Dec 4, 2023
Usage of TLS
We recommend prohibiting insecure connections to Administration Server. For example, you can prohibit connections that use HTTP in the Administration Server settings.
Please note that by default, several HTTP ports of Administration Server are closed. The remaining open HTTP port, 8060, is used by the Administration Server Web Server; access to this port can be restricted by the firewall settings of the Administration Server device.
Strict TLS settings
We recommend using TLS protocol version 1.2 and later, and restricting or prohibiting insecure encryption algorithms.
You can configure the encryption protocols (TLS) used by Administration Server. Please note that, as of the release of each Administration Server version, the default encryption protocol settings are configured to ensure secure data transfer.
Restricting access to the Administration Server database
We recommend restricting access to the Administration Server database. For example, grant access only from the Administration Server device. This reduces the likelihood of the Administration Server database being compromised due to known vulnerabilities.
You can configure these parameters according to the operating instructions of the database in use, and close the database ports on firewalls.
Prohibition of remote authentication by using Windows accounts
You can use the LP_RestrictRemoteOsAuth flag to prohibit SSPI connections from remote addresses. This flag allows you to prohibit remote authentication on Administration Server by using local or domain Windows accounts.
To set the LP_RestrictRemoteOsAuth flag so that connections from remote addresses are prohibited:
- Run the Windows command prompt with administrator rights, and then change the current directory to the directory containing the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
- Execute the following command in the command line to specify the value of the LP_RestrictRemoteOsAuth flag:
klscflag.exe -fset -pv .core/.independent -s KLLIM -n LP_RestrictRemoteOsAuth -t d -v 1
- Restart the Administration Server service.
The LP_RestrictRemoteOsAuth flag does not work if remote authentication is performed through Kaspersky Security Center Web Console or Administration Console that is installed on the Administration Server device.
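The procedure above can be scripted so that the flag is applied, verified and activated in one pass. The following PowerShell script is an added example, not part of the Kaspersky documentation; it assumes the default installation path from the page, that the Administration Server service is named "kladminserver", and that klscflag.exe supports a "-fget" read-back option.

```powershell
# Added example (not from Kaspersky's documentation): applies the
# LP_RestrictRemoteOsAuth flag with klscflag.exe, verifies it, and restarts
# the Administration Server service. Run from an elevated PowerShell session.
# Assumptions: default installation path, service name "kladminserver",
# and klscflag support for "-fget" to read a flag back.
param(
    [string]$InstallDir = "${env:ProgramFiles(x86)}\Kaspersky Lab\Kaspersky Security Center",
    [string]$ServiceName = "kladminserver"   # assumed service name
)

$klscflag = Join-Path $InstallDir "klscflag.exe"
if (-not (Test-Path $klscflag)) {
    throw "klscflag.exe not found at $klscflag; pass -InstallDir."
}

# Arguments identifying the flag, taken from the command line on the page.
$flagArgs = @("-pv", ".core/.independent", "-s", "KLLIM", "-n", "LP_RestrictRemoteOsAuth")

# 1. Set the flag to 1 (DWORD) to prohibit SSPI authentication from remote addresses.
& $klscflag -fset @flagArgs -t d -v 1
if ($LASTEXITCODE -ne 0) {
    throw "klscflag -fset failed with exit code $LASTEXITCODE"
}

# 2. Read the value back (-fget is an assumption) and stop if it is not 1.
$readBack = & $klscflag -fget @flagArgs 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Could not read back the flag (exit code $LASTEXITCODE); continuing."
} elseif ($readBack -notmatch '\b1\b') {
    throw "Unexpected flag value after set: $readBack"
}

# 3. Restart Administration Server so the new value takes effect, then confirm it is running.
Restart-Service -Name $ServiceName -Force
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Running') {
    throw "Service $ServiceName is not running after restart (status: $($svc.Status))."
}
Write-Output "LP_RestrictRemoteOsAuth set to 1 and $ServiceName restarted."
```

After the restart, confirm from a remote Administration Console that authentication with a Windows account is refused, while a console on the Administration Server device itself still authenticates, as the note above describes.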
Authenticating Microsoft SQL Server
If Kaspersky Security Center uses Microsoft SQL Server as a DBMS, it is necessary to protect Kaspersky Security Center data transferred to or from the database and data stored in the database from unauthorized access. To do this, you must secure communication between Kaspersky Security Center and SQL Server. The most reliable way to provide secure communication is to install Kaspersky Security Center and SQL Server on the same device and use the shared memory mechanism for both applications. In all other cases, we recommend that you use an SSL/TLS certificate to authenticate the SQL Server instance.
Configuring an allowlist of IP addresses to connect to Administration Server
By default, users can log in to Kaspersky Security Center from any device where they can open Kaspersky Security Center Web Console or where MMC-based Administration Console is installed. However, you can configure Administration Server so that users can connect to it only from devices with allowed IP addresses. In this case, even if an intruder steals a Kaspersky Security Center account, he or she will be able to log in to Kaspersky Security Center only from IP addresses that are in the allowlist.