"user manual"

Contents

1. Screenshot 77: Scanning Profiles properties, Vulnerabilities tab options. The scanning profiles that ship with GFI LANguard 9 are already pre-configured to run a number of vulnerability checks on selected targets. You can, however, disable vulnerability scanning as well as customize the list of vulnerability checks executed during a scan. 7.4.1 Enabling/disabling vulnerability scanning. To enable vulnerability scanning: 1. From the Vulnerability Assessment Options tab, click the Vulnerabilities sub-tab. 2. Select the scanning profile to customize from the left pane under Profiles. 3. In the right pane, select the Enable Vulnerability Scanning option. NOTE: Vulnerability scanning is configurable on a scan-profile-by-scan-profile basis. If this option is not selected in a particular profile, no vulnerability tests will be performed in the security audits carried out by this scanning profile. 7.4.2 Customizing the list of vulnerabilities to be scanned. To specify which vulnerabilities will be enumerated and processed by a scanning profile during a security audit: 1. From the Vulnerability Assessment Options tab, select the scanning profile to customize from the left pane under Profiles.
2. Screenshot 115: Configuring a new Group Policy Object (GPO). 3. In the properties dialog, click on the Group Policy tab. Then click on New to create a new Group Policy Object (GPO) in the root container. 4. Specify the name of the new group policy (for example, Domain Policy) and then click on Close. NOTE: Microsoft recommends that you create a new Group Policy Object rather than editing the default policy (called Default Domain Policy). This makes it much easier to recover from serious problems with security settings. If the new security settings create problems, you can temporarily disable the new Group Policy Object until you isolate the settings that caused the problems. 5. Right-click on the root container of your domain and select Properties. This will bring up the Domain Properties dialog again. 6. Click on the Group Policy tab and select the new Group Policy Object Link that you have just created (for example, Domain Policy). 7. Click on Up to move the new GPO to the top of the list, and then click on Edit to open the Group Policy Object Editor.
3. 10.2 GFI LANguard VBscript language. GFI LANguard supports and runs scripts written in VBscript-compatible languages. Use VBscript-compatible languages to create custom scripts that can be run against your network targets. Security auditing scripts can be developed using the script editor that ships with GFI LANguard. This built-in script editor includes syntax highlighting capabilities as well as debugging features that support you during script development. Open the script editor from Start > Programs > GFI LANguard 9.0 > LANguard Script Debugger. NOTE: For more information on how to develop scripts using the built-in script editor, refer to the Scripting documentation help file included in Start > Programs > GFI LANguard 9.0 > LANguard Scripting documentation. IMPORTANT NOTE: GFI does not support requests related to problems in custom scripts. You can post any queries that you may have about GFI LANguard scripting on the GFI LANguard forums at http://forums.gfi.com. Through this forum you will be able to share scripts, problems and ideas with other GFI LANguard users. 10.2.1 Adding a vulnerability check that uses a custom VB (.vbs) script. To create new vulnerability checks that use custom VBscripts: Step 1: Create the script. Step 2: Add the new vulnerability check. The following are examples of how this is done.
4. Full report; Vulnerabilities [All]; Vulnerabilities [High security]; Vulnerabilities [Medium security]; Auto-remediation; High vulnerability level computers; Missing patches and service packs; Missing service packs; Missing critical patches; Open ports; Open shares; Groups and users; Computer properties; Hardware audit; Important devices: USB; Important devices: Wireless; Installed Applications; Non-Updated security software; Virtual machines. Displays all the information that was collected during a network vulnerability scan, including system OS information, outdated anti-virus signatures, and missing patches and service packs. Displays all Critical, High and Medium severity vulnerabilities discovered during a network security scan. Displays only severe vulnerabilities, such as missing critical security patches and service packs. Displays only moderate severity vulnerabilities which may need to be addressed by the administrator, such as average threats and medium vulnerability patches. Displays auto-remediation actions triggered. Use this filter to access the list of computers and vulnerability details for which the vulnerability level is high. Use this filter to access the list of missing patches and service packs discovered on scanned target computer(s). Use this scan filter to display a list of all computers and computer details of computers which have a miss
5. Screenshot 18: The network and software audit node. Expand the Network & Software Audit node to view security vulnerabilities identified on scanned targets. Here, vulnerabilities are grouped by type and severity as follows: System Patching Status, Ports, Hardware, Software, System Information. Fast response, Medium response, Slow response. NOTE: The first icon indicates that the scan is queued, while the second icon indicates that the scan is in progress. 3.6.1 System patching status. Expand the System Patching Status sub-node to access information on: Missing Patches (list of missing Microsoft patches); Missing Service Packs (list of missing Microsoft service packs); Installed Patches (list of installed Microsoft patches); Installed Service Packs (list of installed Microsoft service packs). 3.6.2 Ports. Expand the Ports sub-node to view all TCP and UDP ports detected during a scan. When a commonly exploited port is found open, GFI LANguard will mark it in red. Care is to be taken: even if a port shows up in red, it does not mean that it is 100% a backdoor program. Nowadays, with the array of software being released, it is becoming more common that a valid program uses the same ports as some known Trojans. Further to detecting if the port is open or not, GFI LANguard
6. 3. Click on the Group Policy tab. Select the GPO to be checked (for example, Domain Policy GPO) and click on Edit to open the Group Policy Object Editor. 4. Expand the Computer Configuration node and navigate to the Windows Settings > Security Settings > Account Policies > Password Policy folder. Screenshot 122: Verifying the GPO settings. The password policy configuration settings are displayed in the right pane of the GPO editor. The password policy of your GPO shall be set as follows: Enforce password history: 24
7. Screenshot 99: The DNS Lookup tool. To resolve a domain/host name: 1. Click on the Utilities tab and select DNS Lookup in the left pane under Tools. 2. Specify the hostname to resolve in the Hostname/IP to resolve textbox. Screenshot 100: The DNS Lookup tool. 3. Under Common Tasks in the left pane, click on Edit DNS Lookup options (or the Options button on the right pane) and specify the information that you wish to retrieve. Basic Information: Select this option to retrieve the host name and the relative IP address. Host Information: Select this option to retrieve HINF
8. GFI LANguard 9 Manual. By GFI Software Ltd. http://www.gfi.com Email: info@gfi.com. Information in this document is subject to change without notice. Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of GFI SOFTWARE LTD. GFI LANguard is copyright of GFI SOFTWARE LTD. 2000-2009 GFI SOFTWARE LTD. All rights reserved. Last updated: 4 September 2009. Version LANSS ACM EN 01 00 00. Contents. 1 Introduction: 1.1 Introduction to GFI LANguard; 1.2 GFI LANguard components; 1.3 Vulnerability management strategy. 2 Step 1: Performing an audit: 2.1 Introduction; 2.2 Network Scanning options; 2.3 Quick Scan; 2.4 Full Scan; 2.5 Custom scan; 2.6 Setting up a scheduled scan. 3 Step 2: Analyzing the security scan results: 3.1 Introduction; 3.2 Scan summary; 3.3 Vulnerability level rating; 3.4 Detailed scan results; 3.5 Detailed scan results: Vulnerability assessment; 3.6 Detailed scan results: Network & Software Audit; 3.7 Displaying and sorting scan categories; 3.8 Saving scan results; 3.9 Scan filters; 3.10 Results comparison; 3.11 Reporting. Fixing vulnerabilities: Introduction; Patch management; Deploying missing updates; Deploying custom software; Uninstall applications; Remote re
9. Screenshot 50: Software deployment status. 4.5 Uninstall applications. Through application uninstallation you can control which applications are installed on which computers and uninstall any unauthorized applications present on network computers. To uninstall applications: 1. Select Network Audit tab > Remediate tab and click Uninstall Applications.
10. Screenshot 31: Comparing scan results. To generate a scan results comparison report: 1. Click on Network Audit > Analyze. 2. Click on the Result comparison node. 3. Click the search file button and select files to compare: select the scan result files that you wish to compare. NOTE: You can only compare results of the same type, i.e. you cannot compare a result stored in XML with one stored in database. 4. Click Compare to start the results comparison process. 3.10.3 The Results Comparison Report.
12. Screenshot 28: The new Scan Filter properties dialog, Report Items tab page. 7. Click the Report Items tab and select the information categories/sub-nodes to display. Click OK to save and create the new filter. The new filter will be added as a new permanent sub-node under the Results Filtering node. NOTE: To delete or customize a scan filter, right-click the target filter and select Delete filter or Edit filter properties. 3.10 Results comparison. GFI LANguard enables you to compare saved scan results and generate a list of network changes discovered. 3.10.1 Configuring what scan results changes will be reported. The result comparison tool can report various information discovered during the comparison of two saved scan results. To configure what changes will be included in a comparison report:
13. GFI LANguard provides you with the ability to hone down and sort available scan categories and scanned computers. This allows you to focus on specific data that might require your attention in more detail without getting lost in other data that might not be relevant at that point in time. Screenshot 21: Customize view. To customize and sort the list of scan results: 1. Under Common Tasks in the left panel, click on Customize scan results view. 2. From the View tab, select which scan categories you want to show or hide. Click Apply to save the setting. 3. Click on the Sorting tab and set your sorting preferences. Click OK to finalize your configuration. 3.7.1 Loading saved scan results from database.
14. The Results Comparison option enables the identification of network security changes which occurred over a period of time which spans two network security scans. Screenshot 32: Results Comparison Report. On completion, the results comparison report is displayed in the right pane of the management console. 3.11 Reporting. NOTE: On Microsoft Windows Vista computers, an error message might be displayed during the automatic installation of the Microsoft .NET Framework 1.1. For more information on how to resolve this issue, refer to http://kbase.gfi.com/showarticle.asp?id=KBID003100. 3.11.1 Access download install report
15. Select the scanning profile that you wish to customize from the left pane under Profiles. 4. In the right pane, select the Enable scanning for installed applications on target computer(s) option. 5. Select either Only applications in the list below or All applications except the ones in the list below, and click the add button to add applications that will either be listed or blacklisted. 6. In the Ignore (Do not list/save to db) applications from the list below options, key in applications by clicking Add. Any application listed is whitelisted. NOTE: Include only one application name per line. 7.11.2 Scanning security applications. Use GFI LANguard to detect installed security software and ensure that they are using the latest definition files. Where applicable, GFI LANguard will also check that important settings are enabled, e.g. rea
16. Screenshot 84: Scanning Profiles properties, Patches tab options. Use the Patches tab to specify which security updates are checked during vulnerability scanning. The patches to be checked are selected from the complete list of supported software updates that is included by default in this tab. This list is automatically updated whenever GFI releases a new GFI LANguard missing patch definition file. 7.5.1 Enabling/disabling missing
17. information; an OVAL Definition schema for expressing a specific machine state; an OVAL Results schema for reporting the results of an assessment. Content written in OVAL Language is located in one of the many repositories found within the community. One such repository, known as the OVAL Repository, is hosted by MITRE Corporation. It is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL Definitions. Each definition in the OVAL Repository determines whether a specified software vulnerability, configuration issue, program, or patch is present on a system. The information security community contributes to the development of OVAL by participating in the creation of the OVAL Language on the OVAL Developers Forum and by writing definitions for the OVAL Repository through the OVAL Community Forum. An OVAL Board consisting of representatives from a broad spectrum of industry, academia, and government organizations from around the world oversees and approves the OVAL Language and monitors the posting of the definitions hosted on the OVAL Web site. This means that the OVAL, which is funded by US-CERT at the U.S. Department of Homeland Security for the benefit of the community, reflects the insights and combined expertise of the broadest possible collection of security and system administration professionals worldwide. 12.2.1 GFI LANguar
18. will be merged; otherwise the XML file is first deleted. Imports data from XML file to database. When specified, only vulnerabilities newer than the newest vulnerability in the database will be imported. Exports/Imports all scanning profiles. Exports/Imports all vulnerabilities. Exports/Imports all ports. Exports/Imports the specified scanning profile. Exports/Imports all vulnerabilities of the specified category. Exports/Imports the specified vulnerability (VULNCAT must be specified). Exports/Imports all ports of the specified type. Exports/Imports the specified port (PORTTYPE must be specified). If an item already exists in the target XML/database, that item will be skipped. If an item already exists in the target XML/database, that item will be overwritten. If an item already exists in the target XML/database, that item will be renamed to <value>. If PROFILE or VULN was specified, port information merged with that item is a port or renamed by prefixing its name with <value> in any other case. Example: To export a specific alert: `impex /xml:regcheck.xml /vuln:"Blaster Worm" /vulncat:"Registry Vulnerabilities"` Example: To import a whole XML file: `impex /xml:regcheck.xml /im` NOTE 1: The Impex executable can be located in the GFI LANguard 9.0 installation folder. NOTE 2: It is highly recommended not to use the Impex tool if GFI LANgua
19. Screenshot 63: Patch auto-deployment. NOTE: For more information on how to enable patch auto-deployment during scheduled scans, refer to the Creating a scheduled scan section in this manual. 6.6.2 Advanced Options. From Common Tasks > Advanced options, configure the patch approval for auto-remediation advanced options. Advanced Options dialog: Send mail when new patches or service packs are available; Enable patches and service packs auto approval; Automatically approve all patches; Automatically approve all service packs. By enabling patches and service packs auto approval, all missing patches and service packs will automatically be deployed to target computers after scheduled scans. Screenshot 64: Patch Auto Deployment
20. 3 Customizing the list UDP ports. 1. From the Network & Security Audit Options tab, click the UDP Ports sub-tab. 2. Select the scanning profile to customize from the left pane under Profiles. 3. Customize the list of UDP Ports through Add, Edit or Remove. NOTE: The list of supported UDP Ports is common for all profiles. Deleting a port from the list will make it unavailable for all scanning profiles. 7.8 Configuring system information retrieval options.
