Managing protection of client devices

Restricting of adding license keys to installation packages

Installation packages are stored in the Administration Server shared folder, in the Packages subfolder. If you add a license key to an installation package, the license key can be accessed by all users with read rights to this folder (directly or via the Web server embedded in Administration Server).

To avoid compromising the license key, we do not recommend adding license keys to installation packages.

We recommend using automatic distribution of license keys to managed devices, deployment through the Add license key task for a managed application, and adding an activation code or a key file manually to the devices.

Automatic rules for moving devices between administration groups

We recommend restricting the use of automatic rules for moving devices between administration groups.

If you use automatic rules for moving devices, this may lead to propagation of policies that provide more privileges to the moved device than the device has before relocation.

Also, moving a client device to another administration group may lead to propagation of policy settings. These policy settings may be undesirable for distribution to guest and untrusted devices.

This recommendation does not apply for one-time initial allocation of devices to administration groups.

Security requirements for distribution points and connection gateways

Devices with Network Agent installed can act as a distribution point and perform the following functions:

• Distribute updates and installation packages received from Administration Server to client devices within the group.
• Perform remote installation of third-party software and Kaspersky applications on client devices.
• Poll the network to detect new devices and update information about existing ones. The distribution point can use the same methods of device detection as Administration Server.

Placing distribution points on the organization's network used for:

• Reducing the load on Administration Server
• Traffic optimization
• Providing Administration Server with access to devices in hard-to-reach parts of the network

Taking into account the available capabilities, we recommend protecting devices that act as distribution points from any type of unauthorized access (including physically).

Restricting automatic assignment of distribution points

To simplify administration and keep the network operability, we recommend using automatic assignment of distribution points. However, for industrial networks and small networks, we recommend that you avoid assigning distribution points automatically, since, for example, the private information of the accounts used for pushing remote installation tasks, can be transferred to distribution points by means of the operating system.

For industrial networks and small networks, you can manually assign devices to act as distribution points.

You can also view the Report on activity of distribution points.

Security requirements for devices of Kaspersky Security Center Linux users

Special security requirements must be applied to Kaspersky Security Center Linux users' devices. We recommend protecting these devices against any type of unauthorized access (including physically).

Kaspersky Security Center Linux user devices include the following:

• Devices from which Kaspersky Security Center Linux users connect to Kaspersky Security Center Web Console by using a browser.
• Devices from which applications that interact with Administration Server via OpenAPI are connected to Kaspersky Security Center Linux.

Security requirements for devices with Kaspersky Security Center Web Console installed

Devices with Kaspersky Security Center Web Console installed are used to manage Kaspersky Security Center Linux, so special requirements must apply to the security of these devices. We recommend protecting these devices against any type of unauthorized access (including physically).

Page top