Hypervisors
VMware
With OC Scanner, you can scan the VMware virtualization platform over the vCenter or ESXi host.
Requirements
- ESXi 4.0 or higher / vCenter 4.0 or higher
- Network connection to the target machine (vCenter or ESXi host)
- HTTPS network connection to the target machine
- 80 TCP and 443 TCP ports opened on the machine with OC Scanner (to access
- vSphere API)
- Read rights for the account accessed on the target machine
Hyper-V
With OC Scanner, you can scan the Hyper-V virtualization platform over a Hyper-V host or cluster. OC Scanner has an auto-detection option for Hyper-V hosts, which is by default activated. If it finds Hyper-V hosts or clusters in the scan scope, it will automatically perform Hyper-V scan processes for such hosts.
Requirements
- Windows 7 SP1 (or higher) / Windows 2008 R2 SP1 (or higher)
- Microsoft .NET Framework 4.5
- Windows Management Framework 3.0 or higher
- Windows Remote Management (WinRM) started on the Hyper-V host machine
- Windows Remote Management (WinRM) started on the machine where OC Scanner
- is installed
- Only the domain admins, local admins, and members of Hyper-V administrators group can access the Hyper-V role. Other security rights are not available on the Hyper-V nodes themselves, so it’s not possible to scan with some kind of a read-only Hyper-V account.
Nutanix
With OC Scanner, you can scan the Nutanix virtualization platform over the Nutanix API.
Requirements
- Nutanix API V2
- HTTPS network connection to the target machine
- 80 TCP and 443 TCP ports opened on the machine with OC Scanner (to access
- Nutanix API)
- Read rights for the account accessed on the target machine
OpenStack
With OC Scanner, you can scan the OpenStack virtualization platform over the OpenStack API.
Requirements
- OpenStack API V3.
- HTTPS network connection to the target machine
- 80 TCP and 443 TCP ports opened on the machine with OC Scanner (to access
- OpenStack API)
- Read rights for the account accessed on the target machine
- The account assigned to the project
Following end points are requested during accessing the OpenStack API:
- IdentityEndpoint/auth/tokens
- IdentityEndpoint/auth/catalog
- IdentityEndpoint/auth/projects
- ComputeEndpoint/servers/detail
- ComputeEndpoint/os-hypervisors/detail
- ComputeEndpoint/flavors
RedHat (RHV)
With OC Scanner, you can scan the RedHat virtualization platform over the RedHat API.
Requirements
- A networked installation of Red Hat Virtualization Manager, which includes the API.
- HTTPS network connection to the target machine
- 80 TCP and 443 TCP ports opened on the machine with OC Scanner (to access
- RedHat API)
- Read rights for the account accessed on the target machine
Citrix Hypervisor
With OC Scanner, you can scan the Citrix virtualization platform over the API.
Requirements
- HTTPS network connection to the target machine
- 80 TCP and 443 TCP ports opened on the machine with OC Scanner (to access
- Citrix API)
- Read rights for the account accessed on the target machine
KVM
With OC Scanner, you can scan the KVM virtualization platform over the SSH. OC Scanner will perform Linux host scanning and KVM virtualization scanning.
Requirements
- SSH network connection to the target machine
- 22 TCP port open on the machine with OC Scanner (to access
- KVMI)
- Rights for the account to execute libvirt (virsh) commands on the target machine
- User account connecting over SSH should be a member of the “libvirt”, or “libvirtd” group on KVM server, depending on the KVM version/release.
Proxmox option:
With this option, OC Scanner will perform Linux host scan over SSH (as for KVM) and additionally Proxmox scanning over API. Additional requirements are:
- HTTPS network connection to the one of the target machine which house the Proxmox API / where the Proxmox API is accessible.
- 80 TCP and 443 TCP ports opened on the machine with OC Scanner (to access
- Proxmox API)
- Read rights for the account accessed on the target machine
CloudStack
With OC Scanner, you can scan the CloudStack virtualization platform over the CloudStack API.
Requirements
- Both the API Key and Secret Key for an account. This should have been generated by the administrator of the cloud instance.
- HTTPS network connection to the target machine
- 80 TCP and 443 TCP ports opened on the machine with OC Scanner (to access
- CloudStack API)
- Read rights for the account accessed on the target machine
Cloud
Azure
With OC Scanner, you can scan your Azure infrastructure over the Azure API.