21. Click on the Security Applications tab. 3. Select the scanning profile that you wish to customize from the left pane under Profiles. 4. Select the Detect and process installed antivirus/antispyware software on target computer(s) option. NOTE: Security applications scanning is configurable on a scan-profile-by-scan-profile basis. Make sure to enable security applications scanning in all profiles where this is required. Customizing the list of security applications for scanning. To specify which security applications will be scanned during an audit: 1. From the Network & Security Audit Options tab, click on the Applications sub-tab. 2. Click on the Security Applications tab. 3. Select the scanning profile that you wish to customize from the left pane under Profiles. 4. Select the security applications that you wish to investigate. Configuring security applications advanced options. Use the Advanced button included in the Security Applications configuration page to configure extended security product checks that generate high security vulnerability alerts when: the anti-virus or anti-spyware product definition files are out of date; the Realtime Protection feature of a particular anti-virus or anti-spyware application is found disabled; none of the selected anti-virus or anti-spyware software is currently installed on the scanned target computer.
22. Screenshot 116: The Group Policy Object Editor. 8. Expand the Computer Configuration node and navigate to the Windows Settings > Security Settings > Account Policies > Password Policy folder. Screenshot 117: Configure the GPO password history. 9. From the right pane, double-click on the Enforce password history policy. Then select the Define this policy setting option and set the Keep password history value to 24.
23. Screenshot 24: Scan filters: Full report. 2. Click Network Audit > Analyze. 3. Select the Results Filtering node and expand the Complete Scans node. 4. Select the scan filter to apply against scan results. 3.9.2 Creating a custom scan filter. Apart from the scan filters that ship by default, you can create custom filters based on your requirements and network infrastructure. To create a custom scan filter: 1. Click Network Audit > Analyze. 2. Right-click on the scan filter category where the new filter will be added and select Create new results filter. Screenshot 25: The new Scan filter properties dialog, General tab page. 3. In the General tab, specify the name of the new scan filter.
24. Now button. 3. To automate the repair and compact process on a Microsoft Access database backend, select One time only to schedule a one-time Microsoft Access database repair and compact, or Every to execute a repair and compact process on a regular schedule. Specify the date, time and frequency in days/weeks or months at which the compact and repair operations will be executed on your database backend. 6.9 Importing and Exporting Settings. GFI LANguard allows configurations import and export through Import and Export Configurations in the File menu. Configurations that can be imported/exported include: Scanning Profiles; Vulnerability Assessment; Ports (TCP/UDP); Results Filtering Reports; Auto-Remediate Settings (Auto-Uninstall and Patch settings); Options (Database Backend, Alerting, Schedule scan and Internal Settings). 6.9.1 Exporting Configurations. To export the configurations: 1. From the main menu, click File > Import and Export Configurations. 2. Select Export the desired configuration to a file and click Next. 3. Specify the path where to save the exported configuration and click Next. 4. Wait for the configuration tree to load and select the configurations to export. Click Next to start the export. 5. A notify dialog will confirm that exporting is completed. 6. Click OK to finish. 6.9.2 Importing Configurations. To import saved configura
25. Step 1: Create the script. 1. Launch the Script Debugger from Start > Programs > GFI LANguard 9.0 > LANguard Script Debugger. 2. Go to File > New. 3. Create a script. For this example, use the following dummy script code:

        ' Entry point executed by the VB Script check
        Function Main
            echo "Script has run successfully"
            ' Boolean value returned by the check
            Main = true
        End Function

    4. Save the script in <LANguard 9.0 installation folder path>\Data\Scripts\myscript.vbs. Step 2: Add the new vulnerability check. 1. Open the GFI LANguard management console. 2. Click on the Configuration tab and select scanning profiles management. 3. Click on the Vulnerability Assessment sub-node and, from the middle pane, select the category in which the new vulnerability check will be included (for example, High Security Vulnerabilities). [Screenshot 108: The new vulnerability check dialog, with General, Description and References tabs and fields including Name, Type, OS Family, OS Version, Product, Timestamp and Severity] 4. In the new window, add a new vulnerability by clicking Add in the middle pane. 5. Go through the General, Description and References tabs while specifying the basic details such as the vulnerability name, short description, security level and OVAL ID (if applicable). 6. Click
26. To execute a scan, GFI LANguard must log on to target computers with administrator privileges. Stage 3: Execute vulnerability checks. Execute the vulnerability checks configured within the selected scanning profile and identify present security weaknesses. 2.2 Network Scanning options. GFI LANguard includes default configuration settings that allow you to run immediate scans soon after the installation is complete. [Screenshot residue: Network Audit > Scan tab, "Launch a scan", with these options: Quick Scan (discover high security vulnerabilities and critical missing patches and service packs); Full Scan (full scan one or more computers for all security vulnerabilities and build system inventory); Launch a Custom Scan (use the custom scan wizard to launch a scan using customized network auditing and scanning parameters); Set Up a Scheduled Scan (schedule a scan which automatically audits target computers and triggers remediation actions)]
27. [profile name fragment: Assessment] UDP ports commonly exploited by Trojans as well as missing patches and service packs. The list of vulnerabilities enumerated by this profile can be customized through the Vulnerabilities tab. Installed USB devices and applications are not enumerated by this profile. This profile will scan for all vulnerabilities. This includes vulnerabilities which have an associated Microsoft patch to them and which are considered missing patches. Full Scan (Active): Use this scanning profile to retrieve system information as well as scan your network for all supported vulnerabilities, including open TCP/UDP ports, missing patches and service packs, USB devices connected and more. The vulnerability check timeouts in this profile are specifically preconfigured to suit the network traffic and transmission delays usually associated with LAN environments. Full Scan (Slow Networks): Use this scanning profile to retrieve system information as well as scan your network for all supported vulnerabilities, including open TCP/UDP ports, missing patches and service packs, USB devices connected and more. The vulnerability check timeouts in this profile are specifically preconfigured to suit the network traffic and transmission delays usually associated with WAN environments. 7.2.2 Vulnerability Assessment. Vulnerability assessment scanning profiles: Top SANS 20 Vulnerabil
28. USB keyboards. This is achieved by compiling a safe list (whitelist) of USB devices to be ignored during scanning. Similarly, you can create a separate scanning profile that enumerates only Bluetooth dongles and wireless NIC cards connected to your target computers. In this case, however, you must specify Bluetooth and Wireless or WiFi in the unauthorized network and USB lists of your scanning profile. All the device scanning configuration options are accessible through the two sub-tabs contained in the devices configuration page. These are the Network Devices tab and the USB Devices tab. Use the Network Devices sub-tab to configure the attached network devices scanning options and the blacklisted (unauthorized) and whitelisted (safe) devices lists. Use the USB Devices sub-tab to configure the attached USB devices scanning options and the unauthorized/safe devices lists. 7.9.1 Enabling/disabling checks for all installed network devices. To enable network device (including USB device) scanning in a particular scanning profile: 1. From the Network & Security Audit Options tab, click the Devices sub-tab. 2. Click the Network Devices tab. 3. Select the scanning profile to customize from the left pane under Profiles. 4. From the right pane, select Enable scanning for hardware devices on target computer(s). NOTE: Network device scanning is configurable on a scan profile by scan profil
29. a newer build. Updates can be disabled by removing the mark from the checkbox in the Auto download column. 6.10.2 Configure GFI LANguard Proxy settings. To manually configure proxy server settings for internet updates: 1. Click on Edit proxy settings under common tasks. [Screenshot 73: Configuring proxy server settings. The dialog notes that patch file download, scheduled updates and some operations performed during the scanning process need to open Internet connections.] 3. Select Override automatic proxy detection and choose one of the following options. Connect directly to the Internet: select this option when a direct internet connection is available. Connect via a proxy server: select this option when internet access is through a proxy server. Update the Server name and port number using this format: <server>:<port>. If applicable, select Proxy server requires authentication and update the User name and Password respectively. 6.10.3 Enable/Disable GFI LANguard auto updates on startup. GFI LANguard can check for the availability of software updates at every program startup. To disable/enable this feature: 1
30. database backend and delete saved scan results that are no longer required. Deletion of non-required saved scan results can be achieved manually as well as automatically through scheduled database maintenance. During scheduled database maintenance, GFI LANguard automatically deletes saved scan results that are older than a specific number of days, weeks or months. You can also configure automated database maintenance to retain only a specific number of recent scan results for every scan target and scan profile. [Screenshot residue: database maintenance Properties dialog with tabs Change Database, Saved Scan Results, Scanned Computers and Advanced. It lists the saved scan results in the database backend by target, profile and date, offers Delete scan(s) and Mark scan(s) as read only, and sets the scan results retention policy (retain scans generated during a given number of days, or a given number of scans per scan target per profile).] NOTE: Scan results marked as read only will not be removed by the database results cleanup operations.
