Discovering networked devices

This section describes steps you must take after the Kaspersky Security Center installation.

Scenario: Discovering networked devices

You must perform device discovery before installation of the security applications. When all networked devices are discovered, you can receive information about them and manage them through policies. Regular network polls are needed to discover if there are any new devices and whether previously discovered devices are still on the network.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for your operating system.

Discovery of networked devices proceeds in stages:

1. Initial device discovery

   The Quick Start Wizard guides you through initial device discovery, and helps you find networked devices such as computers, tablets, and mobile phones. You can also perform device discovery manually.

2. Configuring future polls

   Decide which type(s) of discovery you want to use regularly. Make sure that this type is enabled and that the poll schedule meets the needs of your organization. When configuring the poll schedule, use the recommendations for network polling frequency.

3. Setting up rules for adding discovered devices to administration groups (optional)

   If new devices appear on your network, they are discovered during regular polls and are automatically included in the Unassigned devices group. If you want, you can set up the rules for automatically moving these devices to the Managed devices group. You can also establish retention rules.

   If you skip this rule-setting stage, all the newly discovered devices go to the Unassigned devices group and stay there. If you want, you can move these devices to the Managed devices group manually. If you move the devices to the Managed devices group manually, you can analyze information about each device and decide whether you want to move it to an administration group, and, if so, to which group.

Results

Completion of the scenario yields the following:

• Kaspersky Security Center Administration Server discovers the devices that are on the network and provides you with information about them.
• Future polls are set up and are conducted according to the specified schedule.
• The newly discovered devices are arranged according to the configured rules. (Or, if no rules are configured, the devices stay in the Unassigned devices group).

Unassigned devices

This section provides information about how to manage devices on an enterprise network if they are not included in an administration group.

Device discovery

This section describes the types of device discovery available in Kaspersky Security Center and provides information using each type.

The Administration Server receives information about the structure of the network and devices on this network through regular polling. The information is recorded to the Administration Server database. Administration Server can use the following types of polling:

• Windows network polling. The Administration Server can perform two kinds of Windows network poll: quick and full. During a quick poll, the Administration Server only retrieves information from the list of the NetBIOS names of devices in all network domains and workgroups. During a full poll, more information is requested from each client device, such as operating system name, IP address, DNS name, and NetBIOS name. By default, both quick poll and full poll are enabled. Windows network polling may fail to discover devices, for example, if the ports UDP 137, UDP 138, TCP 139 are closed on the router or by the firewall.
• Active Directory polling. The Administration Server retrieves information about the Active Directory unit structure and about DNS names of the devices from Active Directory groups. By default, this type of polling is enabled. We recommend that you use Active Directory polling if you use Active Directory; otherwise, the Administration Server does not discover any devices. If you use Active Directory but some of the networked devices are not listed as members, these devices cannot be discovered by Active Directory polling.
• IP range polling. The Administration Server polls the specified IP ranges using ICMP packets or the NBNS protocol and compiles a complete set of data on devices within those IP ranges. By default, this type of polling is disabled. It is not recommended to use this type of polling if you use Windows network polling and/or Active Directory polling.
• Zeroconf polling. A distribution point that polls the IPv6 network by using zero-configuration networking (also referred to as Zeroconf). By default, this type of polling is disabled. You can use Zeroconf polling if the distribution point runs Linux.

If you set up and enabled device moving rules, the newly discovered devices are automatically included in the Managed devices group. If no moving rules have been enabled, the newly discovered devices are automatically included in the Unassigned devices group.

You can modify device discovery settings for each type. For example, you may want to modify the polling schedule or to set whether to poll the entire Active Directory forest or only a specific domain.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for your operating system.

Windows network polling

Expand all | Collapse all

About Windows network polling

During a quick poll, the Administration Server only retrieves information from the list of the NetBIOS names of devices in all network domains and workgroups. During a full poll, the following information is requested from each client device:

• Operating system name
• IP address
• DNS name
• NetBIOS name

Both quick polls and full polls require the following:

• Ports UDP 137/138, TCP 139, UDP 445, TCP 445 must be available in the network.
• The SMB protocol is enabled.
• The Microsoft Computer Browser service must be used, and the primary browser computer must be enabled on the Administration Server.
• The Microsoft Computer Browser service must be used, and the primary browser computer must be enabled on the client devices:
  • On at least one device, if the number of networked devices does not exceed 32.
  • On at least one device for each 32 networked devices.

The full poll can run only if the quick poll has run at least once.

Viewing and modifying the settings for Windows network polling

To modify the settings for the Windows network polling:

1. In the console tree, in the Device discovery folder, select the Domains subfolder.

   You can proceed from the Unassigned devices folder to the Device discovery folder by clicking the Poll now button.

