KASPERSKY Administration Kit 8.0 User Manual

DEPLOYMENT GUIDE
P R O GR A M V ER S IO N : 8 . 0 C R I T I CA L F I X 1
Kaspersky Administration
Kit 8.0
Dear User!
Thank you for choosing our product. We hope that this documentation will help you in your work and will provide answers regarding this software product.
Reproduction or distribution of any materials in any format, including translations, is allowed only with the written permission of Kaspersky Lab.
This document, and graphic images related to it, may only be used for informational, non-commercial, and personal purposes.
Kaspersky Lab reserves the right to amend this document without additional notification. You can find the latest version of this document at the Kaspersky Lab website, at http://www.kaspersky.com/docs.
Kaspersky Lab shall not be liable for the content, quality, relevance, or accuracy of any materials used in this document for which the rights are held by third parties, or for any potential or actual losses associated with the use of these materials.
This document uses registered trademarks and service marks which are the property of their respective owners.
Revision date: 2/2/10
© 1997-2010 Kaspersky Lab ZAO. All Rights Reserved.
http://www.kaspersky.com
http://support.kaspersky.com
CONTENTS
KASPERSKY ADMINISTRATION KIT ........................................................................................................................... 5
Distribution package ................................................................................................................................................ 5
Services for registered users ................................................................................................................................... 5
Obtaining information about the application ............................................................................................................. 6
Information sources for further research ............................................................................................................ 6
Contacting the Technical Support Service ......................................................................................................... 7
Discussing Kaspersky Lab's applications on the web forum .............................................................................. 8
Purpose of the document ......................................................................................................................................... 8
Application features ................................................................................................................................................. 8
Application structure ................................................................................................................................................ 9
Hardware and software requirements ...................................................................................................................... 9
TYPICAL SCHEMES FOR DEPLOYMENT OF ANTI-VIRUS PROTECTION ............................................................. 12
RECOMMENDATIONS FOR CREATION OF CENTRALIZED MANAGEMENT OF ANTI-VIRUS PROTECTION ..... 13
INSTALLING KASPERSKY ADMINISTRATION KIT ................................................................................................... 15
Installation of Kaspersky Administration Kit components on a local computer....................................................... 16
Standard installation ......................................................................................................................................... 16
Custom installation ........................................................................................................................................... 17
Removal of Kaspersky Administration Kit components .......................................................................................... 31
Upgrading the application ...................................................................................................................................... 31
REMOTE DEPLOYMENT AND REMOVAL OF APPLICATIONS ............................................................................... 33
Creating a deployment task ................................................................................................................................... 35
Push install ....................................................................................................................................................... 36
Login script-based installation .......................................................................................................................... 49
Installing using Active Directory group policies ...................................................................................................... 54
Installing applications on slave Administration Servers.......................................................................................... 55
Step 1. Defining the task name ........................................................................................................................ 56
Step 2. Selecting the task type ................................................................................................ ......................... 56
Step 3. Selecting the installation package ........................................................................................................ 56
Step 4. Configuring the installation settings ..................................................................................................... 57
Step 5. Creating a set of Administration Servers .............................................................................................. 58
Step 6. Scheduling the task launch .................................................................................................................. 58
Step 7. Competing task creation ...................................................................................................................... 58
Configuring a remote deployment task .................................................................................................................. 58
Remote Installation Wizard .................................................................................................................................... 61
Step 1. Selecting the application to be installed ............................................................................................... 62
Step 2. Selecting the target computers ............................................................................................................ 63
Step 3. Selecting the group .............................................................................................................................. 64
Step 4. Selecting the method of loading the installation package .................................................................... 64
Step 5. Selecting the license ............................................................................................................................ 66
Step 6. Configuring the restart settings ............................................................................................................ 66
Step 7. Configuring removal of incompatible applications ................................................................................ 67
Step 8. Selecting account................................................................................................................................. 67
Step 9. Completing set up ................................................................................................................................ 68
Deployment report ................................................................................................................................................. 68
D E P L O Y M E N T G U I D E
Remote software removal ...................................................................................................................................... 69
Work with installation packages ............................................................................................................................. 70
Creating an installation package ...................................................................................................................... 71
Configuring the application description file manually ........................................................................................ 73
Viewing and configuring the properties of an installation package ................................................................... 74
Creating and configuring an installation package for the Network Agent ......................................................... 79
Creating and configuring an installation package for the Administration Server............................................... 82
Creating a task for installation package distribution to slave Administration Servers ....................................... 83
Distribution of installation packages within a group using Update Agents ........................................................ 84
Computer preparation for remote installation. The riprep utility ............................................................................. 87
Interactive mode ............................................................................................................................................... 88
Non-interactive mode ....................................................................................................................................... 89
LOCAL INSTALLATION OF SOFTWARE ................................................................................................................... 90
Local installation of the Network Agent .................................................................................................................. 91
Local installation of the application management plug-in ....................................................................................... 95
Installing applications in non-interactive mode ....................................................................................................... 96
Installation using a standalone package ................................................................................................................ 97
Step 1. Selecting the license ............................................................................................................................ 98
Step 2. Selecting the action .............................................................................................................................. 98
Step 3. Selecting the Network Agent installation package ............................................................................... 99
Step 4. Configuring computer relocation ........................................................................................................ 100
Step 5. Completion of creation of a standalone installation package ............................................................. 100
INFORMATION ABOUT STRESS TESTING ............................................................................................................ 102
Stress testing results............................................................................................................................................ 102
Connection of client to Administration Server without synchronization .......................................................... 103
Connection of client to Administration Server with synchronization ............................................................... 103
Regular database updates ............................................................................................................................. 104
Processing of events on client computers by the Administration Server ........................................................ 105
Network load ................................ ................................................................ ........................................................ 105
Initial deployment of anti-virus protection ....................................................................................................... 106
Initial update of the anti-virus databases ........................................................................................................ 107
Connection of client to Administration Server without synchronization .......................................................... 107
Connection of client to Administration Server with synchronization ............................................................... 107
Regular database updates ............................................................................................................................. 108
Processing of events from clients by Administration Server ........................................................................... 108
GLOSSARY ............................................................................................................................................................... 109
KASPERSKY LAB ..................................................................................................................................................... 114
INDEX ....................................................................................................................................................................... 115
IN THIS SECTION
Distribution package .......................................................................................................................................................... 5
Services for registered users ............................................................................................................................................. 5
Obtaining information about the application ...................................................................................................................... 6
Purpose of the document .................................................................................................................................................. 8
Application features ........................................................................................................................................................... 8
Application structure .......................................................................................................................................................... 9
Hardware and software requirements................................................................................................................................ 9