31. debugger is accessible from Start > Programs > GFI LANguard 9.0 > GFI LANguard Script Debugger. 1.3 Vulnerability management strategy. It is recommended to use the following sequence for an effective vulnerability management strategy: 1. Scan. For more information, refer to the Step 1: Performing an audit section in this manual. 2. Analyze. For more information, refer to the Step 2: Analyzing the security scan results section in this manual. 3. Remediate. For more information, refer to the Step 3: Fixing vulnerabilities section in this manual. 2 Step 1: Performing an audit. 2.1 Introduction. Security scans (audits) enable you to identify and assess possible risks within a network. Auditing operations imply any type of checking performed during a network security audit. This includes open port checks, missing Microsoft patches and vulnerabilities, service information, user or process information and more. Overview of the scanning process: The automated scanning process has three distinct stages. Stage 1: Determine availability of target computer. Determining whether the target computer is reachable and available for vulnerability scanning. This is determined through connection requests sent in the form of NETBIOS queries, SNMP queries and/or ICMP pings. Stage 2: Establish connection with target device. Establish a direct connection with the target computer by remotely logging on to it
32. System information. Hardware, including network card details (e.g. MAC address) and any USB devices connected. Quick Scans have relatively short scan duration times compared to the Full Scan, mainly because only a subset of the entire vulnerability checks database is performed. It is recommended to run a Quick Scan at least once a week. When to use Quick Scans. It is recommended to use Quick Scans: when performing a first-time scan, since these provide in a very timely fashion a sample of the information that GFI LANguard can extract from target computers; to run daily network audits of multiple network machines, since it is non-intrusive and does not overload network infrastructure bandwidth; to retrieve system information and to scan only for high security vulnerabilities. 2.3.1 How to launch a Quick Scan. To run a quick scan: 1. Launch the GFI LANguard management console from Start > Programs > GFI LANguard 9.0 > GFI LANguard. 2. From the Network Audit > Scan tab, which opens by default, click on the Quick Scan option. 3. Specify the target computer to be scanned by selecting one of the following options. Scan this computer: use this option to scan local host. Scan another computer: use this option to scan a specific computer. Parameters required are target computer name or IP. Scan entire domain/workgroup: use this option to s
33. [Screenshot 93: The Devices configuration page, USB Devices tab options. The tab lets you configure which USB devices you want to mark as dangerous and which you want to have ignored in your scan results. Devices marked as dangerous will have a high security vulnerability notification in the scan results. Devices on the ignore list will not be listed or saved to the database.] 7.10.1 Compiling a USB devices blacklist/whitelist. To compile a list of unauthorized/dangerous USB devices: 1. From the Network & Security Audit Options tab, click the Devices sub-tab. 2. Click the USB Devices tab. 3. Select the scanning profile that you wish to customize from the left pane under Profiles. 4. In the right pane, to create a USB device blacklist, specify which devices you want to classify as high security vulnerabilities in the space provided under Create high security vulnerability for USB devices that name contains. For example, if you enter the word iPod, you will be notified through a high security vulnerability alert when a USB device whose name contains the word iPod is detect
34. htm We will answer your query within 24 hours or less, depending on your time zone. NOTE: Before you contact our Technical Support team, ensure that you have your Customer ID available. Your Customer ID is the online account number that is assigned to you when you first register your license keys in our Customer Area at http://customers.gfi.com. 13.6 Build notifications. We strongly suggest that you subscribe to our build notifications list. This way, you will be immediately notified about new product builds. To subscribe to our build notifications, visit http://www.gfi.com/pages/productmailing.htm
35. import and export tool. 10 Adding vulnerability checks via custom conditions or scripts: 10.1 Introduction; 10.2 GFI LANguard VBscript language; 10.3 GFI LANguard SSH Module; 10.4 Python scripting. 11 Miscellaneous: 11.1 Introduction; 11.2 Enabling NetBIOS on a network computer; 11.3 Installing the Client for Microsoft Networks component on Windows 2000 or higher; 11.4 Configuring Password Policy Settings in an Active Directory Based Domain; 11.5 Viewing the Password Policy Settings of an Active Directory Based Domain. 12 GFI LANguard certifications: 12.1 Introduction; 12.2 About OVAL; 12.3 About CVE. 13 Troubleshooting: 13.1 Introduction; 13.2 The Troubleshooting wizard; 13.3 Knowledge Base; 13.4 Web Forum; 13.5 Request technical support; 13.6 Build notifications. Index. 1 Introduction. 1.1 Introduction to GFI LANguard. GFI LANguard is a security scanning, network auditing and remediation application that enables you to scan and protect your network through: Identification of system and network weaknesses using a comprehensive vulnerability check database which includes tests ba
36. only missing Microsoft patches that were released last month. The list of missing patches that will be enumerated by this profile can be customized through the Patches tab. Use this scanning profile to enumerate missing Microsoft service packs. The list of service packs that will be enumerated by this profile can be customized through the Patches tab. Protection from Portable Storage: Use this scanning profile to check if GFI EndPointSecurity is installed or if GFI EndPointSecurity's security agent is deployed on scan targets. You can customize this profile to enumerate only unauthorized (blacklisted) software or vice versa. For more information on GFI EndPointSecurity, refer to the user manual available at http://www.gfi.com/endpointsecurity/esec4manual.pdf 7.2.0 Network & Software Audit. Network and Software Audit scanning profiles: Trojan Ports, Port Scanner, Software Audit, Full TCP & UDP Scan, Only SNMP, Ping Them All, Share Finder, Uptimes, Disks Space Usage, System Information. Trojan Ports: Use this scanning profile to enumerate open TCP/UDP ports that are commonly exploited by known Trojans. The list of TCP/UDP ports to be scanned can be customized through the TCP Ports and UDP Ports tabs respectively. Only the TCP/UDP ports commonly exploited by known Trojans are scanned by this profile. Network auditing op
37. or manual updates, refer to the Program updates section in this manual. 6 Configuring GFI LANguard. Introduction. GFI LANguard allows you to run vulnerability scans straight out of the box using the default settings configured prior to shipping. However, if required, you can also customize these settings to suit any particular vulnerability management requirements that your organization might need. You can customize and configure various aspects of GFI LANguard, including scan schedules, vulnerability checks, scan filters and scan profiles. 6.2 Scheduled Scans. Scheduled scans enable you to automate the process of performing regular scans, auditing and remediation procedures. 6.2.1 Reviewing, editing or deleting scan schedules. Scan schedules can be reviewed, edited or deleted from the Configuration > Scheduled Scans node. [Screenshot 55: Scheduled scan toolbar] All the scans are listed in the review page together with the relevant information. Use the scheduled scan toolbar buttons as follows. Add new scan button: use this button to display the New scheduled scan wizard and create a new scheduled scan. Reporting options button: use this button to display the Scheduled Scans Reporting Options dialog for the selected scheduled scan. For more information on how to set up reporting options, refer to the How to setup a Scheduled Scan
38. passwords remembered. Maximum password age: 42 days. Minimum password age: 2 days. Minimum password length: 8 characters. Password must meet complexity requirements: Enabled. 12 GFI LANguard certifications. 12.1 Introduction. GFI LANguard is OVAL and CVE certified. 12.2 About OVAL. Open Vulnerability and Assessment Language (OVAL) is an international information security community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the OVAL community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language. The OVAL community has developed three XML schemas to serve as the framework and vocabulary of the OVAL Language. These schemas correspond to the three steps of the assessment process: An OVAL System Characteristics schema for representing system
39. patch detection checks. To enable missing patch detection checks in a particular scanning profile: 1. From the Vulnerability Assessment Options tab, click the Patches sub-tab. 2. Select the scanning profile that you wish to customize from the left pane under Profiles. 3. In the right pane, select the Detect installed and missing service packs/patches option. NOTE: Missing patch scanning parameters are configurable on a scan profile by scan profile basis. Make sure to enable missing patch scanning in all profiles where missing patch scanning is required. 7.5.2 Customizing the list of software patches to be scanned. To specify which missing security updates will be enumerated and processed by a scanning profile: 1. From the Vulnerability Assessment Options tab, click the Patches sub-tab. 2. Select the scanning profile to customize from the left pane under Profiles. [Screenshot residue: list of Microsoft security bulletins with columns Bulletin name, Severity, QNumber, Date posted and Title]
40. section in this manual. Delete button: use this button to delete the selected scheduled scan. Properties button: use this button to review and edit the properties of the selected scan. Enable/Disable button: use these buttons to toggle the status of the selected scan between enabled and disabled. This enables you to activate/suspend a scanning schedule without deleting the scheduled scan. Scan now button: use this button to trigger the selected scheduled scan. This button overrides the scheduled scan date/time settings and executes an immediate scan. 6.2.2 Scheduled scan properties. The scheduled scan properties page enables you to configure all the parameters of the scheduled scans. To use the scheduled scan properties tab: 1. Go to Configuration tab > Scheduled Scans. 2. Select the scheduled scan and click the Scheduled Scan Properties button. [Screenshot 56: Scheduled Scan properties, General tab, showing the scan target, scanning profile, description, scan frequency and next scan time] 3. Edit the properties as required and click OK to finalize your configuration. General tab: use this tab to make changes to scan targe
41. the following tasks: a. Edit existing scheduled scans by selecting an existing scan and clicking Edit selected Scan. This will take you to the scan properties of the scheduled scan. For more information on how to edit an existing scheduled scan, refer to the Scheduled Scans section in this manual. b. Create a new scheduled scan by clicking on the Create a new scheduled scan button. This will display the new scheduled scan wizard, where you can create a new scheduled scan which will automatically uninstall applications. For more information on how to set up a new scheduled scan, refer to the Setting up a scheduled scan section in this manual. c. Review all scheduled scans by clicking the View all scheduled scans button. This will display the Scheduled scan screen, where you will be able to add new, edit or delete scheduled scans. For more information on how to edit an existing scheduled scan, refer to the Scheduled Scans section in this manual. 6.6 Configuring Microsoft updates. 6.6.1 Auto deployment settings. GFI LANguard ships with a patch auto deployment feature which allows you to automatically deploy missing Microsoft patches and service packs in all 38 languages supported by Microsoft products. To configure patch auto deployment: 1. Click on Configuration > Microsoft updates > Patch Auto Deployment. 2. In the right pane, select the patches that you would like to auto deploy.
42. the Conditions tab and click on the Add button. This will bring up the check properties wizard. [Screenshot 109: The check triggering conditions dialog. Step 1 of 3 of the check properties wizard, "Select the type of check", lists the Independent check types: Family Test, FTP Banner Test, HTTP Banner Test, POP3 Banner Test, Port Open Test, Python Script Test, SMTP Banner Test, SSH Banner Test, TCP Banner Test, TELNET Banner Test, Text File Content Test and VB Script Test. The check description shown is "Executes a VB script and returns a boolean value".] 7. Select the Independent checks > VBScript node and click on the Next button to continue setup. 8. Click on the Choose file button and select the custom VBscript file that will be executed by this check. For this example, select myscript.vbs. Click on Next to proceed. 9. Select the relative condition setup in the wizard to finalize script selection. Click on Finish to exit the wizard. 10. Click on OK to save the new vulnerability check. Testing the vulnerability check/script used in the example: Scan your local host computer using the scanning profile where the new check was added. In Network Audit > Scan R
43. uninstalled. Stage 2: Ensure that the application supports silent uninstall by trying to remotely uninstall the application. This is called the validation process. Stage 3: Set up a scheduled scan which will successfully uninstall all instances of that application from targets during a scheduled scan. NOTE: The auto remediation option of scheduled scans and application unauthorization only work for scanning profiles which perform Missing patches detection and/or Installed application detection. Important notes: 1. Always test patches in a test environment before deployment. 2. By default, Microsoft updates are not enabled for automatic deployment. Manually approve each patch as it is tested, or set all Microsoft updates as approved. 4.7.1 Automatically deploy missing Microsoft updates. To automatically deploy missing patches, follow the instructions below before setting up a scan with auto remediation options. Step 1: Approve the patches to deploy automatically. 1. From the Configuration tab, navigate to Microsoft Updates > Patch Auto Deployment. 2. Select the patches to approve for auto deployment. Optionally, set the automatic patch approval options by selecting the To automatically approve patches and or service packs click here option. For more information, refer to the Auto deployment settings section in this manual. Step 2: Set up a scheduled scan. Set up a
44. [Screenshot 85: Selecting the missing patches to be enumerated (list of Microsoft security bulletins with severity, QNumber, date posted and title)] 3. In the right pane, select/unselect which missing patches are enumerated by this scanning profile. 7.5.3 Searching for bulletin information. [Screenshot 86: Searching for bulletin information] To search for a particular bulletin: 1. Specify the bulletin name (for example MS02-017) or QNumber (for example Q311987) in the search tool entry box included at the bottom of the right pane. 2. Click Find to start searching for your entry.
45. [Screenshot 113: Local Area Connection Properties dialog, listing the items used by the connection: Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, Internet Protocol (TCP/IP)] 3. From the General tab, select the checkbox next to Client for Microsoft Networks and click on Install to begin the installation process. NOTE 1: If the Client for Microsoft Windows checkbox is already selected, then the component is already installed. NOTE 2: If the network is currently active, you may not see any checkboxes in the window. In this case, click the Properties button one more time to reach the full General tab. NOTE 3: If the computer runs any older version of Windows, view the Configuration tab and verify if Client for Microsoft Windows is present in the displayed list. If not, install the component by clicking on the Add button. 4. From the new dialog on display, select Client and click on Add to continue. 5. From the list of manufacturers at the right of the active window, choose Microsoft. Then choose Client for Microsoft Windows from the list of network clients on the right side of the window. Click the OK button to cont
46. [Screenshot 43: Stopping active downloads] To stop an active patch download, right-click on the respective patches and select Cancel Download. 4.3.4 (Optional) Configure alternative patch file deployment parameters. [Screenshot 44: Patch file properties dialog, showing the patch file name, bulletin, affected product, source URL, download directory and the command line parameters used to deploy the patch] You can optionally configure alternative patch deployment parameters on a patch by patch basis. Parameters that can be configured include: Download URL; Destination path of the downloaded patch file. To change the deployment and download settings of a missing patch: 1. Right-click on the respective patch file and select Properties. 2. Make the required changes and click OK to finalize your configuration. 4.3.5 Uninstall patches alrea
47. NOTE: If patches and service packs are automatically approved for auto deployment, a message advising you of such status is displayed. To manually approve patches/service packs, click the link that enables you to change the status (manually approve patches/service packs). [Screenshot residue: Configuration tab, Microsoft Updates > Patch Auto Deployment page. The page states that the Patches Auto Deployment option enables you to select which patches are approved for automatic patch deployment, and advises: only approve patches that were previously tested and do not cause any issues. It has a patch language filter and lists bulletins by Approval, Bulletin ID, Severity, QNumber, Date posted and Title.]
48. NOTE: For more information on the reports in GFI LANguard, refer to the GFI LANguard ReportPack manual available from http://www.gfi.com/lannetscan/LANguard9rpmanual.pdf 4 Step 3: Fixing vulnerabilities. 4.1 Introduction. Following a scan, GFI LANguard enables you to automatically fix some of the issues identified during your network audit. This is achieved through the built-in tools that ship with the product. Available remediation actions include the following. Auto patch management: this remediation feature automatically downloads missing Microsoft updates and deploys them network-wide. Applications auto uninstall: this remediation action enables the auto uninstall of applications that support silent uninstall. The process involves a test phase called validation, during which an application is uninstalled automatically to identify if silent uninstall is supported by the target application. If it is, all the other instances on the network will be automatically uninstalled during scheduled scans. 4.1.1 Deployment options. The general deployment options allow you to configure the actions and processes that must be triggered pre/post deployment of the selected file. Supported actions include: Send notification deployment request to the currently logged on user; Automated reboot of targe
49. Advanced Options
1. Click Advanced Options to view the advanced options dialog.
2. Select the notification and approval options by clicking the appropriate checkboxes and click OK to save changes.
6.6.3 Manage applicable scheduled scans
The Manage applicable scheduled scan option enables you to configure scheduled scans that trigger auto deployment of patches and service packs. For more information on how to use the Manage applicable scheduled scan feature, refer to the Managing scheduled scans section in this manual.
6.6.4 Auto download settings
GFI LANguard ships with a patch auto download feature which enables you to automatically download missing Microsoft patches and service packs in all 38 languages supported by Microsoft products. In addition, you can also schedule patch auto download by specifying the timeframe within which the download of patches is performed.
To configure patch auto download:
1. Click on Configuration > Microsoft updates > Patch Auto Download. Click on link in the right pane.
[Screenshot: Patch Auto download Properties dialog, General tab. Options: Enable patch auto download; Select patches to download: All patches (NOTE: Download all patches for deployment) or Only needed patches (NOTE: Download only required patches as determined by previous scans).]
50. Click Start to uninstall applications based on your configuration. Review the status of any uninstallation from the Uninstallation status tab.
4.6 Remote remediation
Through remote remediation you can control remote computers using Terminal Services and Remote Desktop Protocol. Remote remediation enables you to install missing patches, service packs and custom software through a remote connection.
