Documentation

Supported platforms

Type Name Support
Windows Windows Server 2000 Limited
Windows Windows Server 2003 Limited
Windows Windows Server 2008 Full
Windows Windows Server 2008 R2 Full
Windows Windows Server 2012 Full
Windows Windows Server 2012 R2 Full
Windows Windows Server 2016 Full
Windows Windows Server 2019 Full

Support for Unix scans on the following verified platforms:

Type Name
Unix Debian GNU/Linux 8 (jessie)
Unix Debian GNU/Linux 9 (stretch)
Unix Oracle Linux Server release 6.9
Unix Oracle Linux Server 7.5
Unix Red Hat Enterprise Linux Server release 6.7 (Santiago)
Unix Red Hat Enterprise Linux Server 7.5 (Maipo)
Unix Ubuntu 14.04.5 LTS, Trusty Tahr
Unix Ubuntu 16.04.5 LTS (Xenial Xerus)
Unix Ubuntu 18.04.1 LTS (Bionic Beaver)
Unix SUSE Linux Enterprise Server 12 SP3
Unix SUSE Linux Enterprise Server 15

Supported browsers

OpsAI supports the newest version of the major browsers, including Chrome and Firefox on Windows, and Chrome, Firefox and Safari on macOS. The minimum required screen size is 1280 x 960 pixels.

Microsoft Edge, however, is not a supported browser, as Microsoft has publicly stated here that it is switching to the Chromium engine.

How to Install and run the OpsAI Scanner

Prerequisites for installing and configuring OpsAI Scanner

Determine and implement delegation model

The OpsAI scanner runs under a Service or User account. This account must have the following permissions granted in order to scan servers:

  1. Local administrator on the server on which the scanner is installed
  2. Execute remote WMI calls
  3. Execute remote PowerShell
 

Scanner security recommendations:
Always run OpsAI scanner with an account that has limited AD privileges – make sure the OpsAI scanner is not being executed as Domain Administrator or any other high privileged AD user. It is highly recommended to enforce a strong password policy for the Domain account that is configured in the OpsAI Scanner and ensure that the host running the scanner is monitored for security incidents.

Turn on the “Account is sensitive and cannot be delegated” AD account attribute to prevent delegation attacks using the OpsAI Service or User Account.

Disable Unconstrained Kerberos delegation for machines/accounts when possible.

Monitor all machines with Unconstrained Kerberos delegation enabled for security incidents and treat them as a part of the high risk infrastructure.

Monitor actions performed by the account configured in the OpsAI Scanner, e.g., create alerts for suspicious activity (RDP connections, AD User/Group manipulation).

Only allow WinRM connections coming from trusted hosts – can be implemented either via firewall rule or adding hosts to TrustedHostsList.

How these permissions are granted varies from company to company. It is recommended that customers use a delegation model that grants OpsAI Scanner only the privileges it needs (least privilege).

The delegation model chosen should take into account that new servers are added over time, and should therefore grant those minimal privileges on new servers as they appear. If it does not, new servers will show up as “Access Denied” on the OpsAI scanner status page.

If no delegation model exists, one way to grant the permissions is to create an “OpsAI Service Accounts” security group, add the OpsAI Service or User Account to the group, and use a GPO to add the group to the “Local Administrators” group on all servers. Note that this approach violates the principle of least privilege.

Servers running OpsAI scanners must be considered as “Secure Administrative Hosts” and should be configured accordingly. Please refer to Microsoft “Implementing Secure Administrative Hosts” article.
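The following script is an added example (not part of the OpsAI documentation) that audits the scanner account and the scanner host against the recommendations above. It assumes the ActiveDirectory RSAT module is available; 'svc-opsai' and 'SCANHOST01' are placeholders for the real account and server names.

```powershell
# Added example (not OpsAI's own code): audit the scanner account and host
# against the hardening recommendations. 'svc-opsai' and 'SCANHOST01' are
# placeholders; the ActiveDirectory RSAT module is assumed to be installed.
param(
    [string]$ScannerAccount = 'svc-opsai',   # placeholder sAMAccountName
    [string]$ScannerHost    = 'SCANHOST01'   # placeholder scanner server
)
Import-Module ActiveDirectory
$findings = @()

# 1. "Account is sensitive and cannot be delegated" must be set on the scanner account
$acct = Get-ADUser -Identity $ScannerAccount -Properties AccountNotDelegated
if (-not $acct.AccountNotDelegated) {
    $findings += "${ScannerAccount}: AccountNotDelegated is not set"
}

# 2. The account must not belong to a high-privilege group, directly or through nesting
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
foreach ($group in $privileged) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    if ($members.SamAccountName -contains $acct.SamAccountName) {
        $findings += "$ScannerAccount is a member of privileged group '$group'"
    }
}

# 3. Accounts and machines that still have unconstrained Kerberos delegation enabled.
#    Domain controllers are expected here; everything else should be disabled where
#    possible and otherwise monitored as high-risk infrastructure.
$unconstrained = @(Get-ADComputer -Filter { TrustedForDelegation -eq $true }) +
                 @(Get-ADUser     -Filter { TrustedForDelegation -eq $true })
foreach ($obj in $unconstrained) {
    $findings += "Unconstrained delegation enabled on $($obj.Name)"
}

# 4. The scanner host's WinRM TrustedHosts list must not be a wildcard
$trusted = Invoke-Command -ComputerName $ScannerHost -ScriptBlock {
    (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
}
if ($trusted -eq '*') {
    $findings += "${ScannerHost}: WinRM TrustedHosts is '*' (any host allowed)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No findings: account and host match the recommendations' -ForegroundColor Green }
```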


Administrative credentials to the servers that will be scanned:

  1. For Windows servers, a service or user account with access to read and execute WinRM and WMI. This is needed for each individual Windows domain which will be inventoried.
  2. For Linux servers, a user with rights to logon and execute ssh commands is needed. (See below for two commands that require sudo access)
  3. User account running the Scanner Service must be local administrator.
 

You can check the group memberships of the scanner account like this:

  1. Start a new PowerShell console as the user running the scanner.
  2. Run this command: “runas /user:domain\name PowerShell”
  3. Replace “domain” with the NetBIOS domain name and “name” with the account name.
  4. You will be prompted for the password.
  5. In the new PowerShell console, type: “whoami /groups /fo csv | ConvertFrom-Csv”

Configure OpsAI Scanner server

  1. Windows Server 2012 R2 / Windows 10 (x64) or newer, with .NET Framework 4.6.1 or later. FIPS mode must be disabled if scanning Unix machines.
  2. Minimum 4 vCPU and 16 GB RAM.
  3. Domain joined

Configure external network access

HTTPS (TCP port 443, TLS) from the OpsAI scanner Windows server to:

https://scan.opsai.com

Configure internal network access

OpsAI is an agentless scanner that uses WMI and WinRM to gather data. Both services are widely used in server environments, and both can be restricted to allow granular access to only certain objects and commands. If these services are not already in use and must be opened on the network, access should be granted only between the scanner server and the servers to be scanned, by implementing firewall rules that explicitly allow the traffic described below.

WMI:

  • TCP Port 135 from OpsAI scanner Windows server to all Windows servers
  • To test WMI connectivity use the “Get-WmiObject” PowerShell command:
Get-WmiObject -Class Win32_Service -ComputerName 10.0.0.1
  • To test Remote Registry connectivity use this PowerShell command (the hive is HKEY_LOCAL_MACHINE and the machine name must be passed as a string):
[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, "10.35.11.207")

RPC inspect:

  • On firewalls with RPC inspect, dynamic high ports should be allowed. On firewalls without this feature, the dynamic high port range should be opened from the servers to be scanned to the scanning server.

WinRM (Remote PowerShell):

Example:

Test-WSMan 10.0.0.1

SSH:

  • TCP Port 22 between the scanner server and the endpoints (both ways)
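As an added example (not from the OpsAI documentation), the script below runs on the scanner server against the hosts listed one per line in C:\Temp\Servers.txt, checks the WMI and WinRM rules above, and classifies each host roughly the way the scanner's WMI status page would. Test-WSMan only confirms that the WinRM endpoint answers; it does not test credentials.

```powershell
# Added example (not OpsAI's own code): pre-check scanner connectivity to the
# hosts in C:\Temp\Servers.txt and classify each as the WMI status page would.
$Servers = Get-Content 'C:\Temp\Servers.txt' | Where-Object { $_.Trim() }

$results = foreach ($Server in $Servers) {
    $Server = $Server.Trim()

    # The RPC endpoint mapper (TCP 135) must be reachable before any WMI call can succeed
    $rpc = Test-NetConnection -ComputerName $Server -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue

    # WinRM listener check, as in the documentation's Test-WSMan example
    $winrm = $true
    try   { Test-WSMan -ComputerName $Server -ErrorAction Stop | Out-Null }
    catch { $winrm = $false }

    # A real WMI query distinguishes "cannot connect" from "connected but refused"
    $wmiStatus = 'Success'
    try {
        Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Server -ErrorAction Stop | Out-Null
    } catch {
        # HRESULT 0x80070005 (E_ACCESSDENIED): host reachable, access refused -> Unauthorized;
        # anything else (RPC server unavailable, DCOM error, host down) -> Not responding
        if ($_.Exception.Message -match '0x80070005|Access is denied') { $wmiStatus = 'Unauthorized' }
        else { $wmiStatus = 'Not responding' }
    }

    [pscustomobject]@{ Server = $Server; Rpc135 = $rpc; WinRM = $winrm; WmiStatus = $wmiStatus }
}

$results | Format-Table -AutoSize
# Hosts that would show as "Not responding" or "Unauthorized" need firewall or permission fixes first
$results | Where-Object WmiStatus -ne 'Success' | Export-Csv 'C:\Temp\ScanReadiness.csv' -NoTypeInformation
```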

Download latest scanner version

Sign in to the organization portal at OpsAI.com, and navigate to the Scanner page. Click the download scanner button.

Enable remote PowerShell

Enable PSRemoting remotely

  1. Download PsTools: https://download.sysinternals.com/files/PSTools.zip
  2. Extract PsExec to a folder, for example “C:\Temp\psexec.exe”
  3. Open Powershell and run: “Unblock-File C:\Temp\psexec.exe”
  4. Paste all names of the servers that should have WinRM enabled into an empty txt file with one server name per line and save the file, for example as “C:\Temp\Servers.txt”. The file content should look like this:
     Server1
     Server2
     Server3
  5. Start a new PowerShell console as the user running the OpsAI scanner service. You can run this command to achieve this: runas /user:domain\name PowerShell
  6. Replace “domain” with the NetBIOS domain name and “name” with the account name. You will be prompted for the password.
  7. Create a variable holding the server names like this: “$Servers = Get-Content C:\Temp\servers.txt”
  8. Then run this command:
foreach ($Server in $Servers) {
    Write-Host "Updating WinRM on $Server" -ForegroundColor Green
    # PsExec runs Enable-PSRemoting as SYSTEM (-s) on the remote host and returns without waiting (-d)
    & "C:\Temp\PsExec.exe" -nobanner -d "\\$($Server.Trim())" -s powershell Enable-PSRemoting -Force
}

You are now ready to install the Scanner!

  1. Copy the downloaded scanner install exe file to the server where it must be installed, launch it and follow the installation wizard.
  2. The OpsAI Configuration wizard will automatically start once installation has been completed.
  3. If you need to re-configure the scanner later, use the OpsAI icon placed on the Desktop.

OpsAI scanner configuration

Activation Code:

  1. Log on to your OpsAI organization, and navigate to the scanner page. Click “Generate new Activation Code”. Then click the Copy icon, and paste it into the “Activation Code” textbox in the OpsAI Scanner configuration wizard.
  2. Note: The Activation Code is only active for one hour. A new code can be retrieved by signing in to the organization portal at OpsAI.com

Active Directory Domains

Press the “Add” button and select the Active Directory domains that should be scanned from the list. Once all desired domains have been configured, click “Next”.

Linux/Unix credentials

On the Unix tab, select “Enable Unix Scanner” if you want to scan Linux or Unix servers.

Please note that Linux or Unix scanning requires that the Nmap (https://nmap.org/) tool is installed on the same server as the OpsAI Scanner.

You must add Unix credentials on the Unix tab: you can add general (global) user and SSH credentials, or credentials per machine (IP address).

Please add the entries below to /etc/sudoers (or even better, create a new sudoers file), so that the OpsAI scanner may execute dmidecode and service commands as a privileged user (replace “linuxuser” with the actual Unix user name used by the scanner):

Cmnd_Alias DMIDECODE_CMD = /sbin/dmidecode -t system
Cmnd_Alias SERVICE_CMD = /sbin/service --status-all
linuxuser ALL=(root) NOPASSWD:DMIDECODE_CMD
linuxuser ALL=(root) NOPASSWD:SERVICE_CMD

The private key file used with SSH credentials supports RSA and DSA private keys in both OpenSSH and ssh.com format. If the file has a Subject: header, you must remove it.

Sample of a valid file:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,DD06FC017B349484

lGoF/TTnsMoRpxDiFInQQIB/LcdKElaEkf6g14c6MiLj2s18eNmbEFvkb0tt/69PaVRxULQJjp9yjhn1Utcq8LnEHZ6P6LpzV9f6TWA+8qiBFjfbKulXdfTHLxqGNdq5
…more lines
jihdzRM/vTqMLszqjgJ7y5uAnQ6U/vcD/gfud1MTd2jJKtlrel+xNQ==
-----END RSA PRIVATE KEY-----

FIPS mode (Federal Information Processing Standards compliance) must be disabled on the OpsAI Scanner Windows server for Unix scanning to succeed.

See https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/

Start / Stop Scanner service

  1. On the Operate tab, select the domain(s) for which you wish to install a scanner service.
  2. Click “Install” and enter the full username and password for the service or user account that will run the service.
  3. Press “OK” to install and start the Windows Service instance. When the scanner service has been started, a full scanning of your IT infrastructure may take up to several hours.

 

Optionally, you can exclude individual servers from scanning. Create a txt file with either a computer name or IP address per line, and add it to the scanner via the “Exclusions” button. Notice that Windows servers that have been discovered and then removed from Active Directory will be automatically excluded from scanning.

Advanced scanner configuration

Usually it is not necessary to change any settings in opsai.exe.config, but some settings may need to be changed for special customer needs. The settings file (opsai.exe.config) is located in the “C:\Program Files\OpsAI\Scanner” folder. To change a setting, open the file in Notepad and modify it as required.

The following settings could be changed due to customer requirements:

  • MaxDop indicates the number of concurrently scanned machines. You can change the MaxDop default value of 4 to a higher value if you have a powerful machine (for example to 8 or 12 concurrent threads).
  • The RunnerTimeoutInSeconds value can be altered if you have a network with high latency and a number of servers remain in WMI status “Unclassified”.
  • The WmiTimeoutInSeconds value can be altered if you have a network with high latency and a number of servers remain in WMI status “Partial Data” and you see WMI timeout errors in the Troubleshoot tab for the server.

How to activate the Azure Cloud Connector

Use the following link as an Azure AD admin that would like to connect a tenant to the OpsAI Cloud Connector:

https://login.microsoftonline.com/common/adminconsent?client_id=d0ef5253-a9c7-4778-b027-1b2270c0825d

You can verify the registration in your Azure AD under “Enterprise Applications” – you can locate “OpsAI Cloud Connector” there.

Before the connector can scan subscriptions in the customer tenant, the customer needs to add the app registration as a subscription reader.

To give the app registration permission to read subscriptions, do the following in the customer Azure portal:

  • Go to “Subscriptions” and open the subscription that the connector should scan.
  • Open “Access Control (IAM)” -> “Role assignment”
  • Add a new “Role Assignment” for the App Registration named “OpsAI Cloud Connector” with a Reader role.

(Alternatively, this can also be done using Management Groups)

Finally, contact OpsAI support with your Azure AD “directory id” (tenant id), and subscription id(s).
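The following is an added example (not part of the OpsAI documentation) that verifies, for every subscription in the tenant, that the “OpsAI Cloud Connector” enterprise application is registered and holds the Reader role and nothing more, and prints the tenant and subscription ids that support asks for. It assumes the Az PowerShell module and an already signed-in session (Connect-AzAccount).

```powershell
# Added example (not OpsAI's own code): check the connector's role assignments
# per subscription. Assumes the Az module and a signed-in Connect-AzAccount session.
$sp = Get-AzADServicePrincipal -DisplayName 'OpsAI Cloud Connector'
if (-not $sp) { throw 'OpsAI Cloud Connector is not registered in this tenant; complete the admin consent link first' }

$tenantId = (Get-AzContext).Tenant.Id
"Tenant (directory) id: $tenantId"   # support asks for this together with the subscription ids

foreach ($sub in Get-AzSubscription -TenantId $tenantId) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $scope = "/subscriptions/$($sub.Id)"

    # Roles effective at this subscription, including ones inherited from a management group
    $roles = @(Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
               Select-Object -ExpandProperty RoleDefinitionName -Unique)

    $hasReader = $roles -contains 'Reader'
    $excess    = @($roles | Where-Object { $_ -ne 'Reader' })

    if ($hasReader -and -not $excess) {
        Write-Host ("OK: Reader only on {0} ({1})" -f $sub.Name, $sub.Id) -ForegroundColor Green
    }
    if (-not $hasReader) {
        # Subscription will not be scanned until Reader is assigned (or it is out of scope on purpose)
        Write-Warning ("{0} ({1}): connector has no Reader role; add it if this subscription should be scanned" -f $sub.Name, $sub.Id)
    }
    if ($excess) {
        # The connector only needs to read; anything beyond Reader exceeds its purpose
        Write-Warning ("{0} ({1}): roles beyond Reader are not needed: {2}" -f $sub.Name, $sub.Id, ($excess -join ', '))
    }
}
```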

How to configure and run SQL Server assessments

The purpose of this feature is to scan SQL Server instances and user databases to evaluate if they can be migrated to Azure SQL DB Managed Instance.

In order to use this feature perform the following steps:

  • Disable UAC on the scanner; follow these instructions.
  • Download and install the latest version of Microsoft Data Migration Assistant on the scanner machine. Version 4.5 or higher is required.
  • Enable SQL Server assessments in the OpsAI configuration tool on the scanner machine.
  • Optionally, configure credentials for your SQL Server instances using the OpsAI configuration tool. If no credentials are configured, the credentials of the scanner service will be used.
  • The scans will then be performed, and the results can be viewed in the portal by clicking the instance name in the SQL Server instance list.

 

The Windows account used for running the assessments must be granted the following rights (for SQL Server 2014 and later; otherwise sa rights are required):

GRANT CONNECT SQL TO [MyDomain\dma_user]
GO
GRANT CONNECT ANY DATABASE TO [MyDomain\dma_user]
GO
GRANT VIEW SERVER STATE TO [MyDomain\dma_user]
GO
GRANT VIEW ANY DEFINITION TO [MyDomain\dma_user]
GO

Notice that these rights do not enable the account to access any data in the user databases on the SQL Server instance (for SQL Server 2014 and later).
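As an added example (not from the OpsAI documentation), the script below queries an instance and reports whether the assessment login holds exactly the four server permissions granted above and no server role membership such as sysadmin. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and Windows authentication; 'SQLHOST01\INST1' is a placeholder instance name.

```powershell
# Added example (not OpsAI's own code): compare the assessment login's effective
# server permissions with the four GRANTs in the documentation.
$Instance = 'SQLHOST01\INST1'       # placeholder instance name
$Login    = 'MyDomain\dma_user'     # login name used in the GRANT statements
$Expected = 'CONNECT SQL', 'CONNECT ANY DATABASE', 'VIEW SERVER STATE', 'VIEW ANY DEFINITION'

# $(Login) is filled in by Invoke-Sqlcmd -Variable (sqlcmd-style substitution);
# the value is an administrator-supplied constant, not user input.
$Query = @'
SELECT pe.permission_name AS Item, pe.state_desc AS State
FROM sys.server_permissions pe
JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'$(Login)'
UNION ALL
SELECT N'ROLE ' + r.name, N'MEMBER'
FROM sys.server_role_members m
JOIN sys.server_principals r ON m.role_principal_id = r.principal_id
JOIN sys.server_principals p ON m.member_principal_id = p.principal_id
WHERE p.name = N'$(Login)'
'@
$rows = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $Query -Variable "Login=$Login"

$granted = @($rows | Where-Object State -eq 'GRANT'  | ForEach-Object Item)
$roles   = @($rows | Where-Object State -eq 'MEMBER' | ForEach-Object Item)
$missing = @($Expected | Where-Object { $granted -notcontains $_ })
$excess  = @($granted  | Where-Object { $Expected -notcontains $_ })

if (-not $rows) { Write-Warning "$Login has no server permissions or does not exist on $Instance" }
foreach ($p in $missing) { Write-Warning "Missing: GRANT $p TO [$Login]" }
foreach ($p in $excess)  { Write-Warning "Granted but not needed for assessments: $p" }
foreach ($r in $roles)   { Write-Warning "Server role membership is not needed for assessments: $r" }
if ($rows -and -not $missing -and -not $excess -and -not $roles) {
    Write-Host "$Login holds exactly the required assessment permissions" -ForegroundColor Green
}
```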

How to locate "obsolete" Windows servers

You can use the filtering features of the server list to only display servers that are “obsolete”, for example servers that have been shut down and decommissioned.

In order to use this feature perform the following steps:

  • Add the WMI State column to the server list, and filter by “Not responding”.
  • Add the “Last Logon” column and sort by it to see “old” servers.
  • Optionally, export the csv list of the result for further processing.

How do I see the scanning status of my servers

Go to the server list, and add the WMI Status column.

The WMI status can have one of the following values:

  • Unclassified: OpsAI knows of the server (from Active Directory for example), but has never attempted to scan it.
  • Success: OpsAI has successfully performed a full scan of the server.
  • Partial data: OpsAI has scanned the server, but some parts of the scan have failed.
  • Not responding: OpsAI is unable to connect to the server – most likely due to missing network connectivity or because the server has been shut down.
  • Unauthorized: OpsAI can connect to the server, but the server actively refuses access.

How do I remove a shutdown Windows server from the server list

Provided the scanner is still running, you can remove it by removing the machine account from Active Directory.

How to use the OpsAI Platform

When you create an account and install the OpsAI scanner onto a designated Windows machine, you will be able to see the data collected from the scan on the OpsAI platform. 

Dashboard
The Platform’s dashboard gives you an overview of your IT environment. You will be able to view the data collected about your Geo Map, IT Infrastructure, Compliance Ratio, Business Applications, Risk Assessment, Technical Debt, Rightsizing potential and Support.

*Please note: in the demo version of OpsAI only Risk Assessment and Technical Debt data will be available.

Scanner Status
The OpsAI Platform lets you view the status of the scanner and the total amount of assets found and their states. Here you can download the latest version of the OpsAI scanner and generate a new keycode.

Assets
OpsAI gathers data from all your assets and lists them in one place, or you can view them by type. You can multi-select and edit servers, group them into the necessary application groups, and filter and view server or application group details.

  • How do I edit?
    To edit a server, select one or multiple servers in the server list, then click the More Options menu. Here you can move the server to an application group, create a new application group, or change the server lifecycle.

  • How do I group?
    As mentioned above, to create an application group select multiple servers from the server list, click the More Options menu, then choose Add to an existing application group or Create a new group.

  • How do I see the details of an application group or server?
    To view the details of a server or application group, simply click the name of the asset in its list.

 

Cost
In the cost section of OpsAI, you have an overview of the potential cost of your assets when moved to the cloud either mapped 1:1 or Right Sized and based on Cloud provider, region, commitment and licensing. 

Settings
As an owner of the OpsAI organization account you can invite, delete or move ADMIN rights to another user and create another organization account if needed. You are also able to download an Excel file of the scanned data. 

  • How do I give Admin rights to another user in the organization?
    If you wish to invite another person to manage your account, you must give them ADMIN rights. ADMIN rights give that person full access and the ability to edit the account itself.

  • How do I invite a new user to the organization?
    You can give others access to your organization account under Organization settings. When you invite someone to your account, they will have access to view the data that has been collected.

  • How do I delete an unwanted organization account?
    If you feel that you no longer want to use OpsAI or created an unwanted organization, you can simply delete the organization account in the Organization settings under the profile “Edit”.
    Be aware that when you delete an organization, you will no longer be able to access that account and any data collected will be deleted.

I have feedback to the product; can I give this anywhere?

Of course! We appreciate any feedback you may have about OpsAI. This can easily be done from the Contact section here, or by clicking “Feedback” in the OpsAI platform. 

Where can I get support?

If you have any problems with OpsAI, you can let us know by sending us an email through our website. Go to the Contact section here. We will try our best to fix any problem you may have. 

EULA

Scanner release notes

Release 3.2.162, April 24, 2020

  • Single machine Scanner (Workgroup scanner)
  • Fix domain dropdown in OpsAI config tool
  • Redundant entries in MsSqlDatabaseUsage
  • Batch SELECT of RawConnections (to avoid OOM)

Release 3.2.155, March 30, 2020

  • Collect TCP connections with timestamp
  • Detect and save if SecureBoot is enabled
  • Improve DMA Scan file cleanup
  • Default to full file share scanning
  • Run DMA assessments less often
  • Stop collecting per user services

Release 3.2.129, January 28, 2020

  • Sync IIS Website info
  • Collect workstation FQDN and SQL database size
  • Collect log warnings
  • Improve Domain Controller detection
  • Remove duplicate indexes on ServerPerformances
  • Investigate Duplicate Non-Domain

Suggestions for Features

If you have suggestions for new features or would like changes to existing features.