Kaspersky Security 9.x for Microsoft Exchange Servers

Scenario of application deployment with a limited set of access privileges

July 9, 2024

ID 89869

This deployment scenario is suitable for you if the security policy of your organization does not allow performing all application installation operations under your account and restricts access to the SQL server or Active Directory. For example, this can happen when the database at your organization is administered by a different specialist with full access to the SQL server.

To prepare for installation with a limited set of permissions to access the SQL server or Active Directory:

  1. Make sure that the account intended for deploying the application is included in the local "Administrators" group on the Microsoft Exchange server on which you are deploying the application. If not, include the account in this group.
  2. Create the following container in Active Directory:

    CN=KasperskyLab,CN=Services,CN=Configuration,DC=<root domain>

  3. Configure full access to this container and to all of its child objects for the account intended for the application installation.
  4. Create a group named Kse Watchdog Service. The group scope is "Universal". Include in this group the account intended for launching the application service. If the Local System account is used as this account, also include in the Kse Watchdog Service group the account of the computer on which installation is performed.
  5. Add the Kse Watchdog Service group to the local "Administrators" group on the Microsoft Exchange server on which you are deploying the application.

    If you previously removed the Debug Programs permission granted to the Administrators group by default, grant this permission to the Kse Watchdog Service group.

  6. The Kse Watchdog Service group and the account intended for application installation must be granted the permissions to read Microsoft Exchange configuration data from the following Active Directory container and all its child objects:

    CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

  7. Provide the Kse Watchdog Service group with the ms-Exch-Store-Admin right. To do this, run the following command in the Exchange Management Shell console:

    Add-ADPermission -Identity "<path to container with configuration of Microsoft Exchange>" -User "<domain name>\Kse Watchdog Service" -ExtendedRights ms-Exch-Store-Admin

    For example:

    Add-ADPermission -Identity "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>" -User "domain\Kse Watchdog Service" -ExtendedRights ms-Exch-Store-Admin

  8. Provide the Kse Watchdog Service group with the right to run under a different name (impersonation). To do this, run the following command in the Exchange Management Shell console:

    New-ManagementRoleAssignment -Name KSE_IMPERSONATION -Role applicationImpersonation -SecurityGroup "Kse Watchdog Service"

  9. Create the following account groups: Kse Administrators, Kse AV Security Officers, Kse AV Operators. These groups can be created in any of the organization's domains. The group scope is "Universal".
  10. Perform replication of Active Directory data across the entire organization.
  11. Assign dedicated user roles to the accounts owned by users who perform corresponding duties in your company. To do this, add user accounts to the following account groups in Active Directory:
    • Add administrator accounts to the Kse Administrators group.
    • Add the accounts of anti-virus security officers to the Kse AV Security Officers group.
    • Add the accounts of anti-virus security operators to the Kse AV Operators group.

    If you plan to manage the application using Kaspersky Security Center, add the accounts of all computers on which you are installing Kaspersky Security to the Kse Administrators group in Active Directory.

    If you have not added the accounts of all computers on which you are installing Kaspersky Security to the Kse Administrators group in Active Directory, the screen will display a message explaining how to enable management of the application using Kaspersky Security Center.

  12. Make sure that the account intended for application installation is also included in the Kse Administrators group in Active Directory.

    If the application has already been installed on at least one computer on the enterprise LAN, a local administrator account is all you need to install the application on other computers on the enterprise LAN. In this case, the user account used for installing the application must be granted permissions to read the Microsoft Exchange configuration from the following Active Directory container and all its child objects:
    CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<root domain>

  13. Ensure creation of the application database. Perform this operation on your own or delegate it to an authorized specialist.
  14. On the SQL server, create a login for the Kse Watchdog Service Active Directory group.
  15. Assign the db_owner role at the application database level to the group of Kse Watchdog Service accounts.
  16. Assign the db_owner role at the application database level and the VIEW ANY DEFINITION permission at the SQL server level to the account intended for preparing the database.

    If you do not grant the VIEW ANY DEFINITION permission to the account, a message prompting you for the ALTER ANY LOGIN permission will appear on the screen when the Setup Wizard checks for roles and permissions of users to access the application database. The ALTER ANY LOGIN permission is required by the Setup Wizard to create SQL server users, assign roles to those users, and grant them permissions to use the database.

  17. Grant the Allow Logon Locally permissions to the account intended for preparing the database.
  18. Grant the Allow Logon Locally permissions to the account intended for running the application service.
  19. Perform the steps of the Application Installation Wizard and Application Configuration Wizard under the account intended for installing the application.

    If you plan to use the Kerberos network authentication protocol, make sure that the account intended for installing the application has permissions to register a service principal name (SPN). If such privileges are absent, you can register the SPN manually after installing the application.

  20. Perform replication of Active Directory data across the entire organization. This is required for the application settings saved in Active Directory to become available for subsequent installations of the application on other Microsoft Exchange servers at your organization.
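The steps above are normally carried out partly in the Active Directory and SQL Server management consoles. As an added example, not a script from Kaspersky's documentation, the following PowerShell session performs the Active Directory and SQL Server parts of the procedure (steps 1 to 16 and the two replication steps) with cmdlets. It assumes the ActiveDirectory and SqlServer modules are installed, that the two Exchange cmdlets are run inside the Exchange Management Shell, and that the domain name, account names, OU, SQL instance and database name at the top are placeholders you replace with your own. The "Allow Logon Locally" and "Debug Programs" user rights (steps 5, 17 and 18) are assigned through Local Security Policy or Group Policy and are only noted in comments.

```powershell
# Added example: provisions the AD objects and SQL Server permissions for the
# limited-privilege deployment scenario. All names below are assumed placeholders.
$domain       = 'CORP'                           # assumed NetBIOS domain name
$installerSam = 'kse-installer'                  # account that will run Setup
$serviceSam   = 'svc-kse-watchdog'               # account that runs the service ('SYSTEM' for Local System)
$dbPrepSam    = 'kse-dbprep'                     # account that prepares the database
$sqlInstance  = 'SQL01\KSE'                      # assumed SQL Server instance
$dbName       = 'KseDb'                          # assumed application database name
$groupOU      = 'OU=Groups,DC=corp,DC=example'   # assumed OU in which the Kse groups are created
$watchdog     = 'Kse Watchdog Service'
$installer    = "$domain\$installerSam"

Import-Module ActiveDirectory
Import-Module SqlServer

# Step 1: the installing account must be a local administrator on this Exchange server.
Add-LocalGroupMember -Group 'Administrators' -Member $installer -ErrorAction SilentlyContinue

# Step 2: create the KasperskyLab container in the configuration partition.
$cfgNC  = (Get-ADRootDSE).configurationNamingContext
$kseDN  = "CN=KasperskyLab,CN=Services,$cfgNC"
$exchDN = "CN=Microsoft Exchange,CN=Services,$cfgNC"
if (-not (Get-ADObject -Identity $kseDN -ErrorAction SilentlyContinue)) {
    New-ADObject -Name 'KasperskyLab' -Type 'container' -Path "CN=Services,$cfgNC"
}

# Step 3: full control (GA) on the container and all child objects (/I:T) for the installer.
dsacls $kseDN /I:T /G "${installer}:GA" | Out-Null

# Steps 4 and 9: universal security groups.
foreach ($g in $watchdog, 'Kse Administrators', 'Kse AV Security Officers', 'Kse AV Operators') {
    if (-not (Get-ADGroup -Filter "name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Universal -GroupCategory Security -Path $groupOU
    }
}
if ($serviceSam -eq 'SYSTEM') {
    # Local System: the computer account acts on the network, so it joins the group instead.
    Add-ADGroupMember -Identity $watchdog -Members (Get-ADComputer $env:COMPUTERNAME)
} else {
    Add-ADGroupMember -Identity $watchdog -Members $serviceSam
}

# Step 5: the watchdog group becomes a local administrator on this Exchange server.
# If "Debug Programs" was removed from Administrators, re-grant it to this group via secpol.msc/GPO.
Add-LocalGroupMember -Group 'Administrators' -Member "$domain\$watchdog" -ErrorAction SilentlyContinue

# Step 6: read (GR) on the Microsoft Exchange configuration container and its children.
dsacls $exchDN /I:T /G "$domain\${watchdog}:GR" | Out-Null
dsacls $exchDN /I:T /G "${installer}:GR" | Out-Null

# Steps 7 and 8 (Exchange Management Shell): store-admin extended right and impersonation role.
Add-ADPermission -Identity $exchDN -User "$domain\$watchdog" -ExtendedRights ms-Exch-Store-Admin
New-ManagementRoleAssignment -Name KSE_IMPERSONATION -Role ApplicationImpersonation -SecurityGroup $watchdog

# Steps 11 and 12: role groups. The installer must be a Kse administrator; computer accounts
# are added only when the application is managed through Kaspersky Security Center.
Add-ADGroupMember -Identity 'Kse Administrators' -Members $installerSam
Add-ADGroupMember -Identity 'Kse Administrators' -Members (Get-ADComputer $env:COMPUTERNAME)

# Steps 10 and 20: force replication of all partitions across the forest.
repadmin /syncall /AdeP | Out-Null

# Steps 13 to 16: database, logins, db_owner membership and VIEW ANY DEFINITION.
# The database inherits the server collation; set COLLATE explicitly if your server
# default is case-sensitive and the application expects otherwise.
$tsql = @"
IF DB_ID(N'$dbName') IS NULL CREATE DATABASE [$dbName];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$domain\$watchdog')
    CREATE LOGIN [$domain\$watchdog] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$domain\$dbPrepSam')
    CREATE LOGIN [$domain\$dbPrepSam] FROM WINDOWS;
GRANT VIEW ANY DEFINITION TO [$domain\$dbPrepSam];
GO
USE [$dbName];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$domain\$watchdog')
    CREATE USER [$domain\$watchdog] FOR LOGIN [$domain\$watchdog];
ALTER ROLE db_owner ADD MEMBER [$domain\$watchdog];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$domain\$dbPrepSam')
    CREATE USER [$domain\$dbPrepSam] FOR LOGIN [$domain\$dbPrepSam];
ALTER ROLE db_owner ADD MEMBER [$domain\$dbPrepSam];
GO
"@
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $tsql
# Steps 17 and 18: grant "Allow log on locally" to $dbPrepSam and $serviceSam via secpol.msc/GPO.
```

Run the AD portion as an account that already has rights on the configuration partition (typically a member of Enterprise Admins) and the SQL portion as the database administrator; this matches the page's point that the installing account itself does not need those privileges. Because the VIEW ANY DEFINITION grant is issued here, the Setup Wizard will not later prompt for ALTER ANY LOGIN.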

When the SQL database is created, the server applies its own default (local) collation. Take the Collation parameter into account when installing the application to avoid case-sensitivity-related behavior and errors when connecting to the database.

If the application is installed with, or works with, an SQL database configured with AlwaysOn technology, you must grant the same rights on all servers that belong to the database mirroring group.