To create a new remote connection:
1. Select Network Audit > Remediate > Remote Desktop Connections > New Connection.
[Screenshot 52: Creating a remote connection]
2. Specify the credentials required to connect to the remote machine.
3. Click Connect to open a remote connection with the target machine.
4.7 Automatic Remediation
Through scheduled scans you can launch automatic remediation actions. This enables you to automatically download and deploy missing patches, as well as to automatically uninstall unauthorized applications during scheduled operations. To uninstall software, a 3-stage process is required in order to identify whether the selected application supports silent uninstall.
Stage 1: Select the application to be auto
51. Click on the Edit program updates options.
2. In the builds updates section, select/unselect the Check for updates at application startup option accordingly.
3. Click OK to finalize your configuration.
6.10.4 Enable GFI scheduled updates
GFI LANguard scheduled updates are enabled by default. To disable/enable this feature:
1. Click on the Edit program updates options.
2. (Optional) In the builds updates section, unselect the Check for updates at application startup option.
3. Click Enable scheduled updates.
4. Specify auto updates frequency.
6.10.5 Starting program updates manually
To manually start GFI LANguard program updates:
1. Click on Check for Updates.
[Screenshot 74: The Check for Updates wizard, Stage 1. On-screen text: "You can choose to update the application files or to download all the update files to a specific path used further as an alternative update location." Options: Update application files from the following location (GFI web site or Alternative location); Download all update files from GFI web site to this path.]
2. Specify the location from where the required update files will be downloaded.
3. (Optional) Change the default download path: selecting the Download all update files to this path option allows the user to provide an alternate download path to store all GFI LANgu
52. [Screenshot 70: Database maintenance properties, Scanned Computers tab]
To delete computers previously scanned:
1. Click on Configuration > Manage list of scanned computers.
2. Select the computers to delete by holding the control key and clicking on the computers.
3. Click on the Delete selected computer(s) button to delete scanned computer data.
NOTE 1: Deleting computers from the database is a one-way operation that will also delete all computer-related data from the database. Once deleted, this data is no longer recoverable.
NOTE 2: While this is a very efficient mechanism for freeing up licenses previously occupied by unused nodes, note that this affects the long-term security reporting capabilities of GFI LANguard. Where long-term security reporting must be ascertained, or in environments where security databases must be intact, it is highly advisable to not delete any data whatsoever. In such scenarios it is advisable that more licenses are acquired to cater for network growth or expansion.
6.8.6 Database maintenance: Advanced options
To improve the performance of your Micr
53. GFI LANguard also supports integration with particular security applications. These include various anti-virus and anti-spyware software. During security scanning, GFI LANguard will check if the supported virus scanner(s) or anti-spyware software is correctly configured and that the respective definition files are up to date. Application scanning is configurable on a scan profile by scan profile basis, and all the configuration options are accessible through the two sub-tabs contained in the applications configuration page. These are the Installed Applications sub-tab and the Security Applications sub-tab.
Enabling/disabling checks for installed applications
[Screenshot: GFI LANguard Scanning Profiles Editor, Network & Software Audit Options, Applications tab, with the "Enable scanning for installed applications on target computer(s)" option and the Installed Applications and Security Applications sub-tabs]
Specify which installed applications are authorized/unauthorized and which you do not need to be notified about. NOTE: When an application is not authorized, a high security vulnerabi
54. [Screenshot 66: Configuring Alerting Options]
3. Configure the parameters To, CC, From, Server, Port, Username and Password as required.
4. Click on the Verify Settings button to verify email settings.
5. Click OK to finalize your settings.
6.8 Database maintenance options
GFI LANguard ships with a set of database maintenance options through which you can maintain your scan results database backend in good shape. For example, you can improve product performance and prevent your scan results database backend from getting excessively voluminous by automatically deleting scan results that are older than a specific number of months. If you are using a Microsoft Access database backend, you can also schedule database compaction. Compaction allows you to repair any corrupted data and to delete database records marked for deletion in your database backend, hence ensure the integrity of your scan results database.
6.8.1 Selecting a database backend
GFI LANguard 9 supports both Microsoft Access and Microsoft SQL Server 2000 or higher based database backend.
6.8.2 Storing scan results in a MS Access database backend
To store scan results in a Microsoft Access database:
1. Click on Configuration > Databas
55. [Screenshot 65: Configuring Patch Auto download Properties]
2. In the General tab, select All patches or Only needed patches.
NOTE: Selecting All patches downloads all patches issued by Microsoft regardless of whether these are required for deployment. The Only needed patches option downloads only the patches required for deployment.
3. To change the location where the downloaded patches are stored, click the Patch Repository tab and specify the required details.
4. To change the timeframe during which patch downloads are performed, click on the Timeframe tab and specify the required details.
NOTE: GFI LANguard can use patch files downloaded by Microsoft WSUS when deploying missing patches and service packs on target computers. To enable use of Microsoft WSUS downloaded files, select the Use files downloaded by Microsoft WSUS when available option and specify the path from where the Microsoft WSUS downloaded patches are retrieved.
5. Click OK to finalize your settings.
6.7 Configuring alerting options
To configure mail server settings or administrator email address:
1. Click Configurations > Alerting options.
2. Click the link in the right pane.
[Screenshot: Alerting Options Properties dialog, General tab]
56. O details. The host information, known as HINFO, generally includes target computer information such as hardware specifications and OS details. NOTE: Most DNS entries do not contain this information for security reasons.
• Aliases: Select this option to retrieve information on the A Records configured on the target domain.
• MX Records: Select this option to enumerate all the mail servers and the order (i.e. priority) in which they receive and process emails for the target domain.
• NS Records: Select this option to specify the name servers that are authoritative for a particular domain or sub-domain.
4. Specify, if required, the alternative DNS server that will be queried by the DNS Lookup tool, or leave as default to use the default DNS server.
5. Click on the Retrieve button to start the process.
8.3 Traceroute
Traceroute identifies the path that GFI LANguard followed to reach a target computer.
[Screenshot: Traceroute tool. Columns: Hop, IP Address, Hostname, Time (ms), Best time, Average]
57. SNMP information
3. Under Common Tasks in the left pane, click on Edit SNMP Walk options, or the Options button on the right pane, to edit the default options such as providing alternative community strings.
4. Click on the Retrieve button to start the process.
NOTE: SNMP activity is often blocked at the router/firewall so that Internet users cannot SNMP scan your network. The information enumerated through SNMP can be used by malicious users to attack your system. Unless this service is required, it is highly recommended to turn off SNMP.
8.9 SQL Server Audit
This tool allows you to test the password vulnerability of the sa account (i.e. root administrator) and any other SQL user accounts configured on the SQL Server. During the audit process, this tool will perform dictionary attacks on the SQL server accounts using the credentials specified in the passwords.txt dictionary file. However, you can also direct the SQL Server Audit tool to use other dictionary files. You can also customize your dictionary file by adding new passwords to the default list.
To perform a security audit on a particular Microsoft SQL server installation:
1. Click on the Utilities tab and select SQL Server Audit in the left pane under Tools.
[Screenshot: GFI LANguard Utilities tab]
58. Supporting documentation and short vulnerability descriptions are provided.
Rootkit: Lists vulnerabilities discovered because of having a rootkit installed on the scanned network device(s). Links to supporting documentation and short vulnerability descriptions are provided.
3.5.2 Potential vulnerabilities
Click on the Potential vulnerabilities sub-node to view scan result items that were classified as possible network weaknesses. Although not classified as vulnerabilities, these scan result entries still require meticulous attention since malicious users can exploit them during malicious activity. E.g. during vulnerability scanning, GFI LANguard will enumerate all of the modems that are installed and configured on the target computer. If unused, these modems are of no threat to your network; however, if connected to a telephone line, these modems can be used to gain unauthorized and unmonitored access to the Internet. This means that users can bypass corporate perimeter security, including firewalls, anti-virus, website rating and web content blocking, exposing the corporate IT infrastructure to a multitude of threats including hacker attacks. GFI LANguard considers installed modems as possible threats and enumerates them in the Potential Vulnerabilities sub-node.
3.5.3 Missing Service Packs/Patches
Click on the Missing Service Packs or Missing Patches sub-node respectively to check which Microsoft software updates or patches are mis
59. [Screenshot 112: Local Areas Connection properties, WINS tab]
7. Select the Default option from the NetBIOS Setting area.
NOTE: If static IP is being used or the DHCP server does not provide NetBIOS setting, select the Enable NetBIOS over TCP/IP option instead.
8. Click on OK and exit the Local Area Properties dialog(s).
11.3 Installing the Client for Microsoft Networks component on Windows 2000 or higher
The Client for Microsoft Networks is an essential networking software component for the Microsoft Windows family of operating systems. A Windows computer must run the Client for Microsoft Networks to remotely access files, printers and other shared network resources. These step-by-step instructions explain how to verify that the client is present and, if not, how to install it.
1. Navigate to Control Panel and access Networking options or Network or Sharing Centre.
2. Right-click on the Local Area Connection item and select Properties.
NOTE: If the computer runs any older version of Windows, like Windows 95 or Windows 98, locate and right-click on Network Neighborhood, then choose Properties. Alternatively, navigate to Control Panel and open the Network item.
[Screenshot: Local Area Connection Properties dialog]
60. age volumes, SCSI and RAID controllers, Storage Volume Snapshots
Expand the Software sub-node to access software audit categories:
Category: Information provided
General Applications: Application name; Version; Publisher
Antivirus Applications: Application name; Real time protection; Up to date; Last update; Version; Publisher
3.6.5 System Information
Expand the System Information sub-node to access OS information, grouped as follows:
Category: Information provided
Shares: Share name; Share remark (extra details on the share); Folder which is being shared on the target computer; Share permissions and access rights; NTFS permissions and access rights
Password Policy: Minimum password length; Maximum password length; Minimum password age; Force logoff; Password history
Security Audit Policy: Audit account logon events; Audit account management; Audit directory service access; Audit logon events; And more
Registry: Registered owner; Registered organization; Product name; Current build number
NETBIOS Names: Workstation service; Domain name; Domain controllers; File server service
Helps to identify: Users sharing entire hard drives; shares that have weak or incorrectly configured access permissions; Startup fo
61. al for more information regarding email, phone or web forum support channels. GFI Software Ltd will endeavor to look into any issues reported, and if any inconsistency or error is ascertained, it will issue updates to fix such issues. Vulnerability check updates are usually released on a monthly basis.
12.3 About CVE
CVE (Common Vulnerabilities and Exposures) is a list of standardized names for vulnerabilities and other information security exposures. Its aim is to standardize the names for all publicly known vulnerabilities and security exposures. CVE is a dictionary whose aim is to facilitate data distribution across separate vulnerability databases and security tools. CVE makes searching for information in other databases easier and should not be considered as a vulnerability database by itself. CVE is maintained through a community-wide collaborative effort known as the CVE Editorial Board. The Editorial Board includes representatives from numerous security-related organizations such as security tool vendors, academic institutions and governments, as well as other prominent security experts. The MITRE Corporation maintains CVE and moderates editorial board discussions.
12.3.1 About CVE Compatibility
CVE-compatible means that a tool, Web site, database or service uses CVE names in a way that allows it to cross-link with other repositories that use CVE names. CVE compatib
62. [Screenshot 9: Scheduled scan auto remediation options. On-screen notes: "There are Microsoft updates that are not approved for auto deployment." "It is recommended to have System Restore on for the system drive on the target computers."]
9. (Optional) Select Automatically uninstall unauthorized applications so that all applications validated as unauthorized will be uninstalled from the scanned computer (unauthorized applications are defined in Application Inventory). For more details see Application auto uninstall.
10. (Optional) Click View applications which this scan will uninstall to launch the Applications which will be uninstalled dialog. This will list all the applications that will be uninstalled when the scheduled scan is finished.
11. (Optional) Click Configure auto remediation option to configure the processes that must be triggered before and after a deployment of an application. For more information refer to Deployment options.
12. Click Next.
[Screenshot: New scheduled scan wizard, Step 7 of 7: Review scheduled scan job]
63. and export tool
The Impex tool is a command-line tool which can be used to import and export profiles and vulnerabilities from GFI LANguard Network Security Scanner. The parameters supported by this tool are the following:
impex H XML xmlfile DB dbfile EX MERGE IM ONLYNEWER PROFILES VULNS PORTS PROFILE name VULNCAT cat VULN name PORTTYPE type PORT number SKIP OVERWRITE RENAME value
Options
Further options listed in the table: IM, ONLYNEWER, PROFILES, VULNS, PORTS, PROFILE <name>, VULNCAT <category>, VULN <name>, PORTTYPE <type>, PORT <number>, SKIP, OVERWRITE, RENAME <value>
Option: Description
H (or running without parameters): Displays help information.
XML <xmlfile>: This parameter specifies the name of the imported or exported XML file. <xmlfile> needs to be replaced with the name of the file the profile is being exported to. NOTE: This parameter is mandatory to import or export alerts.
DB <dbfile>: Where <dbfile> is the database file to be used during the import/export operation. If this is not specified, the default operationsprofiles.mdb file will be used.
EX: Exports data from database to XML file (default option).
MERGE: If this is specified when the target XML for export already exists, the file will be opened and data
64. ard updates.
