Articles in this section

Minimum Scanning Requirements

Avatar
John Bardwell
  • Updated
Follow

These are the minimum requirements for the server(s) running the Movere Console and the target device(s) to be scanned.

Please Note: The below requirements are specific for version 11.10.2.22 of the Movere Console, release August 2019. For more information on this release, please see 2019-08-26: Movere FWD & Security Updates.

Console Device System Requirements

  • Operating System: 64-bit Windows server running Windows Server 2008R2 SP1 (and above).
    • To check, run the following command in Command Prompt as an administrator: wmic OS get Caption, OSArchitecture, TotalVisibleMemorySize
    • TLS 1.2 must be supported.
    • While Movere will run on a workstation running Windows 10, we strongly recommend running the Console from a server only.
  • .NET Framework:  4.7.2 (and above)
    • To check, run the following command in Command Prompt as an administrator: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version
  • Memory: minimum 8 GB RAM
    • If all Movere payloads are to be uploaded to the cloud via the Console, we recommend leveraging SSD storage on the server running the console.
  • Free space: minimum 1 GB
    • To check, run the following command in Command Prompt as an administrator: wmic OS get Caption, OSArchitecture, TotalVisibleMemorySize
  • User account running the console is a domain-joined account
    • To check, run the following command in Command Prompt as an administrator: whoami
  • Local admin access for the user account running the Movere console AND local admin access for the user account(s) leveraged for scanning the targeted Windows devices.
    • To check, run the following command in Command Prompt as an administrator: net localgroup administrators
  • Device has persistent internet access:
    • To check, run the following command in Command Prompt as an administrator: ping bing.com 
  • Microsoft Edge or Google Chrome browser is installed on the Console device; this will be used to login to Movere to confirm access, and to download the Movere Installer executable.

Target Device System Requirements 

  • Server(s): Windows 2000 Server (and above).
  • Workstation(s): Windows 2000 Pro (and above). 
  • Inventory scanning: Remote WMI and/or .NET 2.0 or higher.
  • ARC Scanning: .NET 3.5 or higher (remote WMI is not support for ARC scanning).
  • Linux: please refer to Currently Support Linux Distributions.
  • TLS requirement: In addition to supporting TLS 1.2, the Console device must also support any legacy version(s) of TLS that target devices may communicate on. More information can be found here.

Active Directory, DNS & Firewall Requirements

Device running the Movere Console:  

  • Device is domain-joined and connected to Active Directory, and device name resolves in DNS.
    • To check, run the following command in Command Prompt as an administrator: wmic computersystem get domain
  • Inbound Console rules: TCP 443 (http protocol over TLS/SSL)
    • Port 443 inbound for internal traffic from endpoint(s) being targeted back to Console (internal use only)
  • Outbound Console rules: TCP 389 (LDAP), TCP 3268 (ADGC), TCP 443
    • Port 443 outbound for Console, token download from Movere and payload upload via the Console

Target Windows Device(s): 

  • If targeting device(s) by long or short name: name resolves in DNS and the device(s) accessible on the network the Console device is connected to.
  • Inbound rule: TCP 445 (Windows file sharing), TCP 135 (RPC), TCP 139 (NetBIOS).
  • Outbound rule to Movere: TCP 443. 
    • Port 443 outbound internally for internal traffic from target device(s) back to Movere Console
    • Port 443 outbound externally for direct uploading to Movere's cloud from the target device(s) 
      • Please note: direct upload to cloud minimizes internal network traffic and is enabled by default.

Target Linux Device(s), ESXi Host(s), vCenter Appliance(s), XenServer Host(s):

  • Inbound rule: TCP 22 (Secure Shell SSH Protocol).
  • Outbound rule to Movere: TCP 443. 
    • Port 443 outbound internally for internal traffic from target device(s) back to Movere Console
    • Port 443 outbound externally for direct uploading to Movere's cloud from the target device(s) 
      • Please note: direct upload to cloud minimizes internal network traffic and is enabled by default.

Office365:

  • Device running the Movere Console must have the following installed:
    • Microsoft Online Services Sign-in Assistant. 
    • Windows Azure Active Directory Module for Windows PowerShell. 

