Scanning requirements for Windows devices

This article summarizes requirements for scanning Windows devices in Movere.

Supported Windows operating systems

The table summarizes Windows devices you can scan with Movere.

| Device | Details |
|---|---|
| Windows servers | Movere can inventory Windows servers running Windows Server 2000 or later. Movere can collect actual resource consumption data from Windows servers running Windows Server 2003 or later with Microsoft .NET 3.5 SP1 or later. |
| Windows workstations | Movere can inventory Windows workstations running Windows 2000 Pro or later. Movere doesn't collect actual resource consumption data from Windows workstations. |
| .NET Framework | .NET Framework is the default, recommended method for scanning. For inventory scanning, whether scanning as a service or as a process, the target device must run .NET 2.0 or later. For resource consumption scanning, the target device must run .NET 3.5 SP1 (.NET 3.5 doesn't support TLS 1.2). Remote WMI isn't supported for resource consumption scanning. |
| TLS | Windows devices you want to scan must be running Transport Layer Security (TLS) 1.0 or later. As a security best practice, we recommend TLS 1.2. All communications between the Movere Console and the bots running on devices use TLS. |
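The following read-only pre-flight check is an added example, not code from the Movere documentation or product. It reads the standard .NET Framework and SCHANNEL registry locations on a target to report whether it meets the .NET 2.0 (inventory), .NET 3.5 SP1 (resource consumption) and TLS 1.2 requirements above; the function and property names are the author's own.

```powershell
# Added example, not part of the Movere documentation: a read-only pre-flight
# check that a Windows target meets the .NET and TLS requirements above.
# Assumes the standard registry layout for .NET Framework and SCHANNEL; run it
# locally, or pass the function body to Invoke-Command for remote hosts.
function Test-MovereTargetReadiness {
    [CmdletBinding()]
    param()

    $ndp   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    $net20 = Get-ItemProperty -Path "$ndp\v2.0.50727" -ErrorAction SilentlyContinue
    $net35 = Get-ItemProperty -Path "$ndp\v3.5"       -ErrorAction SilentlyContinue
    $net4  = Get-ItemProperty -Path "$ndp\v4\Full"    -ErrorAction SilentlyContinue

    $has20    = $net20.Install -eq 1
    $has35    = $net35.Install -eq 1
    $has35sp1 = $has35 -and ($net35.SP -ge 1)     # resource consumption scan needs 3.5 SP1
    $has4     = $net4.Install -eq 1

    # TLS 1.2 as a client: an explicit Enabled=0 or DisabledByDefault=1 under
    # SCHANNEL turns it off; if the key is absent, the OS default applies.
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
    $tls12Client = 'OS default'
    if ($tls) {
        $tls12Client = if ($tls.Enabled -eq 0 -or $tls.DisabledByDefault -eq 1) { 'Disabled' } else { 'Enabled' }
    }

    # On .NET 4.0 to 4.5.x, TLS 1.2 is only negotiated when SchUseStrongCrypto is
    # set; SystemDefaultTlsVersions makes the framework follow the SCHANNEL settings.
    $fw4 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -ErrorAction SilentlyContinue
    $net4StrongCrypto = ($fw4.SchUseStrongCrypto -eq 1) -or ($fw4.SystemDefaultTlsVersions -eq 1)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InventoryReady   = $has20 -or $has35 -or $has4   # .NET 2.0 or later
        ArcReady         = $has35sp1 -or $has4           # .NET 3.5 SP1 or later
        Net35SP1         = $has35sp1
        Net4Installed    = $has4
        Tls12Client      = $tls12Client
        Net4StrongCrypto = $net4StrongCrypto
    }
}

Test-MovereTargetReadiness | Format-List
```

A device reporting Tls12Client as Disabled, or .NET 4.x without strong crypto, is the one to remediate before scanning rather than lowering the Console's TLS floor.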

URL access

The table summarizes internet access requirements for Windows devices you want to scan. Linux devices have the same access requirements.

| Scan | Details |
|---|---|
| Internet access | Scanned devices that upload data directly to Movere need internet access. |
| URL access | Scanned devices that upload data directly must be able to reach the Movere URLs for the region in which the Movere customer tenant is located. |

Scanning permissions

Review the permissions needed to scan Windows devices.

| Device | Permissions |
|---|---|
| Windows Server | Local admin access on the Windows devices you want to scan. The user must be enabled for interactive log-on on each target device. Scanning devices can include scanning secondary data such as SQL. Movere doesn't allow accounts with Domain Admin privileges to collect secondary data. We recommend that you create a dedicated service account for Movere and assign it Local Admin permissions so that it can access the Windows devices you want to scan. |
| Windows workstations | Local admin access on the Windows devices you want to scan. The user must be enabled for interactive log-on on each target device. |
| Active Directory | For each forest to be scanned, you need a Windows account with permission to query the Global Catalog. |
| SQL Server | Movere first attempts to connect to the SQL instance using the domain account entered in the Movere Console, provided that the account isn't a domain admin account. If the account has domain admin capability, Movere instead uses any SQL credentials entered in the Movere Console, and finally falls back to the NT AUTHORITY\SYSTEM account. The account used for connecting to SQL Server requires the View Server State role, the View Any Definition role, and db_datareader access to master, msdb, and any created databases. Alternatively, you can grant the account the sysadmin server role. The data Movere collects for each level of SQL access is listed below the table. |
| Microsoft 365 | The Movere Microsoft 365 account must have Global Reader access to the Microsoft 365 subscription and an active Microsoft 365 license assigned. Multi-factor authentication (MFA) isn't supported and should be turned off. PowerShell Query permission should be enabled for the Global Reader account. |
| Windows vCenter Server | Movere requires local admin access on the Windows device running SQL Server, as well as the minimum permission needed to access the vCenter SQL database. |

SQL Server data collection depends on the access the account has:

- Database and secondary data: after a successful connection to the SQL Server instance, Movere gathers a list of databases (state, size, creation date), plus cluster, mirroring, and availability group data. If specific data is required from individual databases, such as System Center Configuration Manager, SharePoint, VMware vCenter, or System Center VMM, then the account used for connecting to SQL Server must have the View Server State role, the View Any Definition role, and db_datareader access to master, msdb, and any created databases, or must be part of the sysadmin server role on each database.
- SQL performance/connection: after a successful connection to the SQL Server instance, Movere gathers SQL performance and connection information, including CPU usage per minute by instance, CPU usage by database, and database connections. If specific data is required from individual databases, then the account used for connecting to SQL Server must have the View Server State role, the View Any Definition role, and db_datareader access to master, msdb, and any created databases, or must be part of the sysadmin server role on each database.
- Log shipping: for log shipping data, the account provided in the Movere Console needs db_datareader access on the msdb database. If the account provided has domain admin capability, then the NT AUTHORITY\SYSTEM account needs the View Server State role, the View Any Definition role, and db_datareader access to master, msdb, and any created databases.
- No SQL access: if neither the account provided in the Movere Console nor the NT AUTHORITY\SYSTEM account has the required access to SQL Server, Movere retrieves the name and size of each online database running on the SQL Server. Movere also reports any database that isn't online, but the status of such databases is Unconfirmed.
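The following is an added example, not code from the Movere documentation or product. It generates, and optionally applies, the least-privilege T-SQL grants the SQL Server row above asks for (View Server State, View Any Definition, and db_datareader on master, msdb and every online user database) for a dedicated service account, so that the sysadmin alternative isn't needed. It assumes SQL Server 2012 or later, the SqlServer PowerShell module for Invoke-Sqlcmd, and a Windows login name without quote characters; the login and instance names are placeholders.

```powershell
# Added example, not part of the Movere documentation: generate, and optionally
# apply, least-privilege T-SQL for the dedicated Movere SQL account so that the
# sysadmin role isn't needed. Assumes SQL Server 2012 or later (ALTER ROLE,
# IS_ROLEMEMBER), the SqlServer module for Invoke-Sqlcmd, and a Windows login
# name without quotes; 'CONTOSO\svc-movere' is a placeholder.
function New-MovereSqlPermissionScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Login,   # dedicated service account, not a domain admin
        [string]$ServerInstance,                # e.g. 'SQL01\INST1' (placeholder)
        [switch]$Apply                          # without -Apply the script is only returned
    )
    $q = $Login.Replace(']', ']]')              # safe inside [brackets]

    $tsql = @"
-- Server level: instance, performance and connection data
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$q] FROM WINDOWS;
GRANT VIEW SERVER STATE   TO [$q];
GRANT VIEW ANY DEFINITION TO [$q];

-- Database level: db_datareader on master, msdb and every online user database
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'USE ' + QUOTENAME(name) + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N''$Login'')
    CREATE USER [$q] FOR LOGIN [$q];
IF ISNULL(IS_ROLEMEMBER(N''db_datareader'', N''$Login''), 0) = 0
    ALTER ROLE db_datareader ADD MEMBER [$q];
'
FROM sys.databases
WHERE state_desc = N'ONLINE'
  AND (name IN (N'master', N'msdb') OR database_id > 4);
EXEC sys.sp_executesql @sql;
"@

    if ($Apply) {
        if (-not $ServerInstance) { throw 'Specify -ServerInstance to apply the script.' }
        # Runs as the current Windows user, who needs rights to create logins and users
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $tsql -ErrorAction Stop
    }
    return $tsql
}

# Review the generated script first, then re-run with -Apply (placeholder names)
New-MovereSqlPermissionScript -Login 'CONTOSO\svc-movere'
```

Databases created after the script runs need the same db_datareader grant, so re-run it (it is idempotent) whenever the instance gains a database that Movere should read.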

Allow Movere files

Allow these Movere executable files on the Windows target devices you want to scan, in any antivirus or security software running on the device. By default, during scanning, bots are installed on target devices in the Admin$\Temp\ or C:\Windows\Temp\ folders.

| File | Details |
|---|---|
| FrameworkVerifier.exe | Required to verify the .NET version running on the target device, in order to start the inventory scan bot. |
| Bot2\Movere.Bot2.Local.exe | Bot for inventory scan of Windows devices running .NET 2.0 to .NET 3.5. |
| Bot4\Movere.Bot4.Local.exe | Bot for inventory scan of Windows devices running .NET 4.0 or later. |
| Arc2\Movere.Arc2.exe | Bot for actual resource consumption scan of Windows devices running .NET 3.5 SP1 or later. |
| Arc2\Movere.Arc4.exe | Bot for actual resource consumption scan of Windows devices running .NET 4.0 or later. |

Port access

The table summarizes the ports used by Movere when scanning Windows devices. You can't customize the ports.

| Port | Direction | Location | Details |
|---|---|---|---|
| TCP 445 (Windows File Sharing) | Inbound internal | Target machine | Used to deliver the Movere bots (Inventory and ARC), Framework verifier, and token file to the target Windows devices. Also used to pull actual resource consumption scanning payloads from the target device if the upload to the Console or cloud fails. |
| TCP 139 (NetBios) | Inbound internal | Target machine | Used to deliver the Movere bots (Inventory and ARC), Framework verifier, and token file to the target Windows devices. Also used to pull actual resource consumption scanning payloads from the target device if the upload to the Console or cloud fails. |
| TCP 135 (NetBios) | Inbound internal | Target machine | Used for scanning with Remote WMI. |
| UDP 137-139 | Outbound internal | Target machine | Used to pull actual resource consumption scanning payloads from the target device if the upload to the Console or cloud fails. |
| TCP 443 | Outbound external | Target machine | Used to upload inventory and resource consumption payloads directly to the Movere cloud from the target device. |
| TCP 443 | Outbound external | Console machine | Used to upload payloads via the Console to the cloud. |
| TCP 443 | Outbound internal | Console machine | Used to download the token.txt file, and to query VMware ESXi and XenServer. |
| TCP 445 (Windows File Sharing) | Outbound internal | Console machine | Used to deliver the Movere bots (Inventory and ARC), Framework verifier, and token file to the target Windows devices. Also used to pull actual resource consumption scanning payloads from the target device if the upload to the Console or cloud fails. |
| TCP 389 | Outbound internal | Console machine | Used to query Active Directory (LDAP). |
| TCP 3268 | Outbound internal | Console machine | Used to query the Global Catalog. |
| TCP 135 (NetBios) | Outbound internal | Console machine | Used for scanning with Remote WMI. |
| TCP/UDP 53, TCP/UDP 88 | Outbound internal | Console machine | Used to locate the domain controllers and authenticate prior to object enumeration. |
| TCP 636 | Outbound internal | Console machine | Used to communicate with the domain controller in the customer's environment if secure LDAP is enabled. |
| TCP 443 | Inbound internal | Console machine | Used for all internal traffic between the targeted endpoints and the Console: all requests from the Movere bots for secondary credentials and token refresh, and routing payloads back to the Console for uploading. |
| UDP 137-139 | Inbound internal | Console machine | Used to pull actual resource consumption scanning payloads from the target device if the upload to the Console or cloud fails. |
| Ephemeral ports 49152-65535 | Inbound internal | Console machine | Used to receive return traffic at the Console. |

Next steps