Managing Administration Servers

This section provides information about working with Administration Servers and configuring them.

Creating a hierarchy of Administration Servers: adding a secondary Administration Server

You can add an Administration Server as a secondary Administration Server, thus establishing a "primary/secondary" hierarchy. Adding a secondary Administration Server is possible regardless of whether the Administration Server that you intend to use as secondary is available for connection through Administration Console.

When combining two Administration Servers into a hierarchy, make sure that port 13291 is accessible on both Administration Servers. Port 13291 is required to receive connections from Administration Console to the Administration Server.

Connecting an Administration Server as secondary in reference to the primary Administration Server

You can add an Administration Server as secondary by connecting it to the primary Administration Server via port 13000. You will need a device that has Administration Console installed from which TCP ports 13291 can be accessed on both Administration Servers: supposed primary Administration Server and supposed secondary Administration Server.

To add as secondary an Administration Server that is available for connection through Administration Console:

1. Make sure that port 13000 of the supposed primary Administration Server is available for receipt of connections from secondary Administration Servers.
2. Use Administration Console to connect to the supposed primary Administration Server.
3. Select the administration group to which you intend to add the secondary Administration Server.
4. In the workspace of the Administration Servers node of the selected group, click the Add secondary Administration Server link.

   The Add Secondary Administration Server Wizard starts.

5. At the first step of the Wizard (entering the address of the Administration Server being added to the group), enter the network name of the supposed secondary Administration Server.
6. Follow the instructions of the Wizard.

The "primary/secondary" hierarchy is built. The primary Administration Server will receive connection from the secondary Administration Server.

If you do not have a device that has Administration Console installed from which TCP ports 13291 can be accessed on both Administration Servers (if, for example, the supposed secondary Administration Server is located at a remote office and the system administrator of that office cannot open internet access to port 13291 for security reasons), you will still be able to add a secondary Administration Server.

To add as secondary an Administration Server that is not available for connection through Administration Console:

1. Make sure that port 13000 of the supposed primary Administration Server is available for connection from secondary Administration Servers.
2. Write the certificate file of the supposed primary Administration Server to an external device, such as a flash drive, or send it to the system administrator of the remote office where the Administration Server is located.

   The certificate file of the Administration Server is on the same Administration Server, at %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert\klserver.cer.

3. Write the certificate file of the supposed secondary Administration Server to an external device, such as a flash drive. If the supposed secondary Administration Server is located at a remote office, contact the system administrator of that office to prompt him or her to send you the certificate.

   The certificate file of the Administration Server is on the same Administration Server, at %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert\klserver.cer.

4. Use Administration Console to connect to the supposed primary Administration Server.
5. Select the administration group to which you intend to add the secondary Administration Server.
6. In the workspace of the Administration Servers node, click the Add secondary Administration Server link.

   The Add Secondary Administration Server Wizard starts.

7. At the first step of the Wizard (entering the address), leave the Secondary Administration Server address (optional) field blank.
8. In the Secondary Administration Server certificate file window, click the Browse button and select the certificate file of the secondary Administration Server that you saved.
9. When the Wizard is complete, use a different instance of Administration Console to connect to the supposed secondary Administration Server. If this Administration Server is located at a remote office, contact the system administrator of that office to prompt him or her to connect to the supposed secondary Administration Server and perform further due steps.
10. In the context menu of the Administration Server node, select Properties.
11. In the Administration Server properties, proceed to the Advanced section and then to the Hierarchy of Administration Servers subsection.
12. Select the This Administration Server is secondary in the hierarchy check box.

    The entry fields become available for data input and editing.

13. In the Primary Administration Server address field, enter the network name of the supposed primary Administration Server.
14. Select the previously saved file with the certificate of the supposed primary Administration Server by clicking the Browse button.
15. Click OK.

The "primary/secondary" hierarchy is built. You can connect to the secondary Administration Server through Administration Console. The primary Administration Server will receive connection from the secondary Administration Server.

Connecting the primary Administration Server to a secondary Administration Server

You can add a new Administration Server as secondary so that the primary Administration Server connects to the secondary Administration Server via port 13000. This is advisable if, for example, you place a secondary Administration Server in DMZ.

You will need a device that has Administration Console installed from which TCP ports 13291 can be accessed on both Administration Servers: supposed primary Administration Server and supposed secondary Administration Server.

To add a new Administration Server as secondary and connect the primary Administration Server via port 13000:

1. Make sure that port 13000 of the supposed secondary Administration Server is available for receipt of connections from the primary Administration Server.
2. Use Administration Console to connect to the supposed primary Administration Server.
3. Select the administration group to which you intend to add the secondary Administration Server.
4. In the workspace of the Administration Servers node of the relevant administration group, click the Add secondary Administration Server link.

   The Add Secondary Administration Server Wizard starts.

5. At the first step of the Wizard (entering the address of the Administration Server to be added to the group), enter the network name of the supposed secondary Administration Server and select the Connect primary Administration Server to secondary Administration Server in DMZ check box.
6. If you connect to the supposed secondary Administration Server by using a proxy server, at the first step of the Wizard select the Use proxy server check box and specify the connection settings.
7. Follow the instructions of the Wizard.

The hierarchy of Administration Servers is created. The secondary Administration Server will receive connection from the primary Administration Server.

Connecting to an Administration Server and switching between Administration Servers

After Kaspersky Security Center is started, it attempts to connect to an Administration Server. If several Administration Servers are available on the network, the application requests the server to which it was connected during the previous session of Kaspersky Security Center.

When the application is started for the first time after installation, it attempts to connect to the Administration Server that was specified during Kaspersky Security Center installation.

After connection to an Administration Server is established, the folders tree of that Server is displayed in the console tree.

If several Administration Servers have been added to the console tree, you can switch between them.

Administration Console is required for work with each Administration Server. Before the first connection to a new Administration Server, make sure that port 13291, which receives connections from Administration Console, is open, as well as all the remaining ports required for communication between Administration Server and other Kaspersky Security Center components.

To switch to another Administration Server:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the context menu of the node, select Connect to Administration Server.
3. In the Connection settings window that opens, in the Administration Server address field specify the name of the Administration Server to which you want to connect. You can specify an IP address or the name of a device on a Windows network as the name of the Administration Server. You can click the Advanced button to configure the connection to the Administration Server (see figure below).

   To connect to the Administration Server through a different port than the default port, enter a value in the Administration Server address field in <Administration Server name>:<Port> format.

   To connect to a virtual Administration Server, enter a value in the Administration Server address field in <Administration Server address>/<virtual server name> format.

   Users who do not have Read rights will be denied access to Administration Server.

   

   Connecting to Administration Server

4. Click OK to complete the switch between Servers.

After the Administration Server is connected, the folders tree of the corresponding node in the console tree is updated.

Access rights to Administration Server and its objects

The KLAdmins and KLOperators groups are created automatically during Kaspersky Security Center installation. These groups are granted permissions to connect to the Administration Server and to process Administration Server objects.

Depending on the type of account that is used for installation of Kaspersky Security Center, the KLAdmins and KLOperators groups are created as follows:

• If the application is installed under a user account included in a domain, the groups are created on the Administration Server and in the domain that includes the Administration Server.
• If the application is installed under a system account, the groups are created on the Administration Server only.

You can view the KLAdmins and KLOperators groups and modify the access privileges of the users that belong to the KLAdmins and KLOperators groups by using the standard administrative tools of the operating system.

The KLAdmins group is granted all access rights; the KLOperators group is granted only Read and Execute rights. The rights granted to the KLAdmins group are locked.

Users that belong to the KLAdmins group are called Kaspersky Security Center administrators, while users from the KLOperators group are called Kaspersky Security Center operators.

In addition to users included in the KLAdmins group, administrator rights for Kaspersky Security Center are also provided to the local administrators of devices on which Administration Server is installed.

You can exclude local administrators from the list of users who have Kaspersky Security Center administrator rights.

All operations started by the administrators of Kaspersky Security Center are performed using the rights of the Administration Server account.

An individual KLAdmins group can be created for each Administration Server from the network; the group will have the necessary rights for that Administration Server only.

If devices belonging to the same domain are included in the administration groups of different Administration Servers, the domain administrator is the Kaspersky Security Center administrator for all the groups. The KLAdmins group is the same for those administration groups; it is created during installation of the first Administration Server. All operations initiated by a Kaspersky Security Center administrator are performed using the account rights of the Administration Server for which these operations have been started.

After the application is installed, an administrator of Kaspersky Security Center can do the following:

• Modify the rights granted to the KLOperators groups.
• Grant rights—to access Kaspersky Security Center functionality—to other security groups and individual users who are registered on the administrator's workstation.
• Assign user access rights within each administration group.