KASPERSKY ADMINISTRATION KIT

Kaspersky Administration Kit provides a centralized solution for managing corporate network anti-virus security systems based on Kaspersky Lab applications included in Kaspersky Open Space Security products. Kaspersky Administration Kit supports all network configurations that use the TCP/IP protocol.
The application is a tool for corporate network administrators and anti-virus security officers.

DISTRIBUTION PACKAGE

The product is provided free of charge with all Kaspersky Lab applications included in the Kaspersky Open Space Security kit (retail). It is also available for download from the Kaspersky Lab website (http://www.kaspersky.com).

SERVICES FOR REGISTERED USERS

Kaspersky Lab offers a large service package, enabling its legal users to enjoy all available features of the application.
If you purchase licenses for a Kaspersky Lab product included in Kaspersky Open Space Security, you become a registered user of Kaspersky Administration Kit. During the license validity period, you are entitled to:
hourly updates of the application database and program modules of that software product;
phone or email consultation on matters related to the installation, configuration and operation of the anti-virus
application;
When you contact the Technical Support Service, please provide information about your license for the Kaspersky Lab application with which Kaspersky Administration Kit is being used.
notifications about releases of new Kaspersky Lab software products and about new viruses that appear
worldwide. This service is provided to users who subscribe to the Kaspersky Lab newsletter at the web site of the Technical Support Service at http://support.kaspersky.com/subscribe/.
Kaspersky Lab does not provide support on issues related to the operation and use of your operating system or other technologies.
D E P L O Y M E N T G U I D E
IN THIS SECTION
Information sources for further research............................................................................................................................ 6
Contacting the Technical Support Service ......................................................................................................................... 7
Discussing Kaspersky Lab's applications on the web forum ............................................................................................. 8

OBTAINING INFORMATION ABOUT THE APPLICATION

If you have any questions regarding purchasing, installing or using Kaspersky Administration Kit, answers are readily available.
Kaspersky Lab provides various sources of information about the application. You can choose the most suitable, according to the importance and urgency of your question.

INFORMATION SOURCES FOR FURTHER RESEARCH

You can view the following sources of information about the application:
the application's page on Kaspersky Lab's website;
the application's Knowledge Base page on the Technical Support Service website;
electronic help system;
documentation.
The application's page at the Kaspersky Lab website
http://www.kaspersky.com/administration_kit
This page will provide you with general information about the application's features and options.
The application's Knowledge Base page at the Technical Support Service website
http://support.kaspersky.com/remote_adm
This page contains articles by the Technical Support Service.
These articles contain useful information, recommendations, and the Frequently Asked Questions (FAQ) page, and cover purchasing, installing and using the application. The articles are sorted by subject, such as "License management", "Database updates", and "Troubleshooting". The articles aim to answer questions about not only this application but other Kaspersky Lab products as well. They may also contain news from the Technical Support Service.
The electronic help system
The application installation package includes full help files, which contain step by step descriptions of the application's features.
To open the help file, select Kaspersky Administration Kit help system in the console Help menu.
If you have a question about a specific application window, you can use context-sensitive help. To open context-sensitive help, in the corresponding window, press the Help button or the F1 key.
Documentation
K A S P E R S K Y AD MI N I S T R A T I ON KIT
The documentation supplied with the application aims to provide all the information you will require. It includes the following documents:
Administrator's Guide describes the purpose, basic concepts, features and general schemes for using
Kaspersky Administration Kit.
Deployment Guide contains a description of the installation procedures for the components of Kaspersky
Administration Kit as well as remote installation of applications in computer networks using simple configuration.
Getting Started guide gives a step by step guide to anti-virus security administrators, enabling them to start
using Kaspersky Administration Kit quickly, and to deploy Kaspersky Lab's anti-virus applications across a managed network.
Reference Guide contains an overview of Kaspersky Administration Kit, and step by step descriptions of its
features.
The documents are supplied in PDF format in Kaspersky Administration Kit's distribution package (installation CD).
You can download the documentation files from the application's page at Kaspersky Lab's website.

