Kaspersky Security Center 13.1


Installation of Kaspersky Security Center

This section describes local installation of Kaspersky Security Center components. Two installation options are available:

  • Standard. This option is recommended if you want to try out Kaspersky Security Center by, for example, testing its operation on a small area within your network. During standard installation, you only configure the database. You can also install only the default set of management plug-ins for Kaspersky applications. You can also use standard installation if you already have some experience working with Kaspersky Security Center and are able to specify all relevant settings after standard installation.
  • Custom. This option is recommended if you plan to modify the Kaspersky Security Center settings, such as a path to the shared folder, accounts and ports for connection to the Administration Server, and database settings. Custom installation enables you to specify which Kaspersky management plug-ins to install. If necessary, you can start custom installation in non-interactive mode.

If at least one Administration Server is installed on the network, Servers can be installed on other devices remotely through the remote installation task using forced installation. When creating the remote installation task, you must use the Administration Server installation package.

You can use one of the following installation package types:

  • ksc_<version_number>.<build number>_full_<localization language>.exe. Contains the full set of components to install. Use this package if you want to install all the components required for full functionality of Kaspersky Security Center, or to upgrade the current versions of these components.
  • ksc_<version_number>.<build number>_lite_<localization language>.exe. Contains the minimum set of components required for Kaspersky Security Center to function. For example, this package does not contain any management plug-ins of Kaspersky Endpoint Security for Windows.

    Use this installation package in the following cases:

    • You want to upgrade Administration Server.
    • You already have installed the components required for full functionality of Kaspersky Security Center, and you intend to continue to use existing versions of these components.
    • You want to use Kaspersky Security Center with limited functionality.
    • You intend to use Kaspersky Security Center in enterprises where internet traffic is limited and distribution kits are downloaded separately.

In this section

Preparing for installation

Accounts for work with the DBMS

Scenario: Authenticating Microsoft SQL Server

Recommendations on Administration Server installation

Standard installation

Custom installation

Installing Administration Server on a Microsoft failover cluster

Installing Administration Server in non-interactive mode

Installing Administration Console on the administrator's workstation

Changes in the system after Kaspersky Security Center installation

Removing the application

See also:

Main installation scenario


Preparing for installation

Before launching installation, make sure that the hardware and software on the device meet the requirements for Administration Server and Administration Console.

It is recommended to install the Administration Server on a dedicated server instead of a domain controller.

Kaspersky Security Center stores its information in a SQL Server database. To do this, you have to install the SQL Server database on your own (learn more about how to select a DBMS). Other versions of SQL Server can also be used for storing data. They must be installed on the network before Kaspersky Security Center. Installation of Kaspersky Security Center requires administrator rights on the device on which the installation is performed.

Install Administration Server, Network Agent, and Administration Console in folders where case sensitivity is disabled. Also, case sensitivity must be disabled for the Administration Server shared folder and the Kaspersky Security Center hidden folder (%ALLUSERSPROFILE%\KasperskyLab\adminkit).

The server version of Network Agent is installed on the device together with Administration Server. Administration Server cannot be installed together with the regular version of Network Agent. If the server version of Network Agent is already installed on your device, remove it and start installation of Administration Server again.

Starting from version 10 Service Pack 3, Kaspersky Security Center supports managed service accounts and group managed service accounts. If these types of accounts are used in your domain, and you want to specify one of them as the account for the Administration Server service, then first install the account on the same device on which you want to install Administration Server. For details about installation of managed service accounts on a local device, refer to the official Microsoft documentation.


Accounts for work with the DBMS

To install Administration Server and work with it, you need a Windows account under which you will run the Administration Server installer (hereinafter also referred to as the installer), a Windows account under which you will start the Administration Server service, and an internal DBMS account to access the DBMS. You can create new accounts or use existing ones. All these accounts require specific rights. A set of the required accounts and their rights depends on the following criteria:

  • DBMS type:
    • Microsoft SQL Server (with Windows authentication or SQL Server authentication)
    • MySQL or MariaDB
  • DBMS location:
    • Local DBMS. A local DBMS is a DBMS installed on the same device as Administration Server.
    • Remote DBMS. A remote DBMS is a DBMS installed on a different device.
  • Method of the Administration Server database creation:
    • Automatic. During the Administration Server installation, you can automatically create an Administration Server database (hereinafter also referred to as a Server database) by using the installer.
    • Manual. You can use a third-party application (for example, SQL Server Management Studio) or a script to create an empty database. After that, you can specify this database as the Server database during the Administration Server installation.

Follow the principle of least privilege when you grant rights and permissions to the accounts. This means that the granted rights should be only enough to perform the required actions.

The tables below contain information about the system rights and DBMS rights that you should grant to the accounts before you install and start Administration Server.

Microsoft SQL Server with Windows authentication

If you choose SQL Server as a DBMS, you can use Windows authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and a Windows account used to start the Administration Server service. On SQL Server, create logins for both of these Windows accounts. Depending on the creation method of the Server database, grant the required SQL Server rights to these accounts as described in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (Windows authentication).

DBMS: Microsoft SQL Server (including Express Edition) with Windows authentication

Account under which the installer is running

  Automatic database creation (by the installer):

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS: a local administrator account or a domain account.

  Manual database creation (by the Administrator):

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running

  Automatic database creation (by the installer):

  • System rights: local administrator rights.
  • SQL Server rights:
    • Server-level role: sysadmin.

  Manual database creation (by the Administrator):

  • System rights: local administrator rights.
  • SQL Server rights:
    • Server-level role: public.
    • Database role membership for the Server database: db_owner, public.
    • Default schema for the Server database: dbo.

Administration Server service account

  Automatic database creation (by the installer):

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS:
    • A Windows account chosen by the administrator.
    • An account in the KL-AK-* format that the installer automatically creates.

  Manual database creation (by the Administrator):

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS:

Rights of the Administration Server service account

  Automatic database creation (by the installer):

  • System rights: the required rights assigned by the installer.
  • SQL Server rights: the required rights assigned by the installer.

  Manual database creation (by the Administrator):

  • System rights: the required rights assigned by the installer.
  • SQL Server rights:
    • Server-level role: public.
    • Database role membership for the Server database: db_owner, public.
    • Default schema for the Server database: dbo.

Microsoft SQL Server with SQL Server authentication

If you choose SQL Server as a DBMS, you can use SQL Server authentication to access SQL Server. Configure system rights for a Windows account used to run the installer and for a Windows account used to start the Administration Server service. On SQL Server, create a login with a password to use it for authentication. Then, grant this SQL Server account the required rights listed in the table below. For more information on how to configure rights of the accounts, see Configuring accounts for work with SQL Server (SQL Server authentication).

DBMS: Microsoft SQL Server (including Express Edition) with SQL Server authentication

Account under which the installer is running

  Automatic database creation (by the installer):

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS: a local administrator account or a domain account.

  Manual database creation (by the Administrator):

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running

  Automatic database creation (by the installer):

  • System rights: local administrator rights.

  Manual database creation (by the Administrator):

  • System rights: local administrator rights.

Administration Server service account

  Automatic database creation (by the installer):

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS:
    • A Windows account chosen by the administrator.
    • An account in the KL-AK-* format that the installer automatically creates.

  Manual database creation (by the Administrator):

  • Remote DBMS: only a domain account of the remote device on which the DBMS is installed.
  • Local DBMS:
    • A Windows user account chosen by the administrator.
    • An account in the KL-AK-* format that the installer automatically creates.

Rights of the Administration Server service account

  Automatic database creation (by the installer):

  • System rights: the required rights assigned by the installer.

  Manual database creation (by the Administrator):

  • System rights: the required rights assigned by the installer.

Rights of the login used for SQL Server authentication

  Automatic database creation (by the installer):

  SQL Server rights required to create a database and install Administration Server:

  • Server-level role: public.
  • Database role membership for the master database: db_owner.
  • Default schema for the master database: dbo.
  • Permissions:
    • CONNECT ANY DATABASE
    • CONNECT SQL
    • CREATE ANY DATABASE
    • VIEW ANY DATABASE

  SQL Server rights required to work with Administration Server:

  • Server-level role: public.
  • Database role membership for the Server database: db_owner.
  • Default schema for the Server database: dbo.
  • Permissions:
    • CONNECT SQL
    • VIEW ANY DATABASE

  Manual database creation (by the Administrator):

  SQL Server rights:

  • Server-level role: public.
  • Database role membership for the Server database: db_owner.
  • Default schema for the Server database: dbo.
  • Permissions:
    • CONNECT SQL
    • VIEW ANY DATABASE

Configuring SQL Server rights for Administration Server data recovery

To restore Administration Server data from the backup, start the klbackup utility under the Windows account used to install Administration Server. Before you start the klbackup utility, on SQL Server, grant the sysadmin server-level role to the SQL Server login associated with this Windows account.

MySQL and MariaDB

If you choose MySQL or MariaDB as a DBMS, create a DBMS internal account and grant this account the required rights listed in the table below. The installer and the Administration Server service use this internal DBMS account to access the DBMS. Note that the database creation method does not affect the set of required rights. For more information on how to configure the account rights, see Configuring accounts for work with MySQL and MariaDB.

DBMS: MySQL and MariaDB (automatic or manual database creation)

Account under which the installer is running

  • Remote DBMS: only a domain account of the remote device with the installed DBMS.
  • Local DBMS: a local administrator account or a domain account.

Rights of the account under which the installer is running

System rights: local administrator rights.

Administration Server service account

  • Remote DBMS: Only a domain account of the remote device with the installed DBMS.
  • Local DBMS:
    • A Windows account chosen by the administrator.
    • An account in the KL-AK-* format that the installer creates automatically.

Rights of the Administration Server service account

System rights: The required rights assigned by the installer.

Rights of the DBMS internal account

Schema privileges:

  • Administration Server database: ALL (excluding GRANT OPTION).
  • System schemes (mysql and sys): SELECT, SHOW VIEW.
  • The sys.table_exists stored procedure: EXECUTE (if you use MariaDB 10.5 or earlier as a DBMS, you do not need to grant the EXECUTE privilege).

Global privileges for all schemes: PROCESS, SUPER.

Configuring privileges for Administration Server data recovery

Rights that you granted to the internal DBMS account are enough to restore Administration Server data from the backup. To start the restore, run the klbackup utility under the Windows account used to install Administration Server.

See also:

Main installation scenario


Configuring accounts for work with SQL Server (Windows authentication)

Prerequisites

Before you assign rights to the accounts, perform the following actions:

  1. Make sure that you log in to the system under the local administrator account.
  2. Install an environment for working with SQL Server.
  3. Make sure that you have a Windows account under which you will install Administration Server.
  4. Make sure that you have a Windows account under which you will start the Administration Server service.
  5. On SQL Server, create a login for the Windows account used to run the Administration Server installer (hereinafter also referred to as the installer). Also, create a login for the Windows account used to start the Administration Server service.

If you use SQL Server Management Studio, on the General page of the login properties window, select the Windows Authentication option.

If you want to install Administration Server and SQL Server on devices that are located in separate Windows domains, note that these domains must have two-way trust relationships to ensure the correct operation of Administration Server, including running tasks and applying policies. For information about the required accounts for work with various DBMSs and accounts' rights, see Accounts for work with the DBMS.

Configuring the accounts to install Administration Server (automatic creation of the Administration Server database)

To configure the accounts for the Administration Server installation:

  1. On SQL Server, assign the sysadmin server-level role to the login of the Windows account used to run the installer.
  2. Log in to the system under the Windows account used to run the installer.
  3. Run the Administration Server installer.

    The Administration Server Setup wizard starts. Follow the instructions of the wizard.

  4. Select the custom installation of Administration Server option.
  5. Select Microsoft SQL Server as the DBMS that stores the Administration Server database.
  6. Select the Microsoft Windows Authentication mode to establish a connection between Administration Server and SQL Server through a Windows account.
  7. Specify the Windows account used to start the Administration Server service.

    You can select the Windows user account for which you created an SQL Server login earlier. Alternatively, you can automatically create a new Windows account in the KL-AK-* format by using the installer. In this case, the installer automatically creates an SQL Server login for this account. Regardless of the account choice, the installer assigns the required system rights and SQL Server rights to the Administration Server service account.

After the installation finishes, the Server database is created, and all the required system rights and SQL Server rights are assigned to the Administration Server service account. Administration Server is ready to use.

Configuring the accounts to install Administration Server (manual creation of the Administration Server database)

To configure the accounts for the Administration Server installation:

  1. On SQL Server, create an empty database. This database will be used as an Administration Server database (hereinafter also referred to as a Server database).
  2. For both SQL Server logins created for the Windows accounts, specify the public server-level role, and then configure the mapping to the created database:
    • Server-level role: public
    • Database role membership: db_owner, public
    • Default schema: dbo
  3. Log in to the system under the Windows account used to run the installer.
  4. Run the Administration Server installer.

    The Administration Server Setup wizard starts. Follow the instructions of the wizard.

  5. Select the custom installation of Administration Server option.
  6. Select Microsoft SQL Server as the DBMS that stores the Administration Server database.
  7. Specify the name of the created database as the Administration Server database name.
  8. Select the Microsoft Windows Authentication mode to establish a connection between Administration Server and SQL Server through a Windows account.
  9. Specify the Windows account used to start the Administration Server service.

    You can select the Windows user account for which you created an SQL Server login and configured the login rights earlier.

We do not recommend that you automatically create a new Windows account in the KL-AK-* format. In this case, the installer creates a new Windows account for which you have not created and configured an SQL Server account. Administration Server cannot use this account to start the Administration Server service. If it is necessary to create a KL-AK-* Windows account, do not start Administration Console after the installation. Do the following, instead:

  1. Stop the kladminserver service.
  2. On SQL Server, create an SQL Server login for the created KL-AK-* Windows account.
  3. Grant the rights to this SQL Server login and configure the mapping to the created database:
    • Server-level role: public
    • Database role membership: db_owner, public
    • Default schema: dbo
  4. Restart the kladminserver service, and then run Administration Console.

After the installation finishes, the Administration Server will use the created database to store the Server data. Administration Server is ready to use.
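
The SQL Server side of the manual-creation procedure above (steps 1 and 2, plus the login prerequisite), written as T-SQL instead of SQL Server Management Studio actions. This is an added example, not part of the Kaspersky documentation; the database name KAV and the Windows accounts CONTOSO\ksc-install and CONTOSO\ksc-service are assumed placeholders.

```sql
-- Added example (T-SQL); not part of the Kaspersky documentation.
-- Assumed placeholders: database KAV, Windows accounts CONTOSO\ksc-install
-- (runs the installer) and CONTOSO\ksc-service (runs the Administration Server service).
-- Run as a SQL Server administrator other than these two accounts, so that
-- neither of them becomes the owner of the new database.
-- GO is the batch separator understood by sqlcmd and SQL Server Management Studio.

-- Step 1: create the empty Server database.
CREATE DATABASE [KAV];
GO

-- Prerequisite 5: one login per Windows account (skipped if it already exists).
-- A new login belongs to the public server role only; no other server role is added.
IF SUSER_ID(N'CONTOSO\ksc-install') IS NULL
    CREATE LOGIN [CONTOSO\ksc-install] FROM WINDOWS;
IF SUSER_ID(N'CONTOSO\ksc-service') IS NULL
    CREATE LOGIN [CONTOSO\ksc-service] FROM WINDOWS;
GO

-- Step 2: map both logins to the Server database with default schema dbo and
-- db_owner membership (membership in the public database role is implicit).
USE [KAV];
GO
CREATE USER [CONTOSO\ksc-install] FOR LOGIN [CONTOSO\ksc-install]
    WITH DEFAULT_SCHEMA = dbo;
CREATE USER [CONTOSO\ksc-service] FOR LOGIN [CONTOSO\ksc-service]
    WITH DEFAULT_SCHEMA = dbo;
-- ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later.
ALTER ROLE db_owner ADD MEMBER [CONTOSO\ksc-install];
ALTER ROLE db_owner ADD MEMBER [CONTOSO\ksc-service];
GO

-- Check 1: server-level roles held by the two logins. public is never listed in
-- sys.server_role_members, so a NULL server_role means "public only".
SELECT p.name AS login_name, r.name AS server_role
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS m ON m.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals   AS r ON r.principal_id = m.role_principal_id
WHERE p.name IN (N'CONTOSO\ksc-install', N'CONTOSO\ksc-service');

-- Check 2: mapping inside the Server database (user, default schema, roles).
SELECT u.name AS database_user, u.default_schema_name, r.name AS database_role
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id
WHERE u.sid IN (SUSER_SID(N'CONTOSO\ksc-install'),
                SUSER_SID(N'CONTOSO\ksc-service'));
```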


Configuring accounts for work with SQL Server (SQL Server authentication)

Prerequisites

Before you assign rights to the accounts, perform the following actions:

  1. Make sure that you log in to the system under the local administrator account.
  2. Install an environment for working with SQL Server.
  3. Make sure that you have a Windows account under which you will install Administration Server.
  4. Make sure that you have a Windows account under which you will start the Administration Server service.
  5. On SQL Server, enable the SQL Server authentication mode.

    If you use SQL Server Management Studio, in the SQL Server Properties window, on the Security page, select the SQL Server and Windows Authentication mode option.

  6. On SQL Server, create a login with a password. The Administration Server installer (hereinafter also referred to as the installer) and the Administration Server service will use this SQL Server account to access SQL Server.

    If you use SQL Server Management Studio, on the General page of the login properties window, select the SQL Server authentication option.

If you want to install Administration Server and SQL Server on devices that are located in separate Windows domains, note that these domains must have two-way trust relationships to ensure the correct operation of Administration Server, including running tasks and applying policies. For information about the required accounts for work with various DBMSs and accounts' rights, see Accounts for work with the DBMS.

Configuring the accounts to install Administration Server (automatic creation of the Administration Server database)

To configure the accounts for the Administration Server installation:

  1. On SQL Server, map the SQL Server account to the default master database. The master database is a template for the Administration Server database (hereinafter also referred to as a Server database). The master database is used for mapping until the installer creates a Server database. Grant the following rights and permissions to the SQL Server account:
    • Server-level role: public
    • Database role membership for the master database: db_owner
    • Default schema for the master database: dbo
    • Permissions:
      • CONNECT ANY DATABASE
      • CONNECT SQL
      • CREATE ANY DATABASE
      • VIEW ANY DATABASE
  2. Log in to the system under the Windows account used to run the installer.
  3. Run the installer.

    The Administration Server Setup wizard starts. Follow the instructions of the wizard.

  4. Select the custom installation of Administration Server option.
  5. Select Microsoft SQL Server as the DBMS that stores the Administration Server database.
  6. Specify the Administration Server database name.
  7. Select the SQL Server Authentication mode to establish a connection between Administration Server and SQL Server through the created SQL Server account. Then, specify the SQL Server account credentials.
  8. Specify the Windows account used to start the Administration Server service.

    You can select an existing Windows user account or create a new Windows account in the KL-AK-* format by using the installer. Regardless of the account choice, the installer assigns the required system rights to the Administration Server service account.

After the installation finishes, the Server database is created and all the required system rights are assigned to the Administration Server service account. Administration Server is ready to use.

You can cancel the mapping to the master database, because the installer created a Server database and configured the mapping to this database during the Administration Server installation.

Since the automatic database creation requires more permissions than normal work with Administration Server, you can revoke some permissions. On SQL Server, select the SQL Server account, and then grant the following rights for work with Administration Server:

  • Server-level role: public
  • Database role membership for the Server database: db_owner
  • Default schema for the Server database: dbo
  • Permissions:
    • CONNECT SQL
    • VIEW ANY DATABASE
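
The install-time rights from step 1 and the reduction described above, written as T-SQL. This is an added example, not part of the Kaspersky documentation; the login name KSCLogin, the database name KAV and the <password> placeholder are assumptions.

```sql
-- Added example (T-SQL); not part of the Kaspersky documentation.
-- Assumed placeholders: SQL Server login KSCLogin, Server database KAV, <password>.
-- The two phases are run at different times, each by a SQL Server administrator.
-- GO is the batch separator understood by sqlcmd and SQL Server Management Studio.

-- PHASE 1 (before running Setup): rights needed to create the database and install.
-- Server-level permissions can be granted only while the current database is master.
USE master;
CREATE LOGIN [KSCLogin] WITH PASSWORD = N'<password>', DEFAULT_DATABASE = master;
GRANT CONNECT SQL          TO [KSCLogin];
GRANT VIEW ANY DATABASE    TO [KSCLogin];
GRANT CONNECT ANY DATABASE TO [KSCLogin];   -- permission exists in SQL Server 2014 and later
GRANT CREATE ANY DATABASE  TO [KSCLogin];
-- Temporary mapping to master: db_owner membership, default schema dbo.
CREATE USER [KSCLogin] FOR LOGIN [KSCLogin] WITH DEFAULT_SCHEMA = dbo;
ALTER ROLE db_owner ADD MEMBER [KSCLogin];
GO

-- PHASE 2 (after Setup has finished): keep only what normal operation needs.
USE master;
IF DB_ID(N'KAV') IS NULL
BEGIN
    -- Guard: the Server database does not exist yet, so nothing is revoked.
    RAISERROR(N'Server database KAV not found: Setup has not finished.', 16, 1);
    RETURN;
END;
REVOKE CREATE ANY DATABASE  FROM [KSCLogin];
REVOKE CONNECT ANY DATABASE FROM [KSCLogin];
-- Cancel the mapping to master.
IF DATABASE_PRINCIPAL_ID(N'KSCLogin') IS NOT NULL
BEGIN
    ALTER ROLE db_owner DROP MEMBER [KSCLogin];
    DROP USER [KSCLogin];
END;
GO

-- Check 1: explicit server-level permissions still held by the login,
-- for comparison with the "work with Administration Server" list above.
SELECT pr.name AS login_name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'KSCLogin';
GO

-- Check 2: how the login is mapped inside the Server database. Matching on the
-- SID also finds the login when it is mapped as the database owner (dbo).
USE [KAV];
GO
SELECT u.name AS database_user, u.default_schema_name, r.name AS database_role
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id
WHERE u.sid = SUSER_SID(N'KSCLogin');
```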

Configuring the accounts to install Administration Server (manual creation of the Administration Server database)

To configure the accounts for the Administration Server installation:

  1. On SQL Server, create an empty database. This database will be used as an Administration Server database.
  2. On SQL Server, grant the following rights and permissions to the SQL Server account:
    • Server-level role: public.
    • Database role membership for the created database: db_owner.
    • Default schema for the created database: dbo.
    • Permissions:
      • CONNECT SQL
      • VIEW ANY DATABASE
  3. Log in to the system under the Windows account used to run the installer.
  4. Run the installer.

    The Administration Server Setup wizard starts. Follow the instructions of the wizard.

  5. Select the custom installation of Administration Server option.
  6. Select Microsoft SQL Server as the DBMS that stores the Administration Server database.
  7. Specify the name of the created database as the Administration Server database name.
  8. Select the SQL Server Authentication mode to establish a connection between Administration Server and SQL Server through the created SQL Server account. Then, specify the SQL Server account credentials.
  9. Specify the Windows account used to start the Administration Server service.

    You can select an existing Windows user account or create a new Windows account in the KL-AK-* format by using the installer. Regardless of the account choice, the installer assigns the required system rights to the Administration Server service account.

After the installation finishes, the Administration Server will use the created database to store the Administration Server data. All the required system rights are assigned to the Administration Server service account. Administration Server is ready to use.


Configuring accounts for work with MySQL and MariaDB

Prerequisites

Before you assign rights to the accounts, perform the following actions:

  1. Make sure that you log in to the system under the local administrator account.
  2. Install an environment for working with MySQL or MariaDB.
  3. Make sure that you have a Windows account under which you will install Administration Server.
  4. Make sure that you have a Windows account under which you will start the Administration Server service.

Configuring the accounts to install Administration Server

To configure the accounts for the Administration Server installation:

  1. Run an environment for working with MySQL or MariaDB under the root account that you created when you installed the DBMS.
  2. Create an internal DBMS account with a password. The Administration Server installer (hereinafter also referred to as the installer) and the Administration Server service will use this internal DBMS account to access DBMS. Grant the following privileges to this account:
    • Schema privileges:
      • Administration Server database: ALL (excluding GRANT OPTION)
      • System schemes (mysql and sys): SELECT, SHOW VIEW
      • The sys.table_exists stored procedure: EXECUTE
    • Global privileges for all schemes: PROCESS, SUPER

    To create an internal DBMS account and grant the required privileges to this account, run the script below (in this script, the DBMS login is KSCAdmin, and the Administration Server database name is kav):

    /* Create a user named KSCAdmin */
    CREATE USER 'KSCAdmin'
    /* Specify a password for KSCAdmin */
    IDENTIFIED BY '<password>';

    /* Grant privileges to KSCAdmin */
    GRANT USAGE ON *.* TO 'KSCAdmin';
    GRANT ALL ON kav.* TO 'KSCAdmin';
    GRANT SELECT, SHOW VIEW ON mysql.* TO 'KSCAdmin';
    GRANT SELECT, SHOW VIEW ON sys.* TO 'KSCAdmin';
    GRANT EXECUTE ON PROCEDURE sys.table_exists TO 'KSCAdmin';
    GRANT PROCESS ON *.* TO 'KSCAdmin';
    GRANT SUPER ON *.* TO 'KSCAdmin';

    If you use MariaDB 10.5 or earlier as a DBMS, you do not need to grant the EXECUTE privilege. In this case, exclude the following command from the script: GRANT EXECUTE ON PROCEDURE sys.table_exists TO 'KSCAdmin'.

  3. To view the list of privileges granted to the DBMS account, run the following script:

    SHOW GRANTS FOR 'KSCAdmin';

  4. To create an Administration Server database manually, run the following script (in this script, the Administration Server database name is kav):

    CREATE DATABASE kav
    DEFAULT CHARACTER SET 'ascii'
    COLLATE 'ascii_general_ci';

    Use the same database name that you specify in the script that creates the DBMS account.

  5. Log in to the system under the Windows account used to run the installer.
  6. Run the installer.

    The Administration Server Setup wizard starts. Follow the instructions of the wizard.

  7. Select the custom installation of Administration Server option.
  8. Select MySQL or MariaDB as the DBMS that stores the Administration Server database.
  9. Specify the Administration Server database name. Use the same database name that you specify in the script.
  10. Specify the credentials of the DBMS account that you created by the script.
  11. Specify the Windows account used to start the Administration Server service.

    You can select an existing Windows user account or automatically create a new Windows account in the KL-AK-* format by using the installer. Regardless of the account choice, the installer assigns the required system rights to the Administration Server service account.

After the installation finishes, the Administration Server database is created and Administration Server is ready to use.

See also:

Scenario: Application Management


Scenario: Authenticating Microsoft SQL Server

Information in this section is only applicable to configurations in which Kaspersky Security Center uses Microsoft SQL Server as a database management system.

To protect Kaspersky Security Center data transferred to or from the database and data stored in the database from unauthorized access, you must secure communication between Kaspersky Security Center and SQL Server. The most reliable way to provide secure communication is to install Kaspersky Security Center and SQL Server on the same device and use the shared memory mechanism for both applications. In all other cases, we recommend that you use an SSL or TLS certificate to authenticate the SQL Server instance. You can use a certificate from a trusted certification authority (CA) or a self-signed certificate. We recommend that you use a certificate from a trusted CA because a self-signed certificate provides only limited protection.

SQL Server authentication proceeds in stages:

  1. Generating a self-signed SSL or TLS certificate for SQL Server according to the certificate requirements

    If you already have a certificate for SQL Server, skip this step.

    An SSL certificate is only applicable to SQL Server versions earlier than 2016 (13.x). In SQL Server 2016 (13.x) and later versions, use a TLS certificate.

    For example, to generate a TLS certificate, enter the following command in PowerShell:

    New-SelfSignedCertificate -DnsName SQL_HOST_NAME -CertStoreLocation cert:\LocalMachine -KeySpec KeyExchange

    In the command, instead of SQL_HOST_NAME you must type the SQL Server host name if the host is included in the domain or type the fully qualified domain name (FQDN) of the host if the host is not included in the domain. The same name—host name or FQDN—must be specified as an SQL Server instance name in the Administration Server Setup Wizard.

  2. Adding the certificate on the SQL Server instance

    The instructions for this stage depend on the platform on which SQL Server is running. Refer to the official documentation for details:

    To use the certificate on a failover cluster, you must install the certificate on each node of the failover cluster. For details, refer to the Microsoft documentation.

  3. Assigning the service account permissions

    Ensure that the service account under which the SQL Server service is run has the Full control permission to access private keys. For details, refer to the Microsoft documentation.

  4. Adding the certificate to the list of trusted certificates for Kaspersky Security Center

    On the Administration Server device, add the certificate to the list of trusted certificates. For details, refer to the Microsoft documentation.

  5. Enabling encrypted connections between the SQL Server instance and Kaspersky Security Center

    On the Administration Server device, set the environment variable KLDBADO_UseEncryption to 1. For example, in Windows Server 2012 R2, you can change environment variables by clicking Environment Variables on the Advanced tab of the System Properties window. Add a new variable, name it KLDBADO_UseEncryption, and then set its value to 1.

  6. Additional configuration to use TLS 1.2 protocol

    If you use the TLS 1.2 protocol, then additionally do the following:

    • Ensure that the installed version of SQL Server is a 64-bit application.
    • Install Microsoft OLE DB Driver on the Administration Server device. For details, refer to the Microsoft documentation.
    • On the Administration Server device, set the environment variable KLDBADO_UseMSOLEDBSQL to 1. For example, in Windows Server 2012 R2, you can change environment variables by clicking Environment Variables on the Advanced tab of the System Properties window. Add a new variable, name it KLDBADO_UseMSOLEDBSQL, and then set its value to 1.

  7. Enabling usage of TCP/IP protocol on a named instance of SQL Server

    If you use a named instance of SQL Server, then additionally enable usage of TCP/IP protocol and assign a TCP/IP port number to the SQL Server Database Engine. When you configure SQL Server connection in the Administration Server Setup Wizard, specify the SQL Server host name and the port number in the SQL Server instance name field.
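
The following PowerShell script is an added example, not part of the Kaspersky documentation or product: run on the Administration Server device, it checks the outcome of stages 4 to 7 above for the instance name you intend to type in the Setup Wizard. The function names, the use of the LocalMachine\Root store for a self-signed certificate, the machine-level scope of the variables, and Windows authentication for the test connection are assumptions.

```powershell
# Added example, not Kaspersky code. Run on the Administration Server device
# in Windows PowerShell 5.1. All function names here are hypothetical.
Add-Type -AssemblyName System.Data

function New-KscCheck($Check, $Passed, $Detail) {
    [pscustomobject]@{ Check = $Check; Passed = [bool]$Passed; Detail = $Detail }
}

function Split-KscSqlInstanceName {
    # Parses the "SQL Server instance name" field: host[\instance][,port].
    # Character classes are restrictive so the value cannot carry extra
    # connection-string keywords.
    param([Parameter(Mandatory)][string]$InstanceName)
    $pattern = '^(?<host>[A-Za-z0-9._-]+)(\\(?<inst>[A-Za-z0-9_$#]+))?(,(?<port>\d{1,5}))?$'
    if ($InstanceName -notmatch $pattern) {
        throw "Unrecognized instance name format: $InstanceName"
    }
    [pscustomobject]@{
        HostName = $Matches['host']
        Instance = $Matches['inst']   # $null when no instance was given
        Port     = $Matches['port']   # $null when no port was given
    }
}

function Test-KscSqlTls {
    param(
        [Parameter(Mandatory)][string]$InstanceName,  # as typed in the Setup Wizard
        [switch]$Tls12,        # also check the stage 6 items
        [switch]$SkipConnect   # skip the live connection test
    )
    $target = Split-KscSqlInstanceName $InstanceName

    # Stage 7: a named instance is addressed by host name plus TCP port.
    if ($target.Instance) {
        New-KscCheck 'Port specified for named instance' $target.Port "port: '$($target.Port)'"
    }

    # Stages 5 and 6: variables are read at machine scope (assumption), because
    # Administration Server runs as a service and does not see per-user variables.
    $names = @('KLDBADO_UseEncryption')
    if ($Tls12) { $names += 'KLDBADO_UseMSOLEDBSQL' }
    foreach ($name in $names) {
        $value = [Environment]::GetEnvironmentVariable($name, 'Machine')
        New-KscCheck "Variable $name" ($value -eq '1') "machine-level value: '$value'"
    }

    # Stage 4 (self-signed case, assumption): certificate is in the trusted root
    # store, inside its validity period, and issued for the name used in the Wizard.
    $now   = Get-Date
    $certs = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
        $_.DnsNameList.Unicode -contains $target.HostName -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now })
    $detail = "no valid certificate for '$($target.HostName)' in LocalMachine\Root"
    if ($certs.Count -gt 0) {
        $detail = ($certs | ForEach-Object {
            "$($_.Thumbprint) expires $($_.NotAfter.ToString('yyyy-MM-dd'))" }) -join '; '
    }
    New-KscCheck 'Trusted certificate matches SQL host name' ($certs.Count -gt 0) $detail

    if ($Tls12) {
        # Stage 6: Microsoft OLE DB Driver registers providers named MSOLEDBSQL*.
        # The enumerator lists providers for the bitness of this PowerShell process.
        $providers = (New-Object System.Data.OleDb.OleDbEnumerator).GetElements().Rows |
            ForEach-Object { $_.SOURCES_NAME } | Where-Object { $_ -like 'MSOLEDBSQL*' }
        New-KscCheck 'Microsoft OLE DB Driver installed' $providers ("found: " + ($providers -join ', '))
    }

    if (-not $SkipConnect) {
        # Encrypt=True with TrustServerCertificate=False makes the client refuse
        # the session unless the server certificate chains to a trusted root and
        # matches the host name. Windows authentication is an assumption.
        $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
        $builder['Data Source']            = $InstanceName
        $builder['Integrated Security']    = $true
        $builder['Encrypt']                = $true
        $builder['TrustServerCertificate'] = $false
        $builder['Connect Timeout']        = 10
        $conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
        $label = 'Encrypted connection with certificate validation'
        try {
            $conn.Open()
            New-KscCheck $label $true "server version $($conn.ServerVersion)"
        } catch {
            New-KscCheck $label $false $_.Exception.Message
        } finally {
            $conn.Dispose()
        }
    }
}

# Example call (placeholder name in the format shown in the Setup Wizard text):
# Test-KscSqlTls -InstanceName 'SQL_Server_name\SQL_Server_instance_name,1433' -Tls12 |
#     Format-Table -AutoSize
```

The connection test uses the .NET SqlClient provider rather than the product's own data access layer, so a pass confirms that the certificate and host name validate from this device, not that Administration Server itself is already using encryption.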


Recommendations on Administration Server installation

This section contains recommendations on how to install Administration Server. This section also provides scenarios for using a shared folder on the Administration Server device in order to deploy Network Agent on client devices.

In this section

Creating accounts for the Administration Server services on a failover cluster

Defining a shared folder

Remote installation with Administration Server tools through Active Directory group policies

Remote installation through delivery of the UNC path to a stand-alone package

Updating from the Administration Server shared folder

Installing images of operating systems

Specifying the address of the Administration Server


Creating accounts for the Administration Server services on a failover cluster

By default, the installer automatically creates non-privileged accounts for services of Administration Server. This behavior is the most convenient for Administration Server installation on an ordinary device.

However, installation of Administration Server on a failover cluster requires a different scenario:

  1. Create non-privileged domain accounts for services of Administration Server and make them members of a global domain security group named KLAdmins.
  2. In the Administration Server Installer, specify the domain accounts that have been created for the services.

See also:

Main installation scenario


Defining a shared folder

When installing Administration Server, you can specify the location of the shared folder. You can also specify the location of the shared folder after installation, in the Administration Server properties. By default, the shared folder will be created on the device with Administration Server (with read rights for the Everyone subgroup). However, in some cases (such as high load or a need for access from an isolated network), it is useful to locate the shared folder on a dedicated file resource.

The shared folder is used occasionally in Network Agent deployment.

Case sensitivity for the shared folder must be disabled.

See also:

Remote installation with Administration Server tools through Active Directory group policies

Remote installation through delivery of the UNC path to a stand-alone package

Updating from the Administration Server shared folder

Installing images of operating systems


Remote installation with Administration Server tools through Active Directory group policies

If the target devices are located within a Windows domain (no workgroups), initial deployment (installation of Network Agent and the security application on devices that are not yet managed) has to be performed through group policies of Active Directory. Deployment is performed by using the standard task for remote installation of Kaspersky Security Center. If the network is large-scale, it is useful to locate the shared folder on a dedicated file resource to reduce the load on the disk subsystem of the Administration Server device.


Remote installation through delivery of the UNC path to a stand-alone package

If the users of networked devices in the organization have local administrator rights, another method of initial deployment is to create a stand-alone Network Agent package (or even a "coupled" Network Agent package together with the security application). After you create a stand-alone package, send users a link to that package, which is stored in the shared folder. Installation starts when users click the link.


Updating from the Administration Server shared folder

In the Anti-Virus update task, you can configure updating from the shared folder of Administration Server. If the task has been assigned to a large number of devices, it is useful to locate the shared folder on a dedicated file resource.


Installing images of operating systems

Operating system images are always installed through the shared folder: devices read operating system images from the shared folder. If deployment of images is planned on a large number of corporate devices, it is useful to locate the shared folder on a dedicated file resource.

See also:

Deploying Network Agent and the security application


Specifying the address of the Administration Server

When installing Administration Server, you can specify the address of the Administration Server. This address will be used as the default address when creating installation packages of Network Agent.

As the Administration Server address, you can specify the following:

  • NetBIOS name of the Administration Server, which is specified by default
  • Fully qualified domain name (FQDN) of the Administration Server if the Domain Name System (DNS) on the organization's network has been configured and is functioning properly
  • External address if the Administration Server is installed in the demilitarized zone (DMZ)

After that, you will be able to change the address of the Administration Server by using Administration Console tools; the address will not change automatically in Network Agent installation packages that have been already created.

See also:

Internet access: Administration Server in DMZ


Standard installation

Standard installation is an Administration Server installation that uses the default paths for application files, installs the default set of plug-ins, and does not enable Mobile Device Management.

To install Kaspersky Security Center Administration Server on a local device:

Run the ksc_<version number>.<build number>_full_<localization language>.exe executable file.

A window opens prompting you to select Kaspersky applications to install. In the application selection window, click the Install Kaspersky Security Center 13.1 Administration Server link to start the Administration Server Setup Wizard. Follow the instructions of the Wizard.

In this section

Step 1. Reviewing the License Agreement and Privacy Policy

Step 2. Selecting an installation method

Step 3. Installing Kaspersky Security Center 13.1 Web Console

Step 4. Selecting network size

Step 5. Selecting a database

Step 6. Configuring the SQL Server

Step 7. Selecting an authentication mode

Step 8. Unpacking and installing files on the hard drive

See also:

Main installation scenario


Step 1. Reviewing the License Agreement and Privacy Policy

At this step of the Setup Wizard, you must read the License Agreement, which is to be concluded between you and Kaspersky, as well as the Privacy Policy.

You may also be prompted to view the License Agreements and Privacy Policies for application management plug-ins that are available in the Kaspersky Security Center distribution kit.

Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood, and accept the following section:

  • The terms and conditions of this EULA
  • Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes.

If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel button.


Step 2. Selecting an installation method

In the installation type selection window, select Standard.

Standard installation is recommended if you want to try out Kaspersky Security Center by, for example, testing its operation on a small area within your enterprise network. During standard installation, you only configure the database. You do not specify any Administration Server settings: their respective default values are used instead. Standard installation does not allow you to select management plug-ins to install; only the default set of plug-ins is installed. During standard installation, no installation packages for mobile devices are created. However, you can create them later in Administration Console.


Step 3. Installing Kaspersky Security Center 13.1 Web Console

This step is displayed only if you are using a 64-bit operating system. Otherwise, this step is not displayed, because Kaspersky Security Center 13.1 Web Console does not work with 32-bit operating systems.

By default, both Kaspersky Security Center 13.1 Web Console and MMC-based Administration Console will be installed.

If you want to install only Kaspersky Security Center 13.1 Web Console:

  1. Select Install only this one.
  2. Choose Web-based console in the drop-down list.

Installation of Kaspersky Security Center 13.1 Web Console starts automatically after completion of Administration Server installation.

If you want to install only the MMC-based console:

  1. Select Install only this one.
  2. Choose MMC-based console in the drop-down list.


Step 4. Selecting network size

Specify the size of the network on which Kaspersky Security Center is to be installed. Depending on the number of devices on the network, the Wizard configures the installation and appearance of the application interface so that they match.

The following table lists the application installation settings and interface appearance settings, which are adjusted based on various network sizes.

Dependence of installation settings on the network scale selected

| Settings | 1–100 devices | 100–1000 devices | 1000–5000 devices | More than 5000 devices |
| --- | --- | --- | --- | --- |
| Display with the node for secondary and virtual Administration Servers, and all settings related to the secondary and virtual Administration Servers in the console tree | not available | not available | available | available |
| Display with the Security sections in the properties windows of the Administration Server and administration groups | not available | not available | available | available |
| Random distribution of startup time for the update task on client devices | not available | Over an interval of 5 minutes | Over an interval of 10 minutes | Over an interval of 10 minutes |

If you connect Administration Server to a MySQL or SQL Express database server, it is not recommended to use the application to manage more than 10,000 devices. For the MariaDB database management system, the maximum recommended number of managed devices is 20,000.


Step 5. Selecting a database

At this step of the Wizard, you must select the mechanism—Microsoft SQL Server (SQL Express) or MySQL—that will be used to store the Administration Server database. The MySQL option is relevant to both MySQL and MariaDB.

It is recommended to install the Administration Server on a dedicated server instead of a domain controller. However, if you install Kaspersky Security Center on a server that acts as a read-only domain controller (RODC), Microsoft SQL Server (SQL Express) must not be installed locally (on the same device). In this case, we recommend that you install Microsoft SQL Server (SQL Express) remotely (on a different device), or that you use MySQL or MariaDB, if you need to install the DBMS locally.

The Administration Server database structure is provided in the klakdb.chm file, which is located in the Kaspersky Security Center installation folder (this file is also available in an archive on the Kaspersky portal: klakdb.zip).

See also:

Selecting a DBMS


Step 6. Configuring the SQL Server

At this step of the Wizard, you configure SQL Server.

Depending on the database that you have selected, specify the following settings:

  • If you selected Microsoft SQL Server (SQL Server Express) in the previous step:
    • In the SQL Server instance name field, specify the name of the SQL Server on the network. To view a list of all SQL Servers that are on the network, click the Browse button. This field is blank by default.

      If you connect to the SQL Server through a custom port, then together with the SQL Server host name specify the port number separated with a comma, for example:

      SQL_Server_host_name,1433

      If you secure communication between the Administration Server and SQL Server by means of a certificate, specify in the SQL Server instance name field the same host name that was used when generating the certificate. If you use a named instance of SQL Server, then together with the SQL Server host name specify the port number separated with a comma, for example:

      SQL_Server_name,1433

      If you use several instances of SQL Server on the same host, then additionally specify the instance name separated with a backslash, for example:

      SQL_Server_name\SQL_Server_instance_name,1433

      If a SQL Server on the enterprise network has the Always On feature enabled, specify the name of the availability group listener in the SQL Server instance name field. Note that Administration Server supports only the synchronous-commit availability mode when the Always On feature is enabled.

    • In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.

    If at this stage you want to install SQL Server on the device from which you are installing Kaspersky Security Center, you must stop installation and restart it after SQL Server is installed. The supported SQL Server versions are listed in the system requirements.

    If you want to install SQL Server on a remote device, you do not have to interrupt the Kaspersky Security Center Setup Wizard. Install SQL Server and resume installation of Kaspersky Security Center.

  • If you selected MySQL in the previous step:
    • In the SQL Server instance name field, specify the name of the SQL Server instance. By default, the name is the IP address of the device on which Kaspersky Security Center is to be installed.
    • In the Port field, specify the port for Administration Server connection to the SQL Server database. The default port number is 3306.
    • In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.


Step 7. Selecting an authentication mode

Determine the authentication mode that will be used when Administration Server connects to the SQL Server.

Depending on the database that is selected, you can choose from the following authentication modes:

  • For SQL Express or Microsoft SQL Server select one of the following options:
    • Microsoft Windows Authentication mode. Verification of rights uses the account used for starting Administration Server.
    • SQL Server Authentication mode. If you select this option, the account specified in the window is used to verify access rights. Fill in the Account and Password fields.

      To see the entered password, click and hold the Show button.

    For both authentication modes, the application checks if the database is available. If the database is not available, an error message is displayed, and you have to provide correct credentials.

    If the Administration Server database is stored on another device and the Administration Server account does not have access to the database server, you must use SQL Server authentication mode when installing or upgrading Administration Server. This may occur when the device that stores the database is outside the domain or when Administration Server is installed under a LocalSystem account.

  • For the MySQL server or MariaDB server, specify the account and password.

Step 8. Unpacking and installing files on the hard drive

After the installation of Kaspersky Security Center components is configured, you can start installing files on the hard drive.

If installation requires additional programs, the Setup Wizard will notify you, on the Installing Prerequisites page, before installation of Kaspersky Security Center begins. The required programs are installed automatically after you click the Next button.

On the last page, you can select which console to start for work with Kaspersky Security Center:

  • Start MMC-based Administration Console
  • Start Kaspersky Security Center Web Console

    This option is available only if you opted to install Kaspersky Security Center 13.1 Web Console in one of the previous steps.

You can also click Finish to close the Wizard without starting work with Kaspersky Security Center. You can start the work later at any time.

At the first startup of Administration Console or Kaspersky Security Center 13.1 Web Console, you can perform the initial setup of the application.

When the Setup Wizard finishes, the following application components are installed on the hard drive on which the operating system was installed:

  • Administration Server (together with the server version of Network Agent)
  • Microsoft Management Console-based Administration Console
  • Kaspersky Security Center 13.1 Web Console (if you chose to install it)
  • Application management plug-ins available in the distribution kit

Additionally, Microsoft Windows Installer 4.5 will be installed if it was not installed previously.


Custom installation

Custom installation is an Administration Server installation during which you are prompted to select components to install and specify the folder in which the application must be installed.

Using this type of installation, you can configure the database and Administration Server, as well as install components that are not included in standard installation or management plug-ins for various Kaspersky security applications. You can also enable Mobile Device Management.

To install Kaspersky Security Center Administration Server on a local device:

Run the ksc_<version number>.<build number>_full_<localization language>.exe executable file.

A window opens prompting you to select Kaspersky applications to install. In the application selection window, click the Install Kaspersky Security Center 13.1 Administration Server link to start the Administration Server Setup Wizard. Follow the instructions of the Wizard.

In this section

Step 1. Reviewing the License Agreement and Privacy Policy

Step 2. Selecting an installation method

Step 3. Selecting the components to be installed

Step 4. Installing Kaspersky Security Center 13.1 Web Console

Step 5. Selecting network size

Step 6. Selecting a database

Step 7. Configuring the SQL Server

Step 8. Selecting an authentication mode

Step 9. Selecting the account to start Administration Server

Step 10. Selecting the account for running the Kaspersky Security Center services

Step 11. Selecting a shared folder

Step 12. Configuring the connection to Administration Server

Step 13. Defining the Administration Server address

Step 14. Administration Server address for connection of mobile devices

Step 15. Selecting application management plug-ins

Step 16. Unpacking and installing files on the hard drive

See also:

Main installation scenario


Step 1. Reviewing the License Agreement and Privacy Policy

At this step of the Setup Wizard, you must read the License Agreement, which is to be concluded between you and Kaspersky, as well as the Privacy Policy.

You may also be prompted to view the License Agreements and Privacy Policies for application management plug-ins that are available in the Kaspersky Security Center distribution kit.

Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood, and accept the following section:

  • The terms and conditions of this EULA
  • Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes.

If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel button.


Step 2. Selecting an installation method

In the installation type selection window, specify Custom.

Custom installation allows you to modify the Kaspersky Security Center settings, such as the path to the shared folder, accounts and ports for connection to the Administration Server, and database settings. Custom installation allows you to specify which Kaspersky management plug-ins to install. During custom installation, you can create installation packages for mobile devices by enabling the corresponding option.


Step 3. Selecting the components to be installed

Select the components of Kaspersky Security Center Administration Server that you want to install:

  • Mobile Device Management. Select this check box if you must create installation packages for mobile devices when the Kaspersky Security Center Setup Wizard is running. You can also create installation packages for mobile devices manually, after Administration Server installation, by using Administration Console tools.
  • SNMP agent. This component receives statistical information for the Administration Server over the SNMP protocol. The component is available if the application is installed on a device with SNMP installed.

    After Kaspersky Security Center is installed, the .mib files required for receiving statistics are located in the SNMP subfolder of the application installation folder.

Network Agent and Administration Console are not displayed in the component list. These components are installed automatically and you cannot cancel their installation.

At this step you must specify a folder for installation of Administration Server components. By default, the components are installed to <Disk>:\Program Files\Kaspersky Lab\Kaspersky Security Center. If no such folder exists, this folder is created automatically during installation. You can change the destination folder by using the Browse button.


Step 4. Installing Kaspersky Security Center 13.1 Web Console

This step is displayed only if you are using a 64-bit operating system. Otherwise, this step is not displayed, because Kaspersky Security Center 13.1 Web Console does not work with 32-bit operating systems.

By default, both Kaspersky Security Center 13.1 Web Console and MMC-based Administration Console will be installed.

If you want to install only Kaspersky Security Center 13.1 Web Console:

  1. Select Install only this one.
  2. Choose Web-based console in the drop-down list.

Installation of Kaspersky Security Center 13.1 Web Console starts automatically after completion of Administration Server installation.

If you want to install only the MMC-based console:

  1. Select Install only this one.
  2. Choose MMC-based console in the drop-down list.

See also:

Main installation scenario


Step 5. Selecting network size

Specify the size of the network on which Kaspersky Security Center is to be installed. Depending on the number of devices on the network, the Wizard configures the installation and appearance of the application interface so that they match.

The following table lists the application installation settings and interface appearance settings, which are adjusted based on various network sizes.

Dependence of installation settings on the network scale selected

| Settings | 1–100 devices | 100–1000 devices | 1000–5000 devices | More than 5000 devices |
| --- | --- | --- | --- | --- |
| Display with the node for secondary and virtual Administration Servers, and all settings related to the secondary and virtual Administration Servers in the console tree | not available | not available | available | available |
| Display with the Security sections in the properties windows of the Administration Server and administration groups | not available | not available | available | available |
| Random distribution of startup time for the update task on client devices | not available | Over an interval of 5 minutes | Over an interval of 10 minutes | Over an interval of 10 minutes |

If you connect Administration Server to a MySQL or SQL Express database server, it is not recommended to use the application to manage more than 10,000 devices. For the MariaDB database management system, the maximum recommended number of managed devices is 20,000.


Step 6. Selecting a database

At this step of the Wizard, you must select the mechanism—Microsoft SQL Server (SQL Express) or MySQL—that will be used to store the Administration Server database. The MySQL option is relevant to both MySQL and MariaDB.

It is recommended to install the Administration Server on a dedicated server instead of a domain controller. However, if you install Kaspersky Security Center on a server that acts as a read-only domain controller (RODC), Microsoft SQL Server (SQL Express) must not be installed locally (on the same device). In this case, we recommend that you install Microsoft SQL Server (SQL Express) remotely (on a different device), or that you use MySQL or MariaDB, if you need to install the DBMS locally.

The Administration Server database structure is provided in the klakdb.chm file, which is located in the Kaspersky Security Center installation folder (this file is also available in an archive on the Kaspersky portal: klakdb.zip).


Step 7. Configuring the SQL Server

At this step of the Wizard, you configure SQL Server.

Depending on the database that you have selected, specify the following settings:

  • If you selected Microsoft SQL Server (SQL Server Express) in the previous step:
    • In the SQL Server instance name field, specify the name of the SQL Server on the network. To view a list of all SQL Servers that are on the network, click the Browse button. This field is blank by default.

      If you connect to the SQL Server through a custom port, then together with the SQL Server host name specify the port number separated with a comma, for example:

      SQL_Server_host_name,1433

      If you secure communication between the Administration Server and SQL Server by means of a certificate, specify in the SQL Server instance name field the same host name that was used when generating the certificate. If you use a named instance of SQL Server, then together with the SQL Server host name specify the port number separated with a comma, for example:

      SQL_Server_name,1433

      If you use several instances of SQL Server on the same host, then additionally specify the instance name separated with a backslash, for example:

      SQL_Server_name\SQL_Server_instance_name,1433

      If a SQL Server on the enterprise network has the Always On feature enabled, specify the name of the availability group listener in the SQL Server instance name field. Note that Administration Server supports only the synchronous-commit availability mode when the Always On feature is enabled.

    • In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.

    If at this stage you want to install SQL Server on the device from which you are installing Kaspersky Security Center, you must stop installation and restart it after SQL Server is installed. The supported SQL Server versions are listed in the system requirements.

    If you want to install SQL Server on a remote device, you do not have to interrupt the Kaspersky Security Center Setup Wizard. Install SQL Server and resume installation of Kaspersky Security Center.

  • If you selected MySQL in the previous step:
    • In the SQL Server instance name field, specify the name of the SQL Server instance. By default, the name is the IP address of the device on which Kaspersky Security Center is to be installed.
    • In the Port field, specify the port for Administration Server connection to the SQL Server database. The default port number is 3306.
    • In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.

See also:

Main installation scenario


Step 8. Selecting an authentication mode

Determine the authentication mode that will be used when Administration Server connects to the SQL Server.

Depending on the database that is selected, you can choose from the following authentication modes:

  • For SQL Express or Microsoft SQL Server select one of the following options:
    • Microsoft Windows Authentication mode. Verification of rights uses the account used for starting Administration Server.
    • SQL Server Authentication mode. If you select this option, the account specified in the window is used to verify access rights. Fill in the Account and Password fields.

      To see the entered password, click and hold the Show button.

    For both authentication modes, the application checks if the database is available. If the database is not available, an error message is displayed, and you have to provide correct credentials.

    If the Administration Server database is stored on another device and the Administration Server account does not have access to the database server, you must use SQL Server authentication mode when installing or upgrading Administration Server. This may occur when the device that stores the database is outside the domain or when Administration Server is installed under a LocalSystem account.

  • For the MySQL server or MariaDB server, specify the account and password.

Step 9. Selecting the account to start Administration Server

Select the account that will be used to start Administration Server as a service.

  • Generate the account automatically. The application creates an account named KL-AK-*, under which the kladminserver service will run.

    You can select this option if you plan to locate the shared folder and the DBMS on the same device as Administration Server.

  • Select an account. The Administration Server service (kladminserver) will run under the account that you selected.

    You will have to select a domain account if, for example, you plan to use as the DBMS a SQL Server instance of any version, including SQL Express, that is located on another device, and/or you plan to locate the shared folder on another device.

    Starting from version 10 Service Pack 3, Kaspersky Security Center supports managed service accounts (MSA) and group managed service accounts (gMSA). If these types of accounts are used in your domain, you can select one of them as the account for the Administration Server service.

    Before specifying MSA or gMSA, you must install the account on the same device on which you want to install Administration Server. If the account is not installed yet, then cancel the Administration Server installation, install the account, and then restart the Administration Server installation. For details about installation of managed service accounts on a local device, refer to the official Microsoft documentation.

    To specify MSA or gMSA:

    1. Click the Browse button.
    2. In the window that opens, click the Object type button.
    3. Select the Account for services type and click OK.
    4. Select the relevant account and click OK.

The account that you selected must have different permissions, depending on the DBMS that you plan to use.

For security reasons, do not assign privileged status to the account under which you run Administration Server.

If later you decide to change the Administration Server account, you can use the utility for Administration Server account switching (klsrvswch).

See also:

Accounts for work with the DBMS

Changes in the system after Kaspersky Security Center installation

Main installation scenario


Step 10. Selecting the account for running the Kaspersky Security Center services

Select the account under which the services of Kaspersky Security Center will run on this device:

  • Generate the account automatically. Kaspersky Security Center creates a local account named KlScSvc on this device in the kladmins group. The services of Kaspersky Security Center will be run under the account that has been created.
  • Select an account. The Kaspersky Security Center services will be run under the account that you selected.

    You will have to select a domain account if, for example, you intend to save reports to a folder located on a different device or if this is required by your organization's security policy. You may also have to select a domain account if you install Administration Server on a failover cluster.

For security reasons, do not grant privileged status to the account under which the services are run.

The KSN proxy service (ksnproxy), Kaspersky activation proxy service (klactprx), and Kaspersky authentication portal service (klwebsrv) will be run under the selected account.
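
The following PowerShell check is an added example, not part of the Kaspersky documentation. It reports the logon account of the services named in Steps 9 and 10 and flags accounts that are LocalSystem or direct members of the local Administrators group; treating those two cases as "privileged status" is an assumption of this example, and the function name Get-KscServiceAccountAudit is hypothetical.

```powershell
# Added example: audit the accounts that run the Kaspersky Security Center services.
function Get-KscServiceAccountAudit {
    [CmdletBinding()]
    param(
        # Service names as listed on this page.
        [string[]]$ServiceName = @('kladminserver', 'ksnproxy', 'klactprx', 'klwebsrv')
    )

    # Direct members of the local Administrators group, looked up by the
    # well-known SID S-1-5-32-544 so the check does not depend on the OS language.
    $adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        ForEach-Object { $_.SID.Value })

    foreach ($name in $ServiceName) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; Account = $null; Finding = 'NotInstalled' }
            continue
        }

        $account = $svc.StartName
        $finding = 'OK'

        if ($account -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') {
            # LocalSystem has full control of the device.
            $finding = 'Privileged: LocalSystem'
        }
        else {
            # The Service Control Manager stores local accounts as ".\name";
            # NTAccount needs the computer name instead of the dot.
            $ntName = $account -replace '^\.\\', "${env:COMPUTERNAME}\"
            try {
                $sid = ([System.Security.Principal.NTAccount]$ntName).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
                if ($adminSids -contains $sid) {
                    $finding = 'Privileged: member of local Administrators'
                }
            }
            catch {
                # Deleted or unreachable accounts cannot be resolved to a SID.
                $finding = "Unresolved account: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{ Service = $name; Account = $account; Finding = $finding }
    }
}

Get-KscServiceAccountAudit | Format-Table -AutoSize
```

Only direct membership is checked; an account that reaches Administrators through a nested domain group is not detected and needs a separate directory query.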

See also:

Changes in the system after Kaspersky Security Center installation

Main installation scenario


Step 11. Selecting a shared folder

Define the location and name of the shared folder that will be used to do the following:

  • Store the files necessary for remote installation of applications (these files are copied to Administration Server during creation of installation packages).
  • Store updates that have been downloaded from an update source to Administration Server.

File sharing (read-only) will be enabled for all users.

You can select either of the following options:

  • Create a shared folder. Create a new folder. In the text box, specify the path to the folder.
  • Select an existing shared folder. Select a shared folder that already exists.

The shared folder can be a local folder on the device that is used for installation or a remote directory on any client device on the corporate network. You can click the Browse button to select the shared folder, or specify the shared folder manually by entering its UNC path (for example, \\server\Share) in the corresponding field.

By default, the installer creates a local Share subfolder in the application folder that contains the components of Kaspersky Security Center.

You can define a shared folder later if needed.
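
An added example (not from the Kaspersky documentation) for verifying the read-only sharing described above: it lists share-level permissions on the chosen folder that allow more than Read. The function name Get-KscShareWriteAccess and the path in the sample call are hypothetical; run it on the device that hosts the folder.

```powershell
# Added example: find share-level permissions that allow more than Read
# on the folder used for installation packages and updates.
function Get-KscShareWriteAccess {
    [CmdletBinding()]
    param(
        # Local path of the shared folder selected in the wizard (supplied by the caller).
        [Parameter(Mandatory)] [string]$FolderPath
    )

    $resolved = (Resolve-Path -LiteralPath $FolderPath).ProviderPath.TrimEnd('\')

    # One folder can be published under more than one share name.
    $shares = @(Get-SmbShare |
        Where-Object { $_.Path -and $_.Path.TrimEnd('\') -eq $resolved })
    if (-not $shares) {
        throw "No SMB share publishes $resolved"
    }

    foreach ($share in $shares) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            # Report only Allow entries that grant Change, Full or Custom rights.
            if ([string]$ace.AccessControlType -eq 'Allow' -and
                [string]$ace.AccessRight -ne 'Read') {
                [pscustomobject]@{
                    Share   = $share.Name
                    Account = $ace.AccountName
                    Right   = [string]$ace.AccessRight
                }
            }
        }
    }
}

# Example call (constructed sample path; replace with the folder selected in the wizard):
# Get-KscShareWriteAccess -FolderPath 'D:\KSC\Share'
```

An empty result means every share-level grant on the folder is Read; NTFS permissions on the folder are a separate layer and are not examined here.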


Step 12. Configuring the connection to Administration Server

Configure the connection to Administration Server:

  • Port

    The number of the port used to connect to the Administration Server.

    The default port number is 14000.

  • SSL port

    Secure Sockets Layer (SSL) port number used to securely connect to the Administration Server via SSL.

    The default port number is 13000.

  • Encryption key length

    Select the length of the encryption key: 1024 bit or 2048 bit.

    A 1024-bit encryption key places a smaller load on the CPU, but it is considered obsolete because it cannot provide reliable encryption due to its technical specifications. Also, existing hardware is likely to be incompatible with SSL certificates that use 1024-bit keys.

    A 2048-bit encryption key meets all state-of-the-art encryption standards. However, use of a 2048-bit encryption key may add to the load on a CPU.

    By default, 2048 bit (best security) is selected.

If Administration Server is installed on a device running Microsoft Windows XP Service Pack 2, the built-in system Firewall blocks TCP ports 13000 and 14000. Therefore, to allow access to Administration Server on the device after installation, these ports must be opened manually.
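
As an added example (not from the Kaspersky documentation), the PowerShell function below connects to the SSL port and reports the key length of the certificate that Administration Server presents, so that a server still using a 1024-bit key can be found after installation or upgrade. The function name and the host name in the sample call are hypothetical, and the example assumes that the port completes a standard TLS 1.2 handshake.

```powershell
# Added example: read the certificate offered on the Administration Server SSL port
# and compare its RSA key length with the 2048-bit default described on this page.
function Test-KscServerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$ComputerName,  # Administration Server address
        [int]$SslPort = 13000,                          # default SSL port from this page
        [int]$MinimumKeyBits = 2048,
        [int]$TimeoutMs = 5000
    )

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Bounded connect so a filtered port does not hang the check.
        if (-not $client.ConnectAsync($ComputerName, $SslPort).Wait($TimeoutMs)) {
            throw "TCP port $SslPort on $ComputerName did not answer within $TimeoutMs ms"
        }

        # The certificate is inspected here, not trusted, so validation always succeeds.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        try {
            # Assumption: the server accepts TLS 1.2 without a client certificate.
            $ssl.AuthenticateAsClient($ComputerName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)

            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                $ssl.RemoteCertificate)
            # GetRSAPublicKey returns $null for non-RSA certificates.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $bits = if ($rsa) { $rsa.KeySize } else { $null }

            [pscustomobject]@{
                Server             = $ComputerName
                Port               = $SslPort
                Subject            = $cert.Subject
                KeyBits            = $bits
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                NotAfter           = $cert.NotAfter
                MeetsMinimum       = ($null -ne $bits -and $bits -ge $MinimumKeyBits)
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Dispose() }
}

# Example call (placeholder host name):
# Test-KscServerCertificate -ComputerName 'ksc.example.internal'
```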

See also:

Ports used by Kaspersky Security Center

Interaction of Kaspersky Security Center components and security applications: more information


Step 13. Defining the Administration Server address

Specify the Administration Server address. You can select one of the following options:

  • DNS domain name. You can use this method if the network includes a DNS server and client devices can use it to receive the Administration Server address.
  • NetBIOS name. You can use this method if client devices receive the Administration Server address using the NetBIOS protocol or if a WINS server is available on the network.
  • IP address. You can use this method if Administration Server has a static IP address that will not be subsequently changed.


Step 14. Administration Server address for connection of mobile devices

This Setup Wizard step is available if you have selected Mobile Device Management for installation.

In the Address for connection of mobile devices window, specify the external address of the Administration Server for connection of mobile devices that are outside of the local network. You can specify the IP address or Domain Name System (DNS) name of the Administration Server.


Step 15. Selecting application management plug-ins

Select the application management plug-ins that need to be installed with Kaspersky Security Center.

For ease of search, plug-ins are divided into groups depending on the type of secured objects.


Step 16. Unpacking and installing files on the hard drive

After the installation of Kaspersky Security Center components is configured, you can start installing files on the hard drive.

If installation requires additional programs, the Setup Wizard will notify you, on the Installing Prerequisites page, before installation of Kaspersky Security Center begins. The required programs are installed automatically after you click the Next button.

On the last page, you can select which console to start for work with Kaspersky Security Center:

  • Start MMC-based Administration Console
  • Start Kaspersky Security Center Web Console

    This option is available only if you opted to install Kaspersky Security Center 13.1 Web Console in one of the previous steps.

You can also click Finish to close the Wizard without starting work with Kaspersky Security Center. You can start the work later at any time.

At the first startup of Administration Console or Kaspersky Security Center 13.1 Web Console, you can perform the initial setup of the application.


Installing Administration Server on a Microsoft failover cluster

The procedure of installing Administration Server on a failover cluster differs from both standard and custom installation on a stand-alone device.

Perform the procedure described in this section on the node that contains a common data storage of the cluster.

To install Kaspersky Security Center Administration Server on a cluster:

Run the ksc_<version number>.<build number>_full_<localization language>.exe executable file.

A window opens prompting you to select Kaspersky applications to install. In the application selection window, click the Install Kaspersky Security Center 13.1 Administration Server link to start the Administration Server Setup Wizard. Follow the instructions of the Wizard.

In this section

Step 1. Reviewing the License Agreement and Privacy Policy

Step 2. Selecting the type of installation on a cluster

Step 3. Specifying the name of the virtual Administration Server

Step 4. Specifying the network details of the virtual Administration Server

Step 5. Specifying a cluster group

Step 6. Selecting a cluster data storage

Step 7. Specifying an account for remote installation

Step 8. Selecting the components to be installed

Step 9. Selecting network size

Step 10. Selecting a database

Step 11. Configuring the SQL Server

Step 12. Selecting an authentication mode

Step 13. Selecting the account to start Administration Server

Step 14. Selecting the account for running the Kaspersky Security Center services

Step 15. Selecting a shared folder

Step 16. Configuring the connection to Administration Server

Step 17. Defining the Administration Server address

Step 18. Administration Server address for connection of mobile devices

Step 19. Unpacking and installing files on the hard drive


Step 1. Reviewing the License Agreement and Privacy Policy

At this step of the Setup Wizard, you must read the License Agreement, which is to be concluded between you and Kaspersky, as well as the Privacy Policy.

You may also be prompted to view the License Agreements and Privacy Policies for application management plug-ins that are available in the Kaspersky Security Center distribution kit.

Please carefully read the License Agreement and Privacy Policy. If you agree with all the terms of the License Agreement and the Privacy Policy, select the following check boxes in the I confirm I have fully read, understood, and accept the following section:

  • The terms and conditions of this EULA
  • Privacy Policy describing the handling of data

Installation of the application on your device will continue after you select both check boxes.

If you do not accept the License Agreement or the Privacy Policy, cancel installation by clicking the Cancel button.


Step 2. Selecting the type of installation on a cluster

Select the type of installation on the cluster:

  • Cluster (install on all cluster nodes)

    This is the recommended option. If you select this option, Administration Server will be installed on all nodes of the cluster simultaneously.

    At the step of selecting the Administration Console for installation, you will need to select the console that will be installed on the current cluster node. If you install a console only on the cluster node, in case of node failure, you will lose access to Administration Server. We recommend that during this step, you select the MMC-based console for installation on all cluster nodes. After you install Administration Server, install Kaspersky Security Center 13.1 Web Console on a separate device that is not a cluster node. This allows you to manage Administration Server by using Kaspersky Security Center 13.1 Web Console if the cluster node fails.

  • Locally (install on this device only)

    If you select this option, Administration Server will be installed only on the current node, as if on a stand-alone server, and Administration Server will not work as a cluster-aware application. For example, you may want to choose this option to save shared storage space if fault tolerance is not needed for Administration Server. In case of the current node failure, you will have to install Administration Server on another node and restore the Administration Server state from a backup.

Further steps are the same as when you use the standard or custom installation method, starting from the installation method selection step.


Step 3. Specifying the name of the virtual Administration Server

Specify the network name of the new virtual Administration Server. You will be able to use this name to connect Administration Console or Kaspersky Security Center 13.1 Web Console to Administration Server.

The name that you specify must differ from the cluster name.


Step 4. Specifying the network details of the virtual Administration Server

To specify the network details of the new virtual Administration Server instance:

  1. In Network to use, select the domain network to which the current cluster node is connected.
  2. Do either of the following:
    • If DHCP is used in the selected network to assign IP addresses, select the Use DHCP option.
    • If DHCP is not used in the selected network, specify the required IP address.

      The IP address that you specify must differ from the cluster IP address.

  3. Click Add to apply the specified settings.

You will be able to use the automatically assigned or the specified IP address to connect Administration Console or Kaspersky Security Center Web Console to Administration Server.


Step 5. Specifying a cluster group

A cluster group is a special failover cluster role that contains common resources for all nodes. You have two options:

  • Creating a new cluster group.

    This option is recommended in most cases. The new cluster group will contain all common resources that relate to the Administration Server instance.

  • Selecting an existing cluster group.

    Select this option if you want to use a common resource that is already associated with an existing cluster group. For example, you may want to use this option if you want to use a storage associated with an existing cluster group and if no other storage is available for a new cluster group.


Step 6. Selecting a cluster data storage

To select a cluster data storage:

  1. In Available repositories, select the data storage to which the common resources of the virtual Administration Server instance will be installed.
  2. If the selected data storage contains several volumes, under Available sections on disk drive, select the required volume.
  3. In Installation path, enter the path on the common data storage to which the resources of the virtual Administration Server instance will be installed.

The data storage is selected.


Step 7. Specifying an account for remote installation

Specify the user name and password that will be used for remote installation of the virtual Administration Server instance on a passive node of the cluster.

The account that you specify must be granted administrative privileges on all nodes of the cluster.


Step 8. Selecting the components to be installed

Select the components of Kaspersky Security Center Administration Server that you want to install:

  • Mobile Device Management. Select this check box if you must create installation packages for mobile devices when the Kaspersky Security Center Setup Wizard is running. You can also create installation packages for mobile devices manually, after Administration Server installation, by using Administration Console tools.
  • SNMP agent. This component receives statistical information for the Administration Server over the SNMP protocol. The component is available if the application is installed on a device with SNMP installed.

    After Kaspersky Security Center is installed, the .mib files required for receiving statistics are located in the SNMP subfolder of the application installation folder.

Network Agent and Administration Console are not displayed in the component list. These components are installed automatically and you cannot cancel their installation.

At this step you must specify a folder for installation of Administration Server components. By default, the components are installed to <Disk>:\Program Files\Kaspersky Lab\Kaspersky Security Center. If no such folder exists, this folder is created automatically during installation. You can change the destination folder by using the Browse button.


Step 9. Selecting network size

Specify the size of the network on which Kaspersky Security Center is to be installed. Depending on the number of devices on the network, the Wizard configures the installation and appearance of the application interface so that they match.

The following table lists the application installation settings and interface appearance settings, which are adjusted based on various network sizes.

Dependence of installation settings on the network scale selected

| Settings | 1–100 devices | 100–1000 devices | 1000–5000 devices | More than 5000 devices |
|---|---|---|---|---|
| Display with the node for secondary and virtual Administration Servers, and all settings related to the secondary and virtual Administration Servers in the console tree | not available | not available | available | available |
| Display with the Security sections in the properties windows of the Administration Server and administration groups | not available | not available | available | available |
| Random distribution of startup time for the update task on client devices | not available | Over an interval of 5 minutes | Over an interval of 10 minutes | Over an interval of 10 minutes |

If you connect Administration Server to a MySQL or SQL Express database server, it is not recommended to use the application to manage more than 10,000 devices. For the MariaDB database management system, the maximum recommended number of managed devices is 20,000.


Step 10. Selecting a database

At this step of the Wizard, you must select the mechanism—Microsoft SQL Server (SQL Express) or MySQL—that will be used to store the Administration Server database. The MySQL option is relevant to both MySQL and MariaDB.

It is recommended to install the Administration Server on a dedicated server instead of a domain controller. However, if you install Kaspersky Security Center on a server that acts as a read-only domain controller (RODC), Microsoft SQL Server (SQL Express) must not be installed locally (on the same device). In this case, we recommend that you install Microsoft SQL Server (SQL Express) remotely (on a different device), or that you use MySQL or MariaDB, if you need to install the DBMS locally.

The Administration Server database structure is provided in the klakdb.chm file, which is located in the Kaspersky Security Center installation folder (this file is also available in an archive on the Kaspersky portal: klakdb.zip).


Step 11. Configuring the SQL Server

At this step of the Wizard, you configure SQL Server.

Depending on the database that you have selected, specify the following settings:

  • If you selected Microsoft SQL Server (SQL Server Express) in the previous step:
    • In the SQL Server instance name field, specify the name of the SQL Server on the network. To view a list of all SQL Servers that are on the network, click the Browse button. This field is blank by default.

      If you connect to the SQL Server through a custom port, then together with the SQL Server host name specify the port number separated with a comma, for example:

      SQL_Server_host_name,1433

      If you secure communication between the Administration Server and SQL Server by means of a certificate, specify in the SQL Server instance name field the same host name that was used when the certificate was generated. If you use a named instance of SQL Server, then together with the SQL Server host name specify the port number separated with a comma, for example:

      SQL_Server_name,1433

      If you use several instances of SQL Server on the same host, then additionally specify the instance name separated with a backslash, for example:

      SQL_Server_name\SQL_Server_instance_name,1433

      If a SQL Server on the enterprise network has the Always On feature enabled, specify the name of the availability group listener in the SQL Server instance name field. Note that Administration Server supports only the synchronous-commit availability mode when the Always On feature is enabled.

    • In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.

    If at this stage you want to install SQL Server on the device from which you are installing Kaspersky Security Center, you must stop installation and restart it after SQL Server is installed. The supported SQL Server versions are listed in the system requirements.

    If you want to install SQL Server on a remote device, you do not have to interrupt the Kaspersky Security Center Setup Wizard. Install SQL Server and resume installation of Kaspersky Security Center.

  • If you selected MySQL in the previous step:
    • In the SQL Server instance name field, specify the name of the SQL Server instance. By default, the name is the IP address of the device on which Kaspersky Security Center is to be installed.
    • In the Port field, specify the port for Administration Server connection to the SQL Server database. The default port number is 3306.

    • In the Database name field, specify the name of the database that has been created to store Administration Server data. The default value is KAV.


Step 12. Selecting an authentication mode

Determine the authentication mode that will be used when Administration Server connects to the SQL Server.

Depending on the database that is selected, you can choose from the following authentication modes:

  • For SQL Express or Microsoft SQL Server, select one of the following options:
    • Microsoft Windows Authentication mode. Verification of rights uses the account used for starting Administration Server.
    • SQL Server Authentication mode. If you select this option, the account specified in the window is used to verify access rights. Fill in the Account and Password fields.

      To see the entered password, click and hold the Show button.

    For both authentication modes, the application checks if the database is available. If the database is not available, an error message is displayed, and you have to provide correct credentials.

    If the Administration Server database is stored on another device and the Administration Server account does not have access to the database server, you must use SQL Server authentication mode when installing or upgrading Administration Server. This may occur when the device that stores the database is outside the domain or when Administration Server is installed under a LocalSystem account.

  • For the MySQL server or MariaDB server, specify the account and password.


Step 13. Selecting the account to start Administration Server

Select the account that will be used to start Administration Server as a service.

  • Generate the account automatically. The application creates an account named KL-AK-*, under which the kladminserver service will run.

    You can select this option if you plan to locate the shared folder and the DBMS on the same device as Administration Server.

  • Select an account. The Administration Server service (kladminserver) will run under the account that you selected.

    You will have to select a domain account if, for example, you plan to use as the DBMS a SQL Server instance of any version, including SQL Express, that is located on another device, and/or you plan to locate the shared folder on another device.

    Starting from version 10 Service Pack 3, Kaspersky Security Center supports managed service accounts (MSA) and group managed service accounts (gMSA). If these types of accounts are used in your domain, you can select one of them as the account for the Administration Server service.

    Before specifying MSA or gMSA, you must install the account on the same device on which you want to install Administration Server. If the account is not installed yet, then cancel the Administration Server installation, install the account, and then restart the Administration Server installation. For details about installation of managed service accounts on a local device, refer to the official Microsoft documentation.

    To specify MSA or gMSA:

    1. Click the Browse button.
    2. In the window that opens, click the Object type button.
    3. Select the Account for services type and click OK.
    4. Select the relevant account and click OK.

The account that you selected must have different permissions, depending on the DBMS that you plan to use.

For security reasons, do not assign privileged status to the account under which you run Administration Server.

If later you decide to change the Administration Server account, you can use the utility for Administration Server account switching (klsrvswch).


Step 14. Selecting the account for running the Kaspersky Security Center services

Select the account under which the services of Kaspersky Security Center will run on this device:

  • Generate the account automatically. Kaspersky Security Center creates a local account named KlScSvc on this device in the kladmins group. The services of Kaspersky Security Center will be run under the account that has been created.
  • Select an account. The Kaspersky Security Center services will be run under the account that you selected.

    You will have to select a domain account if, for example, you intend to save reports to a folder located on a different device or if this is required by your organization's security policy. You may also have to select a domain account if you install Administration Server on a failover cluster.

For security reasons, do not grant privileged status to the account under which the services are run.

The KSN proxy service (ksnproxy), Kaspersky activation proxy service (klactprx), and Kaspersky authentication portal service (klwebsrv) will be run under the selected account.


Step 15. Selecting a shared folder

Define the location and name of the shared folder that will be used to do the following:

  • Store the files necessary for remote installation of applications (these files are copied to Administration Server during creation of installation packages).
  • Store updates that have been downloaded from an update source to Administration Server.

File sharing (read-only) will be enabled for all users.

You can select either of the following options:

  • Create a shared folder. Create a new folder. In the text box, specify the path to the folder.
  • Select an existing shared folder. Select a shared folder that already exists.

The shared folder can be a local folder on the device that is used for installation or a remote directory on any client device on the corporate network. You can click the Browse button to select the shared folder, or specify the shared folder manually by entering its UNC path (for example, \\server\Share) in the corresponding field.

By default, the installer creates a local Share subfolder in the application folder that contains the components of Kaspersky Security Center.

You can define a shared folder later if needed.


Step 16. Configuring the connection to Administration Server

Configure the connection to Administration Server:

  • Port

    The number of the port used to connect to the Administration Server.

    The default port number is 14000.

  • SSL port

    Secure Sockets Layer (SSL) port number used to securely connect to the Administration Server via SSL.

    The default port number is 13000.

  • Encryption key length

    Select the length of the encryption key: 1024 bit or 2048 bit.

    A 1024-bit encryption key places a smaller load on the CPU, but it is considered obsolete because it cannot provide reliable encryption due to its technical specifications. Also, existing hardware is likely to be incompatible with SSL certificates that use 1024-bit keys.

    A 2048-bit encryption key meets all state-of-the-art encryption standards. However, use of a 2048-bit encryption key may add to the load on a CPU.

    By default, 2048 bit (best security) is selected.

If Administration Server is installed on a device running Microsoft Windows XP Service Pack 2, the built-in system Firewall blocks TCP ports 13000 and 14000. Therefore, to allow access to Administration Server on the device after installation, these ports must be opened manually.


Step 17. Defining the Administration Server address

Specify the Administration Server address. You can select one of the following options:

  • DNS domain name. You can use this method if the network includes a DNS server and client devices can use it to receive the Administration Server address.
  • NetBIOS name. You can use this method if client devices receive the Administration Server address using the NetBIOS protocol or if a WINS server is available on the network.
  • IP address. You can use this method if Administration Server has a static IP address that will not be subsequently changed.


Step 18. Administration Server address for connection of mobile devices

This Setup Wizard step is available if you have selected Mobile Device Management for installation.

In the Address for connection of mobile devices window, specify the external address of the Administration Server for connection of mobile devices that are outside of the local network. You can specify the IP address or Domain Name System (DNS) name of the Administration Server.


Step 19. Unpacking and installing files on the hard drive

After the installation of Kaspersky Security Center components is configured, you can start installing files on the hard drive.

If installation requires additional programs, the Setup Wizard will notify you, on the Installing Prerequisites page, before installation of Kaspersky Security Center begins. The required programs are installed automatically after you click the Next button.

On the last page, you can select which console to start for work with Kaspersky Security Center:

  • Start MMC-based Administration Console
  • Start Kaspersky Security Center Web Console

    This option is available only if you opted to install Kaspersky Security Center 13.1 Web Console in one of the previous steps.

You can also click Finish to close the Wizard without starting work with Kaspersky Security Center. You can start the work later at any time.

At the first startup of Administration Console or Kaspersky Security Center 13.1 Web Console, you can perform the initial setup of the application.


Installing Administration Server in non-interactive mode

Administration Server can be installed in non-interactive mode, that is, without the interactive input of installation settings.

To install Administration Server on a local device in non-interactive mode:

  1. Read the End User License Agreement. Use the command below only if you understand and accept the terms of the End User License Agreement.
  2. Read the Privacy Policy. Use the command below only if you understand and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.
  3. Run the command

    setup.exe /s /v"DONT_USE_ANSWER_FILE=1 EULA=1 PRIVACYPOLICY=1 <setup_parameters>"

where setup_parameters is a list of parameters and their respective values, separated with spaces (PARAM1=PARAM1VAL PARAM2=PARAM2VAL). The setup.exe file is located in the Server folder, which is part of the Kaspersky Security Center distribution kit.

The names and possible values for parameters that can be used when installing Administration Server in non-interactive mode are listed in the table below.

Parameters of Administration Server installation in non-interactive mode

| Parameter name | Parameter description | Available values |
|---|---|---|
| EULA | Acceptance of the terms of the License Agreement. | • 1: I have fully read, understand and accept the terms of the End User License Agreement. • Other value or no value: I do not accept the terms of the License Agreement (installation is not performed). |
| PRIVACYPOLICY | Acceptance of the terms of the Privacy Policy. | • 1: I am aware and agree that my data will be handled and transmitted (including to third countries) as described in the Privacy Policy. I confirm that I have fully read and understand the Privacy Policy. • Other value or no value: I do not accept the terms of the Privacy Policy (installation is not performed). |
| INSTALLATIONMODETYPE | Type of Administration Server installation. | • Standard: Standard installation. • Custom: Custom installation. |
| INSTALLDIR | Path to the Administration Server installation folder. | String value. |
| ADDLOCAL | List of Administration Server components (separated with commas) to be installed. | CSAdminKitServer, NAgent, CSAdminKitConsole, NSAC, MobileSupport, KSNProxy, SNMPAgent, GdiPlusRedist, Microsoft_VC90_CRT_x86, Microsoft_VC100_CRT_x86. Minimum list of components sufficient for proper Administration Server installation: ADDLOCAL=CSAdminKitServer, CSAdminKitConsole, KSNProxy, Microsoft_VC90_CRT_x86, Microsoft_VC100_CRT_x86. |
| NETRANGETYPE | Network size (number of devices on the network). | • NRT_1_100: From 1 to 100 devices. • NRT_100_1000: From 101 to 1000 devices. • NRT_GREATER_1000: More than 1000 devices. |
| SRV_ACCOUNT_TYPE | Mode for specifying the account under which Administration Server will be run as a service. | • SrvAccountDefault: The account is created automatically. • SrvAccountUser: The account is specified manually. In this case, you must specify values for the SERVERACCOUNTNAME and SERVERACCOUNTPWD parameters. |
| SERVERACCOUNTNAME | Name of the account under which Administration Server will be run as a service. You must specify a value for the parameter if SRV_ACCOUNT_TYPE=SrvAccountUser. | String value. |
| SERVERACCOUNTPWD | Password of the account that will be used to start Administration Server as a service. You must specify a value for the parameter if SRV_ACCOUNT_TYPE=SrvAccountUser. | String value. |
| SERVERCER | Size of the key for the Administration Server certificate (bits). | • 1: The size of the key for the Administration Server certificate is 2048 bits. • No value: The size of the key for the Administration Server certificate is 1024 bits. |
| DBTYPE | Type of database that will be used to store the Administration Server database. This parameter is mandatory. | • MySQL: A MySQL or MariaDB database will be used. In this case, you must specify values for the MYSQLSERVERNAME, MYSQLSERVERPORT, MYSQLDBNAME, MYSQLACCOUNTNAME, and MYSQLACCOUNTPWD parameters. • MSSQL: A Microsoft SQL Server (SQL Express) database will be used. In this case, you must specify values for the MSSQLSERVERNAME, MSSQLDBNAME, and MSSQLAUTHTYPE parameters. |
| MYSQLSERVERNAME | Full name of the SQL Server. You must specify a value for the parameter if DBTYPE=MySQL. | String value. |
| MYSQLSERVERPORT | Number of the port for connecting to the SQL Server. You must specify a value for the parameter if DBTYPE=MySQL. | Numerical value. |
| MYSQLDBNAME | Name of the database that will be created to store Administration Server data. You must specify a value for the parameter if DBTYPE=MySQL. | String value. |
| MYSQLACCOUNTNAME | Name of the account for connection to the database. You must specify a value for the parameter if DBTYPE=MySQL. | String value. |
| MYSQLACCOUNTPWD | Password of the account for connecting to the database. You must specify a value for the parameter if DBTYPE=MySQL. | String value. |
| MSSQLSERVERNAME | Full name of the SQL Server. You must specify a value for the parameter if DBTYPE=MSSQL. | String value. |
| MSSQLDBNAME | Name of the database. You must specify a value for the parameter if DBTYPE=MSSQL. | String value. |
| MSSQLAUTHTYPE | Type of authorization when connecting to the SQL Server. You must specify a value for the parameter if DBTYPE=MSSQL. | • Windows: Microsoft Windows Authentication mode. • SQLServer: SQL Server Authentication mode. In this case, you must specify values for the MSSQLACCOUNTNAME and MSSQLACCOUNTPWD parameters. |
| MSSQLACCOUNTNAME | Name of the account for connection to the SQL Server. You must specify a value for the parameter if MSSQLAUTHTYPE=SQLServer. | String value. |
| MSSQLACCOUNTPWD | Password of the account for connection to the SQL Server. You must specify a value for the parameter if MSSQLAUTHTYPE=SQLServer. | String value. |
| CREATE_SHARE_TYPE | Method of specifying the shared folder. | • Create: Create a new shared folder. In this case, you must specify values for the SHARELOCALPATH and SHAREFOLDERNAME parameters. • ChooseExisting: Select an existing folder. In this case, you must specify a value for the EXISTSHAREFOLDERNAME parameter. |
| SHARELOCALPATH | Full path to a local folder. You must specify a value for the parameter if CREATE_SHARE_TYPE=Create. | String value. |
| SHAREFOLDERNAME | Network name of a shared folder. You must specify a value for the parameter if CREATE_SHARE_TYPE=Create. | String value. |
| EXISTSHAREFOLDERNAME | Full path to an existing shared folder. You must specify a value for the parameter if CREATE_SHARE_TYPE=ChooseExisting. | String value. |
| SERVERPORT | Port number to connect to Administration Server. | Numerical value. |
| SERVERSSLPORT | Number of the port for encrypted connection to Administration Server using the SSL protocol. | Numerical value. |
| SERVERADDRESS | Administration Server address. | String value. |
| MOBILESERVERADDRESS | Administration Server address for connection of mobile devices. | String value. |

For a detailed description of the Administration Server setup parameters, please refer to the Custom installation section.
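
The conditional requirements in the table above can be checked before setup.exe is run. The following PowerShell function is an added example, not part of the Kaspersky documentation; the function name and the sample values are hypothetical, and the rules it encodes are only those stated in the table.

```powershell
# Added example: pre-flight check of <setup_parameters> against the table's rules.
# Test-KscSetupParameters is a hypothetical name, not a Kaspersky tool.
function Test-KscSetupParameters {
    param([Parameter(Mandatory)][hashtable]$Parameters)

    # "If <Key>=<Value>, you must specify <Needs>" rules stated in the table.
    $rules = @(
        @{ Key = 'SRV_ACCOUNT_TYPE';  Value = 'SrvAccountUser'; Needs = 'SERVERACCOUNTNAME', 'SERVERACCOUNTPWD' }
        @{ Key = 'DBTYPE';            Value = 'MySQL';          Needs = 'MYSQLSERVERNAME', 'MYSQLSERVERPORT', 'MYSQLDBNAME', 'MYSQLACCOUNTNAME', 'MYSQLACCOUNTPWD' }
        @{ Key = 'DBTYPE';            Value = 'MSSQL';          Needs = 'MSSQLSERVERNAME', 'MSSQLDBNAME', 'MSSQLAUTHTYPE' }
        @{ Key = 'MSSQLAUTHTYPE';     Value = 'SQLServer';      Needs = 'MSSQLACCOUNTNAME', 'MSSQLACCOUNTPWD' }
        @{ Key = 'CREATE_SHARE_TYPE'; Value = 'Create';         Needs = 'SHARELOCALPATH', 'SHAREFOLDERNAME' }
        @{ Key = 'CREATE_SHARE_TYPE'; Value = 'ChooseExisting'; Needs = 'EXISTSHAREFOLDERNAME' }
    )

    if ($Parameters['DBTYPE'] -notin 'MySQL', 'MSSQL') {
        'DBTYPE is mandatory and must be MySQL or MSSQL'
    }
    foreach ($rule in $rules) {
        if ($Parameters[$rule.Key] -ne $rule.Value) { continue }
        foreach ($name in $rule.Needs) {
            if ([string]::IsNullOrWhiteSpace([string]$Parameters[$name])) {
                "$($rule.Key)=$($rule.Value) requires $name"
            }
        }
    }
    # Per the table, SERVERCER=1 gives a 2048-bit key; no value gives 1024 bits.
    if ($Parameters['SERVERCER'] -ne '1') {
        'SERVERCER is not set to 1: the certificate key will be 1024 bits'
    }
    # Password parameters travel in the setup.exe command line, where
    # deployment scripts and process-creation logging can record them.
    foreach ($name in @($Parameters.Keys | Where-Object { $_ -like '*PWD' })) {
        "$name is passed in clear text on the command line"
    }
}

# Constructed sample parameter set (all values are placeholders).
$sample = @{
    INSTALLATIONMODETYPE = 'Custom'
    DBTYPE               = 'MSSQL'
    MSSQLSERVERNAME      = 'sql01.example.test'
    MSSQLDBNAME          = 'KAV'
    MSSQLAUTHTYPE        = 'SQLServer'
    MSSQLACCOUNTNAME     = 'ksc_db'
    SRV_ACCOUNT_TYPE     = 'SrvAccountUser'
    SERVERACCOUNTNAME    = 'EXAMPLE\svc-ksc'
    SERVERACCOUNTPWD     = '<placeholder>'
}
Test-KscSetupParameters -Parameters $sample
```

An empty result means the parameter set satisfies the table's dependencies and raises neither the key-size nor the password finding.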

See also:

Main installation scenario


Installing Administration Console on the administrator's workstation

You can install Administration Console on the administrator's workstation separately and manage Administration Server over the network using that Console.

To install Administration Console on the administrator's workstation:

  1. Run the setup.exe executable file.

    A window opens prompting you to select Kaspersky applications to install.

  2. In the application selection window, click the Install only Kaspersky Security Center 13.1 Administration Console link to run the Administration Console Setup Wizard. Follow the instructions of the Wizard.
  3. Select a destination folder. By default, this will be <Disk>:\Program Files\Kaspersky Lab\Kaspersky Security Center Console. If such a folder does not exist, it is created automatically during the installation. You can change the destination folder by using the Browse button.
  4. On the last page of the Setup Wizard, click the Start button to start installation of Administration Console.

When the Wizard completes, Administration Console will be installed on the administrator's workstation.

To install Administration Console on the administrator's workstation in non-interactive mode:

  1. Read the End User License Agreement. Use the command below only if you understand and accept the terms of the End User License Agreement.
  2. In the Distrib\Console folder of the Kaspersky Security Center distribution kit, run the setup.exe file by using the following command:

    setup.exe /s /v"EULA=1"

    If you want to install all management plug-ins from the Distrib\Console\Plugins folder together with the Administration Console, run the following command:

    setup.exe /s /v"EULA=1" /pALL

    If you want to specify which management plug-ins to install from the Distrib\Console\Plugins folder together with the Administration Console, specify the plug-ins after the "/p" key and separate them with a semicolon:

    setup.exe /s /v"EULA=1" /pP1;P2;P3

    where P1, P2, P3 are plug-in names that correspond to the plug-in folder names in the Distrib\Console\Plugins folder. For example:

    setup.exe /s /v"EULA=1" /pKES4Mac;KESS;MDM4IOS

Administration Console and the management plug-ins (if any) will be installed on the administrator's workstation.

After installing Administration Console, you must connect to the Administration Server. To do this, run Administration Console and, in the window that opens, specify the name or the IP address of the device on which Administration Server is installed, as well as the settings of the account used to connect to it. After connection to Administration Server is established, you can manage the anti-virus protection system using this Administration Console.

You can remove Administration Console with standard Microsoft Windows add/remove tools.

See also:

Main installation scenario


Changes in the system after Kaspersky Security Center installation

Administration Console icon

After Administration Console is installed on your device, its icon appears, allowing you to start Administration Console. You can find Administration Console in the Start → Programs → Kaspersky Security Center menu.

Administration Server and Network Agent services

Administration Server and Network Agent are installed on the device as services with the properties listed below. The table also contains the attributes of other services that apply on the device after Administration Server installation.

Properties of Kaspersky Security Center services

| Component | Service name | Displayed service name | Account |
|---|---|---|---|
| Administration Server | kladminserver | Kaspersky Security Center Administration Server | User-defined or dedicated non-privileged account in KL-AK-* format created during installation |
| Network Agent | klnagent | Kaspersky Security Center Network Agent | Local system |
| Web Server for accessing Kaspersky Security Center 13.1 Web Console and administering the organization's intranet | klwebsrv | Kaspersky web server | Dedicated unprivileged KlScSvc account |
| Activation proxy server | klactprx | Kaspersky activation proxy server | Dedicated unprivileged KlScSvc account |
| KSN proxy server | ksnproxy | Kaspersky Security Network proxy server | Dedicated unprivileged KlScSvc account |

Kaspersky Security Center 13.1 Web Console services

If you install Kaspersky Security Center 13.1 Web Console on the device, then the following services are deployed (see the table below):

Kaspersky Security Center 13.1 Web Console services

| Displayed service name | Account |
|---|---|
| Kaspersky Security Center Service Console | Dedicated unprivileged KlScSvc account |
| Kaspersky Security Center Web Console | Network service |
| Kaspersky Security Center plug-in service | Dedicated unprivileged KlScSvc account |
| Kaspersky Security Center Web Console Management Service | Local system |
| Kaspersky Security Center Web Console Message Queue | Dedicated unprivileged KlScSvc account |

Network Agent server version

The server version of Network Agent will be installed on the device together with Administration Server. The server version of Network Agent is part of Administration Server, is installed and removed together with Administration Server, and can only interact with a locally installed Administration Server. You do not have to configure the connection of Network Agent to Administration Server: configuration is implemented programmatically because the components are installed on the same device. The server version of Network Agent is installed with the same properties as the standard Network Agent and performs the same application management functions. This version will be managed by the policy of the administration group to which the client device of Administration Server belongs. For the server version of Network Agent all tasks are created from the scope of those provided for Administration Server, except for the Server change task.

Network Agent cannot be installed separately on a device that already has Administration Server installed.

You can view the properties of each service of Administration Server and Network Agent, as well as monitor their operation using standard Microsoft Windows management tools: Computer management\Services. Information about the activity of the Kaspersky Administration Server service is stored in the Microsoft Windows system log in a separate Kaspersky Event Log branch on the device where the Administration Server is installed.

We recommend that you avoid starting and stopping services manually and leave service accounts in the service settings unchanged. If necessary, you can modify the Administration Server service account using the klsrvswch utility.
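
Because the service accounts are meant to stay as installed, comparing them against the "Properties of Kaspersky Security Center services" table is a useful periodic check. The following PowerShell function is an added example, not part of the Kaspersky documentation; the function name is hypothetical, and the StartName patterns are an assumption about how Windows reports these accounts.

```powershell
# Default account per service, taken from the services table on this page.
# Patterns assume Windows reports local accounts as ".\name" or "HOST\name"
# and the Local System account as "LocalSystem".
$KscDefaultAccount = @{
    kladminserver = '*\KL-AK-*'
    klnagent      = 'LocalSystem'
    klwebsrv      = '*\KlScSvc'
    klactprx      = '*\KlScSvc'
    ksnproxy      = '*\KlScSvc'
}

# Test-KscServiceAccount is a hypothetical name. It accepts any objects that
# have Name and StartName properties, such as Win32_Service instances.
function Test-KscServiceAccount {
    param([Parameter(Mandatory, ValueFromPipeline)]$Service)
    process {
        if (-not $Service.Name) { return }
        $pattern = $KscDefaultAccount[$Service.Name]
        if (-not $pattern) { return }    # not one of the services in the table
        # A differing account is legitimate only if it was selected during
        # installation or changed with klsrvswch; anything else needs review.
        $status = if ($Service.StartName -like $pattern) { 'Default' } else { 'Differs' }
        [pscustomobject]@{
            Service = $Service.Name
            Account = $Service.StartName
            Status  = $status
        }
    }
}

# Constructed sample input. On a real Administration Server, use instead:
#   Get-CimInstance Win32_Service | Test-KscServiceAccount
$sample = @(
    [pscustomobject]@{ Name = 'kladminserver'; StartName = '.\KL-AK-0123456789ABCDEF' }
    [pscustomobject]@{ Name = 'klnagent';      StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'klwebsrv';      StartName = 'LocalSystem' }  # not the default KlScSvc
    [pscustomobject]@{ Name = 'Spooler';       StartName = 'LocalSystem' }  # ignored
)
$sample | Test-KscServiceAccount
```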

User accounts and user groups

The Administration Server Installer creates the following accounts by default:

  • KL-AK-*: Administration Server service account
  • KlScSvc: Account for other services from the Administration Server pool
  • KlPxeUser: Account for deployment of operating systems

If you selected other accounts for the Administration Server service and other services while running the Installer, the specified accounts are used.

Local security groups named KLAdmins and KLOperators with their respective sets of rights are also created automatically on the device that has Administration Server installed.

It is not recommended to install the Administration Server on a domain controller; however, if you install Administration Server on a domain controller, you must start the installer with domain administrator rights. In this case, the installer automatically creates domain security groups named KLAdmins and KLOperators. If you install Administration Server on a computer that is not a domain controller, you must start the installer with local administrator rights instead. In this case, the installer automatically creates local security groups named KLAdmins and KLOperators.

When configuring email notifications, you may have to create an account on the mail server for ESMTP authentication.

See also:

Accounts for work with the DBMS


Removing the application

You can remove Kaspersky Security Center with standard Microsoft Windows add/remove tools. Removing the application requires starting a wizard that removes all application components from the device (including plug-ins). The wizard makes your default browser open a web page with a poll where you can tell us why you chose to stop using Kaspersky Security Center. If you have not selected removal of the shared folder (Share) during the wizard operation, you can delete it manually after completion of all related tasks.

After the application is removed, some of its files may remain in the system's temporary folder.

The Application Removal Wizard will suggest that you store a backup copy of Administration Server.

When the application is removed from Microsoft Windows 7 and Microsoft Windows 2008, premature termination of the Removal Wizard might occur. This can be avoided by disabling the User Account Control (UAC) in the operating system and restarting application removal.
