Kaspersky Lab KASPERSKY ANTI-VIRUS-ADMINISTRATION KIT 5.0 ADMINISTRATOR GUIDE

KASPERSKY LAB
Kaspersky® Administration Kit
version 5.0
Administrator’s manual
© Kaspersky Lab
Visit our website: http://www.kaspersky.com/
Revision date: December, 2005
Contents
CHAPTER 1. KASPERSKY ADMINISTRATION KIT
1.1. About Kaspersky Administration Kit
1.2. What’s new in version 5.0?
1.3. Hardware and software requirements
1.4. Distribution kit
1.4.1. License Agreement
1.5. Help desk for registered users
1.6. The purpose of the document
1.7. Conventions
CHAPTER 2. UNDERSTANDING KASPERSKY ADMINISTRATION KIT
2.1. Logical network
2.2. Policies, settings, and tasks
2.3. Connecting clients to the Administration server
2.4. Secure connection to the Administration Server
2.4.1. Administration Server certificate
2.4.2. Administration Server authentication (when the Administration Console connects to the server)
2.4.3. Administration Server authentication when establishing connection with a client
2.5. Identification of computers on the logical network
2.6. Logical network administrators and operators
2.7. Rolling out anti-virus protection over logical network
2.8. Building a centralized management system
2.9. Maintaining a logical network
2.10. Coordinating joint operation of administrators
2.11. User interface
2.11.1. Main window
2.11.2. Console tree
2.11.3. Shortcut menu
CHAPTER 3. INSTALLING KASPERSKY ADMINISTRATION KIT
3.1. Installing MSDE using the Kaspersky Administration Kit installation package
3.2. Installing the Administration Server and the Administration Console
3.3. Uninstalling Kaspersky Administration Kit components
3.4. Upgrading to a newer application version
CHAPTER 4. USING THE APPLICATION
4.1. Starting the program and connecting to the administration server
4.2. Granting rights
4.3. Quick Start Wizard
4.4. Viewing, creating, and configuring a logical network
4.5. Hierarchy of Administration Servers
4.6. Installing and uninstalling applications on client computers
4.6.1. Remote installation (deployment) and uninstallation of software
4.6.1.1. Creating installation packages
4.6.1.2. Creating an application deployment task
4.6.2. Application Deploy Wizard
4.6.3. Local installation of applications
4.7. Policy management
4.8. Task management
4.9. Managing application settings
4.10. Updating the Anti-Virus database and program modules
4.11. Working with the quarantine
4.12. Event logs, reports and notifications
4.13. Managing license keys
4.14. Backing up and restoring data from the Administration Server
APPENDIX A. FAQ
APPENDIX B. GLOSSARY
APPENDIX C. KASPERSKY LAB
C.1. Other Kaspersky Lab Products
C.2. Contact Us
APPENDIX D. LICENSE AGREEMENT
CHAPTER 1. KASPERSKY ADMINISTRATION KIT
1.1. About Kaspersky Administration Kit
Kaspersky® Administration Kit is designed for centralized performance of key administrative tasks. It gives you complete control over your enterprise antivirus policy, built on the Kaspersky Anti-Virus Business Optimal and Kaspersky Anti-Virus Corporate Suite applications. Kaspersky Administration Kit supports all network configurations that use the TCP/IP protocol.
Kaspersky Administration Kit is a tool for corporate network administrators and anti-virus security officers. The application enables administrators to:
Deploy Kaspersky Lab applications across a network connection to remote computers running Windows. You can create a custom set of Kaspersky Lab applications on a dedicated computer and then install these multiple applications at once on any number of networked computers.
Efficiently manage license keys. With Kaspersky Administration Kit, you can centrally install license keys for all Kaspersky Lab applications, monitor the correspondence between the numbers of licenses and Kaspersky Lab applications installed across your network, and track license expiration dates.
Remotely manage multiple Kaspersky Lab applications installed on Windows-based computers from a single location. With Kaspersky Administration Kit, you can build a multitier anti-virus protection system managed from one single administrator’s workstation. This is particularly important for enterprises with a multilayer local network spread over remote offices. This feature enables the administrators to:
Create administration groups of computers with similar functions and applications;
Configure application settings simultaneously by applying group policies;
Tailor installations to fit the requirements for individual computers by using application settings;
Manage multiple applications by assigning group and global tasks;
Schedule tasks for applications installed on computers from different administration groups.
Automatically update the anti-virus database. You can centrally update the anti-virus database for all applications without having each computer directly connect to Kaspersky Lab update servers. You can schedule updating to run automatically at a specified time to constantly keep your protection current and monitor the update process on client computers.
Gather reports from all installations. Using the enhanced reporting capabilities of Kaspersky Administration Kit, you can collect statistics about the operation of all installations and create reports based on the most recent statistics. The program allows you to create a cumulative network report for a single Kaspersky Lab application (application-specific reports) or a report about all Kaspersky Lab applications installed on an individual computer (computer-specific report).
Receive notifications about specific events by e-mail.
You can specify a set of events which require notification. Such events that may occur during application performance could be, for example, detection of a virus, failure to update, or a new computer appearing on the network.
Kaspersky Administration Kit has three main components:
Administration Server is a centralized storage of information about Kaspersky Lab applications installed on the local company network and a tool for efficiently managing them.
Network Agent coordinates the Administration Server and the Kaspersky Lab applications installed on a particular network node (a workstation or a server). This component supports all applications included in Kaspersky Anti-Virus Business Optimal and Kaspersky Anti-Virus Corporate Suite.
Administration Console, a user interface for Server and Agent Administration services, plugs into the Microsoft Management Console (MMC).

1.2. What’s new in version 5.0?

The following features are new to Kaspersky Administration Kit version 5.0:
Ability to manage all Kaspersky Lab applications installed on Windows-based computers.
Ability to manage the anti-virus protection system, even for large networks (up to tens of thousands of PCs).
Integration of the standard Windows user interface with the Microsoft Management Console (MMC).
Management of anti-virus protection through specific tasks.
Centralized assignment of general application settings for a bunch of computers from the same administration group.
Ability to create anti-virus protection policies by assigning group tasks, to enforce these policies, and to monitor their performance.
Enhanced reporting capabilities.
Improved logging and reporting system. You can view general data on the anti-virus status of the entire network or view reports on each managed application available for every single computer on your network.
Centralized License Key Management system. This allows you to control the correspondence between the number of licenses and the number of Kaspersky Lab applications currently installed, track license expiration dates, and update license keys in a timely manner.
1.3. Hardware and software requirements
Administration Server
Software requirements:
MSDE 2000 SP 3 or MS SQL Server 2000 SP 3 (you can install MSDE from the distribution package included in the Kaspersky Administration Kit distribution kit)
Windows 2000 SP 1 or higher; Windows XP SP 1 or higher; Windows 2003 Server; Windows NT4 SP 6a
Hardware requirements:
Intel Pentium III processor, 800 MHz or faster
128 MB RAM
400 MB available space on hard drive
Administration Console
Software requirements:
Windows 2000 SP 1 or higher; Windows NT4 SP 6a; Windows XP SP 1 or higher; Windows 2003 Server; Microsoft Management Console version 1.2 or higher
Hardware requirements:
Intel Pentium II processor, 400 MHz or faster
At least 64 MB RAM
10 MB of available hard drive space
Network Agent
Software requirements:
Windows 98; Windows ME; Windows 2000 SP 1 or higher; Windows NT4 SP 6a; Windows XP SP 1 or higher, and Windows 2003 Server
Hardware requirements:
Intel Pentium processor, 233 MHz or faster
32 MB RAM
10 MB available space on hard drive

1.4. Distribution kit

You can purchase this software product from our dealers (retail box) only as a part of Kaspersky Anti-Virus Business Optimal and Kaspersky Corporate Suite for protection of Microsoft Windows-based workstations and servers or online (for example, visit www.kaspersky.com and follow the E-Store link).
The retail box package includes:
a sealed envelope with the installation CD containing the application files;
User's Guide;
a license key written on the installation CD;
registration card for the main software product (containing the serial number of the product);
License Agreement.
Before you open the envelope with the CD, make sure that you have carefully read the license agreement.
If you buy Kaspersky Anti-Virus online, you will download the application from the Kaspersky Lab's website. In this case, the distribution kit will include this Guide along with the application. The license key will be e-mailed to you upon the receipt of your payment.
1.4.1. License Agreement
License Agreement is a legal contract between you and Kaspersky Lab Ltd., which contains the terms and conditions, on which you may use the anti-virus product you have purchased.
Read the License Agreement carefully!
If you do not agree with the terms of the license agreement, you can return Kaspersky Anti-Virus to your dealer for a full refund. In this case, the envelope with the installation CD must remain sealed.
By opening the sealed envelope containing the installation CD or by installing the product on your computer you accept all terms and conditions of the License Agreement.

1.5. Help desk for registered users

Kaspersky Lab offers a large service package, enabling its legal users to enjoy all available features of Kaspersky Anti-Virus.
If you register and purchase a subscription, you will be provided with the following services for the period of your subscription:
New versions of this anti-virus software application provided free of charge;
Phone or e-mail counsel on matters related to the installation, configuration, and operation of the anti-virus application;
Information about new Kaspersky Lab applications and about new computer viruses (for those who subscribe to the Kaspersky Lab newsletter).
Kaspersky Lab does not provide information related to operation and use of your operating system or various other technologies.

1.6. The purpose of the document

This Guide describes the purpose, general concepts, functions and general operation schemes of the Kaspersky Administration Kit application. A step-by-step description of actions is provided in the Kaspersky Administration Kit Reference Book. Functions described in this book are underlined.
To review questions that our users often ask Kaspersky Lab's support specialists, visit our website and follow the Services → Knowledge base link. This section contains information about installation, configuration and functioning of Kaspersky Lab's applications and about removal of the most commonly spread viruses and disinfection of infected files.

1.7. Conventions

Various formatting features and icons are used throughout this document depending on the purpose and the meaning of the text. The table below lists the conventions used in the text.
Convention                                    Meaning
Bold font                                     Menu titles, commands, window titles, dialog elements, etc.
Note                                          Additional information, notes.
Attention                                     Critical information.
To perform an action: 1. Step 1. 2. …         Description of the successive user's steps and possible actions.
Task, example                                 Statement of a problem, example of the demonstration of the application's capabilities.
Solution                                      Implementation of the task.
[key] – modifier name                         Command line modifier.
Information messages and command line text    Text of configuration files, information messages and command line.
CHAPTER 2. UNDERSTANDING KASPERSKY ADMINISTRATION KIT
2.1. Logical network
Kaspersky Administration Kit provides enterprise management functions that make it possible to manage thousands of computers from a single centralized administrative interface. This entails computers on a corporate network being organized in administration groups based on their functions and Kaspersky Lab applications installed on them. This significantly facilitates management because all computers in a group are treated as a single unit. For example, one group includes all workstations, another group, only file servers, etc.

Logical network is a hierarchical structure of administration groups consisting of client computers. Kaspersky Lab applications installed on client computers are managed through Kaspersky Administration Kit.
Administration Server Client (client computer; hereinafter, a client computer is an Administration Server Client) is a computer, a server or a workstation subject to anti-virus protection. The Network Agent and Kaspersky Lab applications being managed must be installed on each client computer.
Groups are logical groupings of clients administered by a single server. All computers in a group share:
The same anti-virus policies specific to each application.
The same tasks (application functions) and configuration settings.
This can be, for example, a custom installation package, updating anti-virus database and program modules, on-demand scans, and real-time protection.
The administrator can create a hierarchy of nested administration groups to any level of specificity in order to facilitate application administration. Both groups and client computers can be located at the same hierarchical level. Each client computer can be a member of only one group.
Administration Server is a computer on the corporate network running the Administration Server application. The administration server is a logical network object.
Administration servers can form a hierarchy of the type "master server – slave server". A master Administration server can have several slave servers (see section 4.5 on page 52).
Administration Server (or more precisely the administration server application) is used to:
Store information about the logical network structure (network configuration)
Store backups of client configurations
Store distribution files for Kaspersky Lab applications
Remotely install and uninstall applications on client computers
Update anti-virus database and program modules
Manage policies and group tasks on client computers
Store information about events which have occurred on client computers
Generate reports on application performance across the logical network
Distribute license keys across client computers
Send alerts from tasks running on client computers. You can be notified, for example, about a virus found on a client computer
The Network Agent maintains communication between the administration server and client computers. It provides information about the current status of applications, sends and receives commands, updates configuration information, and notifies the server about specified events. See section 2.3 on page 16 on how to attach the Network Agent to the administration server.
Corporate network computers running the administration console are referred to as administrator workstations. From these workstations, administrators can remotely manage all Kaspersky Anti-Virus components installed across the logical network.
Network Agent Console Plug-in, a special component providing the management interface for each application, is included in all Kaspersky Lab applications managed through Kaspersky Administration Kit. Each application has its own plug-ins installed on the administrator workstation. The plug-ins provide:
Dialog boxes for creating and editing application policies
Dialog boxes for creating and editing application settings
Dialog boxes for configuring task settings
Information about tasks performed by an application
Information about events generated by an application
Information about events and statistics for each client computer sent to the administration console.
The administrator workstation is not a logical network object. However, it can be added to the logical network as a client computer. The number of administrator workstations is potentially unlimited. Administrator workstations from different logical networks can coincide – any logical network can be administered from any administrator workstation available on your local network.
On a logical network, the same computer can act as a client computer, an administration server, and an administrator workstation.

2.2. Policies, settings, and tasks

A task is an action performed by a Kaspersky Lab application. There are several types of tasks, depending on task functions. Each task corresponds to specific application settings.
For more information about task types, refer to the documentation for Kaspersky Lab applications.
The set of the operation parameters of the application common for all types of tasks forms the application settings. The application operation parameters specific to each type of task constitute the task settings. The application and task settings are always different.
To have an application perform an action, you should configure application settings, create a corresponding task, define its settings and run it.
You can use policies to apply custom application settings to multiple client computers on a logical network. A policy is a set of application parameters shared by all computers in a group. The application parameters are different for various groups. The policy is specific to each application.
The policy for a specific application involves configuration of all available application settings. Thus, assigning a policy involves configuration of both application settings and task settings specific to this application. The only exception is the parameters which must be defined before task startups. For example, assigning a policy for client computers that involves real-time protection and on-demand scanning means configuring settings for both tasks.
Each policy has a checkbox that indicates whether a parameter related to this policy can be redefined by changing the application settings or task settings or configuring the policies for nested groups (at the lower hierarchical level).
Several policies with different settings values can be defined for the same application in a group. However, only one policy can be active for the application at one time. It is possible to activate a policy that is not the active policy based on an event, which allows, for example, establishing stricter anti-virus protection settings during virus outbreaks.
In a group, only one policy can be defined for each application. In each group, you can create a specific policy for an application. A nested (child) group inherits the policy of the parent group if the child group policy is not defined.
Thus, you can force all computers in a group to share the same application settings by using policies. However, some application settings and task settings for particular computers in a group can be modified, unless they are locked from changes by the group policy.
Tasks can be created centrally and configured across a logical network. The task assigned to an administration group is a group task; the task assigned to an individual client computer is referred to as a local task; and that assigned to multiple client computers from different groups on the logical network is a global task.
The group task can be assigned to a group even if the application is only installed on some of the client computers in this group. In this case, the group task will be executed only on the computers that have this application installed.
Nested groups inherit tasks from their parent groups. A task defined for a group will be shared not only by all client computers from this group but also by client computers of all nested groups at the lower levels.
The tasks assigned locally to a particular client computer will only be executed on this computer. Local tasks will be added to the list of current tasks for this client computer during synchronization of this client with the administration server.
Because all application settings are governed by a policy, you can only change settings that are defined as modifiable by this policy or settings specific to a particular task. For example, for on-demand scanning of a drive, you should specify the disk name, file masks, etc.
Information about policies, application settings, tasks, and task settings is stored on the server and distributed to the client computers during synchronization. From clients, the administration server receives data about local changes not restricted by the policy, applications running on client computers, their status, and assigned tasks.
When a task is running on a client computer, the application settings are determined by:
Modified task settings and application settings (if they have not been protected from changes under the current policy).
The group policy if the settings were protected from changes or not modified.
The parent policy if the group policy for an application has not been defined.
You can schedule tasks to start automatically or run them on demand. Task performance results are saved on the administration server. The administrator can be notified of task results or can view detailed reports.
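The resolution order described in this section, modelled as an added Python example (it is not code from Kaspersky Administration Kit). The group names, the application name, the parameter names and the reading that a parameter locked in a parent policy also keeps its value in a nested group's policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Policy:
    """One application's policy: parameter values and the names locked against redefinition."""
    values: Dict[str, object]
    locked: FrozenSet[str] = frozenset()


@dataclass
class Group:
    """Administration group; `policies` maps an application name to its active policy."""
    name: str
    parent: Optional["Group"] = None
    policies: Dict[str, Policy] = field(default_factory=dict)


def resolve_policy(group: Group, app: str) -> Optional[Policy]:
    """Return the policy in force for `app` in `group`.

    The nearest group that defines a policy wins (a group without one inherits
    its parent's), but parameters locked higher up keep the ancestor's value.
    """
    chain: List[Group] = []
    node: Optional[Group] = group
    while node is not None:
        chain.append(node)
        node = node.parent
    values: Dict[str, object] = {}
    locked: FrozenSet[str] = frozenset()
    found = False
    for g in reversed(chain):  # walk from the root group down to `group`
        policy = g.policies.get(app)
        if policy is None:
            continue
        found = True
        pinned = {name: values[name] for name in locked if name in values}
        values = {**policy.values, **pinned}
        locked = locked | policy.locked
    return Policy(values, locked) if found else None


def effective_settings(group: Group, app: str,
                       local_changes: Dict[str, object]) -> Tuple[Dict[str, object], List[str]]:
    """Apply local changes on top of the policy; return (settings, rejected parameter names)."""
    policy = resolve_policy(group, app)
    if policy is None:
        return dict(local_changes), []
    settings = dict(policy.values)
    rejected = []
    for name, value in local_changes.items():
        if name in policy.locked:
            rejected.append(name)  # locked by policy: the local change is ignored
        else:
            settings[name] = value
    return settings, sorted(rejected)


# Constructed sample hierarchy (hypothetical names and parameters).
APP = "workstation-av"
ROOT = Group("Company", policies={APP: Policy(
    {"realtime_protection": True, "scan_archives": False, "update_interval_min": 60},
    locked=frozenset({"realtime_protection"}))})
SERVERS = Group("FileServers", parent=ROOT)  # no policy of its own: inherits
LAPTOPS = Group("Laptops", parent=ROOT, policies={APP: Policy(
    {"realtime_protection": False, "scan_archives": True, "update_interval_min": 15},
    locked=frozenset({"update_interval_min"}))})


def policy_demo() -> Dict[str, Tuple[Dict[str, object], List[str]]]:
    return {
        "servers": effective_settings(
            SERVERS, APP, {"realtime_protection": False, "scan_archives": True}),
        "laptops": effective_settings(
            LAPTOPS, APP, {"update_interval_min": 240, "scan_archives": False}),
    }


if __name__ == "__main__":
    for client, (settings, rejected) in policy_demo().items():
        print(client, settings, "rejected:", rejected)
```

The list of rejected names is the part worth logging: it shows which clients tried to change a parameter that the policy protects.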
2.3. Connecting clients to the Administration server
To enable communication between the clients and the administration server, the client computers must be connected to the server (see section 2.1 on page 12). The Network Agent installed on clients provides this functionality.
The following operations require connection to the server:
Refreshing the list of applications installed on client computers
Synchronization of policies, application settings, tasks, and task settings
Updating the information on applications and tasks running on client computers
Delivery of events to be processed on the server
In most cases, client computers are connected to the server. This connection is used to automatically exchange data between the clients and the server and to send information about application events to the server.
Automatic synchronization is performed at regular time intervals defined by the Network Agent settings (for example, once every fifteen minutes). The time interval is set by the administrator.
Information about an event is sent to the server immediately after the event occurs.
In the client settings, you can check/uncheck the Keep connection checkbox to keep or terminate the client–server connection after the above operations are over. Permanent connection is preferred if connecting to a client is impaired for some reason (the client is behind a firewall, client ports cannot be opened, the client IP address is unknown, etc.) or you need to constantly monitor the performance of Kaspersky Lab applications.
The administrator can force synchronization to start by clicking the Force synchronization command on the shortcut menu (see section 2.11.3 on page 29). In this case, the connection is initiated by the server. To enable connection, the UDP port is opened on the client computer. The server sends a connection query to the client’s UDP port. In response, the server's rights to connect to the client are verified (based on a digital signature), and, if the signature is valid, the connection is established.
A second type of connection is also used to retrieve data from client computers – update the lists of applications and tasks running on the client and refresh application statistics.
All transactions between client computers and the administration server are secured by SSL (Secure Sockets Layer). SSL protocol uses electronic certificates for server and client authentication and provides transmitted data encryption and message integrity.
2.4. Secure connection to the Administration Server
Data exchange between clients and the Administration Server and connections of the console to the Administration Server are secured by SSL protocol (Secure Sockets Layer). SSL protocol is responsible for authentication of communicating parties, encryption of the data being transferred, and verification of data integrity. Data integrity ensures that the data has not been corrupted or altered in transit. An SSL-enabled connection involves authentication of both sides of a network communication session and encryption of data using the closed key method.
2.4.1. Administration Server certificate

The Administration Server certificate is used for authentication when a connection between the Administration Console and the Administration Server is being established or data is being transferred from client computers.

The Administration Server certificate is created during the installation of the Administration Server. The certificate is stored on the Administration Server, in the Cert folder in the installation directory.
The Administration Server certificate can be created only once, during server installation. To restore the certificate, you must reinstall the Administration Server and restore the lost data from the Backup (about backup options, see 4.14 on page 67).
2.4.2. Administration Server authentication (when the Administration Console connects to the server)
When the Administration Console connects to the Administration Server for the first time, it requests the certificate from the server and saves it locally, on the administrator workstation. Upon subsequent connections of the Console to the server with this name, the server will be authenticated using this certificate.
If the server does not pass authentication (i.e., the current certificate differs from that stored on the administrator workstation), the Console informs the user about this and requests the Server for a new certificate. If the connection is confirmed and another certificate is received, the Administration Console will save the new certificate to the hard disk so that it can be used to authenticate the server in future sessions.
2.4.3. Administration Server authentication when establishing connection with a client
When a client connects to the Administration Server for the first time, it requests the certificate from the server and saves it locally.
If the Network Agent has been installed on a client locally, the administrator can manually select an Administration Server certificate.
When the client connects to the server next time, the Network Agent will request the certificate from the Administration Server and compare it with the local certificate. If the certificates differ, access to the Administration Server is denied.
If the Administration Server initiates connection, the Network Agent verifies the server’s request for a UDP-enabled connection in a similar manner.
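The certificate checks of sections 2.4.2 and 2.4.3, modelled as an added Python example that is not code from Kaspersky Administration Kit. It contrasts the Network Agent rule (deny on any difference) with the Console rule (replace after the user confirms) and shows why a certificate selected by hand before the first connection matters. The server name, function names and certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional


def fingerprint(cert: bytes) -> str:
    """SHA-256 of the encoded certificate, for display when certificates differ."""
    return hashlib.sha256(cert).hexdigest()


class CertStore:
    """Local copies of Administration Server certificates, keyed by server name."""

    def __init__(self, preselected: Optional[Dict[str, bytes]] = None):
        # `preselected` models a certificate the administrator chose by hand
        # during a local Network Agent installation (section 2.4.3).
        self._certs: Dict[str, bytes] = dict(preselected or {})

    def get(self, server: str) -> Optional[bytes]:
        return self._certs.get(server)

    def save(self, server: str, cert: bytes) -> None:
        self._certs[server] = cert


def agent_connect(store: CertStore, server: str, presented: bytes) -> str:
    """Network Agent rule: save on first contact, afterwards deny on any difference."""
    saved = store.get(server)
    if saved is None:
        store.save(server, presented)
        return "saved-on-first-connection"
    return "ok" if hmac.compare_digest(saved, presented) else "denied"


def console_connect(store: CertStore, server: str, presented: bytes,
                    confirm: Callable[[str, str, str], bool]) -> str:
    """Console rule: on a difference, ask the user; a confirmed certificate replaces the saved one."""
    saved = store.get(server)
    if saved is None:
        store.save(server, presented)
        return "saved-on-first-connection"
    if hmac.compare_digest(saved, presented):
        return "ok"
    if confirm(server, fingerprint(saved), fingerprint(presented)):
        store.save(server, presented)
        return "replaced-after-confirmation"
    return "rejected"


# Constructed byte strings standing in for encoded certificates (not real certificates).
GENUINE = b"constructed-certificate-of-the-genuine-server"
OTHER = b"constructed-certificate-of-a-different-server"


def demo() -> Dict[str, List[str]]:
    results: Dict[str, List[str]] = {}

    # Agent with no saved certificate: whichever server answers first is trusted,
    # and the genuine server is then the one that gets denied.
    fresh = CertStore()
    results["agent_fresh"] = [agent_connect(fresh, "adminsrv", OTHER),
                              agent_connect(fresh, "adminsrv", GENUINE)]

    # Agent whose certificate was selected manually: protected from the first connection.
    pre = CertStore({"adminsrv": GENUINE})
    results["agent_preselected"] = [agent_connect(pre, "adminsrv", OTHER),
                                    agent_connect(pre, "adminsrv", GENUINE)]

    # Console: the outcome of a mismatch depends entirely on the user's answer.
    console = CertStore({"adminsrv": GENUINE})
    decline = lambda server, old_fp, new_fp: False
    accept = lambda server, old_fp, new_fp: True
    results["console"] = [console_connect(console, "adminsrv", OTHER, decline),
                          console_connect(console, "adminsrv", OTHER, accept),
                          console_connect(console, "adminsrv", GENUINE, decline)]
    return results


if __name__ == "__main__":
    for case, outcomes in demo().items():
        print(case, outcomes)
```

In this model the confirmation prompt is the only control on the Console side, so comparing the displayed fingerprint against the certificate in the server's Cert folder before confirming is the check that carries the weight.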
2.5. Identification of computers on the logical network
Client computers on the logical network are identified by their host names. A host name must be unique among other names connected to this Administration Server.
A host name is assigned by the Administration Server when a new computer is detected on the Windows network or when the Network Agent installed on a client connects to the Server for the first time after the installation. By default, the host name coincides with the name of this computer on the Windows network (NetBIOS name). If a host with this name already exists, the Server will assign to this host a name ending in a numeral, for example, Name-1, Name-2, etc. This host name will be used to identify the computer on the logical network.
The Administration Server refers to the client computers by their IP addresses. If a client has an installation of the Network Agent, the IP address of this client is automatically determined on the Server upon each connection of the client. If the Network Agent is not installed, or this client has not connected to the Administration Server yet (for example, if the Network Agent was locally installed), the Administration Server determines the IP address of this computer by its NetBIOS or DNS name.
2.6. Logical network administrators and operators
By default, only two groups of users, logical network administrators and logical network operators, have rights to administer applications through Kaspersky Administration Kit.
The Logical network administrator is a user who installs and configures the Kaspersky Administration Kit software package on network computers and manages Kaspersky Lab applications on remote computers on a logical network.
The logical network administrator has full control over all available functions of Kaspersky Administration Kit. He/she can:
Connect to the administration server
Create a logical network and add groups and client computers from the enterprise local network to the logical network
Install the Network Agent component on client computers
Create and install packages of Kaspersky Lab applications on client computers and manage their license keys
Update versions of applications installed on client computers
Create policies and assign tasks to groups and individual computers, modify application settings
Manage the applications installed on client computers of this logical network centrally and view reports by using services provided by the Administration Server, Network Agent and the Administration Console
Grant users and groups of users the rights to access the application’s functionality, both for the entire logical network and for separate administration groups.
The Logical network operator is a user who monitors the performance of the anti-virus protection system managed through Kaspersky Administration Kit.
The logical network operator has limited rights to the Kaspersky Administration Kit functionality. He/she can:
Connect to the administration server
View the logical network structure
View policy settings, current tasks, and application properties
Run and stop existing group and global tasks
Receive reports and notifications about events that occur across the logical network
The logical network administrator rights are granted to:
Domain administrators whose computers are incorporated into the logical network
Local administrators of computers running the Administration Server application
Users from the Kaspersky Lab Administrators group.
The logical network operator rights are granted to users from the KLOperators group.
The KLAdmins and KLOperators groups are created during the installation of the Administration Server component. The administrator can optionally create these groups either on the domain to which the administration server belongs or directly on the computer running the administration server. You can view the KLAdmins and KLOperators groups and make changes by using standard Windows administration tools (Local Users and Groups).
All operations initiated by logical network administrators inherit the rights of the administration server service account. A Kaspersky Lab Administrators group can be created for each administration server. This group will only have administrator rights within this logical network.
If several computers on the same domain are included in several logical networks, the administrator of this domain is the logical network administrator for all these logical networks. Only one Kaspersky Lab Administrators group can be created for these logical networks during the installation of the first administration server. New members can be added to this group by using standard Windows administration tools. All operations initiated by logical network administrators will inherit rights of the corresponding administration server.
The domain administrator configures and manages Kaspersky Lab applications only on the computers of this domain. If this logical network includes computers from various domains, do the following to grant the logical network administrator rights to a domain administrator:
Enable trust relationships between the domains
Add this administrator to the administrators group on every domain included in the logical network.
In Kaspersky Administration Kit, user rights are assigned in accordance with the Windows user authentication on the local network.
After the installation of the application, the logical network administrator can make any changes to the set of rights granted to the KLAdmins and KLOperators groups, and grant access rights to the functionality of Kaspersky Administration Kit to other users and groups of users registered at the computer where the Management Console was installed. Various access rights can be assigned for work in each administration group (see section 4.2, page 48).
2.7. Rolling out anti-virus protection over logical network
There are two common scenarios that show how you can roll out reliable anti-virus protection using Kaspersky Administration Kit:
You can remotely install Kaspersky Lab applications on client computers across the logical network from a single workstation. The installation and connection to the remote management system proceed automatically, requiring no interaction from the administrator. You can install the anti-virus software on any number of clients running the Windows operating system.
You can locally install Kaspersky Lab applications on every networked computer. In this case, all required components and the administrator workstation are manually installed. Connection settings are set during the installation of the Network Agent. This deployment scenario is recommended if centralized deployment is impossible.
2.8. Building a centralized management system
The first step to building a system of centralized management over an enterprise network through Kaspersky Administration Kit is to design a logical network. At this stage, you should make the following decisions:
1. What deployment scenario will you choose: remote installation or local installation? Your decision will depend on the presence of Windows domain structures on your corporate network.
2. What computers on your local network will function as an administration server, administrator workstations, and client computers? Note that all computers on which Kaspersky Lab applications are installed will act as client computers.
3. What criteria will be used to organize client computers in groups? What will be the group hierarchy?
In the next stage, the administrator has to build a logical network, i.e., install the following Kaspersky Administration Kit components on networked computers:
1. Install the Administration Server on a networked computer (see section 3.2 on page 35).
2. Install the Administration Console on a networked computer from which the administrator will manage Kaspersky Lab applications (see section 3.2 on page 35).
After this, you should create a logical network structure, define the hierarchy of administration groups, and assign computers to various groups.
In the next stage, you should install the Network Agent and selected Kaspersky Lab applications on client computers and install the corresponding Console Plug-ins on the administrator workstation (see Chapter 3 on page 33).
Finally, you should configure the installed applications by assigning and applying group policies (see section 4.7 on page 58) and creating tasks (see section 0 on page 59).
Using Initial Configuration Wizard, the administrator can easily build an anti-virus protection system for his/her network and briefly configure it (for the detailed description of the wizard, see 4.2 on page 48). Briefly configuring the anti-virus protection system means creating a logical network similar to the domain structure of the Windows network and rolling out the protection system based on Kaspersky Anti-Virus 5.0 for Windows Workstations.

2.9. Maintaining a logical network

After you have created a logical network and installed and configured antivirus applications, it is recommended that you regularly perform the following operations:
View reports on the results of application performance on client computers.
Check your mailbox and read alerts sent from client computers and the administration server to the administrator’s mailbox.
A complete list of notifications sent by the Kaspersky Anti-Virus applications is available in the documentation to these applications.
Remotely perform the required tasks on clients from the administrator workstation. For example, in case of a virus-related event on a client, you can disinfect files on the remote client from the administrator workstation.
Update the anti-virus database on client computers in a timely manner (see section 4.10 on page 62).
Update program modules installed on client computers in a timely manner (see section 4.10 on page 62).
Keep track of the space available on the server for storing submissions from clients and the availability of free memory on the server to process the submitted data.
Add new computers that appear on the local network to the logical network and install required anti-virus applications on them in a timely manner.
Regularly back up the administration system data (see 4.14 on page 67).
2.10. Coordinating joint operation of administrators
The system allows multiple administrators to work simultaneously with the same resources. The latest changes will overwrite previously saved settings. For this reason, joint work of multiple administrators must be coordinated to prevent misunderstanding.

2.11. User interface

From the administrator workstation, you can view, create, modify, and configure the logical network and manage all Kaspersky Lab applications installed on clients. The administration interface is provided by the Administration Console component, which is an administration plug-in integrated into the Microsoft Management Console (MMC). The Kaspersky Administration Kit interface complies with MMC standards.
In order to ensure local interaction with the client computers, the application includes the ability to establish a remote connection with the computer via the Management Console using the standard Connect to the remote desktop Microsoft Windows utility.

2.11.1. Main window

The program main window has a menu, a toolbar, a control panel, a view panel, a details panel and a task panel. The menu is used to manage files and dialog boxes and provides access to Help topics. Toolbar buttons provide quick access to most frequently used menu options. The view panel displays the hierarchical Kaspersky Administration Kit namespace as a console tree. The details panel shows details of the object selected in the console tree. The details panel provides quick access, by a hyperlink, to the main operations assigned to the console selected in the tree or in the object’s details panel.
Figure 1. Kaspersky Administration Kit main window

2.11.2. Console tree

The console tree displays logical networks created within a corporate network and properties of a local computer where the Administration Console is installed.
The Kaspersky Administration Kit namespace can have several nodes: the Kaspersky Administration Server (<Server Name>) nodes (one for each Administration Server) and the Local computer object.
Using the Local Computer object, you can locally administer Kaspersky Lab applications installed on the administrator workstation.
The Kaspersky Administration Server (<Server name>) node is a container that displays the structure and settings of the selected Administration Server. The Kaspersky Administration Server (<Server name>) KAV Server node has the following folders:
Protection status
Network
Groups
Updates
Remote install
Computers queries
Events
Tasks
Licenses
Quarantine
The Protection status folder provides information about the anti-virus protection state both on the client computers and in the computer network as a whole. This folder contains nested subfolders that structure the information as follows:
Network – information about computers that are not included in the logical network structures and the results of the current or the last polling of the computer network by the Administration server.
Administration groups – the status of the anti-virus protection on the client computers of the logical network.
Anti-virus protection – statistical information about the virus activities and the status of the real-time protection task on the client computers of the logical network.
Updates – the state of the anti-virus database used by the applications
After the installation of Kaspersky Administration Kit, the Unassigned item shows the hierarchy of the domain and work groups on your Windows network. The folders on each upper level display computers of this domain or workgroup that have not been assigned to the logical network. After a computer is assigned to a group, information about this computer is deleted from the Unassigned node. Conversely, when a computer is removed from the logical network, information about this computer again appears in the corresponding folder of the Unassigned node.
The hierarchy of the folders in the Network node and the distribution of computers in them can be presented based on the Active Directory structure or on the IP sub-networks created in the network. To do this, select View/Active Directory or View/IP sub-networks from the shortcut menu of the Network node.
If the Network node is presented as IP sub-networks, its structure can be created by the administrator by creating IP sub-networks and changing the settings of the existing sub-networks.
When you highlight a folder in the console tree, the following information about this folder is displayed in the details pane:
Name – Computer name in the logical network (NetBIOS name or IP address of the computer, depending on the presentation method)
Operating system type – type of the operating system installed on the client computer (Server/ Workstation).
Depending on the operating system type, an icon is displayed near the computer name: one icon indicates a server and another refers to a workstation.
Domain – Windows domain or workgroup to which the computer belongs
Last visible – Date when this computer was last identified by the server on the logical network
Last update – Date when the anti-virus database or application modules on this computer were last updated
Status – Current status of the computer (OK/ Warning/ Critical) based on criteria set by Administrator.
Last info update – Date when information about this computer was last updated
DNS domain – The DNS domain to which this computer belongs
DNS name – DNS computer name
IP – IP address of the computer
Connection to the server – IP address of the connection of the client computer to the Administration server.
The Network folder displays the contents of the Network group. The Administration server creates and updates the data in the Network group. The server regularly requests data about new computers added to the Windows network and those removed from the network. Based on this information, the server then refreshes the Network group and the Network folder. New computers that appear on the network are automatically included in a specified folder in the Network group or in the specified group of the logical network. Polling of the computers included in the Network group and in any nested subgroup can be disabled.
The Groups node is used to store, display, configure, and change the logical network structure, group policies, and group tasks.
Root objects in the Groups folder correspond to the highest level of the logical network hierarchy. The Servers, Policies and Tasks folders are mandatory for each group item. These folders are used to operate Administration servers, policies and tasks of the upper hierarchical level.
After the installation of Kaspersky Administration Kit, the Groups folder stores no items and the Servers, Policies and Tasks folders are empty. The administrator