May 3, 2024

ID 245774

Using two-step verification with Administration Server

Kaspersky Security Center Linux provides two-step verification for users of Kaspersky Security Center Web Console, based on the RFC 6238 standard (TOTP: Time-Based One-Time Password algorithm).

When two-step verification is enabled for your own account, every time you log in to Kaspersky Security Center Web Console you enter your user name, your password, and an additional single-use security code. To generate single-use security codes, you must install an authenticator application on your computer or your mobile device.

Both software and hardware authenticators (tokens) that support the RFC 6238 standard can be used. Examples of software authenticators include Google Authenticator, Microsoft Authenticator, and FreeOTP.

We strongly recommend against installing the authenticator application on the same device from which the connection to Administration Server is established, because a compromise of that device would then expose both factors at once. Install the authenticator application on your mobile device instead.

Using two-factor authentication for an operating system

We recommend using multi-factor authentication (MFA) for authentication on the Administration Server device by using a token, a smart card, or other method (if possible).

Prohibition on saving the administrator password

If you use Kaspersky Security Center Web Console, we do not recommend saving the administrator password in the browser installed on the user device.

Authentication of an internal user account

By default, the password of an internal user account of Administration Server must comply with the following rules:

  • The password must be 8 to 16 characters long.

  • The password must contain characters from at least three of the groups listed below:

    • Uppercase letters (A-Z)

    • Lowercase letters (a-z)

    • Numbers (0-9)

    • Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)

  • The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@", when "." is placed before "@".

By default, a user can enter an invalid password at most 10 times. After the limit is reached, the user account is blocked for one hour. You can change the number of allowed password entry attempts.
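The following Python code is an added example, not Kaspersky code: a checker for the default password rules listed above, plus a per-account lockout counter with the documented defaults (10 attempts, then a one-hour block). The rule about "." placed before "@" is read here as any "." appearing anywhere before a later "@"; that reading is an assumption about the product's behaviour, and it is stricter than (and includes) the reading that only the adjacent pair ".@" is forbidden.

```python
from collections import defaultdict

# Default policy values from the text above.
MIN_LEN, MAX_LEN = 8, 16
MIN_GROUPS = 3
SPECIALS = set("@#$%^&*-_!+=[]{}|:',.?/\\`~\"();")


def password_violations(password: str) -> list:
    """Return the default-policy rules the password breaks; an empty list
    means the password complies."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    groups = sum([
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(c in SPECIALS for c in password),
    ])
    if groups < MIN_GROUPS:
        problems.append(f"must use at least {MIN_GROUPS} of 4 character groups")
    if any(c.isspace() for c in password):
        problems.append("must not contain whitespace")
    # "Unicode characters" is read as anything outside 7-bit ASCII.
    if any(ord(c) > 0x7F for c in password):
        problems.append("must not contain Unicode characters")
    # Assumption: the rule is read as any '.' occurring before a later '@'.
    if "@" in password and "." in password[: password.rindex("@")]:
        problems.append("must not contain '.' before '@'")
    return problems


class LoginThrottle:
    """Per-account failed-attempt counter mirroring the documented default:
    after `max_attempts` wrong passwords the account is blocked for
    `lockout_seconds`, during which even the correct password is rejected."""

    def __init__(self, max_attempts: int = 10, lockout_seconds: int = 3600):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def is_blocked(self, user: str, now: int) -> bool:
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if now >= until:  # block expired: reset and let the user try again
            del self.blocked_until[user]
            self.failures[user] = 0
            return False
        return True

    def record(self, user: str, password_ok: bool, now: int) -> bool:
        """Record one login attempt; returns True only if it is accepted."""
        if self.is_blocked(user, now):
            return False
        if password_ok:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:
            self.blocked_until[user] = now + self.lockout_seconds
        return False
```

Note that `record` refuses a correct password while the block is active, which is what the documented behaviour implies; a throttle that only counts failures and lets a correct password through during the block would defeat the purpose of the lockout.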

Dedicated administration group for Administration Server

We recommend creating a dedicated administration group for Administration Server. Grant this group special access rights and create a special security policy for it.

To prevent the security level of Administration Server from being deliberately lowered, we recommend restricting the list of accounts that can manage the dedicated administration group.

Restricting the assignment of the Main Administrator role

The user created by the kladduser utility is assigned the Main Administrator role in the access control list (ACL) of Administration Server. We recommend against assigning the Main Administrator role to a large number of users.

Configuring access rights to application features

We recommend using flexible configuration of access rights to the features of Kaspersky Security Center Linux for each user or group of users.

Role-based access control allows the creation of standard user roles with a predefined set of rights and the assignment of those roles to users depending on their scope of duties.

The main advantages of the role-based access control model:

  • Ease of administration
  • Role hierarchy
  • Least privilege approach
  • Segregation of duties

You can assign built-in roles to certain employees based on their positions, or create completely new roles.

While configuring roles, pay attention to the privileges that allow changing the protection state of the Administration Server device and remote installation of third-party software:

  • Managing administration groups.
  • Operations with Administration Server.
  • Remote installation.
  • Changing the parameters for storing events and sending notifications.

    This privilege allows you to set notifications that run a script or an executable module on the Administration Server device when an event occurs. That amounts to code execution on the Administration Server itself, so grant it as carefully as full administrative access.

Separate account for remote installation of applications

In addition to the basic differentiation of access rights, we recommend restricting the remote installation of applications for all accounts (except for the Main Administrator or another specialized account).

We recommend using a separate account for remote installation of applications. You can assign a role or permissions to the separate account.
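The following Python script is an added example and is not code from Kaspersky Security Center. It audits role assignments the way the two preceding sections recommend: it computes each user's effective rights through a role hierarchy, flags every user who ends up with one of the four sensitive privileges listed above, checks that Remote installation is held only by the Main Administrator and one dedicated deployment account, and warns when Main Administrator is assigned to too many users. The role names other than Main Administrator, the non-sensitive right names, and the threshold on how many users may hold Main Administrator are assumptions made for illustration, not product defaults.

```python
# The four privileges the text singles out: each can change the protection
# state of the Administration Server device or install third-party software.
SENSITIVE_RIGHTS = {
    "Managing administration groups",
    "Operations with Administration Server",
    "Remote installation",
    "Changing the parameters for storing events and sending notifications",
}

# Hypothetical role hierarchy for illustration: role -> (parent, own rights).
# Only "Main Administrator" is a name the page uses; the other roles and the
# non-sensitive right names are invented for this example.
ROLES = {
    "Main Administrator": (None, SENSITIVE_RIGHTS | {"Read events", "Manage policies"}),
    "Operator": (None, {"Read events"}),
    "Policy Admin": ("Operator", {"Manage policies"}),
    "Deployer": ("Operator", {"Remote installation"}),
}


def effective_rights(role: str) -> set:
    """Rights granted directly to a role plus everything inherited up the
    parent chain (the role hierarchy mentioned above)."""
    rights, seen = set(), set()
    while role is not None and role not in seen:
        seen.add(role)
        parent, own = ROLES[role]
        rights |= own
        role = parent
    return rights


def audit_assignments(assignments: dict, deploy_account: str,
                      max_main_admins: int = 2) -> list:
    """assignments: user -> set of role names.
    deploy_account: the dedicated account for remote installation.
    max_main_admins: illustrative cap, not a product default.
    Returns (rule, subject, detail) tuples for review."""
    findings = []
    main_admins = sorted(u for u, roles in assignments.items()
                         if "Main Administrator" in roles)
    if len(main_admins) > max_main_admins:
        findings.append(("too-many-main-admins", ",".join(main_admins),
                         f"{len(main_admins)} users hold Main Administrator "
                         f"(limit {max_main_admins})"))
    for user, roles in sorted(assignments.items()):
        rights = set().union(*(effective_rights(r) for r in roles))
        hot = sorted(rights & SENSITIVE_RIGHTS)
        if hot:
            findings.append(("sensitive-right", user, "; ".join(hot)))
        if ("Remote installation" in rights
                and user != deploy_account
                and "Main Administrator" not in roles):
            findings.append(("remote-install-outside-dedicated-account", user,
                             f"Remote installation should be limited to {deploy_account}"))
    return findings


if __name__ == "__main__":
    # Constructed sample assignments (user names are invented).
    sample = {
        "ksc-admin": {"Main Administrator"},
        "deploy-svc": {"Deployer"},
        "carol": {"Deployer", "Policy Admin"},
        "dave": {"Operator"},
    }
    for finding in audit_assignments(sample, deploy_account="deploy-svc"):
        print(*finding, sep=" | ")
```

The inherited-rights walk is what makes the check useful: a user who never held "Remote installation" directly can still acquire it through a parent role, which is exactly the case an ACL review done by eye tends to miss.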

Regular audit of all users

We recommend conducting a regular audit of all users on the Administration Server device. This allows you to respond to certain types of security threats associated with possible compromise of the device.
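The following Python script is an added example, not part of the product. It audits the local accounts of a Linux host from /etc/passwd and /etc/group content, flagging additional UID 0 accounts, login shells on accounts outside an approved list, and members of root/sudo/wheel (by supplementary or primary group) outside an approved administrator list. The input embedded below is constructed sample data with invented account names; on a real Administration Server device, pass the contents of /etc/passwd and /etc/group instead.

```python
# Constructed sample data standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ksc-admin:x:1000:1000:KSC administrator:/home/ksc-admin:/bin/bash
ksc:x:998:998:KSC service account:/var/opt/kaspersky:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/bin/bash
backupop:x:0:1002:legacy backup:/home/backupop:/bin/bash
bob:x:1003:1003::/home/bob:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:ksc-admin,alice
wheel:x:10:
ksc:x:998:
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", ""}
PRIVILEGED_GROUPS = {"root", "sudo", "wheel"}


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines into dicts; blank and comment lines are skipped."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "gid": int(gid), "shell": shell})
    return users


def parse_group(text: str) -> dict:
    """Map group name -> {"gid": int, "members": set} from group(5) lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def audit_accounts(passwd_text: str, group_text: str,
                   approved_logins: set, approved_admins: set) -> list:
    """Compare the host's accounts with what the administrator expects.
    approved_logins: accounts allowed an interactive shell.
    approved_admins: accounts allowed in root/sudo/wheel.
    Returns (finding, subject) tuples for review."""
    findings = []
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("extra-uid0", u["name"]))
        if u["shell"] not in NOLOGIN_SHELLS and u["name"] not in approved_logins:
            findings.append(("unexpected-login-shell", u["name"]))
    for gname, g in groups.items():
        if gname not in PRIVILEGED_GROUPS:
            continue
        # Primary-group membership via the passwd GID column counts too; a
        # user whose primary group is root is privileged even if absent here.
        members = set(g["members"]) | {u["name"] for u in users if u["gid"] == g["gid"]}
        for m in sorted(members - set(approved_admins)):
            findings.append(("unapproved-admin", f"{m}:{gname}"))
    return findings


if __name__ == "__main__":
    # To audit a real host: open("/etc/passwd").read(), open("/etc/group").read()
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_GROUP,
                                  approved_logins={"root", "ksc-admin", "alice"},
                                  approved_admins={"root", "ksc-admin"}):
        print(*finding, sep=" | ")
```

Keep the approved lists under version control and run the audit on a schedule; a diff between two runs is the quickest way to notice an account or sudo membership that appeared without a change request.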