The Kaspersky Security Center administrator can assign access rights to each administration group or to other objects of Administration Server in the Security section in the properties window of the selected object.

You can track user activity by using the records of events in the Administration Server operation. Event records are displayed in the Administration Server node on the Events tab. These events have the importance level Info events and the event types begin with "Audit".

Conditions of connection to an Administration Server over the internet

If an Administration Server is remotely located outside a corporate network, client devices can connect to it over the internet.

For devices to connect to an Administration Server over the internet, the following conditions must be met:

• The remote Administration Server must have an external IP address and the incoming port 13000 must remain open (for connection of Network Agents). We recommend that you also open UDP port 13000 (for receiving notifications of device shut down).
• Network Agents must be installed on the devices.
• When installing Network Agent on devices, you must specify the external IP address of the remote Administration Server. If an installation package is used for installation, specify the external IP address manually in the properties of the installation package, in the Settings section.
• To use the remote Administration Server to manage applications and tasks for a device, in the properties window of the device, in the General section select the Do not disconnect from the Administration Server check box. After the check box is selected, wait until the Administration Server is synchronized with the remote device. The number of client devices maintaining a continuous connection with an Administration Server cannot exceed 300.

To speed up the performance of tasks initiated by a remote Administration Server, you can open port 15000 on a device. In this case, to run a task, the Administration Server sends a special packet to Network Agent over port 15000 without waiting until completion of synchronization with the device.

Encrypted connection to an Administration Server

Data exchange between client devices and Administration Server, as well as Administration Console connection to Administration Server, can be performed using the TLS (Transport Layer Security) protocol. The TLS protocol can identify the interacting parties, encrypt the data that is transferred, and protect data against modification during transfer. The TLS protocol uses public keys to authenticate the interacting parties and encrypt data.

Authenticating Administration Server when a device is connected

When a client device connects to Administration Server for the first time, Network Agent on the device downloads a copy of the Administration Server certificate and stores it locally.

If you install Network Agent on a device locally, you can select the Administration Server certificate manually.

The downloaded copy of the certificate is used to verify Administration Server rights and permissions during subsequent connections.

During future sessions, Network Agent requests the Administration Server certificate at each connection of the device to Administration Server and compares it with the local copy. If the copies do not match, the device is not allowed access to Administration Server.

Administration Server authentication during Administration Console connection

At the first connection to Administration Server, Administration Console requests the Administration Server certificate and saves it locally on the administrator's workstation. After that, each time when Administration Console tries to connect to this Administration Server, the Administration Server is identified based on the certificate copy.

If the Administration Server certificate does not match the copy stored on the administrator's workstation, Administration Console prompts you to confirm connection to the Administration Server with the specified name and download a new certificate. After the connection is established, Administration Console saves a copy of the new Administration Server certificate, which will be used to identify the Administration Server in the future.

Configuring an allowlist of IP addresses to connect to Administration Server

By default, users can log in to Kaspersky Security Center under any device where they can open Kaspersky Security Center Web Console (hereinafter referred to as Web Console) or where MMC-based Administration Console is installed. However, you can configure Administration Server so that users can connect to it only from devices with allowed IP addresses. In this case, even if an intruder steals a Kaspersky Security Center account, he or she will not be able to log in to Kaspersky Security Center because the IP address of the intruder's device is not in the allowlist.

The IP address is verified when a user logs in to Kaspersky Security Center or runs an

application

For example, such applications include Kaspersky Anti Targeted Attack Platform and Kaspersky Security for Virtualization. It can also be a client developed by you based on OpenAPI.

Requirements for an allowlist of IP addresses

IP addresses are verified only when the following applications try to connect to Administration Server:

• Web Console Server

  If you sign in to Web Console on one device and the Web Console Server is installed on another device, you can configure a firewall on the device where the Web Console Server is installed by using the standard means of the operating system. Then, if someone tries to log in to Web Console, a firewall helps prevent intruders from interfering.

• Administration Console
• Applications interacting with Administration Server via klakaut automation objects
• Applications interacting with Administration Server via OpenAPI, such as Kaspersky Anti Targeted Attack Platform or Kaspersky Security for Virtualization

Therefore, specify addresses of the devices on which the applications listed above are installed.

You can set IPv4 and IPv6 addresses. You cannot specify ranges of IP addresses.

How to establish an allowlist of IP addresses

If you have not set an allowlist earlier, follow the instructions below.

To establish an allowlist of IP addresses to log in to Kaspersky Security Center:

1. On the Administration Server device, run the command prompt under an account with administrator rights.
2. Change your current directory to the Kaspersky Security Center installation folder (usually, <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center).
3. Enter the following command, using administrator rights:

   klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses>" -t s

   Specify IP addresses that meet the requirements listed above. Several IP addresses must be separated by a semicolon.

   Example of how to allow only one device to connect to Administration Server:

   klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0" -t s

   Example of how to allow multiple devices to connect to Administration Server:

   klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 198.51.100.0; 203.0.113.0" -t s

4. Restart the Administration Server service.

You can find out whether you have successfully configured the allowlist of IP addresses in Kaspersky Event Log on the Administration Server.

How to change an allowlist of IP addresses

You can change an allowlist just as you did when you first established it. For this purpose, run the same command and specify a new allowlist:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "<IP addresses>" -t s

If you want to delete some IP addresses from the allowlist, rewrite it. For example, your allowlist includes the following IP addresses: 192.0.2.0; 198.51.100.0; 203.0.113.0. You want to delete the 198.51.100.0 IP address. To do this, enter the following command at the command prompt:

klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "192.0.2.0; 203.0.113.0" -t s

Do not forget to restart the Administration Server service.

How to reset a configured allowlist of IP addresses

To reset an already configured allowlist of IP addresses:

1. Enter the following command at the command prompt, using administrator rights:

   klscflag -fset -pv klserver -n KLSRV_FLAG_ALLOWED_IP_ADDRESSES_FOR_GUI -v "" -t s

2. Restart the Administration Server service.

After that, IP addresses are not verified any more.

Using the klscflag utility to close port 13291

Port 13291 on the Administration Server is used for receiving connections from Administration Consoles. This port is open by default. If you do not want to use the MMC-based Administration Console or the klakaut utility, you can close this port by using the klscflag utility. This utility changes the value of the KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN parameter.

To close port 13291:

1. Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
2. Execute the following command in the command line:

   klscflag -ssvset -pv klserver -s 87 -n KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN -sv false -svt BOOL_T -ss "|ss_type = \"SS_SETTINGS\";"

3. Restart the Kaspersky Security Center Administration Server service.

Port 13291 is closed.

To check if port 13291 has been successfully closed:

Execute the following command in the command line:

klscflag -ssvget -pv klserver -s 87 -n KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN -svt BOOL_T -ss "|ss_type = \"SS_SETTINGS\";"

This command returns the following result:

+--- (PARAMS_T)

+---KLSRV_SP_SERVER_SSL_PORT_GUI_OPEN = (BOOL_T)false

The false value means that the port is closed. Otherwise, the true value is displayed.

Disconnecting from an Administration Server

To disconnect from an Administration Server:

1. In the console tree select the node corresponding to the Administration Server that you want to disconnect.
2. In the context menu of the node select Disconnect from Administration Server.

Adding an Administration Server to the console tree

To add an Administration Server to the console tree:

1. In the Kaspersky Security Center main window, in the console tree select the Kaspersky Security Center 14 node.
2. In the context menu of the node, select New → Administration Server.

A node named Administration Server - <Device name> (Not connected) is created in the console tree from which you will be able to connect to any of the Administration Servers installed on the network.

Removing an Administration Server from the console tree

To remove an Administration Server from the console tree:

1. In the console tree select the node corresponding to the Administration Server that you want to remove.
2. In the context menu of the node select Remove.

Adding a virtual Administration Server to the console tree

To add a virtual Administration Server to the console tree:

1. In the console tree, select the node with the name of the Administration Server for which you need to create a virtual Administration Server.
2. In the Administration Server node, select the Administration Servers folder.

3. In the workspace of the Administration Servers folder, click the Add virtual Administration Server link.

   The New Virtual Administration Server Wizard starts.

4. In the Name of virtual Administration Server window, specify the name of the virtual Administration Server to be created.

   The name of a virtual Administration Server cannot be more than 255 characters long and cannot include any special characters (such as "*<>?\:|).

