Contents
- Basic concepts
- Administration Server
- Hierarchy of Administration Servers
- Virtual Administration Server
- Mobile Device Server
- Web Server
- Network Agent
- Administration groups
- Managed device
- Unassigned device
- Administrator's workstation
- Management plug-in
- Management web plug-in
- Policies
- Policy profiles
- Tasks
- Task scope
- How local application settings relate to policies
- Distribution point
- Connection gateway
Administration Server
Kaspersky Security Center components enable remote management of Kaspersky applications installed on client devices.
Devices with the Administration Server component installed will be referred to as Administration Servers (also referred to as Servers). Administration Servers must be protected, including physical protection, against any unauthorized access.
Administration Server is installed on a device as a service with the following set of attributes:
- With the name "Kaspersky Security Center Administration Server"
- Set to start automatically when the operating system starts
- With the LocalSystem account or the user account selected during the installation of Administration Server
Administration Server performs the following functions:
- Storage of the administration groups' structure
- Storage of information about the configuration of client devices
- Organization of repositories for application distribution packages
- Remote installation of applications to client devices and removal of applications
- Updating application databases and software modules of Kaspersky applications
- Management of policies and tasks on client devices
- Storage of information about events that have occurred on client devices
- Generation of reports on the operation of Kaspersky applications
- Deployment of license keys to client devices and storing information about the license keys
- Forwarding notifications about the progress of tasks (such as detection of viruses on a client device)
Naming Administration Servers in the application interface
In the interface of the MMC-based Administration Console and Kaspersky Security Center 13.1 Web Console, Administration Servers can have the following names:
- Name of the Administration Server device, for example: "device_name" or "Administration Server: device_name".
- IP address of the Administration Server device, for example: "IP_address" or "Administration Server: IP_address".
- Secondary Administration Servers and virtual Administration Servers have custom names that you specify when you connect a virtual or a secondary Administration Server to the primary Administration Server.
- If you use Kaspersky Security Center 13.1 Web Console installed on a Linux device, the application displays the names of the Administration Servers that you specified as trusted in the response file.
You can connect to Administration Server by using Administration Console or Kaspersky Security Center 13.1 Web Console.
Hierarchy of Administration Servers
Administration Servers can be arranged in a hierarchy. Each Administration Server can have several secondary Administration Servers (referred to as secondary Servers) on different nesting levels of the hierarchy. The nesting level for secondary Servers is unrestricted. The administration groups of the primary Administration Server will then include the client devices of all secondary Administration Servers. Thus, isolated and independent sections of networks can be managed by different Administration Servers which are in turn managed by the primary Server.
Virtual Administration Servers are a particular case of secondary Administration Servers.
The hierarchy of Administration Servers can be used to do the following:
- Decrease the load on Administration Server (compared to a single installed Administration Server for an entire network).
- Decrease intranet traffic and simplify work with remote offices. You do not have to establish connections between the primary Administration Server and all networked devices, which may be located, for example, in different regions. It is sufficient to install a secondary Administration Server in each network segment, distribute devices among administration groups of secondary Servers, and establish connections between the secondary Servers and the primary Server over fast communication channels.
- Distribute responsibilities among the anti-virus security administrators. All capabilities for centralized management and monitoring of the anti-virus security status in corporate networks remain available.
- Enable service providers to use Kaspersky Security Center. The service provider only needs to install Kaspersky Security Center and Kaspersky Security Center 13.1 Web Console. To manage a large number of client devices of various organizations, a service provider can add virtual Administration Servers to the hierarchy of Administration Servers.
Each device included in the hierarchy of administration groups can be connected to one Administration Server only. You must independently monitor the connection of devices to Administration Servers. Use the feature for device search in administration groups of different Servers based on network attributes.
Virtual Administration Server
Virtual Administration Server (also referred to as virtual Server) is a component of Kaspersky Security Center intended for managing anti-virus protection of the network of a client organization.
Virtual Administration Server is a particular case of a secondary Administration Server and has the following restrictions as compared with a physical Administration Server:
- Virtual Administration Server can be created only on a primary Administration Server.
- Virtual Administration Server uses the primary Administration Server database in its operation. Data backup and restoration tasks, as well as update scan and download tasks, are not supported on a virtual Administration Server.
- Virtual Server does not support creation of secondary Administration Servers (including virtual Servers).
In addition, virtual Administration Server has the following restrictions:
- In the virtual Administration Server properties window, the number of sections is limited.
- To install Kaspersky applications remotely on client devices managed by the virtual Administration Server, you must make sure that Network Agent is installed on one of the client devices, in order to ensure communication with the virtual Administration Server. Upon first connection to the virtual Administration Server, the device is automatically assigned as a distribution point, thus functioning as a connection gateway between the client devices and the virtual Administration Server.
- A virtual Server can poll the network only through distribution points.
- To restart a malfunctioning virtual Server, Kaspersky Security Center restarts the primary Administration Server and all virtual Administration Servers.
The administrator of a virtual Administration Server has all privileges on this particular virtual Server.
Mobile Device Server
Mobile Device Server is a component of Kaspersky Security Center that provides access to mobile devices and allows managing them through Administration Console. Mobile Device Server receives information about mobile devices and stores their profiles.
There are two types of Mobile Device Server:
- Exchange Mobile Device Server. This is installed on a device where a Microsoft Exchange server has been installed, allowing data retrieval from the Microsoft Exchange server and data transmission to Administration Server. This Mobile Device Server is used for managing mobile devices that support Exchange ActiveSync protocol.
- iOS MDM Server. This Mobile Device Server is used for managing mobile devices that support Apple Push Notification service (APNs).
Mobile Device Servers of Kaspersky Security Center allow you to manage the following objects:
- An individual mobile device.
- Several mobile devices.
- Several mobile devices connected to a cluster of servers simultaneously. After connecting to a cluster of servers, the Mobile Device Server installed in this cluster is displayed in Administration Console as a single server.
Web Server
Kaspersky Security Center Web Server (hereinafter also referred to as Web Server) is a component of Kaspersky Security Center that is installed together with Administration Server. Web Server is designed for transmission, over a network, of stand-alone installation packages, iOS MDM profiles, and files from a shared folder.
When you create a stand-alone installation package, it is automatically published on Web Server. The link for downloading the stand-alone package is displayed in the list of created stand-alone installation packages. If necessary, you can cancel publication of the stand-alone package or you can publish it on Web Server again.
When you create an iOS MDM profile for a user's mobile device, it is also automatically published on Web Server. The published profile is automatically deleted from Web Server as soon as it is successfully installed on the user's mobile device.
The shared folder is used for storage of information that is available to all users whose devices are managed through the Administration Server. If a user has no direct access to the shared folder, he or she can be given information from that folder by means of Web Server.
To provide users with information from a shared folder by means of Web Server, the administrator must create a subfolder named "public" in the shared folder and paste the relevant information into it.
The syntax of the information transfer link is as follows:
https://<Web Server name>:<HTTPS port>/public/<object>
where:
- <Web Server name> is the name of Kaspersky Security Center Web Server.
- <HTTPS port> is the HTTPS port of Web Server that has been defined by the administrator. The HTTPS port can be set in the Web Server section of the properties window of Administration Server. The default port number is 8061.
- <object> is the subfolder or file to which the user has access.
The administrator can send the new link to the user in any convenient way, such as by email.
By using this link, the user can download the required information to a local device.
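As an added illustration (not code from the product or from this documentation), the following Python helper builds a link in the syntax above and takes a received link apart again. It refuses a link that is not HTTPS or whose object path would point outside the "public" subfolder. The host name ksc-web.example.test and the validation rules are assumptions of the example, not a description of product behaviour.

```python
"""Build and check links to the "public" subfolder of the Kaspersky Security
Center Web Server: https://<Web Server name>:<HTTPS port>/public/<object>.

Added example, not code from the product or its documentation. The host
name used in the demo is a constructed placeholder, and the path checks are
ordinary defensive validation added here, not a description of product behaviour.
"""
from typing import Any, Dict
from urllib.parse import quote, unquote, urlsplit

DEFAULT_HTTPS_PORT = 8061  # default Web Server HTTPS port stated in the documentation


def _object_segments(obj: str) -> list:
    """Split an object path and refuse anything that could leave 'public'."""
    segments = obj.replace("\\", "/").split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise ValueError("object must be a relative path with no empty, '.' or '..' segments")
    return segments


def build_public_link(server_name: str, obj: str, https_port: int = DEFAULT_HTTPS_PORT) -> str:
    """Return the download link for a file or subfolder under 'public'.

    Every path segment is percent-encoded so that names containing spaces,
    '#' or '?' are preserved rather than changing the meaning of the URL.
    """
    if not server_name or any(c in server_name for c in "/\\:?#@ "):
        raise ValueError("invalid Web Server name")
    if not 1 <= https_port <= 65535:
        raise ValueError("invalid HTTPS port")
    encoded = "/".join(quote(seg, safe="") for seg in _object_segments(obj))
    return f"https://{server_name}:{https_port}/public/{encoded}"


def parse_public_link(link: str) -> Dict[str, Any]:
    """Take a link apart and confirm it is an HTTPS link into 'public'.

    Useful when a link arrives by e-mail and the administrator wants to
    confirm it has the expected form before passing it on.
    """
    parts = urlsplit(link)
    if parts.scheme != "https":
        raise ValueError("Web Server links are served over HTTPS only")
    if not parts.hostname:
        raise ValueError("link has no host")
    prefix = "/public/"
    if not parts.path.startswith(prefix) or len(parts.path) == len(prefix):
        raise ValueError("link does not point inside the 'public' subfolder")
    obj = unquote(parts.path[len(prefix):])
    _object_segments(obj)  # raises if the decoded path would escape 'public'
    return {
        "server": parts.hostname,
        "port": parts.port if parts.port is not None else 443,
        "object": obj,
    }


if __name__ == "__main__":
    link = build_public_link("ksc-web.example.test", "policies/new hires.pdf")
    print(link)
    print(parse_public_link(link))
```

The builder encodes each segment separately so a file name such as "new hires.pdf" becomes "new%20hires.pdf", and the parser decodes it again before checking the segments, so an encoded "%2e%2e" is rejected just like a literal "..".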
Network Agent
Interaction between Administration Server and devices is performed by the Network Agent component of Kaspersky Security Center. Network Agent must be installed on all devices on which Kaspersky Security Center is used to manage Kaspersky applications.
Network Agent is installed on a device as a service, with the following set of attributes:
- With the name "Kaspersky Security Center 13.1 Network Agent"
- Set to start automatically when the operating system starts
- Using the LocalSystem account
A device that has Network Agent installed is called a managed device or device.
You can install Network Agent on a Windows, Linux, or Mac device. You can get the component from one of the following sources:
- Installation package in Administration Server storage (you must have Administration Server installed)
- Installation package located at Kaspersky web servers
You do not have to install Network Agent on the device where you install Administration Server, because the server version of Network Agent is automatically installed together with Administration Server.
The name of the process that Network Agent starts is klnagent.exe.
Network Agent synchronizes the managed device with the Administration Server. We recommend that you set the synchronization interval (also referred to as the heartbeat) to 15 minutes per 10,000 managed devices.
Administration groups
An administration group (hereinafter also referred to as group) is a logical set of managed devices combined on the basis of a specific trait for the purpose of managing the grouped devices as a single unit within Kaspersky Security Center.
All managed devices within an administration group are configured to do the following:
- Use the same application settings (which you can specify in group policies).
- Use a common operating mode for all applications through the creation of group tasks with specified settings. Examples of group tasks include creating and installing a common installation package, updating the application databases and modules, scanning the device on demand, and enabling real-time protection.
A managed device can belong to only one administration group.
You can create hierarchies that have any degree of nesting for Administration Servers and groups. A single hierarchy level can include secondary and virtual Administration Servers, groups, and managed devices. You can move devices from one group to another without physically moving them. For example, if a worker's position in the enterprise changes from that of accountant to developer, you can move this worker's computer from the Accountants administration group to the Developers administration group. Thereafter, the computer will automatically receive the application settings required for developers.
Managed device
A managed device is a computer running Windows, Linux, or macOS on which Network Agent is installed, or a mobile device on which a Kaspersky security application is installed. You can manage such devices by creating tasks and policies for applications installed on these devices. You can also receive reports from managed devices.
You can make a non-mobile managed device function as a distribution point and as a connection gateway.
A device can be managed by only one Administration Server. One Administration Server can manage up to 100,000 devices, including mobile devices.
Unassigned device
An unassigned device is a device on the network that has not been included in any administration group. You can perform some actions on unassigned devices, for example, move them to administration groups or install applications on them.
When a new device is discovered on your network, this device goes to the Unassigned devices administration group. You can configure rules for devices to be moved automatically to other administration groups after the devices are discovered.
Administrator's workstation
Administrator's workstation is a device on which Administration Console is installed or that you use to open Kaspersky Security Center 13.1 Web Console. Administrators can use these devices for centralized remote management of Kaspersky applications installed on client devices.
After Administration Console is installed on your device, its icon appears, allowing you to start Administration Console. Find it in the Start → Programs → Kaspersky Security Center menu.
There are no restrictions on the number of administrator's workstations. From any administrator's workstation you can manage administration groups of several Administration Servers on the network at once. You can connect an administrator's workstation to an Administration Server (physical or virtual) of any level of the hierarchy.
You can include an administrator's workstation in an administration group as a client device.
Within the administration groups of any Administration Server, the same device can function as an Administration Server client, an Administration Server, or an administrator's workstation.
Management plug-in
Kaspersky applications are managed through Administration Console by using a dedicated component named management plug-in. Each Kaspersky application that can be managed through Kaspersky Security Center includes a management plug-in.
Using the application management plug-in, you can perform the following actions in Administration Console:
- Creating and editing application policies and settings, as well as the settings of application tasks.
- Obtaining information about application tasks, application events, as well as application operation statistics received from client devices.
You can download management plug-ins from the Kaspersky Technical Support webpage.
Management web plug-in
A special component—the management web plug-in—is used for remote administration of Kaspersky software by means of Kaspersky Security Center 13.1 Web Console. Hereinafter, a management web plug-in is also referred to as a management plug-in. A management plug-in is an interface between Kaspersky Security Center 13.1 Web Console and a specific Kaspersky application. With a management plug-in, you can configure tasks and policies for the application.
You can download management web plug-ins from the Kaspersky Technical Support webpage.
The management plug-in provides the following:
- Interface for creating and editing application tasks and settings
- Interface for creating and editing policies and policy profiles for remote and centralized configuration of Kaspersky applications and devices
- Transmission of events generated by the application
- Kaspersky Security Center 13.1 Web Console functions for displaying operational data and events of the application, and statistics relayed from client devices
Policies
A policy is a set of Kaspersky application settings that are applied to an administration group and its subgroups. You can install several Kaspersky applications on the devices of an administration group. Kaspersky Security Center provides a single policy for each Kaspersky application in an administration group. A policy has one of the following statuses (see the table below):
The status of the policy

| Status | Description |
|---|---|
| Active | The current policy that is applied to the device. Only one policy may be active for a Kaspersky application in each administration group. Devices apply the settings values of an active policy for a Kaspersky application. |
| Inactive | A policy that is not currently applied to a device. |
| Out-of-office | If this option is selected, the policy becomes active when the device leaves the corporate network. |
Policies function according to the following rules:
- Multiple policies with different values can be configured for a single application.
- Only one policy can be active for the current application.
- You can activate an inactive policy when a specific event occurs. For example, you can enforce stricter anti-virus protection settings during virus outbreaks.
- A policy can have child policies.
Generally, you can use policies as preparations for emergency situations, such as a virus attack. For example, if there is an attack via flash drives, you can activate a policy that blocks access to flash drives. In this case, the current active policy automatically becomes inactive.
To avoid maintaining multiple policies when different situations require changing only a few settings, you can use policy profiles.
A policy profile is a named subset of policy settings values that replaces the settings values of a policy. A policy profile affects the effective settings formation on a managed device. Effective settings are a set of policy settings, policy profile settings, and local application settings that are currently applied for the device.
Policy profiles function according to the following rules:
- A policy profile takes effect when a specific activation condition occurs.
- Policy profiles contain values of settings that differ from the policy settings.
- Activation of a policy profile changes the effective settings of the managed device.
- A policy can include a maximum of 100 policy profiles.
Policy profiles
Sometimes it may be necessary to create several instances of a single policy for different administration groups; you might also want to modify the settings of those policies centrally. These instances might differ by only one or two settings. For example, all the accountants in an enterprise work under the same policy—but senior accountants are allowed to use flash drives, while junior accountants are not. In this case, applying policies to devices only through the hierarchy of administration groups can be inconvenient.
To help you avoid creating several instances of a single policy, Kaspersky Security Center enables you to create policy profiles. Policy profiles are necessary if you want devices within a single administration group to run under different policy settings.
A policy profile is a named subset of policy settings. This subset is distributed on target devices together with the policy, supplementing it under a specific condition called the profile activation condition. Profiles only contain settings that differ from the "basic" policy, which is active on the managed device. Activation of a profile modifies the settings of the "basic" policy that were initially active on the device. The modified settings take values that have been specified in the profile.
Tasks
Kaspersky Security Center manages Kaspersky security applications installed on devices by creating and running tasks. Tasks are required for installing, launching, and stopping applications, scanning files, updating databases and software modules, and performing other actions on applications.
Tasks for a specific application can be created only if the management plug-in for that application is installed.
Tasks can be performed on the Administration Server and on devices.
The following tasks are performed on the Administration Server:
- Automatic distribution of reports
- Downloading of updates to the repository of the Administration Server
- Backup of Administration Server data
- Maintenance of the database
- Windows Update synchronization
- Creation of an installation package based on the operating system (OS) image of a reference device
The following types of tasks are performed on devices:
- Local tasks—Tasks that are performed on a specific device
Local tasks can be modified either by the administrator, by using Administration Console tools, or by the user of a remote device (for example, through the security application interface). If a local task has been modified simultaneously by the administrator and the user of a managed device, the changes made by the administrator will take effect because they have a higher priority.
- Group tasks—Tasks that are performed on all devices of a specific group
Unless otherwise specified in the task properties, a group task also affects all subgroups of the selected group. A group task also affects (optionally) devices that have been connected to secondary and virtual Administration Servers deployed in the group or any of its subgroups.
- Global tasks—Tasks that are performed on a set of devices, regardless of whether they are included in any group
For each application, you can create any number of group tasks, global tasks, or local tasks.
You can make changes to the settings of tasks, view the progress of tasks, and copy, export, import, and delete tasks.
A task is started on a device only if the application for which the task was created is running.
Results of tasks are saved in the Microsoft Windows event log and the Kaspersky Security Center event log, both centrally on the Administration Server and locally on each device.
Do not include private data in task settings. For example, avoid specifying the domain administrator password.
Task scope
The scope of a task is the set of devices on which the task is performed. The types of scope are as follows:
- For a local task, the scope is the device itself.
- For an Administration Server task, the scope is the Administration Server.
- For a group task, the scope is the list of devices included in the group.
When creating a global task, you can use the following methods to specify its scope:
- Specifying certain devices manually.
You can use an IP address (or IP range), NetBIOS name, or DNS name as the device address.
- Importing a list of devices from a TXT file with the device addresses to be added (each address must be placed on an individual line).
If you import a list of devices from a file or create a list manually, and if devices are identified by their names, the list can only contain devices for which information has already been entered into the Administration Server database. Moreover, the information must have been entered when those devices were connected or during device discovery.
- Specifying a device selection.
Over time, the scope of a task changes as the set of devices included in the selection changes. A selection of devices can be made on the basis of device attributes, including software installed on a device, and on the basis of tags assigned to devices. Device selection is the most flexible way to specify the scope of a task.
Tasks for device selections are always run on a schedule by the Administration Server. These tasks cannot be run on devices that have no connection to the Administration Server. Tasks whose scope is specified by using other methods are run directly on devices and therefore do not depend on the device's connection to the Administration Server.
Tasks for device selections are not run on the local time of a device; instead, they are run on the local time of the Administration Server. Tasks whose scope is specified by using other methods are run on the local time of a device.
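The following Python snippet is an added example, not part of the product, that reads a device list in the TXT format described above (one address per line) and classifies each line as an IP address, an IP range, a NetBIOS name or a DNS name. The range notations it accepts (first-last and CIDR), the sample file and the table of devices already known to the Administration Server are assumptions constructed for the example. Names that the server does not already know are reported as unresolved, mirroring the rule that names can only be used for devices already present in the Administration Server database.

```python
"""Parse a TXT device list for a global task scope (one address per line) and
resolve it against the devices the Administration Server already knows.

Added example, not product code. The range notations accepted here
("first-last" and CIDR), the sample file and the table of known devices are
assumptions constructed for the example.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple


class DeviceEntry(NamedTuple):
    line_no: int
    raw: str
    kind: str                   # "ip", "ip_range", "netbios", "dns" or "invalid"
    addresses: Tuple[str, ...]  # expanded addresses for ip / ip_range, else ()


_NETBIOS = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_\-]{0,14}$")  # at most 15 characters, no dots
_DNS = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def _classify(line_no: int, raw: str) -> DeviceEntry:
    try:  # a single IPv4 or IPv6 address
        return DeviceEntry(line_no, raw, "ip", (str(ipaddress.ip_address(raw)),))
    except ValueError:
        pass
    if raw.count("-") == 1:  # "first-last" range (assumed notation)
        first, last = (part.strip() for part in raw.split("-"))
        try:
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            if lo.version == hi.version and lo <= hi:
                nets = ipaddress.summarize_address_range(lo, hi)
                return DeviceEntry(line_no, raw, "ip_range",
                                   tuple(str(ip) for net in nets for ip in net))
        except ValueError:
            pass
    if "/" in raw:  # CIDR range: usable host addresses only
        try:
            net = ipaddress.ip_network(raw, strict=False)
            return DeviceEntry(line_no, raw, "ip_range", tuple(str(ip) for ip in net.hosts()))
        except ValueError:
            pass
    if _DNS.match(raw):
        return DeviceEntry(line_no, raw, "dns", ())
    if _NETBIOS.match(raw):
        return DeviceEntry(line_no, raw, "netbios", ())
    return DeviceEntry(line_no, raw, "invalid", ())


def parse_device_list(text: str) -> List[DeviceEntry]:
    """Blank lines are skipped; line numbers refer to the original file."""
    return [_classify(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1) if line.strip()]


def resolve_scope(entries: List[DeviceEntry], known_devices: Dict[str, str]) -> Dict[str, list]:
    """Addresses enter the scope directly; names only if the Administration
    Server already knows the device (known_devices maps lower-case name to address)."""
    scope, unresolved, invalid = [], [], []
    for entry in entries:
        if entry.kind in ("ip", "ip_range"):
            scope.extend(entry.addresses)
        elif entry.kind in ("netbios", "dns"):
            address = known_devices.get(entry.raw.lower())
            if address:
                scope.append(address)
            else:
                unresolved.append(entry.raw)  # not in the database: cannot be targeted by name
        else:
            invalid.append((entry.line_no, entry.raw))
    return {"scope": sorted(set(scope)), "unresolved": unresolved, "invalid": invalid}


# Constructed sample list and a constructed table of devices already in the database.
SAMPLE_LIST = """\
10.0.0.1
10.0.0.10-10.0.0.12
192.168.5.0/30
ACCT-WS01
dev-ws07.corp.example

not an address!
"""
KNOWN_DEVICES = {"acct-ws01": "10.0.1.15", "dev-ws07.corp.example": "10.0.2.7"}

if __name__ == "__main__":
    print(resolve_scope(parse_device_list(SAMPLE_LIST), KNOWN_DEVICES))
```

Reviewing the "unresolved" and "invalid" lists before creating the task catches the case the text warns about: a name that looks valid but was never discovered or connected will silently fall out of the scope otherwise.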
How local application settings relate to policies
You can use policies to set identical values of the application settings for all devices in a group.
The values of the settings that a policy specifies can be redefined for individual devices in a group by using local application settings. You can set only the values of settings that the policy allows to be modified, that is, the unlocked settings.
The value of a setting that the application uses on a client device is defined by the lock position for that setting in the policy:
- If a setting modification is locked, the same value (defined in the policy) is used on all client devices.
- If a setting modification is unlocked, the application uses a local setting value on each client device instead of the value specified in the policy. The setting can then be changed in the local application settings.
This means that, when a task is run on a client device, the application applies settings that have been defined in two different ways:
- By task settings and local application settings, if the setting is not locked against changes in the policy.
- By the group policy, if the setting is locked against changes.
Local application settings are changed after the policy is first applied in accordance with the policy settings.
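To show how the policy status rules, policy profiles and the lock positions above combine on one device, here is an added Python model (not Kaspersky code; the product stores these objects differently). Profile activation conditions are modelled as predicates over a dictionary of device attributes, which is an assumption of the example, and the accountants' policy, the out-of-office policy and the device are constructed samples. The model serves both the "Policies" and "Policy profiles" sections and this one.

```python
"""Model the rules for policies, policy profiles and local application settings
and compute the effective settings of a managed device.

Added example illustrating the rules in this section; it is not Kaspersky code
and the product stores these objects differently. Profile activation conditions
are modelled here as predicates over a dictionary of device attributes, an
assumption made for the example. The sample policies and device are constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

MAX_PROFILES_PER_POLICY = 100  # limit stated in the documentation


@dataclass
class Setting:
    value: Any
    locked: bool = False  # locked: policy value is enforced, local value is ignored


@dataclass
class PolicyProfile:
    name: str
    is_active: Callable[[Dict[str, Any]], bool]  # activation condition (modelled)
    overrides: Dict[str, Any]                    # only values that differ from the policy


@dataclass
class Policy:
    name: str
    status: str  # "Active", "Inactive" or "Out-of-office"
    settings: Dict[str, Setting]
    profiles: List[PolicyProfile] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.status not in ("Active", "Inactive", "Out-of-office"):
            raise ValueError(f"unknown policy status {self.status!r}")
        if len(self.profiles) > MAX_PROFILES_PER_POLICY:
            raise ValueError("a policy can include at most 100 policy profiles")


def select_policy(policies: List[Policy], device: Dict[str, Any]) -> Policy:
    """Choose the policy that applies to the device for one application.

    Exactly one policy may have the Active status; an Out-of-office policy
    replaces it once the device has left the corporate network.
    """
    active = [p for p in policies if p.status == "Active"]
    if len(active) != 1:
        raise ValueError("exactly one policy must be Active for the application")
    if device.get("out_of_office"):
        out_of_office = [p for p in policies if p.status == "Out-of-office"]
        if out_of_office:
            return out_of_office[0]
    return active[0]


def effective_settings(policy: Policy, device: Dict[str, Any],
                       local: Dict[str, Any]) -> Dict[str, Any]:
    """Policy values, modified by every active profile, then by local values
    for the settings the policy leaves unlocked."""
    effective = {name: s.value for name, s in policy.settings.items()}
    for profile in policy.profiles:
        if profile.is_active(device):
            effective.update(profile.overrides)  # profile supplies only the differing values
    for name, s in policy.settings.items():
        if not s.locked and name in local:
            effective[name] = local[name]  # unlocked setting: the local value is used
    return effective


def sample_policies() -> List[Policy]:
    """Constructed sample: the accountants' example from the text."""
    accountants = Policy(
        name="Accountants",
        status="Active",
        settings={
            "block_flash_drives": Setting(True, locked=True),
            "real_time_protection": Setting(True, locked=True),
            "scan_schedule": Setting("daily", locked=False),
        },
        profiles=[
            PolicyProfile(
                name="Senior accountants",
                is_active=lambda d: "senior" in d.get("tags", ()),
                overrides={"block_flash_drives": False},
            )
        ],
    )
    remote_work = Policy(
        name="Remote work",
        status="Out-of-office",
        settings={
            "block_flash_drives": Setting(True, locked=True),
            "real_time_protection": Setting(True, locked=True),
            "scan_schedule": Setting("hourly", locked=True),
        },
    )
    return [accountants, remote_work]


def demo(tags=("senior",), out_of_office=False) -> Dict[str, Any]:
    """Effective settings for a constructed device whose user changed the
    scan schedule and tried to switch real-time protection off locally."""
    device = {"tags": set(tags), "out_of_office": out_of_office}
    local = {"scan_schedule": "weekly", "real_time_protection": False}
    policy = select_policy(sample_policies(), device)
    return effective_settings(policy, device, local)
```

Running demo() shows the three rules at once: the senior-accountant profile unblocks flash drives, the locked real-time protection setting ignores the user's local change, and the unlocked scan schedule takes the local value. With out_of_office=True the Out-of-office policy replaces the active one and, because it locks the schedule, the local value no longer applies.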
Distribution point
Distribution point (previously known as update agent) is a device with Network Agent installed that is used for distribution of updates, remote installation of applications, and retrieval of information about networked devices. A distribution point can perform the following functions:
- Distribute updates and installation packages received from the Administration Server to client devices within the group (including distribution through multicasting using UDP). Updates can be received either from the Administration Server or from Kaspersky update servers. In the latter case, an update task must be created for the distribution point.
Distribution point devices running macOS cannot download updates from Kaspersky update servers.
If one or more devices running macOS are within the scope of the Download updates to the repositories of distribution points task, the task completes with the Failed status, even if it has successfully completed on all Windows devices.
Distribution points accelerate update distribution and free up Administration Server resources.
- Distribute policies and group tasks through multicasting using UDP.
- Act as a gateway for connection to the Administration Server for devices in an administration group.
If a direct connection between managed devices within the group and the Administration Server cannot be established, you can use the distribution point as connection gateway to the Administration Server for this group. In this case, managed devices connect to the connection gateway, which in turn connects to the Administration Server.
The presence of a distribution point that functions as connection gateway does not block the option of a direct connection between managed devices and the Administration Server. If the connection gateway is not available, but direct connection with the Administration Server is technically possible, managed devices are connected to the Administration Server directly.
- Poll the network to detect new devices and update information about existing ones. A distribution point can apply the same device discovery methods as the Administration Server.
- Perform remote installation of third-party software and Kaspersky applications by using tools of the distribution point operating system. Note that the distribution point can perform installation on client devices without Network Agent.
This feature allows you to remotely transfer Network Agent installation packages to client devices located on networks to which the Administration Server has no direct access.
- Act as a proxy server participating in the Kaspersky Security Network.
You can enable the KSN proxy server on the distribution point side to make the device act as a KSN proxy server. In this case, the KSN proxy service (ksnproxy) runs on the device.
Files are transmitted from the Administration Server to a distribution point over HTTP or, if an SSL connection is enabled, over HTTPS. Using HTTP or HTTPS gives better performance than SOAP because it reduces traffic.
Devices with Network Agent installed can be assigned as distribution points either manually (by the administrator) or automatically (by the Administration Server). The full list of distribution points for the specified administration groups is displayed in the report about the list of distribution points.
The scope of a distribution point is the administration group to which it has been assigned by the administrator, as well as its subgroups at all levels of nesting. If multiple distribution points have been assigned in the hierarchy of administration groups, Network Agent on the managed device connects to the nearest distribution point in the hierarchy.
A network location can also be the scope of distribution points. The network location is used for manual creation of a set of devices to which the distribution point will distribute updates. Network location can be determined only for devices running a Windows operating system.
If distribution points are assigned automatically by the Administration Server, it assigns them by broadcast domains, not by administration groups. This occurs when all broadcast domains are known. Network Agent exchanges messages with other Network Agents in the same subnet and then sends Administration Server information about itself and other Network Agents. Administration Server can use that information to group Network Agents by broadcast domains. Broadcast domains are known to Administration Server after more than 70% of the Network Agents in administration groups have been polled. Administration Server polls broadcast domains every two hours. After distribution points are assigned by broadcast domains, they cannot be re-assigned by administration groups.
If the administrator manually assigns distribution points, they can be assigned to administration groups or network locations.
Network Agents with the active connection profile do not participate in broadcast domain detection.
Kaspersky Security Center assigns each Network Agent a unique IP multicast address that differs from every other address. This allows you to avoid network overload that might occur due to IP overlaps. The feature of unique address assignment functions in Kaspersky Security Center 10 Service Pack 3 and later versions. IP multicast addresses that were assigned in previous versions of the application will not be changed.
If two or more distribution points are assigned to a single network area or to a single administration group, one of them becomes the active distribution point, and the rest become standby distribution points. The active distribution point downloads updates and installation packages directly from the Administration Server, while standby distribution points receive updates from the active distribution point only. In this case, files are downloaded once from the Administration Server and then are distributed among distribution points. If the active distribution point becomes unavailable for any reason, one of the standby distribution points becomes active. The Administration Server automatically assigns a distribution point to act as standby.
The distribution point status (Active/Standby) is displayed with a check box in the klnagchk report.
A distribution point requires at least 4 GB of free disk space. If the free disk space of the distribution point is less than 2 GB, Kaspersky Security Center creates an incident with the Warning importance level. The incident will be published in the device properties, in the Incidents section.
Running remote installation tasks on a device assigned as a distribution point requires additional free disk space. The volume of free disk space must exceed the total size of all installation packages to be installed.
Running any updating (patching) tasks and vulnerability fix tasks on a device assigned as a distribution point requires additional free disk space. The volume of free disk space must be at least twice the total size of all patches to be installed.
Devices functioning as distribution points must be protected, including physical protection, against any unauthorized access.
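The disk space rules above and the active/standby arrangement are easy to get wrong when planning a deployment, so here is an added Python checker (not product code) that applies the stated thresholds to a candidate device and models the roles of several distribution points in one scope. The page does not say how the product picks which standby point takes over, so the role assignment simply takes the first available point in the given order; that ordering, and all sizes and device names, are assumptions of the example.

```python
"""Check whether a device meets the free disk space requirements for acting
as a distribution point, and model the active/standby roles of several
distribution points in one scope.

Added example, not product code. The thresholds are the ones stated in this
section; how the product chooses which standby point becomes active is not
described on the page, so the role assignment below simply takes the first
available point in the given order (an assumption). All sizes are constructed.
"""
from typing import Dict, List, Sequence

GB = 1024 ** 3
MIN_FREE_BYTES = 4 * GB      # a distribution point requires at least 4 GB free
WARNING_FREE_BYTES = 2 * GB  # below 2 GB, a Warning incident is created


def check_distribution_point_space(free_bytes: int,
                                   install_package_bytes: Sequence[int] = (),
                                   patch_bytes: Sequence[int] = ()) -> Dict[str, object]:
    """Apply the documented free-space rules and return the findings.

    - remote installation: free space must exceed the total size of all packages
    - patching / vulnerability fix: free space must be at least twice the total patch size
    """
    findings: List[str] = []
    required = MIN_FREE_BYTES
    if free_bytes < WARNING_FREE_BYTES:
        findings.append("free space below 2 GB: a Warning incident would be raised")
    if free_bytes < MIN_FREE_BYTES:
        findings.append("free space below the 4 GB minimum for a distribution point")
    packages_total = sum(install_package_bytes)
    if install_package_bytes:
        required = max(required, packages_total + 1)  # must exceed, not merely equal
        if free_bytes <= packages_total:
            findings.append("remote installation: free space must exceed the total size of the installation packages")
    patches_total = sum(patch_bytes)
    if patch_bytes:
        required = max(required, 2 * patches_total)
        if free_bytes < 2 * patches_total:
            findings.append("patching: free space must be at least twice the total size of the patches")
    return {
        "ok": not findings,
        "findings": findings,
        "required_bytes": required,
        "shortfall_bytes": max(0, required - free_bytes),
    }


def assign_roles(distribution_points: Sequence[Dict[str, object]]) -> Dict[str, str]:
    """One available point becomes Active, the other available ones Standby.

    Re-running this after a point goes down reproduces the failover the text
    describes: the next available point in order takes the Active role.
    """
    roles: Dict[str, str] = {}
    active_chosen = False
    for dp in distribution_points:
        name = str(dp["name"])
        if not dp.get("available", True):
            roles[name] = "Unavailable"
        elif not active_chosen:
            roles[name] = "Active"
            active_chosen = True
        else:
            roles[name] = "Standby"
    return roles


if __name__ == "__main__":
    print(check_distribution_point_space(3 * GB, patch_bytes=[2 * GB]))
    print(assign_roles([{"name": "dp-a", "available": False}, {"name": "dp-b"}, {"name": "dp-c"}]))
```

The "shortfall_bytes" value is the amount to free up before the planned tasks can run; a device with 3 GB free that must apply 2 GB of patches, for example, is 1 GB short of the 4 GB that both the minimum and the patch rule require.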
Connection gateway
A connection gateway is a Network Agent acting in a special mode. A connection gateway accepts connections from other Network Agents and tunnels them to the Administration Server through its own connection with the Server. Unlike an ordinary Network Agent, a connection gateway waits for connections from the Administration Server rather than establishing connections to the Administration Server.
A connection gateway can receive connections from up to 10,000 devices.
You have two options for using connection gateways:
- We recommend that you install a connection gateway in a demilitarized zone (DMZ). For other Network Agents installed on out-of-office devices, you need to specially configure a connection to Administration Server through the connection gateway.
A connection gateway does not in any way modify or process data that is transmitted from Network Agents to Administration Server. Moreover, it does not write this data into any buffer and therefore cannot accept data from a Network Agent and later forward it to Administration Server. If Network Agent attempts to connect to Administration Server through the connection gateway, but the connection gateway cannot connect to Administration Server, Network Agent perceives this as if Administration Server is inaccessible. All data remains on Network Agent (not on the connection gateway).
A connection gateway cannot connect to Administration Server through another connection gateway. This means that Network Agent cannot simultaneously be a connection gateway and use a connection gateway to connect to Administration Server.
All connection gateways are included in the list of distribution points in the Administration Server properties.
- You can also use connection gateways within the network. For example, automatically assigned distribution points also become connection gateways in their own scope. However, within an internal network, connection gateways do not provide considerable benefit. They reduce the number of network connections received by Administration Server, but do not reduce the volume of incoming data. Even without connection gateways, all devices could still connect to Administration Server.
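The constraints in this section lend themselves to a plan check before deployment. The following Python validator is an added example, not product code: it takes a planned topology (which devices are connection gateways and which gateway, if any, each device connects through) and reports devices that chain one gateway behind another, devices pointed at something that is not a gateway, and gateways that would exceed the stated 10,000-connection limit. The topology layout and the device names are constructed for the example.

```python
"""Validate a planned connection-gateway topology against the rules in this
section: agents may connect to the Administration Server through a connection
gateway, a gateway never connects through another gateway, and one gateway
accepts at most 10,000 device connections.

Added example, not product code. The topology is a constructed sample; device
names are placeholders and the dictionary layout is an assumption of this example.
"""
from collections import Counter
from typing import Dict, List

MAX_GATEWAY_CONNECTIONS = 10_000  # stated limit per connection gateway


def validate_gateway_topology(agents: Dict[str, Dict[str, object]]) -> List[str]:
    """agents maps a device name to {"gateway": bool, "connect_via": name or None}.

    Returns a list of human-readable problems; an empty list means the plan
    respects every rule this section states.
    """
    problems: List[str] = []
    load: Counter = Counter()
    for name, agent in agents.items():
        via = agent.get("connect_via")
        if via is None:
            continue  # direct connection to the Administration Server
        if via == name:
            problems.append(f"{name}: a device cannot use itself as its connection gateway")
            continue
        if via not in agents:
            problems.append(f"{name}: connection gateway {via!r} is not a known device")
            continue
        if not agents[via].get("gateway"):
            problems.append(f"{name}: {via!r} is not configured as a connection gateway")
        if agent.get("gateway"):
            problems.append(f"{name}: a connection gateway cannot connect through another connection gateway")
        load[via] += 1
    for gateway, count in load.items():
        if count > MAX_GATEWAY_CONNECTIONS:
            problems.append(f"{gateway}: {count} devices exceed the {MAX_GATEWAY_CONNECTIONS} connection limit")
    return problems


def sample_topology() -> Dict[str, Dict[str, object]]:
    """Constructed plan: one DMZ gateway for out-of-office laptops, plus two mistakes."""
    return {
        "dmz-gateway": {"gateway": True, "connect_via": None},
        "laptop-01": {"gateway": False, "connect_via": "dmz-gateway"},
        "laptop-02": {"gateway": False, "connect_via": "dmz-gateway"},
        "hq-workstation": {"gateway": False, "connect_via": None},
        # mistake 1: a second gateway chained behind the first
        "branch-gateway": {"gateway": True, "connect_via": "dmz-gateway"},
        # mistake 2: a laptop pointed at a device that is not a gateway
        "laptop-03": {"gateway": False, "connect_via": "hq-workstation"},
    }


if __name__ == "__main__":
    for problem in validate_gateway_topology(sample_topology()):
        print(problem)
```

Because a gateway holds no buffer, a device whose gateway cannot reach the Administration Server simply sees the Server as unavailable, so the check also makes it easy to spot how many devices depend on a single gateway in the DMZ.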