Accounts and authentication

Before performing the below steps, create a Kaspersky Security Center Linux Administration Server backup copy using the Backup of Administration Server data task or klbackup utility and save it in a safe location.

Using two-step verification with Administration Server

Kaspersky Security Center Linux provides two-step verification for users of Kaspersky Security Center Web Console, based on the RFC 6238 standard (TOTP: Time-Based One-Time Password algorithm).

When two-step verification is enabled for your own account, every time you log in to Kaspersky Security Center Web Console, you enter your user name, password, and an additional single-use security code. To receive a single-use security code, you must install an authenticator app on your computer or your mobile device.

There are both software and hardware authenticators (tokens) that support the RFC 6238 standard. For example, software authenticators include Google Authenticator, Microsoft Authenticator, FreeOTP.

We strongly advise against installing the authenticator app on the same device from which the connection to Administration Server is established. Install the authenticator app on your mobile device instead.

Restricting new users from setting up two-step verification for themselves

In order to further improve Kaspersky Security Center Web Console access security, you can prohibit new users from setting up two-step verification for themselves.

If this option is enabled, a user with disabled two-step verification, for example a new domain administrator, cannot configure two-step verification for themselves. Therefore, such a user cannot be authenticated on Administration Server and cannot sign in to Kaspersky Security Center Web Console without approval from another Kaspersky Security Center Linux administrator who already has two-step verification enabled.

Using two-factor authentication for an operating system

We recommend using multi-factor authentication (MFA) for authentication on the Administration Server device by using a token, a smart card, or other method (if possible).

Restricting saving the administrator password

If you use Kaspersky Security Center Web Console, we do not recommend saving the administrator password in the browser installed on the user device.

Authentication of an internal user account

By default, the password of an internal user account of Administration Server must comply with the following rules:

By default, the maximum number of allowed attempts to enter a password is 10. You can change the number of allowed password entry attempts.

The Kaspersky Security Center Linux user can enter an invalid password a limited number of times. After the limit is reached, the user account is blocked for one hour.

Configuring the options for changing the password of an internal user account

We recommend configuring the following options for changing the password of an internal user account:

Account protection from unauthorized modification

We recommend enabling an additional option to protect an internal user account of Administration Server from unauthorized modification. This protection must be configured separately for each internal user.

Dedicated administration group for Administration Server

We recommend creating a dedicated administration group for Administration Server. Grant this group special access rights and create a special security policy for it.

To prevent the security level of Administration Server from being deliberately lowered, we recommend restricting the list of accounts that can manage the dedicated administration group.

Restricting the assignment of the Main Administrator role

The user created by the kladduser utility is assigned the Main Administrator role in the access control list (ACL) of Administration Server or virtual Administration Server. We recommend avoiding the assignment of the Main Administrator role to a large number of users.

Configuring access rights to application features

We recommend using flexible configuration of access rights to the features of Kaspersky Security Center Linux for each user or group of users.

Role-based access control allows the creation of standard user roles with a predefined set of rights and the assignment of those roles to users depending on their scope of duties.

The main advantages of the role-based access control model:

You can assign built-in roles to certain employees based on their positions, or create completely new roles.

While configuring roles, pay attention to the privileges associated with changing the protection state of Administration Server device and remote installation of third-party software:

Separate account for remote installation of applications

In addition to the basic differentiation of access rights, we recommend restricting the remote installation of applications for all accounts (except for the Main Administrator or another specialized account).

We recommend using a separate account for remote installation of applications. You can assign a role or permissions to the separate account.

Regular audit of all users and users' actions

We recommend conducting a regular audit of all users on the Administration Server device. This allows you to respond to certain types of security threats associated with possible compromise of the device.

Also, you can track the users' actions, such as connecting to and disconnecting from Administration Server, failed connection attempts to Administration Server, and object modification (for objects that support revision management).