Advanced settings after installation of the Application Console on another device

If the Application Console has been installed on any device in the network, other than a protected device, perform the following actions to allow users to manage Kaspersky Industrial CyberSecurity for Nodes remotely:

• Use a user account that has permission to connect remotely in the application settings. By default, all users in the Administrators and KICS Administrators groups have this permission.
• On the remote device, in the Windows Firewall settings, open the TCP 13032 port for connection by Windows system user accounts and TCP 13031 for connection by user accounts manually created in application settings. Also allow network connections for the executable file of the Kaspersky Industrial CyberSecurity for Nodes remote management process, avp.exe. You can manage this setting using the ADDWFEXCLUSION=1 option when installing the application on the command line.

If you need to run Kaspersky Industrial CyberSecurity for Nodes remotely, additionally do the following:

The user account that will remotely start the application must be part of the Administrators group. Make sure that this account has necessary permissions to manage Kaspersky Industrial CyberSecurity for Nodes as well as to manage Kaspersky Security Service.

• On the remote device, in the Windows Firewall settings, enable the File and Printer Sharing (SMB-In) rule (port TCP 445). We also recommend opening port TCP 135 to facilitate the connection to the device.
• For remote devices running Windows Vista or later that are not part of a domain or are managed by a local user account, disable remote control of user accounts (UAC).
  1. Open the registry editor on the computer.
  2. In the registry editor, open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key.
  3. Open the LocalAccountTokenFilterPolicy value.

     If the LocalAccountTokenFilterPolicy value is missing under this key, create a DWORD (32-bit) value with this name (for details, refer to the Microsoft Technical Support website).

  4. Set it to 1 and click OK.

     Disabling remote UAC does not affect local UAC.

• If the device on which the Application Console is installed or the protected device run Windows 8.1 or an earlier version of Windows, enable the support of shared access to SMB 1.0/CIFS files on devices running Windows 10 or later.
  • In the "Windows Features" application:
    1. Select Start → Control Panel → Programs and Features → Turn Windows features on or off.
    2. In the Windows Features window, select the SMB 1.0/CIFS File Sharing Support check box.
    3. Click OK.
  • In Windows PowerShell:
    1. Run Windows PowerShell as administrator.
    2. Run the following command:

       Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

The same steps should be applied to configure any other software or hardware firewall.

If the Application Console is open while you configure the connection between the protected device and the device on which the Application Console is installed:

1. Close the Application Console.
2. Wait until the Kaspersky Industrial CyberSecurity for Nodes remote management process avp.exe is finished.
3. Restart the Application Console.

   The new connection settings will be applied.

Page top