Administration Server deployment
Dec 4, 2023
Administration Server architecture
In general, the choice of a centralized management architecture depends on the location of protected devices, access from adjacent networks, delivery schemes of database updates, and so on.
At the initial stage of architecture development, we recommend getting acquainted with the Kaspersky Security Center components and their interaction with each other, as well as with schemas for data traffic and port usage.
Based on this information, you can form an architecture that specifies:
- The Administration Server location and network connections
- Organization of the administrator's workspaces, and methods of connecting to Administration Server
- Deployment methods for Network Agent and protection software
- Using distribution points
- Using virtual Administration Servers
- Using a hierarchy of Administration Servers
- Anti-virus database update scheme
- Other information flows
Selecting a device for the Administration Server installation
We recommend that you install Administration Server on a dedicated server in the organization's infrastructure. If no third-party software is installed on the server, you can configure the security settings based on the requirements of Kaspersky Security Center, without depending on the requirements of third-party software.
You can deploy Administration Server on a physical server or on a virtual server. Please make sure that the selected device meets the hardware and software requirements.
Administration Server location
Devices managed by Administration Server can be located as follows:
- On a local area network (LAN)
- On the internet
- In the demilitarized zone (DMZ)
At the same time, Administration Server can also be located in different segments: industrial, corporate, and DMZ segments.
If you use Kaspersky Security Center to manage protection of an isolated network segment, we recommend deploying Administration Server in a segment of the demilitarized zone (DMZ). This allows you to organize a proper network segmentation and minimize traffic flow to the protected segment, while maintaining full management capabilities and update delivery.
Restrictions on deploying Administration Server on a domain controller, a terminal server, or a user device
We strongly recommend against installing Administration Server on a domain controller, a terminal server, or a user device.
We recommend that you provide functional separation of the key network nodes. This approach allows you to maintain the operability of different systems when a node fails or is compromised. At the same time, you can create different security policies for each node.
For example, security restrictions usually applied to a domain controller can significantly reduce the performance of Administration Server and make it impossible to use some features of Administration Server. If an intruder gains privileged access to the domain controller, the Active Directory Domain Services (AD DS) database can be modified, damaged, or destroyed. Also, all systems and accounts managed by Active Directory can be compromised.
Accounts for installing and running Administration Server
We recommend running the Administration Server installation under a local administrator account to avoid using domain accounts to access the Administration Server database. The set of required accounts and their rights depends on the selected DBMS type, the DBMS location, and the method of creating the Administration Server database.
The KLAdmins and KLOperators groups are created automatically during Kaspersky Security Center installation. These groups are granted permissions to connect to the Administration Server and to process Administration Server objects.
Depending on the type of account that is used for installation of Kaspersky Security Center, the KLAdmins and KLOperators groups are created as follows:
- If the application is installed under a user account included in a domain, the groups are created on the Administration Server device and in the domain that includes Administration Server.
- If the application is installed under a system account, the groups are created on the Administration Server device only.
In order to avoid creating the KLAdmins and KLOperators groups in the domain and, as a result, providing privileges to manage Administration Server to an account outside the Administration Server device, we recommend installing Kaspersky Security Center under a local account.
During Administration Server installation, select the account that will be used to start Administration Server as a service. By default, the application creates a local account named KL-AK-*, under which the Administration Server service (the klserver service) will run.
If necessary, the Administration Server service can be run under the selected account. This account must be granted the required rights to access the DBMS. For security reasons, use a non-privileged account to run the Administration Server service.
To avoid the use of incorrect account settings, we recommend generating the account automatically.
Excluding Administration Server from a domain
If you use Administration Server to protect device groups of high-importance systems, we do not recommend including the Administration Server device in the domain (if a domain is used). This allows you to differentiate Kaspersky Security Center management rights and prevent access to Administration Server if a domain account is compromised.
Take into account that if you install Administration Server on a device included in the workgroup, the following scenarios of working with Administration Server will not be available:
- Using a Kaspersky Security Center failover cluster
- Using a Windows Server failover cluster
- Using SQL Server on a separate device
  You can use SQL Server on a separate device only if Administration Server and SQL Server are included in the domain.
- Remote installation with Administration Server tools through Active Directory group policies
If it is necessary to install Administration Server on a device included in the workgroup, you can use Kaspersky Security Center Linux instead of Kaspersky Security Center Windows to avoid these restrictions.
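The following read-only PowerShell audit is an added example, not part of the Kaspersky documentation. It checks an Administration Server host against the recommendations above: the host role, domain membership, the KLAdmins and KLOperators groups, and the account of the klserver service. The service and group names come from this page; the finding texts and the decision to report domain membership as a review item are assumptions of the example.

```powershell
# Added example: read-only audit of an Administration Server host.
# klserver, KLAdmins and KLOperators are named on the page; the rest uses standard Windows CIM classes.
$findings = [System.Collections.Generic.List[string]]::new()
$cs = Get-CimInstance Win32_ComputerSystem
$os = Get-CimInstance Win32_OperatingSystem

# ProductType: 1 = workstation (user device), 2 = domain controller, 3 = server
switch ([int]$os.ProductType) {
    1 { $findings.Add('Host runs a workstation OS (user device)') }
    2 { $findings.Add('Host is a domain controller') }
}

# TerminalServerMode: 0 = remote administration only, 1 = application (terminal) server
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TerminalServiceSetting -ErrorAction SilentlyContinue
if ($ts -and $ts.TerminalServerMode -eq 1) { $findings.Add('Host is a terminal server') }

if ($cs.PartOfDomain) {
    $findings.Add("Host is joined to domain '$($cs.Domain)' (review if it protects high-importance systems)")
    try {
        # Installing under a domain user account also creates these groups in the domain
        $q = [adsisearcher]'(&(objectCategory=group)(|(cn=KLAdmins)(cn=KLOperators)))'
        foreach ($g in $q.FindAll()) {
            $findings.Add("Domain group exists: $($g.Properties['distinguishedname'][0])")
        }
    } catch { $findings.Add('Could not query the domain for KLAdmins/KLOperators') }
}

# Domain principals in the local groups can manage the server from outside the device
foreach ($grp in 'KLAdmins', 'KLOperators') {
    Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue |
        Where-Object PrincipalSource -eq 'ActiveDirectory' |
        ForEach-Object { $findings.Add("Domain principal in local ${grp}: $($_.Name)") }
}

# The klserver service should run under a non-privileged account
$svc = Get-CimInstance Win32_Service -Filter "Name='klserver'"
if (-not $svc) {
    $findings.Add('klserver service not found on this host')
} else {
    $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    # S-1-5-32-544 is the built-in Administrators group regardless of OS language
    $admins = (Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue).Name
    if ($acct -eq 'LocalSystem' -or $admins -contains $acct) {
        $findings.Add("klserver runs under privileged account '$acct'")
    }
}

if ($findings.Count) { $findings | ForEach-Object { "FINDING: $_" } }
else { 'No deviations from the deployment recommendations found.' }
```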