   In the workspace of the Domains subfolder, the list of the devices is displayed.

2. Click Poll now.

   The domain properties window opens. If you want, modify the settings of Windows network polling:

   • Enable Windows network polling

     This option is selected by default. If you do not want to perform Windows network poll (for example, if you think that Active Directory polling is enough), you can unselect this option.

   • Set quick polling schedule

     The default period is 15 minutes.

     During a quick poll, the Administration Server only retrieves information from the list of the NetBIOS names of devices in all network domains and workgroups.

     The data received at the next polling completely replaces the old data.

     The following polling schedule options are available:

     • Every N days

       The polling runs regularly, with the specified interval in days, starting from the specified date and time.

       By default, the polling runs every day, starting from the current system date and time.

     • Every N minutes

       The polling runs regularly, with the specified interval in minutes, starting from the specified time.

       By default, the polling runs every five minutes, starting from the current system time.

     • By days of week

       The polling runs regularly, on the specified days of week, and at the specified time.

       By default, the polling runs every Friday at 6:00:00 PM.

     • Every month on specified days of selected weeks

       The polling runs regularly, on the specified days of each month, and at the specified time.

       By default, no days of month are selected; the default start time is 6:00:00 PM.

     • Run missed tasks

       If the Administration Server is switched off or unavailable during the time for which the poll is scheduled, the Administration Server can either start the poll immediately after it is switched on, or wait for the next time for which the poll scheduled.

       If this option is enabled, the Administration Server starts polling immediately after it is switched on.

       If this option is disabled, the Administration Server waits for the next time for which the polling is scheduled.

       By default, this option is enabled.

   • Set full polling schedule

     The default period is one hour. The data received at the next polling completely replaces the old data.

     The following polling schedule options are available:

     • Every N days

       The polling runs regularly, with the specified interval in days, starting from the specified date and time.

       By default, the polling runs every day, starting from the current system date and time.

     • Every N minutes

       The polling runs regularly, with the specified interval in minutes, starting from the specified time.

       By default, the polling runs every five minutes, starting from the current system time.

     • By days of week

       The polling runs regularly, on the specified days of week, and at the specified time.

       By default, the polling runs every Friday at 6:00:00 PM.

     • Every month on specified days of selected weeks

       The polling runs regularly, on the specified days of each month, and at the specified time.

       By default, no days of month are selected; the default start time is 6:00:00 PM.

     • Run missed tasks

       If the Administration Server is switched off or unavailable during the time for which the poll is scheduled, the Administration Server can either start the poll immediately after it is switched on, or wait for the next time for which the poll scheduled.

       If this option is enabled, the Administration Server starts polling immediately after it is switched on.

       If this option is disabled, the Administration Server waits for the next time for which the polling is scheduled.

       By default, this option is enabled.

If you want to perform the poll immediately, click Poll now. Both types of polls will start.

On the virtual Administration Server you can view and edit the polling settings of the Windows network in the properties window of the distribution point, in the Device discovery section.

Active Directory polling

Expand all | Collapse all

Use Active Directory polling if you use Active Directory; otherwise, it is recommended to use other poll types. If you use Active Directory but some of the networked devices are not listed as members, these devices cannot be discovered by Active Directory polling.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for your operating system.

Viewing and modifying the settings for Active Directory polling

To view and modify the settings for polling Active Directory groups:

1. In the console tree, in the Device discovery folder, select the Active Directory subfolder.

   Alternatively, you can proceed from the Unassigned devices folder to the Device discovery folder by clicking the Poll now button.

2. Click Configure polling.

   The Active Directory properties window opens. If you want, modify the settings of Active Directory group polling:

   • Enable Active Directory polling

     This option is selected by default. However, if you do not use Active Directory, the poll does not retrieve any results. In this case, you can unselect this option.

   • Set polling schedule

     The default period is one hour. The data received at the next polling completely replaces the old data.

     The following polling schedule options are available:

     • Every N days

       The polling runs regularly, with the specified interval in days, starting from the specified date and time.

       By default, the polling runs every day, starting from the current system date and time.

     • Every N minutes

       The polling runs regularly, with the specified interval in minutes, starting from the specified time.

       By default, the polling runs every five minutes, starting from the current system time.

     • By days of week

       The polling runs regularly, on the specified days of week, and at the specified time.

       By default, the polling runs every Friday at 6:00:00 PM.

     • Every month on specified days of selected weeks

       The polling runs regularly, on the specified days of each month, and at the specified time.

       By default, no days of month are selected; the default start time is 6:00:00 PM.

