Kaspersky Security for Windows Server: Release Notes

================================================================================
Version released: 30.08.2020
Build number: 11.0.0.480

Contents:
* Application description
* What’s new in Kaspersky Security 11 for Windows Server
* System requirements for Kaspersky Security 11 for Windows Server
* Migration from previous versions
* Known issues and limitations
* Contact information and application support

APPLICATION DESCRIPTION
--------------------------------------------------------------------------------
Kaspersky Security for Windows Server is a software solution for protecting
corporate servers and data storage systems. The protection scope available in the
application (servers running Windows, data storage systems) and the set of
functional components depend on the type of the purchased license.

Kaspersky Security 11 for Windows Server completely preserves functionalities of

the previous application version and incorporates new protection capabilities. The
new version also includes critical fixes, issued for the previous application
versions, and closes the vulnerabilities discovered in the previous application
versions.

WHAT’S NEW IN KASPERSKY SECURITY 11 FOR WINDOWS SERVER

--------------------------------------------------------------------------------
The new version of Kaspersky Security for Windows Server introduces the following
capabilities:
* Integration with the Kaspersky Endpoint Agent application is implemented in
order to enable joint operation of Kaspersky Security and Kaspersky advanced threat
protection solutions (EDR). Kaspersky Security 11 for Windows Server distribution
package includes installation files of Kaspersky Endpoint Agent version 3.9, which
supports integration with Kaspersky Sandbox solution. Detailed information on
Kaspersky Endpoint Agent, Kaspersky Sandbox and other Kaspersky EDR solutions is
provided in the Guides for these solutions.
* Network Threat Protection: a component that provides analysis of incoming
traffic for the signs of network attacks is implemented. If a threat is detected,
the Network Threat Protection component blocks the compromised IP address.
* Kaspersky Security Center policy profiles for the Trusted Zone lists: now you
can create policy profiles for the lists of trusted processes and for the Trusted
Zone exclusion lists using the Management Plug-in version 11.
* Monitoring of on-demand file changes based on cryptography: the application
allows generating baseline lists of files and running checks on the compliance of
files on the disk with the baseline parameters. The application detects the
following mismatches with the baseline: creation of new files in the monitored
areas, deletion of files from the monitored areas, changes of the monitored file
checksum.
* Control of the network cards and modems connection: the Device Control and
Automatic Rule Generator for Device Control tasks support creation and application
of rules that block connection of untrusted network cards and modems via USB.
* Information about the checksum of the object being processed in detection
events, which are published in Kaspersky Security Center reports, is added.
* Administration Web-Plug-in is implemented: now you can manage the application
using Kaspersky Security Center Web Console.
* Blocking changes of the important parameters in the USN (Update Sequence Number)
log: the application uses USN log entries to monitor file operations. You can
prevent deletion of USN log entries and change the threshold for the maximum USN
log size.
* Notification on changes of the important parameters in the USN (Update Sequence
Number) log: if you have not prohibited changes to the important parameters in the
USN log, the application will report attempts to delete entries from the USN log by
publishing the events in application reports.
* Methods of protection against active threats are optimized: now the application
notifies you if the signs of active infection are detected during the Real-Time
Protection tasks execution. The application marks the detected objects for deletion
and deletes such objects from the server after reboot.
* The Real-time protection task settings now allow you to enable the launch of the
Critical Areas Scan task if signs of active infection are detected. If this option
is enabled, the application automatically creates and starts a temporary Critical
Areas Scan task on the server where an active infection was detected.
* Anti-virus scan of the tasks created in the System Planner is implemented.
Monitoring of tasks created by the System Planner is performed as part of the on-
demand scan tasks with the "Startup Objects" scan area enabled.
* Processing of persistent WMI subscriptions is implemented: now the application
detects suspicious WMI subscriptions in the WMI namespace on the server with
Kaspersky Security installed and deletes them. Monitoring of persistent WMI
subscriptions is performed as part of the on-demand scan tasks with the "Startup
Objects" scan area enabled.
* Triggering criteria for custom rules of the Log Analysis component are enhanced:
now you can set the rules for the value of the "Source" parameter in the Windows
Event Log entry.
* The capability is added to configure the triggering criteria for the
applications launch control rule when creating rules based on events of blocked
launches in the Kaspersky Security Center Console.
* Trace log files rotation options are extended.
* The list of supported operating systems is extended.
* The list of compatible applications for the Mail Control component is extended:
now the Kaspersky Security extension for mail control can work together with the
Microsoft Outlook application included in the Microsoft Office 2019 and Microsoft
Office 365 packages.
* The application interface is aligned with the new brand policy of the company.
* Bugs from the previous versions are fixed: the application includes the bug-
fixes, issued for the previous versions.

