Exclude self signed certificates in policy profile for management servers

[Bobhond]

Hi!

 

We are using Kaspersky Security for Windows Server (11.0.0.480, KSC 13.2) and are currently trying to figure out how to create a policy profile for our management servers which excludes self signed certificates.

Currently, all internal websites (like web portal for switches, ...) with a self signed certificate return the same error in the browser:

 

We know that this is caused by the component "Traffic Security" and that we can exclude these internal websites in the policy.

But the server policy is applied to ALL servers, therefore we want to exclude these self signed sites only on our management servers.

 

We want to create a policy profile with all our internal websites in a trusted zone, would this be the correct way to handle this?

What do we have to enter in "object to detect" in order to exclude ALL self signed certificates from traffic security?

 

Can someone please inform me?

 

Kind regards

 

 

 

 

Edited February 17, 2023 by Bobhond
added tag + ksc version

[ElvinE5]

using policy profiles is a common practice ... if this option suits you, then why not.

you do not need to specify anything in this field, just do not select it when creating an exception.

it is necessary, for example, if you have some kind of software of your own (developed by you) that causes protection detections (false), you can make an exception by the name of this detection .. something like not-a-virus.* (and the name of the detection that Kaspersky told you)

in this case you do not need this field

 

Спойлер

 

[Bobhond]

Thank you for your quick response!

I selected "Objects to detect" because it was the only way where I could select "Traffic Security" under "Rules usage Scope". Otherwise this option is greyed out.

 

Adding the rule without selecting anything seems to do nothing:

 

[ElvinE5]

sorry maybe i was wrong...

For the traffic protection component to work, a special license for the KSWS product is required (which I do not have), so I cannot check the operation of the component. - https://support.kaspersky.com/ksws11/licensing/15634

Спойлер

 

In addition, in the policy profiles, you can make exceptions for the campaign only for anti-virus scanning. In your case, this is not what you need.

it looks like you will have to make a general exception in the main policy and it needs to be added here ... since blocking a connection to a resource with a self-signed certificate fulfills the process of checking secure connections

Спойлер

here you need to specify the addresses of your sites

[Bobhond]

I ended up creating a different group with a copy of the original policy and added the exclusions shown in your last screenshot.

That's what I thought of first but it would have been nice if the profiles were more elaborate.

This works fine though.

 

Thanks for helping me out!

 

 

 

 

[ElvinE5]

in the future, I would recommend considering switching to a KES solution (currently version 12.0), as the company plans to end support for KSWS and move to a single product for workstation and server class platforms.

currently in KES, the implementation of policy profiles has more functionality.