Discovering networked devices
This section describes search and discovery of networked devices.
Kaspersky Security Center allows you to find devices on the basis of specified criteria. You can save search results to a text file.
The search and discovery feature allows you to find the following devices:
- Managed devices in administration groups of Kaspersky Security Center Administration Server and its secondary Administration Servers.
- Unassigned devices managed by Kaspersky Security Center Administration Server and its secondary Administration Servers.
Scenario: Discovering networked devices
You must perform device discovery before installation of the security applications. When all networked devices are discovered, you can receive information about them and manage them through policies. Regular network polls are needed to discover if there are any new devices and whether previously discovered devices are still on the network.
Discovery of networked devices proceeds in stages:
- Initial device discovery
The Quick Start Wizard guides you through initial device discovery, and helps you find networked devices such as computers, tablets, and mobile phones. You can also perform device discovery manually.
- Configuring future polls
Decide which type(s) of discovery you want to use regularly. Make sure that this type is enabled and that the poll schedule meets the needs of your organization. When configuring the poll schedule, use the recommendations for network polling frequency.
- Setting up rules for adding discovered devices to administration groups (optional)
If new devices appear on your network, they are discovered during regular polls and are automatically included in the Unassigned devices group. If you want, you can set up the rules for automatically moving these devices to the Managed devices group. You can also establish retention rules.
If you skip this rule-setting stage, all the newly discovered devices go to the Unassigned devices group and stay there. If you want, you can move these devices to the Managed devices group manually. If you move the devices to the Managed devices group manually, you can analyze information about each device and decide whether you want to move it to an administration group, and, if so, to which group.
Results
Completion of the scenario yields the following:
- Kaspersky Security Center Administration Server discovers the devices that are on the network and provides you with information about them.
- Future polls are set up and are conducted according to the specified schedule.
- The newly discovered devices are arranged according to the configured rules. If no rules are configured, the devices stay in the Unassigned devices group.
Device discovery
This section describes the types of device discovery available in Kaspersky Security Center and provides information about using each type.
The Administration Server receives information about the structure of the network and devices on this network through regular polling. The information is recorded to the Administration Server database. Administration Server can use the following types of polling:
- Windows network polling. The Administration Server can perform two kinds of Windows network poll: quick and full. During a quick poll, the Administration Server only retrieves information from the list of the NetBIOS names of devices in all network domains and workgroups. During a full poll, more information is requested from each client device, such as operating system name, IP address, DNS name, and NetBIOS name. By default, both quick poll and full poll are enabled. Windows network polling may fail to discover devices, for example, if the ports UDP 137, UDP 138, TCP 139 are closed on the router or by the firewall.
- Active Directory polling. The Administration Server retrieves information about the Active Directory unit structure and about DNS names of the devices from Active Directory groups. By default, this type of polling is enabled. We recommend that you use Active Directory polling if you use Active Directory; otherwise, the Administration Server does not discover any devices. If you use Active Directory but some of the networked devices are not listed as members, these devices cannot be discovered by Active Directory polling.
- IP range polling. The Administration Server polls the specified IP ranges using ICMP packets or the NBNS protocol and compiles a complete set of data on devices within those IP ranges. By default, this type of polling is disabled. It is not recommended to use this type of polling if you use Windows network polling and/or Active Directory polling.
If you set up and enabled device moving rules, the newly discovered devices are automatically included in the Managed devices group. If no moving rules have been enabled, the newly discovered devices are automatically included in the Unassigned devices group.
You can modify device discovery settings for each type. For example, you may want to modify the polling schedule or to set whether to poll the entire Active Directory forest or only a specific domain.
Windows network polling
About Windows network polling
During a quick poll, the Administration Server only retrieves information from the list of the NetBIOS names of devices in all network domains and workgroups. During a full poll, the following information is requested from each client device:
- Operating system name
- IP address
- DNS name
- NetBIOS name
Both quick polls and full polls require the following:
- Ports UDP 137/138, TCP 139, UDP 445, TCP 445 must be available in the network.
- The Microsoft Computer Browser service must be used, and the primary browser computer must be enabled on the Administration Server.
- The Microsoft Computer Browser service must be used, and the primary browser computer must be enabled on the client devices:
- On at least one device, if the number of networked devices does not exceed 32.
- On at least one device for each 32 networked devices.
The full poll can run only if the quick poll has run at least once.
Viewing and modifying the settings for Windows network polling
To modify the properties of Windows network polling:
- In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → WINDOWS DOMAINS.
- Click the Properties button.
The Windows domain properties window opens.
- Enable or disable Windows network polling by using the Enable Windows network polling toggle button.
- Configure the poll schedule. By default, the quick polling runs every 15 minutes and the full polling runs every 60 minutes.
Polling schedule options:
- Click the Save button.
The properties are saved and applied to all of the discovered Windows domains and workgroups.
Running the poll manually
To run the poll immediately,
click Start quick poll or Start full poll.
When the polling is complete, you can view the list of discovered devices on the WINDOWS DOMAINS page by selecting the check box next to a domain name, and then clicking the Devices button.
Active Directory polling
Use Active Directory polling if you use Active Directory; otherwise, it is recommended to use other poll types. If you use Active Directory but some of the networked devices are not listed as members, these devices cannot be discovered by using Active Directory polling.
Kaspersky Security Center sends a request to the domain controller and receives the Active Directory device structure. Active Directory polling is performed hourly.
Viewing and modifying the settings for Active Directory polling
To view and modify the settings for Active Directory polling:
- In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → ACTIVE DIRECTORY.
- Click the Properties button.
The Active Directory properties window opens.
- In the Active Directory properties window, you can define the following settings:
- Turn Active Directory polling on or off by using the toggle button.
- Change the polling schedule.
The default period is one hour. The data received at the next polling completely replaces the old data.
- Configure advanced settings to select the polling scope:
- Active Directory domain to which the Kaspersky Security Center belongs
- Domain forest to which the Kaspersky Security Center belongs
- Specified list of Active Directory domains
To add a domain to the polling scope, select a domain option, click the Add button, and then specify the address of the domain controller and the name and password of the account for accessing it.
- To apply the new settings, click the Save button.
The new settings are applied to the Active Directory polling.
Running the poll manually
To run the poll immediately,
click Start poll.
Viewing the results of Active Directory polling
To view the results of Active Directory polling:
- In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → ACTIVE DIRECTORY.
The list of discovered organizational units is displayed.
- If you want, select an organizational unit, and then click the Devices button.
The list of devices in the organizational unit is displayed.
You can search the list and filter the results.
IP range polling
Initially, Kaspersky Security Center gets IP ranges for polling from the network settings of the device on which it is installed. If the device address is 192.168.0.1 and the subnet mask is 255.255.255.0, Kaspersky Security Center includes the network 192.168.0.0/24 in the list of polling addresses automatically. Kaspersky Security Center polls all addresses from 192.168.0.1 to 192.168.0.254.
It is not recommended to use IP range polling if you use Windows network polling and/or Active Directory polling.
Kaspersky Security Center can poll IP ranges by reverse DNS lookup or by using the NBNS protocol:
- Reverse DNS lookup
Kaspersky Security Center attempts to perform reverse name resolution for every IP address from the specified range to a DNS name using standard DNS requests. If this operation succeeds, the server sends an ICMP ECHO REQUEST (the same as the ping command) to the received name. If the device responds, the information about it is added to the Kaspersky Security Center database. The reverse name resolution is necessary to exclude the network devices that can have an IP address but are not computers, for example, network printers or routers.
This polling method relies upon a correctly configured local DNS service. It must have a reverse lookup zone. In the networks where Active Directory is used, such a zone is maintained automatically. But in these networks, IP subnet polling does not provide more information than Active Directory polling. Moreover, administrators of small networks often do not configure the reverse lookup zone because it is not necessary for the work of many network services. For these reasons, IP subnet polling is disabled by default.
- NBNS protocol
If the reverse name resolution is not possible in your network for some reason, Kaspersky Security Center uses the NBNS protocol to poll the IP ranges. If a request to an IP address returns a NetBIOS name, the information about this device is added to the Kaspersky Security Center database.
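A preflight check for the reverse DNS lookup method described above, as an added example that is not Kaspersky Security Center code: it reports which addresses in a range have no PTR record, and which PTR names resolve forward to a different address, in which case an echo request sent to the name reaches another host. The function names, the `example.test` names and the lookup tables are assumptions constructed for illustration.

```python
import ipaddress
import socket

def _ptr(ip):
    """Reverse lookup through the OS resolver; returns a name or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # socket.herror / socket.gaierror
        return None

def _forward(name):
    """Forward lookup; returns the set of IPv4 addresses for the name."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def reverse_zone_report(cidr, ptr=_ptr, forward=_forward):
    """Classify every host address in cidr by the state of its DNS records."""
    report = {"ok": {}, "no_ptr": [], "mismatch": {}}
    for host in ipaddress.ip_network(cidr).hosts():
        ip = str(host)
        name = ptr(ip)
        if name is None:
            report["no_ptr"].append(ip)      # fails the reverse resolution step
        elif ip in forward(name):
            report["ok"][ip] = name          # the name leads back to this address
        else:
            report["mismatch"][ip] = name    # stale PTR: the name points elsewhere
    return report

# Constructed records standing in for a real DNS server, so the demo runs offline.
PTR = {"192.168.0.2": "ws01.example.test",
       "192.168.0.3": "ws02.example.test",
       "192.168.0.4": "old-laptop.example.test"}
A = {"ws01.example.test": {"192.168.0.2"},
     "ws02.example.test": {"192.168.0.3"},
     "old-laptop.example.test": {"192.168.0.9"}}

def demo():
    return reverse_zone_report("192.168.0.0/29", PTR.get,
                               lambda name: A.get(name, set()))

if __name__ == "__main__":
    for state, entries in demo().items():
        print(state, entries)
```

Called without the `ptr` and `forward` arguments, `reverse_zone_report` queries the resolver of the machine it runs on.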
Viewing and modifying the settings for IP range polling
To view and modify the properties of IP range polling:
- In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → IP RANGES.
- Click the Properties button.
The IP polling properties window opens.
- Enable or disable IP polling by using the Allow polling toggle button.
- Configure the poll schedule. By default, IP polling runs every 420 minutes (seven hours).
When specifying the polling interval, make sure that this setting does not exceed the value of the IP address lifetime parameter. If an IP address is not verified by polling during the IP address lifetime, this IP address is automatically removed from the polling results. By default, the life span of the polling results is 24 hours, because dynamic IP addresses (assigned using Dynamic Host Configuration Protocol (DHCP)) change every 24 hours.
Polling schedule options:
- Click the Save button.
The properties are saved and applied to all IP ranges.
Running the poll manually
To run the poll immediately,
click Start poll.
Adding and modifying an IP range
Initially, Kaspersky Security Center gets IP ranges for polling from the network settings of the device on which it is installed. If the device address is 192.168.0.1 and the subnet mask is 255.255.255.0, Kaspersky Security Center includes the network 192.168.0.0/24 in the list of polling addresses automatically. Kaspersky Security Center polls all addresses from 192.168.0.1 to 192.168.0.254. You can modify the automatically defined IP ranges or add custom IP ranges.
To add a new IP range:
- Go to DISCOVERY & DEPLOYMENT → DISCOVERY → IP RANGES.
- To add a new IP range, click the Add button.
- In the window that opens, specify the following settings:
- Select Enable IP range polling if you want to poll the subnet or interval that you have added. Otherwise, the subnet or interval that you have added will not be polled.
- Click the Save button.
The new IP range is added to the list of IP ranges.
You can run polling of each IP range separately by using the Start poll button. When the polling is complete, you can view the list of discovered devices by using the Devices button. By default, the life span of the polling results is 24 hours and it is equal to the IP address lifetime setting.
To add a subnet to an existing IP range:
- Go to DISCOVERY & DEPLOYMENT → DISCOVERY → IP RANGES.
- Click the name of the IP range to which you want to add a subnet.
- In the window that opens, click the Add button.
- Specify a subnet by using either its address and mask, or by using the first and last IP address in the IP range. Or, add an existing subnet by clicking the Browse button.
- Click the Save button.
The new subnet is added to the IP range.
- Click the Save button.
The new settings of the IP range are saved.
You can add as many subnets as you need. Named IP ranges are not allowed to overlap, but unnamed subnets inside an IP range have no such restrictions. You can enable and disable polling independently for every IP range.
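A planning check for the IP range rules above, as an added example that is not Kaspersky Security Center code: it derives the polled network from a device address and mask, finds overlaps between named IP ranges, and checks the polling interval against the IP address lifetime. The function names and the sample plan are assumptions constructed for illustration; IPv4 only.

```python
import ipaddress
from itertools import combinations

def local_range(address, mask):
    """Network plus first and last polled address for a host address and mask."""
    net = ipaddress.ip_interface(f"{address}/{mask}").network
    if net.prefixlen >= 31:          # /31 and /32 have no network/broadcast to skip
        return net, net[0], net[-1]
    return net, net[1], net[-2]

def to_networks(spec):
    """Accept 'address/mask' or a (first, last) pair, the two ways to give a subnet."""
    if isinstance(spec, str):
        return [ipaddress.ip_network(spec, strict=False)]
    first, last = (ipaddress.ip_address(a) for a in spec)
    return list(ipaddress.summarize_address_range(first, last))

def overlapping_ranges(plan):
    """plan maps a named IP range to its subnets; returns clashes between names.
    Subnets inside one named range are not compared, since they may overlap."""
    nets = {name: [n for s in specs for n in to_networks(s)]
            for name, specs in plan.items()}
    clashes = []
    for a, b in combinations(sorted(nets), 2):
        clashes += [(a, b, str(x), str(y))
                    for x in nets[a] for y in nets[b] if x.overlaps(y)]
    return clashes

def interval_within_lifetime(poll_minutes=420, lifetime_hours=24):
    """True when the polling interval does not exceed the IP address lifetime."""
    return poll_minutes <= lifetime_hours * 60

# Constructed plan: "Branch" sits inside HQ's /24, so the two named ranges clash.
PLAN = {
    "HQ": ["192.168.0.0/24", ("10.0.0.10", "10.0.0.50")],
    "Branch": ["192.168.0.128/25"],
    "Lab": [("10.0.1.1", "10.0.1.20")],
}

if __name__ == "__main__":
    print(local_range("192.168.0.1", "255.255.255.0"))
    print(overlapping_ranges(PLAN))
    print(interval_within_lifetime(420), interval_within_lifetime(2880))
```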
Configuring retention rules for unassigned devices
After Windows network polling is complete, the found devices are placed into subgroups of the Unassigned devices administration group. This administration group can be found at DISCOVERY & DEPLOYMENT → DISCOVERY → WINDOWS DOMAINS. The WINDOWS DOMAINS folder is the parent group. It contains child groups named after the corresponding domains and workgroups that have been found during the poll. The parent group may also contain the administration group of mobile devices. You can configure the retention rules of the unassigned devices for the parent group and for each of the child groups. The retention rules do not depend on the device discovery settings and work even if the device discovery is disabled.
To configure retention rules for unassigned devices:
- In the main menu, go to DISCOVERY & DEPLOYMENT → DISCOVERY → WINDOWS DOMAINS.
- Do one of the following:
- To configure settings of the parent group, click the Properties button.
The Windows domain properties window opens.
- To configure settings of a child group, click its name.
The child group properties window opens.
- Define the following settings:
- Click the Accept button.
Your changes are saved and applied.