5. In the Enter address for device connection to virtual Administration Server window, specify the device connection address

   The connection address of a virtual Administration Server is the network address through which devices will connect to that Server. The connection address has two parts: the network address of a physical Administration Server and the name of a virtual Administration Server, separated with a slash. The name of the virtual Administration Server will be substituted automatically. The specified address will be used on the virtual Administration Server as the default address in Network Agent installation packages.

6. In the Create the virtual Administration Server administrator account window, assign a user from the list to act as virtual Server administrator, or add a new administrator account by clicking the Create button.

   You can specify multiple accounts.

A node named Administration Server <Name of virtual Administration Server> is created in the console tree.

Changing an Administration Server service account. Utility tool klsrvswch

If you have to change the Administration Server service account that was set during installation of Kaspersky Security Center, you can use a utility named klsrvswch that is designed for changing the Administration Server account.

When Kaspersky Security Center is installed, the utility is automatically copied to the application installation folder.

The number of launches of the utility is essentially unlimited.

You must launch the klsrvswch utility on the Administration Server device under the account with administrator rights that was used to install Administration Server.

The klsrvswch utility allows you to change the account type. For example, if you use a local account, you can change it to a domain account or to a managed service account (and vice versa). The klsrvswch utility does not allow you to change the account type to group managed service account (gMSA).

Windows Vista and later Windows versions do not allow the use of a LocalSystem account for the Administration Server. In these Windows versions, the LocalSystem account option is inactive.

To change an Administration Server service account to a domain account:

1. Launch the klsrvswch utility from the installation folder of Kaspersky Security Center. The default installation path: <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

   This action also launches the Wizard for modification of Administration Server service account. Follow the instructions of the Wizard.

2. In the Administration Server service account window, select LocalSystem account.

After the Wizard finishes, the Administration Server account is changed. The Administration Server service will start under the LocalSystem Account and use its credentials.

Correct operation of Kaspersky Security Center requires that the account used to start the Administration Server service has administrator rights to the resource where the Administration Server database is hosted.

To change an Administration Server service account to a user account or a managed service account:

1. Launch the klsrvswch utility from the installation folder of Kaspersky Security Center. The default installation path: <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

   This action also launches the Wizard for modification of Administration Server service account. Follow the instructions of the Wizard.

2. In the Administration Server service account window, select Custom account.
3. Click the Find now button.

   The Select User window opens.

4. In the Select User window, click the Object Types button.
5. In the object types list, select Users (if you want a user account) or Service Accounts (if you want a managed service account) and click OK.
6. In the object name field, enter the name of the account, or a part of the name, and click Check Names.
7. In the list of the matching names, select the necessary name, and then click OK.
8. If you selected Service Accounts, in the Account password window, leave the Password and Confirm password fields blank. If you selected Users, enter a new password for the user and confirm it.

The Administration Server service account will be changed to the account that you selected.

When Microsoft SQL Server is used in a mode that presupposes authenticating user accounts with Windows tools, access to the database must be granted. The user account must have the status of owner of the Kaspersky Security Center database. The dbo schema is used by default.

Changing DBMS credentials

Sometimes, you may need to change DBMS credentials, for example, in order to perform a credential rotation for security purposes.

To change DBMS credentials in a Windows environment by using klsrvswch.exe:

1. Launch the klsrvswch utility that is located in the installation folder of Kaspersky Security Center. The default installation path: <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

   You must launch the klsrvswch utility on the Administration Server device under the account with administrator rights that was used to install Administration Server.

2. Click the Next button of the Wizard until you reach the Change DBMS access credentials step.
3. At the Change DBMS access credentials step of the Wizard, perform the following:
   • Select the Apply new credentials option.
   • Specify a new account name in the Account field.
   • Specify a new password for an account in the Password field.
   • Specify the new password in the Confirm password field.

   You should specify credentials of an account that exists in the DBMS.

4. Click the Next button.

After the Wizard finishes, the DBMS credentials are changed.

Resolving issues with Administration Server nodes

The console tree in the left pane of Administration Console contains nodes of Administration Servers. You can add as many Administration Servers as you need to the console tree.

The list of Administration Server nodes in the console tree is stored in a shadow copy of a .msc file by means of Microsoft Management Console. The shadow copy of this file is located in the %USERPROFILE%\AppData\Roaming\Microsoft\MMC\ folder on the device where the Administration Console is installed. For each Administration Server node, the file contains the following information:

• Administration Server address
• Port number
• Whether TLS is in use

  This parameter depends on the port number used to connect Administration Console to the Administration Server.

• User name
• Administration Server certificate

Troubleshooting

When Administration Console connects to the Administration Server, the certificate stored locally is compared to the Administration Server certificate. If the certificates do not match, Administration Console generates an error. For example, a certificate mismatch may occur when you replace the Administration Server certificate. In this case, recreate the Administration Server node in the console.

To recreate an Administration Server node:

1. Close the Kaspersky Security Center Administration Console window.
2. Delete the Kaspersky Security Center 14 file at %USERPROFILE%\AppData\Roaming\Microsoft\MMC\.
3. Run Kaspersky Security Center Administration Console.

   You will be prompted to connect to the Administration Server and accept its existing certificate.

4. Do one of the following:
   • Accept the existing certificate by clicking the Yes button.
   • To specify your certificate, click the No button, and then browse to the certificate file to be used to authenticate the Administration Server.

The certificate issue is resolved. You can use Administration Console to connect to the Administration Server.

Viewing and modifying the settings of an Administration Server

You can adjust the settings of an Administration Server in the properties window of this Server.

To open the Properties: Administration Server window,

Select Properties in the context menu of the Administration Server node in the console tree.

Adjusting the general settings of Administration Server

You can adjust the general settings of Administration Server in the General, Administration Server connection settings, Events repository, and Security sections of the Administration Server properties window.

The Security section is not displayed in the Administration Server properties window if the display has been disabled in the Administration Console interface.

To enable the display of the Security section in Administration Console:

1. In the console tree, select the Administration Server that you want.
2. In the View menu of the main application window, select Configure interface.
3. In the Configure interface window that opens, select the Display security settings sections check box and click OK.
4. In the window with the application message, click OK.

The Security section will be displayed in the Administration Server properties window.

Administration Console interface settings

You can adjust the interface settings of Administration Console to display or hide the user interface controls related to the following features:

• Vulnerability and Patch Management
• Data encryption and protection
• Endpoint control settings
• Mobile Device Management
• Secondary Administration Servers
• Security Settings sections

To configure the Administration Console interface settings:

1. In the console tree, select the Administration Server that you want.
2. In the View menu of the main application window, select Configure interface.
3. In the Configure interface window that opens, select the check boxes next to the features that you want displayed and click OK.
4. In the window with the application message, click OK.

The selected features will be displayed in the Administration Console interface.

Event processing and storage on the Administration Server

Information about events that occur during the operation of the application and managed devices is saved in the Administration Server database. Each event is attributed to a certain type and level of severity (Critical event, Functional failure, Warning, or Info). Depending on the conditions under which an event occurred, the application can assign different levels of severity to events of the same type.

You can view types and levels of severity assigned to events in the Event configuration section of the Administration Server properties window. In the Event configuration section, you can also configure processing of every event by the Administration Server:

• Registration of events on the Administration Server and in event logs of the operating system on a device and on the Administration Server.
• Method used for notifying the administrator of an event (for example, an SMS or email message).

In the Events repository section of the Administration Server properties window, you can edit the settings of events storage in the Administration Server database by limiting the number of event records and record storage term. When you specify the maximum number of events, the application calculates an approximate amount of storage space required for the specified number. You can use this approximate calculation to evaluate whether you have enough free space on the disk to avoid database overflow. The default capacity of the Administration Server database is 400,000 events. The maximum recommended capacity of the database is 45 million events.

The application checks the database every 10 minutes. If the number of events reaches the specified maximum value plus 10,000, the application deletes the oldest events so that only the specified maximum number of events remains.

When the Administration Server deletes old events, it cannot save new events to the database. During this period of time, information about events that were rejected is written to the Kaspersky Event Log. The new events are queued and then saved to the database after the deletion operation is complete.

You can change the settings of any task to save events related to the task progress, or save only task execution results. In doing so, you will reduce the number of events in the database, increase the speed of execution of scenarios associated with analysis of the event table in the database, and lower the risk that critical events will be overwritten by a large number of events.

Viewing log of connections to the Administration Server

The history of connections and attempts to connect to the Administration Server during its operation can be saved to a log file. The information in the file allows you to track not only connections on your network infrastructure, but unauthorized attempts to access the Administration Server as well.