4. Click Next to proceed with the update.
[Screenshot 75: The Check for updates wizard, Stage 2 (Choose which packages to update). On-screen note: disabled items represent packages already updated, which can also be updated by checking Update ALL files. Packages listed: Microsoft Software Updates in English, German, French, Italian, Spanish, Arabic, Danish, Czech, Finnish, Hebrew and Hungarian versions.]
5. Select the updates to be downloaded and click Next.
6. Click Start to initiate the update process.
6.10.6 Product Updates Activity
GFI LANguard 9.0 maintains a comprehensive log of all updates activity. This information can be reviewed by opening Dashboard tab > Scheduled Operations > Product Updates Activit
65. [Screenshot 98: Scanning Profiles properties, Scanner Options tab. Visible defaults: UDP port scan query timeout 600 ms; WMI timeout 20000 ms; SSH timeout 15000 ms]
Configurable options include timeouts, types of queries to run during target discovery, number of scanning threads count, SNMP scopes for queries and more.
NOTE: Configure these parameters with extreme care. An incorrect configuration can affect the security scanning performance of GFI LANguard.
8 Utilities
8.1 Introduction
Use the Utilities tab to access the following list of default network tools:
• DNS Lookup
• Traceroute
• Whois
• Enumerate Users
• SNMP Audit
• SNMP Walk
• SQL Server Audit
• Enumerate Computers
8.2 DNS lookup
DNS lookup resolves domain names into the corresponding IP address and retrieves particular information from the target domain (for example, MX record, etc.).
[Screenshot: DNS Lookup tool]
66. be enumerated during a scan.
[Screenshot 79: Vulnerability properties dialog, General tab. Fields: Name, Type, OS Family, OS Version, Product, Timestamp, Severity]
To change the properties of a vulnerability check:
1. Right-click on the vulnerability to customize and select Properties.
2. Customize the selected vulnerability check through the following tabs:
• General: Use this tab to customize the general details of a vulnerability check, including vulnerability check name, vulnerability type, OS family, OS version, Product, Timestamp and Severity.
• Conditions: Use this tab to configure the operational parameters of this vulnerability check. These parameters will define whether a vulnerability check is successful or not. For information on how to configure vulnerability check conditions, refer to the Vulnerability check conditions setup section in this manual.
• Description: Use this tab to customize the vulnerability check description.
• References: Use this tab to customize references and links that lead to relevant information in the OVAL, CVE, MS Security, Security Focus and SANS TOP 20 reports.
3. Click on OK to save your settings.
7.4.4 Vulnerability check conditions setup
The Conditions tab ena
67. bles you to add or customize conditions which define whether the computer or network being scanned is vulnerable or not. It is therefore of paramount importance that any custom checks defined in this section are set up by qualified personnel that are aware of the ramifications of their actions.
[Screenshot 80: Vulnerability conditions setup tab. On-screen text: "This vulnerability will be triggered when the below conditions are met"]
To add a vulnerability check condition:
1. Click Add.
[Screenshot 81: Check properties wizard, Step 1 of 3 (Select the type of check). Check types shown: Independent Family Test, Independent FTP Banner Test, Independent HTTP Banner Test, Independent POP3 Banner Test, Independent Port Open Test, Independent Python Script Test, Independent SMTP Banner Test, Independent SSH Banner Test, Independent TCP Banner Test, Independent TELNET Banner Test, Independent Text File Content Test, Independent VB Script Test. Check description for the selected type: "Executes a VB script and returns a boolean value"]
2. Select the type of check to be configured and click Next.
3. D
68. can the domain/workgroup to which your local host is joined.
4. Click Next.
5. Specify the credentials that GFI LANguard will use to logon to target computers. GFI LANguard must logon to target computers with administrator privileges.
6. Click Scan to start the process.
2.4 Full Scan
During a full scan, GFI LANguard will scan target computers to retrieve setup information and identify all security vulnerabilities, including:
• Missing Microsoft updates
• System information: Software, including unauthorized applications, incorrect anti-virus settings and outdated signatures
• System information: Hardware, including modems and USB devices connected
Due to the large amount of information retrieved from scanned targets, Full Scans tend to often be lengthy. It is recommended to run a Full scan at least once every 2 weeks.
When to use Full Scans
It is recommended to launch Full Scans:
• At least once every 2 weeks to run network audits on multiple network machines
• To retrieve system information and to scan targets for all vulnerabilities
• Whenever new threats emerge
• Whenever suspicious activity is noticed
2.4.1 How to launch a Full Scan
1. Launch the GFI LANguard management console from Start > Programs > GFI LANguard 9.0 > GFI LANguard.
2. From the Network Audit > Scan tab (which opens by default), click on the Full Scan option.
3. Sp
69. canning tool
The lnsscmd.exe command-line target scanning tool allows you to run vulnerability checks against network targets directly from the command line, or through third-party applications, batch files and scripts. The lnsscmd.exe command-line tool supports the following switches:
lnsscmd Target profile profileName report reportPath output pathToXmlFile user username password password UseComputerProfiles email emailAddress DontShowStatus
Switches:
• Target: Specify the IP, range of IPs or host name(s) to be scanned.
• Profile: (Optional) Specify the scanning profile that will be used during a security scan. If this parameter is not specified, the scanning profile that is currently active in GFI LANguard will be used. NOTE: In the management console, the default (i.e. currently active) scanning profile is denoted by the word Active next to its name. To view which profile is active, expand the Configuration > Scanning Profiles node.
• Output: (Optional) Specify the full path (including filename) of the XML file where the scan results will be saved.
• Report: (Optional) Specify the full path (including filename) of the HTML file where the scan results HTML report will be output/saved.
• User and Password: (Optional) Specify the alternative credentials that the scanning engine will use to authenticate to a target comp
70. choose
[Screenshot 2: Scan Options]
GFI LANguard ships with preconfigured scanning options. These options are located in the Network Audit tab, which opens by default every time that the GFI LANguard management console is launched. Parameters preconfigured in these default scanning options include the scan profile. Scan profiles are a collection of vulnerability checks that determine what vulnerabilities will be identified and which information will be retrieved from scanned targets. The default scanning options provide quick access to the following scanning modes:
• Quick scan: Scanning mode set to audit target computers for system information and high security vulnerabilities only, including missing Microsoft updates. The scanning profile used in this scanning option is by default set to High Security Vulnerabilities.
• Full scan: Scanning mode set to audit target computers for system information and all possible security vulnerabilities. The scanning profile used in this scanning option is by default set to High Security Vulnerabilities.
• Launch a custom scan: Scanning mode which allows you to configure on the fly the parameters to be used during a scan. Configuration is wizard-assisted and configurable parameters include scanning profile. For more information on how to execute a custom scan, refer to the Custom scans section in this manual.
• Set u
71. common issues. Click Next to continue.
[Screenshot 126: Troubleshooter fixed known issues]
5. The troubleshooter will fix any known issues that it encounters. Select Yes if your problem was fixed, or No if your problem is not solved, to search the GFI Knowledge Base for information.
13.3 Knowledge Base
GFI maintains a Knowledge Base which includes answers to the most common problems. The Knowledge Base always has the most up-to-date listing of technical support questions and patches. To access the Knowledge Base, visit http://kbase.gfi.com
13.4 Web Forum
User-to-user technical support is available via the web forum. The forum can be found at http://forums.gfi.com
13.5 Request technical support
If you have referred to this manual and our Knowledge Base articles and you still cannot solve issues with the software, contact the GFI Technical Support team by filling in an online support request form or by phone.
• Online: Fill out the support request form on http://support.gfi.com/supportrequestform.asp. Follow the instructions on the page to submit your support request.
• Phone: To obtain the correct technical support phone number for your region, visit http://www.gfi.com/company/contact
72. computer on which to test the application auto uninstall. Click Next to continue.
4. Provide the authentication details for the validation operation and click Next to continue.
5. Review the Auto uninstall validation wizard information and click Start to validate application auto uninstall. For more information on auto uninstall validation, refer to Application auto uninstall validation in this manual.
Step 3: Set up a scheduled scan
Define a scheduled scan that will have the option to automatically uninstall all unauthorized applications which are validated. Within the scheduled scan, define what computers are scanned, the frequency and which the unauthorized applications are.
Step 4: Review scheduled scan status
Select Dashboard > Scheduled Operations to review the status of scheduled scans and auto remediation operations.
5 GFI LANguard dashboard
5.1 Introduction
GFI LANguard provides you with a dashboard which graphically indicates the status of various operations that might be currently active or are scheduled. Access the GFI LANguard dashboard from the Dashboard tab.
5.2 Viewing the global security threat level
[Screenshot: GFI LANguard Dashboard tab]
73. Screenshot 51: Uninstall applications. 2. From the Uninstall Unauthorized Applications screen, select either the Sort by computers tab (view list of computers and the relative applications to uninstall) or the Sort by applications tab (list of applications and relative computers to uninstall from). 3. Select the applications/computer combination to uninstall. NOTE: The list of applications displayed relies on the unauthorized applications set up for the scanning profile in use. For more information on how to set up and validate applications to uninstall, refer to the Applications inventory and Application auto uninstall validation sections in this manual. 4. Select Uninstall immediately to immediately uninstall any applications selected, or provide a date/time combination in the Uninstall on field. 5
74. cular targets, such as, for example, identifying only which patches are missing in your system. Screenshot 23: Scan filter nodes. Results Filtering: The Results Filtering option enables you to generate reports based on security scan results. What are scan results filters? Through scan results filters you can define queries for results generated after each scan. You can specify parameters on what information you want to see, as well as create, customize and delete results filters. Filter
75. d 9.0 OVAL Support: GFI LANguard 9.0 supports all checks defined in the XML file issued by OVAL, with the exception of HP-UX checks. GFI LANguard 9.0 does not support HP-UX based machines, and therefore it is beyond the scope of this product to include these checks within its check definition database. 12.2.2 About OVAL Compatibility: OVAL Compatibility is a program established to develop consistency within the security community regarding the use and implementation of OVAL. The main goal of the compatibility program is to create a set of guidelines that will help enforce a standard implementation. An offshoot of this is that users are able to distinguish between, and have confidence in, compatible products, knowing that the implementation of OVAL coincides with the standard set forth. For a product or service to gain official OVAL Compatibility, it must adhere to the Requirements and Recommendations for OVAL Compatibility and complete the formal OVAL Compatibility Process. OVAL Compatibility means that GFI LANguard incorporates OVAL in a pre-defined, standard way and uses OVAL for communicating details of vulnerabilities, patches, security configuration settings and other machine states. 12.2.3 Submitting OVAL listing error reports: Any issues with GFI LANguard or the listing of the OVAL checks included with GFI LANguard should be reported to GFI through its official support lines. Refer to the Troubleshooting section within this manu
76. diately displays a scan summary that graphically displays the vulnerability level of the scanned computer, or a combined interpretation of the scan results obtained following a network scan. Screenshot 13: Scan summary. 3.3 Vulnerability level rating: The vulnerability level is a rating given by GFI LANguard to each computer after it has been scanned. This rating indicates the vulnerability level of a computer/network depending on th
77. Screenshot 22: Reloaded scan results. By default, saved scan results are stored in a database. GFI LANguard stores the results data of the last 10 scans performed per scanning profile. NOTE: You can configure the number of scan
78. Screenshot 107: SQL Server Audit. 2. In the Audit MS SQL Server dropdown, specify the IP address of the SQL Server that you wish to audit. 3. Under Common Tasks in the left pane, click on Edit SQL Server Audit options (or the Options button on the right pane) to edit the default options, such as performing dictionary attacks on all the other SQL user accounts. 4. Click on the Audit button to start the process. 9 Using GFI LANguard from the command line. 9.1 Introduction: In this chapter you will discover how to use the three command line tools bundled with GFI LANguard: lnsscmd.exe, deploycmd.exe and impex.exe. These command line tools allow you to launch network vulnerability scans and patch deployment sessions, as well as importing and exporting profiles and vulnerabilities, without loading up the GFI LANguard management console. They are configured through a set of command line switches; the complete list of supported switches, together with a description of the respective function, is provided below. 9.2 Using lnsscmd.exe: the command line s
79. Screenshot 53: Status Monitor, Statistics tab. The Security Status tab provides you with extensive security information based on data acquired during scans. This enables you to determine at a glance the current network vulnerability level, the top most vulnerable computers, and the number of computers in the database. It also provides you with a breakdown of the vulnerable computers according to their vulnerability level. NOTE: The data d
80. dy deployed on targets. To roll back deployed patches and service packs: 1. Go to Network Audit > Scan and launch a scan on the computer(s) from which you need to roll back patches. 2. From the scan results, right-click on listed computers and select Remediate > Uninstall Microsoft patches. 3. Select the target computer.
