Usage of TLS
We recommend prohibiting insecure connections to Administration Server. For example, you can prohibit connections that use HTTP in the Administration Server settings.
Please note that by default, several HTTP ports of Administration Server are closed. The remaining port is used for the Administration Server Web Server (8060). Access to this port can be restricted by the firewall settings of the Administration Server device.
Strict TLS settings
We recommend using TLS protocol version 1.2 and later, and restricting or prohibiting insecure encryption algorithms.
You can configure the encryption protocols (TLS) used by Administration Server. Please note that the default encryption protocol settings are configured to ensure secure data transfer as of the release date of each Administration Server version.
Restricting access to the Administration Server database
We recommend restricting access to the Administration Server database. For example, grant access only from the Administration Server device. This reduces the likelihood of the Administration Server database being compromised due to known vulnerabilities.
You can configure these parameters according to the documentation of the database you use, and close the database ports on firewalls.
Secure interaction with an external DBMS
If the DBMS is installed on a separate device during the installation of Administration Server (external DBMS), we recommend configuring the parameters for secure interaction and authentication with this DBMS. For more information about configuring SSL authentication, refer to Authenticating PostgreSQL Server and Scenario: Authenticating MySQL Server.
Configuring an allowlist of IP addresses to connect to Administration Server
By default, Kaspersky Security Center Linux users can log in to Kaspersky Security Center Linux from any device where Kaspersky Security Center Web Console or OpenAPI applications are installed. You can configure Administration Server so that users can connect to it only from devices with allowed IP addresses. For example, if an intruder tries to connect to Kaspersky Security Center Linux through Kaspersky Security Center Web Console Server installed on a device that is not included in the allowlist, he or she will not be able to log in to Kaspersky Security Center Linux.
Configuring an allowlist of IP addresses to connect to Kaspersky Security Center Web Console
By default, Kaspersky Security Center Linux users can connect to Kaspersky Security Center Web Console from any device. On a device with Kaspersky Security Center Web Console, you must configure the firewall (built into the operating system or a third-party one) so that users can connect to Kaspersky Security Center Web Console only from allowed IP addresses.
Security of the connection to the domain controller during polling
To poll the domain controller, Administration Server or a Linux distribution point tries to connect to this domain over LDAPS. By default, certificate verification is not required when connecting. To enforce certificate verification, set the KLNAG_LDAP_TLS_REQCERT flag to 1. Also, you can specify a custom path to the certificate authority (CA) to access the certificate chain by using the KLNAG_LDAP_SSL_CACERT flag.
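Before enforcing verification, you can confirm that the domain controller's LDAPS certificate validates against the CA you intend to reference and that the connection negotiates TLS 1.2 or later. The following Python check is an added example, not Kaspersky code: it models the two settings with Python's ssl module rather than reading the flags, and the function names and the host dc.example.test are assumptions.

```python
import os
import socket
import ssl
from typing import Optional, Tuple


def build_ldaps_context(require_cert: bool, ca_path: Optional[str] = None) -> ssl.SSLContext:
    """TLS client context for LDAPS.

    require_cert=False models the default (certificate not verified);
    require_cert=True models enforced verification. ca_path is a CA bundle
    file or directory; None falls back to the system trust store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    if not require_cert:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and check_hostname=True.
    if ca_path is None:
        ctx.load_default_certs()
    elif os.path.isdir(ca_path):
        ctx.load_verify_locations(capath=ca_path)
    else:
        ctx.load_verify_locations(cafile=ca_path)
    return ctx


def check_ldaps(host: str, port: int = 636, ca_path: Optional[str] = None,
                timeout: float = 5.0) -> Tuple[bool, str]:
    """Return (ok, detail) for a handshake with verification enforced."""
    try:
        ctx = build_ldaps_context(True, ca_path)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # Covers unreadable CA path, refused connection, protocol mismatch.
        return False, f"error: {exc}"


if __name__ == "__main__":
    # Constructed placeholders: replace with your domain controller and CA file.
    print(check_ldaps("dc.example.test", ca_path="/path/to/ca.pem"))
```

A result of (False, "certificate rejected: ...") means the same certificate would be refused once verification is enforced, so fix the CA chain or the certificate's host name first.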