SYSTEM REQUIREMENTS FOR KASPERSKY SECURITY 11 FOR WINDOWS SERVER

--------------------------------------------------------------------------------
You can install Kaspersky Security 11 for Windows Server on a server running one of
the following Microsoft Windows operating systems:
* Windows Server 2003 Standard / Enterprise / Datacenter SP2 and later x32
* Windows Server 2003 R2 Standard / Enterprise / Datacenter SP2 and later x32
* Windows Server 2008 Standard / Enterprise / Datacenter SP1 and later x32
* Windows Server 2008 Core Standard / Enterprise / Datacenter SP1 and later x32
* Windows Server 2003 Standard / Enterprise / Datacenter SP2 and later x64
* Windows Server 2003 R2 Standard / Enterprise / Datacenter SP2 and later x64
* Windows Server 2008 Standard / Enterprise / Datacenter SP1 and later x64
* Windows Server 2008 Core Standard / Enterprise / Datacenter SP1 and later x64
* Microsoft Small Business Server 2008 Standard / Premium x64
* Windows Server 2008 R2 Foundation / Standard / Enterprise / Datacenter SP1 and
later x64
* Windows Server 2008 R2 Core Standard / Enterprise / Datacenter SP1 and later x64
* Windows Hyper-V Server 2008 R2 SP1 and later x64
* Microsoft Small Business Server 2011 Essentials / Standard x64
* Microsoft Windows MultiPoint Server 2011 x64
 * Windows Server 2012 Foundation / Essentials / Standard / Datacenter / MultiPoint
Server x64
* Windows Server 2012 Core Standard / Datacenter x64
* Windows Storage Server 2012 x64
* Windows Hyper-V Server 2012 x64
* Windows Server 2012 R2 Foundation / Essentials / Standard / Datacenter x64
* Windows Server 2012 R2 Core Standard / Datacenter x64
* Windows Storage Server 2012 R2 x64
* Windows Hyper-V Server 2012 R2 x64
* Windows Server 2016 Essentials / Standard / Datacenter / MultiPoint Premium
Server x64
* Windows Server 2016 Core Standard / Datacenter x64
* Windows Storage Server 2016 x64
* Windows Hyper-V Server 2016 x64
* Windows Server 2019 all editions (including Core/Terminal/Hyper-V) x64

You can install Kaspersky Security 11 for Windows Server on terminal servers
running following operating systems:
* Windows 2008 Server Microsoft Remote Desktop Services
* Windows 2008 Server R2 Microsoft Remote Desktop Services
* Windows 2012 Server Microsoft Remote Desktop Services
* Windows 2012 Server R2 Microsoft Remote Desktop Services
* Windows 2016 Server Microsoft Remote Desktop Services
* Windows 2019 Server
* Citrix® XenApp® 6.0, 6.5, 7.0, 7.5 - 7.9, 7.15
* Citrix XenDesktop® 7.0, 7.1, 7.5 - 7.9, 7.15

Kaspersky specialists may offer limited technical support for the application
installed on servers running the Windows Server 2003 family of operating systems,
because Windows Server 2003 operating systems are no longer supported by Microsoft.

