Usage of TLS
We recommend prohibiting insecure connections to Administration Server. For example, you can prohibit connections that use HTTP in the Administration Server settings.
Please note that by default, several HTTP ports of Administration Server are closed. The remaining open HTTP port, 8060, is used by the Administration Server Web Server. Access to this port can be limited by the firewall settings of the Administration Server device.
Strict TLS settings
We recommend using TLS protocol version 1.2 or later, and restricting or prohibiting insecure encryption algorithms.
You can configure the encryption protocols (TLS) used by Administration Server. Please note that at the time of the release of a version of Administration Server, the encryption protocol settings are configured by default to ensure secure data transfer.
Prohibition of remote authentication by using Windows accounts
You can use the LP_RestrictRemoteOsAuth flag to prohibit SSPI connections from remote addresses. This flag allows you to prohibit remote authentication on Administration Server by using local or domain Windows accounts.
To switch the LP_RestrictRemoteOsAuth flag to the mode that prohibits connections from remote addresses, run the following command on the Administration Server device:
klscflag.exe -fset -pv .core/.independent -s KLLIM -n LP_RestrictRemoteOsAuth -t d -v 1
The LP_RestrictRemoteOsAuth flag does not work if remote authentication is performed through Kaspersky Security Center Web Console or Administration Console that is installed on the Administration Server device.
Restricting access to the Administration Server database
We recommend restricting access to the Administration Server database. For example, grant access only from the Administration Server device. This reduces the likelihood of the Administration Server database being compromised due to known vulnerabilities.
Configure the parameters according to the documentation of the database you use, and close the database ports on firewalls.
Authenticating Microsoft SQL Server
If Kaspersky Security Center uses Microsoft SQL Server as a DBMS, it is necessary to protect Kaspersky Security Center data transferred to or from the database and data stored in the database from unauthorized access. To do this, you must provide secure communication between Kaspersky Security Center and SQL Server. The most reliable way to provide secure communication is to install Kaspersky Security Center and SQL Server on the same device and use the shared memory mechanism for both applications. In all other cases, we recommend that you use an SSL/TLS certificate to authenticate the SQL Server instance.
Generally, Administration Server can address SQL Server through the following providers:
- The default provider. This provider is installed as part of the Windows operating system and is used unless another provider is selected.
- The provider selected by the KLDBADO_UseMSOLEDBSQL variable (the Microsoft OLE DB Driver for SQL Server). If you want to use this provider, you have to install it on the device with Administration Server, and then set the global environment variable KLDBADO_UseMSOLEDBSQL to the value 1.
- The MSOLEDBSQL19 provider. If you want to use this provider, you have to install it on the device with Administration Server, and then set the global environment variable KLDBADO_UseMSOLEDBSQL to the value 1 and the global environment variable KLDBADO_ProviderName to the value MSOLEDBSQL19.
Also, before using TCP/IP, Named Pipes, or Shared Memory, make sure that the required protocol is enabled on the SQL Server instance.
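The provider selection above is done through machine-wide environment variables. The following PowerShell fragment is an added example, not part of the Kaspersky documentation, showing the two variables set at the scope the Administration Server service actually reads and then read back for verification. The Administration Server service name used for the restart is an assumption; confirm it with Get-Service on your device.

```powershell
# Select the MSOLEDBSQL19 provider for the Administration Server's SQL Server connection.
# Constructed example; the service name 'kladminserver' is an assumption.
$providerVars = @{
    KLDBADO_UseMSOLEDBSQL = '1'
    KLDBADO_ProviderName  = 'MSOLEDBSQL19'
}

foreach ($name in $providerVars.Keys) {
    # 'Machine' scope is what "global environment variable" means here: the
    # Administration Server runs as a Windows service and never sees variables
    # that were set only in an administrator's user scope or in the current shell.
    [Environment]::SetEnvironmentVariable($name, $providerVars[$name], 'Machine')
}

# Read the values back from the machine scope. The current shell's copy of the
# environment is stale until a new process starts, so query the scope directly.
foreach ($name in $providerVars.Keys) {
    '{0} = {1}' -f $name, [Environment]::GetEnvironmentVariable($name, 'Machine')
}

# The service process has to be restarted before it picks up the new variables.
Restart-Service -Name 'kladminserver'   # assumed service name; verify with Get-Service
```

If only the newer provider selection is wanted without MSOLEDBSQL19, drop the KLDBADO_ProviderName entry from the table and keep KLDBADO_UseMSOLEDBSQL at 1, as the provider list above describes.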
Security interaction with an external DBMS
If the DBMS is installed on a separate device during the installation of Administration Server (external DBMS), we recommend configuring the parameters for secure interaction and authentication with this DBMS. For more information about configuring SSL authentication, refer to Authenticating PostgreSQL Server and Scenario: Authenticating MySQL Server.
Configuring an allowlist of IP addresses to connect to Administration Server
By default, Kaspersky Security Center users can log in to Kaspersky Security Center from any device where the MMC-based Administration Console, Kaspersky Security Center Web Console or OpenAPI applications are installed. You can configure Administration Server so that users can connect to it only from devices with allowed IP addresses. For example, if an intruder tries to connect to Kaspersky Security Center through Kaspersky Security Center Web Console Server installed on a device that is not included in the allowlist, he or she will not be able to log in to Kaspersky Security Center.
Configuring an allowlist of IP addresses to connect to Kaspersky Security Center Web Console
By default, Kaspersky Security Center users can connect to Kaspersky Security Center Web Console from any device. On a device with Kaspersky Security Center Web Console installed, you must configure the firewall (built into the operating system or a third-party one) so that users can connect to Kaspersky Security Center Web Console only from allowed IP addresses.
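The firewall allowlist for the Web Console device can be built with the Windows Defender Firewall cmdlets. The block below is an added example, not part of the Kaspersky documentation. The Web Console port (8080) and the allowed source addresses are placeholders; use the port that was configured when Web Console was installed. The point a practitioner needs here is rule precedence: Windows Defender Firewall applies Block rules before Allow rules, so an allowlist is expressed as "default inbound = Block" plus a scoped Allow rule, never as a broad Block rule plus an Allow rule (that combination blocks everyone).

```powershell
# Restrict inbound access to the Web Console port to an allowlist of source addresses.
# Constructed example; port and addresses are placeholders for your environment.
$WebConsolePort = 8080                                   # assumption: default Web Console port
$AllowedSources = @('10.10.20.0/24', '192.0.2.15')        # constructed allowlist

# 1. Make sure unsolicited inbound traffic is dropped unless a rule allows it.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. Find existing inbound Allow rules that already open this port, and disable them;
#    any of them would silently widen the allowlist. They are listed so the change
#    can be reviewed before the rules are deleted for good.
$existing = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$WebConsolePort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$existing | ForEach-Object { "Disabling broader rule: $($_.DisplayName)" }
$existing | Disable-NetFirewallRule

# 3. Create the scoped Allow rule. RemoteAddress limits the rule to the allowlist.
New-NetFirewallRule -DisplayName 'KSC Web Console - allowlisted sources' `
    -Direction Inbound -Protocol TCP -LocalPort $WebConsolePort `
    -RemoteAddress $AllowedSources -Action Allow -Profile Any

# 4. Verify: show every rule on this port together with its address scope, so a
#    rule with RemoteAddress 'Any' cannot go unnoticed.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$WebConsolePort" } |
    Get-NetFirewallRule |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Enabled = $_.Enabled
            Action  = $_.Action
            Remote  = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
```

Administrators who manage the Web Console device from a jump host must include that host in the list, or the change locks them out of the console along with everyone else.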
Security of connection to the domain controller during the polling
Administration Server or a Linux distribution point connects to the domain controller over LDAPS to poll the domain. By default, certificate verification is not required when connecting. To enforce certificate verification, set the KLNAG_LDAP_TLS_REQCERT flag to 1. Also, you can specify a custom path to the certificate authority (CA) certificate used to validate the certificate chain by using the KLNAG_LDAP_SSL_CACERT flag.
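Two of the recommendations on this page, the strict TLS settings for the Administration Server and certificate verification for the LDAPS connection to the domain controller, are easiest to confirm from the outside with one small probe. The function below is an added example, not Kaspersky code: it opens a TLS handshake to a host and port with one fixed protocol version and reports whether the handshake succeeded, what certificate the server presented, and whether that certificate chains to a CA trusted by the probing machine. The host names are placeholders; port 8060 comes from the TLS section above and 636 is the standard LDAPS port.

```powershell
# Probe a TLS endpoint with one specific protocol version and report the outcome.
# Constructed example; host names are placeholders for your environment.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int]    $Port,
        [System.Security.Authentication.SslProtocols] $Protocol = 'Tls12'
    )
    $result = [ordered]@{
        Host = $ComputerName; Port = $Port; Protocol = $Protocol
        Handshake = $false; Subject = $null; Issuer = $null; ChainStatus = $null; Error = $null
    }
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
        # The callback always returns $true so that the certificate of an endpoint with
        # a broken chain can still be inspected. This is a diagnostic only; the trust
        # verdict is taken from the explicit chain build below, never from the callback.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $true)
        $result.Handshake = $true

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $result.Subject = $cert.Subject
        $result.Issuer  = $cert.Issuer

        # Build the chain against the probing machine's trusted root store; an empty
        # status list means the chain validates, otherwise the reasons are listed.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($cert)
        $result.ChainStatus = if ($chain.ChainStatus.Count -eq 0) { 'OK' }
                              else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
    [pscustomobject]$result
}

# Strict TLS check: the Administration Server Web Server port should refuse TLS 1.0
# and 1.1 (Handshake = False) and accept TLS 1.2.
$adminServer = 'ksc-server.example.local'          # placeholder
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsEndpoint -ComputerName $adminServer -Port 8060 -Protocol $p
}

# LDAPS check: the domain controller's certificate should chain to a CA the Administration
# Server trusts (ChainStatus = OK) before KLNAG_LDAP_TLS_REQCERT is set to 1; if it does
# not, the poll will fail once verification is enforced.
Test-TlsEndpoint -ComputerName 'dc01.example.local' -Port 636
```

Run the probe from the Administration Server device itself, because the chain verdict depends on the trust store of the machine that runs it. A failed TLS 1.0 or 1.1 handshake can also be caused by the probing client's own operating-system policy rather than by the server, so read a refusal together with the Error text before concluding that the server enforces the setting.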