KL 002.11.6 en Unit1 v1.0.7
Deployment
002.11.6: Kaspersky Endpoint Security and Management. Unit I. Deployment
1.1 Basics of Kaspersky Endpoint Security for Business
Which products this course covers
What constitutes Kaspersky Security Center
What constitutes Kaspersky Endpoint Security
How Kaspersky Security Center manages computers
How the administrator manages protection via the Console
How policies are applied to computers
How policies work in groups
How tasks are applied to computers
How tasks work in groups
How Kaspersky Endpoint Security for Business is licensed
What Kaspersky Security Center Cloud Console is
1.2 What this course is about
What we will tell you in this course and what not
Where to learn more about the products and features that fall out of scope of this course
What this course includes
2.1 What to install and in what order
2.2 How to organize the process
Tutorial
Setting up internet access
Downloading updates
Selecting devices to be protected
Select encryption key length
Downloading information about plug-ins
Installation package files
Kaspersky Security Network
Installing the license
Vulnerability assessment and patch management
Creating tasks and policies
Configuring email notification
Network polling
What's next
4.1 Requirements for client computers
Kaspersky Endpoint Security 11.6 requirements for the operating system
The virtual platforms supported by Kaspersky Endpoint Security
Minimum hardware requirements
Network Agent installation requirements
4.2 How to change KES components
Installation packages
Settings of a Kaspersky Endpoint Security package
Network Agent package parameters
4.3 How to create a new installation package
4.6 Installation methods
What to do prior to the installation
Available installation methods
4.7 How to remotely install Network Agent and Kaspersky Endpoint Security
Information on the dashboard
Remote installation wizard
Where to monitor the installation
Why install locally
Stand-alone installation packages
How to create a stand-alone package
What to do with stand-alone packages
4.9 How to install the Network Agent via Active Directory
How to install applications via Active Directory
How to publish the Network Agent package in Active Directory using a task
What the task changes in Active Directory
4.10 How to uninstall incompatible applications
Which programs are incompatible and why uninstall them
What if there are incompatible applications?
How to find out if there are any incompatible applications
How to uninstall incompatible applications that have not been found
How to display computers with an incompatible application
How to uninstall incompatible applications using a task
5.1 How to understand that the deployment has been completed
Where to look for information about the deployment
Global statuses
Device selections
Reports
5.2 How the Administration Server discovers computers
Polling types
Where to configure polling
First of all, let us introduce the course and tell you which topics it covers and which it omits. You will also
learn which solutions and products are studied in this course, what they consist of, how they interact and
how they are licensed.
002.11.6: Kaspersky Endpoint Security and Management. 1. Introduction
Unit I. Deployment
This course describes the Kaspersky Endpoint Security for Business solution, which includes several
Kaspersky products. The course does not cover all of them; it covers only those that help
protect a not-too-large Windows network. In this course, a not-too-large network means approximately up
to 1000 endpoints in a single location, and endpoints are servers and workstations running
Windows.
To protect such a network, two Kaspersky Endpoint Security for Business products are necessary:
— Kaspersky Endpoint Security for Windows—to protect computers against threats
— Kaspersky Security Center—to centrally manage the protection
Kaspersky Endpoint Security is an application that not only protects against malware and hackers, but
can also control users’ actions and encrypt files and drives.
Kaspersky Security Center consists of several programs:
— Kaspersky Security Center Administration Server (“Administration Server”, “KSC Server” or
simply “Server” wherever this is unambiguous) stores all the settings, collects events, draws up
reports, etc. It is the Server that manages protection on the administrator’s command.
— The database server maintains the database where the KSC Server stores events and some of
the settings. Other settings are stored on the drive among the KSC Server installation files.
— Kaspersky Security Center Network Agents (further in our course, we will refer to them as
Network Agents, KSC Agents or simply Agents) connect Kaspersky Endpoint Security to the
Administration Server: they receive settings for Kaspersky Endpoint Security from the server and
send events to the server.
— Kaspersky Security Center Administration Console provides a management system interface
for the administrator; the administrator configures parameters in the console, consults reports
and events and manages protection in general. Two consoles are available: traditional MMC and
a web console.
— Kaspersky Security Network: Requests the reputation of programs and webpages from Kaspersky servers,
provides the latest information about threats, protects against zero-day attacks and false positives
— Behavior Detection: Monitors what applications do, but analyzes what a program does in general rather
than its individual actions. Stops applications that behave as malware. In particular,
stops programs that try to encrypt files
— Exploit Prevention: Monitors which files start vulnerable programs, and blocks attempts to start
executable files unless initiated by the user
— Host Intrusion Prevention: Also monitors software activities on the computer. Does not allow programs that
have bad or unknown reputation to change system settings and user’s files.
Prevents them from fiddling around with the operating system and other software
— Remediation Engine: Logs changes to the operating system and rolls back any changes performed by
suspicious programs that have been detected by Behavior Detection, Exploit
Prevention, or File Threat Protection
— File Threat Protection: Scans files whenever the user or a program creates, changes, copies, or starts one.
Blocks operations with malicious files, and quarantines these files
— Web Threat Protection: Scans webpages and files that the user or programs download from the internet.
Blocks dangerous and phishing websites, prohibits downloading malicious files
— Mail Threat Protection: Intercepts email messages, scans their text and attachments, deletes malicious files
from messages
— Firewall: [...] rules. Does not allow an unknown program or a program that has bad reputation to
establish connections
— Network Threat Protection: Scans network packets that the computer receives. Blocks a connection if it detects
indications of a network attack
— BadUSB Attack Prevention: Does not permit connecting new input devices (keyboards, etc.) to the computer
without the user’s consent. Protects against USB devices that pretend to be
keyboards and send malicious commands to the computer
— AMSI Protection: Is responsible for integration with Antimalware Scan Interface (AMSI) in Windows
10 and Windows Server 2016. AMSI is a Windows component that acts as an [...]
— Application Control: Blocks program start according to the configured rules. Secures a computer’s state
by blocking any new applications.
— Device Control: Blocks access to devices according to the configured rules. The administrator can
prohibit access to all or some of removable drives, Wi-Fi adapters, or modems
— Web Control: [...] can prohibit access to social networks, job search and news websites, torrent
trackers, etc.
— Adaptive Anomaly Control: [...] particular computer. At first the component works in Smart Training mode for two
weeks by default. During this time, it monitors activities, informs the administrator
about them, and it is the administrator (rather than the component) who makes the
decision whether a specific activity is normal for a computer.
— Full Disk Encryption: Encrypts all drives’ contents. Protects files on laptops, which may be lost or stolen
— File Level Encryption: Encrypts individual files and folders according to the rules. Protects files on laptops,
which may be lost or stolen
— BitLocker Management: Manages disk encryption via Microsoft BitLocker. Protects files on laptops, which
may be lost or stolen
— Virus Scan: Scans files on the specified schedule. Performs this more thoroughly than File
Threat Protection.
— Endpoint Sensor: Informs the Central Node of Kaspersky Anti-Targeted Attack Platform about the
programs’ activities on the computers, helps to detect Advanced Persistent Threats; [...]
— Integrity check: Ensures that nobody can modify Kaspersky Endpoint Security files
— Checking connection with KSN: Checks KSN accessibility from endpoints
For more details about the components and their settings, refer to Units II and III.
Let’s see how all components of Kaspersky Endpoint Security for Business interact.
The Network Agent connects to the Administration Server on the specified schedule, and also if
For the administrator to see what’s happening in the network, Network Agent sends the following data to
the server:
Security settings
Typically, Agents send only changes in the lists to the server. Once every several hours (3 hours for
some lists, 12 for others), the Server completely synchronizes the lists with the computers.
Administration Server accepts connections from the Network Agents on TCP port 13000. Agents
establish TLS/SSL connections; they encrypt and compress data using the Administration Server
certificate.
For Kaspersky Endpoint Security to protect a computer in a way the administrator wants, the Network
Agent downloads settings for Kaspersky Endpoint Security in the form of policies and tasks from the
Server.
During a synchronization, Network Agent compares the computer’s tasks and policies with those of the
Administration Server, and if the administrator has changed something on the server, the Agent
downloads new tasks and policies.
Usually, computers receive tasks and policies earlier than at a planned synchronization. Network Agents
accept packets on UDP port 15000. If the Server wants an Agent to urgently connect to the Server, it
sends a special signal to this port. When the administrator modifies a task or policy, the Administration
Server contacts Agents on all computers to which this task or policy pertains. During a synchronization,
policies are downloaded only by those computers that have not received the signal from the Server.
The administrator can also send a synchronization request manually, via a computer’s shortcut menu in
the Administration Console.
Additionally, Agents connect to the Server to download updates for Kaspersky Endpoint Security. For this
purpose, they also connect to port 13000 over an SSL connection.
The events and statuses sent by the Network Agents help the administrator understand what is
happening in the network. The Administration Server summarizes statuses of individual computers and
displays them on the Dashboard of the Administration Console.
To better understand what is happening, the administrator can consult reports, which the Administration
Server draws up based on events. There are many search and filter tools in the console that help to
To specify settings for computer protection, the administrator creates tasks and policies in the console:
— Tasks—for operations that have a logical termination. For example, update completes when
Kaspersky Endpoint Security receives all new threat descriptions; virus scanning completes
when all files in the scan scope have been scanned. That is why updates and virus scanning are
configured as tasks, which have schedules.
— Policies—for all the other parameters: how to scan files that the user downloads from the internet
or receives by email, how to scan files opened by programs, which network connections to allow
and which to block. These settings are to be applied permanently to protect the computer; that is
why they are specified in a policy.
If different computers need different settings, the administrator organizes computers into groups and
creates individual policies or tasks within each group. For example, to perform virus scanning on servers
at weekends, and on workstations in the background mode during a business day, the administrator can
create two groups (for servers and workstations) and create virus scan tasks with different schedules for
them.
A policy contains the same parameters as the local settings of Kaspersky Endpoint Security. When the
administrator configures a policy, the local protection settings are changed.
If the option is enabled and the lock appears closed, the parameters are applied to the computers where
the policy is enforced. The user cannot modify the values of these parameters in the local interface of
Kaspersky Endpoint Security.
If the option is disabled and the lock is open, the computer behaves as if this parameter has not been
specified in the policy. The user can change these parameters in the local interface.
Policies are applied to computer groups.
Even if the user has not created any groups, there is the root group on the Administration Server, which is
named Managed devices. If the user wants to create custom groups, they are created as subgroups
within the Managed devices group.
— There may be policies for different applications in a group, for example, the Network Agent policy
and the Kaspersky Endpoint Security policy
— There can be a few policies for the same application in a group, but only one of them can be
active.
The Active policy is the policy that the Administration Server sends to the computers.
An Inactive policy does not influence anything, but the administrator can make it active at any
— If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where there is no
Kaspersky Endpoint Security policy, the parent group’s policy is applied to the subgroup’s
computers as well
— If a group has a Kaspersky Endpoint Security policy, and there is a subgroup where another
Kaspersky Endpoint Security policy is configured, the subgroup’s computers receive the policy
configured within their subgroup. However, required (locked) parameters from the parent policy
are enforced on the subgroup’s policy, and the administrator cannot modify them. In a child
policy, the administrator can edit only the parameters that are not locked in the parent group’s
policy
— The administrator can choose not to apply a group policy to subgroups: in the subgroup’s policy,
clear the checkbox that regulates inheriting parameters from the parental policy. After that, the
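The group and lock rules above can be modelled in a few lines. The following is an added example, not Kaspersky code and not part of the original course: the `Policy` and `Group` classes, the parameter names and the sample hierarchy are assumptions made for illustration, and a cleared inheritance checkbox is modelled as dropping every lock enforced by parent groups.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    """Active policy of one group (hypothetical model, not a KSC API object)."""
    settings: dict                              # parameter name -> value
    locked: set = field(default_factory=set)    # parameters whose lock is closed
    inherit: bool = True                        # "inherit from parent policy" checkbox


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    policy: Optional[Policy] = None             # None: the group has no policy of its own


def path_from_root(group):
    """Return the groups from the root ("Managed devices") down to `group`."""
    chain = []
    while group is not None:
        chain.append(group)
        group = group.parent
    return list(reversed(chain))


def effective_settings(group, local):
    """Resolve what a computer in `group` actually runs with.

    Returns {parameter: (value, source)}. The source is the name of the group
    whose policy enforces the value, or "local" when no closed lock covers the
    parameter and the user's local setting stays in force.
    """
    enforced = {}
    for g in path_from_root(group):
        if g.policy is None:
            continue                            # the parent's policy keeps applying
        if not g.policy.inherit:
            enforced = {}                       # parent locks no longer reach this group
        for param in g.policy.locked:
            # A lock closed higher up wins: the child policy cannot override it.
            enforced.setdefault(param, (g.policy.settings[param], g.name))
    return {p: enforced.get(p, (v, "local")) for p, v in local.items()}


def build_sample():
    """Constructed hierarchy; parameter names are illustrative only."""
    root = Group("Managed devices", policy=Policy(
        settings={"file_threat_protection": "on", "web_control": "off"},
        locked={"file_threat_protection"}))
    servers = Group("Servers", parent=root)     # no policy of its own
    workstations = Group("Workstations", parent=root, policy=Policy(
        settings={"file_threat_protection": "off", "web_control": "on"},
        locked={"file_threat_protection", "web_control"}))
    lab = Group("Lab", parent=workstations, policy=Policy(
        settings={"file_threat_protection": "off", "web_control": "off"},
        locked={"file_threat_protection"}, inherit=False))
    return {g.name: g for g in (root, servers, workstations, lab)}


if __name__ == "__main__":
    groups = build_sample()
    # Constructed local settings of a computer whose user switched protection off.
    local = {"file_threat_protection": "off", "web_control": "off"}
    for name, g in groups.items():
        print(name, effective_settings(g, local))
```

In the sample, computers in Lab run with `file_threat_protection` off because the Lab policy does not inherit from its parents, while `web_control` on Servers stays under the user's control because its lock is open in the root policy.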
The administrator manages update and virus scan settings via tasks rather than the policy.
While there can be only one type of Kaspersky Endpoint Security policy¹, there are many different task
types in Kaspersky Endpoint Security:
— Virus Scan
— Update
— Update rollback
— Inventory
— Add key
— Integrity check
— Change application components
Each task type has its own characteristic settings. For example, a virus scan task has its scope and file
scan settings, an update task has an update source and instructions which updates to download.
Unlike policies, tasks have no locks. All task settings are enforced on the computers and the user cannot
modify them.
Tasks can be created not only by the administrator on the Administration Server, but also by the user in
the local interface. However, if a policy is configured on the Administration Server and enforced on a
computer, it will use only the Administration Server’s tasks. Local tasks will be neither run nor even
displayed in the interface, and the user will not be able to create new local tasks.
¹ One for one or a few product versions. For example, Kaspersky Endpoint Security 10 SP2 has its own policy type, and
Kaspersky Endpoint Security 10 has another. Two policies of a single Kaspersky Endpoint Security version contain the same
parameters, only the values of these parameters differ.
The administrator creates tasks in groups for regular activities, such as virus scanning or downloading
updates.
Similar to group policies, group tasks have their rules:
may differ in the scope and schedule, for example, one of the tasks may scan the whole
computer once a week, and another one, only critical areas but daily.
— If you want to scan the same scope for viruses on different schedules on different computers,
organize the computers into respective groups and create individual tasks within each group. For
example, you can run a full scan on servers during the weekends, and on workstations during
business hours in background mode.
— If there is a task in a group, and there is a subgroup with a task of the same type, the subgroup’s
computers will be running both tasks. Usually, this means that the administrator has not thought
through which tasks are really needed.
You must be especially careful with update tasks. To update Kaspersky Endpoint Security on a
computer, there must be one update task. If an update task is configured within a group and
another one in its subgroup, both will be applied to the computers that comprise the subgroup. If
an update task is running already, another one will return an error if started at the same time.
Consequently, the administrator will keep receiving update errors due to a configuration error
while updates will work correctly.
— Subgroups can be excluded from a task scope. Then the subgroup’s computers will receive only
the subgroup’s task, and the parental task will not be used
Unlike a policy, a task can be created for any list of computers, from a single computer to an arbitrary set
of computers belonging to different groups.
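A configuration check for the update-task pitfall described above, as an added example that is not part of the original course or of Kaspersky Security Center. The `Task` record, the slash-separated group paths and the sample tasks are assumptions; the check only encodes the rules stated here (tasks reach subgroups unless the subgroup is excluded from the task scope).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    """One group task (hypothetical record, not a KSC API object)."""
    name: str
    type: str                 # e.g. "Update", "Virus Scan"
    group: str                # path of the group the task was created in
    excluded: tuple = ()      # subgroup paths excluded from the task scope


def is_within(path, ancestor):
    """True if `path` is `ancestor` itself or one of its subgroups."""
    return path == ancestor or path.startswith(ancestor + "/")


def tasks_for(group, tasks):
    """Tasks that computers located in `group` will run."""
    return [t for t in tasks
            if is_within(group, t.group)
            and not any(is_within(group, ex) for ex in t.excluded)]


def duplicate_tasks(groups, tasks, task_type="Update"):
    """Map each group to its tasks of `task_type` when it receives more than one."""
    findings = {}
    for group in groups:
        names = sorted(t.name for t in tasks_for(group, tasks) if t.type == task_type)
        if len(names) > 1:
            findings[group] = names
    return findings


# Constructed sample: group paths and task names are illustrative only.
GROUPS = [
    "Managed devices",
    "Managed devices/Servers",
    "Managed devices/Workstations",
]

TASKS = [
    Task("Update (all)", "Update", "Managed devices"),
    Task("Update (servers)", "Update", "Managed devices/Servers"),
    Task("Weekly full scan", "Virus Scan", "Managed devices"),
    Task("Daily critical areas scan", "Virus Scan", "Managed devices"),
]

# The same tasks after Servers is excluded from the scope of the parent update task.
TASKS_FIXED = [
    Task("Update (all)", "Update", "Managed devices",
         excluded=("Managed devices/Servers",)),
] + TASKS[1:]

if __name__ == "__main__":
    print("before:", duplicate_tasks(GROUPS, TASKS))
    print("after: ", duplicate_tasks(GROUPS, TASKS_FIXED))
```

Two virus scan tasks in one group are legitimate according to the text, so the check defaults to update tasks; pass `task_type="Virus Scan"` only to list them for review.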
We’ve studied how the components of Kaspersky Endpoint Security for Business interact, and how the
administrator manages them.
Now let us find out which licenses are available for Kaspersky Endpoint Security for Business, and what
makes them different.
There are several levels of licenses in Kaspersky Endpoint Security for Business:
— Cloud: a cloud solution that permits managing security of workstations, servers, and mobile devices via
a web browser. The Administration Server is hosted in Microsoft Azure and Kaspersky staff
takes care of the infrastructure; the administrator only deploys and manages protection. Course
KL 040 ‘Kaspersky Endpoint Security Cloud’ provides detailed information about this solution.
— Select
— Advanced
The last two types of licenses are designed for the on-premises products that we will cover in
this course.
Different licenses permit using different Kaspersky products and different functions within these
products.
You do not need to activate Kaspersky Security Center to use it. Everything which is necessary for
managing workstation protection is available without a license.
In Kaspersky Endpoint Security, a KESB Select license activates the protection and control components.
In Kaspersky Security Center, a KESB Select license activates the mobile device management
functionality. You do not need to activate Kaspersky Security Center to be able to manage only the
protection and control on workstations and servers.
Kaspersky Endpoint Security for Business Advanced permits protecting the same types of endpoints:
workstations, servers and mobile devices, but activates more functions.
In Kaspersky Endpoint Security for Windows, a KESB Advanced license permits using encryption.
In Kaspersky Security Center, a KESB Advanced license allows the customer to use Vulnerability and
Patch Management; specifically, automatically download and install software fixes and updates, create
and deploy images of operating systems with pre-installed applications, etc.
If a customer does not need all KESB Advanced functions, licenses for individual functions are also
available:
— Encryption
— Mobile Device Management
— Vulnerability and Patch Management
Apart from the functionality, these licenses also limit the number of endpoints to be protected.
For example, a customer purchases a license for 100 nodes and, if they later want to protect more devices,
purchases a new license for, say, 150 or 200 nodes.
All the mentioned licenses are usually valid for a year. After that, the customer renews the license for
another year, and so on.
Additionally, Kaspersky supports subscription licenses. These licenses are purchased from special
partners, and the customer pays monthly. The customer can suspend a subscription and resume it later.
With a subscription license, the customer can select which functionality level to use and change the
number of nodes every month if necessary: expand or cut down depending on the current needs.
Kaspersky Security Center Cloud Console is a special Kaspersky Security Center deployed in the cloud
(https://ksc.kaspersky.com). Kaspersky specialists maintain both the Administration Server and DBMS.
The administrator does not need to install the console on a workstation or server, only register with
Kaspersky Security Center Cloud Console and create a workspace for the company.
Kaspersky Security Center Cloud Console enables the administrator to deploy and manage the following
Kaspersky programs:
An administrator can connect to the corporate workspace in Kaspersky Security Center Cloud Console
using a web browser; protection applications and the Network Agent are installed on all corporate
devices.
Virtual machines (Azure VM) are deployed on the MS Azure cloud platform; companies’ workspaces are
created within them. Each workspace is a special instance of Kaspersky Security Center Administration
Server that has a dedicated database in Azure SQL Elastic Pool.
The administration server and the database are deployed automatically after the user completes the
workspace creation wizard.
We will use the ‘workspace’ term when talking about the Administration Server and the database server
If you have worked with an on-premises Kaspersky Security Center or Kaspersky Endpoint Security
Cloud, you know that to be able to connect to the Administration Server, the Network Agent must know
the address of the Administration Server or virtual server (and in case of Kaspersky Endpoint Security
Cloud, the connection port, too).
This is not the case with Kaspersky Security Center Cloud Console. The Kaspersky Security Center
Network Agent does not know the address or port of its workspace. It only knows the workspace’s ID. To
find out the address and port of its workspace, the agent connects to Hosted Discovery Service (HDS) on
port 443.
Hosted Discovery Service is a special service deployed in every Microsoft data center. It polls
workspaces periodically and maintains the ‘Workspace ID – Address – Port’ list.
The Hosted Discovery Service returns the address and port to the agent, after which the agent connects
to its workspace. For the agent to be able to connect to its workspace, ports 23100-23199 and 27200-
27900 must be open in the firewall for outgoing TCP connections to *ksc.kaspersky.com.
Agents must use IDs because a workspace is not bound to a virtual machine. Workspace’s address and
port may change, for example, after a migration to another virtual machine in MS Azure. Migration may be
required for maintenance or load balancing.
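An egress allow-list can be checked against these requirements before agents are deployed. The following is an added example, not part of the original course: the rule format, the `any` destination keyword and the sample rules are assumptions, and the rules are treated as an unordered allow-list on top of a default deny. The ports and the `*ksc.kaspersky.com` destination are the ones stated above.

```python
# Outgoing TCP flows the Network Agent needs, as stated in the text above.
KSC_DEST = "*ksc.kaspersky.com"
REQUIRED = {
    "Hosted Discovery Service": (443, 443),
    "workspace (range 1)": (23100, 23199),
    "workspace (range 2)": (27200, 27900),
}


def allowed_ranges(rules, dest=KSC_DEST):
    """Collect the TCP port ranges that the rules allow towards `dest`."""
    return sorted(
        r["ports"] for r in rules
        if r["action"] == "allow" and r["proto"] == "tcp" and r["dest"] in (dest, "any")
    )


def uncovered(required, allowed):
    """Return the parts of the (low, high) range `required` that no allowed range covers."""
    low, high = required
    gaps, cursor = [], low
    for a_low, a_high in sorted(allowed):
        if a_high < cursor:
            continue                      # lies entirely below what is still needed
        if a_low > high:
            break                         # lies entirely above the required range
        if a_low > cursor:
            gaps.append((cursor, a_low - 1))
        cursor = a_high + 1
        if cursor > high:
            break
    if cursor <= high:
        gaps.append((cursor, high))
    return gaps


def audit(rules):
    """Map each required flow to its blocked port sub-ranges (empty dict: all open)."""
    allowed = allowed_ranges(rules)
    report = {}
    for name, needed in REQUIRED.items():
        gaps = uncovered(needed, allowed)
        if gaps:
            report[name] = gaps
    return report


# Constructed egress rule set (hypothetical format, not a vendor export).
SAMPLE_RULES = [
    {"action": "allow", "proto": "tcp", "dest": "any", "ports": (443, 443)},
    {"action": "allow", "proto": "tcp", "dest": KSC_DEST, "ports": (23100, 23150)},
    {"action": "allow", "proto": "tcp", "dest": KSC_DEST, "ports": (27000, 27500)},
    {"action": "allow", "proto": "tcp", "dest": KSC_DEST, "ports": (27501, 27900)},
    {"action": "allow", "proto": "udp", "dest": "any", "ports": (53, 53)},
]

if __name__ == "__main__":
    for flow, gaps in audit(SAMPLE_RULES).items():
        print(f"{flow}: blocked ports {gaps}")
```

Because the workspace address and port can change after a migration, a rule set that opens only part of a range may work at first and fail later, which is why the check reports partial gaps rather than a yes/no answer.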
To create a workspace, you need a single Kaspersky account. If you do not have one, create it. Only a
valid email address is required for that.
After you create and activate your Kaspersky account, go to ksc.kaspersky.com and create a workspace:
1. Read and accept the terms of Kaspersky Security Center Cloud Console Agreement, Privacy
The current version of Kaspersky Security Center Cloud Console supports only one workspace
per company
4. Select the country where your company is located.
The country you choose defines the location of the Microsoft data center where your data will be
stored and processed
5. Specify the estimated number of devices you plan to protect
6. Enter your activation code or request a trial workspace
If you have selected to create a trial workspace, note that the current version of the Cloud
Console does not support migration from a trial workspace to a commercial one.
Wait for an email message that the workspace has been created (up to 15 minutes). If you do not receive
a message in an hour, contact technical support.
— One workspace per company
At this writing, the Cloud Console does not support managing several companies. A workspace
can have only one primary administrator.
— Activation with a code
You cannot activate a workspace by a key file.
— Migration from a trial workspace to a regular workspace is not supported
Kaspersky offers a 30-day free trial for Kaspersky Security Center Cloud Console. After the trial
period is over, you will not be able to convert a trial workspace to a commercial one. To continue
using Kaspersky Security Center Cloud Console after the trial license expires, you must remove
the trial workspace and create another one with a commercial license.
A hybrid management system consists of on-premises Kaspersky Security Center Administration Servers
and a workspace in Kaspersky Security Center Cloud Console.
In this management scheme, Kaspersky Security Center Cloud Console workspace acts as the primary
Administration Server, and the on-premises Administration Servers are connected to it as secondary
servers.
You can use this scheme as an interim solution during the migration.
A hybrid management scheme is also useful for companies where many users work outside the
company’s office or have many business trips, but it is still necessary to control and protect their devices.
— Avoid issues related to connecting remote devices to an on-premises Administration Server:
access management, accessibility, security, and so on
At the same time, the customer enjoys all the advantages of a single management system.
Kaspersky Endpoint Security for Business includes many products and capabilities. This course does not
cover all of them. It only talks about how to protect a not-too-large network of computers running
Windows operating systems.
That is why this course does not describe all the products that belong to Kaspersky Endpoint Security for
Business; instead, it focuses on:
— Kaspersky Endpoint Security for Windows
— Kaspersky Security Center
— And a little bit of Kaspersky Security for Windows Server
For the same reason, the course does not talk about all the capabilities of Kaspersky Endpoint Security
for Windows and Kaspersky Security Center, but concentrates on how to:
— Install protection on the computers
— Manage computer protection
— Manage the Control components
— Use a single Kaspersky Security Center Administration Server
— Third-party vulnerability and patch management
— Creation and deployment of disks with computer images
— Protection of large, complex and distributed networks using Distribution Points, Connection
gateways or several Kaspersky Security Center Administration Servers
The following courses, which are devoted to other products and technologies, are available:
— Protecting Windows Servers and Embedded Systems (KL 005): 2–3 days
This course consists of presentations and labs, which alternate. The instructor first explains every topic
with slides, and then the students put theory into practice in the labs.
The Student Guide includes all slides and elaborates on all the topics and product settings.
The students complete hands-on exercises using virtual machines. The virtual environment depends on
the class: it can be VMware Workstation, VMware vSphere, Microsoft Hyper-V, etc. The Lab Guide is
designed for VMware Workstation.
Students use five virtual machines, which perform the following roles in the labs:
— Alex-Desktop: Represents a typical desktop computer in a corporate network
— Tom-Laptop: Represents a laptop that may be taken outside the corporate network for some time
In a deployment, all network computers must be protected, and the administrator must be able to manage
protection centrally. To achieve this, you need to install Kaspersky Security Center and Kaspersky
First, install the Kaspersky Security Center Administration Server. The Administration Server centrally
manages protection, and helps to install other components.
The MMC Kaspersky Administration Console is installed automatically along with the Administration
Server. To manage the server remotely, use remote desktop, or install Kaspersky Security Center
Administration Console on the administrator’s computer.
Web Console can also be installed automatically together with the Administration Server; when the
installation completes, the administrator is prompted which Administration Console to start.
In order to protect the network, install Kaspersky Endpoint Security on every computer. Kaspersky
Endpoint Security alone cannot interact with Kaspersky Security Center; install the Network Agent on
every computer to make centralized management possible.
If you need to enforce different settings on different computers, organize the computers into groups. Do
not create more groups than necessary. To be able to easily find computers, import the structure from
Active Directory.
You do not need much time to install all the components of Kaspersky Endpoint Security for Business.
What consumes time is troubleshooting.
To save time, do your homework. Try what you want to implement in a test environment. If you encounter
an issue, think how to solve it, or find a workaround to use in case the issue arises on the network
computers.
However, you are unlikely to stumble upon every possible issue in a test environment. Therefore, in your
real network, start with a small number of computers: 10–20. Try to select different computers to come
upon as many potential issues as possible. If you encounter new issues, return to the test environment,
Stage the deployment: for example, 100 computers at a time. This way, you will discover new issues
gradually, and the number of problem computers will always be small.
At each step, plan some extra time for troubleshooting. Do not proceed to the following step until you
decide how to solve or get around all issues. Whenever possible, solve issues in a test environment
rather than on the network computers.
Today, an IT test environment is usually made of virtual machines. If virtual machines are not available,
use the administrators’ computers for testing.
002.11.6: Kaspersky Endpoint Security and Management. 3. How to install Kaspersky Security Center
Unit I. Deployment
To install the Kaspersky Security Center Administration Server, prepare a computer that meets the
system requirements.
If there are fewer than 1000 endpoints in the network, the Administration Server and the database server
will easily share a single computer. If nodes are more numerous, use a more powerful computer or use a
dedicated computer for the database server.
The Administration Server computer can be either physical or virtual. If you are using a virtual Server,
make sure that the virtual environment meets the system requirements.
— Microsoft Windows Server 2012 Server Core / Foundation / Essentials / Standard / Datacenter
32-bit / 64-bit
— Microsoft Windows Server 2012 R2 Server Core / Foundation / Essentials / Standard /
Datacenter
— Microsoft Windows Server 2016 Server Core / Standard / Datacenter
It is better to use a server to host the Administration Server. However, in small networks (up to a couple
of hundred computers), a powerful workstation will do. Also, you can use a workstation in a test
environment.
You can install the Administration Server on the following non-server versions of Windows:
— Microsoft Windows 10 Pro / Enterprise / Education / Mobile RS5 32-bit / 64-bit
— Microsoft Windows 10 Pro / Enterprise / Education / Mobile RS4 32-bit / 64-bit
— Microsoft Windows 10 Pro for Workstations RS3 / RS4 / RS5 / 19H1 / 19H2 / 20H1 / 20H2
— Microsoft Windows 10 Enterprise 2015 LTSC 32-bit / 64-bit
To install the Administration Server on a virtual machine, use one of the following virtualization platforms:
A virtual machine must meet the operating system, software and hardware requirements.
The Administration Server uses a database for which an SQL server is necessary. The following versions
of SQL servers are supported:
— Microsoft SQL Server
— Microsoft SQL Server 2012 (all editions) 64-bit
— Microsoft SQL Server 2014 (all editions) 64-bit
— Microsoft SQL Server 2016 (all editions) 64-bit
Microsoft SQL Server Express is no longer included with the Kaspersky Security Center distribution.
Starting with Kaspersky Security Center version 10 SP3, administrators must download and install
Microsoft SQL Server Express manually. Remember that Express editions have their limitations and must
not be used for managing a large number of computers (more than 5000). Detailed information about this
is provided in course KL 302.
SQL server can be installed either on the same computer as the Administration Server or on any other
network computer. The Administration Server must have Read and Write access to the SQL database. If
the Administration Server and SQL server are installed on the same computer, access issues do not
arise.
In addition to the operating system, the following software must be installed on the computer:
— Microsoft .NET Framework 4 (install as a Windows component)
— Microsoft Data Access Components 2.8
— Windows Data Access Components 6.0
— Windows Installer 4.5 (is included with the distribution)
Allocate a new computer for the Administration Server. If it is impossible, make sure that Kaspersky
Security Center Network Agent is not installed on the computer. The installer automatically detects
previous versions of Network Agent and prompts the administrator to uninstall it.
Minimum hardware requirements are as follows:
— 1GHz or higher processor (1.4GHz for 64-bit systems)
— 4GB of RAM
— 10GB of free hard drive space (if you plan to use the Vulnerability and Patch Management
functionality, at least 100GB of free hard drive space will be necessary)
A more powerful server is required for any significant number of clients. Recommendations are available
in the Implementation Guide. Practical experience of using the Administration Server in large networks is
summarized in course KL 302. Kaspersky Endpoint Security and Management. Scaling.
Prior to installing Kaspersky Security Center, you should install and configure a database server.
You can download the installer for Kaspersky Security Center from the Kaspersky website
(https://www.kaspersky.com/small-to-medium-business-security/downloads/security-center) or from the
product page on the technical support website (http://support.kaspersky.com/ksc13#downloads).
Two installers are available:
a complete set of its own components, installation packages of Network Agent and Kaspersky
Endpoint Security for Windows, Microsoft .NET Framework and other software, as well as
management plug-ins for all supported products. The size of this distribution is about 1GB
— ksc_<version>_lite_ru.exe—the lite version of the distribution that lacks the installation
package of Kaspersky Endpoint Security for Windows, Microsoft .NET Framework and some
other software; as far as management plug-ins are concerned, only those of Kaspersky Security
Center components are included. The size of this distribution is about 140MB. This distribution
comes in handy when upgrading Kaspersky Security Center components
When the full distribution version is run, the installation shell starts. The installation shell allows you to
select the components to install, for example, the Administration Server or the Administration Console.
You can also extract installation files of the selected components into the specified folder.
The following products are available within the installation shell:
— Kaspersky Security Center Administration Server
— Kaspersky Security Center Administration Console
— Kaspersky Security Center Network Agent
— Microsoft Exchange Mobile Devices Server (a Kaspersky Security Center component designed
for managing mobile devices)
This course covers only Server, Console, Network Agent and Kaspersky Endpoint Security.
You will be able to change almost all of these choices after the installation, except the SQL server type. If
you select Microsoft SQL, you will not be able to switch to MySQL without losing data.
You can switch to another SQL server of the same type without losing data, but it is not easy. You will
need to back up the Administration Server data, reinstall the Administration Server, select another SQL
server, and after that, restore the data from the backup copy.
The Administration Server installer has two modes: Custom and Standard.
Kaspersky Security Center distribution does not include a Microsoft SQL server anymore. You should
deploy and configure a Microsoft SQL or MySQL database server in the network prior to installing
Administration Server
If you select Custom installation and leave all the default settings, the result will be exactly the same as
after the Standard installation.
You can install the Mobile Device Management component on the Administration Server. It enables you
to manage Kaspersky Endpoint Security for Mobile via Kaspersky Security Center. See course KL 010 for
details.
Under the list of components, you can change the location of Administration Server program files. If you
want to move files because drive C: lacks space, consider moving only the shared folder of
the Administration Server. It can be relocated independently of the program files, and it takes up much
more space than the other program files. The path to the shared folder will be configured later in the
installation wizard.
You can install the Web Console application either together with Kaspersky Security Center or on another
computer.
Web Console is included with the distribution of Kaspersky Security Center 13 and the installation wizard
prompts you to specify whether you want to install Web Console together with the Kaspersky Security
Center. If you do not change anything, the Web Console will be installed with the default parameters; in
particular, port 8080 will be used for connections.
Number of computers in the network     Fewer than 100   From 100 to 1,000   From 1,000 to 5,000   More than 5,000
Automatically randomize task start     –                +                   +                     +
Display slave Administration Servers   –                –                   +                     +
Display security settings              –                –                   +                     +
Automatic randomization of the task start applies to the schedules of virus scan, update, vulnerability
search, and other group tasks.
If a task starts simultaneously on many computers, the load on the network and Administration Server
drastically increases. To even out the peak, tasks can start on the computers with a random delay.
The administrator can enable randomization and then specify the randomization range manually or select
automatic randomization. On each computer, the delay is selected randomly within the specified or
automatically chosen range.
If automatic randomization is used, the randomization range depends on the number of computers where
the task starts:
The number of computers   Randomization range
0–200                     0 minutes
200–500                   5 minutes
Slave Administration Servers and security parameters are described in course KL 302 “Kaspersky
Endpoint Security and Management. Advanced Skills”. These functions are rarely used in small and
middle-size networks.
The default settings are the same when the administrator selects either ‘From 1 000 to 5 000’ or ‘More
than 5 000 networked devices.’ If you select the option “More than 5,000 networked devices”, the
installation wizard will recommend that you do not use a free version of Microsoft SQL server. Detailed
information about large networks is provided in technical training KL 302 “Kaspersky Endpoint Security
and Management. Advanced Skills”.
The network size selection only influences a couple of interface settings, which can easily be modified
after the installation. The threshold value that actually makes the difference is 1,000 computers.
Administration Server operation parameters do not depend on the selected network size.
The Administration Server stores events, information about computers and some of its settings in the
SQL database.
The Administration Server supports the following types of SQL servers:
— Microsoft SQL Server
— MySQL
Microsoft SQL Server is an industry standard and is recommended for large networks (5,000 endpoints or
more).
MySQL server has open source code and can run on a Linux operating system. That is why MySQL is
sometimes preferred by state institutions.
Starting with version 10 SP3, Kaspersky Security Center distribution does not include Microsoft SQL
Server Express. The administrator is to install and configure an SQL server unassisted. We recommend
that you do it before you start the Kaspersky Security Center installer.
If you decide to use a Microsoft SQL server, specify the full name of the instance and the name of the
database designed for the Administration Server.
To find the necessary instance in the network, click the button Browse. If it does not show, make sure
that SQL Server Browser service is running on the SQL server. It is disabled by default.
If you have not installed a Microsoft SQL server in advance, you can do it without interrupting the KSC
installation wizard. The SQL server settings page provides two links to Microsoft webpages:
— Microsoft SQL Server 2014 SP2 Express download link (a free version recommended for small
networks up to 5000 endpoints)
— A link to descriptions of Microsoft SQL Server editions, where you will be able to select what you
need
The database for the Administration Server is created by the installer. Later, the Administration Server will
connect to the database to record and extract events.
The installer needs the permission to create a database. The Administration Server will need the read
If the Microsoft Windows Authentication Mode is selected, the installer connects to the SQL server
under the current Windows user account. Meanwhile, the Administration Server will connect to the
database under the account of its service: KL-AK-<*> by default, or the one selected by the administrator
at a previous step.
The current user must have the right to create a database on the SQL server.
If the Kaspersky Security Center administrator does not have permissions to create a database on the
SQL server, the SQL server administrator should create an empty database, and the Kaspersky Security
Center administrator is to specify the names of the instance and database in the installation wizard.
The KL-AK-<*> account (or another one specified by the administrator) must have read and write
permissions for the database. You cannot check this before the installation, but you can grant the
selected account these permissions afterwards, or even specify another account for the Administration
Server service.
If you select the SQL Server Authentication Mode, specify an SQL server account rather than a
Windows account. Both the installer and the Administration Server will use this account to create the
database and record events there.
By default, the SQL Server Authentication Mode is disabled in all supported versions of SQL server. It is
considered to be obsolete and unsafe. Microsoft and Kaspersky recommend using Microsoft Windows
Authentication Mode.
If the SQL server instance is located on another computer, make sure that SQL server allows remote
connections, and that ports are not blocked by the firewall.
If you selected MySQL server, specify the database server address, port (typically, 3306), and database
name.
The database page does not offer a download link for MySQL. You can find MySQL products on the
website www.mysql.org
Specify the username and password to connect to MySQL server. The name and password will be used
by both the installer to create the database, and by the Administration Server to write into it.
In the latest versions of MySQL server, to enable an account to connect to the server, you need to allow a
specific address or computer name to use it on the SQL server side. See MySQL documentation for
details.
When you click Next, the wizard attempts to connect to the specified server under this account. If the
connection fails, the wizard returns an error that describes the issue it encountered.
Then the wizard prompts you to start the installation. The installation may take 5 to 15 minutes depending
on the hardware performance.
On the last page, the wizard offers to start the local MMC or Web Console and proceed with the
installation in the Administration Server Quick Start Wizard. By default, Web Console starts (if it has been
installed).
Usually, Administration Server needs a few minutes to start working and accept connections.
If you select the Custom option when starting the wizard, but agree to the default settings on all wizard
pages, the result will be the same as with the Standard option:
Components:
— Administration Server
— Network Agent
— MMC Administration Console
— Web Console
Installation paths:
— %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center—program files
— %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console 13—program files
— %ProgramData%\KasperskyLab\adminkit—settings
— %ProgramData%\KasperskySC\SC_Backup—the folder for backup copies
Services:
— Kaspersky Security Center Administration Server
— Kaspersky Security Center Network Agent
— Kaspersky Security Center automation object
— Kaspersky Security Network proxy server
— Kaspersky web server
— Kaspersky Activation Proxy
— Kaspersky Security Center 13 Management Service
— Kaspersky Security Center 13 Web Console
— Kaspersky Security Center 13 Web Console Message Queue
Shared folder:
— KLSHARE—local path: %ProgramData%\KasperskyLab\adminkit\1093\.working\Share
User groups (see course KL 302 for details):
— KLAdmins
— KLOperators
Accounts:
— KL-AK-<*>—starts the service of the Kaspersky Security Center Administration Server
— KlScSvc—starts the services of Kaspersky Activation Proxy, Kaspersky Security Network Proxy Server and Kaspersky Web Server
The KL-AK-<*> and KlScSvc accounts have the same permissions as the local
administrator, but are not included in the computer built-in Administrators group
— KlPxeUser—a user account for the PXE server (see course KL 009 for details)
Connection ports:
— 8060—http port of Kaspersky Web Server
— 8061—https port of Kaspersky Web Server
— 8080—https port of the web server of Kaspersky Security Center Web Console
— 13000—for SSL connections of Network Agents
— 14000—for non-SSL connections of Network Agents and Administration Consoles
— 13291—for SSL connections of Administration Consoles
— 13111—port of Kaspersky Security Network proxy server service
— 17000—port of Kaspersky Activation Proxy
— 13299—for SSL connections of Kaspersky Security Center Web Console
SQL server:
— Database name: KAV
Connection address:
— DNS name of the server
Plug-ins:
— Kaspersky Security Center 13 (13.0) Administration Server
— Kaspersky Security Center 13 (13.0) Network Agent
Installation packages:
— Kaspersky Security Center 13 (13.0) Network Agent
— Microsoft Exchange Mobile device server
— iOS MDM Server
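An added example, not part of the course materials: a small audit that compares the TCP listeners on an Administration Server with the default connection ports listed above and flags the ports the list describes as unencrypted (8060, 14000) when they are bound to a non-loopback address. The `netstat -an` sample is constructed, and the report keys are names chosen for this example.

```python
"""Compare listening TCP ports with the Kaspersky Security Center defaults listed above."""

# port -> (purpose, encrypted); None where the list above does not say.
KSC_DEFAULT_PORTS = {
    8060: ("Kaspersky Web Server, http", False),
    8061: ("Kaspersky Web Server, https", True),
    8080: ("Web Console web server, https", True),
    13000: ("Network Agents, SSL", True),
    14000: ("Network Agents and Administration Consoles, non-SSL", False),
    13291: ("Administration Consoles, SSL", True),
    13111: ("Kaspersky Security Network proxy server", None),
    17000: ("Kaspersky Activation Proxy", None),
    13299: ("Web Console, SSL", True),
}

LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample of `netstat -an` output from a hypothetical server.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8060           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8061           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13000          0.0.0.0:0              LISTENING
  TCP    [::]:13000             [::]:0                 LISTENING
  TCP    0.0.0.0:13111          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13291          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:13299        0.0.0.0:0              LISTENING
  TCP    0.0.0.0:14000          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:13000         10.0.0.77:50112        ESTABLISHED
"""


def listeners(netstat_text):
    """Return {port: set of local addresses} for listening TCP sockets."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            addr, _, port = fields[1].rpartition(":")
            found.setdefault(int(port), set()).add(addr)
    return found


def audit(netstat_text):
    """Classify the default ports: reachable in plaintext, or not listening at all."""
    found = listeners(netstat_text)
    report = {"plaintext_exposed": [], "not_listening": []}
    for port, (_purpose, encrypted) in sorted(KSC_DEFAULT_PORTS.items()):
        addrs = found.get(port, set())
        if not addrs:
            # Component not installed, service stopped, or port changed from the default.
            report["not_listening"].append(port)
        elif encrypted is False and addrs - LOOPBACK:
            report["plaintext_exposed"].append(port)
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_NETSTAT)
    for port in result["plaintext_exposed"]:
        print(f"{port}: {KSC_DEFAULT_PORTS[port][0]} is reachable from the network")
    for port in result["not_listening"]:
        print(f"{port}: {KSC_DEFAULT_PORTS[port][0]} has no listener")
```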
Most of these settings can be modified either during the custom installation, or in the product settings
after the installation is finished, or both ways. However, some of the settings cannot be edited at all after
the product is installed; some others are very difficult to change. You should consider the following very
— The path to data files cannot be modified at all, which complies with Microsoft requirements
— To modify the path to the program files, as well as the SQL server address, you will have to
reinstall Kaspersky Security Center
— The type of SQL server (Microsoft or MySQL) cannot be modified at all, at least not in any
supported way.
Web Console does not have to be installed together with Kaspersky Security Center; you can install it on
any other computer like an ordinary application.
The Web Console’s distribution is located in the unpacked Administration Server folder:
Server\Packages\Web Console.
Run the installer and select the language for the installation wizard.
We recommend that you leave the default installation path unchanged.
You can change the Web Console connection port. Port 8080 is used by default.
Web Console installs several services in the system; in this step, the installation wizard prompts you for
the accounts under which these services will run. We recommend that you leave the default choice
unchanged; in this case, the Web Console’s services will run under the Local System and Network
Service accounts.
Now, decide which certificate to use: The installation wizard can generate a self-signed certificate
The most important step is adding trusted Administration Servers. The administrator specifies Kaspersky
Security Centers with which the Web Console will be able to interact.
If the Web Console is being installed on a computer where Kaspersky Security Center is running already,
this Administration Server will automatically appear on the list of trusted servers. Otherwise, you will need
to manually add your Administration Server: specify its address, port and last but not least the path to its
certificate. This certificate will then be copied to the Web Console installation folder.
Web Console uses port 13299 to connect to Kaspersky Security Center by default, but if necessary, you
can change it in the Administration Server properties.
Click the Install button to start the installation and wait for completion (5-7 minutes).
Now, you can either finish the wizard, or start the Web Console using the respective link. To connect to
the console from the administrator’s workstation or any other remote machine, open a browser and go to
https://<IP address>:8080 (or the port that you specified during the installation).
Web Console’s architecture includes numerous components and processes that are hidden from the
user, and there is no need to describe them all in detail. The main component is Server Web
Console, which is based on Node.js; it runs as a separate node.exe process. Other components
run in other node.exe processes; for example, each plugin has a dedicated process.
Separate processes are also used for the message queue processing (nsqd.exe) and logging
(nsq_to_file.exe) subsystems.
The standard Node.js process manager monitors and manages processes. Because of the operating
system limitations, the process manager starts processes under the same account under which it is
running. For this reason, two instances of the process manager run: One under the Local System, and
the other under the Network Service account. Limited permissions are sufficient for most processes; but
some scenarios require elevated privileges.
Now let us see which services Web Console installs in the system:
service is used solely to start the process manager under the Local System account
— Kaspersky Security Center Web Console—SrvLauncher.exe—this service is used solely to start
the process manager under the Network Service account
— Kaspersky Security Center Web Console Message Queue—nsqd.exe—an NSQ-based
The Web Console is a Node.js web server. The server part of the Web Console connects to Kaspersky
The client part of the Web Console is a Single Page Application (SPA). In its most basic form, an SPA is a
web application that literally has only one page, which loads content dynamically. That is, when you
click an interface element in the Web Console, JavaScript code runs that loads the respective modules and
visualizes the requested content. For the user, it looks like a new page has opened.
And what are we supposed to do if the company has several Administration Servers and we want to
The simplest option is to install a dedicated Web Console on each Kaspersky Security Center and work
with them from different browser tabs.
Alternatively, you can use one Web Console as a single entry point and manage several Administration
Servers from it. You will need to add several trusted Administration Servers to the Web Console in this
case.
— Either click Change | Update in Programs and Features (this is the recommended way)
— Or manually edit the configuration file config.json in the Web Console installation folder (the
deprecated method)
If the Web Console has several trusted KSC Servers, the login page will display an additional field,
‘Server name’.
The administrator will need to select which Administration Server to connect to.
— Safari version 14
When you open the Web Console for the first time, Tutorial opens. It is a small demo that tells what is
where in the Web Console.
If you have previously used the MMC console, the Web Console will be very unfamiliar to work with at
first, and we strongly recommend that you read the Tutorial to acquire basic information.
If you’ve closed the Tutorial accidentally or want to re-run it, there is the Show Tutorial link at the bottom
of the main window.
The first time you connect to the Web Console, after you complete or close the Tutorial, the Quick
Start Wizard launches automatically.
— Add a license
The next step prompts you to configure proxy server connection parameters for internet access.
The Administration Server connects to the internet to download updates and communicate with KSN
servers of Kaspersky. Both features use common proxy server parameters.
The settings are rather typical: address, port, optional username and password for authorization, and
an option to bypass the proxy server for local addresses.
The wizard connects to Kaspersky servers and downloads the current antivirus signatures. You do not
need to wait for the download to complete; it will proceed in the background.
The next and most important step is to choose the device types and operating systems to be protected.
Depending on the selected device types, Kaspersky Security Center will offer the Web Console
management plug-ins and installation packages for download. By default, Kaspersky Security Center
offers to protect workstations running Windows.
If you decide to protect other devices later, re-run the Quick Start Wizard and select the necessary
assets.
The next step is to select the encryption key length. Kaspersky Endpoint Security uses the Advanced
Encryption Standard (AES) algorithm to encrypt files and folders stored on computers’ local and
removable drives, as well as entire removable and hard drives.
On the Encryption in solutions page, select one of the following encryption types:
— Lite encryption. This encryption type uses a 56-bit key.
— Strong encryption. This encryption type uses a 256-bit key.
Consult your local laws and regulations when selecting the encryption key length. In some countries,
strong encryption (256-bit) is prohibited by law.
The Quick Start Wizard checks the current list of plugins available on Kaspersky servers. The list is
filtered according to the devices and operating systems selected in the previous steps of the wizard.
After you select plugins, their installation starts automatically in the background. For some plugins, the
administrator must accept the terms of the License Agreement and Privacy Policy.
The next step is to download installation packages for Kaspersky applications that will be managed via
the Administration Server.
The Quick Start Wizard connects to Kaspersky servers and checks the versions of the distributions
available for the selected device types and operating systems to be protected. Typically, only applications
that are officially supported are listed. The Quick Start Wizard does not download legacy or unsupported
programs. After the administrator has selected the distributions (for example, Kaspersky Endpoint
Security for Windows 11), the download begins.
For some plugins, the administrator must accept the terms of the License Agreement and Privacy Policy.
After the Quick Start Wizard completes, you can find the installation packages of Network Agent and
other Kaspersky applications in the Administration Server repository: Discovery & Deployment |
Deployment & Assignment | Installation packages.
The wizard prompts the administrator to accept the Kaspersky Security Network (KSN) statement. KSN is
the name of the cloud-assisted protection technologies of Kaspersky.
KSN provides extra protection for the computers by receiving the latest information about new threats
before this information is added into the traditional anti-malware signatures. In return, Kaspersky will
receive anonymous information about the files and URL addresses processed on the client computers.
The KSN service is described in more detail in the Introduction and in Unit II ‘Protection Management’.
If the administrator selects to participate in KSN, the options that enable the use of KSN and KSN proxy
are activated in the policy. If the administrator selects not to participate in KSN, the use of KSN will be
disabled in the Kaspersky Endpoint Security policy; the use of KSN proxy will be enabled nevertheless.
The use of KSN proxy in the policy is related to the KSN proxy functionality of the Administration Server.
The KSN proxy function is implemented as a service named Kaspersky Security Network proxy server in
the Administration Server. By default, the use of KSN proxy is enabled in the Administration Server
properties.
The next step is product activation. Most Kaspersky products require activation and some, particularly
Kaspersky Security Center and Kaspersky Endpoint Security, can be activated to different levels of
functionality. That is, depending on the license, some functions may be unavailable.
To activate a product, you need a key or a code. Both can represent the customer’s license with all
relevant restrictions.
A key is a file and the product can verify its validity and restrictions locally. A code is just a string and
the product needs to connect to Kaspersky activation service online to verify its validity and restrictions.
Older versions of Kaspersky products can be activated only with a key. All recent versions can be
activated with either a key or a code.
Codes are more useful, because a single code can activate all products that you have purchased. With
key activation, a license often includes several different key files. A key designed for Kaspersky Security
Center cannot activate Kaspersky Endpoint Security, and vice versa. Meanwhile, a single code can
activate both.
Keys are indispensable when you need to activate a product on a computer without access to the
internet. If you have only a code rather than keys, add the code to the key store on the Administration
Server (on the Operations | Licensing | Kaspersky Licenses page of the Web Console). The Server
will automatically download the corresponding keys, which you will be able to export into files.
If computers have no internet access but are connected to the Administration Server, which does have
access, the products on the computers can be activated with a code. The products will verify the code via
In the Quick Start Wizard, you can submit either a key or a code. If what you have is a code, then it’s all
simple: just choose the relevant option, enter the code and wait for the verification. The Administration
Server must be able to connect to the internet at this stage.
For more details about how to activate Kaspersky Endpoint Security on the client computers, refer to
Chapter 3 of this Unit.
If you have a key, then most probably you have more than one of them, and you need to decide which
one to add to the wizard.
It is common practice to specify the key that activates Kaspersky Endpoint Security. You can find out
which one it is by looking into the CompatibilityList.txt file that usually comes along with a key or a code.
You will be able to add other keys later either on the Operations | Licensing | Kaspersky Licenses
You can select to install a key to the client computers automatically. For this purpose, select the checkbox
Automatically deploy key to managed devices. If the Administration Server detects a managed
computer where Kaspersky Endpoint Security is not activated, it will automatically send the key selected
for automatic installation there.
The Vulnerability and Patch Management functionality by Kaspersky is delivered via the Network Agent
and is not related to anti-malware protection or Kaspersky Endpoint Security. The Vulnerability and Patch
Management functionality requires only the Network Agent installed on the client computers. For more
details about Vulnerability and Patch Management please refer to course KL 009.
In the Kaspersky Security Center Quick Start Wizard, you can select which Vulnerability and Patch
Management mode the Administration Server will run:
— Windows Update synchronization—Kaspersky Security Center can act as a local WSUS server,
i.e., client computers will download Windows updates from the Administration Server instead of
the internet
At this stage, the Quick Start wizard creates the policies and tasks necessary for endpoint protection. The
following policies and tasks are always created:

Task | Scope | Schedule | Parameters
Download updates to the repository | Administration Server | Hourly | Source: Kaspersky update servers
Database maintenance | Administration Server | Every Saturday at 1am | Optimizes the database without shrinking it
Backup of Administration Server data | Administration Server | Every other day at 2am | Stores the 3 latest copies, the password is not specified

Policy | Scope
Kaspersky Endpoint Security 11.6 for Windows | The “Managed devices” group
When new
Source: Administration Server
Note that the group Quick Virus Scan task is not created by default anymore. Instead, Background
Scanning is enabled, which scans system areas while a computer is locked. This option is available in
If you want to manage on-demand scanning to the full extent, you will have to create a group scan task
with the necessary settings manually.
The next step is to set up email notification and delivery of reports. To have notifications about important
events sent to the administrator’s mailbox, specify the email address and SMTP server parameters
(address, port and, if necessary, authorization data). These parameters will be used when sending
By default, event notifications are not sent. To receive the information about events by email, turn on
notifications in the event properties. The parameters of Kaspersky Security Center events are configured
in the Administration Server properties; and parameters of Kaspersky Endpoint Security events, in
The wizard does not check whether the specified settings are correct, but lets the administrator do it
with the Send test message button. A test message will be sent to the specified recipient. If the wizard
fails to connect to the SMTP server or fails to authenticate, the corresponding error will be displayed.
Then it is up to the administrator to check the inbox and make sure that the message is actually there.
The wizard starts network polling by Windows tools, which works via network discovery in Windows
Explorer. (It is disabled by default in the operating system.) Do not wait for polling to complete; it will go
on in the background.
The last page of the Quick Start wizard displays the checkbox that allows you to start the remote
installation wizard for deploying Kaspersky Endpoint Security on the network computers. This checkbox is
selected by default, but it is preferable to adopt a deployment plan and stick to it rather than rush into
action:
1. Let the Server discover network computers
2. Check the settings of installation packages to install exactly what is necessary
If necessary, the administrator can start the Quick Start wizard again. In this case, the wizard will create
only the tasks and policies that are missing.
002.11.6: Kaspersky Endpoint Security and Management. 4. How to install Kaspersky Endpoint Security on computers
Unit I. Deployment
Kaspersky Endpoint Security can be installed on the following Microsoft Windows operating systems:
3 The limitations concerning various versions of Windows 10 are described in the Kaspersky knowledge base at
https://support.kaspersky.com/13036
— Microsoft Small Business Server 2011 Essential / Standard x64
— Microsoft Windows Server 2008 R2 SP1 Standard / Enterprise x64 SP1
— Microsoft Windows MultiPoint Server 2011 x64
An important thing to remember is that Datacenter editions of Windows Server are not supported.
Kaspersky Security for Windows Server is designed for their protection.
The list of operating systems includes most Windows versions from Windows 7 / Windows Server 2008
SP2 to Windows 10 20H2 / Windows Server 2019.
Kaspersky Endpoint Security 11.6 for Windows can be installed on the following virtual platforms:
On Citrix PVS, Kaspersky Endpoint Security must be installed with the /pCITRIXCOMPATIBILITY=1
command line switch. Alternatively, you can enable this parameter in the installation package of
Kaspersky Endpoint Security for Windows.
General hardware requirements for Kaspersky Endpoint Security 11.6 are as follows:
— A 1GHz processor (that supports SSE2 instructions)
4 The minimum RAM with which the application can be installed is 768MB
— 2GB of free drive space
The Kaspersky Security Center 13 Network Agent can be installed on all systems supported by
Kaspersky Endpoint Security 11.6 for Windows.
— Processor:
RAM requirements are actually recommendations. The Network Agent can be installed on a computer
In Kaspersky Security Center, installation packages are ready to be installed. A package includes
installation files along with the installation parameters and some product setup parameters. Installation
package parameters in a sense replace the local installation wizard and local setup wizard. Every product
has its own settings. As you know, installation packages are used in the remote installation wizards and
tasks, and for creating stand-alone installation packages.
Kaspersky Security Center includes all packages necessary for deploying the protection system:
— Network Agent
— Kaspersky Endpoint Security for Windows
— iOS MDM Server
— Microsoft Exchange Mobile Devices Server
Packages are stored in the Discovery & Deployment | Deployment & Assignment | Installation
packages node. The following information is available for each package: Name, language and version of
the product, as well as the unique name of the package. You can find the package size in its properties,
which is the total size of all its files.
Packages can be created, modified and removed. If a package is used in an installation task, you can
remove it only after the associated task is deleted. First, delete all tasks that use the package, and then
delete the package.
You can create various installation packages in Kaspersky Security Center. You can use them to install
operating systems, third-party programs, updates and critical fixes for third-party applications, and also to
run various scripts and utilities on the computers. This is described in more detail in KL 009 ‘Vulnerability
and Patch Management’ course. Within the framework of this chapter, we describe only the installation
packages created for Kaspersky programs.
Each package has general properties and settings that depend on the program for which the package
was created. To be able to review the package settings, the application plug-in must be installed in the
console. You can download the plugin right from the Web Console interface: At the top of the page, click
Console settings | Web plug-ins.
The General section of the package properties shows the program version and file size, and also the path
to the package file in the shared folder of the Administration Server. If necessary, an IT employee can
download the installation files over the network and install the application locally.
There is the button Update databases in the general properties of a Kaspersky Endpoint Security
For Kaspersky Endpoint Security to be able to work right after the installation, its installation package
includes the antivirus databases. They become obsolete over time. This is not actually a problem,
because right after Kaspersky Endpoint Security is installed, the update task starts and downloads new
databases.
Sometimes, however, it is necessary that the product is installed with up-to-date databases. For example,
an IT employee may take a stand-alone package to a small branch office with poor internet access. In this
case, the size of the package that the engineer carries on the removable drive is not that important.
Decreasing the traffic of the update task is more important, since it may constitute tens of megabytes if
In this case, you can update databases in the package prior to the installation. Unfortunately, the date of
the last update is not shown in the Web Console, but you can check it in the MMC console: in the general
package properties, in the Databases updated field.
The Update databases button copies a complete set of databases from the Server storage to the
Kaspersky Endpoint Security package. Initially, the databases are supplied within the bases.cab archive
in the installation package. After an update using the Update databases button, the archive is replaced
with a folder named bases. The folder’s volume is comparable to the size of the archive, since
the database files are encrypted and cannot be compressed.
Kaspersky Security Center updates databases in the packages automatically when updates are
downloaded to the repository. However, this is performed only once for each package. If databases have
ever been updated automatically in a package, they will not be updated automatically any more.
In fact, the Kaspersky Endpoint Security package that is added to the storage during the server
installation is updated automatically shortly after, and any other newly created Kaspersky Endpoint
Security package will be updated soon after it is created.
Other parameters of the Kaspersky Endpoint Security package duplicate its interactive installation
parameters. The main parameters are the list of components and the program files folder.
— Firewall
— BadUSB Attack Prevention
— AMSI Protection Provider
— Security Controls
— Web Control*
— Application Control
— Device Control*
— Adaptive Anomaly Control*
— Data Encryption
— File Level Encryption*
— Full Disk Encryption*
— BitLocker Management
— Endpoint Sensor
— Endpoint Sensor
By default, the Standard installation components are selected. Remember that some of the components
only work on workstations, while a package can be installed on any supported operating system. On
server systems, only the following components can be installed:
— Behavior Detection
— Exploit Prevention
— Remediation Engine
— File Threat Protection
— Network Threat Protection
— Firewall
— BadUSB Attack Prevention
— AMSI Protection Provider
— Application Control
— BitLocker Management
— Endpoint Sensor
Although Host Intrusion Prevention settings will also show up in Kaspersky Endpoint Security on servers,
the component will not be actually installed. Kaspersky Endpoint Security won’t control application
privileges on servers, e.g., it won’t block Untrusted applications on servers. The reason why Host
Intrusion Prevention settings are visible on servers is that some of these settings are also used by
the Firewall component. Host Intrusion Prevention and Firewall are described in more detail in Unit II of
this course.
In addition to the components, local tasks are installed. They cannot be deselected in the package
properties and are installed on all operating systems:
— Update
— Update rollback
— Integrity check
— Virus scan
— Full scan
— Critical areas scan
— Custom scan
— The scan task that users can run from an object’s shortcut menu
Those administrators who often use the command line interface can select to automatically add
the installation folder to the %PATH% environment variable. Then they will be able to carry out product
management commands via avp.com without specifying the complete path.
The package has two additional parameters that provide compatibility settings. One of them, Do not
protect the installation process, disables self-defense during the installation. Self-defense prevents
applications (primarily malicious) from modifying Kaspersky Endpoint Security installation files. It also
blocks access to the folder where Kaspersky Endpoint Security files are installed, and to the registry keys
of Kaspersky software. Sometimes, self-defense conflicts with third-party applications, for example, with
backup agents. That is why it can be disabled.
Another parameter is Ensure compatibility with Citrix Provisioning Services. If you want to install
Kaspersky Endpoint Security on a virtual machine image in Citrix PVS environment, enable this option.
One more parameter is the Configuration file. This file defines the configuration settings used by
Kaspersky Endpoint Security after the installation.
The configuration file substitutes the setup wizard of Kaspersky Endpoint Security. If a configuration file is
not specified, the product will use the default settings. However, as soon as the Network Agent connects
to the Server, the Kaspersky Endpoint Security policy will be enforced, which will override the protection
settings. So, a configuration file is necessary if the policy does not regulate some of the product settings,
or for unmanaged devices.
To create a configuration file, install Kaspersky Endpoint Security on a computer, but do not connect it to
the Administration Server; otherwise, the group policy will not allow you to modify the local settings.
Configure Kaspersky Endpoint Security via the local interface as necessary, and save these settings into
a file: in the Settings window, switch to the Manage Settings section.
Kaspersky Endpoint Security does not work without an activation. If an interactive installation takes place,
the code or key can be specified in the setup wizard. Remote installation implies several ways for
activating the installed product. One of them is to specify the key file in the installation package
properties.
In the package properties, you can add only a key; a code cannot be added.
Also, a key or code can be distributed to the selected computers by a special task.
Another option is to select Deploy license key automatically in the properties of key or code on the
Operations | Licensing | Kaspersky Licenses page of the Web Console.
As a last resort, a code or key can be added via the local interface of Kaspersky Endpoint Security.
By default, the Kaspersky Endpoint Security installer looks for and uninstalls incompatible applications:
third-party antiviruses and firewalls.
The list of programs that Kaspersky Endpoint Security can uninstall is rather large, but it is not
exhaustive. Usually, it does not include the most recent versions of protection solutions by other
manufacturers, or uncommon software. How to uninstall applications that Kaspersky Endpoint Security
failed to detect is described at the end of this chapter.
The General section of the Network Agent package is the same as that of Kaspersky Endpoint Security,
but without the button Update databases. The Network Agent has no databases.
The Settings section permits changing the installation folder and also setting the uninstallation password.
If the Network Agent installation folder is not specified explicitly, the standard path is used:
%ProgramFiles%\Kaspersky Lab\NetworkAgent
Agent uninstallation can be protected with a password that can be specified in the package properties.
Even users with administrator permissions will not be able to uninstall the Agent using regular tools
unless they know this password. However, users with administrator permissions can make the Agent
inoperative if they really want to.
If you have not enabled password protection in the Network Agent installation package, enable it in the
Agent policy, where it is also available.
The Connection section of the Network Agent installation package settings contains the Administration
Server connection parameters. The Network Agent installation wizard prompts for these settings during
the local interactive installation.
The main connection parameters are the Administration Server address and ports. Initially, they take
the values specified during the Administration Server installation. If the client computers and
Administration Server belong to different subnets connected via a proxy server, the proxy server
parameters can also be specified in the installation package properties. These standard parameters
include the proxy server address and port, and also the username and password for authentication.
Remember that these parameters will be used by Network Agents when connecting to the Server, not the
other way round.
When it is the Server that initiates a connection to a client computer, for example, to enforce a policy, it
uses a UDP port. To prevent Windows Firewall from blocking requests on this port, the Network Agent
can automatically create the necessary exclusions. To modify this behavior, clear the Open Network
Agent ports in Microsoft Windows Firewall checkbox. By default, the Network Agent accepts
connections on UDP port 15000. This value can be changed both in the package properties and later in
the Network Agent policy.
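One way to audit this exclusion on a managed computer, as an added example that is not part of the course or of Kaspersky's tooling: the PowerShell script below lists what is bound to the Agent's UDP port and which enabled inbound Allow rules cover it, flagging rules open to any program from any address. It uses only built-in Windows cmdlets; the parameter and function names are the example's own, and no rule names are assumed.

```powershell
# Added example (not from the course): audit the Network Agent's inbound UDP port on a managed computer.
# Run in an elevated PowerShell session on Windows 10 / Server 2016 or later.
param(
    # 15000 is the default named in the text; pass the value from the package or policy if it was changed.
    [int]$AgentUdpPort = 15000
)

# A port filter's LocalPort is 'Any', a single port, a range ('15000-15010'), or a list of those.
function Test-PortInSpec {
    param([string[]]$Spec, [int]$Port)
    foreach ($item in $Spec) {
        if ($item -eq 'Any') { return $true }
        if ($item -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($item -match '^\d+$' -and [int]$item -eq $Port) { return $true }
    }
    return $false
}

# 1. Which process, if any, is bound to the port?
$listeners = Get-NetUDPEndpoint -LocalPort $AgentUdpPort -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            ProcessId    = $_.OwningProcess
            ProcessName  = $proc.ProcessName
            Path         = $proc.Path
        }
    }

# 2. Which enabled inbound Allow rules admit UDP traffic to that port, and how tightly are they scoped?
$rules = foreach ($filter in Get-NetFirewallPortFilter -Protocol UDP) {
    if (-not (Test-PortInSpec -Spec $filter.LocalPort -Port $AgentUdpPort)) { continue }
    $rule = $filter | Get-NetFirewallRule
    if ($rule.Direction -ne 'Inbound' -or $rule.Enabled -ne 'True' -or $rule.Action -ne 'Allow') { continue }
    $app  = $rule | Get-NetFirewallApplicationFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        LocalPort     = $filter.LocalPort -join ','
        Program       = $app.Program
        RemoteAddress = $addr.RemoteAddress -join ','
        # A rule open to any program from any address is the broadest form of the exclusion.
        Unscoped      = ($app.Program -eq 'Any' -and ($addr.RemoteAddress -contains 'Any'))
    }
}

"Listeners on UDP $($AgentUdpPort):"
$listeners | Format-Table -AutoSize
"Enabled inbound Allow rules covering UDP $($AgentUdpPort):"
$rules | Sort-Object Unscoped -Descending | Format-Table -AutoSize -Wrap
```

An empty listener table with a matching Allow rule means the exclusion exists but nothing is bound to the port; a listener with no matching rule means Server-initiated requests will be dropped by Windows Firewall.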
Just like the Kaspersky Administration Console, Network Agents may establish encrypted (SSL) or
non-encrypted connections to the Server. SSL is enabled by default. Network Agents automatically download
and use the Administration Server certificate. In networks with strict security requirements, the certificate
can be specified manually to prevent substitution.
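A check an administrator can run before specifying the certificate manually, as an added example that is not part of the course: the script compares the certificate presented on the Server's SSL port with a copy obtained out of band. The parameter names, the certificate file path and the assumption that the port accepts a standard TLS handshake are the example's own; supply the port configured for your Server.

```powershell
# Added example (not from the course): compare the certificate the Administration Server presents
# with a copy of the Server certificate obtained out of band.
param(
    [Parameter(Mandatory)][string]$ServerAddress,   # Administration Server address from the package settings
    [Parameter(Mandatory)][int]$Port,               # the Server's SSL port for Network Agent connections
    [Parameter(Mandatory)][string]$PinnedCertPath   # hypothetical path to the trusted certificate file (.cer)
)

# SHA-256 over the DER encoding, as an upper-case hex string.
function Get-Sha256Fingerprint {
    param([byte[]]$Der)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { [System.BitConverter]::ToString($sha.ComputeHash($Der)) -replace '-', '' }
    finally { $sha.Dispose() }
}

$certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$pinned   = $certType::new((Resolve-Path -LiteralPath $PinnedCertPath).ProviderPath)

# Accept whatever certificate is offered during the handshake: trust is decided by the
# fingerprint comparison below, not by chain validation (the Server certificate may be self-signed).
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $policyErrors) $true
}

$tcp = [System.Net.Sockets.TcpClient]::new()
try {
    $tcp.Connect($ServerAddress, $Port)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
    try {
        $ssl.AuthenticateAsClient($ServerAddress)
        # Copy the certificate so it stays usable after the stream is disposed.
        $presented = $certType::new($ssl.RemoteCertificate)
    }
    finally { $ssl.Dispose() }
}
finally { $tcp.Close() }

$pinnedFp    = Get-Sha256Fingerprint $pinned.RawData
$presentedFp = Get-Sha256Fingerprint $presented.RawData

[pscustomobject]@{
    Server           = "${ServerAddress}:$Port"
    PresentedSubject = $presented.Subject
    PresentedExpires = $presented.NotAfter
    PinnedSha256     = $pinnedFp
    PresentedSha256  = $presentedFp
    Match            = ($pinnedFp -eq $presentedFp)
} | Format-List

if ($pinnedFp -ne $presentedFp) {
    Write-Warning 'Presented certificate differs from the pinned copy: do not build the package from it.'
    exit 1
}
```

Run it from the network segment where the Agents will be installed, since that is the path on which a substituted certificate would appear.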
The advanced parameters of the Network Agent installation package are useful in networks with a
complicated infrastructure. These are described in the courses KL 009 Vulnerability and Patch
Installation packages included in Kaspersky Security Center are usually enough for protecting most
— A new version of Kaspersky Endpoint Security has been released. For an upgrade, just like for
the initial installation, an installation package is necessary. The administrator can either create
the package manually or download the new version of Kaspersky Security Center that includes a
new package version and reinstall Administration Server over the old one (all settings will be
saved).
— It is necessary to remotely install a Kaspersky product that is not included in the distribution of
Kaspersky Security Center, for example, Kaspersky Security for Windows Server. Such
a package needs to be created manually.
— Different parameters are needed in several network parts. For example, according to the
deployment plan, some computers do not need Web Threat Protection and Mail Threat
Protection components. To be able to deploy the system simultaneously on both categories of
computers, create an additional installation package with those non-standard settings.
To create an installation package, in the Operations | Repositories | Installation packages, click the
button Add. This will open the list of available distributions for various versions and localizations.
The administrator does not need to search for the necessary installation files manually. Kaspersky
Security Center monitors current versions of the Kaspersky Security Center, Kaspersky Endpoint
Security, Kaspersky Security for Windows Server and other applications and enables the administrator to
create installation packages from the distributions available on Kaspersky servers.
To search for the necessary application among others, the best choice is to use the filter, where you can
Kaspersky Security Center manages numerous programs by Kaspersky. And the list of updates contains
not only new program versions, but also updates for them, new versions of plug-ins, various localizations
of the same applications. As a result, the list is rather long.
To find what you need, use a filter. In the filter, you can select:
— Components:
    — Controls—Kaspersky Security Center components
    — Workstations—applications for workstation protection, including Kaspersky Endpoint Security
      for Windows
    — File Servers and Storage—programs for protecting servers and storages, for example,
      Kaspersky Security for Windows Server
    — Virtualization—various versions of Kaspersky Security for Virtualization
— Update type:
    — Application distribution packages
    — Management plug-ins
    — Patches
— Updates to display:
    — Only the latest versions
After you apply the filter, the window will show only the updates that meet the specified conditions. You
can also sort the contents by name, type, language and other parameters.
Select the necessary distribution and click the Download and create installation package button;
the Administration Server will automatically complete the job: download the files and create an installation
package from them.
The progress bar will stop at approximately 85% and will be waiting for you to accept the license
agreement.
The Accept button appears dimmed by default; to have it highlighted, scroll the license agreement to the
end.
Here, we will focus on physical devices, because Kaspersky also has specialized protection applications
for virtual machines.
This does not mean you cannot install the applications listed above on virtual machines. You can. But
system resources may be used in a non-optimal manner in this case.
We can now focus on the difference between all three applications, their advantages, strengths and use
cases in corporate infrastructure.
— Kaspersky Endpoint Security for Windows
It was designed for Windows workstations and servers.
This is the flagship cutting-edge Kaspersky application, because it combines advanced malware detection technologies, for example, Behavior Analysis and Adaptive Anomaly Control. The application uses full-disk and file encryption to keep data confidential on the device.
— Kaspersky Security for Windows Server
It was developed to protect Windows servers and storages. Here are some of the unique capabilities of Kaspersky Security for Windows Server compared to Kaspersky Endpoint Security:
    — On a failover cluster, Kaspersky Security for Windows Server can correctly understand the active node change, and apply the same scanning parameters to the shared cluster resources involved in the failover.
    — Kaspersky Security for Windows Server is installed without the interface by default; you can manage it through Kaspersky Security Console, Kaspersky Security Center or the kavshell.exe command line utility. This capability enables the administrators to install Kaspersky Security for Windows Server on Windows Server Core.
    — It can correctly recognize terminal sessions or Remote Desktop Services and send a notification to the current user session if a threat is detected.
    — It can protect NAS (Network Attached Storages) that often run their own proprietary operating systems and connect to the server over specific protocols, which makes them
and capabilities of these products overlap to a large extent. The main distinctive feature of KESS
is installation on embedded systems (ATMs, terminals, kiosks). KESS was designed to minimize
impact on devices with relatively limited system computing powers.
Kaspersky Embedded Systems Security can be installed not only on modern Microsoft Windows
versions but also on legacy versions like Windows XP. The application also supports installation
Kaspersky Security for Windows Server has the following main functions.
It protects:
— The server file system from malware, viruses, ransomware and exploits.
— Remote desktop sessions from web and email threats, also helping control access to third-party web resources.
— Data storages from malicious data transfer via public folders, also preventing encryption attempts on NetApp storages.
Controls
And also
— Analyses operating system logs to detect operation anomalies and server breach attempts.
— Tracks file changes to provide the administrator with information on file operations.
Minimum system requirements:
— Memory: 2GB + additional 512MB if the KL RAM Disk option is enabled in the update task
settings
We presume that the company uses Kaspersky Security Center already, which enables the administrator
to centrally manage Kaspersky products, including Kaspersky Security for Windows Server.
The administrator can use the Quick Start Wizard of the Kaspersky Security Center Administration Server
to facilitate the deployment of Kaspersky Security for Windows Server.
You can use the Quick Start Wizard not only for the initial configuration of the Kaspersky Security Center
Administration Server, but also when you need to add new Kaspersky applications.
Quick Start Wizard does the following:
— Downloads management plug-ins
— Downloads Kaspersky software installation packages
— Creates policies and tasks
— Downloads updates to the Administration Server repository
If you do not want to use the Quick Start Wizard for some reason, you can manually download the
Kaspersky Security for Windows Server distribution package from the official technical support website
(https://support.kaspersky.ru/ksws11#downloads).
You can also download product documentation and Kaspersky Security Center management plug-in from
this website. Both Kaspersky Security for Windows Server (KSWS) and the documentation are localized;
language versions include English, Russian and German.
To run the Quick Start Wizard, select Discovery & Deployment | Deployment & Assignment | Quick
Start Wizard.
As soon as the Quick Start Wizard is completed, Kaspersky Security for Windows Server and Kaspersky
Embedded Systems Security installation packages will appear in the Kaspersky Security Center
repository of Installation Packages:
Discovery & Deployment | Deployment & Assignment | Installation packages. You can check
installation package properties here and edit them if necessary.
Wait for the package to download to the repository and finish the wizard.
In the installation package properties, the administrator can select which Kaspersky Security for Windows
Server protection components to install.
You can always edit an installation package and add or delete components to install. When installing via
Kaspersky Security Center, only two components are required for installation: Kaspersky Security
Center Integration and On-Demand Scan. The Script Monitoring and Firewall Management
components are not installed by default.
In the real world, it is hard to imagine a situation when one would carefully select the components to be
installed. We advise you to use the full set of components for installation. You can decide whether to use
them or not later and adjust the policy settings correspondingly.
Server operating system protection components protect not only operating system files and data, but also the entire server from various modern cyber threats. Operating system protection components are key elements for detecting security breaches: malware propagation over the network, exploiting vulnerabilities, malware execution, elevation of privilege and so on.
— Anti-Cryptor
— Exploit Prevention
— Network Threat Protection
— Script Monitoring
Real-Time File System Protection protects the server from file threats and intercepts files during
execution or reading. However, you can opt out of installing this component if Applications Launch
Control is used and you regularly run a Full Scan or Critical Area Scan task.
Anti-Cryptor detects ransomware activity in public folders on the target server.
Network Threat Protection checks incoming network traffic for behavior patterns typical of network
attacks.
Script Monitoring scans objects and scripts created using Microsoft Windows Script Technologies.
Real-Time File Protection protects terminal or remote desktop sessions against file threats.
Traffic Security Protection components (Web Threat Protection, Mail Threat Protection, Web Control)
intercept objects in the network and mail traffic and scan them for known threats. These components also
provide anti-malware and anti-phishing protection.
Web Control allows or blocks access to websites based on categories, certificates or URLs.
Applications Launch Control—tracks attempts to start programs on the server and allows or blocks
Device Control controls the connection and use of storage devices, CD/DVD read and write drives, USB
flash drives and MTP devices. This protects the server from security threats related to file exchange with
an external device and also limits access to such devices.
Firewall Management allows you to configure parameters and transfer rules for the operating system
firewall.
File Integrity Control monitors file changes that may indicate security breaches on the server.
Log Inspection checks the integrity of the protected server by searching Windows event log for
anomalies.
ICAP storage and RPC storage are counterparts of Real-Time File Protection that work with ICAP and
RPC protocols respectively.
Anti-Cryptor for NetApp protects NetApp shared folders against malicious encryption.
In the package properties, you can specify additional settings to be used during the installation:
— Scan computer for viruses before installation. This setting is disabled by default, because
scanning will take additional time. If you enable it, only the server system memory will be
scanned rather than all the drives and boot sectors. We advise you to select this checkbox if the
server has been running without an antivirus, an antivirus by another manufacturer has been
— Add Microsoft recommended files to exclusions list. Microsoft Knowledge Base includes
many articles with recommendations on how to configure anti-malware software installed on
various Windows versions together with various Microsoft server products (Exchange, Forefront
TMG and so on). If this option is selected, the corresponding exclusions are automatically
created in the Trusted Zone of Kaspersky Security for Windows Server.
recommendations. They concern co-existence of the File Anti-Virus and the antivirus products
that protect Microsoft server applications (Exchange, Forefront TMG, etc.) For example, it is
Servers from the File Anti-Virus scan scope.
— Install the Script Monitoring component only for systems with AMSI support. Allows
Kaspersky Security for Windows Server to better communicate with the AMSI (Antimalware Scan
Interface) and thereby enhances the detection of some attacks, for example, fileless attacks.
These settings replicate the installation settings available in the local setup wizard.
Typically, the administrator manages a few Kaspersky products and/or a few versions of each product
through Kaspersky Security Center. Every product has its policies and tasks in Kaspersky Security
Center. Under these conditions, computers should be grouped by the protection application. You can
prepare the Servers group in advance so that target computers will be moved there automatically.
Prior to installing Kaspersky Endpoint Security on the computers, prepare the following:
What to do | Why
computers | check the progress
Find out computer addresses | If the Administration Server has not discovered a computer, but you know its address, you will be able to start remote installation nevertheless
Find out usernames and passwords of the administrators | If there is a domain, the domain administrator password is sufficient. For non-domain computers, you need to know the
If there are many computers, phase the installation | The more computers, the more issues you will encounter, the longer it will take you to solve them, and the longer the total downtime will be
 | You will encounter at least some of the issues that can arise
Try to test various installation methods in the network, and you will be able to decide how to avoid or
Kaspersky Endpoint Security can be installed in various ways, each with its own specifics and
advantages.
— Remote installation using Kaspersky Security Center
You do not need to go to each computer, you can run the installation on many computers simultaneously, which saves time.
Installation can be started at any time and you will start receiving results in mere minutes.
However, you need to know the administrators’ passwords on the computers, and the computers’ shared folders must be accessible over the network. Often, firewalls or Windows security settings block access to shared folders.
— Installation via Active Directory
Again, you do not need to go to the computers and the installation can be run on many computers simultaneously.
Moreover, you do not need to ensure access to the computers’ shared folders or know the computer administrators’ passwords. The computers will download and install the programs themselves.
On the other hand, the computers must be joined to the domain and the administrator must have enough permissions within the domain to be able to publish the package. A computer does not begin the installation immediately; everything starts only the next time it connects to the domain, meaning, after a restart.
— Installation using third-party tools
The administrators do not only install Kaspersky Endpoint Security, and they may have third-party software installation and management tools.
Specifics depend on the tool, but usually the administrator can install applications remotely on many computers at a time.
— Local installation from a stand-alone package
None of the remote installation methods guarantees 100% success. Computers may not be joined to the domain, their shared folders may be blocked by the firewall, and the administrator may have no third-party computer management tools.
Sometimes, it is easier to go to the computer and install an application locally than
Stand-alone packages that can be generated in Kaspersky Security Center save time during a local installation: you do not need to pass through the installation wizard and configure parameters. Simply run the installer and wait.
For remote installation, use a method that fits your network best.
On the computers where remote installation fails, install the products locally using stand-alone packages.
There are many methods of starting a remote installation in Kaspersky Security Center. All of them are
based on the same mechanism. The difference is in the location of their starting points in the Console and
the number of available settings. The most popular one, especially among novices, is using the ordinary
remote installation wizard.
The Administration Server detects computers where protection solutions are not installed. The MMC
console displays this information on the Monitoring tab of the Administration Server node, in
the Deployment area: the indicator is yellow and a warning is shown. To fix this, the administrator can
click the Enable protection link.
Unfortunately, the main page of the Web Console presents minimal information compared with the MMC console: it is impossible to tell whether protection is installed everywhere and how many devices are unassigned.
There are a few ways to start the remote installation wizard:
— Discovery & Deployment | Deployment & Assignment | Quick Start Wizard
— Open Discovery & Deployment | Deployment & Assignment | Installation Packages, select the necessary package and click Deploy
— Open Devices | Tasks, click Add and select the task type Install application remotely
In addition to the wizard, you can use automatic installation within administration groups.
The product to be installed is selected from the list of available installation packages. The standard
distribution of Kaspersky Security Center contains the installation packages of the current versions of
Network Agent and Kaspersky Endpoint Security for Windows.
If Kaspersky Endpoint Security is selected in the deployment wizard, it will be installed together with the
Network Agent. The wizard not only installs the selected package, but also connects the computers to
the Administration Server by installing the Network Agent on them. If the computers are already
connected, the Network Agent is not reinstalled.
Installation packages of Kaspersky Endpoint Security for Windows and Network Agent can be installed on
any supported operating system: Server or Workstation, 32-bit or 64-bit.
Due to this universality, the installation package of Kaspersky Endpoint Security 11 is relatively large, just
under 200MB. There are no supported ways to reduce the size. The Network Agent package is much
Kaspersky Endpoint Security, unlike the Network Agent, needs to be activated to operate properly. In
the installation wizard, you can explicitly select which code or key should be used to activate the product
from the list of codes and keys added to the Kaspersky licenses repository of the Administration Server. If
necessary, you can add another code or key to the repository without quitting the wizard.
Select a key. The wizard will not just use the selected key for this installation, but also add it to the
Kaspersky Endpoint Security package. The plug-in of Kaspersky Endpoint Security does not support
activation codes in the installation package properties.
To activate Kaspersky Endpoint Security with a code rather than key, do not select anything in the
installation wizard. Instead, open the activation code properties and select Deploy license key
automatically.
Even if you want to install only Kaspersky Endpoint Security, the wizard will prompt you to specify the
Network Agent installation package; this step is required and you cannot skip it.
Select target computers for the installation.
You can select managed computers, groups of computers or individual computers in the wizard.
If you start the wizard right after the Administration Server has been installed, there is only one computer
in the groups, the Administration Server itself. All the other computers discovered by the Administration
Server are in the Discovery & deployment | Unassigned devices node. The Administration Server may
fail to detect some computers: They will be absent from the console.
Why does the wizard suggest selecting groups if there are no computers there? For example, if prior to
deploying protection you’ve imported the computers’ structure from Active Directory. Then you already
have groups filled with computers, and you can install Kaspersky Endpoint Security by groups. How to
import groups and computers from Active Directory is explained in the 5th chapter of this Unit.
Let’s now get back to the scenario where you have no groups. To select computers from among
Unassigned devices or specify addresses of undiscovered computers, click Select devices for
installation.
As you will see later, the remote installation wizard creates a remote installation task based on
the gathered data. If a group is selected, the wizard will create a group task; if computers, a task for
specific computers.
If you click Select devices for installation | Devices, the wizard will show all discovered computers:
those that have already been added to the Managed devices groups and those that are in the
Unassigned devices node so far. In the Unassigned devices node, computers are grouped by domains
and workgroups.
Select the target computers. If you select a group, domain or a top-level node, you will select all
computers within that group, domain or node.
To install Kaspersky Endpoint Security on the computers that the Administration Server failed to discover,
manually add their IP addresses or names. To quickly enter numerous addresses, specify a range.
At the following step, the wizard prompts how to perform remote installation. There are two methods:
— Using Network Agent
Network Agent must already be installed on the computer and must be connected to the current Server.
The Server sends a command to the Agent, the Agent downloads packages to a temporary folder and performs the installation under the Local System account.
The administrator’s name and password do not need to be specified, access to the computer’s shared folders is not required.
— Using operating system tools
Network access to the computer’s shared folders is required.
The Administration Server copies package files to the system shared folder \\<computer name>\admin$. Then the server uses Remote Procedure Call (RPC) protocol to remotely start a service process that will perform the installation and inform the server of the results.
To copy files and start the installation, you need to specify the username and
The wizard always tries to install products using the Network Agent. If the Network Agent is not yet
installed on the computer, installation using Windows tools is tried.
If both Kaspersky Endpoint Security and Network Agent are to be installed on the computer, the wizard
first installs the Network Agent using Windows tools, and then installs Kaspersky Endpoint Security 11
using the Network Agent.
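Because the fallback to operating system tools depends on the admin$ share and RPC being reachable, a pre-flight check over the target list shows which computers will fail before the task is started. The script below is an added example, not Kaspersky code; the function name, the ports (TCP 445 for SMB, TCP 135 for the RPC endpoint mapper) and the sample host names are assumptions, as the page names none of them.

```powershell
# Added example (not Kaspersky code): pre-flight check for remote installation
# "using operating system tools". Run it on the Administration Server under the
# account you plan to give the wizard, so admin$ is tested with the same rights.

function Test-RemoteInstallReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    process {
        foreach ($name in $ComputerName) {
            # Assumption: admin$ is reached over SMB on TCP 445, and TCP 135 is
            # the standard Windows RPC endpoint mapper. The page names neither port.
            $smb = Test-NetConnection -ComputerName $name -Port 445 `
                       -InformationLevel Quiet -WarningAction SilentlyContinue
            $rpc = Test-NetConnection -ComputerName $name -Port 135 `
                       -InformationLevel Quiet -WarningAction SilentlyContinue

            # Try the share only when SMB answers; otherwise the call just times out.
            $share = $false
            if ($smb) {
                try {
                    $share = Test-Path -LiteralPath ('\\{0}\admin$' -f $name) -ErrorAction Stop
                }
                catch {
                    $share = $false   # access denied, or the share is not published
                }
            }

            # Translate the three probes into one finding per computer.
            if (-not $smb) {
                $finding = 'TCP 445 unreachable: host down, or a firewall blocks file sharing'
            }
            elseif (-not $share) {
                $finding = 'admin$ not accessible: insufficient rights, or administrative shares disabled'
            }
            elseif (-not $rpc) {
                $finding = 'admin$ accessible, TCP 135 closed: check that RPC is allowed'
            }
            else {
                $finding = 'Ready for installation using operating system tools'
            }

            [pscustomobject]@{
                ComputerName = $name
                Smb445       = $smb
                Rpc135       = $rpc
                AdminShare   = $share
                Finding      = $finding
            }
        }
    }
}

# Usage with constructed host names:
# 'srv-app01', 'ws-0117' | Test-RemoteInstallReadiness | Format-Table -AutoSize
```

Computers that do not report Ready are candidates for one of the other installation methods, such as a stand-alone package.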
The wizard offers to select restart parameters; however, in most cases neither the Network Agent nor
Kaspersky Endpoint Security 11 installation requires restarting the computer. The Network Agent
installation almost never requires it. During Kaspersky Endpoint Security installation, the necessity to
The default choice, Prompt user for action, works well for workstations. When installing the product on servers, we recommend selecting Do not restart the computer. On a server, a user is unlikely to be present and no one will react to the prompt.
For the user not to postpone the restart for too long, the task displays a warning every 5 minutes by
default and forces computer restart in 30 minutes. The administrator can modify these settings and
the message text.
The Kaspersky Endpoint Security 11 installer can detect and uninstall incompatible applications (various
protection solutions, including antiviruses, firewalls, etc.), which are not recommended to be used
concurrently with Kaspersky Endpoint Security, because this may result in serious problems for users and
computers.
The administrator usually knows which potentially incompatible protection solutions are installed in
the network and should uninstall them beforehand. The programs are recommended to be uninstalled
either by their built-in uninstallers or by Windows tools. The corresponding capability of the Kaspersky
Endpoint Security installer should be regarded only as a contingency measure.
Detection of incompatible applications cannot be disabled⁵, since it is intended to prevent conflicts. You can modify uninstallation settings in the remote installation wizard; this is described in detail at the end of this chapter.
As a result of installing the Network Agent and protection software, computers should become manageable, that is, use the settings of policies and tasks specified on the Administration Server. To actually achieve this, computers must belong to Managed devices rather than Unassigned devices.
If a computer has the Network Agent installed, but is not included in an administration group, it will neither
send its events to the Administration Server, nor will it be included in the reports, nor use the centralized
settings specified by the administrator. It is manageable only locally.
⁵ Cannot be disabled using the interface settings. There is a command-line parameter that disables detecting incompatible applications; if necessary, it can be added to the package description file for remote installations.
If the administrator selects computers rather than groups, the wizard will ask whether it is necessary to
relocate the computers to an administration group, and if yes, into which one.
The selection affects only unassigned devices. If both unassigned and managed computers are on
the installation list, the managed ones will remain in their original groups. This step is displayed only if
Network Agent is installed together with Kaspersky Endpoint Security 11.
Initially, the Network Agent is installed by Windows tools and you need to specify an account for
accessing the target computers. The deployment wizard permits specifying several accounts, in case
different administrator passwords are used on the target computers. The installer tries the accounts in
succession. If the first account has insufficient privileges, the next one is tried, and so on.
Before trying the specified accounts, the installer attempts to act under the Administration Server service
account, which you don’t actually see on the list. However, if the administrator used the default settings
when installing the server, the server service account cannot be used for remote installations. As a result
of an installation with the default settings, the server service starts under the KL-AK-* account that is
created automatically and receives the rights of a local administrator (not literally, but effectively the
same). It has no rights on remote computers.
So, in most cases you have to explicitly specify accounts for accessing the target computers. In a domain
environment, a domain administrator account is the best choice for remote installations. In large
companies, there is usually a special account for remote installations, or the IT personnel accounts have
the necessary rights.
At the last step of the wizard, you can select to run the task immediately. It is often exactly what you are
going to do. To start the task, select the checkbox Run task after Wizard finishes.
The installation wizard uses the settings specified by the administrator to create and immediately start the
product installation task on the selected computers. After that, it automatically opens the task page in the
Web Console.
The task page displays the task progress on the target computers. An installation can be ready for
execution, running, waiting for reboot, completed successfully or return an error. The number of
computers in every status is displayed on the pie chart and in the table.
To check progress on an individual computer, select it and click Device history.
The task log shows the history of each task status change on the computer. The status can be the same, while its description may vary. For example, an installation task log usually contains several records of the Running status, where the first one informs of starting file copying to the remote computer; the second one, of starting the installer; and the third one, of the installation completion.
A typical installation history of a computer shows that first the Network Agent is installed, and then
Kaspersky Endpoint Security. To install the agent, its files are copied into the admin$ shared folder on
the computer. After the Agent is installed, the Administration Server waits for it to connect and start the
Although a single Kaspersky Endpoint Security package fits all Windows versions, installation results
differ on the servers and workstations.
— On workstations, all components selected in the installation package properties are installed.
— On servers, only the following components (if selected in the package):
    — Behavior Detection
    — Exploit Prevention
    — Remediation Engine
    — File Threat Protection
    — Network Threat Protection
    — Firewall
    — BadUSB Attack Prevention
    — AMSI Protection Provider
    — Application Control
    — BitLocker Management
    — Endpoint Sensor
If remote installation fails, it often makes sense to simply go to the computer and install the applications
locally instead of troubleshooting. Especially if such computers are comparatively few.
If you use an ordinary installer, you have to complete the installation wizard. Although it doesn’t take long, it is boring, and you may easily mistype the Administration Server address. It is best to prepare a stand-alone package with all the settings, and install from it.
A stand-alone package in Kaspersky Security Center is a single setup.exe file that includes the
installation files and installation parameters of the product (for example, Kaspersky Endpoint Security). A
stand-alone package can include Network Agent installation files and the Administration Server
connection parameters.
This package is designed for local installation by the IT employees, administrators or users who have
sufficient rights. It saves time and reduces the number of errors.
An extremely simple installation procedure is an advantage of stand-alone packages. No parameters
need to be specified during the installation, as they are already included in the package. This helps to
save time and prevent errors, for example, when specifying the Server connection address.
Also, since the stand-alone package is a single file, it is easier to handle than the standard distribution.
This eliminates the risk of missing some files and reduces the overall installation time.
Stand-alone packages can only be created in the MMC console so far. Stand-alone or ‘1–click’ packages
are created from regular installation packages available on the Installation packages page of the
Administration Server. A special wizard is used that prompts for the installation parameters.
When the Kaspersky Endpoint Security stand-alone installation package is created, the wizard will prompt
to include the Network Agent, so that the target computer could immediately connect to the Administration
Server.
Just like with a remote installation, computers can be moved into the managed category right after
the installation. Leaving protected computers in the unassigned category does not make any sense.
This step appears in the wizard if the Network Agent is installed together with the main package.
If you need to modify the default settings of Kaspersky Endpoint Security or select specific components to
be installed, do it within the properties of the regular installation package before starting the stand-alone
package wizard. The parameters of the installation packages are described earlier in this chapter.
After all the parameters are specified, the wizard generates the setup.exe installation file and places it in
the PkgInst subdirectory of the shared folder on the Administration Server. The folder that contains the
setup.exe file is named after the package. You can find the package later at the following network path:
\\<Administration Server name>\KLSHARE\PkgInst\<stand-alone package name>\setup.exe.
The Administration Server signs stand-alone packages with its certificate by default. This certificate is
self-signed, and Windows will display a warning when the package is run. The administrator can select to
sign packages with another certificate. Specify the necessary certificate in the properties of the
Advanced | Remote installation | Installation packages node, in the Sign stand-alone packages
section.
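Because users see a Windows warning for the default self-signed certificate, it helps to confirm who signed a copy of setup.exe before it is published or run. The following is an added example, not code from the course or from Kaspersky; it assumes the package carries a standard Authenticode signature, and the function name and both parameters are hypothetical.

```powershell
# Added example (not Kaspersky code). Assumption: the stand-alone package carries a
# standard Authenticode signature that Get-AuthenticodeSignature can read.
function Test-StandalonePackageSignature {
    [CmdletBinding()]
    param(
        # Path to setup.exe, for example under \\<Administration Server name>\KLSHARE\PkgInst\
        [Parameter(Mandatory)][string]$Path,
        # Thumbprint of the certificate that is expected to have signed the package
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate
    # Normalise the pinned value: strip spaces and separators, compare in upper case
    $pinned = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $thumbprint = $null
    $subject    = $null
    $selfSigned = $null
    $notAfter   = $null
    if ($signer) {
        $thumbprint = $signer.Thumbprint.ToUpperInvariant()
        $subject    = $signer.Subject
        $selfSigned = ($signer.Subject -eq $signer.Issuer)
        $notAfter   = $signer.NotAfter
    }

    # Order matters: integrity failures first, then signer identity, then chain trust
    if ($sig.Status -eq 'NotSigned') {
        $verdict = 'REJECT: file is not signed'
    }
    elseif ($sig.Status -eq 'HashMismatch') {
        $verdict = 'REJECT: file changed after it was signed'
    }
    elseif ($sig.Status -eq 'NotTrusted') {
        $verdict = 'REJECT: signer certificate is explicitly distrusted on this computer'
    }
    elseif ($thumbprint -ne $pinned) {
        $verdict = 'REJECT: signed by an unexpected certificate'
    }
    elseif ($sig.Status -eq 'Valid') {
        $verdict = 'OK: expected signer, chain trusted on this computer'
    }
    else {
        $verdict = "OK (pinned): expected signer, chain not trusted here (status: $($sig.Status))"
    }

    [pscustomobject]@{
        Path             = $Path
        Sha256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Status           = $sig.Status
        SignerSubject    = $subject
        SignerThumbprint = $thumbprint
        SelfSigned       = $selfSigned
        SignerNotAfter   = $notAfter
        Verdict          = $verdict
    }
}

# Usage (placeholders, replace with your own values):
# Test-StandalonePackageSignature `
#     -Path '\\<Administration Server name>\KLSHARE\PkgInst\<stand-alone package name>\setup.exe' `
#     -ExpectedThumbprint '<EXPECTED-SIGNER-THUMBPRINT>'
```

Run the same check on the copy users actually download (share or http link) and compare the SHA-256 with the copy on the server.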
The wizard suggests that the administrator takes one of the following actions:
— Open folder—for example, to copy it to a flash drive
— Sample HTML code for link publication on a website—a text window opens, which contains
HTML code of the link to the package that can be added to a webpage
— Email link to stand-alone installation package—the Administration Server starts the default
email client and automatically fills in the message subject and body providing a link to
the package located in the shared folder; the only thing the administrator has to do is to specify
the recipients’ addresses
To open the list of created stand-alone packages later, go to the Installation packages page and click
View the list of stand-alone packages. You can delete unnecessary packages or send another email
The HTML link offered by the package wizard contains the path to the shared folder on the Administration
Server. If non-domain users whose accounts have not been added to the Administration Server try to
click it, they will not be able to access the resource.
Replace the link to the network folder with the http link to the package, which can be copied from its
properties. There is a built-in web server on the Administration Server where any user can download
the package from. Each stand-alone package gets a unique http link based on the package id.
The administrator can find the link in the package properties on the list of all stand-alone packages.
If stand-alone package creation wizard is started for a package repeatedly, the administrator can either
re-create the stand-alone package or create another one.
You can also install programs using Active Directory group policies without Kaspersky Security Center.
The principle is as follows. The installation package in Microsoft Installer (.msi) file format is placed into a
shared folder for which the domain computers have Read permissions. In Active Directory, the package is
assigned to a group policy that is applied to the domain computers. When a client computer starts and
logs into the domain, the policy is applied and the installation package is installed automatically, even
before the user logs on to the system.
This installation method can be comparatively easy when implemented manually. Kaspersky Security
To publish the Network Agent package to a domain group policy, in the task (or in the installation wizard),
select Assign Network Agent installation in the Active Directory group policies.
This method is applicable to the Network Agent only, because after the Agent is installed, other programs
are supposed to be installed using the Agent.
For the task to complete successfully, run it under a domain administrator account. For this purpose, add
the domain administrator account to the Account section of the task settings.
If the above-mentioned option is selected, the Administration Server creates a new group named
Kaspersky_AK{GUID} for the accounts of the target computers in Active Directory.
Also, the Administration Server creates a new group policy object named Kaspersky_AK{the same
GUID} at the domain level in Active Directory and assigns installation of the Network Agent MSI package
The permission to apply the policy is granted only to the created group which contains the accounts of
the target computers. So, the domain level policy will be applied to the selected domain computers, not all
domain computers.
After this, the installation is performed as per usual. The policy eventually applies to the computers. At
the next restart, computers download the Network Agent MSI package from the shared folder on
the Administration Server and install it. The installation parameters, which include server address and
ports, are taken from the answer file located in the same folder as the MSI package. Thus, computers
automatically connect to the Administration Server.
If the task is configured to install not only the Agent, but also another program, for example, Kaspersky
Endpoint Security, the installation will resume after the Agent connects to the Server.
The security group and group policy object created by the task persist in the Active Directory until the task
is removed from the Kaspersky Security Center or the Assign Network Agent installation in the Active
Directory group policies option is cleared in the task properties.
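Since the group and the group policy object stay in Active Directory for as long as the task keeps this option, a periodic read-only audit shows whether each policy is still scoped to its own group. This is an added example, not Kaspersky code; it assumes the GroupPolicy and ActiveDirectory PowerShell modules (RSAT) are installed, and the function name is hypothetical. The Kaspersky_AK prefix is the naming pattern given above.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example (not Kaspersky code). Read-only: it changes nothing in Active Directory.
function Get-AgentGpoAudit {
    [CmdletBinding()]
    param(
        # Naming pattern from the course text: Kaspersky_AK{GUID}
        [string]$NamePrefix = 'Kaspersky_AK'
    )

    $gpos   = @(Get-GPO -All | Where-Object { $_.DisplayName -like "$NamePrefix*" })
    $groups = @(Get-ADGroup -LDAPFilter "(name=$NamePrefix*)")

    foreach ($gpo in $gpos) {
        # Trustees that are allowed to apply the policy (its security filtering)
        $applyTrustees = @(Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
            ForEach-Object { $_.Trustee.Name })

        # The group created for the same task has the same name as the GPO
        $group = $groups | Where-Object { $_.Name -eq $gpo.DisplayName } |
            Select-Object -First 1

        $computers = @()
        if ($group) {
            $computers = @(Get-ADGroupMember -Identity $group |
                Where-Object { $_.objectClass -eq 'computer' })
        }

        $findings = @()
        if (-not $group) {
            $findings += 'no security group with the same name'
        }
        if ($applyTrustees -notcontains $gpo.DisplayName) {
            $findings += 'the matching group is not allowed to apply the GPO'
        }
        $extra = @($applyTrustees | Where-Object { $_ -ne $gpo.DisplayName })
        if ($extra.Count -gt 0) {
            $findings += 'apply permission also granted to: ' + ($extra -join ', ')
        }
        if ($group -and $computers.Count -eq 0) {
            $findings += 'group has no computer members'
        }

        [pscustomobject]@{
            Object        = 'GPO'
            Name          = $gpo.DisplayName
            GpoStatus     = $gpo.GpoStatus
            Modified      = $gpo.ModificationTime
            ApplyTrustees = $applyTrustees -join ', '
            Computers     = $computers.Count
            Findings      = $findings -join '; '
        }
    }

    # Groups that no longer have a policy with the same name
    foreach ($g in $groups) {
        if ($gpos.DisplayName -notcontains $g.Name) {
            [pscustomobject]@{
                Object        = 'Group'
                Name          = $g.Name
                GpoStatus     = $null
                Modified      = $null
                ApplyTrustees = $null
                Computers     = $null
                Findings      = 'no GPO with the same name'
            }
        }
    }
}

# Usage: Get-AgentGpoAudit | Format-Table -AutoSize -Wrap
```

An empty Findings column for every row means each policy can be applied only by its own group, which is the scoping described above.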
Kaspersky Endpoint Security is not compatible with other protection solutions. Before the installation,
the conflicting programs must be uninstalled. If you do not do this, the computer may operate slowly and
unstably. In the worst-case scenario, though rare, the computer may hang, restart spontaneously, or
display a blue screen.
Protection solutions co-exist poorly because of the drivers that they install to intercept file operations,
network connections and system calls. The Network Agent does not install any drivers, and therefore
does not conflict with third-party protection solutions.
To uninstall protection solutions by other manufacturers, it is best to use regular tools:
— The applications that have their own centralized management system should be removed via this system
— If possible, uninstall third-party protection using Windows tools
If the incompatible applications cannot be uninstalled using regular tools, the administrator may use the
Kaspersky Security Center functionality for this purpose:
The former option is always enabled in the installation package and reliably uninstalls many widespread
versions of third-party antiviruses and firewalls. However, if you have an uncommon antivirus or a
recently released version, Kaspersky Endpoint Security installer may fail to detect it.
Besides, some of the incompatible applications can be detected by the installer, but cannot be
uninstalled.
If the installer has detected and uninstalled incompatible applications, it will require restarting the
computer to complete the installation of Kaspersky Endpoint Security. It is the only difference compared
to a typical installation. If there are no incompatible applications on the computer, the installer will
install everything without a restart.
The installation task has restart parameters for such cases. By default, the task will show the user a
message that the computer needs to be restarted every 5 minutes, and will force a restart after 30
minutes. The administrator can adjust all these intervals in the remote installation task properties.
If uninstallation of incompatible applications is disabled and a conflicting application is found during the
Kaspersky Endpoint Security installation, the installer returns an error. The error description explains that
the product cannot be installed if incompatible applications are installed on the computer. The
administrator needs to uninstall the conflicting programs and re-start the installation.
If it is a task that installs Kaspersky Endpoint Security together with Network Agent, it will install the
Network Agent and only after that inform about the error. This is handy, because you can use the Agent
If there are incompatible applications on the computer, but the installer fails to detect them, it will
complete the installation as if they did not exist. In this case, the administrator may not know for quite a
while about the conflict. Eventually, the users will complain that a computer works slowly or malfunctions.
When investigating the issue, the administrator will discover that there are several protection applications
on the computer.
The administrator can learn that there are third-party protection applications on the computers from the
Administration Console. The Network Agents send lists of installed software to the server, and you can
find the aggregate list in the Web Console, in Operations | Third-Party Applications | Applications
registry.
If the administrator suspects that there may be protection solutions by other manufacturers in the
network, it makes sense to search for them on the list by the manufacturer name. For example,
Symantec, McAfee and others.
The list of computers where the program is installed is available in its properties. After that, the
administrator will only need to uninstall it.
There is an Administration Server’s task that serves this purpose: Uninstall application remotely.
However, it will not be of any help immediately. The list of applications that the Agent can uninstall usually
coincides with the list of programs that can be removed by the Kaspersky Endpoint Security installer. This
list is updated only when a new version or service pack is released, and new versions and service packs
for Kaspersky Endpoint Security and Kaspersky Security Center are almost always released
simultaneously.
Each program on the list of incompatible applications has an INI file that tells how to detect and uninstall
it.
To uninstall an application that is not included in the list, send the program distribution to KL technical
support and request an INI file for it. Kaspersky experts will need some time to study the application and
develop an INI file for it. This service is available only for comparatively large customers.
Copy the received INI file to the folder with other INI files on the Administration
After that, the Network Agent’s Uninstall application remotely task will be able to remove this program.
Run the task to uninstall all incompatible applications on all computers. Or, to save resources, make a
selection of only those computers where the incompatible application is installed, and run the
To contact technical support, use the companyaccount.kaspersky.com portal. To sign up, specify your
email address and license: Activation key or code.
To request an INI file, create a new request and select the category Make a request for Tech Support.
In the request, select
— Scope—for workstations
— Product name and version—Kaspersky Endpoint Security for Windows 11.x.x.xxxx
— Request type and subtype—Installation and Incompatible Software
Then describe the situation and do not forget to attach the installer of the third-party program that you
want to uninstall.
To uninstall incompatible applications, you need to create an uninstallation task and run it on the
Devices | Device Selections. This page contains the following pre-configured selections:
— There are unprocessed objects
— Many viruses detected
— Protection is disabled
— Security application is not installed
— Unassigned devices with Network Agent
— New networked devices found
— Data encryption errors
— Device has become unmanaged
— Devices with Critical status
— Devices with Warning status
— Devices with Warning and Critical statuses due to vulnerabilities
— Distribution points (previously known as Update Agents)
These selections are hard-coded: They can neither be modified, nor deleted. There is no selection of
computers with incompatible software among them.
To create a selection, click Add.
Unassigned devices do not transfer lists of installed programs to the server. That is why you should
search for computers with incompatible applications either among managed, or among all computers.
By default, a selection does not have any conditions, and it finds all the computers within the specified
scope.
By default, each selection has a macrocondition with numerous microconditions. All microconditions
within the macrocondition are combined with logical AND. Macroconditions are combined with logical OR.
To find computers with an incompatible application, one macrocondition is enough. Open its properties
and switch to the Third-party software details section. Specify the program name in the box Name of
incompatible security application. Save the condition and the selection. The computer selection results
will contain only the computers where this program has been detected.
To display computers with various incompatible applications in a single selection, add macroconditions
and specify the other incompatible applications there.
Now, create an uninstallation task for this selection. Start the task creation wizard on the Devices | Tasks
page, and when prompted for the target computers, choose the created selection. Every time the task
runs it will check the contents of the selection and update the list of target computers.
The wizard shows all the tasks you can create. Each plug-in installed in the console adds tasks of the
respective application to the list. After the standard installation of the Administration Server, you will be
able to create tasks for Kaspersky Security Center and Kaspersky Endpoint Security. The remote
installation and uninstallation tasks are the tasks of Kaspersky Security Center.
To uninstall incompatible applications, select Kaspersky Security Center and Uninstall application
remotely in the task creation wizard.
By default, the wizard offers the task name that coincides with the task type: Uninstall application
remotely. If you are uninstalling a single program, specify its name in the task name. This way, you will
be able to quickly understand in the future whether this task is still necessary, or you can delete it.
Select the target computers. The available options include:
— Picking computers from the Managed devices group and the Unassigned devices node
— Specifying a computer selection name
The last option is convenient for computers that can be defined by conditions relatively easily, e.g.,
computers where incompatible applications have been detected.
Choose the necessary selection; when started, the task will receive an up-to-the-minute list of devices where
the respective incompatible applications are installed.
After that, specify the name of the incompatible application to be uninstalled. You can select several
programs or even all the applications that are included in the list. Selecting more than one program
increases the task run time though, because such a task executes, step by step, the uninstall scripts for
all the selected programs.
The task creation wizard also prompts for the account. In our scenario, the account is not necessary,
because the Network Agent is already installed on the computers and will run the uninstallation task
under the local system account. The account must be specified if the task is run either on computers
without a Network Agent, or on computers where the Network Agent has no administrator permissions.
At the last step of the wizard, you can select to run the task immediately. It is often exactly what you are
going to do. To start the task, select the check box Run task after Wizard finishes.
002.11.6: Kaspersky Endpoint Security and Management. 5. How to organize computers into groups
Unit I. Deployment
Now you know everything to be able to install protection on all network computers:
— How to select components and installation parameters for Kaspersky Endpoint Security
— How to install Kaspersky Endpoint Security and Network Agent remotely
— How to install Kaspersky Endpoint Security and Network Agent using Active Directory
— How to create a stand-alone package for local installation
— How to create several different packages with different parameters
— How to install on discovered and undiscovered computers
— How to understand which programs are installed on which computers
— How to understand that installation has been completed in the network
For this purpose, you can use the installation task results, as well as reports, computer selections and
event selections.
Task results and the information available on the Managed devices group do not always provide
comprehensive information on the protection deployment in the network. Deployment by a single task on
all computers, as well as managing all computers within one group, is characteristic of small networks
only.
For a complete picture, reports are the natural information source. Reports relevant to the deployment
stage are:
The following selections are also very useful at the deployment stage:
— New networked devices found
— Security application is not installed
— Unassigned devices with Network Agent
In the MMC console, information about protection deployment is displayed on the main page: Monitoring
tab of the Administration Server node. The Deployment area contains the number of managed
computers where Kaspersky Endpoint Security is not installed. If it is non-zero, a link to the selection that
includes all these computers is also displayed.
If there are any computers with the Network Agent in the Unassigned devices node, this will be reflected
in the Management scheme area with another link to the corresponding selection of computers.
In the Web Console, unfortunately, the information represented on the main page is rather limited. You
cannot quickly understand on which managed devices Kaspersky Endpoint Security is installed, and
which lack it.
There are only lists of managed devices distributed by statuses. However, the Critical status may include
devices where Kaspersky Endpoint Security is not installed as well as devices where Kaspersky Endpoint
Security is installed, but is not running for some reason.
The only advantage is that you can immediately open the list of devices with non-OK statuses and study
them in more detail.
Computers with the Network Agent must be located within the Managed devices node. If they are
located in the Unassigned devices node, they neither send events to the Administration Server nor
receive tasks and policies from the Server.
That is why the Administration Server displays such computers on the Monitoring page of the MMC
console and in the corresponding selection.
The software version report shows the number of Kaspersky programs installed on managed computers.
In particular, the number of installed Network Agents, Administration Servers and Kaspersky Endpoint
Security instances.
Various versions (builds) of the products are represented separately, which is convenient when upgrading
the products. The report shows how many computers use the current versions of the programs, and how
many run older versions.
The graphic part of the report illustrates the statistics table, which lists all versions of managed products
and the number of installations for each of them.
The Details table gives information on every computer: Which products are installed, which versions, etc.
Computers with a protection application, but without the Network Agent are included in the last category.
If the Network Agent is not installed, the Administration Server does not know whether a protection
solution is installed on the computer. This category also includes the computers where the Network Agent
is installed, but is not connected to the Administration Server. For example, computers where Agents use
an incorrect server address.
The chart and the Summary table show the number of computers in every category. Just like in
the software version report, the Details table shows the version of the Network Agent and Kaspersky
This report is especially useful if the administrator first moves all of the computers into the Managed
devices group, and then starts the deployment tasks. In this case, the report explicitly displays how many
of the managed computers are not connected to the server, and how many of those connected are not
yet protected with Kaspersky Endpoint Security.
If the administrator uses the remote installation wizard for the deployment and always selects
the computers from unassigned devices area, this report is less useful as it does not cover unassigned
devices.
In the deployment wizard or when creating a deployment task, the administrator can select computers
from a list. The Administration Server makes up this list by polling the network. Polls are performed
periodically in several different ways:
— IP subnet polling
The network is polled by the service of the Network Agent installed on the Administration Server rather
than by the Administration Server service. The Network Agents installed on ordinary network computers
do not poll the network.
Polling results are shown in the Discovery & Deployment | Discovery node separately for each
discovery method:
— IP ranges
— Windows Domains—computers detected during Windows network polling are grouped into
workgroups and domains;
computers
The discovered computers are also displayed on the Discovery & Deployment | Unassigned Devices
page.
A computer can be shown in more than one discovery area. If a computer is detected in the HQ domain
and its address is 192.168.0.1, it will be displayed in both the Domains node and in the IP subnets node
in the corresponding folders.
To modify the polling settings for every method, click Discovery & Deployment | Discovery, select the
necessary method and click Properties. You can also start any type of polling manually on their
respective pages.
The Administration Server collects the list of Windows network computers just like the operating system
itself. When a user opens the computer’s network places, the list of neighborhood computers grouped by
domains and workgroups is shown. The Administration Server can acquire the same list.
This polling method is called quick Windows network polling. It hardly places any extra load on the
network. The Computer Browser service is responsible for making up and representing the list of
computers. In every network segment there is the main computer that stores the general list and provides
it when requested. To receive the list, Administration Server only needs to send a request.
In the latest versions of Windows, the Computer Browser service is disabled by default or is not installed
at all. If the Administration Server cannot receive the list of computers from the Computer Browser
service, it sends a request to Active Directory and tries to receive a list of computers from it. This is possible
only if the Administration Server is in an Active Directory domain.
Quick poll is performed every 15 minutes. After a quick poll, the Server receives the list of NetBIOS
names of computers, domains and workgroups.
During a full poll, the Administration Server tries to receive as much information as possible about each
computer from the quick poll results.
For each name, the Server resolves the name into the IP address using NetBIOS, DNS and LLMNR
protocols. For the received addresses, the server performs a reverse resolution into the name, and if this
name does not coincide with the original one, receives the IP address for the new name.
The Server checks whether the IP addresses are accessible using ICMP requests and finally tries to
connect to the computers using SMB and RPC protocols to find out the operating system.
All these numerous requests are necessary because names and addresses of the computers may
change. The Administration Server uses direct and reverse resolution of names and IP addresses to
distinguish new network computers from the old ones that just changed the name or IP address.
As the number of requests is proportionate to the number of computers, the network activity is much
higher than with a quick poll. That is why full poll is performed hourly by default.
In polling results, the Server shows everything it was able to find out about a computer: its name,
address, operating system, etc.
The polling schedule is defined as a start time and a time span. A time span can be as small as a few minutes
or as large as several days or weeks. It is possible to run missed polls. If polling is performed often, this is
not necessary, but it is useful if polling is performed once a week or once a month.
For Windows network polling, the administrator can additionally specify the life span for the information on
the discovered computers. By default, this period is 7 days. If in 7 days a computer can no longer be
detected by Windows network polling, the information about this computer is deleted from the server
database.
This interval can be specified independently for every domain or workgroup. Also, you can specify a
common life span and use it for the whole Windows network.
The Administration Server requests from Active Directory the structure of containers (units) and the list of
computers for each of them.
Additionally, the Administration Server requests the list of users and security groups. Working with AD
users falls outside the scope of this course. See courses KL 010 and KL 302 for details.
In a large network, the total volume of all lists (computers, users, groups) may be very large, and that is
why Active Directory polling is performed every 60 minutes by default.
Polling parameters for Active Directory are similar to those for Windows network polling. There is an
option to turn off this polling method entirely and a schedule.
There is no explicit lifetime parameter for the polling results. Each polling replaces the previous results:
— Deletes the computers and units that have been removed from Active Directory
In the Advanced polling parameters, the administrator can select the polling scope:
— The Active Directory domain to which the Administration Server belongs (the default choice)
To add a domain to the polling scope, specify the address of the domain controller, and the name and
password of the account for accessing it.
You can selectively disable polling for some organizational units in their properties.
When the administrator changes the polling scope, after the next polling, the Server will show only the
new scope contents. For example, if the administrator has disabled polling within a unit, after the next
polling, the Administration Server will delete all the information about the contents of this unit from its
database. Also, if the Server scanned several domains previously and the administrator deletes one of
the domains from the list, after the next polling, the Server will delete all data about this domain from its
database.
IP range polling works similarly to full Windows network polling. However, the original list of computers is
not received as a result of quick polling; it is the list of IP addresses from the IP ranges specified by the
administrator.
The server tries to resolve each address into a name, and the name into an address again; then checks
whether the address answers ICMP ECHO REQUESTs, etc.
To find out the device type, the Server also sends SNMP requests.
The polling results include only those computers that answered the ICMP request.
Initially, the Administration Server gets IP ranges for polling from the network settings of the computer
where it is installed. If, for example, the computer address is 192.168.0.1 and the subnet mask is
255.255.255.0, the Administration Server automatically adds the 192.168.0.0/24 subnet to the scan
list and polls all addresses from 192.168.0.1 to 192.168.0.254.
IP subnets polling parameters include the list of polled IP subnets, the enabling checkbox and the
schedule. When this polling method is enabled, the default period is 420 minutes (7 hours).
In order to poll subnets to which Administration Server does not belong, you need to add them to the list
manually. You can specify a subnet using either its address and mask, or the first and last IP address of
The life span for the polling results is 24 hours by default. If an IP address is not verified by polling in 24
hours, it is removed from the results. Such a short life span tries to account for dynamic IP addresses
(assigned over DHCP protocol), which can change frequently. When modifying the settings, make sure
One subnet can comprise several IP ranges. Additional ranges are configured in the subnet properties.
Whereas named subnets are not allowed to overlap, ranges may overlap within a subnet.
You can enable and disable scanning independently for every subnet.
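Before adding subnets by hand, it is worth working out what each address and mask pair expands to and whether any two named subnets overlap. This is an added example, not part of the course or the product; the function names are hypothetical, and every subnet except 192.168.0.1 / 255.255.255.0 is constructed sample data.

```powershell
# Added example (not Kaspersky code): derive the polled host range from an address
# and mask, then report named subnets that overlap each other.
function ConvertTo-IPv4Number ([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network byte order -> little-endian
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IPv4Number ([long]$Number) {
    $bytes = [BitConverter]::GetBytes([uint32]$Number)
    [Array]::Reverse($bytes)
    $bytes -join '.'
}

function Get-PollRange {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Mask
    )
    $ip   = ConvertTo-IPv4Number $Address
    $size = 4294967296 - (ConvertTo-IPv4Number $Mask)   # number of addresses in the subnet
    if (($size -band ($size - 1)) -ne 0) { throw "Mask $Mask is not contiguous" }
    if ($size -lt 4) { throw "Mask $Mask leaves no host range to poll" }

    $network = $ip - ($ip % $size)
    $prefix  = 32 - [int][math]::Round([math]::Log($size, 2))
    [pscustomobject]@{
        Name      = $Name
        Cidr      = '{0}/{1}' -f (ConvertFrom-IPv4Number $network), $prefix
        FirstHost = ConvertFrom-IPv4Number ($network + 1)
        LastHost  = ConvertFrom-IPv4Number ($network + $size - 2)
        Start     = $network                    # numeric bounds, used for overlap checks
        End       = $network + $size - 1
    }
}

function Find-SubnetOverlap {
    param([Parameter(Mandatory)][object[]]$Subnets)
    for ($i = 0; $i -lt $Subnets.Count; $i++) {
        for ($j = $i + 1; $j -lt $Subnets.Count; $j++) {
            $a = $Subnets[$i]
            $b = $Subnets[$j]
            # Two intervals overlap when each one starts before the other ends
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                [pscustomobject]@{ First = $a.Name; Second = $b.Name; Cidrs = "$($a.Cidr), $($b.Cidr)" }
            }
        }
    }
}

$plan = @(
    Get-PollRange -Name 'Server LAN' -Address '192.168.0.1' -Mask '255.255.255.0'   # from the text
    Get-PollRange -Name 'Branch'     -Address '10.10.0.0'   -Mask '255.255.0.0'     # constructed
    Get-PollRange -Name 'Branch lab' -Address '10.10.20.0'  -Mask '255.255.255.0'   # constructed
)
$plan | Format-Table Name, Cidr, FirstHost, LastHost
Find-SubnetOverlap $plan | Format-Table
```

With this sample data, Server LAN expands to 192.168.0.1 through 192.168.0.254, and Branch and Branch lab are reported as overlapping, so Branch lab would have to become an additional range inside Branch rather than a named subnet of its own.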
If you want to monitor polling, you can do it only in the MMC console. When the network is being polled,
the Advanced | Device discovery page displays the progress. Detailed information is available in the
Administration Server statistics (Administration Server properties: Advanced | Administration Server
operation statistics). There you can find the time of the last poll performed by each method, polling
progress percentage and the name of the polled domain for Windows network polling.
The administrator can configure notifications about new computers found in the network.
The corresponding event is available in the properties of the Administration Server, and you can enable
To receive information about new computers, open the Event configuration tab in the Administration
Server properties. Find the event New device found on the Info tab. Open the event properties and
enable the option Notify by email.
For notifications, the Server uses the parameters that you specified in the Quick Start wizard when
installing the Administration Server. If you are not sure that the correct delivery parameters have been
specified, check them in the General | Notification section in the server properties.
After the initial installation, there is only one group on the Administration Server—Managed devices.
With a single group, the same protection policy and task schedule is applied to all computers, which is not
always preferred.
Even in small networks, it may be necessary to use different protection settings for servers and
workstations. In large networks, where different groups of users need various types of software, the
capability to create policies with different exclusions for different users is extremely useful. The computers
must be placed into different groups to be able to apply different policies [6].
From a practical point of view, it is convenient when computers in Kaspersky Security Center are
organized into the same groups as in Active Directory, or into groups corresponding to IP subnets used in
the organization. This way, the administrator can quickly understand where the computer is located to
send an IT employee there.
There are also other examples of group use. Often, especially in large networks, the administrators create
groups to organize the deployment process. Computers without the Agent or a protection application are
placed into the Deploy Agent group, where the Network Agent automatic installation task is created. The
computers with installed Agent are moved into the Uninstall Incompatible Apps group, where the task
for uninstalling incompatible applications is configured. The computers without incompatible applications
are moved into the Deploy KES group, where the task of automatic installation of Kaspersky Endpoint
Security is created. Finally, the completely protected computers are moved into the permanent
management structure.
Unlike the MMC console, where groups are created as simply as folders in Windows Explorer, Web
Console can be a bit challenging. First, groups are created within the Managed devices node. Then you
can create new groups either in the same node or inside the created groups.
To create a new group in Web Console, click Devices | Hierarchy of groups. Then select the group
within which you want to create a subgroup and click Add.
Enter the name of the group in the window that opens. It will then appear as a subnode in the structure of
managed devices.
If a group is no longer necessary, you can delete it on the condition that there are no computers in either
the group or subgroups.
Groups can be moved within the hierarchy of managed devices. For example, if the structure of groups
reflects physical computer locations and the HR department moves from Building 1 to Building 2, the HR
subgroup can be easily relocated together with its computers from the group Building 1 to the group
Building 2. For this purpose, select the group that you want to move, click Move, and specify the group
into which you want to move it.

[6] Starting with version 10 Service Pack 1, Kaspersky Security Center provides the capability to apply different configuration
profiles to different computers within the same group. For more details, refer to course KL 302.
Another method of creating a subgroup is to open the properties of the parent group. On the General tab,
there is the Add button that creates a subgroup.
At first sight, it is not quite clear how to navigate within the group structure in the Web Console. However,
there is an almost imperceptible navigation button: Devices | Groups, which displays the existing group
structure, and when you select a group, the list of its policies opens. The Change Structure button
In the Web Administration Console, you can move computers using one method only, which is applicable
to managed and unassigned devices. Select one or several computers, click Move to Group, and specify
the target group.
If the network is large enough and the planned structure of managed devices requires a large number of
groups, creating a hierarchy using the methods described above can be very labor-intensive. Sometimes
it is easier to import a group structure from the network polling results or from a text file.
If administrators want to arrange the managed devices in the exact same order as their network, to
combine them into the same workgroups or domains and subdivisions, they can use the structure import
functionality.
You can import the structure of your Windows network, Active Directory or a structure defined in a text
file. In the first two cases you may import either the entire structure (groups including computers) or just
groups. When importing the topology from a text file, only groups can be created.
Computer import affects unassigned hosts only. If some computers from a workgroup or an Active
Directory unit that is being imported are already present in a group of managed devices, the wizard will
not relocate them.
To run the wizard, select the Managed devices group and click Import. In the wizard, specify the
structure to be imported and the destination group. You can also import only a structure from Windows
network or Active Directory, and disable importing the computers.
Windows network topology and a structure defined in a text file are always imported completely. When
importing an Active Directory structure, you can select the domain or unit to be imported. The other
domains and units will be ignored.
The wizard is designed for initial creation of the structure of managed devices. It is not intended for
regular synchronization of the Kaspersky Security Center structure with, for example, Active Directory. If
you need to synchronize, configure the computer relocation rules.
A structure import via a text file must be prepared manually. Every group or subgroup must be specified
on a separate line within the text file. Subgroups are specified using their full paths. Use the backslash
path delimiters, for example:
Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1
If a subgroup path contains groups that do not exist yet, they are created.
Groups created during the import procedure are completely identical to the groups created manually. You
can rename, move, delete them, etc.
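The text-file format described above can be previewed before running the import wizard. The following is an added example, not part of the course material or the product: `plan_import` is a hypothetical helper that lists every group the file would cause to be created, including intermediate parents, and its check for empty path components is this script's own.

```python
# Sample file content taken from the example in the text above.
SAMPLE = r"""Office1\Subdivision1\Department1
Office1\Subdivision1\Department2
Office2
Office3\Subdivision1
"""

def plan_import(text, existing=()):
    """Return (groups_to_create, problems) for a group-structure text file.

    existing: full paths of groups already present under the destination group.
    Each line is one full path; path components are separated by backslashes.
    """
    seen = set(existing)
    to_create, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                      # skipping blank lines is this script's choice
        parts = line.split("\\")
        if any(not part.strip() for part in parts):
            # e.g. a doubled or trailing backslash; flagged here, not by the product
            problems.append((lineno, "empty path component"))
            continue
        path = ""
        for part in parts:
            # Walk from the top: every missing ancestor is created first.
            path = part if not path else path + "\\" + part
            if path not in seen:
                seen.add(path)
                to_create.append(path)
    return to_create, problems

if __name__ == "__main__":
    created, issues = plan_import(SAMPLE, existing=["Office1"])
    for group in created:
        print("create:", group)
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
```
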
If groups in Kaspersky Security Center are to reproduce IP subnets or Active Directory units, the
administrator can easily automate the computers’ distribution into the groups. Computer relocation rules
serve this purpose.
The list of relocation rules is located on the Discovery & Deployment | Deployment & Assignment |
Moving Rules page.
In some cases, computer relocation rules are created automatically in the Kaspersky Security Center. For
example, when the administrator selects to move unassigned devices into a group in the remote
installation wizard or when creating a stand-alone package, the Administration Server creates a relocation
rule for this operation. These rules can be viewed on the list and can be disabled, but cannot be deleted
or edited. The server deletes them automatically when the corresponding task or stand-alone package is
deleted.
— Where to move—the name of the group in the structure of managed devices where the hosts
matching the rule conditions will be relocated
When creating a rule, specify its name. Use one that explains the rule purpose, since only the names are
shown on the rule list. Also, you will need to select the destination group—where to move the computers.
Afterwards, decide when to apply the rule to the computers. Three capabilities are available:
— Run once for each device—as soon as the rule is created, it will be applied to all computers in
the server database, and then it will be applied only to new computers when they are discovered
— Run once for each device, then at every Network Agent reinstallation—is similar to the previous
option, but if the Network Agent is reinstalled on a computer, the rule will be reapplied to such
a host
manually moved to another group, the Administration Server will immediately return it to
the location specified in the rule. If the computer attributes are changed, a permanent rule will
react accordingly, while a one-time rule will not
The rules created by the Administration Server for installation tasks and stand-alone packages use the
Run once for each device, then at every Network Agent reinstallation option.
Permanent rules are more convenient in a sense, but create a persistent computational load on the
Administration Server.
Other rule settings specify the conditions the computer must meet for the rule to be applied. The first
condition is located in the General section and is named Move only devices that do not belong to an
administration group.
With this option selected, a rule, even a permanent one, will not prevent the administrator from manually
moving computers between groups. It affects only unassigned devices. To apply such a rule to a computer
within a group, just delete the computer from the group. When deleted from the managed devices
structure, the computer becomes unassigned and the rule will apply to it.
If the Move only devices that do not belong to an administration group checkbox is cleared, the rule
applies to all computers in the server database and the corresponding computers are moved into the
specified group no matter what happens. This does not prevent the administrator from deleting these
computers from the Administration Server database, though.
Many of the relocation conditions are related to the network attributes of the computers:
— NetBIOS name
— DNS domain
— IP address
— Server connection IP address (if a computer is behind a NAT gateway, the connection address is
To apply a rule to several computers, you can specify IP addresses as ranges, and names can be
specified as masks with “*” and “?” wildcards. If these options are insufficient, you can always create
several rules with different conditions that will move computers to the same group.
Conditions for devices may include operating system version, architecture and currently installed Service
Pack. Several operating systems can be specified within a rule. If the administrator wants to automatically
move all servers into the Servers group, it will be necessary to create only one rule that will take care of
all servers of all versions used in the network. For example, Windows Server 2008 R2 and Windows
Server 2012 R2.
Also, there is the Network Agent is running condition. This condition can separate the computers
already connected to the Administration Server from those that need to be connected.
A relocation rule has a condition for virtual machines. Virtual machines running on different virtualization
platforms can be moved into different groups. Protection of virtual machines is described in courses
KL 014 Kaspersky Security for Virtualization | Agentless and KL 031 Kaspersky Security for Virtualization
| Light Agent.
If these conditions are insufficient, computers can be tagged and you can configure conditions using the
tags. For more details, refer to course KL 302.
There are similar conditions for the computers within the Active Directory structure:
Relocation rules permit configuring synchronization with Active Directory. For this purpose, enable
additional options under the condition Apply the rule to Active Directory organization unit:
— Including child organization units—if the selected unit has child units, computers within them
will be moved into the destination group
— Move computers from child organizational units to corresponding subgroups—if
the selected unit has child units, and the destination group has the corresponding subgroups,
computers from the child units will be moved into the corresponding subgroups
— Create missing subgroups—if the selected unit has child units, and the destination group has
no corresponding subgroups, the Administration Server will create these subgroups and move
the computers of the child unit there
— Delete subgroups that are not present in the Active directory—the opposite of the previous
option. When an organizational unit is deleted from the Active Directory, this option will remove
the respective group from the Kaspersky Security Center.
If all four options are enabled, an updatable copy of the Active Directory structure will be created in
the destination group. If a unit is created or deleted in Active Directory, or computers are moved from one
unit to another, Kaspersky Security Center will automatically repeat these changes in its group structure.
In addition to units, Active Directory has groups, which may contain computer accounts. To move
computers into groups according to the domain groups, select the condition The device is member of
Active Directory group and specify the group name.
A tag is an additional attribute that the administrator can assign to devices and use to configure
relocation rules more flexibly. The administrator can assign tags manually to each device individually or
to several devices at once, or configure automatic tag allocation rules. A device can have several tags
assigned.
Relocation rules may be applied to devices without the specified tags or to the devices that have at least
one of the specified tags.
To assign tags, select one or several devices, open the properties window and switch to the Tags tab.
There is also a link there: Set up automatic tagging rules. Automatic tag allocation rules can also be
configured on the Devices | Tags | Auto-tagging rules page.
In some cases, it makes sense to assign tags automatically when deploying the protection application.
You can also do it in the Network Agent package properties. To assign different tags to computers during
the installation, create several installation packages for the Network Agent, specify the necessary tag
within each package, and use different packages for different computers.
Regardless of how a tag was added to the system or assigned to a device, you will be able to assign it to
any other device as well afterwards.
The created rules are organized into a list where their order makes a difference. Permanent rules have
priority over the others. Among rules of the same type, the higher the rule is on the list, the higher its
priority. In other words, if a computer meets the conditions of several rules, only the top one is applied.
Use arrows to rearrange the rules. Also, a rule can be applied manually using the Force button. This
permits re-applying a non-permanent rule. For the permanent rules, the button does nothing, since
The Rule execution wizard prompts for the group where the rule is to be applied, and moves
the computers that meet the rule conditions from the selected group to the group specified in the rule.
There is an option that permits skipping the computers to which this rule has already been applied and
only force the rule on new computers.
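The priority logic described above decides which group, and therefore which protection policy, a computer ends up with. The following added example (a simplified model, not Kaspersky Security Center code) evaluates a constructed rule list the way the text describes: permanent rules first, then list order, first match wins. The `Rule` and `Device` classes, their fields, and the case-insensitive name matching are assumptions of this sketch.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:                      # constructed stand-in for a discovered computer
    name: str                      # NetBIOS name
    ip: str
    group: Optional[str] = None    # None means the device is unassigned

@dataclass
class Rule:                        # hypothetical model of one relocation rule
    title: str
    target: str                    # "Where to move"
    permanent: bool = False
    only_unassigned: bool = True   # "Move only devices that do not belong to an administration group"
    name_mask: str = "*"           # mask with "*" and "?" wildcards
    ip_range: Optional[tuple] = None   # (first, last), inclusive

    def matches(self, dev: Device) -> bool:
        if self.only_unassigned and dev.group is not None:
            return False
        # Translate the mask literally: only "*" and "?" are special.
        pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in self.name_mask)
        if not re.fullmatch(pattern, dev.name, re.IGNORECASE):  # assumption: case-insensitive
            return False
        if self.ip_range:
            first, last = (ipaddress.ip_address(a) for a in self.ip_range)
            return first <= ipaddress.ip_address(dev.ip) <= last
        return True

def winning_rule(rules, dev):
    """Permanent rules outrank the others; within one type the list order decides."""
    ordered = sorted(rules, key=lambda r: not r.permanent)   # stable sort keeps list order
    return next((r for r in ordered if r.matches(dev)), None)

def never_winning(rules, devices):
    """Titles of rules that win for none of the devices: candidates for reordering."""
    winners = {id(winning_rule(rules, d)) for d in devices}
    return [r.title for r in rules if id(r) not in winners]

# Constructed rule list, in console order (top first).
RULES = [
    Rule("Workstations by subnet", "Workstations", ip_range=("192.168.0.1", "192.168.0.254")),
    Rule("Servers by name", "Servers", name_mask="SRV-*"),
    Rule("HQ servers", "Servers\\HQ", permanent=True, only_unassigned=False, name_mask="SRV-HQ-??"),
]
# Constructed inventory.
DEVICES = [
    Device("SRV-HQ-01", "192.168.0.10"),
    Device("SRV-DB-1", "192.168.0.20"),
    Device("PC-017", "192.168.0.33", group="Workstations"),
]

if __name__ == "__main__":
    for d in DEVICES:
        rule = winning_rule(RULES, d)
        print(f"{d.name:10} -> {rule.target if rule else '(stays where it is)'}")
    print("never applied:", never_winning(RULES, DEVICES))
```

In this constructed list the server SRV-DB-1 lands in Workstations because the subnet rule sits above the name rule, so it would receive the workstation policy until the rules are reordered.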
v1.0.6