81. e Configuration tab to download the latest Microsoft Software Update files in all languages currently in use on your network. This would allow the security scanning engine to discover and report both English as well as non-English missing patches and service packs. Based on this information, you can then use the patch deployment engine to download and install the missing update files in their respective languages network-wide. The Automatically download the required Microsoft Language packs option enables you to automatically download language packs for a wide range of languages, which includes but is not limited to: English, German, French, Italian, Spanish, Arabic, Danish, Czech, Finnish, Hebrew, Hungarian, Japanese, Korean, Dutch, Norwegian, Polish, Portuguese, Portuguese Brazilian, Russian, Swedish, Chinese, Chinese Taiwan, Greek and Turkish. Information on how to manually download and deploy multilingual Microsoft Update Files is provided further on in this chapter. NOTE: Manual updates are required only if GFI LANguard is not configured to automatically download the required Microsoft Language packs. 6.10.1 GFI LANguard updates: The program updates tool will allow the user to download and customize the GFI LANguard updates. The user can configure GFI LANguard to auto-download updates released by GFI to improve functionalities in GFI LANguard. These updates include also checking GFI web site for
82. e Maintenance Options > Database backend settings. Screenshot 67: The database maintenance properties dialog. 2. Select the MS Access option and specify the full path (including the file name) of your Microsoft Access database backend. NOTE 1: If the specified database file does not exist, it will be created. NOTE 2: If the specified database file already exists and belongs to a previous version of GFI LANguard, you will be asked whether you want to overwrite the existing information. 3. Click OK to finalize your settings. 6.8.3 Storing scan results in an MS SQL Server database: To store scan results in a Microsoft SQL Server database: 1. Click on Configuration > Database Maintenance Options > Database backend settings.
83. e basis. Make sure to enable network device scanning in all profiles where this is required. 7.9.2 Scanning for network devices: Compiling a network device blacklist/whitelist. To compile a network device blacklist/whitelist for a scanning profile: 1. From the Network & Security Audit Options tab, click Devices sub-tab. 2. Click Network Devices tab. 3. Select the scanning profile to customize from the left pane under Profiles. 4. In the right pane, to create a network device blacklist, specify which devices you want to classify as high security vulnerabilities in the space provided under "Create a high security vulnerability for network devices which name contains". For example, if you enter the word "wireless", you will be notified through a high security vulnerability alert when a device whose name contains the word "wireless" is detected. To create a network device whitelist, specify which devices you want to ignore during network vulnerability scanning in the space provided under "Ignore (Do not list/save to db) devices which name contains". NOTE: Only include one network device name per line. 7.9.3 Configuring advanced network device scanning options
84. Screenshot 45: Uninstalling a patch. 4. Select the patches or service packs to be uninstalled from selected targets. 5. Click Start to initiate the uninstall process. 4.3.6 Monitoring the patch uninstall process: To view the patch rollback progress, click on the Uninstallation Status tab. 4.4 Deploying custom software: In addition to Microsoft security updates (i.e. patches, etc.), GFI LANguard also allows you to remotely deploy third party or custom software network-wide. Software that can be remotely deployed via this engine includes: security applications such as complete anti-virus/anti-spyware solutions, software firewalls and more; third party software updates and patches such as anti-virus/anti-spyware signature file updates; custom cod
85. e for which this application will be set as unauthorized and click Next. 4. GFI LANguard can associate partial names with entries already in the list. As a result, the system will prompt you to confirm whether to apply the same changes also to applications that partially have the same name. 5. Click Finish to finalize settings. Adding a new unauthorized application: To manually add a new application without selecting an application from the applications inventory: 1. Click on Configuration tab > Applications inventory sub-node. 2. Under Common Tasks, click on Add a new application. 3. The Add unauthorized application wizard is launched. In the welcome screen, click Next to proceed. Screenshot 60: Applications inventory wizard. 4. Specify application name. Optionally, you can also specify version number and publisher. Click Next to continue. 5. Select t
86. e number and type of vulnerabilities and/or missing patches found. Screenshot 14: Vulnerability level meter. A high vulnerability level is a result of vulnerabilities and/or missing patches whose average severity is categorized as high. When a number of computers are scanned in a single audit session, a measurement of the global vulnerability level is based on a weighted sum of the vulnerabilities detected on the computers scanned. Vulnerability level is indicated using a color-coded graphical bar. A red color code indicates a high vulnerability level, whilst a green color code indicates a low vulnerability level. 3.4 Detailed scan results: Click on the Analyze tab to access a more detailed list of vulnerabilities.
87. e such as scripts and batch files; desktop applications such as MS Office 2007 and more. 4.4.1 Enumerating the software to be deployed. Screenshot 46: Deploy custom software. To specify which software to deploy: 1. Click on Network Audit tab > Remediate. 2. Click Deploy Custo
88. ecify the target computer to be scanned by selecting one of the following options. Scan this computer: Use this option to scan local host. Scan another computer: Use this option to scan a specific computer. Parameters required are target computer name or IP. Scan entire domain/workgroup: Use this option to scan the domain/workgroup to which your local host is joined. 4. Click Next. 5. Specify the credentials that GFI LANguard will use to log on to target computers. GFI LANguard must log on to target computers with administrator privileges. 6. Click Scan to start the process. 2.5 Custom scan: A custom scan is a network audit based on parameters which you configure on the fly before launching the scanning process. Various parameters can be customized during this type of scan, including: type of scanning profile to use (i.e. the type of checks to execute/type of data to retrieve); scan targets; logon credentials. In custom scans, scan profiles are organized under 3 profile groups. Vulnerability assessment: This group contains profiles that scan target computers for network threats based on guidelines provided by OVAL, CVE and SANS TOP20 bulletins. Network & Software audit: This group contains profiles that scan target computers for system information such as OS information, installed applications and USB devices connected. Complete/Combination scans: This group contains Full Scan profiles that audit targ
89. Screenshot 94: The applications configuration page. Through this tab you can also configure GFI LANguard to detect and report unauthorized software installed on scanned targets, and to generate high security vulnerability alerts whenever such software is discovered. 7.11.1 Scanning installed applications. Screenshot 95: List of supported anti-virus and anti-spyware applications. By default
90. ed. To create a USB device whitelist, specify which USB devices you want to ignore during network vulnerability scanning in the space provided under "Ignore (Do not list/save to db) devices which name contains". NOTE: Only include one network device name per line. 7.11 Configuring applications scanning options: Use the Applications tab to specify which installed applications will be investigated by a scanning profile during a target computer scan.
91. eenshot 69: Database maintenance properties, Managed saved scan results tab. To manage saved scan results: 1. Click on the Configuration > Manage saved scan results. 2. To manually delete saved scan results, select the particular result(s) and click on the Delete Scan(s) button. 3. To let GFI LANguard manage database maintenance for you, select "Scans generated during the last" to automatically delete scan results which are older than a specific number of days/weeks or months, or "Scans per scan target per profile in number of" to retain only a specific number of recent scan results. 6.8.5 Database maintenance: List of scanned computers. GFI LANguard incorporates a mechanism where a global list of scanned computers is maintained for licensing purposes. This enables GFI LANguard to enforce its licensing details, where a larger range of scanned computers than what is specified in the licensing information will not be scanned. GFI LANguard enables systems administrators to delete previously scanned computers (nodes) so that node licenses taken by computers that are no longer present on the network, or which should no longer be scanned, can be reutilized.
92. efine the object to examine and click Next. 4. Set attributes/desired parameters and click Finish to finalize your settings. Screenshot 82: Edit vulnerability. 5. If more than one condition is set up, define conditional operators and click OK to finalize your configuration settings. Vulnerability checks, advanced options: Use the Advanced option included in the Vulnerabilities tab to bring up the advanced vulnerabilities scanning options. Screenshot 83: Advanced vulnerability scanning dialogs. Use these options to: Configure extended vulnerability scanning features that check your target computers for weak pas
93. egal compliance. Ensure that the GFI LANguard Attendant service is running, otherwise scheduled operations will fail to start. 2.6.1 How to set up a Scheduled Scan: To perform a scheduled scan: 1. Launch the GFI LANguard management console from Start > Programs > GFI LANguard 9.0 > GFI LANguard. 2. From the Network Audit > Scan tab (which opens by default), click on the Set Up a Scheduled Scan option. Screenshot 7: New Scheduled Scan dialog. 3. Select one of the following options and click Next. Scan a single computer: Select this option to scan local host or one specific computer. Scan a range of computers: Select this option to scan a number of computers defined through an IP range. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID002749. Scan a list of computers: Select this option to manually create a list of targets, import targets from file, or select targets from network list. Scan computers in text file: Select this o
94. Screenshot 26: Filter properties dialog. 4. Click Add and select the required filter property from the provided list. This defines what type of information is extracted from the scan results (i.e. the area of interest of the scan filter). Click Next to continue. Screenshot 27: Filter condition properties dialog. 5. Select the required filter condition from the drop-down provided. 6. Specify the filter value. This is the reference string used with the specified condition to filter information from scan results. Click Add to continue. NOTE: You can create multiple filter conditions for every scan filter. This allows you to create powerful filters that more accurately isolate the scan results information that you may want to analyze.
95. Screenshot 90: Scanning Profiles properties, System Information tab options. To specify what System Information is enumerated by a particular scanning profile during vulnerability scanning: 1. From the Network & Security Audit Options tab, click System Information sub-tab. 2. Select the scanning profile that you wish to customize from the left pane under Profiles. 3. From the right pane, expand the Windows System Information group or Linux System Information group accordingly. 4. Select which Windows/Linux OS information will be retrieved by the security scanner from scanned targets. For example, to enumerate administrative shares in scan results, expand the Enumerate shares option and set the Display admin shares option to Yes. 7.9 Configuring the attached devices scanning options: Use the Devices tab to enumerate network devices.
96. erations, as well as enumeration of other open TCP/UDP ports and missing patches, are not performed by this profile. Use this scanning profile to enumerate open TCP/UDP ports, including those most commonly exploited by Trojans. The list of ports that will be enumerated by this profile can be customized through the TCP/UDP ports tab. Use this scanning profile to enumerate all software applications installed on scan targets. This includes security software such as anti-virus and anti-spyware. Use this scanning profile to audit your network and enumerate all open TCP and UDP ports. Use this scanning profile to perform network discovery and retrieve information regarding hardware devices (routers, switches, printers, etc.) that have SNMP enabled. This enables you to monitor network attached devices for conditions that require administrative attention. Use this scanning profile to audit your network and enumerate all computers that are currently connected and running. Use this scanning profile to audit your network and enumerate all open shares, either hidden or visible. No vulnerability checks are performed by this profile. Use this scanning profile to audit your network and identify how long each computer has been running since the last reboot. Use this scanning profile to audit your network and retrieve system information on available storage space. Use this scanning profile to retrieve system information such as operating system details
97. The Results Comparison option enables the identification of network security changes which occurred over a period of time which spans two network security scans. Select two previously saved scan results and click the Compare button for a comparison report. Screenshot 29: Results comparison configuration options. 1. Click on Network Audit > Analyze. 2. Right-click the Result comparison node and select Edit comparison options. Screenshot 30: Edit comparison options (Display the following items: New items, Removed items, Changed items; Options: Show vulnerability changes, Show only hotfix changes). 3. Select the information item(s) to be reported. 3.10.2 Generating a results comparison report. Select the scan result to use for the required operation
98. esults, a vulnerability warning will be shown in the Vulnerability Assessment node of the scan results. 10.3 GFI LANguard SSH Module. GFI LANguard includes an SSH module which handles the execution of vulnerability scripts on Linux/UNIX-based systems. The SSH module determines the result of vulnerability checks through the console (text) data produced by an executed script. This means that you can create custom Linux/UNIX vulnerability checks using any scripting method that is supported by the target's Linux/UNIX OS and which outputs results to the console in text. 10.3.1 Keywords. The SSH module can run security scanning scripts through its terminal window. When a security scan is launched on Linux/UNIX-based target computers, vulnerability checking scripts are copied through an SSH connection to the respective target computer and run locally. The SSH connection is established using the logon credentials (i.e. username and password/SSH private key file) specified prior to the start of a security scan. The SSH module can determine the status of a vulnerability check through specific keywords present in the text output of the executed script. These keywords are processed by the module and interpreted as instructions for GFI LANguard. Standard keywords identified by the SSH module include: TRUE, FALSE, AddListItem, SetDescriptio
99. et computers for a wide array of threats and system information. When to use Custom Scans: it is recommended to use custom scans when performing a one-time scan with particular scanning parameters/profiles; when performing a scan for particular network threats and/or system information; to perform a target computer scan using a specific scan profile. 2.5.1 How to launch a Custom Scan. To perform a custom scan: 1. Launch the GFI LANguard management console from Start > Programs > GFI LANguard 9.0 > GFI LANguard. 2. From the Network Audit > Scan tab, which opens by default, click on the Launch a Custom Scan option. Custom scan wizard, Step 1 of 5: Select scan job type. Select the type of data to collect from scan targets. Vulnerability Assessment: Scan for network threats (e.g. missing Microsoft updates) using built-in vulnerability checks based on OVAL, CVE and SANS TOP 20 vulnerabilities. Network & Software Audit: Collect system information such as installed applications (i.e. identify malware/unauthorized software), open network shares (i.e. potential intrusion point) and USB devices connected (i.e. potential data theft). Complete/Combination Scans: Combine vulnerability assessment and network inventory in a single scanning session. NOTE: These scans can be time consuming.