     • Run missed tasks

       If the Administration Server is switched off or unavailable during the time for which the poll is scheduled, the Administration Server can either start the poll immediately after it is switched on, or wait for the next time for which the poll scheduled.

       If this option is enabled, the Administration Server starts polling immediately after it is switched on.

       If this option is disabled, the Administration Server waits for the next time for which the polling is scheduled.

       By default, this option is enabled.

   • Advanced

     You can select which Active Directory domains to poll:

     • Active Directory domain to which the Kaspersky Security Center belongs.
     • Domain forest to which the Kaspersky Security Center belongs.
     • Specified list of Active Directory domains.

       If you select this option, you can add domains to the polling scope:

       • Click the Add button.
       • In the corresponding fields, specify the address of the domain controller, the name and password of the account for accessing it.
       • Click OK to save changes.

       You can select the domain controller address on the list and click the Modify or Remove buttons to modify or remove it.

     • Click OK to save changes.

If you want to perform the poll immediately, click the Poll now button.

On the virtual Administration Server, you can view and edit the polling settings of Active Directory groups in the properties window of the distribution point, in the Device discovery section.

IP range polling

Expand all | Collapse all

The Administration Server polls the specified IP ranges using ICMP packets or the NBNS protocol and compiles a complete set of data on devices within those IP ranges. By default, this type of polling is disabled. It is not recommended to use this type of polling if you use Windows network polling and/or Active Directory polling.

Before you start network polling, make sure that the SMB protocol is enabled. Otherwise, Kaspersky Security Center cannot discover devices in the polled network. To enable the SMB protocol, follow the instructions for your operating system.

Viewing and modifying the settings for IP range polling

To view and modify the settings for polling IP range groups:

1. In the console tree, in the Device discovery folder, select the IP ranges subfolder.

   You can proceed from the Unassigned devices folder to the Device discovery folder by clicking Poll now.

2. If you want, in the IP ranges subfolder click Add subnet to add an IP range for polling, and then click OK.
3. Click Configure polling.

   The IP ranges properties window opens. If you want, you can modify the settings of IP range polling:

   • Enable IP range polling

     This option is not selected by default. It is not recommended to use this type of polling if you use Windows network polling and/or Active Directory polling.

   • Set polling schedule

     The default period is 420 minutes. The data received at the next polling completely replaces the old data.

     The following polling schedule options are available:

     • Every N days

       The polling runs regularly, with the specified interval in days, starting from the specified date and time.

       By default, the polling runs every day, starting from the current system date and time.

     • Every N minutes

       The polling runs regularly, with the specified interval in minutes, starting from the specified time.

       By default, the polling runs every five minutes, starting from the current system time.

     • By days of week

       The polling runs regularly, on the specified days of week, and at the specified time.

       By default, the polling runs every Friday at 6:00:00 PM.

     • Every month on specified days of selected weeks

       The polling runs regularly, on the specified days of each month, and at the specified time.

       By default, no days of month are selected; the default start time is 6:00:00 PM.

     • Run missed tasks

       If the Administration Server is switched off or unavailable during the time for which the poll is scheduled, the Administration Server can either start the poll immediately after it is switched on, or wait for the next time for which the poll scheduled.

       If this option is enabled, the Administration Server starts polling immediately after it is switched on.

       If this option is disabled, the Administration Server waits for the next time for which the polling is scheduled.

       By default, this option is enabled.

If you want to perform the poll immediately, click Poll now. This button is only available if you selected Enable IP range polling.

On the virtual Administration Server, you can view and edit the settings for IP range polling in the distribution point properties window, in the Device discovery section. Client devices discovered during the poll of IP ranges are displayed in the Domains folder of the virtual Administration Server.

Zeroconf polling

This polling type is supported only for Linux-based distribution points.

A distribution point can poll networks that have devices with IPv6 addresses. In this case, IP ranges are not specified and the distribution point polls the whole network by using zero-configuration networking (referred to as Zeroconf). To start using Zeroconf, you must install the avahi-browse utility on the distribution point.

To enable Zeroconf polling:

1. In the console tree, in the Device discovery folder, select the IP ranges subfolder.

   You can proceed from the Unassigned devices folder to the Device discovery folder by clicking Poll now.

2. Click Configure polling.
3. In the IP ranges properties window that opens, select Enable polling with Zeroconf technology.

After that, the distribution point starts to poll your network. In this case, the specified IP ranges are ignored.

Working with Windows domains. Viewing and changing the domain settings

To modify the domain settings:

1. In the console tree, in the Device discovery folder, select the Domains subfolder.
2. Select a domain and open its properties window in one of the following ways:
   • By selecting Properties in the context menu of the domain.
   • By clicking the Show group properties link.

