Accounts and authentication
Using two-step verification with Administration Server
Kaspersky Security Center provides two-step verification for users of Kaspersky Security Center Web Console and Administration Console, based on the RFC 6238 standard (TOTP: Time-Based One-Time Password algorithm).
When two-step verification is enabled for your own account, every time you log in to Kaspersky Security Center Web Console or Administration Console, you enter your user name, password, and an additional single-use security code. If you use domain authentication for your account, you only have to enter an additional single-use security code. To receive a single-use security code, you must install an authenticator application on your computer or your mobile device.
There are both software and hardware authenticators (tokens) that support the RFC 6238 standard. For example, software authenticators include Google Authenticator, Microsoft Authenticator, FreeOTP.
We strongly do not recommend installing the authenticator application on the same device from which the connection to Administration Server is established. You can install an authenticator application on your mobile device.
Using two-factor authentication for an operating system
We recommend using multi-factor authentication (MFA) for authentication on the Administration Server device by using a token, a smart card, or other method (if possible).
Prohibition on saving the administrator password
If you use Administration Console, we do not recommend saving the administrator password in the Administration Server connection dialog box.
If you use Kaspersky Security Center Web Console, we do not recommend saving the administrator password in the browser installed on the user device.
Authentication of an internal user account
By default, the password of an internal user account of Administration Server must comply with the following rules:
The password must be 8 to 16 characters long.
The password must contain characters from at least three of the groups listed below:
Uppercase letters (A-Z)
Lowercase letters (a-z)
Numbers (0-9)
Special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;)
The password must not contain any whitespaces, Unicode characters, or the combination of "." and "@", when "." is placed before "@".
By default, the maximum number of allowed attempts to enter a password is 10. You can change the number of allowed password entry attempts.
The Kaspersky Security Center user can enter an invalid password a limited number of times. After the limit is reached, the user account is blocked for one hour.
Dedicated administration group for Administration Server
We recommend creating a dedicated administration group for Administration Server. Grant this group special access rights and create a special security policy for it.
To avoid intentionally lowering the security level of Administration Server, we recommend restricting the list of accounts that can manage the dedicated administration group.
The KLAdmins and KLOperators groups
The KLAdmins and KLOperators groups are created automatically during Kaspersky Security Center installation. The KLAdmins group is granted all access rights. The KLOperators group is granted only Read and Execute rights. The rights granted to the KLAdmins group are locked.
You can view the KLAdmins and KLOperators groups, and make changes to these groups, by using the standard administrative tools of the operating system.
When developing regulations for working with Administration Server, it is necessary to determine whether the information security specialist needs full access (and inclusion in the KLAdmins group) to perform standard tasks.
Most of the basic administration tasks can be distributed between company departments (or different employees of the same department) and consequently between different accounts. You can also set up administration groups access differentiation in Kaspersky Security Center. As a result, it is possible to implement a scenario in which authorization under accounts from the KLAdmins group will be anomalous and could be considered an incident.
If Kaspersky Security Center was installed under a system account, groups are created only on the Administration Server device. In this case, we recommend making sure that only entries created during the installation of Kaspersky Security Center are included in the group. We do not recommend adding any groups to the KLAdmins group (local and/or domain) that is created automatically during the Kaspersky Security Center installation. The KLAdmins group must include only single unprivileged accounts.
If the installation was performed under a domain user account, groups KLAdmins and KLOperators are created both on Administration Server and in the domain that includes Administration Server. A similar approach such as local account installation is recommended.
Restricting the Main Administrator role membership
We recommend restricting the Main Administrator role membership.
By default, after the Administration Server installation, the Main Administrator role is assigned to the local administrators group and the created KLAdmins group. It is useful for management, but it is critical from a security point of view, because the Main Administrator role has an extensive range of privileges, the assignment of this role to users should be strictly regulated.
Local administrators can be excluded from the list of users with administrator privileges of Kaspersky Security Center. The Main Administrator role cannot be removed from the KLAdmins group. You can include in the KLAdmins group the accounts that will be used to manage Administration Server.
If you use domain authentication, we recommend restricting the privileges of domain administrator accounts in Kaspersky Security Center. By default, these accounts have the Main Administrator role. Also, a domain administrator can include its account in the KLAdmins group to obtain the Main Administrator role. To avoid this, in the Kaspersky Security Center security settings you can add the Domain Admins group, and then define prohibiting rules for it. These rules must take precedence over the allowing ones.
You can also use the predefined user roles with an already configured set of rights.
Configuring access rights to application features
We recommend using flexible configuration of access rights to the features of Kaspersky Security Center for each user or group of users.
Role-based access control allows the creation of standard user roles with a predefined set of rights and the assignment of those roles to users depending on their scope of duties.
The main advantages of the role-based access control model:
- Ease of administration
- Role hierarchy
- Least privilege approach
- Segregation of duties
You can assign built-in roles to certain employees based on their positions, or create completely new roles.
While configuring roles, pay attention to the privileges associated with changing the protection state of Administration Server device and remote installation of third-party software:
- Managing administration groups.
- Operations with Administration Server.
- Remote installation.
- Changing the parameters for storing events and sending notifications.
This privilege allows you to set notifications that run a script or an executable module on the Administration Server device when an event occurs.
Separate account for remote installation of applications
In addition to the basic differentiation of access rights, we recommend restricting the remote installation of applications for all accounts (except for the Main Administrator or another specialized account).
We recommend using a separate account for remote installation of applications. You can assign a role or permissions to the separate account.
Securing Windows Privileged Access
We recommend taking into account Microsoft's recommendations for providing privileged access security. To view these recommendations, go to the Securing privileged access article.
One of the key points of recommendations is the implementation of Privileged Access Workstations (PAW).Using a managed service account (MSA) or a group managed service accounts (gMSA) to run the Administration Server service
Active Directory has a special type of accounts for securely running services, called group Managed Service Account (MSA/gMSA). Kaspersky Security Center supports managed service accounts (MSA) and group managed service accounts (gMSA). If these types of accounts are used in your domain, you can select one of them as the account for the Administration Server service.
Regular audit of all users
We recommend conducting a regular audit of all users on the Administration Server device. This allows you to respond to certain types of security threats associated with possible compromise of the device.