CONTACTING THE TECHNICAL SUPPORT SERVICE

You can obtain information about the application from the Technical Support Service, by phone or on the Internet. When contacting the Technical Support Service, you will need to provide information about the license for the Kaspersky Lab product with which you are using the application.
The Technical Support Service will answer any questions related to the installation and use of the application that are not covered in help topics. If your computer has been infected, they will help you to neutralize the consequences of malware activity.
Before contacting the Technical Support Service, please read the support rules for Kaspersky Lab's products
http://support.kaspersky.com/support/rules.
Technical Support by email
You can send your question to the Technical Support Service by filling out a Helpdesk web form for client questions at http://support.kaspersky.com/helpdesk.html.
You can ask your question in Russian, English, German, French or Spanish. To send an email request, you should specify your customer ID, which you received while registering at the
Technical Support Service's website, and the corresponding password.
If you are not yet a registered user of Kaspersky Lab's applications, you can fill out a registration form (https://support.kaspersky.com/en/personalcabinet/registration/form/). During registration you will need to enter either your application's activation code, or the key file.
The Technical Support service will respond to your request in your Personal Cabinet
https://support.kaspersky.com/en/PersonalCabinet), and to the email address you specified in your request.
In the website's request form, please describe the problem you have encountered. In the mandatory fields, specify:
Request type. Questions which users often ask divided into separate topics, for example: "Problems with
Setup / Remove application" or "Virus disinfection". If you do not find an appropriate topic, select "General question".
Application name and version number.
Request description. Describe the problem you encountered in as much detail as possible.
D E P L O Y M E N T G U I D E
Customer ID and password. Enter the client number and the password you received when you registered at
the Technical Support Service's website.
Email address. The Technical Support Service will reply to your question at this email address.
Technical support by phone
If you have an urgent problem, you can call your local Technical Support Service. Before contacting Russian­speaking (http://support.kaspersky.ru/support/support_local) or international (http://support.kaspersky.com/support/international) Technical Support, please have the necessary information (listed at http://support.kaspersky.com/support/details) about your computer to hand. This will let our specialists help you more quickly.

DISCUSSING KASPERSKY LAB'S APPLICATIONS ON THE WEB FORUM

If your question does not require an immediate answer, you can discuss it with Kaspersky Lab's experts and other users in our forum at http://forum.kaspersky.com.
In this forum you can view existing topics, leave your comments, create new topics and use the search engine.

PURPOSE OF THE DOCUMENT

This Guide contains a description of installation procedures for the components of Kaspersky Administration Kit and remote installation of applications in computer networks using simple configuration.

APPLICATION FEATURES

The application enables the corporate network administrator to:
Perform remote installation and removal of Kaspersky Lab applications across the network in a centralized
manner. This feature enables the administrator to copy the required set of Kaspersky Lab applications to a selected computer, and then install these applications remotely on the network computers.
Remotely manage Kaspersky Lab applications in a centralized manner. The administrator can create a multi-
level anti-virus protection system, and manage the operation of all applications from his workstation. This is particularly important for larger companies whose local network consists of a large number of computers that may be located in several separate buildings or offices. This feature includes:
creating the hierarchy of Administration Servers;
joining hosts into administration groups based on the functions performed by the computers and on the set
of applications installed on them;
configuring the application settings in a centralized way by creating and applying policies;
configuring the application settings for particular individual computers;
managing the operation of applications in a centralized manner by creating and running group tasks and
building individual schemes for the application's operation by creating and running tasks for a set of
Automatically update the anti-virus database and application modules on computers. This feature can update
the anti-virus databases for all installed Kaspersky Lab applications in a centralized manner, rather than each computer accessing Kaspersky Lab's Internet updates server for each individual update. Updating can be
tasks for sets of computers and the Administration Server;
computers from different administration groups.
K A S P E R S K Y AD MI N I S T R A T I O N K IT
performed automatically according to the schedule set up by the administrator. The administrator can monitor distribution of updates to client computers.
Receive reports using a dedicated system. This feature can collect statistics about the operation of all installed
Kaspersky Lab applications in a centralized manner, and create reports based on the statistics. The administrator can create a cumulative network report about application operation, or reports about the operation of all applications installed on individual computers.
Use events notification system. Delivery of notifications. The administrator can create a list of events which
occur when applications are running about which he or she wants to be notified. The list of such events may include, for example, detection of a new virus, an error that occurred due to incorrect termination of the database updating on a computer, or detection of a new computer on the network.
Manage licenses. This feature allows the administrator to install licenses for all installed Kaspersky Lab
applications in a centralized manner, to monitor the observance of the license agreement (that is, that the number of applications operating in the network is less than or equal to the number of licenses) and the expiration date.

APPLICATION STRUCTURE

Kaspersky Administration Kit includes three major components:
Administration Server (hereinafter also referred to as the Server) performs the functions of centralized storage of
information about Kaspersky Lab applications installed in the corporate network and about the management of these applications.
Network Agent (hereinafter also referred to as the Agent) coordinates interaction between the Administration
Server and Kaspersky Lab applications installed on a specific network node (a workstation or a server). This component supports all Windows applications included in Kaspersky Open Space Security products. Separate versions of Network Agent exist for Kaspersky Lab's Novell and Unix applications.
Administration Console (hereinafter also referred to as the Console) provides a user interface to the
administration services of the Administration Server and Network Agent. The management module is implemented as a snap-in for the Microsoft Management Console (MMC). The Administration Console allows connection to the remote Administration Server via Internet.

