Assets prerequisites for agentless connections
Flows matrix
This matrix sums up the flows that may be required to monitor assets using agentless connection, based on the equipment type.
| Source | Destination | Protocol | Port | Description |
|---|---|---|---|---|
| Cyberwatch scanner | monitored asset | TCP | 22 | SSH (Linux) |
| Cyberwatch scanner | monitored asset | TCP | 5985 | WinRM (Windows) |
| Cyberwatch scanner | monitored asset | UDP | 161 | SNMP (network devices) |
| Cyberwatch scanner | monitored asset | TCP | 443 | HTTPS VMware API |
| monitored asset | Cyberwatch scanner | TCP | 443 | HTTPS Microsoft cab file transfer |
Software prerequisites
- Operating System among those covered in the list of supported operating systems
- SSH service enabled on Linux / UNIX
- WinRM service enabled for Windows (PowerShell command:
Enable-PSRemoting -Force) - SNMPv3 enabled for network devices
Specific requirements for Linux assets
- Valid SSH account with login/password or public/private key authentication
- Sudoers rights WITHOUT TTY if you want to deploy security fixes with Cyberwatch (optional)
Specific requirements for Windows assets
- Valid local or domain WinRM Administrator account, with “NEGOTIATE” authentication mode
- The account provided MUST have administrator rights
- The Windows Update service (
wuauserv) must be activated - PowerShell v2 or higher must be installed, can be downloaded on the official Microsoft Update Catalog website
- Windows Update Agent v6.1.0022.4 or higher must be installed
Windows Server 2008 assets also must support SHA-2 hash algorithms as described in the official Microsoft documentation. In summary, three updates are required:
- SHA-2 Code Signing Support, by installing KB4474419
- January 2020 (monthly rollup) update by installing KB4534310 on Windows Server 2008 R2 SP1
- SHA-2 Related Servicing Stack Updates
In case these KBs are not installed, the following exception will be encountered in the Cyberwatch scan result:
# Error: Exception calling "AddScanPackageService" with "3" argument(s): "A certificate chain processed but terminated in a root certificate which is not trusted provider (HRESULT : 0x800B0109)"
Requirements for Windows Server 2012 and Windows Server 2012 R2 to enable WUA scans
To guarantee that Windows Update Agent is fully operational, Windows Server 2012 and 2012 R2 need a cumulative monthly rollup update that is equal or more recent than: