its turn, will be
connected to the Administration Server.
The availability of an Update Agent that operates as the connection gateway does not block the option of direct
connection between managed computers and the Administration Server. If the connection gateway is not
available, but direct connection with the Administration Server is technically possible, managed computers will
be connected to the Server directly.
Poll the computer network in which it is located.
Perform remote installation of the application through Microsoft Windows tools, including installation on client
computers without Network Agent.
This feature allows remote transfer of installation packages of Network Agent to client computers located on
networks to which the Administration Server has no direct access.
You can view the full list of Update Agents for specified administration groups by creating a report on the list of Update
Agents.
The scope of an Update Agent is the administration group to which it has been assigned, as well as its subgroups of all
levels of embedding. If several Update Agents have been assigned in the hierarchy of administration groups, the
Network Agent of the managed computer connects to the hierarchically closest Update Agent.
V
VIRTUAL ADMINISTRATION SERVER
A component of Kaspersky Security Center, designed for management of the protection system of a client organization's
network.
Virtual Administration Server is a particular case of a slave Administration Server and has the following restrictions as
compared with physical Administration Server:
Virtual Administration Server can be created only on master Administration Server.
Virtual Administration Server uses the database of the master Administration Server in its operation: data
backup tasks, data recovery tasks, update check tasks, and update download tasks are not supported on the
virtual Server. These tasks exist only on master Administration Server.
Virtual Server does not support creation of slave Administration Servers (including virtual Servers).
VULNERABILITY
A flaw in an operating system or an application that may be exploited by malware makers to penetrate into the operating
system or the application and corrupt its integrity. A large number of vulnerabilities in an operating system makes it
unreliable, because viruses that have penetrated into the operating system may cause operation failures in the operating
system itself and in installed applications.
W
WINDOWS SERVER UPDATE SERVICES (WSUS)
An application used for distribution of updates for Microsoft applications on users' computers in an organization's
network.
KASPERSKY LAB ZAO
Kaspersky Lab software is internationally renowned for its protection: against viruses, malware, spam, network and
hacker attacks, and other threats.
In 2008, Kaspersky Lab was rated among the world's top four leading vendors of information security software solutions
for end users (IDC Worldwide Endpoint Security Revenue by Vendor). Kaspersky Lab is the preferred developer of
computer protection systems among home users in Russia, according to the COMCON survey "TGI-Russia 2009".
Kaspersky Lab was founded in Russia in 1997. Today, it is an international group of companies headquartered in
Moscow with five regional divisions that manage the company's activity in Russia, Western and Eastern Europe, the
Middle East, Africa, North and South America, Japan, China, and other countries in the Asia-Pacific region. The
company employs more than 2000 qualified specialists.
PRODUCTS. Kaspersky Lab's products provide protection for all systems, from home computers to large corporate
networks.
The personal product range includes anti-virus applications for desktop, laptop, and tablet computers, as well as for
smartphones and other mobile devices.
Kaspersky Lab delivers applications and services to protect workstations, file and web servers, mail gateways, and
firewalls. Used in conjunction with Kaspersky Lab's centralized management system, these solutions ensure effective
automated protection for companies and organizations against computer threats. Kaspersky Lab's products are certified
by the major test laboratories, are compatible with the software of many suppliers of computer applications, and are
optimized to run on many hardware platforms.
Kaspersky Lab's virus analysts work around the clock. Every day they uncover hundreds of new computer threats, create
tools to detect and disinfect them, and include them in the databases used by Kaspersky Lab applications. The Kaspersky
Lab anti-virus database is updated hourly, and the Anti-Spam database every 5 minutes.
TECHNOLOGIES. Many technologies that are now part and parcel of modern anti-virus tools were originally developed
by Kaspersky Lab. It is no coincidence that many other developers use the Kaspersky Anti-Virus kernel in their products,
including: SafeNet (USA), Alt-N Technologies (USA), Blue Coat Systems (USA), Check Point Software Technologies
(Israel), Clearswift (UK), CommuniGate Systems (USA), Openwave Messaging (Ireland), D-Link (Taiwan), M86 Security
(USA), GFI Software (Malta), IBM (USA), Juniper Networks (USA), LANDesk (USA), Microsoft (USA), Netasq+Arkoon
(France), NETGEAR (USA), Parallels (USA), SonicWALL (USA), WatchGuard Technologies (USA), and ZyXEL
Communications (Taiwan). Many of the company's innovative technologies are patented.
ACHIEVEMENTS. Over the years, Kaspersky Lab has won hundreds of awards for its services in combating computer
threats. For example, in 2010 Kaspersky Anti-Virus received a few top Advanced+ awards in a test held by
AV-Comparatives, an acknowledged Austrian anti-virus laboratory. But Kaspersky Lab's main achievement is the loyalty of
its users worldwide. The company's products and technologies protect more than 300 million users, and its corporate
clients number more than 200,000.
INFORMATION ABOUT THIRD-PARTY CODE
Information about third-party code is contained in a file named legal_notices.txt and stored in the application installation
folder.
ABOUT NAC/ARP ENFORCEMENT TECHNOLOGY
The NAC Solution/ARP Enforcement technology is legal technology dedicated to securing and regulating access to a
corporate network by ensuring device compliance to corporate security policies.
ENHANCED PROTECTION WITH KASPERSKY SECURITY NETWORK
Kaspersky Lab offers an extra layer of protection to users through the Kaspersky Security Network. This protection
method is designed to combat advanced persistent threats and zero-day attacks. Integrated cloud technologies and the
expertise of Kaspersky Lab virus analysts make Kaspersky Endpoint Security the unsurpassed choice for protection
against the most sophisticated network threats.
Details on enhanced protection in Kaspersky Endpoint Security are available on the Kaspersky Lab website.
TRADEMARK NOTICE
The registered trademarks and service marks are the property of their owners.
Active Directory, Data Access, Internet Explorer, Microsoft, SQL Server, Windows, Windows Server and Windows Vista
are trademarks of Microsoft Corporation registered in the United States and elsewhere.
Apache and the Apache feather logo are trademarks owned by the Apache Software Foundation.
Cisco is a registered trademark or trademark of Cisco Systems, Inc. and / or its affiliates in the United States and certain
other countries.
Linux is a trademark owned by Linus Torvalds and registered in the U.S. and elsewhere.
Mac, Mac OS, Apple, iPhone, and iTunes are registered trademarks of Apple Inc.
Novell is a trademark owned by Novell, Inc. and registered in the United States and elsewhere.
UNIX is a trademark registered in the U.S. and elsewhere; use under license from X/Open Company Limited.
Tasks
Changing the Administration Server ................................................................................................................. 74
Execution........................................................................................................................................................ 66
Export ............................................................................................................................................................. 64
Group ............................................................................................................................................................. 62
Import ............................................................................................................................................................. 64
Local............................................................................................................................................................... 63
Managing client computers .............................................................................................................................. 74
Reports delivery .............................................................................................................................................. 85
Viewing results ................................................................................................................................................ 66
U
Update
distribution ............................................................................................................................................. 145, 146
Retrieval ....................................................................................................................................................... 142
Scan ............................................................................................................................................................. 143
View ............................................................................................................................................................. 145
Update Agents.................................................................................................................................................... 146
Updating the application...................................................................................................................................... 102
User role
add ............................................................................................................................................................... 117
User roles............................................................................................................................................................. 81
User role
add............................................................................................................................................................ 81
assign........................................................................................................................................................ 81
V
Virtual Administration Server ................................................................................................................................. 38
Vulnerability........................................................................................................................................................ 101