Kaspersky Security for Windows Server: Release Notes

================================================================================
Version released: 05.05.2021
Build number: 11.0.1.897

Contents:
* Application description
* What’s new in Kaspersky Security 11.0.1 for Windows Server
* System requirements for Kaspersky Security 11.0.1 for Windows Server
* Migration from previous versions
* Known issues and limitations of Kaspersky Security 11.0.1 for Windows Server
* Contact information and application support

APPLICATION DESCRIPTION
--------------------------------------------------------------------------------
Kaspersky Security for Windows Server is a software solution for protecting
corporate servers and data storage systems. The protection scope available in the
application (servers running Windows, data storage systems) and the set of
functional components depend on the type of the purchased license.

Kaspersky Security 11.0.1 for Windows Server completely preserves functionalities

of the previous application version and incorporates new protection capabilities.
The new version also includes critical fixes, issued for the previous application
versions, and closes the vulnerabilities discovered in the previous application
versions.

WHAT’S NEW IN KASPERSKY SECURITY 11.0.1 FOR WINDOWS SERVER

--------------------------------------------------------------------------------
The new version of Kaspersky Security for Windows Server introduces the following
capabilities:

- Self-defense parameters.
In the application settings, you can now enable or disable protection of
application processes from external threats (the option is enabled by default).
When the option is enabled, the application protects its own processes, as well as
the processes of Kaspersky Security Center Network Agent, against interference from
third-party processes.

- Improvements to the Trusted Zone rules.

Now you can add exclusions for the Network Threat Protection task. Exclusions are
set in the form of Trusted Zone rules with the "Network Threat Protection" checkbox
selected. Application decisions that fall under the exclusions do not lead to
blocking of hosts.

- Changes to the algorithm for applying Traffic Security rules.

Now you can set one denying Traffic Security rule for all websites by a mask (for
example, *) and several allowing rules by a different mask to implement the
scenario "deny access to all sites except the explicitly allowed".

- Optimization of the Compact Diagnostic Interface.

With password protection enabled, access to the "Troubleshooting" tab now requires
a password. The rest of the tabs can still be accessed without entering a password.

- Interface optimization.
A new link was added to the main screen of the local Console to open the Trusted
Zone settings window. There is also a separate node for the Exploit Prevention
component in the Real-Time Server Protection section.
- Bug fixes.
The 11.0.1 version of the application comprises the bug fixes made within the
frames of the following critical updates for version 11.0.0: CORE3, CORE4, CORE5,
CORE6.

SYSTEM REQUIREMENTS FOR KASPERSKY SECURITY 11.0.1 FOR WINDOWS SERVER

--------------------------------------------------------------------------------
You can install Kaspersky Security 11.0.1 for Windows Server on a server running
one of the following Microsoft Windows operating systems:
* Windows Server 2003 Standard / Enterprise / Datacenter SP2 and later x32
* Windows Server 2003 R2 Standard / Enterprise / Datacenter SP2 and later x32
* Windows Server 2008 Standard / Enterprise / Datacenter SP2 and later x32
* Windows Server 2008 Core Standard / Enterprise / Datacenter SP2 and later x32
* Windows Server 2003 Standard / Enterprise / Datacenter SP2 and later x64
* Windows Server 2003 R2 Standard / Enterprise / Datacenter SP2 and later x64
* Windows Server 2008 Standard / Enterprise / Datacenter SP2 and later x64
* Windows Server 2008 Core Standard / Enterprise / Datacenter SP2 and later x64
* Microsoft Small Business Server 2008 Standard / Premium SP2 and later x64
* Windows Server 2008 R2 Foundation / Standard / Enterprise / Datacenter SP1 and
later x64
* Windows Server 2008 R2 Core Standard / Enterprise / Datacenter SP1 and later x64
* Windows Hyper-V Server 2008 R2 SP1 and later x64
* Microsoft Small Business Server 2011 Essentials / Standard x64
* Microsoft Windows MultiPoint Server 2011 x64
* Windows Server 2012 Foundation / Essentials / Standard / Datacenter / MultiPoint
Server x64
* Windows Server 2012 Core Standard / Datacenter x64
* Windows Storage Server 2012 x64
* Windows Hyper-V Server 2012 x64
* Windows Server 2012 R2 Foundation / Essentials / Standard / Datacenter x64
* Windows Server 2012 R2 Core Standard / Datacenter x64
* Windows Storage Server 2012 R2 x64
* Windows Hyper-V Server 2012 R2 x64
* Windows Server 2016 Essentials / Standard / Datacenter / MultiPoint Premium
Server x64
* Windows Server 2016 Core Standard / Datacenter x64
* Windows Storage Server 2016 x64
* Windows Hyper-V Server 2016 x64
* Windows Server 2019 all editions (including Core/Terminal/Hyper-V) x64
* Windows Storage Server 2019 x64
* Windows Hyper-V Server 2019
* Windows 10 Enterprise multi-session