100. Screenshot 3: Scan profile groups. 3. Select the scan profile group applicable to the type of information to be retrieved from targets and click Next. E.g. to audit targets for USB devices connected, select the Network & Software Audit option. Custom scan wizard, Step 2 of 5: Select scan profile. Select parameters to use for scan job. Scan profiles listed: Full Vulnerability Assessment, Full Scan Slow Networks. Description: Scan your network for all supported vulnerabilities, including open TCP/UDP ports, missing patches and service packs, USB devices and more. This scanning profile is also used to retrieve system information. NOTE: The vulnerability check timeouts in this profile are preconfigured to suit the network traffic and transmission delays usually associated with LAN environments. NOTE: Scan profiles contain pre-set parameters used by the scanner for the job type selected. Screenshot 4: Custom Scan Wizard: Scan type. 4. Select the profile to use during this scan and click Next. Custom scan wizard, Step 3 of 5: Define target type. Select the type of targets to be scanned. Scan types: Scan a single computer (choose the local computer or specify the hostname or IP address of a remote computer); Scan a range of computers; Scan a list of computers; Scan compu
101. f GFI LANguard and is stored on the remote target computer(s). All new computer profiles are disabled by default. For information on how to enable newly created computer profiles, refer to the Enabling/Disabling Profiles section in this manual. 6.3.2 Creating a new computer profile. 1. Select Configuration > Computer Profiles. 2. Under Common Tasks, click on New computer(s) profile. 3. In the General tab, specify the target computer name. Computer(s) profile, Logon Credentials: Specify credentials to use to log on to target computer(s). Logon to target computer(s) using: Security context of the account under which the security scan is being made; Alternative credentials. NOTE: To scan Windows computers, use the scan security context (currently logged on user, service user) or alternative logon credentials. To scan non-Windows computers such as Linux machines, you need to specify alternative credentials or an SSH private key file. Screenshot 57: Computer profile properties dialog. 4. Click on the Logon Credentials tab and specify credentials accordingly. 5. Click OK to finalize configuration. 6.3.3 Configuring computer profile parameters.
102. f the Password must be at least entry field to 8. 16. Click on the OK button to close the dialog. Screenshot 121: Enforcing password complexity. 17. From the right pane, double-click on the Password must meet complexity requirements policy. Then enable the Define this policy setting in the template option and select Enabled. 18. Click on the OK button to close the dialog. 19. At this stage the password policy settings of the new GPO have been configured. Close all dialogs and exit the Active Directory Users and Computers configuration dialog. 11.5 Viewing the Password Policy Settings of an Active Directory-Based Domain. NOTE: You must be logged on as a member of the Domain Admin group. Use the following procedure to verify that the appropriate password policy settings are applied and effective in the Domain Policy GPO. Verifying the settings and their operation ensures that the correct password policies will be applied to all users in the domain. To verify password policy settings for an Active Directory domain: 1. Navigate to the Control Panel and open the Administrative Tools. 2. Open Active Directory Users and Computers. Right-click on the root container of the domain and select Properties
103. fer to the logon credentials stored in these computer profiles when authenticating to target computers. This way you will not need to specify a default set of logon credentials prior to starting a network scan. It also makes it possible to scan target computers that require different logon credentials and authentication methods in the same single session. For example, you can run vulnerability checks on Windows targets, which require username/password credential strings, and Linux-based targets, which require username/SSH private key files, in a single scanning session. 6.3.1 About SSH private key authentication. GFI LANguard connects to Linux-based target computers through SSH connections. In public key cryptography, two keys (in the form of text files) are used to verify the authenticity of an SSH connection request. These keys are identified as the SSH private key and SSH public key. The SSH key pair (i.e. public and private keys) is manually generated using a third-party tool such as SSH KeyGen (generally included by default in the Linux SSH package). The SSH private key is the half of the key pair that the scanning engine will use to authenticate to a remote Linux-based target. This means that the SSH private key is used instead of the conventional password string and hence must be stored on the computer which is running GFI LANguard. The SSH public key is the part which the remote target computer will use to challenge the authentication o
104. ferences (i.e. vulnerability reports and advisories) or OVAL ID. For an in-depth understanding of CVE names and CANs, refer to http://cve.mitre.org/cve/identifiers/index.html. 12.3.3 Searching for CVE entries in GFI LANguard. CVE entries can be searched from the Scanning profiles node within the Configuration tab. Screenshot 123: Searching for CVE information (Find bulletin: search by bulletin name, e.g. MS02-017, or QNumber, e.g. 311967). To search for a particular CVE bulletin: 1. Specify the bulletin name (for example CVE-2005-2126) in the search tool entry box included at the bottom of the right pane. 2. Click on Find to start searching for your entry. 12.3.4 Obtaining CVE names. CVE entry names can be obtained through the GFI LANguard user interface from within the Scanning profiles node within the Configuration tab. By default, the CVE ID is displayed for all the vulnerabilities that have a CVE ID. 12.3.5 Importing and exporting CVE Data. CVE data can be exported through the impex command line tool. For more information on the impex command line tool, refer to the Using impex.exe, the command line import and export tool section within this manual. 13 Troubleshooting. 13.1 Introduction. The troubleshooting chapter explains how you should go about resolving any software issues tha
105. g. NOTE: The information enumerated in this sub-node also includes the remote connection details of the scanning session just performed by GFI LANguard, i.e. the IP of the computer that is running GFI LANguard, the logon credentials, etc. Services: Active services can be a potential security weak spot in your network system. Any of these services can be a Trojan, a virus or another type of malware which can seriously affect your system in a dangerous way. Furthermore, unnecessary applications and services that are left running on a system consume valuable system resources. During the scanning process, GFI LANguard enumerates all services running on a target computer for you to analyze. This way you can identify which services must be stopped. Further to the freeing up of resources, this exercise automatically hardens your network by reducing the entry points through which an attacker can penetrate into your system. To access the list of services enumerated during a scan, click on the Services sub-node. Processes: Click on the Processes sub-node to access the list of processes that were running on the target computer during a scan. Remote time of day: Click on the Remote TOD (time of the day) sub-node to view the network time that was read from the target computer during the scan. This time is generally set on network computers by the respective domain controller. 3 Displaying and sorting scan categories
106. he scanning profiles on which you would like the unauthorized application (e.g. Full Scan) and click Next to continue. 6. Specify whether changes made will affect applications which have a partial/full name match. Click Next to continue. 7. Review the Add application wizard information and click Finish to finalize configuration. 6.5 Application auto-uninstall. Application auto-uninstall entails that applications marked as unauthorized for specific scanning profiles are first validated for a successful uninstall on a test machine. Subsequently, a scheduled scan based on the scanning profile for which the application is marked as unauthorized is configured to auto-uninstall applications. For more information on how to set a scheduled scan, refer to the Setting up a scheduled scan section in this manual. 6.5.1 Application auto-uninstall validation. Use the validation feature to identify which unauthorized applications can be automatically uninstalled by GFI LANguard. Select unauthorized applications for validation and click the Validate button.
107. his is achieved by right-clicking on the account and selecting Enable/Disable account accordingly. 8.7 SNMP Auditing. Screenshot 105: SNMP Audit tool. This tool identifies and reports weak SNMP community strings by performing a dictionary attack using the values stored in its default dictionary file (snmp-pass.txt). You can add new community strings to the default dictionary file by using a text editor (for example notepad.exe). You can also direct the SNMP Audit tool to use other dictionary files. To achieve this, specify the path to the dictionary file that you want to use from the tool options at the right of the management console. To perform SNMP audits on network targets and identify weak community strings: 1. Click on the Utilit
108. horized users to gain access to restricted areas of your IT infrastructure. The Guest account, for example, is just one example of commonly exploited accounts, the reason being that more often than not this account is left configured within a system and, even worse, without changing the default password settings. Malicious users have developed applications which can automatically re-enable the Guest account and grant it administrative rights, empowering users to gain access to sensitive areas of the corporate IT infrastructure. GFI LANguard collects information on all user accounts and user groups currently enabled on scanned targets. This information is organized in the scan results under two separate nodes. To access the list of user accounts identified during a scan on a target computer, click on the Users sub-node. Use the information enumerated in this sub-node to inspect the access privileges assigned to each user account. To gain access to the list of user groups configured on a target computer, click on the Groups sub-node. NOTE: Users should not use local accounts to log on to a network computer. For better security, users should log on to network computers using a Domain or an Active Directory account. Sessions: Click on the Sessions sub-node to access the list of hosts that were remotely connected to the target computer during scannin
109. Screenshot 101: Trace route tool. To use this tool: 1. Click on the Utilities tab and select Traceroute in the left pane under Tools. 2. In the Trace (domain/IP/name) dropdown, specify the name/IP or domain to reach. 3. Under Common Tasks in the left pane, click on Edit Traceroute options, or the Options button on the right pane, to change the default options. 4. Click on the Traceroute button to start the tracing process. Traceroute will break down the path taken to a target computer into hops. A hop indicates a stage and represents a computer that was traversed during the process. The information enumerated by this tool includes the IP of traversed computers, the number of times that a computer was traversed and the time taken to reach the respective computer. An icon is also included next to each hop. This icon indicates the state of that particular hop. The icons used in this tool indicate: a successful hop taken within normal parameters; a successful hop, but the time required was quite long; a successful hop, but the time required was too long; that the hop was timed out (> 1000ms). 8.4 Whois. Whois looks up informa
110. ies tab and select SNMP Audit in the left pane under Tools. 2. In the IP of computer running SNMP dropdown, specify the IP to reach. 3. Under Common Tasks in the left pane, click on Edit SNMP Audit options, or the Options button on the right pane, to edit the default options. 4. Click on the Retrieve button to start the process. 8.8 SNMP Walk. Screenshot 106: SNMP Walk. To probe your network nodes and retrieve SNMP information (for example OIDs): 1. Click on the Utilities tab and select SNMP Walk in the left pane under Tools. 2. In the IP address dropdown, specify the IP address of the computer that you wish to scan for
111. ile to customize from the left pane under Profiles. 3. Select the TCP ports to analyze with this scanning profile. 7.6.3 Customizing the list of TCP ports. 1. From the Network & Security Audit Options tab, click the TCP Ports sub-tab. 2. Select the scanning profile that you wish to customize from the left pane under Profiles. 3. Customize the list of TCP ports through Add, Edit or Remove. NOTE: The list of supported TCP/UDP ports is common for all profiles. Deleting a port from the list will make it unavailable for all scanning profiles. 7.7 Configuring UDP port scanning options.
112. included, for example High Security Vulnerabilities. 4. In the new window, add a new vulnerability by clicking Add in the middle pane. 5. Go through the General, Description and Reference tabs while specifying the basic details such as the vulnerability name, short description, security level and OVAL ID (if applicable). 6. Choose the Conditions tab and click on the Add button. This will bring up the check properties wizard. Check properties, Step 1 of 3: Select the type of check. Check types listed: Windows Checks; Unix Checks (Unix File Test, Unix Inetd Test, Unix Process Test, Unix RPC Service Test, Unix SSH Script Test, Unix Uname Test); Solaris Checks; Linux Checks; Independent Checks. Check description: Executes a SSH script on the target computer and returns a boolean value or a string. Screenshot 110: The check triggering conditions dialog. 7. Select the Unix checks > SSH Script Test node and click on the Next button to continue setup. 8. Click on the Choose file button and select the custom SSH script file that will be executed by this check. For this example, select myscript.sh. Click on Next to proceed. 9. Select the relative condition setup in the wizard to finalize script selection. C
113. ing. GFI LANguard ships with a powerful reporting companion that is ideal to generate management and technical reports. To access reporting: 1. Click on Network Audit > Analyze. 2. Select the Reporting node. The GFI LANguard ReportPack is a full-fledged reporting companion and a FREE add-on to GFI LANguard. Click on the button below in order to download and install GFI LANguard ReportPack. For more information on GFI LANguard ReportPack, click here. GFI LANguard ReportPack is currentl
114. ing one. 15. Click OK to finalize your settings. 16. Click Finish to finalize your configuration. 17. All new scheduled scans are by default disabled. To enable, select Configuration > Scheduled Scans and click on the NOTE: For more information on Scheduled Scans, refer to the Scheduled Scans section in this manual. Screenshot 12: Scheduled scan status. 18. Confirm that the new scheduled scan has been successfully set by clicking on Dashboard > Scheduled Operations. The new scheduled scan should be listed in the queue. For more information on how scheduled scans can be monitored, please refer to Monitoring scheduled activity. 3 Step 2: Analyzing the security scan results. 3.1 Introduction. The most important thing following a network security scan is identifying which areas and systems require your immediate attention. This is achieved by analyzing and correctly interpreting the information collected and generated during a network security scan. 3.2 Scan summary. Upon completing a scan, GFI LANguard imme
115. ing service pack. Displays all missing patches marked as critical. Shows all open TCP and UDP ports discovered on the scanned target computer(s). Shows all open shares and the respective access rights. Shows the users and groups detected on the scanned target computer(s). Shows the properties of each target computer. Displays information about the hardware configuration of the scanned computer(s). Shows all the USB devices attached to the scanned target computer(s). Shows all the wireless network cards (both PCI and USB) attached to the scanned target computer(s). Shows all the installed applications (including security software) discovered during target computer scanning. Shows only the installed security applications (i.e. anti-virus/anti-spyware software) that have missing updates and outdated signature definition files. Shows a list of non-updated security software on the scanned target computer(s). 3.9.1 Filtering scan results. To apply a scan result filter on security scan results: 1. Launch and complete a security scan of your network, or load the scan results of past scans from your database or XML file.
