Configuring Kaspersky Endpoint Agent security settings

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To ensure maximum security of the IT infrastructure in your organization, you can configure access of users and third-party processes to Kaspersky Endpoint Agent. To do so, you can:

• Restrict user permissions to manage the application settings and services.
• Password protect actions in the application.
• Enable the application self-defense mechanism.

Configuring user permissions

Expand all | Collapse all

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

You can grant access to Kaspersky Endpoint Agent to individual users or groups of users. As a result, only specified users will be able to manage settings or services of the application.

To configure user permissions:

1. Do one of the following:
   • Open the application properties window for an individual device.
     1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
     2. Select the device.
     3. In the <Device name> window that opens, select the Applications tab.
     4. Select Kaspersky Endpoint Agent.
     5. In the window that opens, select the Application settings tab.
   • Open the policy properties window.
     1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
     2. Select the policy you want to configure.
     3. In the <Policy name> window that opens, select the Application settings tab.
2. In the Application settings section select the Security settings subsection.
3. In the User permissions for application service management group of settings, click the Configure button next to the name of the required setting (User permissions for application management or Configure user permissions for application management).

   To add users and user groups, specify the security descriptor strings using the

   Security Descriptor Description Language (SDDL)

   Example: (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) Access Type: Access Granted Access permissions: Create all child objects|Delete all child objects|Display contents|All validated write operations|Read all properties|Write all properties|Delete subtree|Display objects|All extended permissions|Delete|Read permissions|Change permissions|Change owner Trusted user: Local System Account

   For more information about Security Descriptor Description Language (SDDL), refer to Microsoft Knowledge Base.

   .

4. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
5. Click OK.
6. Click the Save button.

Enabling Password protection

Expand all | Collapse all

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

Unrestricted user access to the application and its settings can reduce the security level of the device. Password protection is a means to limit user access to the application.

To enable password protection:

1. Do one of the following:
   • Open the application properties window for an individual device.
     1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
     2. Select the device.
     3. In the <Device name> window that opens, select the Applications tab.
     4. Select Kaspersky Endpoint Agent.
     5. In the window that opens, select the Application settings tab.
   • Open the policy properties window.
     1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
     2. Select the policy you want to configure.
     3. In the <Policy name> window that opens, select the Application settings tab.
2. In the Application settings section select the Security settings subsection.
3. In the Password protection group of settings select the Apply password protection check box.
4. Enter a password and confirm it.

   It is recommended to select a password that meets the following requirements:

   • The password must be at least 8 characters long.
   • The password must not contain the user's account name.
   • The password must not match the name of the device on which Kaspersky Endpoint Agent is installed.
   • The password must contain characters from at least three of the following groups:
     • uppercase characters (A-Z);
     • lowercase characters (a-z);
     • numbers (0-9);
     • special characters (!$#%).
5. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
6. Click OK.
7. Click the Save button.

Password protection is now enabled. If a user attempts to perform a password protected action, the application will prompt the user to enter the password.

The application does not check the strength of the specified password. We recommend that you use third-party tools to verify the strength of the password. The password is considered strong enough if verification results confirm that the password cannot be guessed for at least 6 months.

The application does not prohibit login attempts after many attempts of entering an incorrect password.

Enabling and disabling Self-Defense

Expand all | Collapse all

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

The Self-Defense mechanism of Kaspersky Endpoint Agent provides protection from malware that tries to lock or delete the application. The Self-Defense mechanism prevents the alteration or deletion of application files on the hard drive, memory processes, and entries in the system registry.

To enable or disable Self-Defense:

1. Do one of the following:
   • Open the application properties window for an individual device.
     1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
     2. Select the device.
     3. In the <Device name> window that opens, select the Applications tab.
     4. Select Kaspersky Endpoint Agent.
     5. In the window that opens, select the Application settings tab.
   • Open the policy properties window.
     1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
     2. Select the policy you want to configure.
     3. In the <Policy name> window that opens, select the Application settings tab.
2. In the Application settings section select the Security settings subsection.
3. In the Self-defense group of settings, enable or disable the Enable self-defense for application modules in memory setting.
4. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
5. Click OK.
6. Click the Save button.

The Self-Defense mechanism is now enabled or disabled.