To log events of connection to the Administration Server:

1. In the console tree, select the Administration Server for which you want to enable connection event logging.
2. In the context menu of the Administration Server, select Properties.
3. In the properties window that opens, in the Administration Server connection settings section, select the Connection ports subsection.
4. Enable the Log Administration Server connection events option.
5. Click the OK button to close the Administration Server properties window.

All further events of inbound connections to the Administration Server, authentication results, and SSL errors will be saved to the file %ProgramData%\KasperskyLab\adminkit\logs\sc.syslog.

Control of virus outbreaks

Kaspersky Security Center allows you to quickly respond to emerging threats of virus outbreaks. Risks of virus outbreaks are assessed by monitoring virus activity on devices.

You can configure assessment rules for threats of virus outbreaks and actions to take in case one emerges; to do this, use the Virus outbreak section of the properties window of Administration Server.

You can specify the notification procedure for the Virus outbreak event in the Event configuration section of the Administration Server properties window, in the Virus outbreak event properties window.

The Virus outbreak event is generated upon detection of Malicious object detected events during the operation of security applications. Therefore, you must save information about all Malicious object detected events on Administration Server in order to recognize virus outbreaks.

You can specify the settings for saving information about any Malicious object detected event in the policies of the security applications.

When Malicious object detected events are counted, only information from the devices of the primary Administration Server is taken into account. The information from secondary Administration Servers is not taken into account. For each secondary Server, the Virus outbreak event is configured individually.

Limiting traffic

Expand all | Collapse all

To reduce traffic volumes within a network, the application provides the option to limit the speed of data transfer to an Administration Server from specified IP ranges and IP subnets.

You can create and configure traffic-limiting rules in the Traffic section of the Administration Server properties window.

To create a traffic-limiting rule:

1. In the console tree, select the node with the name of the Administration Server for which you want to create a traffic-limiting rule.
2. In the context menu of the Administration Server, select Properties.
3. In the Administration Server properties window, select the Traffic section.
4. Click the Add button.
5. In the New rule window, specify the following settings:

   In the IP range to limit traffic section, select the method that will be used to define the subnet or range for which the data transfer rate will be limited, and then enter the values of the settings for the selected method. Select one of the following methods:

   • Specify the range by using address and network mask

     Traffic is limited based on subnet settings. Specify the subnet address and the subnet mask for determining the range in which traffic will be limited.

     You can also click Browse to add subnets from the global list of subnets.

   • Specify the range by using start and end addresses

     Traffic is limited based on a range of IP addresses. Specify the range of IP addresses in the Start and End entry fields.

     This option is selected by default.

   In the Traffic limit section, you can adjust the following restrictive settings for the data transfer rate:

   • Time interval

     Time interval during which the traffic restriction will be in force. You can specify the boundaries of the time interval in the entry fields.

   • Limit (KB/s)

     Maximum total transfer speed of incoming and outgoing data of the Administration Server. Traffic restriction will only be effective within the interval specified in the Time interval field.

   • Limit traffic for the remaining time (KB/s)

     Traffic will be limited not only within the interval specified in the Time interval field, but also at other times.

     By default, this check box is cleared. The value of this field may not match the value of the Limit (KB/s) field.

Primarily, traffic limiting rules affect the transfer of files. These rules do not apply to the traffic generated by synchronization between Administration Server and Network Agent, or between primary and secondary Administration Servers.

Configuring Web Server

Web Server is designed for publishing stand-alone installation packages, iOS MDM profiles, and files from a shared folder.

You can define the settings for Web Server connection to the Administration Server and set the Web Server certificate in the Web Server section of the Administration Server properties window.

Working with internal users

The accounts of internal users are used to work with virtual Administration Servers. Kaspersky Security Center grants the rights of real users to internal users of the application.

The accounts of internal users are created and used only within Kaspersky Security Center. No data on internal users is transferred to the operating system. Kaspersky Security Center authenticates internal users.

You can configure accounts of internal users in the User accounts folder of the console tree.

Backup and restoration of Administration Server settings

Backup of the settings of Administration Server and its database is performed through the backup task and klbackup utility. A backup copy includes all the main settings and objects pertaining to the Administration Server, such as certificates, primary keys for encryption of drives on managed devices, keys for various licenses, structure of administration groups with all of its contents, tasks, policies, etc. With a backup copy you can recover the operation of an Administration Server as soon as possible, spending from a dozen minutes to a couple of hours on this.

If no backup copy is available, a failure may lead to an irrevocable loss of certificates and all Administration Server settings. This will necessitate reconfiguring Kaspersky Security Center from scratch, and performing initial deployment of Network Agent on the organization's network again. All primary keys for encryption of drives on managed devices will also be lost, risking irrevocable loss of encrypted data on devices with Kaspersky Endpoint Security. Therefore, do not neglect regular backups of Administration Server using the standard backup task.

The Quick Start Wizard creates the backup task for Administration Server settings and sets it to run daily, at 4:00 AM. Backup copies are saved by default in the folder %ALLUSERSPROFILE%\Application Data\KasperskySC.

If an instance of Microsoft SQL Server installed on another device is used as the DBMS, you must modify the backup task by specifying a UNC path, which is available for write by both the Administration Server service and the SQL Server service, as the folder to store backup copies. This requirement derives from a special feature of backup in the Microsoft SQL Server DBMS.

If a local instance of Microsoft SQL Server is used as the DBMS, we also recommend to save backup copies on a dedicated medium in order to secure them against damage together with Administration Server.

Because a backup copy contains important data, the backup task and klbackup utility provide for password protection of backup copies. By default, the backup task is created with a blank password. You must set a password in the properties of the backup task. Neglecting this requirement causes a situation where all keys of Administration Server certificates, keys for licenses, and primary keys for encryption of drives on managed devices remain unencrypted.

In addition to the regular backup, you must also create a backup copy prior to every significant change, including installation of Administration Server upgrades and patches.

If you use Microsoft SQL Server as the DBMS, you can minimize the size of backup copies. To do this, enable the Compress backup option in the SQL Server settings.

Restoration from a backup copy is performed with the utility klbackup on an operable instance of Administration Server that has just been installed and has the same version (or later) for which the backup copy was created.

The instance of Administration Server on which the restoration is to be performed, must use a DBMS of the same type (for example, the same SQL Server or MariaDB) and the same or later version. The version of Administration Server can be the same (with an identical or later patch), or later.

This section describes standard scenarios for restoring settings and objects of Administration Server.

Using a file system snapshot to reduce the backup duration

In Kaspersky Security Center 14, the idle time of Administration Server during backup has been reduced as compared to earlier versions. Moreover, the Use file system snapshot for data backup feature has been added to the task settings. This feature provides additional idle reduction by using the klbackup utility, which creates a shadow copy of the disk during backup (this takes a few seconds) and simultaneously copies the database (this takes a few minutes at longest). When klbackup creates a shadow copy of the disk and a copy of the database, the utility makes the Administration Server connectible again.

You can use the file system snapshotting feature only if these two conditions are met:

• The Administration Server shared folder and the %ALLUSERSPROFILE%\KasperskyLab folder are located on the same logical disk and are local in reference to the Administration Server.
• The %ALLUSERSPROFILE%\KasperskyLab folder does not contain any symbolic links that have been created manually.

Do not use the feature if either of these conditions cannot be met. In this case, the application would return an error message in response to any attempt to create a file system snapshot.

To use the feature, you must have an account that has been granted the permission to create snapshots of the logical disk storing the %ALLUSERSPROFILE% folder. Note that the Administration Server service account has no such permission.

To use the file system snapshotting feature in order to reduce the backup duration:

1. In the Tasks section, select the backup task.
2. In the context menu, select Properties.
3. In the task properties window that opens, select the Settings section.
4. Select the Use file system snapshot for data backup check box.
5. In the User name and Password fields, enter the name and password of an account that has the permission to create snapshots of the logical disk storing the %ALLUSERSPROFILE% folder.
6. Click Apply.

At any further startup of the backup task, the klbackup utility will create file system snapshots thus reducing the Administration Server idle time during the task run.

A device with Administration Server is inoperable

If a device with Administration Server is inoperable due to a failure, you are recommended to perform the following actions:

• The new Administration Server must be assigned the same address: NetBIOS name, FQDN, or static IP (depending on which of them was set when Network Agents were deployed).
• Install Administration Server, using a DBMS of the same type, of the same (or later) version. You can install the same version of Server with the same (or later) patch, or a later version. After installation, do not perform the initial setup through the Wizard.
• In the Start menu, run the klbackup utility and perform restoration.