HARDWARE AND SOFTWARE REQUIREMENTS

Administration Server
Software requirements:
Microsoft Data Access Components (MDAC) 2.8 or higher.
MSDE 2000 with installed Service Pack 3, or Microsoft SQL Server 2000 with installed Service Pack 3 or
higher, or MySQL Enterprise 5.0.32 and 5.0.70, or Microsoft SQL 2005 or higher; or Microsoft SQL Express 2005 or higher, Microsoft SQL Express 2008, Microsoft SQL 2008.
It is recommended to use Microsoft SQL 2005 with Service Pack 2, Microsoft SQL Express 2005 with Service Pack 2 and later versions.
Microsoft Windows 2000 with installed Service Pack 4 or higher; Microsoft Windows XP Professional with
installed Service Pack 2 or higher; Microsoft Windows XP Professional x64 or higher; Microsoft Windows Server 2003 or higher; Microsoft Windows Server 2003 x64 or higher; Microsoft Windows Vista with installed Service Pack 1 or higher, Microsoft Windows Vista x64 with installed Service Pack 1 and all current updates, for Microsoft Windows Vista x64 the Microsoft Windows Installer 4.5 should be installed; Microsoft Windows Server 2008; Microsoft Windows Server 2008 deployed in the Server Core mode; Microsoft
D E P L O Y M E N T G U I D E
Windows Server 2008 x64 with installed Service Pack 1 and all current updates, for Microsoft Windows Server 2008 x64 the Microsoft Windows Installer 4.5 should be installed; Microsoft Windows 7.
When using Microsoft Windows 2000 with Service Pack 4 installed, it is necessary to install the following updates for Microsoft Windows before deploying Administration Server: 1) Update Rollup 1 for Windows 2000 SP4 (KB891861); 2) Security Update for Windows 2000 (KB835732).
Hardware requirements:
Intel Pentium III 800 MHz or higher;
256 MB RAM;
1GB of available disk space.
Administration Console
Software requirements:
Microsoft Windows 2000 with installed Service Pack 4 or higher; Microsoft Windows XP Professional with
installed Service Pack 2 or higher; Microsoft Windows XP Home Edition with installed Service Pack 2 or higher; Microsoft Windows XP Professional x64 or higher; Microsoft Windows Server 2003 or higher; Microsoft Windows Server 2003 x64 or higher; Microsoft Windows Vista with installed Service Pack 1 or higher, Microsoft Windows Vista x64, Microsoft Windows Vista x64 with installed Service Pack 1 and all current updates, for Microsoft Windows Vista x64 the Microsoft Windows Installer 4.5 should be installed; Microsoft Windows Server 2008; Microsoft Windows Server 2008 x64 with installed Service Pack 1 and all current updates, for Microsoft Windows Server 2008 x64 the Microsoft Windows Installer 4.5 should be installed; Microsoft Windows 7.
Microsoft Management Console 1.2 or higher.
Work with Microsoft Windows 2000 requires Microsoft Internet Explorer 6.0.
Work with Microsoft Windows 7 E Edition and Microsoft Windows 7 N Edition requires Microsoft Internet
Explorer 8.0 or higher.
Hardware requirements:
Intel Pentium III 800 MHz or higher;
256 MB RAM;
70 MB of available disk space.
Network Agent
Software requirements:
For Windows systems:
Microsoft Windows 2000 with installed Service Pack 4 or higher; Microsoft Windows XP Professional with installed Service Pack 2 or higher; Microsoft Windows XP Professional x64 or higher; Microsoft Windows Server 2003 or higher; Microsoft Windows Server 2003 x64 or higher; Microsoft Windows Vista with installed Service Pack 1 or higher, Microsoft Windows Vista x64 with installed Service Pack 1 and all current updates, for Microsoft Windows Vista x64 the Microsoft Windows Installer 4.5 should be installed; Microsoft Windows Server 2008; Microsoft Windows Server 2008 deployed in the Server Core mode; Microsoft Windows Server 2008 x64 with installed Service Pack 1 and all current updates, for Microsoft Windows Server 2008 x64 the Microsoft Windows Installer 4.5 should be installed; Microsoft Windows 7.
For Novell systems:
K A S P E R S K Y AD MI N I S T R A T I O N K IT
Novell NetWare 6 SP5 or higher; Novell NetWare 6.5 SP7 or higher.
For Linux systems:
The supported version of the operating system is determined by the requirement of the compatible Kaspersky Lab application installed on the client computer.
Hardware requirements:
For Windows systems:
Intel Pentium 233 MHz or higher;
RAM size - 32 MB;
20 MB of available disk space.
For Novell systems:
Intel Pentium 233 MHz or higher;
RAM size - 32 MB;
Available disk space - 32 MB.
For Linux systems:
Intel Pentium® 133 MHz or higher;
RAM size - 64 MB;
100 MB of available disk space.
Update Agent
Software requirements for Windows systems:
Microsoft Windows 2000 with installed Service Pack 4 or higher; Microsoft Windows XP Professional with installed Service Pack 2 or higher; Microsoft Windows XP Professional x64 or higher; Microsoft Windows Server 2003 or higher; Microsoft Windows Server 2003 x64 or higher; Microsoft Windows Vista with installed Service Pack 1 or higher, Microsoft Windows Vista x64 with installed Service Pack 1 and all current updates, for Microsoft Windows Vista x64 the Microsoft Windows Installer 4.5 should be installed; Microsoft Windows Server 2008; Microsoft Windows Server 2008 x64 with installed Service Pack 1 and all current updates, for Microsoft Windows Server 2008 x64 the Microsoft Windows Installer 4.5 should be installed; Microsoft Windows 7.
Hardware requirements for Windows systems:
Intel Pentium III 800 MHz or higher;
256 MB RAM;
500 MB of available disk space.