Requirements
- HTTPS network connection to the Azure machine
- 80 TCP and 443 TCP ports opened on the machine with OC Scanner (to access
- Azure API)
- The registered client application (OC Scanner) in Azure (see here)
Applications
When scanning the registry for the installed software, OC Scanner checks if any of the following server applications are installed:
- Microsoft SQL Server
- Microsoft Exchange Server
- Microsoft SharePoint Server
- Microsoft Dynamics Server
- Microsoft Skype For Business Server
OC Scanner connects directly to these applications and collects user information related to Microsoft SPLA licenses. There are three options of connection:
- Using remote PowerShell (Exchange, SharePoint, Dynamics NAV, and Skype)
- Using the OLE DB connection string (SQL)
- Using the built-in WCF service (Dynamics CRM)
If you have Remote Desktop Services (Terminal Services), you can also collect user information for the following desktop applications:
- Office Professional Plus
- Office Standard
- Language Accessory Pack for Office
- Project Standard
- Project Professional
- Remote Desktop Services
- Visio Standard
- Visio Professional
- Visual Studio Enterprise
- Visual Studio Professional
- Visual Studio Test Professional
In this case, you need to specify which Active Directory (AD) groups or local user groups are dedicated to which application. If you want to collect user information from AD groups that are not in the same domain as the machine where OC Scanner is installed, you need to set the AD groups to global.
With OC Scanner, you can scan desktop applications automatically. The process is as follows:
- OC Scanner looks for applications with valid licenses on every server.
- OC Scanner collects user information from the local Remote Desktop Users and Administrator groups.
- OC Scanner assigns application licenses to the users.
Microsoft SQL Server
OC Scanner is able to scan all editions and versions of Microsoft SQL Servers, but it only connects to SQL Standard (and Business Intelligence) servers to read out the users accessing the SQL Server application. OC Scanner is compatible with all SQL Standard versions 2005 and higher.
Requirements
- Windows authentication on SQL allowed if SQL Server and OC Scanner are in the same domain or on the same stand-alone machine. Account needs SQL sysadmin rights, if for SQL Server Standard users should be scanned for the SAL license.
- SQL authentication allowed if SQL Server and OC Scanner are in different domains or on different stand-alone machines
- Remote Registry Service started on the machine where SQL Server is installed
- Firewall configured to allow access to SQL Server - see this article
Testing the remote connection
- Create an empty text file and change the file’s extension to udl on the OC Scanner machine.
- Run this file.
- In the Data Link Properties window, do the following:
- Enter the server name of the SQL server
- Enter valid credentials or use the integrated Windows NT security
- From the list, select the SQL instance on that server
- Select Test Connection
Microsoft Exchange Server
OC Scanner is compatible with Microsoft Exchange Server 2010 and higher.
Requirements
- Windows 7 SP1 (or higher) / Windows 2008 R2 SP1 (or higher)
- Microsoft .NET Framework 4.5
- Windows Management Framework 3.0 or higher
- Windows Remote Management (WinRM) started on the machine where Exchange Server is installed
- Windows Remote Management (WinRM) started on the machine where OC Scanner is installed
Connection prerequisites
- Using the Get-ExecutionPolicy cmdlet, check if you can run scripts on both the client and the target machines. The value should be RemoteSigned or Unrestricted. You can set it with the Set-ExecutionPolicy cmdlet
- Connect from an internal network (the same VLAN, subnet, access to domain controllers)
- Connect to the internal FQDN of Exchange Server, not the public MX record for routing emails
- Connect to the PowerShell website using HTTP
- The minimum right required is for the user to be a part of the Exchange View-Only Organization Management security group in AD. The alternative is to use a full Exchange admin group.
- In the Exchange Management Console, run Get-PSSessionConfiguration to check if the configuration file exists on the server
Security concerns
- For security reasons, you should scan all instances of the Exchange Server only through your local network.
- Enabling Basic Authentication for PowerShell is not recommended. With Basic Authentication, credentials are sent as plain text, which is risky when the machine is connected to the internet.
Testing the remote connection
- On the machine where OC Scanner is installed, open PowerShell and run the following commands:
- $cred = Get-Credential
- $MyOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
- $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <FQDN/IP> -Authentication <PARAMETER> -Credential $cred -SessionOption $MyOptions
- where <FQDN/IP> stands for the actual FQDN of Exchange Server or the IP address and
- where <PARAMETER> stands for the authentication parameter and can be replaced with the following values:
- Kerberos - used only with FQDN
- Negotiate
- Basic - used only with HTTPS
- Import-PSSession $Session
Microsoft SharePoint Server
OC Scanner is compatible with Microsoft SharePoint Server 2010 and higher.