The settings of Administration Server or the database are corrupted

If Administration Server is inoperable due to corrupted settings or database (e.g., after a power surge), you are recommended to use the following restoration scenario:

1. Scan the file system on the damaged device.
2. Uninstall the inoperable version of Administration Server.
3. Reinstall Administration Server, using a DBMS of the same type and of the same (or later) version. You can install the same version of Server with the same (or later) patch, or a later version. After installation, do not perform the initial setup through the Wizard.
4. In the Start menu, run the utility klbackup and perform restoration.

It is prohibited to restore Administration Server in any way other than through the klbackup utility.

Any attempts to restore Administration Server through third-party software will inevitably lead to desynchronization of data on nodes of the distributed application Kaspersky Security Center and, consequently, to improper functioning of the application.

Backup copying and restoration of Administration Server data

Data backup allows you to move Administration Server from one device to another without data loss. Through backup, you can restore data when moving the Administration Server database to another device, or when upgrading to a newer version of Kaspersky Security Center. Also, you can use data backup to move Administration Server data from Kaspersky Security Center Windows under management of Kaspersky Security Center Linux (moving data from Kaspersky Security Center Linux to Kaspersky Security Center Windows is not supported).

Note that the installed management plug-ins are not backed up. After you restore Administration Server data from a backup copy, you need to download and reinstall plug-ins for managed applications.

Before you back up the Administration Server data, check whether a virtual Administration Server is added to the administration group. If a virtual Administration Server is added, make sure that an administrator is assigned to this virtual Administration Server before the backup. You cannot grant the administrator access rights to the virtual Administration Server after the backup. Note that if the administrator account credentials are lost, you will not be able to assign a new administrator to the virtual Administrator Server.

You can create a backup copy of Administration Server data in one of the following ways:

• By creating and running a data backup task through Administration Console.
• By running the klbackup utility on the device that has Administration Server installed. This utility is included in the Kaspersky Security Center distribution kit. After the installation of Administration Server, the utility is located in the root of the destination folder specified at the application installation.

The following data is saved in the backup copy of Administration Server:

• Database of Administration Server (policies, tasks, application settings, events saved on the Administration Server).
• Configuration details of the structure of administration groups and client devices.
• Repository of distribution packages of applications for remote installation.
• Administration Server certificate.

Recovery of Administration Server data is only possible using the klbackup utility.

Backup of Administration Server data task

Creating a Backup of Administration Server data task

Backup task is an Administration Server task; it is created through the Quick Start Wizard. If a backup task created by the Quick Start Wizard has been deleted, you can create one manually.

To create an Administration Server data backup task:

1. In the console tree, select the Tasks folder.
2. Start creation of the task in one of the following ways:
   • By selecting New → Task in the context menu of the Tasks folder in the console tree.
   • By clicking the Create a task button in the workspace.

The Add Task Wizard starts. Follow the instructions of the Wizard. In the Select the task type window of the Wizard select the task type named Backup of Administration Server data.

The Backup of Administration Server data task can only be created in a single copy. If the Administration Server data backup task has already been created for the Administration Server, it is not displayed in the task type selection window of the Backup Task Creation Wizard.

Configuring the Backup of Administration Server data task

After creating a backup task, you can configure the task settings.

To configure the Backup of Administration Server data task:

1. In the console tree, select the Tasks folder.
2. In the context menu of the Backup of Administration Server data task, select Properties.

The properties window of the Backup of Administration Server data task opens. The following properties are available:

• General

  In the General section, you can specify the task name, view the task creation date, the last command date, the statuses of the task launches, and task results.

• Notification

  In the Notification section you can specify the settings for storing tasks, as well as configure the notifications about the task execution results.

• Schedule

  In the Schedule section, you can specify a schedule for task start.

• Destination

  In the Destination section, you can specify the path to the folder for storage backup copies of Administration Server data.

• Settings

  In the Settings section, you can set the backup protection password and number of backup copies if needed.

  You can also create a shadow copy of the logical disk storing the %ALLUSERSPROFILE% folder and copy the Administration Server database. To do this, you must enable the Use a file system snapshot for data backup option, and then and specify the name and password of an account that has the permission to create snapshots.

• Revision history

  In the Revision history section, you can track the task modification. Every time you save changes made to the task, a revision is created.

Data backup and recovery utility (klbackup)

You can copy Administration Server data for backup and future recovery using the klbackup utility, which is part of the Kaspersky Security Center distribution kit.

The klbackup utility can run in either of the two following modes:

• Interactive
• Silent

Data backup and recovery in interactive mode

Expand all | Collapse all

To create a backup copy of Administration Server data in interactive mode:

1. Run the klbackup utility located in the Kaspersky Security Center installation folder.

   The Backup and Restore Wizard starts.

2. In the first window of the Wizard, select Perform backup of Administration Server data.

   If you select the Restore or back up Administration Server certificate only option, only a backup copy of the Administration Server certificate and private key will be saved.Backing up of the Administration Server certificate and private key can be useful when you switch managed devices under management of another Administration Server.

   Click Next.

3. In the next window of the Wizard, specify the following options:
   • Destination folder for the backup
   • Migrate to MySQL/MariaDB format

     Enable this option if you currently use SQL Server as a DBMS for Administration Server and you want to migrate the data from SQL Server to MySQL or MariaDB DBMS. Kaspersky Security Center will create a backup compatible with MySQL and MariaDB. After that, you can restore the data from the backup into MySQL or MariaDB.

   • Migrate to Azure format

     Enable this option if you currently use SQL Server as a DBMS for Administration Server and you want to migrate the data from SQL Server to Azure SQL DBMS. Kaspersky Security Center will create a backup compatible with Azure SQL. After that, you can restore the data from the backup into Azure SQL.

   • Include current date and time in the name of the backup destination folder
   • Password for the backup
4. Click the Next button to start backup.
5. If you are working with a database in a cloud environment such as Amazon Web Services (AWS) or Microsoft Azure, in the Sign In to Online Storage window, fill in the following fields:
   • For AWS:
     • S3 bucket name

       The name of the S3 bucket that you created for the Backup.

     • Access key ID

       You received the key ID (sequence of alphanumeric characters) when you created the IAM user account for working with S3 bucket storage instance.

       The field is available if you selected RDS database on an S3 bucket.

     • Secret key

       The secret key that you received with the access key ID when you created the IAM user account.

       The characters of the secret key are displayed as asterisks. After you begin entering the secret key, the Show button is displayed. Click and hold this button for the necessary amount of time to view the characters you entered.

       The field is available if you selected an AWS IAM access key for authorization instead of an IAM role.

   • For Microsoft Azure:
     • Azure storage account name

       You created the name of the Azure storage account for working with Kaspersky Security Center.

     • Azure Subscription ID

       You created the subscription on the Azure portal.

     • Azure password

       You received the password of the Application ID when you created the Application ID.

       The characters of the password are displayed as asterisks. After you begin entering the password, the Show button becomes available. Click and hold this button to view the characters you entered.

     • Azure Application ID

       You created this application ID on the Azure portal.

       You can provide only one Azure Application ID for polling and other purposes. If you want to poll another Azure segment, you must first delete the existing Azure connection.

     • Azure SQL server name

       The name and the resource group are available in your Azure SQL Server properties.

     • Azure SQL server resource group

       The name and the resource group are available in your Azure SQL Server properties.

     • Azure storage access key

       Available in the properties of your storage account, in the Access Keys section. You can use any of the keys (key1 or key2).

To recover Administration Server data in interactive mode:

1. Run the klbackup utility located in the Kaspersky Security Center installation folder. Start the utility under the same account that you used to install Administration Server.

   The Backup and Restore Wizard starts.

2. In the first window of the Wizard, select Restore Administration Server data, and then click Next.

   If you select the Restore or back up Administration Server certificate only option, the Administration Server certificate and private key will only be recovered.

   When you run the klbackup utility on the inactive failover cluster node, you will be prompted to select one of the options: specify Administration Server certificate or automatically retrieve data from Administration Server.

3. In the Restore settings window of the Wizard:
   • Specify the folder that contains a backup copy of Administration Server data.

     If you are working in a cloud environment such as AWS or Azure, specify the address of the storage. Also, make sure that the file is named backup.zip.

   • Specify the password that was entered during data backup.

     When restoring data, you must specify the same password that was entered during backup. If the path to a shared folder changed after backup, check the operation of tasks that use restored data (restore tasks and remote installation tasks). If necessary, edit the settings of these tasks. While data is being restored from a backup file, no one must access the shared folder of Administration Server. The account under which the klbackup utility is started must have full access to the shared folder.

