QUICK START GUIDE
FOR CORE AND SELECT
SECURITY CENTER 10
ENDPOINT SECURITY 10
About This Guide
This guide is intended to provide a step-by-step walkthrough of the initial installation of Kaspersky Security Center 10 and the deployment of Kaspersky Endpoint Security 10 in Standard Installation mode (the default).
NOTE – Standard Installation includes anti-malware and firewall technologies plus endpoint control features (Application Control, Web Control and Device Control). The installation package can be modified to install Endpoint Security in other modes; this is documented in the Kaspersky Security 10 for Windows Administrators Guide. Please consult your reseller or sales channel to find out more about the tiers available with Kaspersky Endpoint Security for Business.
This guide also offers best practice recommendations covering two of the Kaspersky Security for Business tiers, namely Core and Select.
Please note that this guide does not replace previously released deployment or administration guides from Kaspersky. Rather, it is an aid to enable a quick start of the system; the other documentation and resources mentioned in the Further Information section below are recommended reading.
CONTENTS
CHAPTER ONE – Installation of Security Center and Endpoint Security
Prerequisites for Installation
Installation of Security Center
Configuring Security Center Using Quick Start Wizard
Deploying Kaspersky Protection
Task Creation 1 - Deploy Network Agent Task
Task Creation 2 - Remove Existing AV Software Task
Task Creation 3 - Deploy Kaspersky Endpoint Security Task
Task Creation - Result
Assigning Client Machines
CHAPTER TWO - Protection Management and Best Practices
Admin Server Settings & Policy Recommendations
Kaspersky Security Center Settings
Network Agent Settings
Kaspersky Endpoint Security 10 for Windows settings: servers* and workstations
Kaspersky Endpoint Security 10 settings: Windows Servers* specific features
Task Recommendations
Update Task Recommendations
Virus Scan Task Recommendations
CHAPTER THREE - Working with Reports and Notifications
An Introduction to Reports and Notifications
Working with the Statistics Dashboard
Configuring Your Dashboard
Configuring Computer Statuses
Event Notifications – automatic email delivery
Reports – scheduling delivery, creating templates & on-demand
Computer Selections – displaying specific information
CHAPTER ONE
INSTALLATION OF SECURITY CENTER 10
DEPLOYMENT OF ENDPOINT SECURITY 10
TOPICS COVERED INCLUDE: INITIAL DEPLOYMENT OF SECURITY CENTER 10 AND ENDPOINT SECURITY 10; QUICK START CONFIGURATION AND MIGRATION FROM EXISTING ANTIVIRUS SOFTWARE
PREREQUISITES FOR INSTALLATION
The installation of Kaspersky Security Center 10 includes all the software components needed to start deploying Kaspersky Endpoint Security 10 to the network.
Kaspersky Endpoint Security 10 - Supported Operating systems and Requirements:
1 GB of free hard drive space
Intel Pentium 1 GHz or faster
1 GB RAM
Microsoft Windows XP Professional SP3 or higher
Microsoft Windows Server 2003 Standard SP2 or higher
For workstations, a complete listing is available here: http://support.kaspersky.com/kes10wks#requirements_
For servers, a complete listing is available here: http://support.kaspersky.com/kes10fs#requirements_
Kaspersky Security Center 10 – Admin Server, Database Server and Web Console Requirements:
1 GHz or higher (1.4 GHz minimum for a 64-bit OS)
1 GB RAM
10 GB of free hard drive space
Most versions of Microsoft SQL 2005 and SQL Express 2005 or higher
Various versions of MySQL
The database server can be separate from the Admin Server.
A complete listing is available here: http://support.kaspersky.com/ksc10#requirements_
Kaspersky Security Center 10 Server – Installation Changes:
The first step is to install Security Center, and if not already present, the following applications required for Kaspersky to operate will also be installed:
Microsoft Windows Installer 4.5
Microsoft Data Access Component 2.8
Microsoft .NET Framework 2.0 SP2
MSXML 4.0
Microsoft SQL Server 2008 Express SP2 (an existing SQL server can be used instead)
In addition to these prerequisites and the SQL services, the Security Center installer will install some or all of the services listed here: http://support.kaspersky.com/9298
The Security Center comes prepopulated with Kaspersky Endpoint Security 10 ready to install to both Windows servers and workstations so there is no need to download separate setup files.
If Linux or Mac protection is needed please approach your contractual support channel, who will direct you to the relevant Kaspersky downloads.
INSTALLATION OF SECURITY CENTER
To start the installation of Security Center, run the downloaded executable. Click Next to start and, on the following window, read and then agree to the License Agreement.
A Custom install allows for extra configuration such as specifying the SQL database to be used, naming the shared folder and crucially entering the account that will run the Kaspersky Administration Server service. Once this account is set you do not need to add accounts to run specific Tasks (assuming you specify an account with rights to all managed machines, such as an account with Domain Admin privileges):
Note the three checkboxes - these offer support for implementing Kaspersky NAC (Network sniffer and Access Control option), Cisco NAC and administration of Mobile devices running Kaspersky Security for Mobile.
Select these options if applicable.
NOTE! - Selecting these options may run additional services and will open ports on the Admin server. Please approach your contractual support channel.
Please see the following table for information on choosing the correct Network Size:
Specify an account to run the Kaspersky Administration Server service. This account ideally needs to have admin rights to all PCs that will be managed by the Security Center, so that deployments can occur successfully:
If you have an existing SQL server and wish to use this, click Choose existing. If you would like to discuss this option further please approach your contractual support channel:
There is the option to designate a shared folder – used to store the installation packages and updates:
Ports 13000 and 14000 (both TCP) are used for communication between the Admin Server and Network Agent. These are the default ports recommended by Kaspersky – we advise not to change these, unless there is a conflict with existing software:
It is recommended to use the static IP address for the Administration Server address:
Kaspersky Security Center can manage different versions of Kaspersky endpoint protection. Choose the appropriate plug-ins to be installed, in order to have the ability to create policies and tasks in order to centrally manage these endpoints:
Installation will proceed including a prompt to agree to the EULA for the console plug-in(s):
Once the installation has completed, there is the option to Start Administration Console which in turn will launch a Quick Start Wizard:
CONFIGURING SECURITY CENTER USING QUICK START WIZARD
Follow the Quick Start Wizard in order to enter your Activation Code and configure the use of; Kaspersky Security Network; SMTP server; proxy connections:
Keep Automatically deploy key to managed computers box checked:
Activating requires a code. The code is sent to the Kaspersky Lab activation server which returns the appropriate key files. These keys are used to license the endpoint protection (in Security Center click Repositories > Keys) but also may unlock additional functionality of Security Center (right click Admin Server > Properties > Keys):
Additional functions may include Kaspersky Endpoint Security with Encryption, Mobile Device Management, System Management Edition. Please approach your contractual support channel for more information.
The Kaspersky Security Network is an advanced cloud based technology, providing an Urgent Detection System to combat new threats as well as an application categorisation and reputation service. The service is free and only passes anonymous, basic, information into the cloud. This is an opt-in service that benefits many modules of Kaspersky protection. More can be read here: ksn.kaspersky.com
The initial protection policy to cover desktop and servers is created along with applicable tasks. Note the automatic creation of the Download Updates and Backup Tasks for the Administration Server:
For deployment of endpoint software, it is recommended to leave Start protection deployment unticked and follow the next section:
DEPLOYING KASPERSKY PROTECTION
It is recommended to deploy the Kaspersky Network Agent and Kaspersky Endpoint Security packages separately. Whilst you can install both at once, a more staggered approach benefits from granular real-time reporting and increases availability to troubleshoot at different stages of the deployment.
Click Managed Computers > Create a subgroup then enter an appropriate name. The below example is called Deployment:
All deployment tasks will be created within this group and, due to their nature, will target any machines residing in the group (by default, overwrite installations will not happen).
A word about task creation and scheduling
Tasks can be created very easily and can reside either at the Tasks for specific computers node (where you can target already-managed clients or newly discovered Unassigned machines) or as a Group Task within an existing group or subgroup. These groups reside in the Managed Computers section (a group task targets every appropriate machine in the group and its subgroups).
With regard to scheduling tasks to run, there is the Define task launch automatically check box. If this option is on, the manual setting for the randomization period is disabled and the Administration Server automatically recalculates the randomization period, based on the current number of target computers, every time the task properties are modified.
TASK CREATION 1 - DEPLOY NETWORK AGENT TASK
Choose Create a task and name it accordingly > Next:
Choose Install application remotely > Next:
Click Next:
Make sure Do not restart the computer is selected. Click Next:
Click Next through the Accounts screen (this is only needed if you are in a Workgroup environment). Keep Scheduled Start to Manually > Next:
TASK CREATION 2 - REMOVE EXISTING AV SOFTWARE TASK
Choose Create a task and name it accordingly > Next:
Choose Uninstall application remotely:
Choose Uninstall the incompatible application:
Select the appropriate AV; in this case AdAware has been chosen. Click OK then Next.
Choose a restart option (this is needed before Kaspersky can be installed into previously-protected machines):
Click Next through the Accounts screen (this is only needed if you are in a Workgroup environment).
Change the Scheduled Start so that the Removal task runs on successful completion of the previous task (Deploy Network Agent task):
Proceed through the Wizard and click Finish.
TASK CREATION 3 - DEPLOY KASPERSKY ENDPOINT SECURITY TASK
The third and final task should be created in a similar manner to the previous (Create task > Install application remotely making sure to choose the Endpoint Security package).
This can be set to run on successful completion of the removal task – and runs automatically after the reboot of the client machine. The following screenshots overleaf have points to consider:
NOTE – make sure that the Network Agent is not selected when creating this package:
A restart after installation of Kaspersky Endpoint is not needed:
TASK CREATION - RESULT
The final result will show three tasks, with the second and third set to run on completion of the first (Deploy Network Agent). Once client PCs are within the Deployment group, select the first task (1. Deploy Network Agent) and click the Start button:
ASSIGNING CLIENT MACHINES
Client PCs can be manually placed into managed groups in a variety of ways:
Within Unassigned Computers, entries can be right-clicked > Move To Group
By using the Add computers to the group link; in our example, click on Deployment Group > Groups tab
Automatic movement of machines can occur by using Relocation Rules. Click Unassigned Computers > Configure rules of computer allocation link. Please refer to Security Center Help files or approach your contractual support channel for information on automatic computer allocation and using Relocation Rules.
CHAPTER TWO
PROTECTION AND MANAGEMENT
BEST PRACTICES
SOFTWARE COVERED: SECURITY CENTER 10 & NETWORK AGENT 10, ENDPOINT SECURITY 10 AND KASPERSKY ANTI-VIRUS FOR WINDOWS SERVER ENTERPRISE EDITION 8
ADMIN SERVER SETTINGS & POLICY RECOMMENDATIONS
This section makes suggestions as to areas you may wish to consider reviewing. The following recommendations are based on Kaspersky Lab technical and customer-based experiences.
Discussed in this section are recommendations that cover not only the Security Center and its operations but also protection and control features of the endpoint software for server and desktop operating systems. Some components are only available to customers with Select licensing and are marked with an asterisk.
Kaspersky Security Center Settings
Admin Server Backup Task:
The Backup Administration Server task is set to run daily by default. You may feel this is too often, depending on the amount of changes you make within Security Center. As such, a weekly backup would suffice:
Ensure that the backup location is a remote location, in case of failure of the Kaspersky Admin Server. This location should be write-accessible from the Admin Server:
Admin Server Events
Set all events to be registered on the Administration Server for 60 days except for informational events which should be left on 30 days.
The storage time can be increased, but this will increase the database size and should not generally be necessary.
Admin Server Keys
The Administration Server has multiple functions; these are unlocked during the initial installation, by use of your Activation Code. Binary key files are auto-generated and installed into the below location. Clicking into View restrictions will give details as to the functions available:
Settings & Update Agent Assignment
By default the Security Center will hold a maximum of 400,000 events. This can be increased for very large installs, but it could dramatically increase the database size. Provided this document is followed it should not be necessary, unless Kaspersky Endpoint Security with Encryption, Systems Management or Mobile Device Management capabilities are licensed and enabled. If this is the case please approach your contractual support channel for more information.
An Update Agent is a PC within the Administration Server network dedicated to storing and distributing database updates, installation packages, group tasks and policies. You can assign an Update Agent to any administration group. This is achieved by right-clicking your Managed Computers group (or a subgroup) > Properties > Update Agents. From here choose Add to add an Update Agent and edit accordingly.
Turn off automatic assignment of Update Agents to groups with over 100 machines:
NOTE! – Update Agents use Multicast IP technology to reduce the chance of high network loads. It lowers the number of sent packages, and allows automatic installation of applications / execution of tasks as soon as a PC with installed Network agent appears in the network. This is on by default.
Virus Outbreak
These options should be disabled in the Administration Server settings/policy. These options should be used with caution especially for new installs as infections are often found during initial rollouts which could then trigger an outbreak notification.
This powerful feature can be used once you are happy with the security state of your network and configured accordingly to your requirements.
Network Agent Settings
Settings
There is the facility to prevent the uninstallation of the Network Agent through the use of a password. Enable this as shown below:
Events
The registration of most Info events can be reduced or disabled; this will reduce load and shrink the database size:
All events, save for the exceptions below - reduce to 7 days
Application has been removed - reduce to 14 days
Update for program modules has been installed successfully - reduce to 14 days
Device connected - reduce to 14 days
Kaspersky Endpoint Security 10 for Windows settings: servers* and workstations
Protection > File Anti-Virus
If all endpoints are to be covered with security then there is a strong argument against scanning across the network for real-time operations. In this case, the scanning of ‘All network drives’ is not needed under Protection Scope settings:
Advanced Settings > Application Settings
When Concede resources to other applications is selected, Kaspersky Endpoint Security suspends scheduled tasks when it detects an increased load on the CPU - this frees up operating system resources for user applications. This helps to relieve the load on the CPU and disk subsystems.
It is recommended to use password protection to prevent end users from changing Endpoint settings or uninstalling protection:
A word on exclusions and trusted processes
By default Security Center will automatically create exclusions and trusted processes in accordance to Kaspersky recommendations and also Microsoft recommendations. These are included within the Trusted Zone section(s) of the policy.
Kaspersky exclusions are very flexible and easily implemented, making use of wildcards (*), variables (?) and system variables (%). Exclusions and the trusted zone are accessed via Protection > General Protection Settings. See the screenshots overleaf for some examples:
Further information on trusted zone exclusion masks for Endpoint Security is discussed here:
http://support.kaspersky.com/9398
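As an added example (not part of this guide or of Kaspersky's own tooling), the following Python script audits a list of trusted-zone masks against sample file paths before a policy goes live: it expands %SystemVariable% references, translates the wildcards, reports which paths File Anti-Virus would skip, and flags masks that hide whole directories from the scanner. The mask semantics (* and ? stay within one path component, ** spans components), the SYSTEM_VARS table and the sample masks and paths are assumptions for the demonstration; verify the wildcard rules against the support article linked above.

```python
import re

# Constructed sample of the system variables a mask may reference; on a real
# endpoint these come from the machine's environment, not from this table.
SYSTEM_VARS = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}


def expand_vars(mask, env=SYSTEM_VARS):
    """Replace %VAR% references (case-insensitive) with their values."""
    lookup = {k.lower(): v for k, v in env.items()}

    def repl(m):
        name = m.group(1)
        if name.lower() not in lookup:
            raise KeyError("unknown system variable %" + name + "%")
        return lookup[name.lower()]

    return re.sub(r"%([^%\\/]+)%", repl, mask)


def mask_to_regex(mask, env=SYSTEM_VARS):
    """Compile a mask to a regex. Assumed semantics (verify against the linked
    article): '*' and '?' stay inside one path component, '**' spans components.
    Case-insensitive, and '\\' and '/' are treated alike, as Windows does."""
    expanded = expand_vars(mask, env)
    out, i = ["^"], 0
    while i < len(expanded):
        ch = expanded[i]
        if expanded.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if ch == "*":
            out.append(r"[^\\/]*")
        elif ch == "?":
            out.append(r"[^\\/]")
        elif ch in "\\/":
            out.append(r"[\\/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + "$", re.IGNORECASE)


def excluded_paths(masks, paths, env=SYSTEM_VARS):
    """Map each path that some mask covers to the masks covering it."""
    compiled = [(m, mask_to_regex(m, env)) for m in masks]
    hits = {}
    for p in paths:
        matched = [m for m, rx in compiled if rx.match(p)]
        if matched:
            hits[p] = matched
    return hits


def broad_masks(masks, env=SYSTEM_VARS):
    """Review heuristic (not a product rule): flag masks that hide whole
    directories or every file in a folder from the scanner."""
    flagged = []
    for m in masks:
        comps = re.split(r"[\\/]", expand_vars(m, env))
        dirs, name = comps[:-1], comps[-1]
        if any("*" in d for d in dirs):
            flagged.append((m, "wildcard in a directory component"))
        elif name in ("*", "*.*", "**"):
            flagged.append((m, "excludes every file in the folder"))
    return flagged


# Constructed masks and paths for the demonstration; real values come from the
# policy's Trusted Zone and from the endpoints' file systems.
SAMPLE_MASKS = [
    r"%SystemRoot%\System32\spool\PRINTERS\*.SHD",
    r"C:\Program Files\*\*.exe",
    r"D:\Data\*.*",
    r"%SystemRoot%\Temp\??????.tmp",
]
SAMPLE_PATHS = [
    r"C:\Windows\System32\spool\PRINTERS\00001.shd",
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Program Files\Vendor\sub\tool.exe",   # not covered: '*' stops at '\'
    r"D:\Data\payroll.xlsx",
    r"C:\Windows\Temp\ab12cd.tmp",
    r"C:\Windows\Temp\ab12cd3.tmp",            # seven characters, six '?'
    r"C:\Users\bob\Downloads\installer.exe",
]
```

excluded_paths(SAMPLE_MASKS, SAMPLE_PATHS) lists the four sample paths that would never be scanned, and broad_masks(SAMPLE_MASKS) flags the two masks that deserve a second look before the policy is applied.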
Endpoint Control – Device Control*
If reporting on Device Control* is required, then further logging should be enabled in order to record the relevant events. The next three screenshots show the Critical, Warning and Info events needed in order to produce comprehensive reporting. These events are:
Operation with the device prohibited (a critical event)
Temporary access to the device activated (a warning event)
Device connected (an info event)
Endpoint Control – Web Control*
If Web Control* is used then it’s also advised to turn on logging of Access to unwanted content successfully attempted after warning:
A word on ‘best practice’ scenarios for Application Startup Control*
Best practice for the Endpoint Control* elements of Kaspersky Endpoint Security 10 requires an understanding of their modes of operation and how these interact with an organisation's operations. As such it is not possible at this time to recommend general best practice settings, since these will be scenario based (for instance: a “Default Deny” scenario where all applications are barred from starting except for whitelisted ones; a “No Gambling During The Working Day” scenario where gambling sites are blocked via web content filtering from 9am to 5pm).
Please refer to the separate Administrators guide for the endpoint modules:
http://docs.kaspersky-labs.com/english/kes10.0_wksfswin_en.pdf
You may also find the link below useful for information regarding application whitelisting:
http://whitelist.kaspersky.com/
Kaspersky Endpoint Security 10 settings: Windows Servers* specific features
There are notable differences between the implementation of the product on Windows workstation and File Server, mostly in the difference between the installed modules:
Module/Function Workstation Server
File Anti-Virus
Mail Anti-Virus
Web Anti-Virus
IM Anti-Virus
Firewall
Network Attack Blocker
Application Startup Control
Application Privilege Control
Vulnerability Monitor
Device Control
Web Control
Antivirus scan, vulnerability scan, and update tasks
Kaspersky Security Center 10 Network Agent Connector
The above features are also dependent on which Tier is purchased – Core, Select, Advanced or Total.
NOTE! - Care should be taken when setting a single policy for both servers and workstations and as such it is generally advised to separate the policy management for file servers from workstations in the logical network (most easily achieved by creating a separate group for file servers at the same or higher level than the workstations).
TASK RECOMMENDATIONS
Updates and scan tasks, both controlled via Security Center, are discussed below. These recommendations can cover many products. The following pages focus on Kaspersky Endpoint Security 10 (KES 10) and Kaspersky Anti-Virus for Windows Server Enterprise Edition (WSEE).
A word about task creation and scheduling
Tasks can be created very easily and can reside either at the Tasks for specific computers node (where you can target already-managed clients or newly discovered unassigned machines) or as a Group Task within an existing group or subgroup. These groups reside in the Managed Computers section (a group task targets every appropriate machine in the group and its subgroups).
With regard to scheduling tasks to run, there is the Define task launch automatically check box under the Schedule link on many Tasks. If this option is on, the manual setting for the randomization period is disabled and the Administration Server automatically recalculates the randomization period, based on the current number of target computers, every time the task properties are modified.
Update Task Recommendations
Update database (KES 10 & WSEE*)
Frequency - every 3hrs:
Update modules (WSEE* only)
Virus Scan Task Recommendations
Workstation KES 10 (Critical Areas)
Tuesday 12:01
Run missed tasks – OFF
Workstation KES 10 (Full Scan)
Manual start
Run missed tasks – OFF
Servers* KES 10 & WSEE* (Critical Areas)
Sunday 00:01
Run missed tasks – ON
Servers* KES 10 & WSEE* (Full Scan)
If you choose to run a full scan of the client machine’s hard drive, then please choose a convenient time for this to run.
Run missed tasks – ON
NOTE! – A default install of Security Center provides a Virus Scan task that targets critical areas only. It is your choice whether to create a ‘full scan’ task or to create tasks on a per-group basis (for instance a separate scan task applying to a servers group only).
CHAPTER THREE
WORKING WITH REPORTS
AND NOTIFICATIONS
HOW TO USE THE REAL-TIME DASHBOARD, SCHEDULE REPORTS AND CONFIGURE EMAIL NOTIFICATIONS.
AN INTRODUCTION TO REPORTS AND NOTIFICATIONS
Kaspersky Security Center 10 enables you to view and manage the protection of your network effectively, in a clear, simple manner. Whether you need scheduled emailed reports, instant email notifications or drill-down reports with connected relevant actions, Security Center can accommodate these needs. Many aspects of this view can be customised.
A real advantage is the ability to drill-down and discover issues within three clicks – then take remedial action immediately.
This section is an introduction to working with the reporting and notification functions; it is not provided as a step-by-step guide.
WORKING WITH THE STATISTICS DASHBOARD
Click into the Protection Status page, where you will have an overview of protection. In the below example a Critical machine is referenced:
Selecting the Critical link runs a targeted report, showing all Clients with a Critical Status. There may be many reasons for turning Critical. Note the Status Description column in the picture overleaf:
There is also the ability to right-click a computer entry > All tasks > Run a Task (such as an ad-hoc Update or Scan task):
This results in the starting of a predefined task, targeting the correct clients in order to rectify their Critical status.
This is a great method of working and can result in swift diagnosis and immediate action – there is no need to drill through the management structure, run a search or guess why a machine is classed as Warning or Critical.
CONFIGURING YOUR DASHBOARD
The dashboard is an ideal viewpoint and can be customised so that you view only what matters. This makes for a very powerful and efficient management tool when coupled with the ability to act easily on what is displayed, as per above.
Select any of the wrench icons as shown below to configure an existing page to:
1. Add further info panels into the page
2. Edit an existing info panel and change its display
3. Create your own new page
CONFIGURING COMPUTER STATUSES
Security Center will change the status of machines according to the settings contained within the Computer status areas under the Properties of the Managed Computers group and/or sub groups. These settings are inherited throughout the group hierarchy. Default settings include Set computer to Critical if: Not scanned for a long time = More than 14 days; Set computer to Warning if: Not connected for a long time = More than 7 days.
Consider changing these variables to suit your needs. Right click on Managed Computers group > Properties > Computer status:
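Added example, not from this guide or the product: the Python script below reproduces the status logic described above over a constructed group hierarchy and constructed client records, so you can see how a threshold override on a subgroup (here Servers and Laptops, both assumed) changes the Critical or Warning outcome the Protection Status page would show. Group names, thresholds other than the 14-day and 7-day defaults, and all dates are made up for the demonstration.

```python
from datetime import date

# Constructed group hierarchy. Each group may override a threshold; anything it
# leaves unset is inherited from its parent, as in the console's Computer status
# properties. The root carries the guide's defaults (14 days and 7 days).
GROUPS = {
    "Managed Computers": {"parent": None,
                          "rules": {"not_scanned_days": 14, "not_connected_days": 7}},
    "Servers":      {"parent": "Managed Computers", "rules": {"not_scanned_days": 7}},
    "Workstations": {"parent": "Managed Computers", "rules": {}},
    "Laptops":      {"parent": "Workstations", "rules": {"not_connected_days": 21}},
}


def effective_rules(group):
    """Resolve inherited thresholds: the nearest group that sets a value wins."""
    rules, g = {}, group
    while g is not None:
        for key, days in GROUPS[g]["rules"].items():
            rules.setdefault(key, days)
        g = GROUPS[g]["parent"]
    return rules


def computer_status(last_scan, last_connect, group, today):
    """Return (status, reasons); Critical outranks Warning, which outranks OK."""
    rules = effective_rules(group)
    status, reasons = "OK", []
    if (today - last_scan).days > rules["not_scanned_days"]:
        status = "Critical"
        reasons.append("Not scanned for a long time (> %d days)" % rules["not_scanned_days"])
    if (today - last_connect).days > rules["not_connected_days"]:
        status = "Critical" if status == "Critical" else "Warning"
        reasons.append("Not connected for a long time (> %d days)" % rules["not_connected_days"])
    return status, reasons


# Constructed sample clients: (name, group, last scan, last connection).
TODAY = date(2014, 3, 31)
CLIENTS = [
    ("WS-01",  "Workstations", date(2014, 3, 20), date(2014, 3, 30)),  # OK
    ("WS-02",  "Workstations", date(2014, 3, 10), date(2014, 3, 30)),  # 21 days unscanned
    ("SRV-01", "Servers",      date(2014, 3, 20), date(2014, 3, 30)),  # servers allow only 7
    ("LT-01",  "Laptops",      date(2014, 3, 25), date(2014, 3, 15)),  # laptops allow 21 offline
    ("WS-03",  "Workstations", date(2014, 3, 25), date(2014, 3, 15)),  # 16 days offline
]


def dashboard(clients=CLIENTS, today=TODAY):
    """Summarise every client the way the Protection Status page would."""
    return {name: computer_status(scan, conn, group, today)
            for name, group, scan, conn in clients}


if __name__ == "__main__":
    for name, (status, why) in dashboard().items():
        print("%-7s %-8s %s" % (name, status, "; ".join(why)))
```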
EVENT NOTIFICATIONS – AUTOMATIC EMAIL DELIVERY
Every state change on a client protected with Kaspersky Endpoint Security 8 has an event registered back into the Security Center. This feeds the dashboard reports and enables the production of on-demand reports. When an event is received by the Security Center you can be notified via email. Whilst many Kaspersky functions, from updates and scans through to virus disinfection, are automated, there are occasions when email notifications can be useful.
For instance, a Critical event will be registered when a network attack is detected – this could indicate an internal network threat (network worm for example). An email notification can easily be set up.
The following two screenshots show how this can be set:
NOTE! – you may need to first set up email relaying. Go to Reports and notifications > Notifications > Modify notification delivery settings and enter your SMTP server details.
REPORTS – SCHEDULING DELIVERY, CREATING TEMPLATES & ON-DEMAND
Reports in the Security Center contain information about the condition of the anti-virus protection. These reports are generated based on event information and can be configured in many ways:
To automatically send the report via email – this occurs on a scheduled basis (the creation of which is wizard-driven)
To create your own report template
To utilise or customise the existing default reports (green hyperlinks)
COMPUTER SELECTIONS – DISPLAYING SPECIFIC INFORMATION
Computer selections can be used to filter specific computers based on conditional formatting - in order to display outdated clients, newly discovered machines, detected virus and much more. This reporting and management mechanism uses the same Events as the Reports section but uses the data to allow for specific, appropriate actions to occur.
Information about the status of client computers is available in the Event and computer selections > Computer selections subfolder.
Within Computer Selections you have the ability to run Actions (towards the bottom right-hand side of the console) on the displayed information. These can include, but are not limited to:
Create a new task – which guides you through a task creation wizard
Perform an existing scan task – reuse a previous task to treat ‘problem’ machines:
SUMMARY
This guide has covered the initial installation of Security Center 10 and how best to deploy Endpoint Security in a migration scenario. It has also covered configuring software settings for the Security Center Server and for the endpoint protection and controls, working with the real-time dashboard, setting up email notifications and scheduling reports.
As previously mentioned, not all features are available to all customers; please enquire further if you are unsure or need extra information about the tiers available in Kaspersky Endpoint Security for Business.
Further Information
Additional information about deployment and other Kaspersky settings can be found in the newly revised help files within the software. There is also documentation available: http://www.kaspersky.co.uk/docs and technical articles on http://www.kaspersky.com/support
Feel free to contact us if you have any further questions or specific issues. Kaspersky Lab UK Business Support Team
Email: [email protected]