Requirements
- Windows 7 SP1 (or higher) / Windows 2008 R2 SP1 (or higher)
- Microsoft .NET Framework 4.5
- Windows Management Framework 3.0 or higher
- Windows Remote Management (WinRM) started on the machine where SharePoint Server is installed
- Windows Remote Management (WinRM) started on the machine where OC Scanner is installed
Connection prerequisites
- In the SharePoint Management Shell, use the following PowerShell snippet to set the
- correct user permissions:
- $allFarmWebApplications = Get-SPWebApplication
- foreach($webApplication in $allFarmWebApplications)
- {
- $w = Get-SPWebApplication $webApplication.Url;
- $w.GrantAccessToProcessIdentity("DOMAIN\USER")
- }
- Run OC Scanner using the DOMAIN\USER credentials defined above
- Make sure the user has administrator rights on SharePoint Server
- Make sure the user has access to the SharePoint SQL database
Security concerns
To scan SharePoint users remotely, you would need to enable the CredSSP authentication on both the client and the target machines. If running a local Sharepoint scan on Sharepoint 2010, CredSSP is required. For servers, newer than SP 2010 CredSSP is not required for local scans.
Microsoft Dynamics NAV Server
OC Scanner is compatible with Microsoft Dynamics NAV Server 2013 and higher.
Requirements
- Windows 7 SP1 (or higher) / Windows 2008 R2 SP1 (or higher)
- Microsoft .NET Framework 4.5
- Windows Management Framework 3.0 or higher
- Windows Remote Management (WinRM) started on the machine where Dynamics NAV Server is installed
- Windows Remote Management (WinRM) started on the machine where OC Scanner is installed.
- Microsoft Dynamics NAV Server Administration Tool - a default component for the Server Option, not for the Client Option. For more information, see this article.
Connection prerequisites
- Using the Get-ExecutionPolicy cmdlet, check if you can run scripts on both the client
- and the target machines. The value should be RemoteSigned or Unrestricted. You
- can set it with the Set-ExecutionPolicy cmdlet.
- Connect from an internal network (the same VLAN, subnet, access to domain controllers).
- Connect to the internal FQDN of Dynamics NAV Server, not the public MX record.
- Connect to the PowerShell website using HTTP
- Make sure the user has administrator rights on Dynamics NAV Server
Security concerns
When you add addresses to the trusted hosts' list, you bypass the authentication at the machine level. Before you do that, you need to make sure that you can trust the system and that it’s safe to connect to it. The safest approach is to work only within your own network.
To add addresses to the trusted hosts' list, you can use the following PowerShell commands:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
or
set-item wsman:\localhost\Client\TrustedHosts -value <ComputerName>[,<ComputerName>]
Dynamics AX Server
OC Scanner is compatible with Microsoft Dynamics NAV Server 2012 and higher.
Requirements
- Windows 7 SP1 (or higher) / Windows 2008 R2 SP1 (or higher)
- Microsoft .NET Framework 4.5
- Windows Management Framework 3.0 or higher
- Windows Remote Management (WinRM) started on the machine where Dynamics AX Server is installed.
- Windows Remote Management (WinRM) started on the machine where OC Scanner is installed.
Connection prerequisites
- Using the Get-ExecutionPolicy cmdlet, check if you can run scripts on both the client
- and the target machines. The value should be RemoteSigned or Unrestricted. You
- can set it with the Set-ExecutionPolicy cmdlet.
- Connect from an internal network (the same VLAN, subnet, access to domain controllers).
- Connect to the PowerShell website using HTTP
- Make sure the user has administrator rights on Dynamics AX Server
Security concerns
When you add addresses to the trusted hosts' list, you bypass the authentication at the machine level. Before you do that, you need to make sure that you can trust the system and that it’s safe to connect to it. The safest approach is to work only within your own network.
To add addresses to the trusted hosts' list, you can use the following PowerShell commands:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
or
set-item wsman:\localhost\Client\TrustedHosts -value <ComputerName>[,<ComputerName>]
Microsoft Dynamics CRM
OC Scanner is compatible with Microsoft Dynamics CRM Server 2011 and higher.
Requirements
- Windows 7 SP1 (or higher) / Windows 2008 R2 SP1 (or higher)
- Microsoft .NET Framework 4.5
- Windows Management Framework 3.0 or higher
Connection prerequisites
- Make sure the user has the System Administrator role assigned.