TYPICAL SCHEMES FOR DEPLOYMENT OF ANTI-VIRUS PROTECTION

There are several options available for deployment of anti-virus protection system managed by Kaspersky Administration Kit on network computers:
Centralized remote installation of applications on client computers. In that case installation of applications and
connection to the centralized remote management system are performed automatically, requiring no administrator participation, and allow deployment of anti-virus software on any number of client computers.
By means of local installation of applications on each client computer. In that case the necessary components
are installed on client computers and the administrator's workstation manually, and the settings for client connection to the Server are defined during Network Agent setup. This installation method may be recommended for cases when centralized remote deployment is impossible.
Remote deployment can be used to install any administrator-defined applications. However, remember that Kaspersky Administration Kit only supports management of Kaspersky Lab's applications installed from distribution packages including a specialized component – the application management plug-in.
Kaspersky Lab applications can also be installed on computers as part of drive images. The Network Agent recognizes such installation type properly using the identifiers of hard disk drives and MAC addresses and connects correctly to the Administration Server.
RECOMMENDATIONS FOR CREATION OF CENTRALIZED MANAGEMENT OF ANTI­VIRUS PROTECTION
Selection of a deployment scheme is determined by the following main factors:
Corporate network structure: the speed of communication channels in various segments of the network and the
number of client computers in each segment.
Organizational corporate structure.
Number of employees in the IT department who will provide for the maintenance of anti-virus protection and the
tasks of division of responsibility between employees.
Existing hardware resources which can be allocated for the installation of components of anti-virus protection
management (Administration Servers, Update Agents).
Capacity of communication channels which is allocated for the functionality of components of anti-virus
protection within the corporate network.
Maximum allowed time for the execution of key administrative operations within the corporate network, such as
distribution of database updates and changes in policies for client computers.
The schemes for deployment of anti-virus protection most often resolve into one of the following options:
One Administration Server.
One Administration Server with Update Agents.
Administration Server Hierarchy.
Administration Server Hierarchy with Update Agents.
When selecting the optimal anti-virus protection scheme, it is recommended first to determine the existing network and hardware resources which can be used for the operation of a centralized anti-virus protection system. This analysis can determine the set of possible deployment schemes and exclude those of them which cannot be implemented within existing hardware resources and network infrastructure.
To analyze the network and hardware infrastructure, the following procedure is recommended:
1. Determine the settings of the network in which anti-virus protection will be deployed. The main settings among which are:
number of segments in the network;
number of managed computers in each network segment;
the speed of communication channels between individual network segments;
capacity of each communication channel which is used for the functionality of anti-virus protection.
2. Determine the maximum allowed time for the execution of key administrative operations for all managed computers.
3. Using collected information and the data of administration system stress testing (see section "Information about stress testing" on page 102) make a decision on the following issues:
D E P L O Y M E N T G U I D E
How many Administration Servers are required for work with all client computers? Is the Administration
Server Hierarchy required?
What hardware requirements must the Administration Servers comply with for maintenance of all client
computers within the allowed time?
Are intermediate centers for distributing updates and installation packages (Update Agents) required to
reduce the load on communication channels?
After answering the questions listed above, the administrator can create a set of allowed deployment schemes and select the most optimal one from them.
During the next step the administrator must create a centralized management of anti-virus protection by installing the corresponding Kaspersky Administration Kit components to the network computers, namely:
1. Install the Administration Server on a computer included into the corporate network.
2. Install Kaspersky Administration Console on computers that will be used for management purposes.
3. Using the Quick Start Wizard configure the centralized management of anti-virus protection.
4. Decide who the network administrators will be, determine other categories of users allowed to work with the system and assign a list of performed functions to each category.
5. Create user groups and provide to each group the access rights needed by its users for performance of their responsibilities.
6. If necessary, create the Administration Server Hierarchy.
7. For each Administration Server create the structure of administration groups and distribute computers into appropriate groups.
8. Install the required Kaspersky Lab applications on the client computers.
9. If necessary, create customized settings for the installed applications using policies and tasks.
PORT NUMBER
PROTOCOL
DESCRIPTION
Computer on which the Administration Server is installed
13000
TCP
It is used to:
retrieve data from client computers; connect to Update Agents; connect to slave Administration Servers.
SSL protection is used for these connections.
14000
TCP
It is used to:
retrieve data from client computers; connect to Update Agents; connect to slave Administration Servers.
SSL protection is not used for these connections.
13000
UDP
SSL connection is used to transmit information about computer shutdown.
13292
TCP
The port is used for connection of mobile devices. (A mobile device here means a device with the Kaspersky Mobile Security
Enterprise Edition installed.)
18000
HTTP
The Administration Server uses this port to receive data from the Cisco NAC authentication server.
Computer assigned to function as Update Agent
13000
TCP
The port is used by client computers to connect to the Update Agent.
13001
TCP
The port is used by client computers to connect to the Update Agent if a computer with the installed Administration Server functions as an Update Agent.
14000
TCP
The port is used by client computers to connect to the Update Agent.
14001
TCP
The port is used by client computers to connect to the Update Agent if a