4. Click the Next button to restore data.

Data backup and recovery in silent mode

To create a backup copy or recover Administration Server data in silent mode,

Run klbackup with the required set of keys from the command line of the device that has Administration Server installed.

Network agent flags are not restored when you use the klbackup utility. You need to configure network agent flags manually.

Utility command line syntax:

klbackup -path BACKUP_PATH [-linux_path LINUX_PATH][-node_cert CERT_PATH] [-logfile LOGFILE] [-use_ts]|[-restore] [-password PASSWORD] [-online]

If no password is specified in the command line of the klbackup utility, the utility prompts you to enter the password interactively.

Descriptions of the keys:

• -path BACKUP_PATH—Save information in the BACKUP_PATH folder, or use data from the BACKUP_PATH folder for recovery (mandatory parameter).

  The database server account and the klbackup utility should be granted permissions for changing data in the folder BACKUP_PATH.

• -linux_path LINUX_PATH—Local path to folder with backup data for SQL Server on Linux.

  The database server account and the klbackup utility should be granted permissions for changing data in the folder LINUX_PATH.

• -node_cert CERT_PATH—Server certificate file to configure inactive failover cluster node after recovery. If not set, it will be automatically retrieved from the Server.

  When you run the klbackup utility on the inactive failover cluster node, use this key to specify the path to the server certificate.

• -logfile LOGFILE—Save a report about Administration Server data backup and recovery.
• -use_ts—When saving data, copy information to the BACKUP_PATH folder, to the subfolder with a name in the klbackup YYYY-MM-DD # HH-MM-SS format, which includes the current date and operation time in UTC. If no key is specified, information is saved in the root of the folder BACKUP_PATH.

  During attempts to save information in a folder that already stores a backup copy, an error message appears. No information will be updated.

  Availability of the -use_ts key allows an Administration Server data archive to be maintained. For example, if the -path key indicates the folder C:\KLBackups, the folder klbackup 2022/6/19 # 11-30-18 then stores information about the status of the Administration Server as of June 19, 2022, at 11:30:18 AM.

• -restore—Recover Administration Server data. Data recovery is performed based on information contained in the BACKUP_PATH folder. If no key is available, data is backed up in the BACKUP_PATH folder.
• -password PASSWORD—Password to protect the sensitive data.

  A forgotten password cannot be recovered. There are no password requirements. The password length is unlimited and zero length (no password) is also possible.

  When restoring data, you must specify the same password that was entered during backup. If the path to a shared folder changed after backup, check the operation of tasks that use restored data (restore tasks and remote installation tasks). If necessary, edit the settings of these tasks. While data is being restored from a backup file, no one must access the shared folder of Administration Server. The account under which the klbackup utility is started must have full access to the shared folder. We recommend that you run the utility on a newly installed Administration Server.

• -online—Back up Administration Server data by creating a volume snapshot to minimize the offline time of the Administration Server. When you use the utility to recover data, this option is ignored.

Using the klbackup utility to switch managed devices under management of another Administration Server

The klbackup utility allows you to switch managed devices under management of another Administration Server. You can migrate managed devices between Kaspersky Security Center Windows Administration Servers.

To switch managed devices under management of another Administration Server by using the klbackup utility:

1. On the previous device, create a backup copy of the Administration Server certificate and private key by using the klbackup utility interface.

   Run the klbackup utility located in the Kaspersky Security Center installation folder, and then create a backup by using the Restore or back up Administration Server certificate only option.

2. On the previous device, disconnect Administration Server from the network.
3. Assign the same address to the device with another Administration Server.

   The new Administration Server can be assigned the NetBIOS name, FQDN, and static IP address. It depends on which Administration Server address was set in the Network Agent installation package when Network Agents were deployed. Alternatively, you can use the connection address that determines the Administration Server to which Network Agent connects (you can obtain this address on managed devices by using the klnagchk utility).

4. On a device with another Administration Server, restore the Administration Server certificate and private key from the backup copy.

   You can restore a backup copy in one of the following ways:

   • By using the klbackup utility interface

     Run the klbackup utility, and then restore a backup by using the Restore or back up Administration Server certificate only option.

   • By using the command prompt (for Kaspersky Security Center Windows Administration Server version 15.1 or later)

     Run the klbackup utility with the -cert_only key from the command line, to restore a backup copy of the Administration Server certificate and private key:

     klbackup -path <path to the backup copy of Administration Server certificate> -restore -cert_only

Managed devices are put under the management of another Administration Server. You can go to this Administration Server and ensure that managed devices are visible in the network, and that Network Agent is installed and running on them (the Yes value in the Visible, Network Agent is installed, and Network Agent is running columns).

Backup and restoring Administration Server data when using MySQL or MariaDB

You can use a data backup to migrate Administration Server data from Kaspersky Security Center Windows under management of Kaspersky Security Center Linux. Migration by using Administration Server data backup is supported only for migration to Kaspersky Security Center Linux 15.2 or later from any supported version of Kaspersky Security Center Windows.

If you use MySQL or MariaDB as a DBMS for Kaspersky Security Center Windows and for Kaspersky Security Center Linux, the lower_case_table_names parameter must match for the current and new DBMSs. Otherwise, Administration Server data will be migrated incorrectly.

Before you backup Administration Server data on Kaspersky Security Center Windows, check the lower_case_table_names parameter value. If you do not specify this parameter during the DBMS installation earlier, the default parameter value is used. The default value of the lower_case_table_names parameter for Windows is 1.

When installing MySQL or MariaDB for Kaspersky Security Center Linux, set the lower_case_table_names parameter to the same value as specified for this parameter for Windows by using the instruction from the MySQL website. If you do not specify this parameter, the default parameter value is used. For Linux-based operating systems, the default value of the lower_case_table_names parameter is different from the default value for Windows.

If you want to install MySQL 8.0, specifying the lower_case_table_names parameter according to this instruction may not work. In this case, you must first install MySQL 5.7, specify the lower_case_table_names parameter by using the instruction, and then upgrade MySQL 5.7 to MySQL 8.0. If the lower_case_table_names parameter does not match for the current and new DBMSs, Administration Server data will be restored incorrectly.

Migration to Kaspersky Security Center Linux by using Administration Server data backup

You can use a data backup to migrate the Kaspersky Security Center Windows Administration Server data to Kaspersky Security Center Linux. Before the migration, make sure that necessary features of Kaspersky Security Center Windows are supported in Kaspersky Security Center Linux.

Limitations:

• The DBMS type used for Kaspersky Security Center Linux must match the DBMS type in the backup from Kaspersky Security Center Windows.

  An exception to this is if you use Microsoft SQL Server as a DBMS for Kaspersky Security Center Windows. Since Kaspersky Security Center Linux does not support Microsoft SQL Server, you can migrate Administration Server data stored in the Microsoft SQL Server database to PostgreSQL, Postgres Pro, MySQL, or MariaDB.

• Migration of Administration Server data stored in the Microsoft SQL Server, MySQL, or MariaDB database to MySQL or MariaDB is supported for migration from any supported version of Kaspersky Security Center Windows to Kaspersky Security Center Linux version 15.2 or later.
• Migration of Administration Server data stored in the Microsoft SQL Server database to PostgreSQL or Postgres Pro is supported for migration from Kaspersky Security Center Windows version 14.2 or later to Kaspersky Security Center Linux version 15.3 or later.

  To support migration to PostgreSQL or Postgres Pro, you must install the patch 15.1.0.20748-pf2 for Kaspersky Security Center Windows Administration Server. Contact Kaspersky Technical Support to get this patch.

• If you use MySQL or MariaDB as a DBMS for Kaspersky Security Center Windows and for Kaspersky Security Center Linux, the lower_case_table_names parameter must match for the current and new DBMSs.

  Before you create a data backup, check the lower_case_table_names parameter. Then, when installing MySQL or MariaDB for Kaspersky Security Center Linux, you must set this parameter to the same value as specified for this parameter for Windows.

Stages

Migration by using the Administration Server data backup proceeds in stages:

1. Creating an up-to-date backup copy of the Kaspersky Security Center Windows Administration Server data

   Depending on the DBMS type used for Kaspersky Security Center Windows and Kaspersky Security Center Linux, do one of the following:

   • For migration to the same DBMS type: create a backup copy by using the klbackup utility or a data backup task on the device that has Administration Server installed.
   • For migration of Microsoft SQL Server to MySQL or MariaDB: create a backup copy by using the klbackup utility, with the Migrate to MySQL/MariaDB format option enabled.
   • For migration of Microsoft SQL Server to PostgreSQL or Postgres Pro:
     1. Install the patch 15.1.0.20748-pf2 for Administration Server to support migration to PostgreSQL and Postgres Pro. Contact Kaspersky Technical Support to get this patch.
     2. Create a backup copy by using the klbackup utility.