You can install Kaspersky Security 11.0.1 for Windows Server on terminal servers
running following operating systems:
* Microsoft Remote Desktop Services based on Windows Server 2008 SP2 or later
* Microsoft Remote Desktop Services based on Windows Server 2008 R2
* Microsoft Remote Desktop Services based on Windows Server 2012
* Microsoft Remote Desktop Services based on Windows Server 2012 R2
* Microsoft Remote Desktop Services based on Windows Server 2016
* Microsoft Remote Desktop Services based on Windows Server 2019
* Citrix® XenApp® 6.0, 6.5, 7.0, 7.5 - 7.9, 7.15
* Citrix XenDesktop® 7.0, 7.1, 7.5 - 7.9, 7.15

Kaspersky specialists may offer limited technical support for the application
installed on servers running the Windows Server 2003 family of operating systems,
because Windows Server 2003 operating systems are no longer supported by Microsoft.
MIGRATION FROM PREVIOUS VERSIONS
--------------------------------------------------------------------------------
Migration from previous versions of the application is described in migration.txt.

KNOWN ISSUES AND LIMITATIONS OF KASPERSKY SECURITY 11.0.1 FOR WINDOWS SERVER
--------------------------------------------------------------------------------
Interaction with Kaspersky Endpoint Agent:
- If the Interaction with Kaspersky Endpoint Agent component is selected for
installation, and the server restart is required at the last stage of Kaspersky
Security installation, Kaspersky Endpoint Agent will not be installed on the server
until it is restarted. In this case, Kaspersky Security Installer plans startup of
Kaspersky Endpoint Agent installation in the System Planner.

Traffic Security:
- We do not recommend including the VPN traffic (port 1723) in the protection scope
of the task.
- The Opera Presto Engine web browser reports an attempt to connect using an
untrusted certificate if Kaspersky Security for Windows Server is used to protect
HTTPS traffic.
- IPv6 traffic is not scanned.
- The Traffic Security component is available only on Microsoft Windows Server 2008
R2 and later.
- The application supports only TCP traffic.
- The Administration Server Network Agent detects the Traffic Security component
when attempting to connect to the Administration Server, so we recommend you to
install the Network Agent before deploying the Traffic Security component. If the
component was installed and the Traffic Security task was started before
installation of Network Agent, restart the Traffic Security task.

On-Demand Scan, Real-Time File Protection, Anti-Cryptor, Exploit Prevention:

- Anti-virus scan of MTP devices upon connection is not available.
- Scan of archive objects is not available without scan of SFX archives: if the
archive scanning mode is applied by Kaspersky Security for Windows Server security
settings, the application automatically scans both objects in archives and objects
in SFX archives. Scanning of SFX archives is available without scanning archives.
- Exclusions from the Trusted Zone are not applied when scanning Windows Server
2016 containers.
- iSwift technology is not applied when scanning Windows Server 2016 containers.
- The Exploit Prevention component does not protect applications installed via the
Microsoft Store on Windows Server 2012 and Windows Server 2012 R2.
- Protecting the firefox.exe process using the Exploit Prevention component in the
"Terminate on exploit" mode blocks the launch of the Firefox web browser. If you
are using the Firefox web browser, remove the firefox.exe process from the
protection scope. However, please keep in mind that this may lower the protection
level. The limitation applies to Firefox 80.0 or higher on devices running Windows
Server 2016 or higher.
- Simultaneous usage of DEP mitigation technique with switched-off system DEP may
lead to operation errors of the protected processes and the operating system as a
whole. If problems occur while using DEP mitigation technique for protection of
processes, contact Technical Support.

Server control and diagnostics:

- The Log Inspection task detects potential Kerberos (MS14-068) attack patterns
only on servers running Windows Server 2008 and higher as a domain controller with
installed updates.
- The Device Control task blocks any connections of MTP devices when running in the
Active mode.

