These are the minimum requirements for the server(s) running the Movere Console and the target device(s) to be scanned.
Please note: the requirements below are specific to version 11.10.2.22 of the Movere Console, released August 2019. For more information on this release, please see 2019-08-26: Movere FWD & Security Updates.
Console Device System Requirements
- Operating System: 64-bit Windows server running Windows Server 2008R2 SP1 (and above).
- To check, run the following command in Command Prompt as an administrator: wmic OS get Caption, OSArchitecture, TotalVisibleMemorySize
- TLS 1.2 must be supported.
- While Movere will run on a workstation running Windows 10, we strongly recommend running the Console from a server only.
- .NET Framework: 4.7.2 (and above)
- To check, run the following command in Command Prompt as an administrator: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version
- Memory: minimum 8 GB RAM
- If all Movere payloads are to be uploaded to the cloud via the Console, we recommend leveraging SSD storage on the server running the console.
- Free space: minimum 1 GB
- To check, run the following command in Command Prompt as an administrator: wmic logicaldisk get Caption, FreeSpace, Size
- User account running the console is a domain-joined account
- To check, run the following command in Command Prompt as an administrator: whoami
- Local admin access for the user account running the Movere console AND local admin access for the user account(s) leveraged for scanning the targeted Windows devices.
- To check, run the following command in Command Prompt as an administrator: net localgroup administrators
- Device has persistent internet access:
- To check, run the following command in Command Prompt as an administrator: ping bing.com
- Microsoft Edge or Google Chrome browser is installed on the Console device; this will be used to log in to Movere to confirm access, and to download the Movere Installer executable.
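The individual checks above can be run in one pass. The following PowerShell is an added example, not part of the Movere documentation or product; it assumes the Console sits on the system drive and uses geo.movere.io (the connectivity test host named on this page) for the TLS 1.2 handshake.

```powershell
# Added example (not Movere's code): preflight check of the Console device requirements.
# Get-WmiObject is used instead of Get-CimInstance so it also runs on Server 2008 R2.
function Test-Tls12 ([string]$HostName, [int]$Port = 443) {
    # A completed handshake shows outbound 443 is open and TLS 1.2 is usable.
    $tcp = New-Object Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [Security.Authentication.SslProtocols]::Tls12, $false)
        return $ssl.IsAuthenticated
    } catch { return $false } finally { $tcp.Close() }
}

function Test-ConsolePrereq {
    function Result ($Check, $Pass) {
        New-Object PSObject -Property @{ Check = $Check; Pass = [bool]$Pass }
    }
    $os   = Get-WmiObject Win32_OperatingSystem
    $cs   = Get-WmiObject Win32_ComputerSystem
    # Assumption: the Console is installed on the system drive (default path is under C:\Users).
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $ndp  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                -ErrorAction SilentlyContinue
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $user = New-Object Security.Principal.WindowsPrincipal($id)

    Result 'OS is 64-bit'                     ($os.OSArchitecture -like '64*')
    Result 'OS is 2008 R2 SP1 or later'       ([version]$os.Version -ge [version]'6.1.7601')
    Result 'OS is a server edition'           ($os.ProductType -ne 1)   # 1 = workstation
    # .NET Framework 4.7.2 and above report a Release value of 461808 or higher.
    Result '.NET Framework is 4.7.2 or later' ($ndp.Release -ge 461808)
    # Rounded, because firmware-reserved memory makes 8 GB report slightly under 8.
    Result 'Memory is at least 8 GB'          ([math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 8)
    Result 'Free space is at least 1 GB'      ($disk.FreeSpace -ge 1GB)
    Result 'Device is domain-joined'          ($cs.PartOfDomain)
    Result 'User is a domain account'         ($env:USERDOMAIN -ne $env:COMPUTERNAME)
    Result 'User is an elevated local admin'  ($user.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator))
    Result 'TLS 1.2 handshake to Movere'      (Test-Tls12 'geo.movere.io')
}

Test-ConsolePrereq | Format-Table Check, Pass -AutoSize
```

Run it from an elevated PowerShell prompt as the account that will run the Console; a workstation fails only the server edition check, which the list above treats as a recommendation.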
Target Device System Requirements
- For Server(s): Windows 2000 Server (and above).
- For Workstation(s): Windows 2000 Pro (and above).
- For inventory scanning: Remote WMI and/or .NET 2.0 or higher.
- For ARC Scanning: .NET 3.5 or higher (remote WMI is not supported for ARC scanning).
- For Linux: please refer to Currently Support Linux Distributions.
Active Directory, DNS & Firewall Requirements
Device running the Movere Console:
- Device is domain-joined and connected to Active Directory, and device name resolves in DNS.
- To check, run the following command in Command Prompt as an administrator: wmic computersystem get domain
- Inbound Console rules: TCP 443 (HTTP protocol over TLS/SSL)
- Port 443 inbound for internal traffic from endpoint(s) being targeted back to Console (internal use only)
- Outbound Console rules: TCP 389 (LDAP), TCP 3268 (ADGC), TCP 443
- Port 443 outbound for Console, token download from Movere and payload upload via the Console
Target Windows Device(s):
- If targeting device(s) by long or short name: the name resolves in DNS and the device(s) are accessible on the network the Console device is connected to.
- Inbound rule: TCP 445 (Windows file sharing), TCP 135 (RPC), TCP 139 (NetBIOS).
- Outbound rule to Movere (optional for direct upload to cloud): TCP 443.
- Please note: direct upload to cloud minimizes internal network traffic and is enabled by default.
Target Linux Device(s), ESXi Host(s), vCenter Appliance(s), XenServer Host(s):
- Inbound rule: TCP 22 (Secure Shell SSH Protocol).
- Outbound rule to Movere (optional for direct upload to cloud): TCP 443.
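The firewall rules above can be verified from the Console device before the first scan. The following PowerShell is an added example, not part of the Movere documentation or product; the internal host names are constructed placeholders, and the inbound 443 rule on the Console itself has to be tested from a target device instead.

```powershell
# Added example (not Movere's code): verify the firewall rules above from the Console device.
# Port lists are taken from this page, keyed by the role of the remote host.
$RequiredPorts = @{
    DomainController = 389, 3268       # LDAP, AD Global Catalog (outbound from Console)
    WindowsTarget    = 445, 135, 139   # file sharing, RPC, NetBIOS (inbound on target)
    SshTarget        = 22              # Linux, ESXi, vCenter Appliance, XenServer
    Movere           = 443             # token download and payload upload
}

function Test-TcpPort ([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    # TcpClient with a timeout also works on PowerShell 2.0, unlike Test-NetConnection.
    $tcp = New-Object Net.Sockets.TcpClient
    try {
        $async = $tcp.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $tcp.EndConnect($async)        # throws if the connection was refused
        return $true
    } catch { return $false } finally { $tcp.Close() }
}

function Test-MovereFirewall ([hashtable]$Hosts) {
    foreach ($role in $Hosts.Keys) {
        if (-not $RequiredPorts.ContainsKey($role)) { throw "Unknown role: $role" }
        foreach ($h in @($Hosts[$role])) {
            foreach ($port in $RequiredPorts[$role]) {
                New-Object PSObject -Property @{
                    Role = $role; Host = $h; Port = $port
                    Open = (Test-TcpPort $h $port)
                }
            }
        }
    }
}

# Constructed placeholder host names; replace with your own systems.
Test-MovereFirewall @{
    DomainController = 'dc01.example.internal'
    WindowsTarget    = 'srv-app01.example.internal', 'srv-db01.example.internal'
    SshTarget        = 'lnx01.example.internal'
    Movere           = 'geo.movere.io'
} | Sort-Object Role, Host, Port | Format-Table Role, Host, Port, Open -AutoSize
```

A row with Open = False means either a blocked port or a name that does not resolve in DNS, both of which the requirements above call out.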
Office365:
- Device running the Movere Console must have the following installed:
- Microsoft Online Services Sign-in Assistant.
- Windows Azure Active Directory Module for Windows PowerShell.
Whitelisting:
- The default installation location on targeted device(s) is C:\Windows\Temp\.
- The following executables should be whitelisted on all target devices.
- Bot2\Movere.Bot2.Local.exe
- Bot4\Movere.Bot4.Local.exe
- Arc2\Movere.Arc2.exe
- Arc4\Movere.Arc4.exe
- FrameworkVerifier.exe
- The default installation location on the device the Movere Console is run from is C:\Users\username\Documents\Movere\Console\
- The following executables should be whitelisted on the Console device:
- Movere.Console.WPF.exe
- Movere.Service.exe
- Movere.Uninstall.exe
- For a comprehensive list of all URLs and IP addresses used by Movere, please see Movere URLs and IP Addresses for Whitelisting.
Antivirus Software:
- If necessary, whitelist the Movere binaries listed above in your Antivirus software. If you set a specific duration of whitelisting, be sure to refresh the whitelisting window before expiration to ensure no disruption to scanning.
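Allowlist rules keyed to a file hash or signer are narrower than a rule covering all of C:\Windows\Temp\. The following PowerShell is an added example, not part of the Movere documentation or product; it records the SHA-256 and Authenticode status of the executables listed above, using the default locations stated on this page, and must be run on a device where the files are present.

```powershell
# Added example (not Movere's code): collect SHA-256 and Authenticode status for the
# executables listed above, as input for per-file allowlist rules.
$TargetFiles  = 'Bot2\Movere.Bot2.Local.exe', 'Bot4\Movere.Bot4.Local.exe',
                'Arc2\Movere.Arc2.exe', 'Arc4\Movere.Arc4.exe', 'FrameworkVerifier.exe'
$ConsoleFiles = 'Movere.Console.WPF.exe', 'Movere.Service.exe', 'Movere.Uninstall.exe'

function Get-AllowlistEvidence ([string]$Root, [string[]]$RelativePath) {
    $sha = [Security.Cryptography.SHA256]::Create()
    foreach ($rel in $RelativePath) {
        $path = Join-Path $Root $rel
        $row  = @{ File = $path; Present = $false; SHA256 = $null
                   Signature = $null; Signer = $null }
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sig   = Get-AuthenticodeSignature -FilePath $path
            $bytes = [IO.File]::ReadAllBytes($path)
            $row.Present   = $true
            $row.SHA256    = [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
            $row.Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property $row        # missing files are reported, not skipped
    }
}

# Default install locations stated on this page.
$consoleRoot = Join-Path $env:USERPROFILE 'Documents\Movere\Console'
$rows  = @(Get-AllowlistEvidence 'C:\Windows\Temp' $TargetFiles)
$rows += @(Get-AllowlistEvidence $consoleRoot $ConsoleFiles)
$rows | Format-List File, Present, SHA256, Signature, Signer
```

Hashes change with each Movere release, so hash-based rules need to be regenerated after an upgrade.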
Movere Service Accounts
Movere Windows Service Account:
- Local Admin on the Windows device(s) to be scanned.
- Please Note: For security purposes, Movere prohibits the propagation of Domain Admin credentials to the bots. Domain Admin credentials can be used to scan Windows devices, but they cannot be leveraged as secondary credentials to access SQL.
Movere SQL Service Account:
- Server Roles:
- public
- User Mapping:
- master (db_datareader)
- msdb (db_datareader)
- Securables:
- Connect SQL
- View server state
- View any definition
- Status:
- Grant: permission to connect to database engine
- Enable: Login
- Secondary SQL access:
- Querying SQL databases housing data from sources such as SCCM, SharePoint, vCenter, VMM etc. requires db_datareader access to the specific database(s).
Movere Linux Service Account:
- The Linux service account will require SSH access to the Linux device(s) to be scanned.
- Movere does not support the use of OpenSSH keys at this time.
- The account must also have a local home directory. Home directories housed on a distributed filesystem (e.g. NFS used to mount storage to multiple systems) will not work.
- Movere can scan a Linux device without ‘root’ or a ‘superuser’ account by setting the ‘LinuxSkipSudo’ flag in the ‘Movere.Service.exe.config’ to ‘true’.
- While superuser access is NOT required, scanning a Linux device that Movere is already running on with a Linux account that does not have superuser access will not work, since a non-superuser account will be unable to terminate the existing Movere instance that it did not start.
- While many customers create individual service accounts for each of these roles, all three roles can be combined into a single account, if domain-based credentials can be used to authenticate into your Linux systems.
- Please Note: unlike during Windows scanning, Movere will not cycle through multiple Linux credentials. If an environment has multiple Linux credentials, individual Movere scans must be run against each unique set of Linux devices leveraging only the applicable Linux credential.
Movere Office 365 Account:
- User account must have Global Admin access to the Office365 subscription.
- Multi-factor authentication (MFA) must be disabled. Movere does not support MFA for Office365 scans at this time.
- PowerShell query permission is enabled for the Global Admin account being leveraged.
Helpful Hints
Website Visualizations:
- TCP 4244 needs to be open to view the visualizations on the Movere website (https://go.movere.io).
- Microsoft Edge or Google Chrome browser is installed to ensure greatest compatibility with the Movere website.
Simple Movere Connectivity Test:
- Open a browser and navigate to: https://geo.movere.io/ip. If you see an IP address, you can connect to Movere.
SMS Authentication:
- Certain cell providers (by default) block all SMS text messages from overseas commercial numbers. If this occurs, call your cell provider and ask them to whitelist Movere's phone number on your account:
- Movere SMS text messages come from +1 206 900 8003.