Hello community. 👋
At Lansweeper we receive many requests for health checks. Each account representative may perform a health check and each performs them well. The difficulty of such a health check is that each environment's network and use case is different.
I have created a Health Checklist that I'm putting in "Beta" and would love to have feedback from you! Please be open and honest with your feedback so we can improve this for your needs.
We have a few different ideas on how to present this -- the most popular one is to have 2 lists; 1 - sent to the SysAdmin who manages the environment Lansweeper is installed onto, 2 - used by the staff reviewing your Lansweeper environment itself. But I'm open to other options as well.
Please see the list below.
a) Server Configuration
i) Operating System is not nearing EOL: https://community.lansweeper.com/t5/requirements/lansweeper-installation-requirements/ta-p/64267
ii) CPU & RAM assigned
Open “Task Manager > Performance” (select “more details”) while going through the checklist.**
iii) Database storage: should be big enough for growth.
1MB per asset recommended; for example: 1000 assets = 1GB storage.
Hint: if it’s a new install and the DB is full, recommend more storage.
iv) What are the largest tables in the database?
v) Size of the database, compared to asset count.
vi) At least one server with outgoing internet access for sync with Ls Sites
vii) Server used with LsAgent has internet access
viii) Balancing the scanning load
ix) DNS database is clean and doesn’t contain stale entries
x) Read access to Active Directory
xi) Server has access to target devices - https://community.lansweeper.com/t5/requirements/ports-scanned-or-used-by-lansweeper/ta-p/64273
i) The on-prem installation version is within the supported version
ii) Verify license asset count usage
Review used licenses and recommend as necessary
iii) Review Threads in Configuration > Server Options > Service Options
iv) SQL Compatibility level
v) Is LsAgent used (import spread over groups, how are scan items interval set)
vi) Minimal Scanning errors
vii) Software normalization is enabled
c) Configuration > Server Settings
i) Ensure each “cleanup” option is configured as the customer intends
Disable “Scan Logging”
If enabled, let the customer know this will greatly increase the size of the database
ii) Credential-free Device Recognition (CDR) is enabled and using the server with internet access
iii) Warranty tracking is enabled on the server with internet access
iv) If Event Log scanning is enabled, warn how this can increase the size of the database
v) Check the Cleanup option for unique records
vi) Are Cleanup options aligned for all scanning servers
**Review Task Manager > Performance and recommend CPU/RAM as needed
a) SSL Certificate (HTTPS:// without errors)
b) Users are managed through AD group
This will ensure easier management of users via the group instead of individually
c) Limit the number of Local Users
A Local User will need to be manually disabled when leaving the organization. Optionally, consider an AD group so the user is managed through AD.
d) Limit the number of Ls Administrators - Account Roles & Permissions
e) Force HTTPS: Configuration > Website Settings
f) Disable Built-in Admin: Configuration > Website Settings
On-prem installation only
g) Asset Radar is enabled
Minimal enablement should be “logging only”
h) Ls Cloud
i) Enable SSO for the entire organization
j) Enable MFA for all users
3) Scan Targets
a) IP Ranges
i) A separate IP Range scan target should be configured for each vLAN within the organization.
ii) Each scan server should scan the network they are sitting in.
iii) Review size of IP ranges, scan schedules, and mapped credentials
iv) Compare DHCP scopes with IP Range targets
v) Review IP scope ranges
Class C /24 networks are recommended sizes due to scan times. Larger networks are ok, but explain the potential impact to scan time.
vi) Review exclusions and understand why they are excluded
This helps you understand the customer’s IT estate.
vii) Review scanning schedules
Encourage caution for many IP scopes being scanned at the same time. Encourage staggering start times for better results.
b) Active Directory
i) Scanning Domain
Ensure clean AD environment with disabled asset status for those assets not active.
ii) Scanning OU doesn’t include deactivated/stale/disabled assets
Ensure unused devices have a “disabled” state
iii) LAPS is configured & used for scanning domain-joined computers
c) SSH & SNMP
i) Firewalls configured with SNMP v.2 or v.3
ii) Switches configured with SNMP v.2 or v.3
iii) Printers are configured for SNMP discovery
iv) SSH scanning is enabled on Linux and other SSH devices
d) Complete Discovery
i) For a complete estate discovery, scanning all asset-holding/managing devices is necessary.
ii) IP Ranges include all subnets and vLANs
iii) All remote devices include LsAgent
iv) Active Directory Domain
v) Azure Active Directory
vi) All networking switches and firewalls
vii) All virtual hosts: VMware or Hyper-V
viii) All printers, cameras, scanners, mobile devices, etc.
ix) Wireless (non-public) networks and vLANs
x) Mobile Device Managers (Intune, Chrome, Airwatch, etc.)
xi) Microsoft 365
xii) Any non-domain systems
xiii) OT Systems (only use OT scanner for these devices)
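
The IP Range checks in section 3 a) (compare DHCP scopes with IP Range targets, review range sizes against the recommended /24) can be scripted. The following is an added example, not part of the original post and not Lansweeper tooling; the scopes, ranges and the function names `span` and `review` are constructed for illustration, and the inputs are assumed to be exported by hand from the DHCP server and the scan target list.

```python
import ipaddress

# Constructed sample data, not taken from any real environment.
DHCP_SCOPES = ["10.10.1.0/24", "10.10.2.0/24", "10.10.8.0/22", "192.168.50.0/24"]
SCAN_TARGETS = [  # (start, end) pairs, as an IP Range scan target is entered
    ("10.10.1.1", "10.10.1.254"),
    ("10.10.2.1", "10.10.2.127"),
    ("10.10.8.1", "10.10.11.254"),
    ("172.16.0.1", "172.16.0.254"),
]

def span(start, end):
    """Return an inclusive (low, high) integer pair for a start/end IP range."""
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    if lo > hi:
        raise ValueError(f"range start {start} is after end {end}")
    return lo, hi

def review(scopes, targets, max_addresses=256):
    """Compare DHCP scopes with scan targets; 256 addresses corresponds to a /24."""
    spans = sorted(span(s, e) for s, e in targets)
    hosts = {}
    for scope in scopes:
        net = ipaddress.ip_network(scope)
        # Usable host addresses only (assumes prefixes of /30 or shorter).
        hosts[scope] = (int(net.network_address) + 1, int(net.broadcast_address) - 1)
    out = {"uncovered": [], "partial": [], "oversized": [], "no_dhcp_scope": []}
    for scope, (lo, hi) in hosts.items():
        covered, cursor = 0, lo
        for s, e in spans:  # sorted, so overlapping targets are counted once
            s, e = max(s, cursor), min(e, hi)
            if s <= e:
                covered += e - s + 1
                cursor = e + 1
        missing = (hi - lo + 1) - covered
        if covered == 0:
            out["uncovered"].append(scope)
        elif missing:
            out["partial"].append((scope, missing))
    for start, end in targets:
        lo, hi = span(start, end)
        if hi - lo + 1 > max_addresses:
            out["oversized"].append((start, end))
        if not any(lo <= h_hi and h_lo <= hi for h_lo, h_hi in hosts.values()):
            out["no_dhcp_scope"].append((start, end))
    return out

if __name__ == "__main__":
    for finding, items in review(DHCP_SCOPES, SCAN_TARGETS).items():
        print(f"{finding}: {items}")
```

Uncovered and partially covered scopes are address space where devices can sit without appearing in the inventory; targets with no matching DHCP scope are either static-only networks or stale entries worth confirming with the customer.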
This looks great, but I did see you mention 1GB per asset but in the same line have an example of 1000 assets = 1GB. The 1000 assets per 1GB makes more sense so a quick edit there would be clearer. I first thought it was really 1GB per asset. We have over 12,000 assets and that would be a massive database size when each contains only a fraction of data 😅