The Properties: <Domain name> window opens where you can configure the selected domain.

Configuring retention rules for unassigned devices

Expand all | Collapse all

After Windows network polling is complete, the found devices are placed into subgroups of the Unassigned devices administration group. This administration group can be found at Advanced → Device discovery → Domains. The Domains folder is the parent group. It contains child groups named after the corresponding domains and workgroups that have been found during the network polling. The parent group may also contain the administration group of mobile devices. You can configure the retention rules of the unassigned devices for the parent group and for each of the child groups. The retention rules do not depend on the network polling settings and work even if the network polling is disabled.

To configure retention rules for unassigned devices:

1. In the console tree, in the Device discovery folder, do one of the following:
   • To configure settings of the parent group, right-click the Domains subfolder and select Properties.

     The parent group properties window opens.

   • To configure settings of a child group, right-click its name and select Properties.

     The child group properties window opens.

2. In the Devices section, specify the following settings:
   • Remove the device from the group if it has been inactive for longer than (days)

     If this option is enabled, you can specify the time interval after which the device is automatically removed from the group. By default, this option is also distributed to the child groups. The default time interval is 7 days.

     By default, this option is enabled.

   • Inherit from parent group

     If this option is enabled, the retention period for the devices in the current group is inherited from the parent group and cannot be changed.

     This option is available only for child groups.

     By default, this option is enabled.

   • Force inheritance in child groups

     The setting values will be distributed to child groups but in the properties of the child groups these settings are locked.

     By default, this option is disabled.

Your changes are saved and applied.

Working with IP ranges

You can customize existing IP ranges and create new ones.

Creating an IP range

To create an IP range:

1. In the console tree, in the Device discovery folder, select the IP ranges subfolder.
2. In the context menu of the folder, select New → IP range.
3. In the New IP range window that opens, set up the new IP range.

The new IP range appears in the IP ranges folder.

Viewing and changing the IP range settings

To modify the IP range settings:

1. In the console tree, in the Device discovery folder select the IP ranges subfolder.
2. Select an IP range and open its properties window in one of the following ways:
   • By selecting Properties in the context menu of the IP range.
   • By clicking the Show group properties link.

The Properties: <IP range name> window opens where you can configure the properties of the selected IP range.

Working with the Active Directory groups. Viewing and modifying group settings

To modify the settings for the Active Director group:

1. In the console tree, in the Device discovery folder, select the Active Directory subfolder.
2. Select an Active Directory group and open its properties window in one of the following ways:
   • By selecting Properties in the context menu of the IP range.
   • By clicking the Show group properties link.

The Properties: <Active Directory group name> window opens where you can configure the selected Active Directory group.

Creating rules for moving devices to administration groups automatically

You can configure devices to be moved automatically to administration groups after they are discovered during a poll on an enterprise network.

To configure rules for moving devices to administration groups automatically:

1. In the console tree, select the Unassigned devices folder.
2. In the workspace of this folder, click Configure rules.

This opens the Properties: Unassigned devices window. In the Move devices section, configure the rules to move devices to administration groups automatically.

The first applicable rule in the list (from the top to the bottom of the list) will be applied to a device.

Using VDI dynamic mode on client devices

A virtual infrastructure can be deployed on a corporate network using temporary virtual machines. Kaspersky Security Center detects temporary virtual machines and adds information about them to the Administration Server database. After a user finishes using a temporary virtual machine, the machine is removed from the virtual infrastructure. However, a record about the removed virtual machine can be saved in the database of the Administration Server. Also, nonexistent virtual machines can be displayed in Administration Console.

To prevent information about nonexistent virtual machines from being saved, Kaspersky Security Center supports dynamic mode for Virtual Desktop Infrastructure (VDI). The administrator can enable support of dynamic mode for VDI in the properties of the installation package of Network Agent to be installed on the temporary virtual machine.

When a temporary virtual machine is disabled, Network Agent notifies the Administration Server that the machine has been disabled. If the virtual machine has been disabled successfully, it is removed from the list of devices connected to the Administration Server. If the virtual machine is disabled with errors and Network Agent does not send a notification about the disabled virtual machine to the Administration Server, a backup scenario is used. In this scenario, the virtual machine is removed from the list of devices connected to the Administration Server after three unsuccessful attempts to synchronize with the Administration Server.

Enabling VDI dynamic mode in the properties of an installation package for Network Agent

To enable VDI dynamic mode:

1. In the Remote installation folder of the console tree, select the Installation packages subfolder.
2. In the context menu of the Network Agent installation package, select Properties.