MIGRATION FROM PREVIOUS VERSIONS

--------------------------------------------------------------------------------
Migration from previous versions of the application is described in migration.txt.

KNOWN ISSUES AND LIMITATIONS

--------------------------------------------------------------------------------
Interaction with Kaspersky Endpoint Agent:
- If the Interaction with Kaspersky Endpoint Agent component is selected for
installation, and the server restart is required at the last stage of Kaspersky
Security installation, Kaspersky Endpoint Agent will not be installed on the server
until it is restarted. In this case, Kaspersky Security Installer plans startup of
Kaspersky Endpoint Agent installation in the System Planner.

Traffic Security:
- We do not recommend including the VPN traffic (port 1723) in the protection scope
of the task.
- The Opera Presto Engine web browser reports an attempt to connect using an
untrusted certificate if Kaspersky Security for Windows Server is used to protect
HTTPS traffic.
- IPv6 traffic is not scanned.
- The Traffic Security component is available only on Microsoft Windows Server 2008
R2 and later.
- The application supports only TCP traffic.
- The Administration Server Network Agent detects the Traffic Security component
when attempting to connect to the Administration Server, so we recommend you to
install the Network Agent before deploying the Traffic Security component. If the
component was installed and the Traffic Security task was started before
installation of Network Agent, restart the Traffic Security task.

On-Demand Scan, Real-Time File Protection, Anti-Cryptor, Exploit Prevention:

- Anti-virus scan of MTP devices upon connection is not available.
- Scan of archive objects is not available without scan of SFX archives: if the
archive scanning mode is applied by Kaspersky Security for Windows Server security
settings, the application automatically scans both objects in archives and objects
in SFX archives. Scanning of SFX archives is available without scanning archives.
- Exclusions from the Trusted Zone are not applied when scanning Windows Server
2016 containers.
- iSwift technology is not applied when scanning Windows Server 2016 containers.
- The Exploit Prevention component does not protect applications installed via the
Microsoft Store on Windows Server 2012 and Windows Server 2012 R2.
- Protecting the firefox.exe process using the Exploit Prevention component in the
"Terminate on exploit" mode blocks the launch of the Firefox web browser. If you
are using the Firefox web browser, remove the firefox.exe process from the
protection scope. However, please keep in mind that this may lower the protection
level. The limitation applies to Firefox 80.0 or higher on devices running Windows
Server 2016 or higher.
- Simultaneous usage of DEP mitigation technique with switched-off system DEP may
lead to operation errors of the protected processes and the operating system as a
whole. If problems occur while using DEP mitigation technique for protection of
processes, contact Technical Support.

Server control and diagnostics:

- The Log Inspection task detects potential Kerberos (MS14-068) attack patterns
only on servers running Windows Server 2008 and higher as a domain controller with
installed updates.
- The Device Control task blocks any connections of MTP devices when running in the
Active mode.

