Configuring isolated Administration Servers to fix vulnerabilities in an isolated network

After you finished configuring the Administration Server with internet access, prepare every isolated Administration Server in your network, so you can fix vulnerabilities and install updates on managed devices connected to isolated Administration Servers.

To configure isolated Administration Servers, perform the following actions on every Administration Server:

1. Activate a license key for the Vulnerability and patch management (VAPM) feature.
2. Create two folders on a disk where Administration Server is installed:
   • Folder where the list of required updates will appear
   • Folder for patches

   You can name these folders whatever you like.

3. Grant the Modify permission to the KLAdmins group in the created folders, by using the standard administrative tools of the operating system.
4. Use the klscflag utility to write the paths to the folders in the Administration Server properties.

   Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

5. Enter the following commands at the Windows command prompt:
   • To set the path to the folder for patches:

     klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PATH -t s -v "<path to the folder>"

   • To set the path to the folder for the list of required updates:

     klscflag -fset -pv klserver -n VAPM_REQ_EXPORT_PATH -t s -v "<path to the folder>"

   Example: klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PATH -t s -v "C:\FolderForPatches"

6. [Optional] Use the klscflag utility to specify how often the isolated Administration Server should check for new patches:

   klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PERIOD_SEC -t d -v <value in seconds>

   The default value is 120 seconds.

   Example: klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_PERIOD_SEC -t d -v 150

7. [Optional] Use the klscflag utility to calculate the SHA-256 hashes of patches:

   klscflag -fset -pv klserver -n VAPM_DATA_IMPORT_VERIFY_HASH -t d -v 1

   If you enter this command, you can make sure that the patches have not been modified during their transfer to the isolated Administration Server and that you have received the correct patches containing the required updates.

   By default, Kaspersky Security Center does not calculate the SHA-256 hashes of patches. If you enable this option, after the isolated Administration Server receives patches, Kaspersky Security Center computes their hashes and compares the acquired values with the hashes stored in the Administration Server database. If the calculated hash does not match the hash in the database, an error occurs and you have to replace the incorrect patches.

8. Create the Find vulnerabilities and required updates task and set the task schedule. Run the task if you want it to run earlier than it is specified in the task schedule.
9. Restart the Administration Server service.

After configuring all Administration Servers, you can move patches and lists of required updates, and fix third-party software vulnerabilities on managed devices in the isolated network.