   The Properties: Kaspersky Security Center Network Agent window opens.

3. In the Properties: Kaspersky Security Center Network Agent window, select the Advanced section.
4. In the Advanced section, select the Enable dynamic mode for VDI option.

The device on which Network Agent is to be installed will be a part of VDI.

Searching for devices that are part of VDI

To find unassigned devices that make up part of VDI:

1. Select Search from the context menu of the Unassigned devices folder.

   To see a list of all devices that are part of Virtual Desktop Infrastructure, select Search from the context menu of the Administration Server folder.

2. In the Search window, on the Virtual machines tab, select Yes in the Part of Virtual Desktop Infrastructure settings group.
3. Click the Find now button.

The list of unassigned devices that are part of Virtual Desktop Infrastructure is displayed.

Moving devices from VDI to an administration group

To move devices that are part of VDI to an administration group:

1. In the workspace of the Unassigned devices folder, click Configure rules.

   This opens the properties window of the Unassigned devices folder.

2. In the properties window of the Unassigned devices folder, in the Move devices section, click the Add button.

   The New rule window opens.

3. In the New rule window, select the Virtual machines section.
4. In the This is a virtual machine drop-down list, select Yes.

A rule will be created for device relocation to an administration group.

Equipment inventory

The hardware list (Repositories → Hardware) that you use to inventory equipment is populated in two ways: automatically and manually. After each network polling, all detected devices are added to the list automatically; however, you can also add devices manually if you do not want to poll the network. You can add other devices to the list manually, for example, routers, printers, or device hardware.

In the properties of a device, you can view and edit detailed information about that device.

The hardware list may contain the following types of devices:

• Computers
• Mobile devices
• Network devices
• Virtual devices
• OEM components
• Computer peripherals
• Connected devices
• VoIP phones
• Network repositories

The administrator can assign the Enterprise equipment attribute to detected devices. This attribute can be assigned manually in the properties of a device, or the administrator can specify criteria for the attribute to be assigned automatically. In this case, the Enterprise equipment attribute is assigned by device type.

Kaspersky Security Center allows writing off equipment. To do this, select the Device is written off option in the properties of a device. The device is not displayed on the equipment list.

An administrator can manage the list of programmable logic controllers (PLC) in the Hardware folder. Detailed information on managing the PLC list is provided in the Kaspersky Industrial CyberSecurity for Nodes User Guide.

Adding information about new devices

To add information about new devices on the network:

1. In the Repositories folder of the console tree, select the Hardware subfolder.
2. In the workspace of the Hardware folder, click the Add device button to open the New device window.

   The New device window opens.

3. In the New device window, in the Type drop-down list select a device type that you want to add.
4. Click OK.

   The device properties window opens on the General section.

5. In the General section, fill in the entry fields with data on the device. The General section lists the following settings:
   • Enterprise device. Select the check box if you want to assign the Enterprise attribute to the device. Using this attribute, you can search for devices in the Hardware folder.
   • Device is written off. Select the check box if you do not want the device to be displayed in the list of devices in the Hardware folder.
6. Click Apply.

The new device will be displayed in the workspace of the Hardware folder.

Configuring criteria used to define enterprise devices

To configure criteria of detection for enterprise devices:

1. In the Repositories folder of the console tree, select the Hardware subfolder.
2. In the workspace of the Hardware folder, click the Additional actions button and select Set up rule for Enterprise devices in the drop-down list.

   The hardware properties window opens.

3. In the hardware properties window, in the Enterprise devices section, select a method for assigning the Enterprise attribute to the device:
   • Set the Enterprise device attribute manually for the device. The Enterprise hardware attribute is assigned to the device manually in the device properties window, in the General section.
   • Set the Enterprise device attribute automatically for the device. In the By device type block of settings, specify device types to which the application will automatically assign the Enterprise attribute.

     This option affects only the devices that were added through network polling. For the devices added manually, set the Enterprise attribute manually.

4. Click OK.

The criteria of detection for enterprise devices are configured.

Configuring custom fields

To configure custom fields of devices:

1. In the Repositories folder of the console tree, select the Hardware subfolder.
2. In the workspace of the Hardware folder, click the Additional actions button and select Configure custom data fields in the drop-down list.

   The hardware properties window opens.

3. In the hardware properties window, select the Custom fields section and click the Add button.

   The Add field window opens.

4. In the Add field window, specify the name of the custom field that will be displayed in the hardware properties.

   You can create multiple custom fields with unique names.

5. Click OK.

The custom fields that have been added are displayed in the Custom fields section of the hardware properties. You can use custom fields to provide specific information about devices. For example, this could be the internal order number for a hardware purchase.