Whitelisting:

  • The default installation location on targeted device(s) is C:\Windows\Temp\.
    • The following executables should be whitelisted on all target devices. 
      • Bot2\Movere.Bot2.Local.exe
      • Bot4\Movere.Bot4.Local.exe
      • Arc2\Movere.Arc2.exe
      • Arc4\Movere.Arc4.exe
      • FrameworkVerifier.exe
  • The default installation location on device Movere Console is run from is C:\Users\username\Documents\Movere\Console\
    • The following executables should be whitelisted on the Console device:
      • Movere.Console.WPF.exe
      • Movere.Service.exe
      • Movere.Uninstall.exe
  • For a comprehensive list of all URLs and IP addresses used by Movere, please see Movere URLs and IP Addresses for Whitelisting

Antivirus Software:

  • If necessary, whitelist the Movere binaries listed above in your Antivirus software. If you set a specific duration of whitelisting, be sure to refresh the whitelisting window before expiration to ensure no disruption to scanning.

Movere Service Accounts

Movere Windows Service Account:

  • Local Admin on the Windows device(s) to be scanned.
  • Please Note: For security purposes, Movere prohibits the propagation of Domain Admin credentials to the bots. Domain Admin credentials can be used to scan Windows devices, but they cannot be leveraged as secondary credentials to access SQL.

Movere SQL Service Account:

  • Server Roles:
    • public
  • User Mapping:
    • master (db_datareader)
    • msdb (db_datareader)
  • Securables:
    • Connect SQL
    • View server state
    • View any definition
  • Status:
    • Grant: permission to connect to database engine 
    • Enable: Login
  • Secondary SQL access:
    • Querying SQL databases housing data from sources such as SCCM, SharePoint, vCenter, VMM etc. requires db_datareader access to the specific database(s).

Movere Linux Service Account:

  • The Linux service account will require SSH access to the Linux device(s) to be scanned.
    • Movere does not support the use of OpenSSH keys at this time.
  • The account must also have a local home directory. Home directories housed on a distributed filesystem, e.g. NFS used to mount storage to multiple systems will not work.
  • Movere can scan a Linux device without ‘root’ or a ‘superuser’ account by setting the ‘LinuxSkipSudo’ flag in the ‘Movere.Service.exe.config’ to ‘true’.
    • While superuser access is NOT required, scanning a Linux device that Movere is already running on with a Linux account that does not have superuser access will not work, since a non-superuser account will be unable to terminate the existing Movere instance that it did not start.
  • While many customers create individual service accounts for each of these roles, all three roles can be combined into a single account, if domain-based credentials can be used to authenticate into your Linux systems.
  • Please Note: unlike during Windows scanning, Movere will not cycle through multiple Linux credentials. If an environment has multiple Linux credentials, individual Movere scans must be run against each unique set of Linux devices leveraging only the applicable Linux credential. As Movere only supports one Linux credential, there is no credential mapping required in the console for Linux scans.

Movere Office 365 Account:

  • User account must be Global Admin access to the Office365 subscription. 
  • Multi-factor authentication (MFA) must be disabled. Movere does not support MFA for Office365 scans at this time.
  • PowerShell query permission is enabled for the Global Admin account being leveraged.

Helpful Hints

Website Visualizations:

  • TCP 4244 need to be open to view the visualizations on the Movere website (https://go.movere.io).
  • Microsoft Edge or Google Chrome browser is installed to ensure greatest compatibility with the Movere website.

Simple Movere Connectivity Test:

GeoIP.jpg

SMS Authentication with a One Time Password (OTP):

Movere leverages SMS based two-factor authentication. As part of the registration process, you will be asked for a phone number that you can be reached at. Certain cell providers by default block SMS text messages from oversea numbers. If you are not receiving SMS text messages from Movere then you will need to contact your cell provider and have them white list our phone number on your account.

Movere SMS text messages come from +1-206-900-8003.

  • If you continue to experience issues, please work with your mobile phone provider/carrier to check for any blacklisting or Do Not Disturb setting(s) or policy that could block receipt of a US-based commercial SMS text message.
  • Some countries provide a government-sponsored Do Not Disturb list that users can register their mobile phone number too. Please also ensure that your mobile number is not registered to such a list, as this can block the receipt of Movere SMS text messages.

 

 

 

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk