Hardening checklist

Administration Server deployment

• Install Administration Server on a dedicated physical or virtual server.
• Do not use the dedicated server for running other services.
• Do not install Administration Server (hereinafter referred to as the Server) on a:
  • Domain controller
  • Terminal server
  • User device

Connection safety

• Configure a firewall to restrict access to the Server device on all ports and protocols except for the ports required by the Server. Allow access to the Server device only from trusted devices.
• Configure an allowlist of IP addresses for Server ports used to connect Kaspersky Security Center Web Console (also referred to as Web Console) to Server.
• Configure the firewall to allow access to Server through Web Console only from trusted devices.
• Configure the TLS protocol version 1.2 or higher on Server.
• Configure a firewall to restrict access to the device with the Server DBMS installed.
• Configure SSL authentication between Server and DBMS (MySQL or PostgreSQL).

Accounts and authorization

• Enable two-factor authentication (TOTP, RFC 6238) for Server access.
• Do not install the authenticator application on the same device from which the connection to Server through Web Console is established.
• Use multi-factor authentication (MFA) for access to the Server device by using a token, a smart card, or other method.
• Create a dedicated administration group for the Server device and create a special security policy for it.
• Restrict the number of users who have the Main Administrator role.
• Configure access rights to Server features based on roles of users and groups.
• Allow remote installation of applications only for a separate user account.
• Conduct a regular audit of all users on the Server device.

Managing protection of Administration Server

• Install a security application on the Server device:
  • For a physical server – Kaspersky Endpoint Security
  • For a virtual server – Kaspersky Security for Virtualization
• Create and apply a separate policy for Server protection (different from the security policies for other managed devices).
• Enable all available protection modules in the security application.

Configuring policies and tasks for managed applications

• Create and apply policies to all managed devices or to the group with new managed devices for the following applications:
  • Network Agent
  • Kaspersky Endpoint Security for Windows/Linux/macOS
  • Kaspersky Endpoint Agent (or other Kaspersky applications)
• Enable password protection against disabling protection or uninstalling Kaspersky applications.
• Lock policy settings (close the "lock") to prevent the reassignment of these settings on managed devices.
• Create a scheduled full scan task of all devices.
• Enable the use of Kaspersky Security Network (KSN) and accept the latest KSN Statement.
• Configure device discovery and specify the default administration group for newly discovered devices.
• Restrict the use of automatic rules for moving devices between administration groups.
• Protect distribution points from unauthorized access.
• Avoid assigning distribution points automatically in small networks or high-importance networks.

Administration Server maintenance

• Do not delete or disable the following tasks:
  • Backup
  • Administration Server maintenance
• Regularly install OS and third-party software updates.

Event transfer to third-party systems

• Configure monitoring and reporting of security events.
• Configure event export to a SIEM system.
• Configure Server notifications for:
  • Audit events
  • Critical events
  • Failure events and warnings

Security recommendations for third-party information systems

• Apply CIS Benchmarks security recommendations to the used operating systems, DBMS, and hypervisors.
• For Astra Linux, follow the security recommendations from the corresponding Red Book version.
• For RED OS, follow the recommendations provided in the official RED OS documentation.

Page top