Forced deployment through the remote installation task of Kaspersky Security Center
To perform the initial deployment of Network Agents or other applications, you can force installation of selected installation packages by using the remote installation task of Kaspersky Security Center—provided that each device has a user account(s) with local administrator rights.
During initial deployment, Network Agent is not installed. This is why the Using Network Agent option is not applicable and you must choose between the following options:
- Using operating system resources through Administration Server.
- Using operating system resources through distribution points.
The Administration Server service must run under an account that has administrative privileges on the target devices.
Alternatively, you can specify an account that has access to the admin$ share in the General settings of the remote installation task.
Keep in mind that, by default, the remote installation task connects to devices by using the credentials of the account under which the Administration Server is running. It is important to clarify that this is the account used for accessing the admin$ share, rather than the account under which the remote installation task runs. Installation will be carried out under the LocalSystem account.
You can specify target devices either explicitly (with a list), by selecting the Kaspersky Security Center administration group to which they belong; or by creating a selection of devices based upon a specific criterion. The installation start time is defined by the task schedule. If the Run missed tasks setting is enabled in the task properties, the task can be run either immediately after target devices are turned on or when they are moved to the target administration group. For more details on the remote installation task settings, refer to Step 5 of the Protection deployment wizard.
Forced installation consists of delivering installation packages to target devices, subsequent copying of files to the admin$ resource on each of the target devices, and remote registration of supporting services on those devices. Delivery of installation packages to target devices is performed through a Kaspersky Security Center feature that ensures network interaction. The following conditions must be met in this case:
- Target devices are accessible from the Administration Server side or from the distribution point side.
- Name resolution for target devices functions properly on the network.
- The administrative shares (admin$) remain enabled on target devices.
- The following system services are running on target devices:
- Server (LanmanServer)
By default, this service is running.
- DCOM Server Process Launcher (DcomLaunch)
- RPC Endpoint Mapper (RpcEptMapper)
- Remote Procedure Call (RpcSs)
- Server (LanmanServer)
- Port TCP 445 is open on target devices to enable remote access through Windows tools.
TCP 139, UDP 137, and UDP 138 are used by older protocols and are no longer necessary for current applications.
Dynamic outbound access ports must be allowed on the firewall for connections from the Administration Server and distribution points to target devices.
- The Active Directory domain policy security settings are allowed to provide the operation of the NTLM protocol during the deployment of Network Agent.
- On target devices running Microsoft Windows XP, Simple File Sharing mode is disabled.
- On target devices, the access sharing and security model are set as Classic – local users authenticate as themselves; it can in no way be Guest only – local users authenticate as Guest.
- Target devices are members of the domain, or uniform accounts with administrator rights are created on target devices in advance.
Devices in workgroups can be adjusted in accordance with the above requirements by using the riprep.exe utility, which is described on the Kaspersky Technical Support website. Keep in mind that the riprep.exe utility is not recommended for use on Windows versions higher than Windows XP and Windows Server 2003 R2.
To successfully deploy Network Agent or other applications to a device that is not joined to a Windows Server 2003 or later Active Directory domain, you must disable remote UAC on that device. Remote UAC is one of the reasons that prevent local administrative accounts from accessing admin$, which is necessary for forced deployment of Network Agent or other applications. Disabling remote UAC does not affect local UAC.
During installation on new devices that have not yet been allocated to any of the Kaspersky Security Center administration groups, you can open the remote installation task properties and specify the administration group to which devices will be moved after Network Agent installation.
When creating a group task, keep in mind that each group task affects all devices in all nested groups within a selected group. Therefore, you must avoid duplicating installation tasks in subgroups.
Automatic installation is a simplified way to create tasks for forced installation of applications. To do this, open the administration group properties, open the list of installation packages, and then select the ones that must be installed on devices in this group. As a result, the selected installation packages will be automatically installed on all devices in this group and all of its subgroups. The time interval over which the packages will be installed depends on the network throughput and the total number of networked devices.
To reduce the load on Administration Server during the delivery of installation packages to target devices, you can select installation via distribution points in the installation task. Note that this installation method places a significant load on devices acting as distribution points. Therefore, it is recommended that you select devices that meet the requirements for distribution points. If you use distribution points, you have to make sure that they are present in each of the isolated subnets hosting target devices.
The free disk space in the partition with the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit folder must exceed, by many times, the total size of the distribution packages of installed applications.