Scenario of application deployment with a limited set of access privileges

This deployment scenario is suitable for you if the security policy of your organization does not allow performing all application installation operations under your account and restricts access to the SQL server or Active Directory. For example, this can happen when the database at your organization is administered by a different specialist with full access to the SQL server.

Names of account groups must be unique within a single Active Directory domain forest.

To prepare for installation with a limited set of permissions to access the SQL server or Active Directory:

  1. Make sure that the account intended for deploying the application is included in the local "Administrators" group on the Microsoft Exchange server on which you are deploying the application. If not, include the account in this group.
  2. Create the following container in Active Directory:

    CN=KasperskyLab,CN=Services,CN=Configuration,DC=domain,DC=domain

  3. Configure full access to this container and to all of its child objects for the account intended for the application installation.
  4. Create the Kse Watchdog Service account group. The type of group is "Universal". Include in this group the account intended for launching the application service. If the Local System account is used as this account, also include in the Kse Watchdog Service group the account of the computer on which installation is performed.
  5. Add the Kse Watchdog Service group to the local "Administrators" group on the Microsoft Exchange server on which you are deploying the application.

    If you previously removed the Debug Programs permission granted to the Administrators group by default, grant this permission to the Kse Watchdog Service group.

  6. Provide the Kse Watchdog Service group with the rights to read data from the Active Directory container, which stores the configuration data of Microsoft Exchange:

    CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain

  7. (Only applicable for Microsoft Exchange 2013 and Microsoft Exchange 2016 servers). Provide the Kse Watchdog Service group with the ms-Exch-Store-Admin right. To do this, run the following command in the Exchange Management Shell console:

    Add-ADPermission -Identity "<path to container with configuration of Microsoft Exchange>" -User "<domain name>\Kse Watchdog Service" -ExtendedRights ms-Exch-Store-Admin

    For example:

    Add-ADPermission -Identity "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=domain" -User "domain\Kse Watchdog Service" -ExtendedRights ms-Exch-Store-Admin

  8. (Applicable for Microsoft Exchange 2013 / 2016 servers). Provide the Kse Watchdog Service group with the right to run under a different name (impersonation). To do this, run the following command in the Exchange Management Shell console:

    New-ManagementRoleAssignment -Name KSE_IMPERSONATION -Role applicationImpersonation -SecurityGroup "Kse Watchdog Service"

  9. If you want to use on-demand scan for selected mailboxes on Microsoft Exchange 2010 servers, grant the Kse Watchdog Service group the right to run under a different name (impersonation). To do this, run the following command in the Exchange Management Shell console:

    New-ManagementRoleAssignment -Name KSE_IMPERSONATION -Role applicationImpersonation -SecurityGroup "Kse Watchdog Service"

  10. Create the following account groups: Kse Administrators, Kse Security Officers, Kse AV Security Officers, and Kse AV Operators. These groups can be created in any of the organization's domains. The type of groups is "Universal".
  11. Perform replication of Active Directory data across the entire organization.
  12. Assign the appropriate user roles to the accounts owned by users who perform the corresponding duties in your organization. To do this, add user accounts to the following account groups in Active Directory:
    • Add administrator accounts to the Kse Administrators group.
    • Add the accounts of security officers to the Kse Security Officers group.
    • Add the accounts of anti-virus security officers to the Kse AV Security Officers group.
    • Add the accounts of anti-virus security operators to the Kse AV Operators group.
  13. Make sure that the application database is created. Perform this operation yourself or delegate it to an authorized specialist.
  14. Create accounts for the following Active Directory groups on the SQL server: Kse Administrators, Kse AV Security Officers, and Kse Watchdog Service.
  15. Ensure that the Kse Watchdog Service group of accounts is assigned the db_owner role on the application database level.
  16. Ensure that the account intended for preparing the database is assigned the db_owner role on the application database level and the VIEW ANY DEFINITION permission on the SQL server level.

    If you do not grant the VIEW ANY DEFINITION permission to the account, a message prompting you for the ALTER ANY LOGIN permission will appear on the screen when the Setup Wizard checks for roles and permissions of users to access the application database. The ALTER ANY LOGIN permission is required by the Setup Wizard to create SQL server users, assign roles to those users, and grant them permissions to use the database.

  17. If you plan to manage the application using Kaspersky Security Center, add the computer accounts of all computers on which you are installing Kaspersky Security to the Kse Administrators group in Active Directory.

    If you have not added the computer accounts of all computers on which you are installing Kaspersky Security to the Kse Administrators group in Active Directory, the screen will display a message explaining how to enable management of the application using Kaspersky Security Center.

  18. Ensure that the steps of the Application Installation Wizard and Application Configuration Wizard are performed under the account intended for installing the application.
  19. Perform replication of Active Directory data across the entire organization. This is required in order for application settings saved in Active Directory to become available for subsequent installations of the application on other Microsoft Exchange servers at your organization.
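The following PowerShell script is an added example and is not part of the Kaspersky documentation; it performs read-only pre-flight checks for the steps above so that an administrator can confirm the limited-privilege prerequisites before starting the Setup Wizard. It assumes the ActiveDirectory RSAT module, the Exchange Management Shell (for Get-ManagementRoleAssignment) and the SqlServer module (for Invoke-Sqlcmd) are available; the SQL server instance and database name are placeholders, and the configuration naming context is read from the domain instead of the "DC=domain,DC=domain" placeholder used in the procedure.

```powershell
# Added example (not Kaspersky's own code): verify the prerequisites of the
# limited-privilege deployment without changing anything.
# Assumptions: ActiveDirectory RSAT module, Exchange Management Shell cmdlets and
# the SqlServer module are loadable; $SqlServer and $Database are placeholders.
param(
    [string]$ConfigNC  = (Get-ADRootDSE).configurationNamingContext,  # CN=Configuration,DC=...
    [string]$SqlServer = 'SQLSERVER01\INSTANCE',                        # placeholder instance
    [string]$Database  = 'KasperskySecurity'                            # placeholder database
)

$findings = [System.Collections.Generic.List[string]]::new()
function Note([bool]$ok, [string]$msg) {
    $tag = if ($ok) { 'OK  ' } else { 'FAIL' }
    $findings.Add("[$tag] $msg")
}

# Step 2: the KasperskyLab container must exist under CN=Services in the configuration partition.
$kseDn = "CN=KasperskyLab,CN=Services,$ConfigNC"
$container = Get-ADObject -Identity $kseDn -ErrorAction SilentlyContinue
Note ($null -ne $container) "Container $kseDn exists"

# Steps 4 and 10: all five account groups must exist and have the Universal scope.
$groups = 'Kse Watchdog Service', 'Kse Administrators', 'Kse Security Officers',
          'Kse AV Security Officers', 'Kse AV Operators'
foreach ($g in $groups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { Note $false "Group '$g' not found"; continue }
    Note ($grp.GroupScope -eq 'Universal') "Group '$g' scope is $($grp.GroupScope)"
}

# Step 5: the Kse Watchdog Service group must be in the local Administrators group of this Exchange server.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$inAdmins = $localAdmins | Where-Object { $_.Name -like '*\Kse Watchdog Service' }
Note ($null -ne $inAdmins) "'Kse Watchdog Service' is a member of local Administrators"

# Steps 8 and 9: the ApplicationImpersonation role must be assigned to the group.
if (Get-Command Get-ManagementRoleAssignment -ErrorAction SilentlyContinue) {
    $ra = Get-ManagementRoleAssignment -Role ApplicationImpersonation -ErrorAction SilentlyContinue |
          Where-Object { $_.RoleAssigneeName -eq 'Kse Watchdog Service' }
    Note ($null -ne $ra) "ApplicationImpersonation is assigned to 'Kse Watchdog Service'"
} else {
    Note $false "Exchange Management Shell cmdlets not available; impersonation check skipped"
}

# Steps 14 to 16: SQL-side checks, run with the calling account's Windows credentials.
$dbOwnerQuery = @"
SELECT dp.name AS principal_name
FROM sys.database_role_members rm
JOIN sys.database_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.database_principals dp ON dp.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner';
"@
try {
    $owners = Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $dbOwnerQuery -ErrorAction Stop
    $watchdogOwner = $owners | Where-Object { $_.principal_name -like '*\Kse Watchdog Service' }
    Note ($null -ne $watchdogOwner) "'Kse Watchdog Service' holds db_owner on $Database"

    # Server-level permission of the account that will run the Setup Wizard (step 16).
    $viewAny = Invoke-Sqlcmd -ServerInstance $SqlServer `
        -Query "SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW ANY DEFINITION') AS has_perm;" -ErrorAction Stop
    Note ($viewAny.has_perm -eq 1) "Current account has VIEW ANY DEFINITION on $SqlServer"
} catch {
    Note $false "SQL checks could not run: $($_.Exception.Message)"
}

$findings | ForEach-Object { Write-Output $_ }
```

Run the script on the Exchange server under the account intended for installation; every line marked FAIL corresponds to one of the numbered steps above that still has to be completed (or to a module that is not loaded), and nothing is modified in Active Directory or on the SQL server.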

If the application is installed with, or works with, an SQL database configured with AlwaysOn technology, you must synchronize the rights across all servers that belong to the database mirroring group.
