Selecting an Administration Server protection software
Depending on the type of the Administration Server deployment and the general protection strategy, select the application to protect the Administration Server device.
If you deploy Administration Server on a dedicated device, we recommend selecting the Kaspersky Endpoint Security application to protect the Administration Server device. This allows applying all available technologies to protect the Administration Server device, including behavioral analysis modules.
If Administration Server is installed on a device that exists in the infrastructure and has previously been used for other tasks, we recommend considering the following protection software:
Creating a separate security policy for the protection application
We recommend that you create a separate security policy for the application that protects the Administration Server device. This policy must be different from the security policy for client devices. This allows specifying the most appropriate security settings for Administration Server, without affecting the protection level of other devices.
We recommend dividing devices into groups, and then placing the Administration Server device into a separate group for which you can create a special security policy.
Protection modules
If there are no special recommendations from the vendor of the third-party software installed on the same device as Administration Server, we recommend activating and configuring all available protection modules (after checking the operation of these protection modules for a certain time).
Configuring the firewall of the Administration Server device
On the Administration Server device, we recommend configuring the firewall to restrict the number of devices from which administrators can connect to Administration Server through Administration Console or Kaspersky Security Center Web Console.
By default, Administration Server uses port 13291 to receive connections from Administration Console and port 13299 to receive connections from Kaspersky Security Center Web Console. We recommend restricting the number of devices from which Administration Server can be managed by using these ports.
Prohibition of launching the control panel
If you install Administration Server on a device running Microsoft Windows and use the protection application with the Application Launch Control module, you can prohibit the launch of the control panel (control.exe) for unprivileged users, for example, the Administrators group.
After creating the specified prohibiting control rules of the application launch, users with the privileges of the pre-defined Administrator role lose the ability to control other network accounts, including changing their logins and passwords.
Page top