INSTALLING KASPERSKY ADMINISTRATION KIT

Before starting the setup process, make sure that the hardware and software of the host computer meet the requirements for the Administration Server and Administration Console (see section "Hardware and software requirements" on page 9).
Kaspersky Administration Kit stores its information in an SQL server database. Microsoft SQL Server 2005 Express Edition is installed for that purpose by default together with Kaspersky Administration Kit. Other SQL servers can also be used for data storage (see section "Hardware and software requirements" on page 9). In that case they must be installed on the network before Kaspersky Administration Kit setup.
Installation of Kaspersky Administration Kit requires administrator's privileges on the computer where the installation is performed.
To ensure that application components function correctly after setup, all the required ports must be open on the host computers. The ports that Kaspersky Administration Kit uses by default are listed in the table below.
Table 1. Ports used by Kaspersky Administration Kit
D E P L O Y M E N T G U I D E
PORT NUMBER
PROTOCOL
DESCRIPTION
computer with the installed Administration Server functions as an Update Agent.
Client computer with installed Network Agent.
15000
UDP
The port is used to receive requests for connection to the Administration Server, which can collect information about a host in real time.
60000
UDP
The port is used by the Wake On LAN feature.
IN THIS SECTION
Installation of Kaspersky Administration Kit components on a local computer ................................................................ 16
Removal of Kaspersky Administration Kit components ................................................................................................... 31
Upgrading the application ................................................................................................................................................ 31
For outbound connections of client computers to the Administration Server and Update Agents, the range of ports 1024– 5000 (TCP) is used. In Windows Vista and Windows Server 2008 the default range of ports for outbound connections is 49152–65535 (TCP).
INSTALLATION OF KASPERSKY ADMINISTRATION KIT
COMPONENTS ON A LOCAL COMPUTER
This section contains a description of local installation of the Kaspersky Administration Kit components. Two setup options are available:
Standard installation (see section "Standard installation" on page 16). A minimum required set of components
will be installed in that case. This type of installation is recommended for networks which include up to 200 computers.
Custom installation (see section "Custom installation" on page 17). In that case you can select individual
components for installation and configure additional settings. This installation type is recommended for experienced users.
Standard installation of the application is recommended. You can modify all application settings and install additional components later, if necessary.
If at least one Administration Server is installed in the network, additional Servers can be deployed remotely using push install (see section "Creating a deployment task" on page 35). During task creation, use the Administration Server installation package (see section "Creating and configuring an installation package for Administration Server" on page 82).

STANDARD INSTALLATION

To install Kaspersky Administration Kit locally on a computer:
1. Run the setup.exe. The Setup Wizard will invite you to configure the settings. Follow the wizard's instructions.
2. Select Standard installation.
3. During the next step of the wizard, select the size of the network in which the application is being installed.
I N S T A L L I N G KA S PE R S K Y A D M I N I S T R A T I O N KIT
4. Then the wizard extracts the necessary files from the distribution package and writes them to the hard drive of the computer.
In the last window the wizard invites you to start the Administration Console. The first time the Console is launched, you can perform the initial configuration of the application (for more details please see the Reference Guide).
When the wizard completes, the following application components will be installed on the system drive:
Administration Server (together with the server version of the Network Agent);
Administration Console;
All available management plug-ins for applications.
The following applications required for application operation will also be installed, if they were not installed earlier:
Microsoft Windows Installer 3.1;
Microsoft Data Access Component 2.8;
Microsoft .NET Framework 2.0;
During installation of Microsoft .NET Framework to Microsoft Windows 2000, an error may occur. This can be avoided by installing Security Update for Windows 2000 (KB835732).
Microsoft SQL Server 2005 Express Edition.

