About permissions to manage the Kaspersky Security Service
During installation, Kaspersky Security for Windows Server registers Kaspersky Security Service (KAVFS) in Windows, and internally enables functional components started at operating system startup. To reduce the risk of third-party access to application functions and security settings on the protected device through management of the Kaspersky Security Service, you can restrict permissions for managing the Kaspersky Security Service from the Application Console or the Administration Plug-in.
By default, access permissions for managing the Kaspersky Security Service are granted to users in the "Administrators" group on the protected device as well as to the SERVICE and INTERACTIVE groups with read permissions and to the SYSTEM group with read and execute permissions.
You cannot delete the SYSTEM account or edit permissions for this account. If the SYSTEM account permissions are edited, the maximum privileges are restored for this account when you save the changes.
Users who have access to functions of the Edit permissions level can grant access permissions for managing Kaspersky Security Service to other users registered on the protected device or included in the domain.
You can choose one of the following preset levels of access permissions for a user or group of users of Kaspersky Security for Windows Server for managing the Kaspersky Security Service:
- Full control: ability to view and edit general settings and user permissions for the Kaspersky Security Service, and to start and stop the Kaspersky Security Service.
- Read: ability to view Kaspersky Security Service general settings and user permissions.
- Modification: ability to view and edit Kaspersky Security Service general settings and user permissions.
- Execution: ability to start and stop the Kaspersky Security Service.
You can also configure advanced access permissions: allow or deny access to specific Kaspersky Security for Windows Server functions (see the table below).
If you have manually configured access permissions for a user or group, then the Special permissions access level is set for this user or group.
Delimitation of access permissions for Kaspersky Security for Windows Server functions
Feature | Description |
|---|---|
View service configurations | Ability to view Kaspersky Security Service general settings and user permissions. |
Request service status from Service Control Manager | Ability to request the execution status of the Kaspersky Security Service from the Microsoft Windows Service Control Manager. |
Request status from service | Ability to request the service status from the Kaspersky Security Service. |
Read list of dependent services | Ability to view a list of services which the Kaspersky Security Service depends on and which depend on the Kaspersky Security Service. |
Editing service settings | Ability to view and edit Kaspersky Security Service general settings and user permissions. |
Start the service | Ability to start the Kaspersky Security Service. |
Stop the service | Ability to stop the Kaspersky Security Service. |
Pause / Resume the service | Ability to pause and resume the Kaspersky Security Service. |
Read permissions | Ability to view the list of Kaspersky Security Service users and each user's access privileges. |
Edit permissions | Ability to:
|
Delete the service | Ability to unregister the Kaspersky Security Service in the Microsoft Windows Service Control Manager. |
User defined requests to service | Ability to create and send user requests to the Kaspersky Security Service. |