Firewall Management:
- IPv6 addresses are not supported when the rule usage scope consists of only one
address.
- When starting the Firewall Management task in the operating system's firewall
settings, the following types of rules are automatically deleted: denying rules,
outgoing network traffic control rules.
- The standard Firewall Management policy rules ensure performance of the main
scenarios for interaction of local servers with the Administration Server. To use
the full functionality of Kaspersky Security Center, manually set the rules for
allowing ports. Information about port numbers, protocols, and their functions is
provided in Kaspersky Security Center Knowledge Base (Article ID: 9297).
- The application does not monitor changes to Windows Firewall rules and rule
groups during polling of the Firewall Management task, if these rules and groups
were added to the task settings during installation of the application. To update
the status and presence of such rules, you must restart the Firewall Management
task.
- For Microsoft Windows Server 2008 and later family of operating systems: before
installation of the Firewall Management component, you must start the Windows
Firewall service (started by default).
- For Microsoft Windows Server 2003 family of operating systems: the SharedAccess
service must run for Windows Firewall to work. By default, the service is stopped
and can be started only with Administrator rights. If the Firewall Management
component is started when the SharedAccess service is stopped, the application
displays the component status as inactive: visually, the task is active and
running, but Windows Firewall is not started and the network rules are not applied.
To allow the Firewall Management component to work correctly, start the
SharedAccess service.
Installation:
- During installation of the application, a warning is displayed about the path
being too long if the full path to the installation folder of Kaspersky Security
for Windows Server contains more than 150 characters. The warning does not affect
the installation process: Kaspersky Security for Windows Server installation
completes successfully and the application operates normally.
- Installation of the SNMP Protocol Support component requires the SNMP service on
the protected server.
- To install the SNMP Protocol Support component, restart the SNMP service if this
service is running.
- Kaspersky Security for Windows Server Administration Tools cannot be installed
through Microsoft Active Directory group policies.
- When installing the application on the servers running operating systems with
discontinued support, that are unable to receive regular updates, you must check
for the following root certificates: DigiCert Assured ID Root CA,
DigiCert_High_Assurance_EV_Root_CA, DigiCertAssuredIDRootCA. Absence of these
certificates may cause the application to work incorrectly. We recommend that you
install the specified certificates using any available means. You can find
instructions on how to download and apply up-to-date certificates in the Knowledge
Base (Article ID: 13727).

Licensing:
- The application cannot be activated using a key file specified in the
installation wizard if the key file is located on a disk created using the SUBST
command or the specified path to the key file is a network path.

Updates:
- After installation of critical updates of Kaspersky Security for Windows Server
modules, the Kaspersky Security for Windows Server icon is hidden by default.

Interface:
- In Kaspersky Security for Windows Server Console, filters in the Quarantine,
Backup, System Audit Log, and Task Logs nodes are case sensitive.
- When configuring the protection and scan scope in Kaspersky Security Console, you
can use only one mask in a path and only at the end of the path. Correct mask
examples: "C:\Temp\Temp*", or "C:\Temp\Temp???.doc", or "C:\Temp\Temp*.doc". This
limitation does not apply to the Trusted Zone settings.

Integration with Kaspersky Security Center:

- Administration Server checks the correctness of application database updates as
they are received and before they are deployed to the network servers. Correctness
of the application module updates is not checked by Administration Server.
- When working with components that pass dynamically changing data to Kaspersky
Security Center using the network lists (Quarantine, Backup, Blocked host storage),
be sure that the corresponding check boxes are selected in the settings for
interaction with Administration Server.

Other functions:
- The application partially supports CaseSensitive directories; there are known
scenarios in which CaseSensitive directories are not supported:
- exclusions specified in the settings of protection and scan tasks;
- Trusted Zone exclusions;
- Applications Launch Control rules.
- When using a command line utility, special characters are displayed if the
operating system’s regional settings match the locale of Kaspersky Security for
Windows Server.
- When using the basic authentication on a proxy server, authentication errors may
occur if the user name or password is specified using multibyte encoding.
- When a file is restored from Quarantine or Backup, the file's Encrypted attribute
is not restored.
- A mirror server cannot be used when connecting to a syslog server via UDP.
- The device type may not be recognized when a USB connection event is generated.
In this case, the event will only contain the device GUID.
- Values of Device Instance Path are specified in different formats for the Device
Control component and the USB-connection tracking function.

CONTACT INFORMATION AND APPLICATION SUPPORT

--------------------------------------------------------------------------------
* You can find the general application information on the
https://www.kaspersky.com/small-to-medium-business-security/windows-server-security
page.
* You can send your request to Kaspersky Technical Support on the
https://companyaccount.kaspersky.com/ page.
* You can read the Knowledge Base articles for the current application version as
well as download the accompanying artifacts and documents on the
https://support.kaspersky.com/ksws11 page.
* You can discuss questions related to usage of the application on the
https://forum.kaspersky.com/ page.

© 2020 AO Kaspersky Lab.