CUSTOM INSTALLATION

To perform custom installation of Kaspersky Administration Kit locally on a computer, run the setup.exe file from the CD containing the distribution package. The Setup Wizard will invite you to configure the settings. Follow the wizard's instructions.
D E P L O Y M E N T G U I D E
THE WIZARD'S STEPS
Step 1. Selecting the destination folder ........................................................................................................................... 18
Step 2. Selecting the components to be installed ............................................................................................................ 18
Step 3. Selecting the network size .................................................................................................................................. 20
Step 4. Selecting account ................................................................................................................................................ 21
Step 5. Selecting database .............................................................................................................................................. 22
Step 6. Configuring SQL server ....................................................................................................................................... 22
Step 7. Selecting the authentication mode ...................................................................................................................... 24
Step 8. Selecting a shared folder .................................................................................................................................... 26
Step 9. Configuring connection to Administration Server ................................................................................................ 27
Step 10. Defining the Administration Server address ...................................................................................................... 28
Step 11. Configuring the settings for mobile devices ....................................................................................................... 30
Step 12. Completing set up ............................................................................................................................................. 30
STEP 1. SELECTING THE DESTINATION FOLDER
Define the folder where product components will be installed. By default, it will be <Drive>:\Program Files\Kaspersky Lab\Kaspersky Administration Kit. If this folder does not exist, it will be created automatically. You can change the destination folder using the Browse button.
STEP 2. SELECTING THE COMPONENTS TO BE INSTALLED
In the next wizard window, select the components of Kaspersky Administration Kit, which you wish to install (see the figure below):
Administration Server. The Administration Agent component is installed automatically.
You can also indicate if any additional components should be installed:
Kaspersky Lab Cisco NAC Posture Validation Server. This is a standard Kaspersky Lab component
authorizing a set of credentials for common operation with Cisco NAC. The settings of interaction with Cisco NAC can be configured in the Administration Server properties or policy (for details please refer to Kaspersky Administration Kit Reference Guide).
SNMP agent. This component supports collection of statistical information for the Administration Server via
SNMP. It is only available when the application is installed on a computer with SNMP installed.
After Kaspersky Administration Kit installation, the mib-files required for monitoring will be located in the SNMP nested folder of the application installation folder.
Mobile devices support. This component provides for common product operation with Kaspersky Mobile
Security Enterprise Edition.
I N S T A L L I N G KA S PE R S K Y A D M I N I S T R A T I O N KIT
Kaspersky Lab System Health Validator. It is a Kaspersky Lab tool checking normal system functioning
(System Health Validator) and interacting with Microsoft NAP. This component is only available during setup on a computer with the Microsoft Windows Server 2008 installed.
Administration Console.
Figure 1. Selecting the components to be installed
Network Agent setup cannot be cancelled, the component is always installed.
Server version of the Network Agent will be installed on the computer together with the Administration Server. Administration Server cannot be installed together with the regular version of the Network Agent. If that component is already installed on the target computer, remove it and run the Administration Server installation again.
Please note that the wizard dialog contains reference information:
on the selected component in the Description field in the right part of the window;
on the disk space required to install the selected components and available free space on the selected
destination drive, in the lower part of the window.
If you have selected the Administration Console only, there will be no further configuration steps; the wizard will proceed to the list of setup settings and the actual installation start.
If you have selected the Administration Server installation, proceed to the next step.
D E P L O Y M E N T G U I D E
SETTINGS
1–100 COMPUTERS
100–1000 COMPUTERS
MORE THAN 1000
COMPUTERS
Display of the slave Administration Servers node and all corresponding settings
– – +
Display of the security settings
– – +
Display of the applications registry and all corresponding settings
+ +
Creation of a Network Agent policy using the Quick Start Wizard
– – +
Enable randomization of the update task launch time on client computers
5 minutes
10 minutes
STEP 3. SELECTING THE NETWORK SIZE
Specify the size of the network where you are installing Kaspersky Administration Kit (see the figure below). This information will help to ensure optimal configuration of the application interface and settings. You can modify these settings later (for details please refer to the Kaspersky Administration Kit Administrator's Guide).
Figure 2. Selecting the network size
The table below contains the main differences in the setup depending upon various selected network sizes.
Table 2. Relation between the setup settings and the network size
I N S T A L L I N G KA S PE R S K Y A D M I N I S T R A T I O N KIT
STEP 4. SELECTING ACCOUNT
Define the account that will be used to start the Administration Server as a service on a given computer (see the figure below).
Figure 3. Selecting account
The two following options are available:
Local System account – the Administration Server will start using the Local System account and its
credentials.
Correct operation of Kaspersky Administration Kit requires that the account used to start the Administration Server should have the administrator's rights on the resource where the Administration Server database is hosted.
In Microsoft Windows Vista and later versions of Windows, the Administration Server cannot be configured to use the local system account. Therefore, the Automatically created account (<Name of account>) option is available on computers running the specified operating systems.
Specified account – the Administration Server will start using the account included into a domain. In this case
the Administration Server will initiate all operations using the credentials of that account. Use the Browse button to select the user whose account will be used and enter the password.
If you have selected a specified user account to launch the Administration Server, you will be offered to specify that user.
If later you decide to change the Administration Server account, you will need to use the utility for Administration Server account switching (klsrvswch). For details please see the Kaspersky Administration Kit Reference Guide.
D E P L O Y M E N T G U I D E
STEP 5. SELECTING DATABASE
During the next step you will be offered to select the resource: Microsoft SQL Server (SQL Express) or MySQL (see the figure below), which will be used for storage of the Administration Server information database.
Figure 4. Selecting database
STEP 6. CONFIGURING SQL SERVER