        If you run klbackup from the command line, use the -migrate postgres flag.

        If you use the klbackup interface, enable the Migrate to Postgres format option.

   After creating a backup copy, disconnect Kaspersky Security Center Windows Administration Server from the network.

2. Preparing a new device for installation of Kaspersky Security Center Linux

   At this stage of the scenario, you have to do the following:

   1. Select a new device on which to install the Administration Server. This device must meet the hardware and software requirements. Also, check that the ports used on Administration Server are available.
   2. Assign the same address to the new device.

      The new Administration Server can be assigned the NetBIOS name, FQDN, and static IP address. It depends on which Administration Server address was set in the Network Agent installation package when Network Agents were deployed. Alternatively, you can use the connection address that determines the Administration Server to which Network Agent connects (you can obtain this address on managed devices by using the klnagchk utility).

3. Installing and configuring the DBMS

   At this stage of the scenario, you have to do the following:

   1. Select the DBMS type that provides optimum performance. Take into account the number of networked devices, network topology, and workload on the network. You can choose from one of the supported DBMSs.
   2. Install the DBMS according to the DBMS type selected when creating a backup. For information about how to install the selected DBMS, refer to its documentation.

      A new database version must not be lower than the current one.

   3. Configure the DBMS for working with Kaspersky Security Center Linux.
4. Installing Kaspersky Security Center Linux and completing the migration

   At this stage of the scenario, you have to do the following:

   1. Install Kaspersky Security Center Linux on the new device.
   2. After the installation is complete, recover Administration Server data on the new device by using the klbackup utility.
   3. Install Kaspersky Security Center Web Console.

      If Kaspersky Security Center Web Console was installed earlier, reinstall it with the same response file.

   4. Open Kaspersky Security Center Web Console and connect to the Administration Server.

      The data initialization process usually takes up to 15 minutes after restoring Administration Server data, but the time depends on the hardware performance and the size of Administration Server data. During this time, Kaspersky Security Center Web Console may fail to connect and display the errors.

   5. Check the functionality of the main Administration Server features when the data initialization in the database is complete. Verify that Administration Server synchronizes with managed devices and Administration Server data is recovered.
   6. Poll domain controllers to restore information about the domain structure, user accounts, security groups, and DNS names of the devices that are included in the domains.
   7. If necessary, uninstall the Administration Server and the database server from the previous device.

      There must not be multiple Administration Servers on the same network with the same connection address and Administration Server certificate.

The administrator has access to Administration Server data and managed devices which were in Kaspersky Security Center Windows, taking into account the functionality supported in Kaspersky Security Center Linux.

Moving Administration Server and a database server to another device

Expand all | Collapse all

If you need to use Administration Server on a new device, you can move it in one of the following ways:

• Move Administration Server and the database server to a new device (the database server can be installed on the new device together with Administration Server, or on another device).
• Keep the database server on the previous device and move only Administration Server to a new device.

To move Administration Server and the database server to a new device:

1. On the previous device, create a backup of Administration Server data.

   To do this, you can run the data backup task through Administration Console or run the klbackup utility.

   If you use SQL Server as a DBMS for Administration Server, you can migrate the data from SQL Server to MySQL or MariaDB DBMS. To do this, run the klbackup utility in interactive mode to create a data backup. Enable the Migrate to MySQL/MariaDB format option in the Backup settings window of the Backup and Restore Wizard. Kaspersky Security Center will create a backup compatible with MySQL and MariaDB. After that, you can restore the data from the backup into MySQL or MariaDB.

   You can also enable the Migrate to Azure format option to if you want to migrate the data from SQL Server to Azure SQL DBMS.

2. On the previous device, disconnect Administration Server from the network.
3. Select a new device on which to install the Administration Server. Make sure that the hardware and software on the selected device meet the requirements for Administration Server, Administration Console, and Network Agent. Also, check that ports used on Administration Server are available.
4. Assign the same address to the new device.

   The new Administration Server can be assigned the NetBIOS name, FQDN, and static IP address. It depends on which Administration Server address was set in the Network Agent installation package when Network Agents were deployed. Alternatively, you can use the connection address that determines the Administration Server to which Network Agent connects (you can obtain this address on managed devices by using the klnagchk utility).

5. If needed, on another device, install the database management system (DBMS) that the Administration Server will use.

   The database can be installed on the new device together with Administration Server, or on another device. Ensure that this device meets the hardware and software requirements. When you select a DBMS, consider the number of devices covered by the Administration Server.

6. Run the installation of the Administration Server on the new device.
7. During the Administration Server installation, configure the database server connection settings.

   

   Example of the Connection settings window for Microsoft SQL Server

   Depending on where you need to locate the database server, do one of the following:

   • Keep the database server on the previous device
     1. Click the Browse button next to the SQL Server instance name field, and then select the previous device name in the list that appears.

        Note that the previous device must be available for connection with the new Administration Server.

     2. Enter the previous database name in the Database name field.
   • Move the database server to another device
     1. Click the Browse button next to the SQL Server instance name field, and then select the device name in the list that appears.
     2. Enter the new database name in the Database name field.

        Note that the new database name must match the name of database from the previous device. The names of databases must be identical, so that you can use the Administration Server backup. The default database name is KAV.

8. After the installation is complete, recover Administration Server data on the new device by using the klbackup utility.

   If you use SQL Server as a DBMS on the previous and new devices, note that the version of SQL Server installed on the new device must be the same or later than the version of SQL Server installed on the previous device. Otherwise, you cannot recover Administration Server data on the new device.

9. Open Administration Console and connect to the Administration Server.
10. Verify that all managed devices are connected to the Administration Server.
11. Uninstall the Administration Server and the database server from the previous device.

You can also use Kaspersky Security Center Web Console to move Administration Server and a database server to another device.

Avoiding conflicts between multiple Administration Servers

If you have more than one Administration Server on your network, they can see the same client devices. This may result, for example, in remote installation of the same application to one and the same device from more than one Server and other conflicts. To avoid such a situation, Kaspersky Security Center 14 allows you to prevent an application from being installed on a device managed by another Administration Server.

You can also use the Managed by a different Administration Server property as a criterion for the following purposes:

• Searching for devices
• Device selections
• Device moving rules
• Auto-tagging rules

Kaspersky Security Center 14 uses heuristics to determine whether a client device is managed by the Administration Server you are working with or by a different Administration Server.

Two-step verification

This section describes how you can use two-step verification to reduce the risk of unauthorized access to Administration Console or Kaspersky Security Center Web Console.

About two-step verification

When two-step verification is enabled for an account, a single-use security code is required, in addition to the user name and password, to log in to Administration Console or Kaspersky Security Center Web Console. With domain authentication enabled, the user only needs to enter the single-use security code.

To use two-step verification, install an authenticator app that generates single-use security codes on the mobile device or computer. You can use any application that supports the Time-based One-time Password algorithm (TOTP), such as:

• Google Authenticator
• Microsoft Authenticator
• Bitrix24 OTP
• Yandex Key

We highly recommend that you save the secret key or QR code, and keep it in a safe place. This will help you to restore access to Kaspersky Security Center Web Console in case you lose access to the mobile device.

To secure the usage of Kaspersky Security Center, you can enable two-step verification for your own account and enable two-step verification for all users.

You can exclude accounts from two-step verification. This can be necessary for service accounts that cannot receive a security code for authentication.

Rules and Limitations

To be able to activate two-step verification for all users and deactivate two-step verification for particular users:

• Ensure your account has the Modify object ACLs right in the General features: User permissions functional area.
• Enable two-step verification for your account.

To be able to deactivate two-step verification for all users:

• Ensure your account has the Modify object ACLs right in the General features: User permissions functional area.
• Log in to Kaspersky Security Center Web Console by using two-step verification.

If two-step verification is enabled for a user account on Kaspersky Security Center Administration Server version 13 or later, the user will not be able to log in to the Kaspersky Security Center Web Console versions 12, 12.1 or 12.2.

Reissuing the secret key

Any user can reissue the secret key used for two-step verification. When a user logs in to the Administration Server with the reissued secret key, the new secret key is saved for the user account. If the user enters the new secret key incorrectly, the new secret key is not saved, and the current secret key remains valid.

A security code has an identifier referred to as issuer name. The security code issuer name is used as an identifier of the Administration Server in the authenticator app. The security code issuer name has a default value that is the same as the name of the Administration Server. You can change the name of the security code issuer name. If you change the security code issuer name, you must issue a new secret key and pass it to the authenticator app.

