To ensure OC Scanner operates correctly, the server on which you install the application must meet the requirements shown below.
Hardware Requirements
| vCPU Cores | 4 |
|---|---|
| RAM | 4 GB (8 GB optimal) |
| Disk | 40 GB |
Software Requirements
| Architecture | 64-bit |
|---|---|
| Operating system | Windows Server 2008 R2 or higher |
| Frameworks |
|
| Updates | Windows updates fully applied to the latest patch level. |
NOTE: If you want to use OC Scanner on a server that runs Windows Server 2008 R2, ensure that Windows Management Framework is installed on that server.
NOTE: OC Scanner can work in agent mode on 32-bit systems (Windows Server 2008 and later). 32-bit OC Scanner has a separate executable file.
Network Requirements
| Network traffic direction |
|
|---|---|
| Ports towards target machines (all requirements for remote access are only required for the agentless scanner approach) | Make sure the following ports are open from OC Scanner towards target machines:
Make sure the following port ranges are open:
|
| Services on target machines (all requirements for remote access are only required for the agentless scanners approach | Make sure the following services are running on the target machines:
|
| Additional requirements |
|
Access Credential Requirements
If your machine belongs to a domain, you should connect to the target machine using a domain account included in the local administrator group of the target machine. When the User Account Control service filters the tokens, the domain accounts in the local administrator group aren’t affected.
NOTE: Do not use a non-domain account on the target machine, even if the account belongs to the local administrator group.
In a workgroup, any account connecting to the target machine is a local user on that machine. Even if the account belongs to the administrator group, User Account Control treats it as a standard user.
For remote connections, you need to create a local user group or a user account on the target machine.
To give administrator rights to local user
- To access DCOM, give the remote launch, and activate rights. For more information, see this article.
- Give the rights to access the WMI namespace remotely. For more information, see this article.
- Give the rights to access specific securable objects, depending on the security required by the object.
Some securable objects do not allow standard users to perform tasks and it’s not possible to change the default security setting for them. In such cases, you need to disable remote UAC so that the local user account is not filtered out and is treated as a proper administrator.
To disable Remote UAC
- Open the Windows Registry.
- In the Registry, find the
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy entry.
- Change the value of this entry to 1.
NOTE: For security reasons, disabling UAC should be the last resort.
When using a local account, you may need to give specific permissions to a local user, for example, grant the user the right to start and stop a specific Windows service with the Sc.exe command, or apply Group Policy rules with the gpedit.msc editor.
Trusted Hosts
When you add addresses to the trusted hosts' list, you bypass the authentication at the machine level. Before you do that, you need to make sure that you can trust the system and that it’s safe to connect to it. The safest approach is to scan only within your own network.
To check the list of trusted hosts
Use the following PowerShell command:
Get-Item WSMan:\localhost\Client\TrustedHosts
To add an address to the trusted hosts' list
Use the following PowerShell command:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
OR
Use the following PowerShell command:
set-item wsman:\localhost\Client\TrustedHosts -value <ComputerName>[,<ComputerName>]
To add all addresses to the trusted hosts' list
Use the following PowerShell command:
*Set-Item wsman:\localhost\Client\TrustedHosts -value **
To add a list of addresses to the trusted hosts' list
Use the following PowerShell command:
Set-Item wsman:\localhost\Client\TrustedHosts -value ‘<IP ADDRESS(ES)>
For example:
Set-Item wsman:\localhost\Client\TrustedHosts -value ‘172.16.0.0, 172.16.0.10’
To add all machines from a domain to the trusted hosts' list
Use the following PowerShell command*:*
*Set-Item wsman:\localhost\Client\TrustedHosts -value .<DOMAIN>
For example:
*Set-Item wsman:\localhost\Client\TrustedHosts -value .fabrikam.com