If you have selected SQL Express or Microsoft SQL Server during the previous step, and you plan to use Kaspersky Administration Kit with a server installed in the corporate network, enter its name in the SQL Server name field. In the Database name field (see the figure below), specify the name of the database, which will be created for the Administration Server information. The default name for the database will be KAV.
If you plan to manage fewer than 5,000 computers with Kaspersky Administration Kit, Microsoft SQL Express 2005 / 2008 can be used. If the planned number of computers managed with Kaspersky Administration Kit exceeds 5, 000, Microsoft SQL 2005 / 2008 is recommended.
I N S T A L L I N G KA S PE R S K Y A D M I N I S T R A T I O N KIT
If no SQL server is installed in the network yet, select the option to Install Microsoft SQL Server 2005 Express Edition. All the necessary settings will be configured automatically.
Figure 5. Selecting database
The name of an SQL server will appear in the SQL Server name field automatically, if the installer finds it on the computer where Kaspersky Administration Kit is being installed. The Browse button displays the list of all Microsoft SQL servers installed in the network.
If the Administration Server will start using the local administrator or local system account, the Browse button is not available.
D E P L O Y M E N T G U I D E
If a MySQL Enterprise server has been selected during the previous step, use this window (see the figure below) to specify its name in the MySQL Server name field (by default, the system uses the IP address of the computer where Kaspersky Administration Kit is being installed) and the port for connection in the Port field (the default port number is
3306). In the MySQL Database name field enter the name of the database, which will be created for storage of the Administration Server data (the default database name is KAV).
Figure 6. Selecting MySQL Enterprise server
If the network contains no SQL servers or you cannot use the existing servers, you should install a server. The supported SQL servers are listed in the system requirements (see section "Hardware and software requirements" on page 9).
If you wish to install an SQL server on the computer from which you have initiated installation of the Kaspersky Administration Kit, you will need to abort the installation procedure and restart it after the SQL server is installed.
If you are installing the server on a remote computer, there is no need to interrupt the setup wizard of the Kaspersky Administration Kit. Install an SQL server and return to the Kaspersky Administration Kit setup.
STEP 7. SELECTING THE AUTHENTICATION MODE
Determine the authentication mode that will be used during the Administration Server connection to the SQL server.
For SQL Express or Microsoft SQL Server you can select one of the following two options (see the figure below):
Microsoft Windows Authentication Mode – in that case the account used to start the Administration Server
will be employed to verify the credentials;
SQL Server Authentication Mode – if you select that option, the account specified below will be used to verify
the credentials. Fill in the Account, Password and Confirm password fields.
I N S T A L L I N G KA S PE R S K Y A D M I N I S T R A T I O N KIT
If the Administration Server database is stored on another computer, then, during installation or upgrade of the Administration Server, you should use the SQL server authentication mode for cases when the Administration Server account has no access to the database server. That is possible if one of the computers is outside the domain or the Administration Server is configured to use the Local system account.
Figure 7. SQL Server Authentication Mode
D E P L O Y M E N T G U I D E
Specify the user account and password for MySQL Enterprise server (see the figure below).
Figure 8. Authentication mode on MySQL Enterprise server
STEP 8. SELECTING A SHARED FOLDER
Define the location and name of the shared folder (see the figure below) that will be used to:
store the files necessary for remote deployment of applications (the files are copied to the Administration Server
during creation of installation packages);
I N S T A L L I N G KA S PE R S K Y A D M I N I S T R A T I O N KIT
store updates downloaded from an updates source to the Administration Server.
Figure 9. Creating a shared folder
File sharing (read only) will be enabled for all users.
The two following options are available:
Create new shared folder to make a new folder; specify the folder path in the field below in that case.
Select existing shared folder to choose a shared folder among the directories that already exist.
The shared folder can be a local folder on the computer running the installer or remote directory on any computer within the corporate LAN. You can use the Browse button to select the shared folder or specify it manually by entering its UNC path (for example, \\server\KLShare) in the corresponding field.
By default, the installer creates a local KLShare subfolder in the program folder containing the components of Kaspersky Administration Kit.
STEP 9. CONFIGURING CONNECTION TO ADMINISTRATION SERVER
Define the settings for connection to the Administration Server (see the figure below):
The number of the port used to connect to the Administration Server. By default, port 14000 will be used.
SSL port number that will be used for secure connection to the Administration Server. By default, port 13000 will
be used.
D E P L O Y M E N T G U I D E
If the Administration Server is installed on a computer running Microsoft Windows XP with Service Pack 2, then the built­in system firewall blocks TCP ports 13000 and 14000. Therefore, to allow access to the computer with the installed Administration Server, these ports must be opened manually.
Figure 10. Settings for connection to the Administration Server
STEP 10. DEFINING THE ADMINISTRATION SERVER ADDRESS
Specify the Administration Server address (see the figure below) using:
DNS name. This method is helpful in cases when the network includes a DNS server and client computers can
use it to obtain the Administration Server address.
NetBIOS name. This method is used when client computers obtain the Administration Server address via the
NetBIOS protocol or there is an available WINS server in the network.
I N S T A L L I N G KA S PE R S K Y A D M I N I S T R A T I O N KIT
IP address. This option is used if the Administration Server has a static IP address, which will not be changed in
the future.
Figure 11. Administration Server address
D E P L O Y M E N T G U I D E
PROPERTY
ADMINISTRATION SERVER
KASPERSKY LAB CISCO NAC POSTURE VALIDATION SERVER
NETWORK AGENT
Service name
CSAdminServer
nacserver
klnagent
Displayed service name
Kaspersky Administration Server
Kaspersky Lab Cisco NAC Posture Validation Server
Kaspersky Network Agent Startup type
Automatic at the operating system start.
Account
Local System or user-defined.
STEP 11. CONFIGURING THE SETTINGS FOR MOBILE DEVICES
If the Mobile devices support component was selected for installation, specify the Administration Server name for connection of mobile devices (see the figure below).
Figure 12. Administration Server address for connection of mobile devices
STEP 12. COMPLETING SET UP
Once the installation settings for the components of Kaspersky Administration Kit are defined, you can check them and begin actual installation.
After the Administration Console is installed on your computer, its icon appears in the Start Programs Kaspersky Administration Kit menu and can be used to start the Console.
The Administration Server and Network Agent will be installed on the computer as services with the properties listed below. The table also contains the properties of the Kaspersky Lab Posture Validation Server for Cisco NAC, which will be running on the computer if the corresponding component has been installed together with the Administration Server.
Table 3. Administration Server and Network Agent properties
The server version of the Network Agent will be installed on the computer together with the Administration Server. It is part of the Administration Server which is installed and removed together with the server; it can only interact with a locally
Loading...
+ 87 hidden pages