Kaspersky Lab Whiteboard Accessories 6 User Manual

KASPERSKY LAB
Kaspersky® Administration Kit version 6.0
Administrator’s manual
© Kaspersky Lab
Visit our website: http://www.kaspersky.com/
Revision date: September, 2006
Contents
CHAPTER 1. KASPERSKY ADMINISTRATION KIT
1.1. About Kaspersky Administration Kit
1.2. Hardware and software requirements
1.3. Distribution kit
1.4. Help desk for registered users
1.5. The purpose of the document
1.6. Conventions
CHAPTER 2. UNDERSTANDING KASPERSKY ADMINISTRATION KIT
2.1. Logical network
2.1.1. Logical network. Administration Server
2.1.2. Hierarchy of the Administration servers
2.1.3. Client computer. Group
2.1.4. Administrator's workstations
2.1.5. Application administration plug-in
2.1.6. Policies, settings, and tasks
2.1.7. Relationship between the policies and the local application settings
2.2. Connecting clients to the Administration server
2.3. Secure connection to the Administration Server
2.3.1. Administration Server certificate
2.3.2. Administration Server authentication (when the Administration Console connects to the server)
2.3.3. Administration Server authentication when establishing connection with a client
2.4. Identification of computers on the logical network
2.5. Logical network access rights
2.6. Deployment of anti-virus protection over logical network computers
2.7. Building a centralized anti-virus protection administration system
2.8. Maintaining a logical network
2.9. Coordinating joint operation of administrators
2.10. User interface
2.10.1. Launching the application
2.10.2. Main window
2.10.3. Console tree
2.10.4. Shortcut menu
CHAPTER 3. USING THE APPLICATION
3.1. Connecting to the administration server
3.2. Granting rights
3.3. Viewing information about the computer network IP subnetworks
3.4. Quick Start Wizard
3.5. Viewing, creating, and configuring a logical network
3.5.1. Groups
3.5.2. Client computers
3.5.3. Slave Administration servers
CHAPTER 4. REMOTE POLICY MANAGEMENT
4.1. Configuring the application settings
4.1.1. Managing policies
4.1.2. Local application settings
4.2. Managing the application
CHAPTER 5. UPDATING THE ANTI-VIRUS DATABASE AND PROGRAM MODULES
5.1. Receiving updates by the Administration server
5.2. Distribution of updates to the client computers
5.2.1. Updates using the application tools
5.2.2. Automatic distribution of the updates by the Administration server
5.3. Updating of the slave Servers and their client computers
5.4. Updates distribution using the updating agents
CHAPTER 6. MAINTENANCE
6.1. Renewing your license
6.2. Quarantine and backup storage
6.3. Event logs. Event filters
6.4. Reports
6.5. Finding computers
6.6. Computers filters
6.7. Virus outbreaks monitoring
6.8. Backup copying and restoration of the Administration server data
APPENDIX A. GLOSSARY
APPENDIX B. KASPERSKY LAB
B.1. Other Kaspersky Lab Products
B.2. Contact Us
APPENDIX C. LICENSE AGREEMENT
CHAPTER 1. KASPERSKY ADMINISTRATION KIT
1.1. About Kaspersky Administration Kit
Kaspersky® Administration Kit is designed for centralized performance of key administrative tasks. It gives you complete control over your enterprise antivirus policy, built on the Kaspersky Anti-Virus Business Optimal and Kaspersky Anti-Virus Corporate Suite applications. Kaspersky Administration Kit supports all network configurations that use the TCP/IP protocol.
Kaspersky Administration Kit is a tool for corporate network administrators and anti-virus security officers.
The application enables administrators to:
Deploy and remotely remove Kaspersky Lab applications on and from the network computers. You can create a custom set of Kaspersky Lab applications on a dedicated computer and then install these multiple applications at once on any number of networked computers.
Efficiently manage license keys. With Kaspersky Administration Kit, you can centrally install license keys for all Kaspersky Lab applications, monitor the correspondence between the numbers of licenses and Kaspersky Lab applications installed across your network, and track license expiration dates.
Remotely manage Kaspersky Lab applications from a single location. With Kaspersky Administration Kit, you can build a multitiered anti-virus protection system managed from one single administrator’s workstation. This is particularly important for enterprises with a multilayer local network spread over remote offices. This feature enables the administrators to:
Create administration groups of computers with similar functions and applications;
Configure application settings simultaneously by applying group policies;
Tailor installations to fit the requirements for individual computers by using application settings;
Manage multiple applications by assigning group and global tasks;
Schedule tasks for applications installed on computers from different administration groups.
Automatically update the anti-virus database. You can centrally update the anti-virus database for all applications without having each computer directly connect to Kaspersky Lab update servers. You can schedule updating to run automatically at a specified time to constantly keep your protection current and monitor the update process on client computers.
Gather reports from all installations. Using the enhanced reporting capabilities of Kaspersky Administration Kit, you can collect statistics about the operation of all installations and create reports based on the most recent statistics. The program allows you to create a cumulative network report for a single Kaspersky Lab application (application-specific reports) or a report about all Kaspersky Lab applications installed on an individual computer (computer-specific report).
Use the mechanism of notifications about specific events in the application's operation. You can specify a set of events which require notification. Such events that may occur during application performance could be, for example, detection of a virus, failure to update, or a new computer appearing on the network.
Kaspersky Administration Kit has three main components:
Administration Server is a centralized storage of information about Kaspersky Lab applications installed on the local company network and a tool for efficiently managing them.
Network Agent coordinates the Administration Server and the Kaspersky Lab applications installed on a particular network node (a workstation or a server). This component supports all applications included in Kaspersky Anti-Virus Business Optimal and Kaspersky Anti-Virus Corporate Suite.
Administration Console, a user interface for Server and Agent Administration services, plugs into the Microsoft Management Console (MMC).
1.2. Hardware and software requirements
Administration Server
Software requirements:
Microsoft Data Access Components (MDAC) version 2.8 and above
MSDE 2000 SP 3 [1] or MS SQL Server 2000 SP 3 or higher, or MySQL version 5.0.22 (default code page UTF-8), or MS SQL 2005 or higher, or MS SQL 2005 Express and higher
Microsoft Windows 2000 SP 1 or higher; Microsoft Windows XP Professional SP 1 or higher; Microsoft Windows XP Professional x64 and higher; Microsoft Windows Server 2003 or higher; Microsoft Windows Server 2003 x64 or higher; Microsoft Windows NT4 SP 6a or higher, MDAC 2.8 or higher
[1] You can install MSDE from the distribution package included in the Kaspersky Administration Kit distribution kit.
Hardware requirements:
Intel Pentium III processor, 800 MHz or faster
128 MB RAM
400 MB available space on hard drive
Administration Console
Software requirements:
Microsoft Windows 2000 SP 1 or higher; Microsoft Windows NT4 SP 6a or higher; Microsoft Windows XP Professional SP 1 or higher; Microsoft Windows XP Home Edition SP1 or higher; Microsoft Windows XP Professional x64 or higher; Microsoft Windows Server 2003 or higher; Microsoft Windows Server 2003 x64 and above
Microsoft Management Console version 1.2 or higher
Hardware requirements:
Intel Pentium II processor, 400 MHz or faster
At least 64 MB RAM
10 MB of available hard drive space
Network Agent
Software requirements:
Microsoft Windows 98; Microsoft Windows ME; Microsoft Windows 2000 SP 1 or higher; Microsoft Windows NT4 SP 6a or higher; Microsoft Windows XP Professional SP 1 or higher; Microsoft Windows XP Professional x64 or higher; Microsoft Windows Server 2003 or higher; Microsoft Windows Server 2003 x64 or higher
Hardware requirements:
Intel Pentium processor, 233 MHz or faster
32 MB RAM
10 MB available space on hard drive

1.3. Distribution kit

This software product is supplied free of charge with any Kaspersky Lab application included in the Kaspersky Anti-Virus Business Optimal and Kaspersky Corporate Suite packages (retail box version), and is also available for download from Kaspersky Lab's corporate website at www.kaspersky.com.

1.4. Help desk for registered users

Kaspersky Lab offers a large service package, enabling its legal users to enjoy all available features of Kaspersky Lab's products.
Once you purchase a license for any Kaspersky Lab product included in Kaspersky Anti-Virus Business Optimal or Kaspersky Corporate Suite, you become a registered user of Kaspersky Administration Kit. After this you will receive the following services during the term of your license:
New versions of the anti-virus software application provided free of charge;
Consultations on matters related to the installation, configuration, and operation of the anti-virus application, by phone, by e-mail, or based on requests sent using a web form;
When sending a request to the Technical support service, make sure you specify information about the license for the Kaspersky Lab application used in conjunction with Kaspersky Administration Kit.
Information about new Kaspersky Lab applications and about new computer viruses (for those who subscribe to the Kaspersky Lab newsletter).
Kaspersky Lab does not provide information related to operation and use of your operating system or various other technologies.

1.5. The purpose of the document

This Guide describes the purpose, general concepts, functions and general operation schemes of the Kaspersky Administration Kit application. A step-by-step description of actions is provided in the Kaspersky Administration Kit Reference Book. Functions described in this book are underlined.
To review the questions that our users often ask Kaspersky Lab's support specialists, visit our website and follow the Services → Knowledge base link. This section contains information about installation, configuration and functioning of Kaspersky Lab's applications, and about removal of the most commonly spread viruses and disinfection of infected files.

1.6. Conventions

Various formatting features and icons are used throughout this document depending on the purpose and the meaning of the text. The table below lists the conventions used in the text.
Convention | Meaning
Bold font | Menu titles, commands, window titles, dialog elements, etc.
Note | Additional information, notes.
Attention | Critical information.
To perform an action: 1. Step 1. 2. … | Description of the successive user's steps and possible actions
[key] – modifier name | Command line modifier
Information messages and command line text | Text of configuration files, information messages and command line
CHAPTER 2. UNDERSTANDING KASPERSKY ADMINISTRATION KIT
2.1. Logical network
2.1.1. Logical network. Administration Server.

Logical network is a hierarchical structure of administration groups consisting of client computers. Kaspersky Lab applications installed on client computers are managed through Kaspersky Administration Kit.
Administration Server is a computer on which the Administration Server component is installed.
The Administration server is installed as a service on a computer with the following attributes:
having name Kaspersky Administration Server;
with the automatic startup at the operating system startup;
with profile Local system or user's profile depending on the selection made during the component's installation.
The functions of the Administration Server (or, more precisely, of the administration server application installed on this computer) are as follows:
Store information about the logical network structure (network configuration);
Store backup copies of the configuration information of the computers in the logical network;
Store distribution files for Kaspersky Lab applications;
Remotely install and uninstall applications on the computers;
Update anti-virus database and program modules;
Manage policies and tasks on the computers in the logical network;
Store information about events occurred on the computers in the logical network;
Generate reports on application performance across the logical network;
Distribute license keys across the computers in the logical network, store information about license keys;
Send alerts from tasks running on the computers in the logical network. You can be notified, for example, about detection of a virus on a client computer.
2.1.2. Hierarchy of the Administration servers
The Administration servers may form a hierarchy of the "main server - slave server" type. Each Administration server may have several slave servers, either on one level of the hierarchy or on nested hierarchical levels. In this case the structure of the logical network of the main server will include the logical networks of all slave servers. This way, individual sections of the computer network that are independent of each other can be managed by different Administration servers that, in turn, will be controlled by the main server (for details, see section 3.5.1 on page 40).
The ability to create a hierarchy of servers may be used:
to restrict the load on the Administration server (compared with one server installed in the network);
to decrease the traffic within the network and simplify the interaction with remote offices. There is no necessity to establish connection between the main server and all computers of the network that may be located, for example, in other regions. It is sufficient to install a slave Administration server in each segment of the network, distribute the computers in the logical networks of the slave servers and ensure connection between the slave servers and the main server using fast communication channels;
to ensure a more distinct division of responsibility between the anti-virus security administrators. All features of centralized control and monitoring of the corporate network anti-virus security status will be preserved.
Each computer included into the logical network structure can be connected only to one Administration server.
The administrator must verify that computers are correctly connected to the Administration servers, using the find computer by network attributes function to search for computers in the logical networks of various servers.

2.1.3. Client computer. Group

The Network agent ensures the following interaction between the Administration server and the computers:
delivery of information about the current status of the applications;
sending and receiving of control commands;
synchronization of the configuration information;
sending information about events in the applications' operation to the Server;
functioning of the updating agent.
This component must be installed on all computers where the Kaspersky Lab applications are controlled using Kaspersky Administration Kit.
The Network agent is installed on the computer as a service with a set of attributes as follows:
with name Kaspersky Network Agent;
with automatic start at the operating system startup;
with the Local system profile.
A computer, server or workstation on which the Network agent and the monitored Kaspersky Lab's applications are installed will be called the Server administration client (or simply the client computer).
Depending on the organizational or territorial structure of the company, the functions performed and the set of Kaspersky Lab applications installed, client computers may be organized in administration groups. This arrangement makes it convenient to manage the computers in a group as a single entity. When arranging computers in groups, any combination of the specified principles and other attributes may be used at the administrator's discretion. For example, the top level can be comprised of groups corresponding to the departments. On the next level, within each department, computers will be grouped depending on the function they perform: one group of computers may include all workstations, another all file servers, etc.
A group is a set of client computers combined by some attribute in order to control a group of computers as a single entity. All client computers in a group share:
common parameters of the application's operation, by using group policies;
a common application operation mode, by creating group tasks (application functions) with a specified set of parameters (for example, creation and installation of a single installation package, updating of the anti-virus database and application modules, on-demand computer scan and real-time protection).
A client computer may be included into one group only.
The administrator may create a hierarchy of servers and groups using any number of nested levels if this simplifies his application administration tasks. Slave Administration servers, groups and client computers may be located on the same hierarchical level.

2.1.4. Administrator's workstations

Corporate network computers running the administration console are referred to as administrator workstations. From these workstations, administrators can remotely manage all Kaspersky Anti-Virus components installed across the logical network.
After the installation of the Administration Console an icon for this application will appear in menu Start/Programs/Kaspersky Administration Kit.
The administrator workstation is not a logical network object. However, administrator workstations can be added to the logical network as client computers. The number of administrator workstations is potentially unlimited. Administrator workstations from different logical networks can coincide – any logical network can be administered from any administrator workstation available on your local network.
On a logical network, the same computer can act as a client computer, an administration server, and an administrator workstation.

2.1.5. Application administration plug-in

Network Agent Console Plug-in, a special component providing the management interface for specific applications via the Administration Console, is included in all Kaspersky Lab applications managed through Kaspersky Administration Kit. Each application has its own plug-ins installed on the administrator workstation. The plug-ins provide:
Dialog boxes for creating and editing application policies
Dialog boxes for creating and editing application settings
Dialog boxes for configuring task settings
Information about tasks performed by an application
Information about events generated by an application
Information about events and statistics for each client computer sent to the administration console.

2.1.6. Policies, settings, and tasks

A task is an action performed by a Kaspersky Lab application. There are several types of tasks, depending on task functions. Each task corresponds to specific application settings.
Each task has a set of application operating parameters assigned to it and applied during its execution. The set of application parameters common to all types of tasks forms the application settings. Application operation parameters specific to each type of task form the task settings. The application settings and task settings do not overlap.
For more information about task types, refer to the documentation for Kaspersky Lab applications.
To have an application perform an action, you should configure the application settings, create and configure a corresponding task, and run it.
Application settings defined for each individual client computer via a local interface or remotely via an Administration console will be called the local application settings.
Centralized configuration of the operation settings of applications installed on the client computers in the logical network is performed by defining policies.
A policy is a set of parameters of an application in a group. A policy includes settings for complete configuration of all functions of the application, excluding settings specific to individual tasks. Schedule settings are an example of such task-specific settings.
Therefore a policy includes the following settings:
common settings for all types of tasks - application settings;
common settings for all individual tasks of each type – most task settings.
This means that the policy for the anti-virus application (see Figure 1) that includes the real-time protection and on-demand scan tasks, contains all required settings of the application's configuration for execution of both types of tasks, but does not contain, for example, the schedule for execution of these tasks or settings that define the scan scope.
Figure 1. Policy
Each setting in a policy has an attribute, a "lock", that indicates whether changing this setting is allowed in the nested policies at lower hierarchical levels (for nested groups and slave Administration servers), in the task settings and in the local application settings. If there is a "lock" attached to a setting, you will not be able to redefine its value (see section 2.1.6 on page 14).
In a group each application will have its own policy defined for it. Several policies with different setting values may be defined for one application. However, each application may only have one active policy.
An inactive policy can be activated based on an event, which makes it possible, for instance, to establish stricter anti-virus protection settings during virus outbreaks.
You can also create policies for mobile users. Such policy will be applied when the computer is disconnected from the corporate logical network.
For different groups the application's operating settings may be different. In each group a separate policy for an application may be created.
Nested groups and slave Administration servers inherit policies of groups of higher level in the hierarchy.
Creation and configuration of tasks across a logical network is centralized. A task assigned to an administration group is a group task; a task assigned to an individual client computer is referred to as a local task; and that assigned to multiple client computers from different groups on the logical network is a global task.
A group task can be assigned to a group even if the application is only installed on some of the client computers in this group. In this case, the group task will be executed only on the computers that have this application installed.
Nested groups and slave Administration servers inherit tasks from their parent groups. A task defined for a group will be shared not only by all client computers from this group but also by client computers of all nested groups at the lower levels and by slave Servers on all subsequent levels of the hierarchy.
The tasks assigned locally to a particular client computer will only be executed on this computer. Local tasks will be added to the list of current tasks for this client computer during synchronization of this client with the administration server.
Because all application settings are governed by the policy, you can only redefine settings that have been defined as modifiable by this policy or settings specific to a particular task. For example, for an on-demand scan of a drive, you should specify the disk name, file masks, etc.
You can schedule tasks to start automatically or run them on demand. Task performance results are saved on the administration server. The administrator can be notified of task results or can view detailed reports.
Information about policies, application settings, tasks, and task settings is stored on the server and distributed to the client computers during synchronization. From clients, the administration server receives data about local changes not restricted by the policy, applications running on client computers, their status, and assigned tasks.
2.1.7. Relationship between the policies and the local application settings
Using policies, you can set the same values for the application's operating settings on all computers included in a group.
Values of the settings set by a policy can be redefined for individual computers in a group using the local application settings. However, you can set values only for those settings that the policy does not prohibit changing, that is, settings that are not "locked".
Which value will be used on the client computer (see Figure 2) is determined by whether the setting is "locked" by the policy:
if any changes to a setting are prohibited, all client computers will use the same value specified in the policy;
if changes to a setting are allowed, then each client computer uses a local value of the setting rather than the value specified in the policy. In this case the value of the setting can be changed via the local application settings.
Thus, when a task is being executed on a client computer, the application will use values determined by:
task settings and local application settings, if the policy did not prohibit changes to this setting;
a group policy, if the policy prohibited changes to this setting.
Figure 2. Policy and local application settings
18 Kaspersky Administration Kit
How the local application settings will change after the first time the policy is applied, will be determined in the application policy. If the Change optional application settings after the policy is first enforced box (see Figure 12):
is unchecked, then the settings that are not allowed to be edited will be changed after the policy has been enforced; after the policy has been removed the original values of these settings will not be restored.
The values of the settings that are allowed to be edited will not be modified after the policy has been enforced. Settings can be modified using the local application settings. After the policy has been removed, the setting values will not be changed (that is, the original values will not be restored).
is checked, then the settings that are not allowed to be edited will be changed after the policy has been enforced; after the policy has been removed the original values of these settings will not be restored.
The values of the settings that are allowed to be edited will be changed after the policy has been enforced. Settings can be modified using the local application settings. After the policy has been removed, the setting values will not be changed (that is, the original values will not be restored).
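The rules above, modelled as an added example (not code from Kaspersky Administration Kit). The class names, the setting names and their values are constructed for illustration; the model covers locking, the first-enforcement checkbox and the fact that removing a policy does not restore earlier values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    values: dict                    # setting name -> value defined by the policy
    locked: set                     # settings whose changes the policy prohibits
    change_optional: bool = False   # the "Change optional application settings
                                    # after the policy is first enforced" box


@dataclass
class Client:
    local: dict                     # local application settings
    policy: Optional[Policy] = None

    def enforce(self, policy: Policy) -> None:
        """First enforcement: locked settings are always overwritten locally,
        editable ones only when the box is checked."""
        for name, value in policy.values.items():
            if name in policy.locked or policy.change_optional:
                self.local[name] = value
        self.policy = policy

    def set_local(self, name: str, value) -> None:
        """Edit through the local application settings; refused when locked."""
        if self.policy is not None and name in self.policy.locked:
            raise PermissionError(f"{name!r} is locked by the group policy")
        self.local[name] = value

    def effective(self, name: str):
        """Value the application uses when a task runs on the client."""
        if self.policy is not None and name in self.policy.locked:
            return self.policy.values[name]
        return self.local[name]

    def remove_policy(self) -> None:
        """Removal leaves the current values in place; nothing is restored."""
        self.policy = None


def run_scenario(change_optional: bool) -> dict:
    """Walk one client through enforce -> local edits -> policy removal."""
    policy = Policy(values={"scan_archives": True, "heuristics": "deep"},
                    locked={"scan_archives"}, change_optional=change_optional)
    client = Client(local={"scan_archives": False, "heuristics": "light"})
    client.enforce(policy)
    after_enforce = dict(client.local)
    try:
        client.set_local("scan_archives", False)   # locked: must be refused
        lock_held = False
    except PermissionError:
        lock_held = True
    client.set_local("heuristics", "medium")       # editable: allowed
    effective = {name: client.effective(name) for name in policy.values}
    client.remove_policy()
    return {"after_enforce": after_enforce, "lock_held": lock_held,
            "effective": effective, "after_removal": dict(client.local)}


if __name__ == "__main__":
    for box in (False, True):
        print("box checked:", box, run_scenario(box))
```

In both scenarios the locked value written by the policy is still present after the policy is removed, which is the state to expect when auditing a client that has left a group.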
2.2. Connecting clients to the Administration server
To enable communication between the clients and the administration server, the client computers must be connected to the server (see section 2.1 on page 11). The Network Agent installed on clients provides this functionality.
The following operations require connection to the server:
Refreshing the list of applications installed on client computers
Synchronization of policies, application settings, tasks, and task settings
Updating the information on applications and tasks running on client computers
Delivery of events to be processed on the server
In most cases, client computers are connected to the server. This connection is used to automatically exchange data between the clients and the server and to send information about application events to the server.
Automatic synchronization is performed at regular time intervals defined by the Network Agent settings (for example, once every fifteen minutes). The time interval is set by the administrator.
Information about an event is sent to the server immediately after the event occurs.
In the client settings, you can check or uncheck the Keep connection checkbox to keep or terminate the client–server connection after the above operations are over. A permanent connection is preferred if connecting to a client is impaired for some reason (the client is behind a firewall, client ports cannot be opened, the client IP address is unknown, etc.) or if you need to constantly monitor the performance of Kaspersky Lab applications.
The administrator can force synchronization to start by clicking the Force synchronization command on the shortcut menu of the client computer (see section 2.10.4 on page 29). In this case, the connection is initiated by the server. To enable connection, the UDP port is opened on the client computer. The server sends a connection query to the client’s UDP port. In response, the server rights to connect to the client are verified (based on a digital signature), and, if the signature is valid, the connection is established.
A second type of connection is also used to retrieve data from client computers – update the lists of applications and tasks running on the client and refresh application statistics.
2.3. Secure connection to the Administration Server
Data exchange between clients and the Administration Server and connections of the console to the Administration Server are secured by the SSL protocol (Secure Socket Layer). The SSL protocol is responsible for authentication of the communicating parties, encryption of the data being transferred and preventing modification of data during the transfer. Data integrity ensures that the data has not been corrupted or altered in transit. An SSL-enabled connection involves authentication of both sides of a network communication session and encryption of data using the open key (public-key) method.
2.3.1. Administration Server certificate

The Administration Server certificate is used to authenticate the Administration Server when the Administration Console connects to it and when a connection with client computers is being established or data is being transferred from them.

The Administration Server certificate is created during the installation of the Administration Server. The certificate is stored on the Administration Server, in the Cert folder in the installation directory.
The Administration Server certificate can be created only once, during server installation. To restore the certificate, you must reinstall the Administration Server and restore the lost data from the Backup (about backup options, see 6.5 on page 77).
2.3.2. Administration Server authentication (when the Administration Console connects to the server)
When the Administration Console connects to the Administration Server for the first time, it requests the certificate from the server and saves it locally, on the administrator workstation. Upon subsequent connections of the Console to the server with this name, the server will be authenticated using this certificate.
If the server does not pass authentication (i.e., the current certificate differs from that stored on the administrator workstation), the Console informs the user about this and requests the Server for a new certificate. If the connection is successful and another certificate is received, the Administration Console will save the new certificate to the hard disk so that it can be used to authenticate the server in future sessions.
2.3.3. Administration Server authentication when establishing connection with a client
When a client connects to the Administration Server for the first time, it requests the certificate from the server and saves it locally.
If the Network Agent has been installed on a client locally, the administrator can manually select an Administration Server certificate.
When the client connects to the server next time, the Network Agent will request the certificate from the Administration Server and compare it with the local certificate. If the certificates differ, access to the Administration Server is denied.
If the Administration Server initiates connection, the Network Agent verifies the server’s request for a UDP-enabled connection in a similar manner.
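The two certificate checks described in sections 2.3.2 and 2.3.3, as an added example (not code from Kaspersky Administration Kit). Comparing SHA-256 fingerprints, the JSON pin file, the audit record and the server name adminsrv are assumptions; the manual does not say how the certificates are compared or stored.

```python
import hashlib
import json
import os
import tempfile

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# On a live TLS socket the bytes would come from getpeercert(binary_form=True).
CERT_A = b"constructed-DER-bytes-of-the-original-server-certificate"
CERT_B = b"constructed-DER-bytes-of-a-different-certificate"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes (assumed comparison method)."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Server name -> fingerprint saved on first connection, kept in a JSON file."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def save(self, server: str, fp: str) -> None:
        self.pins[server] = fp
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh)
        os.replace(tmp, self.path)      # atomic swap, no half-written pin file


def agent_check(store: PinStore, server: str, cert_der: bytes) -> str:
    """Network Agent rule (2.3.3): save on first contact, deny on any difference."""
    presented, pinned = fingerprint(cert_der), store.pins.get(server)
    if pinned is None:
        store.save(server, presented)
        return "pinned"
    return "ok" if presented == pinned else "denied"


def console_check(store: PinStore, server: str, cert_der: bytes, audit: list) -> str:
    """Console rule (2.3.2): on a difference inform the user, then save the new
    certificate. The audit record is an addition so the change leaves a trace."""
    presented, pinned = fingerprint(cert_der), store.pins.get(server)
    if pinned is None:
        store.save(server, presented)
        return "pinned"
    if presented == pinned:
        return "ok"
    audit.append({"server": server, "old": pinned, "new": presented})
    store.save(server, presented)
    return "replaced"


def demo():
    """Run both rules against the same sequence of presented certificates."""
    audit = []
    with tempfile.TemporaryDirectory() as d:
        agent = PinStore(os.path.join(d, "agent_pins.json"))
        console = PinStore(os.path.join(d, "console_pins.json"))
        results = [
            agent_check(agent, "adminsrv", CERT_A),
            agent_check(agent, "adminsrv", CERT_A),
            agent_check(agent, "adminsrv", CERT_B),
            console_check(console, "adminsrv", CERT_A, audit),
            console_check(console, "adminsrv", CERT_B, audit),
            console_check(console, "adminsrv", CERT_B, audit),
        ]
        # Reload from disk: the agent's pin must still be the first certificate.
        agent_pin_unchanged = PinStore(agent.path).pins["adminsrv"] == fingerprint(CERT_A)
    return results, audit, agent_pin_unchanged


if __name__ == "__main__":
    print(demo())
```

The agent keeps its original pin after a mismatch, while the console replaces it, so the audit entry is the only lasting record that the console's trusted certificate changed.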
2.4. Identification of computers on the logical network
Client computers on the logical network are identified by their host names. A host name must be unique among the names of the computers connected to this Administration Server.
The name of the client computer is transferred to the Administration Server when a new computer is detected on the Windows network or when the Network Agent installed on a client connects to the Server for the first time after the installation. By default, the host name coincides with the name of this computer on the Windows network (NetBIOS name). If a host with this name already exists, the Server will assign to this host a name ending in a numeral, for example, Name-1, Name-2, etc. This host name will be used to identify the computer on the logical network.
The Administration Server refers to the client computers by their IP addresses. If a client has an installation of the Network Agent, the IP address of this client is automatically transferred to the Server upon each connection of the client. If the Network Agent is not installed, or this client has not connected to the Administration Server yet (for example, if the Network Agent was locally installed), the Administration Server determines the IP address of this computer by its NetBIOS or DNS name.

2.5. Logical network access rights

Kaspersky Administration Kit provides for the following types of authorization for the access to the application's functionality:
Reading:
connecting to the Administration Server;
viewing the structure of the logical network (or administration group);
viewing the values of the application's policies, tasks, and settings.
Execution: launching and stopping the existing group or global tasks; receiving reports about the applications installed on the client computers.
Writing:
creating a logical network, adding groups and client computers to this logical network (or to an administration group);
installation of the Network Agent component to the client computer;
creating required installation packages for the Kaspersky Lab's anti-virus applications and installing them (along with license keys to such applications) on the client computers;
updating the version of applications installed on the client computers;
creating policies, tasks for groups and individual computers, configuring application settings;
centralized administration of applications using services provided by the Administration Server, the Network Agent and the Administration Console components;
granting to users and groups of users access rights to access the functionality of Kaspersky Administration Kit.
After installation of the Administration server, users included into groups KLAdmins and KLOperators will be by default granted rights to connect to the Server and to work with the logical network.
Group data will be created during the installation of the Administration server component irrespective of the account selected to launch the Administration server service:
in the domain that includes the Administration server and on the Administration server computer, if the Administration server is launched under an account of a user included into this domain;
only on the Administration server computer if this Server is launched under the system account.
Group KLAdmins will be granted all rights: Reading, Execution, Writing. Group KLOperators will be granted rights Reading. The set of rights granted to KLAdmins cannot be modified.
Users included into group KLAdmins will be called logical network administrators, users included into group KLOperators – logical network operators.
Groups KLAdmins and KLOperators can be viewed and required changes can be made using standard Windows OS administration tools – Administration / Local users and groups.
In addition to users included into group KLAdmins the logical network administrator's rights will be granted to:
domain administrators, computers of which are included into the structure of this logical network;
local administrators of computers on which the Administration server is installed.
All operations initiated by the logical network administrators will be performed with the rights of the Administration server account. For each Administration server a KLAdmins group of its own can be created that will have rights applied within this particular logical network only.
If computers related to one domain create several logical networks, the domain administrator will be the administrator of each logical network formed this way. In this case these logical networks will share the same KLAdmins group, which is created during the installation of the first Administration server. New members can be added to this group using the operating system's administration tools. Operations initiated by the logical network administrators will be performed with the rights of the corresponding Administration server.
The rights of users in Kaspersky Administration Kit application are determined based on the user Windows authentication in the network.
After the installation of the application, the logical network administrator can (see section 3.2 on page 34):
change rights granted to groups KLOperators;
grant rights to access the functionality of Kaspersky Administration Kit application to other groups of users and to individual users registered on the computer on which the Administration Console is installed;
grant various access rights for working with each administration group.
2.6. Deployment of anti-virus protection over logical network computers
There are two common scenarios that show how you can roll out reliable anti-virus protection using Kaspersky Administration Kit:
You can remotely install applications on client computers across the logical network from a single workstation. The installation and connection to the remote management system proceed automatically, requiring no interaction from the administrator and allowing the anti-virus software to be installed on any number of client computers.
You can locally install applications on every networked computer. In this case, all required components and the administrator workstation are manually installed. Connection settings are set during the installation of the Network Agent. This deployment scenario is used only if centralized deployment is impossible.
Remote installation can be used for installation of any applications selected by the user.
However, bear in mind that Kaspersky Administration Kit supports administration of only those Kaspersky Lab applications whose distribution package includes a specialized component, the application administration plug-in.
2.7. Building a centralized anti-virus protection administration system
The first step to building a system of centralized management over an enterprise network through Kaspersky Administration Kit is to design a logical network. At this stage, you should make the following decisions:
Select isolated sections within the network and determine the number of Administration servers that must be installed. It is recommended to ensure interaction between the main and the slave Administration servers using fast communication channels that will allow to considerably decrease the load on the communication channels and increase the system reliability.
Which computers in the corporate network structure will function as the main Administration server, the slave servers, administrator workstations, and client computers? Note that all computers on which Kaspersky Lab applications are installed will act as client computers.
What criteria will be used to organize client computers in groups? What will be the group hierarchy?
What deployment scenario will be used: remote or local installation?
In the next stage, the administrator has to build a logical network, i.e., install the following Kaspersky Administration Kit components on networked computers:
Install the Administration Server on computers within the corporate network.
Install the Administration Console on computers from which the administration will be provided.
Make a decision regarding the assignment of the logical network administrators, determine which other user categories will interact with the system and assign a list of functions to be performed to each category.
Create lists of users and grant to each group the access rights required to perform the functions assigned to this group.
After this, it is required to create a hierarchy of the Administration servers and for each Server create a logical network structure as follows: create a hierarchy of the administration groups and distribute computers among the corresponding groups.
In the next stage, you should install the Network Agent and selected Kaspersky Lab applications on client computers and install the corresponding Console Plug-ins on the administrator workstation.
If you use the remote installation option, the Network Agent may be installed together with any application; in this case no separate installation of the Network Agent is required.
Finally, you should configure the installed applications by assigning and applying group policies (see Chapter 4 on page 47) and creating tasks (see section 4.1.2 on page 51).
Using Initial Configuration Wizard, the administrator can easily build an anti-virus protection system for his/her network and briefly configure it (for the detailed description of the wizard, see 3.2 on page 34). Briefly configuring the anti-virus protection system means creating a logical network identical to the domain structure of the Windows network and rolling out the protection system based on Versions 5.0 and 6.0 of Kaspersky Anti-Virus 5.0 for Windows Workstations.

2.8. Maintaining a logical network

After you have created a logical network and installed and configured antivirus applications, it is recommended that you regularly perform the following operations:
View reports on the results of application performance on client computers.
Read alerts sent from client computers and the administration server to the administrator’s mailbox.
A complete list of notifications sent by the Kaspersky Anti-Virus applications is available in the documentation to these applications.
If a situation on one of the client computers requires the administrator's intervention, he or she can act from his or her own workstation, for example, disinfect infected files on this computer.
Update the anti-virus database on client computers (see Chapter 5 on page 59) and the software modules of applications installed on client computers (see Chapter 5 on page 59) in a timely manner.
Keep track of the space available on the server for storing submissions from clients and the availability of free memory on the server to process the submitted data.
Add new computers that appear on the local network to the logical network and install required anti-virus applications on them in a timely manner.
Regularly back up the administration system data (see 6.5 on page 77).
2.9. Coordinating joint operation of administrators
The system allows multiple administrators to work simultaneously with the same resources. The latest changes will overwrite previously saved settings. For this reason, joint work of multiple administrators must be coordinated to prevent misunderstanding.

2.10. User interface

From the administrator workstation, you can view, create, modify, and configure the logical network and manage all Kaspersky Lab applications installed on clients. The administration interface is provided by the Administration Console component, which is an administration plug-in integrated into the Microsoft Management Console (MMC). The Kaspersky Administration Kit interface complies with MMC standards.
In order to ensure local interaction with the client computers, the application includes the ability to establish a remote connection with the computer via the Administration Console using the standard Connect to the remote desktop Microsoft Windows utility.
In order to use this possibility, you have to allow remote connection to the desktop on client computer.

2.10.1. Launching the application

Kaspersky Administration Kit is launched by selecting item Kaspersky Administration Kit in program group Kaspersky Administration Kit of the standard menu Start \ Programs. This programs group is created only on the administrator's workstations at the time when the Administration Console is installed.
The logical network Administration server must be launched in order for you to be able to access the functionality of Kaspersky Administration Kit.

2.10.2. Main window

The program main window (see Figure 3) has a menu, a toolbar, a control panel, a view panel, a details panel and a task panel. The menu is used to manage files and dialog boxes and provides access to Help topics. Toolbar buttons provide quick access to most frequently used menu options. The view panel displays the hierarchical Kaspersky Administration Kit namespace as a console tree. The details panel shows details of the object selected in the console tree. The details panel provides a quick access to the main operations assigned to the console selected in the tree or in the object’s details panel, by a hyperlink.
Figure 3. Kaspersky Administration Kit main window

2.10.3. Console tree

The console tree displays logical networks created within a corporate network and provides access to the logical network settings and properties of the local computer where the Administration Console is installed.
The Kaspersky Administration Kit namespace can have several nodes: the Kaspersky Administration Server (<Server Name>) (by the number of Administration Servers) and the Local computer object.
Using the Local Computer object, you can locally administer Kaspersky Lab applications installed on the administrator workstation.
The Kaspersky Administration Server (<Server name>) node is a container that displays the structure and settings of the selected Administration Server. The Kaspersky Administration Server (<Server name>) KAV Server node has the following folders:
Protection status
Network
Groups
Updates
Remote install
Computers selections
Events
Tasks
Licenses
Storages
The Protection status folder is used for providing information about the anti-virus protection state both at the client computers and in the computer network as a whole. This folder contains nested report pages that structure the information as follows:
Network – information about computers that are not included into the logical network structures and the results of the current or the last polling of the computer network by the Administration server.
Administration groups – the status of the anti-virus protection on the client computers of the logical network.
Anti-virus protection statistics – statistical information about the virus activities on the client computers of the logical network.
Updates – the state of the anti-virus database used by the applications.
The Network folder displays the contents of the computer network in which the Administration server is installed. The Administration server creates and updates the information about the network structure and computers included in this network by regularly polling the Windows network and IP subnetworks created in the corporate computer network. The contents of the Network folder will be updated based on this polling.
The Groups node is used to store, display, configure, and change the logical network structure, group policies, and group tasks.
Root objects in the Groups folder correspond to the highest level of the logical network hierarchy. The Servers, Policies and Tasks folders are mandatory for each group item. These folders are used to operate Administration servers, policies and tasks of the upper hierarchical level.
The Updates folder contains the list of updates received by the Administration server that can be delivered to clients.
The Remote install folder contains the list of installation packages that can be used to deploy applications to client computers of the logical network.
The Reports folder displays templates of reports on the status of logical network protection.
The Computers selections folder is used for search for client computers using specified search criteria, saving the search results and displaying it in individual folders of the console tree.
The Events folder displays a list and information about events registered during the operation of the application and about results of the tasks execution.
The Global tasks folder has a list of global tasks assigned to a set of logical network computers.
The Licenses folder shows licenses installed on client computers.
The Storages folder is used to manage objects placed by the anti-virus applications into the quarantine folders on the client computers and backup copies of objects placed into the backup storage. However, the objects themselves are not copied to the Administration server.
Information presented in the Administration Console is updated automatically only for nodes.
In order to update the information in the results pane use F5 key or the Update command in the menu, shortcut menu or the Update link in the task pane.

2.10.4. Shortcut menu

Every type of object in the Kaspersky Administration Server namespace of the console tree has a specific shortcut menu. In addition to the standard MMC commands, these menus contain specific options for treating objects. Additional commands for specific objects are listed in the table below.
Table 1
Object | Command | Action
Kaspersky Administration Kit | New/Kaspersky Administration Server | Add an Administration Server to the console tree
<Server name> | Logon server | Connect to the administration server
<Server name> | Disconnect | Disconnect from the Administration Server
<Server name> | Quick Start Wizard | Launch Quick Start Wizard
<Server name> | Application Deploy Wizard | Create and run a deployment task
<Server name> | Find computer | Open a find computer window
<Server name> | Properties | Display the Administration Server Properties dialog box
<Server name> | All tasks/Virus attacks detection settings | Configure settings of the virus attack detection on the logical network computers
Network | Find computer | Open a find computer window in the Network folder
Network | Application Deploy Wizard | Create and run a deployment task
Network | View/Domains | Display the computer network structure as the hierarchy of Windows domains and workgroups
Network | View/Active Directory | Display the computer network structure according to the Active Directory structure
Network | New/IP subnetwork | Create an IP sub-network to display computers
Network | View/Administration server | Switch to the Administration server node that includes the Network folder
Network | New/IP subnetwork | Create an IP sub-network to display computers
Network | All tasks/computer activity | Configure the Administration server settings response to the absence of computer activities in the network
Groups | Install application | Create and run a deployment task for the group
Groups | Update application | Start remote update wizard
Groups | New/Report template | Create a new report template for the selected group
Groups | Find computer | Open a find computer window in the group
Groups | Reset virus counter | Reset virus detection counters on all clients in this group
Groups | Force synchronization | Perform synchronization of data on all computers in the group
Groups | New/Group | Add a new group to the logical network structure
Groups | New/Computer | Adding a new client computer to the group
Groups | All tasks/computer activity | Configure the Administration server settings response to the absence of computer activities in the network
Groups | All tasks / Safety | Configure access rights to the group
Groups | All tasks / Policies | Switch to folder Policies for the selected group