Hardening Guide
Kaspersky Security Center Cloud Console is an application hosted and maintained by Kaspersky. You do not have to install Kaspersky Security Center Cloud Console on your computer or server. Kaspersky Security Center Cloud Console enables the administrator to install Kaspersky security applications on devices on a corporate network, remotely run scan and update tasks, and manage the security policies of managed applications.
Kaspersky Security Center Cloud Console is designed for centralized execution of basic administration and maintenance tasks on an organization's network. The application provides the administrator access to detailed information about the organization's network security level. Kaspersky Security Center Cloud Console allows you to configure all components of protection built by using Kaspersky applications.
Kaspersky Security Center Cloud Console has full control over the protection of client devices and is therefore the most important component of the organization's security system. An attacker who compromises it can disable or reconfigure protection on every managed device, so it requires stronger protection measures than an ordinary management application.
The Hardening Guide describes recommendations and configuration features of Kaspersky Security Center Cloud Console and its components that are aimed at reducing the risk of its compromise.
The Hardening Guide contains the following information:
- Configuring accounts to access Kaspersky Security Center Cloud Console
- Managing protection of client devices
- Configuring protection for managed applications
- Transferring information to third-party applications
Before you start to work with Kaspersky Security Center Cloud Console, you will be prompted to read the brief version of the Hardening Guide.
Note that you cannot use Kaspersky Security Center Cloud Console until you confirm that you have read the Hardening Guide.
To read the Hardening Guide:
- Open Kaspersky Security Center Cloud Console and log in to it. Kaspersky Security Center Cloud Console checks whether you have confirmed reading the current version of the Hardening Guide.
If you have not yet read the Hardening Guide, a window opens and displays a brief version of it.
- Do one of the following:
- If you want to view the brief version of the Hardening Guide as a text document, click the Open in new window link.
- If you want to view the full version of the Hardening Guide, click the Open the Hardening guide in Online Help link.
- After you read the Hardening Guide, select the I confirm that I have fully read and understand the Hardening guide check box, and then click the Accept button.
Now, you can work with Kaspersky Security Center Cloud Console.
When a new version of the Hardening Guide appears, Kaspersky Security Center Cloud Console will prompt you to read it.
Planning Kaspersky Security Center Cloud Console architecture
In general, the choice of a centralized management architecture depends on the location of protected devices, access from adjacent networks, delivery schemes of database updates, and so on.
At the initial stage of architecture development, we recommend getting acquainted with the Kaspersky Security Center Cloud Console components and their interaction with each other, as well as with schemas for data traffic and port usage.
Based on this information, you can form an architecture that specifies:
- Organization of the administrator's workspaces, and methods of connecting to Kaspersky Security Center Cloud Console
- Deployment methods for Network Agent and protection software
- Using distribution points
- Using virtual Administration Servers
- Using a hierarchy of Administration Servers
- Anti-virus database update scheme
- Other information flows
Accounts and authentication
Using two-step verification with Kaspersky Security Center Cloud Console
Kaspersky Security Center Cloud Console provides two-step verification for users.
Two-step verification can help you increase the security of your account in Kaspersky Security Center Cloud Console. When this feature is enabled, every time you sign in to Kaspersky Security Center Cloud Console with your email address and password, you enter an additional one-time security code. You can receive a one-time security code by SMS or by generating this code in your authenticator app (depending on the two-step verification method that you set up).
We strongly recommend against installing the authenticator app on the same device from which you connect to Kaspersky Security Center Cloud Console: if that device is compromised, the attacker obtains both the password and the one-time codes, and the second factor no longer adds anything. Install the authenticator app on a separate device, such as your mobile phone.
Prohibition on saving the administrator password
If you use Kaspersky Security Center Cloud Console, we strongly recommend against saving the administrator password in the browser installed on the user device.
If the browser is compromised, an intruder can gain access to the saved passwords. Also, if a user device with saved passwords is stolen or lost, an intruder can gain access to protected data.
Restricting the Main Administrator role membership
We recommend restricting the Main Administrator role membership.
By default, the user who creates a workspace is assigned the Main Administrator role. This is convenient for management, but it is critical from a security standpoint, because the Main Administrator role carries an extensive set of privileges. Assignment of this role to users should be strictly regulated, and the number of members kept to a minimum.
You can use the predefined user roles with a preconfigured set of rights to administer Kaspersky Security Center Cloud Console.
Configuring access rights to application features
We recommend using flexible configuration of access rights to the features of Kaspersky Security Center Cloud Console for each user or group of users.
Role-based access control allows the creation of standard user roles with a predefined set of rights and the assignment of those roles to users depending on their scope of duties.
The main advantages of the role-based access control model:
- Ease of administration
- Role hierarchy
- Least privilege approach
- Segregation of duties
You can assign built-in roles to certain employees based on their positions, or create completely new roles.
While configuring roles, pay particular attention to the privileges that allow changing the protection state of the Administration Server device or remotely installing third-party software:
- Managing administration groups.
- Operations with Administration Server.
- Remote installation.
- Changing the parameters for storing events and sending notifications.
The last of these privileges allows a user to configure notifications that run a script or an executable module on the Administration Server device when an event occurs, which is effectively code execution on the Administration Server.
Separate account for remote installation of applications
In addition to the basic differentiation of access rights, we recommend restricting the remote installation of applications for all accounts (except for the Main Administrator or another specialized account).
We recommend using a separate account for remote installation of applications. You can assign a role or permissions to the separate account.
Managing protection of client devices
Automatic rules for moving devices between administration groups
We recommend restricting the use of automatic rules for moving devices between administration groups.
If you use automatic rules for moving devices, this may lead to propagation of policies that provide more privileges to the moved device than the device had before relocation.
Also, moving a client device to another administration group may lead to propagation of policy settings. These policy settings may be undesirable for distribution to guest and untrusted devices.
This recommendation does not apply for one-time initial allocation of devices to administration groups.
Security requirements for distribution points and connection gateways
Devices with Network Agent installed can act as a distribution point and perform the following functions:
- Distribute updates and installation packages received from Administration Server to client devices within the group.
- Perform remote installation of third-party software and Kaspersky applications on client devices.
- Poll the network to detect new devices and update information about existing ones.
- Act as a KSN proxy server for client devices.
Taking into account the available capabilities, we recommend protecting devices that act as distribution points from any type of unauthorized access (including physical).
Configuring protection for managed applications
Configuring network protection
Ensure that you have completed the Kaspersky Security Center Cloud Console initial configuration scenario. This scenario also includes performing the steps of the quick start wizard.
When the quick start wizard runs, it creates policies and tasks with default parameters. These parameters may not be optimal for your organization, or may even be prohibited by its security policy. Therefore, we recommend reviewing and adjusting the created policies and tasks, and creating additional policies and tasks if your organization's network requires them.
Specifying the password for disabling protection and uninstalling the application
To prevent intruders from disabling Kaspersky security applications, we strongly recommend enabling password protection for disabling protection and for uninstalling Kaspersky security applications. You can set the password, for example, for Kaspersky Endpoint Security for Windows, Kaspersky Security for Windows Servers, Network Agent, and other Kaspersky applications. After you enable password protection, we recommend locking these settings in the policy by closing the "lock," so that the password requirement cannot be overridden locally on the device.
Specifying the password for manual connection of a client device to the Administration Server (klmover utility)
The klmover utility allows you to manually connect a client device to the Administration Server. When Network Agent is installed on a client device, the utility is automatically copied to the Network Agent installation folder.
To prevent intruders from moving devices out of your Administration Server's control, we strongly recommend enabling password protection for running the klmover utility. To enable password protection, select the Use uninstallation password option in the Network Agent policy settings.
Enabling the Use uninstallation password option also enables password protection for the Cleaner tool (cleaner.exe).
In Kaspersky Security Center Cloud Console, the klmover utility is used only to move managed devices under the management of a virtual Administration Server.
Using Kaspersky Security Network
In all policies of managed applications and in the properties of Kaspersky Security Center Cloud Console, we recommend enabling the use of Kaspersky Security Network (KSN) and accepting the KSN Statement. When you update or upgrade Kaspersky Security Center Cloud Console, you can accept the updated KSN Statement.
Discovering new devices
We recommend properly configuring device discovery settings: set up integration with Active Directory and specify IP address ranges for discovering new devices.
For security purposes, you can use the default administration group that includes all new devices and the default policies affecting this group.
Event transfer to third-party systems
Monitoring and reporting
For timely response to security issues, we recommend configuring the monitoring and reporting features.
Export of events to SIEM systems
To detect security issues quickly, before significant damage occurs, we recommend exporting events to a SIEM system.
Email notifications of audit events
For timely response to emergencies, we recommend configuring Kaspersky Security Center Cloud Console to send notifications about the audit events, critical events, failure events, and warnings that it publishes.
Because these are internal system events, their volume is low, so email delivery is a suitable channel for them.
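Exporting events to a SIEM only pays off if something on the receiving side actually triages them. The following is an added example, not part of the Hardening Guide or of any Kaspersky code, that serves both the SIEM export and the email notification recommendations above: it parses exported events and sorts them by severity so that audit, critical and failure events can be routed to an alert or mailing rule while routine events stay in the SIEM. The export format is assumed to be CEF (Common Event Format); the sample lines, the event names and the signature IDs are constructed for this example and are not real Kaspersky Security Center Cloud Console output.

```python
import re
from dataclasses import dataclass

# Constructed sample export (assumed CEF format; names and IDs are invented for the example).
SAMPLE_EVENTS = [
    "CEF:0|Kaspersky|Security Center Cloud Console|1.0|1001|Administrator logged on|2|suser=jdoe src=10.1.2.3",
    "CEF:0|Kaspersky|Security Center Cloud Console|1.0|2001|Protection disabled on device|9|dhost=WS-0017 suser=jdoe",
    "CEF:0|Kaspersky|Security Center Cloud Console|1.0|2002|Device moved to another Administration Server|8|dhost=WS-0042 msg=klmover executed",
    "CEF:0|Kaspersky|Security Center Cloud Console|1.0|3001|Databases are out of date|5|dhost=SRV-01",
    "CEF:0|Kaspersky|Security Center Cloud Console|1.0|1002|Policy modified \\| Main Administrator|7|suser=root msg=Password protection turned off",
    "this line is not an event and must not crash the pipeline",
]

# CEF severity bands as defined by the CEF specification.
SEVERITY_BANDS = (("low", 0, 3), ("medium", 4, 6), ("high", 7, 8), ("very_high", 9, 10))


@dataclass
class CefEvent:
    version: int
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: int
    extension: dict


def _unescape_header(value: str) -> str:
    # CEF escapes a literal pipe in header fields as "\|" and a backslash as "\\".
    return value.replace("\\|", "|").replace("\\\\", "\\")


def parse_cef(line: str) -> CefEvent:
    """Parse one CEF record. Raises ValueError on anything that is not a CEF record."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)  # split on unescaped pipes only
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line[:40]!r}")
    # Extension is "key=value" pairs; values may contain spaces, so stop before the next "key=".
    extension = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    return CefEvent(
        version=int(parts[0][4:]),
        vendor=_unescape_header(parts[1]),
        product=_unescape_header(parts[2]),
        device_version=_unescape_header(parts[3]),
        signature_id=_unescape_header(parts[4]),
        name=_unescape_header(parts[5]),
        severity=int(parts[6]),
        extension=extension,
    )


def severity_band(severity: int) -> str:
    for label, low, high in SEVERITY_BANDS:
        if low <= severity <= high:
            return label
    raise ValueError(f"severity out of CEF range: {severity}")


def triage(lines) -> dict:
    """Bucket exported events by severity band; malformed input is kept, not dropped."""
    buckets = {label: [] for label, _, _ in SEVERITY_BANDS}
    buckets["malformed"] = []
    for line in lines:
        try:
            event = parse_cef(line)
            buckets[severity_band(event.severity)].append(event)
        except ValueError:
            buckets["malformed"].append(line)
    return buckets


def needs_immediate_response(event: CefEvent) -> bool:
    """High and very-high events are the ones worth an email or pager notification."""
    return event.severity >= 7


if __name__ == "__main__":
    for label, events in triage(SAMPLE_EVENTS).items():
        for ev in events:
            flag = "ALERT" if isinstance(ev, CefEvent) and needs_immediate_response(ev) else "     "
            print(f"{flag} {label:9} {ev.name if isinstance(ev, CefEvent) else ev!r}")
```

The malformed bucket matters in practice: a collector that drops unparseable lines silently will also drop the event that an attacker managed to corrupt, so keep a count of them and alert when it rises.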