- Make sure the user is a deployment administrator for Dynamics CRM Server. If the user isn’t a deployment administrator, log in as an existing deployment administrator and use the following PowerShell command to create a new deployment administrator:
- New-CrmDeploymentAdministrator -Name username
Security concerns
When you add addresses to the trusted hosts' list, you bypass the authentication at the machine level. Before you do that, you need to make sure that you can trust the system and that it’s safe to connect to it. The safest approach is to work only within your own network.
To add addresses to the trusted hosts' list, you can use the following PowerShell commands:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
or
set-item wsman:\localhost\Client\TrustedHosts -value <ComputerName>[,<ComputerName>]
Learn more about creating deployment administrators.
Microsoft Dynamics GP
OC Scanner is compatible with Microsoft Dynamics GP Server 2013 and higher.
Requirements
- Windows 7 SP1 (or higher) / Windows 2008 R2 SP1 (or higher)
- Microsoft .NET Framework 4.5
- Windows Management Framework 3.0 or higher
Connection prerequisites
- Make sure the user has the System Administrator role assigned.
- Make sure that OC Scanner has access to Dynamics GP SQL database.
- Make sure the user has administrator role assigned to Dynamics GP SQL master database.
- User to scan Dynamics GP may be either AD user or SQL local user for Dynamics GP SQL master database.
Security concerns
When you add addresses to the trusted hosts' list, you bypass the authentication at the machine level. Before you do that, you need to make sure that you can trust the system and that it’s safe to connect to it. The safest approach is to work only within your own network.
To add addresses to the trusted hosts' list, you can use the following PowerShell commands:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
or
set-item wsman:\localhost\Client\TrustedHosts -value <ComputerName>[,<ComputerName>]
Learn more about creating deployment administrators.
Microsoft Skype for Business (formerly Lync) Server
OC Scanner is compatible with Lync Server 2010 or higher, and Microsoft Skype For Business Server 2015 or higher.
Requirements
- Windows 7 SP1 (or higher) / Windows 2008 R2 SP1 (or higher)
- Microsoft .NET Framework 4.5
- Windows Management Framework 3.0 or higher
- Windows Remote Management (WinRM) started on the machine where Skype for Business Server is installed.
- Windows Remote Management (WinRM) started on the machine where OC Scanner is installed.
Connection prerequisites
- Using the Get-ExecutionPolicy cmdlet, check if you can run scripts on both the client and the target machines. The value should be RemoteSigned or Unrestricted. You can set it with the Set-ExecutionPolicy cmdlet.
- Connect to the PowerShell website using HTTPS as Skype for Business requires the SSL certificate.
- Make sure the user has administrator rights on Skype for Business Server
- In order to scan Lync/SFB, the user can be either a member of the limited security group CsViewOnlyAdministrator, or the member of the CsAdministrator group (full admin rights).
- Provide credentials required to scan Skype for Business Server for users
Testing the remote connection
On the machine where OC Scanner is installed, open PowerShell and run the following
commands:
- $cred = Get-Credential “ExampleDomain\Lync_Administrator”
- $session = New-PSSession -ConnectionURI “https://SkypeServer/OcsPowershell” -Credential $cred
- Import-PsSession $session
Microsoft App-V
App-V is a virtualization server that stores software packages. You can create access rules so that only specific Active Directory users can access each package. OC Scanner is compatible with Windows Server 2008 or higher.
Requirements
- Windows 7 SP1 (or higher) / Windows 2008 R2 SP1 (or higher)
- Microsoft .NET Framework 4.5
- Windows Management Framework 3.0 or higher
- Windows Remote Management (WinRM) started on the machine where App-V server is installed.
- Windows Remote Management (WinRM) started on the machine where OC Scanner is installed.
- An App-V client installed on the machine is allowed to access the App-V server.
Connection prerequisites
- Using the Get-ExecutionPolicy cmdlet, check if you can run scripts on both the client and the target machines. The value should be RemoteSigned or Unrestricted. You can set it with the Set-ExecutionPolicy cmdlet.
- Connect from an internal network (the same VLAN, subnet, access to domain controllers).
- Connect to the internal FQDN of Windows Server, not the public MX record.
- Connect to the PowerShell website using HTTP.
- Make sure the user has administrator rights on Windows Server.
- Make sure App-V policies are imported from the App-V server.
Security concerns
When you add addresses to the trusted hosts' list, you bypass the authentication at the machine level. Before you do that, you need to make sure that you can trust the system and that it’s safe to connect to it. The safest approach is to work only within your own network.
To add addresses to the trusted hosts' list, you can use the following PowerShell commands:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
or
set-item wsman:\localhost\Client\TrustedHosts -value <ComputerName>[,<ComputerName>]