Scenario: configuring two-step verification for all users

This scenario describes how to enable two-step verification for all users and how to exclude user accounts from two-step verification. If you did not enable two-step verification for your account before you enable it for other users, the application opens the window for enabling two-step verification for your account, first. This scenario also describes how to enable two-step verification for your own account.

If you enabled two-step verification for your account, you may proceed to the stage of enabling of two-step verification for all users.

Prerequisites

Before you start:

• Make sure that your user account has the Modify object ACLs right of the General features: User permissions functional area for modifying security settings for other users' accounts.
• Make sure that the other users of Administration Server install an authenticator app on their devices.

Stages

Enabling two-step verification for all users proceeds in stages:

1. Installing an authenticator app on a device

   You can install any application that supports the Time-based One-time Password algorithm (TOTP), such as:

   • Google Authenticator
   • Microsoft Authenticator
   • Bitrix24 OTP
   • Yandex Key

   We strongly do not recommend installing the authenticator app on the same device from which the connection to Administration Server is established.

2. Synchronizing the authenticator app time with the time of the device on which Administration Server is installed

   Ensure that the time set in the authenticator app is synchronized with the time of Administration Server.

3. Enabling two-step verification for your account and receiving the secret key for your account

   How-to instructions:

   • For MMC-based Administration Console: Enabling two-step verification for your own account
   • For Kaspersky Security Center Web Console: Enabling two-step verification for your own account

   After you enable two-step verification for your account, you can enable two-step verification for all users.

4. Enabling two-step verification for all users

   Users with two-step verification enabled must use it to log in to Administration Server.

   How-to instructions:

   • For MMC-based Administration Console: Enabling two-step verification for all users
   • For Kaspersky Security Center Web Console: Enabling two-step verification for all users
5. Editing the name of a security code issuer

   If you have several Administration Servers with similar names, you may have to change the security code issuer names for better recognition of different Administration Servers.

   How-to instructions:

   • For MMC-based Administration Console: Editing the name of a security code issuer
   • For Kaspersky Security Center Web Console: Editing the name of a security code issuer
6. Excluding user accounts for which you do not need to enable two-step verification

   If required, you can exclude users from two-step verification. Users with excluded accounts do not have to use two-step verification to log in to Administration Server.

   How-to instructions:

   • For MMC-based Administration Console: Excluding accounts from two-step verification
   • For Kaspersky Security Center Web Console: Excluding accounts from two-step verification

Results

Upon completion of this scenario:

• Two-step verification is enabled for your account.
• Two-step verification is enabled for all user accounts of the Administration Server, except for user accounts that were excluded.

Enabling two-step verification for your own account

Before you enable two-step verification for your account, ensure that an authenticator app is installed on the mobile device. Ensure that the time set in the authenticator app is synchronized with the time of Administration Server.

To enable two-step verification for your account:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
2. In the Administration Server properties window, go to the Sections pane and select Advanced, and then Two-step verification.
3. In the Two-step verification section, click the Set up button.

   If two-step verification is already enabled for your account, clicking the Set up button resets the secret key so you can re-configure two-step verification.

   In the two-step verification properties window that opens, the secret key is displayed.

4. Enter the secret key in the authenticator app to receive one-time security code. You can specify the secret key into the authenticator app manually or scan the QR code by the authenticator app on the mobile device.
5. Specify the security code generated by the authenticator app, and then click the OK button to exit the two-step verification properties window.
6. Click the Apply button.
7. Click the OK button.

Two-step verification is enabled for your own account.

Enabling two-step verification for all users

You can enable two-step verification for all users of Administration Server if your account has the Modify object ACLs right in the General features: User permissions functional area and if you are authenticated by using two-step verification.

To enable two-step verification for all users:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step verification.
3. Click the Set as required button to enable two-step verification for all users.
4. If you did not enable two-step verification for your account, the application opens the window for enabling two-step verification for your own account.
   1. Enter the secret key in the authenticator app to receive one-time security code. You can specify the secret key into the authenticator app manually or scan the QR code by the authenticator app on the mobile device to receive one-time security code.
   2. Specify the security code generated by the authenticator app, and then click the OK button to exit the two-step verification properties window.
5. In the Two-step verification section, click the Apply button, and then click the OK button.

Two-step verification is enabled for all users. From now on, all users of Administration Server, including the users that were added after enabling this option, have to configure two-step verification for their accounts, except for the users whose accounts are excluded from two-step verification.

Disabling two-step verification for a user account

To disable two-step verification for your own account:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step verification.
3. In the Two-step verification section, click the Disable button.
4. Click the Apply button.
5. Click the OK button.

Two-step verification is disabled for your account.

You can disable two-step verification of other users' accounts. This provides protection in case, for example, a user loses or breaks a mobile device.

You can disable two-step verification of another user's account only if you have the Modify object ACLs right in the General features: User permissions functional area and if you are authenticated by using two-step verification. Following the steps below, you can disable two-step verification for your own account as well.

To disable two-step verification for any user account:

1. In the console tree, open the User accounts folder.

   The User accounts folder is a subfolder of the Advanced folder by default.

2. In the workspace, double-click the user account for which you want to disable two-step verification.

   For all user accounts for which two-step verification is enabled, the 2FA required column is set to Yes.

3. In the Properties: <user name> window that opens, select the Two-step verification section.
4. In the Two-step verification section, select the following options:
   • If you want to disable two-step verification for a user account, click the Disable button.
   • If you want to exclude this user account from two-step verification, select the User can pass authentication by using user name and password only option.
5. Click the Apply button.
6. Click the OK button.

Two-step verification for a user account is disabled.

If you want to restore access for a user that cannot log in to Administration Console by using two-step verification, disable two-step verification for this user account and select the User can pass authentication by using user name and password only option in the Two-step verification as described above. After that, log in to Administration Console under the user account for which you disabled two-step verification, and then enable verification again.

Disabling required two-step verification for all users

You can disable required two-step verification for all users of the Administration Server if you have Modify object ACLs right in the General features: User permissions functional area and if you are authenticated by using two-step verification.

To disable two-step verification for all users:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step verification.
3. Click the Set as optional button to disable two-step verification for all the users.
4. Click the Apply button in the Two-step verification section.
5. Click the OK button in the Two-step verification section.

Two-step verification is disabled for all users. Disabling two-step verification for all users does not applied to specific accounts for which two-step verification was previously enabled separately.

Excluding accounts from two-step verification

You can exclude an account from two-step verification if your account has the Modify object ACLs right in the General features: User permissions functional area.

If a user account is excluded from two-step verification, that user can log in to Administration Console or Kaspersky Security Center Web Console without using two-step verification.

Excluding accounts from two-step verification can be necessary for service accounts that cannot pass the security code during authentication.

To exclude a user account from two-step verification:

1. If you want to exclude an Active Directory account, perform Active Directory polling to refresh the list of Administration Server users.
2. In the console tree, open the User accounts folder.

   The User accounts folder is a subfolder of the Advanced folder by default.

3. In the workspace, double-click the user account that you want to exclude from two-step verification
4. In the Properties: <user name> window that opens, select the Two-step verification section.
5. In the opened section, select the User can pass authentication by using user name and password only option.
6. In the Two-step verification section, click the Apply button, and then click the OK button.

This user account is excluded from two-step verification. You can check the excluded accounts in the list of user accounts.

Editing the name of a security code issuer

You can have several identifiers (they are called issuers) for different Administration Servers. You can change the name of a security code issuer in case, for example, the Administration Server already uses a similar name of security code issuer for another Administration Server. By default, the name of a security code issuer is the same as the name of the Administration Server.

After you change the security code issuer name you have to reissue a new secret key and pass it to the authenticator app.

To specify a new name of a security code issuer:

1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step verification.
3. Specify a new security code issuer name in the Security code issuer field.
4. Click the Apply button in the Two-step verification section.
5. Click the OK button in the Two-step verification section.

A new security code issuer name is specified for the Administration Server.

Changing the Administration Server shared folder

The Administration Server shared folder is specified during installation of the Administration Server. You can change the location of the shared folder in the Administration Server properties.

To change the shared folder:

1. Create a network share folder and configure permissions for the share and for the folder structure to allow full control rights for the Everyone subgroup.
2. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder and select Properties.
3. In the Administration Server properties window, in the Sections pane, select Advanced, and then select Administration Server shared folder.
4. In the Administration Server shared folder section, click the Change button.
5. Select the folder that you want to use as shared.
6. Click the OK button to close the Administration Server properties window.
7. Assign read rights for the Everyone subgroup for the folder that you selected as shared.