Firewall Management:
- IPv6 addresses are not supported when the rule usage scope consists of only one
address.
- When starting the Firewall Management task in the operating system's firewall
settings, the following types of rules are automatically deleted: denying rules,
outgoing network traffic control rules.
- The standard Firewall Management policy rules ensure performance of the main
scenarios for interaction of local servers with the Administration Server. To use
the full functionality of Kaspersky Security Center, manually set the rules for
allowing ports. Information about port numbers, protocols, and their functions is
provided in Kaspersky Security Center Knowledge Base (Article ID: 9297).
- The application does not monitor changes to Windows Firewall rules and rule
groups during polling of the Firewall Management task, if these rules and groups
were added to the task settings during installation of the application. To update
the status and presence of such rules, you must restart the Firewall Management
task.
- For Microsoft Windows Server 2008 and later family of operating systems: before
installation of the Firewall Management component, you must start the Windows
Firewall service (started by default).
- For Microsoft Windows Server 2003 family of operating systems: the SharedAccess
service must run for Windows Firewall to work. By default, the service is stopped
and can be started only with Administrator rights. If the Firewall Management
component is started when the SharedAccess service is stopped, the application
displays the component status as inactive: visually, the task is active and
running, but Windows Firewall is not started and the network rules are not applied.
To allow the Firewall Management component to work correctly, start the
SharedAccess service.

Installation:
- During installation of the application, a warning is displayed about the path
being too long if the full path to the installation folder of Kaspersky Security
for Windows Server contains more than 150 characters. The warning does not affect
the installation process: Kaspersky Security for Windows Server installation
completes successfully and the application operates normally.
- Installation of the SNMP Protocol Support component requires the SNMP service on
the protected server.
- To install the SNMP Protocol Support component, restart the SNMP service if this
service is running.
- Kaspersky Security for Windows Server Administration Tools cannot be installed
through Microsoft Active Directory group policies.
- When installing the application on the servers running operating systems with
discontinued support, that are unable to receive regular updates, you must check
for the following root certificates: DigiCert Assured ID Root CA,
DigiCert_High_Assurance_EV_Root_CA, DigiCertAssuredIDRootCA. Absence of these
certificates may cause the application to work incorrectly. We recommend that you
install the specified certificates using any available means. You can find
instructions on how to download and apply up-to-date certificates in the Knowledge
Base (Article ID: 13727).

Licensing:
- The application cannot be activated using a key file specified in the
installation wizard if the key file is located on a disk created using the SUBST
command or the specified path to the key file is a network path.

Updates:
- After installation of critical updates of Kaspersky Security for Windows Server
modules, the Kaspersky Security for Windows Server icon is hidden by default.
Interface:
- In Kaspersky Security for Windows Server Console, filters in the Quarantine,
Backup, System Audit Log, and Task Logs nodes are case sensitive.
- When configuring the protection and scan scope in Kaspersky Security Console, you
can use only one mask in a path and only at the end of the path. Correct mask
examples: "C:\Temp\Temp*", or "C:\Temp\Temp???.doc", or "C:\Temp\Temp*.doc". This
limitation does not apply to the Trusted Zone settings.

Integration with Kaspersky Security Center:

- Administration Server checks the correctness of application database updates as
they are received and before they are deployed to the network servers. Correctness
of the application module updates is not checked by Administration Server.
- When working with components that pass dynamically changing data to Kaspersky
Security Center using the network lists (Quarantine, Backup, Blocked Hosts
Storage), be sure that the corresponding check boxes are selected in the settings
for interaction with Administration Server.

Other functions:
- The application partially supports CaseSensitive directories; there are known
scenarios in which CaseSensitive directories are not supported:
- exclusions specified in the settings of protection and scan tasks;
- Trusted Zone exclusions;
- Applications Launch Control rules.
- When using a command line utility, special characters are displayed if the
operating system’s regional settings match the locale of Kaspersky Security for
Windows Server.
- When using the basic authentication on a proxy server, authentication errors may
occur if the user name or password is specified using multibyte encoding.
- When a file is restored from Quarantine or Backup, the file's Encrypted attribute
is not restored.
- A mirror server cannot be used when connecting to a syslog server via UDP.
- The device type may not be recognized when a USB connection event is generated.
In this case, the event will only contain the device GUID.
- Values of Device Instance Path are specified in different formats for the Device
Control component and the USB-connection tracking function.

CONTACT INFORMATION AND APPLICATION SUPPORT

--------------------------------------------------------------------------------
* You can find the general application information on the
https://www.kaspersky.com/small-to-medium-business-security/windows-server-security
page.
* You can send your request to Kaspersky Technical Support on the
https://companyaccount.kaspersky.com/ page.
* You can read the program Online Help on the
https://support.kaspersky.com/KSWS/11.0.1/en-US/ page.
* You can read the Knowledge Base articles for the current application version as
well as download the accompanying artifacts and documents on the
https://support.kaspersky.com/ksws11 page.
* You can discuss questions related to usage of the application on the
https://community.kaspersky.com/ page.

© 2021 AO Kaspersky Lab