116. ing the results. Filters apply to the scan currently loaded in Security Scanner. To load a previously saved scan, use GFI LANguard main menu > File > Load scan results from > Database/XML file. Example 1: Filter for Windows computers missing only the MS03-041 (823182) patch in an XML scan result file for 1000 computers. 1. Create a new results filter: GFI LANguard main menu Tools > Results Filtering > Common tasks > Create new results filter. 2. In the properties window of the scan filter, add the following two filter conditions: a. Operating system > Equal to > operating system you are interested in; b. Patch > Is not installed > MS03-041 (823182). 3. Select OK to confirm the filter properties. Results will be displayed in the filter results area. Example 2: You want to list all Sun stations running a web server on port 80. Create a new filter and add the following two filter conditions: 1. Operating system > Includes > Sunos. 2. TCP port > Is open > 80. GFI LANguard ships with a default set of scan result filters that allow you to sift scan results data and display only the relevant information. Scan filters are organized in three categories: Complete Scans; Vulnerability Assessment; Network & Software Audit. The filters which ship with GFI LANguard are: Scan result filter, Description
117. Screenshot 42: Monitoring the deployment process. To view the patch deployment activity in progress, click the Deployment Status tab located at the top of the right pane.
118. inue. 6. To finalize the installation, click on the OK button and reboot the computer. After the computer has restarted, Client for Microsoft Windows will be automatically installed. 11.4 Configuring Password Policy Settings in an Active Directory-Based Domain. NOTE: You must be logged on as a member of the Domain Admin group. To implement password policies on network computers belonging to an Active Directory domain: 1. Navigate to the Control Panel and open the Administrative Tools. Screenshot 114: Active Directory Users and Computers configuration dialog. 2. Open Active Directory Users and Computers. Right-click on the root container of the domain and select Properties.
119. Choose scan profile conditions: Enable scanning for hardware devices on target computer(s). Configure which network devices you want to mark as dangerous and which you want to have ignored in your scan results. Devices which will be marked as dangerous will have a high security vulnerability notification in the scan results. Devices which are on the ignore list will not be listed or saved to the database. Screenshot 91: The network devices configuration page. Together with device enumeration, you can further configure GFI LANguard to generate high security vulnerability alerts whenever particular USB and network hardware is detected. This is achieved by compiling a list of unauthorized/blacklisted network and USB devices that you want to be alerted about. You can also configure GFI LANguard to exclude from the scanning process particular USB devices that you consider as safe such as
120. ions detected during past scans. This list is used to specify which applications are unauthorized. You can also manually add applications to the list. You can do this by specifying the entire name as well as a partial name, specify generic names or part of an application name. Automatically, GFI LANguard scans the list of applications and detects partial names. To indicate an application as unauthorized: 1. Click on the Configuration > Applications inventory sub-node. 2. From the list of applications detected, locate the application to set to unauthorized by clicking in the Unauthorized on column entry. Configure application wizard, Step 1 of 2: Mark application as unauthorized. Select the profiles under which the application will be unauthorized. Unauthorized applications are classified in scan results as High Security Vulnerability. To mark this application as unauthorized, select the scanning profile(s) which will classify this software as High Security Vulnerability. Screenshot 59: Unauthorized application scanning profile. 3. Select the scanning profil
121. isplayed in the Security Status tab is dynamically worked out by GFI LANguard based on previous scans. 5.3 Monitoring scheduled activity: Scheduled Activity is all the GFI LANguard operations that have been set up to trigger at a later date and time. Through the Scheduled Operations tab in the Dashboard tab you can monitor these operations and stop operations in progress or remove finished operations details. [Screenshot 54: Dashboard Scheduled Operations tab] To view scheduled operations in progress: 1. Select the Dashboard Scheduled Operations tab. 2. Under Scheduled Activity in the lef
122. ities; High Security Vulnerabilities; Last Year's Vulnerabilities; Only Web; Missing Patches; Critical Patches; Last Month's Patches; Only Service Packs. Use this scanning profile to enumerate all vulnerabilities reported in the SANS top 20 list. Use this scanning profile to enumerate open TCP/UDP ports and high security vulnerabilities. The list of TCP/UDP ports and high security vulnerabilities that will be enumerated by this profile can be customized through the TCP/UDP Ports tabs and the Vulnerabilities tab respectively. Use this scanning profile to enumerate network vulnerabilities that emerged during the last 12 months. Use this scanning profile to identify web server specific vulnerabilities. This includes scanning and enumerating open TCP ports that are most commonly used by web servers, such as port 80. Only TCP ports commonly used by web servers are scanned by this profile. Network auditing operations as well as enumeration of vulnerabilities and missing patches are not performed using this profile. Use this scanning profile to enumerate missing Microsoft patches. The list of missing patches that will be enumerated by this profile can be customized through the Patches tab. Use this scanning profile to enumerate only missing Microsoft patches that are tagged as critical. The list of critical patches that will be enumerated by this profile can be customized through the Patches tab. Use this scanning profile to enumerate
123. [Screenshot 97: The Applications configuration page, Security Applications tab options] GFI LANguard ships with a default list of anti-virus and anti-spyware applications that can be checked during security scanning. Enabling/disabling checks for security applications: To enable checks for installed security applications in a particular scanning profile: 1. From the Network & Security Audit Options tab, click on the Applications sub-tab. 2
124. lders and similar system files that are accessible by unauthorized users or through user accounts that do not have administrator privileges but are allowed to execute code on target computers; Unnecessary or unused shares; Incorrectly configured lockout control; Password strength enforcement policies; Security holes or breaches; Hardware and software settings such as which drivers and applications will be automatically launched at system startup; Rogue computers and wrong configurations. Computer; Groups; Users; Logged On Users; Sessions; Services; Processes; Remote TOD (time of day). MAC address; Time to live (TTL); Network role; Domain; Account operators; Administrators; Backup operations; Guests; Full name; Privilege; Flags; Login; List of logged on users; Lists hosts remotely connected to the target computer during scanning; List of active services; List of active processes; Time of remote workstation, server or laptop. Rogue computers and wrong configurations; Wrong configurations and security flaws due to rogue or obsolete user groups; Rogue, obsolete or default user accounts; Authorized and unauthorized users currently logged on computers; Authorized and unauthorized remote connections; Rogue or malicious processes, redundant services; Rogue or ma
125. le before it is installed. /reboot: (Optional Parameter) Include this switch if you want to reboot the target computer after file/patch deployment. /rebootuserdecides: (Optional Parameter) Include this switch to allow the current target computer user to decide when to reboot his computer after patch installation. /shutdown: (Optional Parameter) Include this switch if you want to shutdown the target computer after the file/patch is installed. /deletefiles: (Optional Parameter) Include this switch if you want to delete the source file after it has been successfully installed. /timeout: (Optional Parameter) Specify the deployment operation timeout. This value defines the time that a deployment process will be allowed to run before the file/patch installation is interrupted. (Optional) Use this switch to show the command line tool's usage instructions. Example: How to launch a patch deployment process from the command line tool. For this example we will be assuming that a patch deployment session with the following parameters is required: 1. Deploy a file called patchA001002.XXX. 2. On target computer TMJohnDoe. 3. Reboot the target computer after successful deployment of the file. The command line tool instruction for this particular patch deployment session is: deploycmd TMJohnDoe /file=patchA001002.XXX /reboot 9.4 Using impex.exe, the command line import
126. le products and services must meet the four requirements: • CVE Searchable: A user must be able to search for vulnerabilities and related information using the CVE name. • CVE Output: Information provided must include the related CVE name(s). • Mapping: The repository owner must provide a mapping relative to a specific version of CVE and must make a good faith effort to ensure accuracy of that mapping. • Documentation: The organization's standard documentation must include a description of CVE, CVE compatibility, and the details of how its customers can use the CVE-related functionality of its product or service. NOTE: For an in-depth understanding of CVE compatibility, refer to the complete list of CVE requirements available at http://cve.mitre.org/compatible/requirements.html 12.3.2 About CVE and CAN: CVE names (also called CVE numbers, CVE IDs and CVEs) are unique, common identifiers for publicly known information security vulnerabilities. CVE names have entry or candidate status. Entry status indicates that the CVE name has been accepted to the CVE List, while candidate status (also called candidates, candidate numbers or CANs) indicates that the name is under review for inclusion in the list. Each CVE name includes the following: • CVE identifier number (i.e. CVE-1999-0067) • Indication of entry or candidate status • Brief description of the security vulnerability or exposure • Any pertinent re
127. le will be replaced with the time of scan. Example: How to launch target computer scanning from the command line tool. For this example we will be assuming that a scan with the following parameters is required: 1. Perform a security scan on a target computer having IP address 130.16.130.1. 2. Output the scan results to c:\out.xml (i.e. XML file). 3. Generate an HTML report and save it in c:\result.html. 4. Send the HTML report via email to lnss@127.0.0.1. The command line tool instruction for this particular security scan is: lnsscmd.exe 130.16.130.1 /Profile=Default /Output=c:\out.xml /Report=c:\result.html /email=lnss@127.0.0.1 9.3 Using deploycmd.exe, the command line patch deployment tool: The deploycmd.exe command line patch deployment tool allows you to deploy Microsoft patches and third party software on remote targets directly from the command line or through third party applications, batch files or scripts. The deploycmd.exe command line tool supports the following switches: deploycmd <target> /file=FileName /username=UserName /password=Password /UseComputerProfiles /warnuser /useraproval /stopservices /customshare=CustomShareName /reboot /rebootuserdecides /shutdown /deletefiles /timeout=Timeout(sec) Switches: Target: Specify the
128. licious processes; Time inconsistencies and regional settings; Wrong configurations. Security audit policy: An important part of any security plan is the ability to monitor and audit events happening on your network. These event logs are frequently referenced in order to identify security holes or breaches. Identifying attempts and preventing them from becoming successful breaches of your system security is critical. In Windows, you can use Group Policies to set up an audit policy that can track user activities or system events in specific logs. In order to help you keep track of your system's auditing policy, GFI LANguard collects the security audit policy settings from scanned target computers and includes them in the scan results. This information is accessed by clicking on the Security Audit Policy sub-node. Apart from gaining knowledge on the current audit policy settings, you can also use GFI LANguard to access and modify the audit policy settings of your target computers. To achieve this: 1. From the Scanned Computers (middle) pane, right-click on the respective target computer and select Enable auditing on > This computer / Selected computers / All computers. [Screenshot: GFI LANguard Administration Wizard, Switch on security auditing policies]
129. lick on Finish to exit wizard. 10. Click on OK to save new vulnerability check. Testing the vulnerability check/script used in our example: Scan your local host computer using the scanning profile where the new check was added. 1. Log on to a Linux target computer and create a file called test file. This check will generate a vulnerability alert if a file called test file is found. 2. Launch a scan on the Linux target where you created the file. 3. Check your scan results. 10.4 Python scripting: GFI LANguard also supports a new type of vulnerability check: Python Script Test. This type of check is available under the Independent Checks type. [Screenshot 111: Independent checks, Python Script Test. Check description: Executes a Python script and returns a boolean value.] For more information on Python scripting refer t
130. [Screenshot 96: The Applications tab, Installed Applications tab options] To enable installed applications scanning in a particular scanning profile: 1. From the Network & Security Audit Options tab, click on the Applications sub-tab. 2. Click on the Installed Applications tab. 3. Select the scanning profile that you wish to customize from the left pane under Profiles. 4. Select the Enable scanning for installed applications on target computers option. NOTE: Installed applications scanning is configurable on a scan profile by scan profile basis. Make sure to enable installed applications scanning in all profiles where this is required. Compiling installed applications blacklist/whitelist: To compile installed applications blacklist/whitelist: 1. From the Network & Security Audit Options tab, click Applications sub-tab. 2. Click on the Installed Applications tab. 3
131. ll need to run the tool (i.e. GFI LANguard) under an account that has access rights to the Active Directory. 8.5.1 Starting a security scan: The Enumerate Computers tool scans your entire network and identifies domains and workgroups as well as their respective computers. After enumerating the computers in a domain or workgroup, you can use this tool to launch a security scan on the listed computers. To start a security scan directly from the Enumerate Computers tool, right-click on any of the enumerated computers and select Scan. You can also launch a security scan and at the same time continue using the Enumerate Computers tool. This is achieved by right-clicking on any of the enumerated computers and selecting Scan in background. 8.5.2 Deploying custom patches: You can use the Enumerate Computers tool to deploy custom patches and third party software on the enumerated computers. To launch a deployment process directly from this tool: 1. Select the computers that require deployment. 2. Right-click on any of the selected computers and select Deploy Custom Patches. 8.5.3 Enabling auditing policies: The Enumerate Computers tool also allows you to configure auditing policies on particular computers. This is done as follows: 1. Select the computers on which you want to enable auditing policies. 2. Right-click on any of the selected computers and select Enable Auditing Policies. This will launch the A
132. loying missing patches on selected computers 4. From list of target computers (labeled as 1), select the target computers on which patches/service packs will be deployed. Right-click on list to access Select/Unselect all options. [Screenshot 39: Select the updates to deploy] 5. From the list of missing patches/service packs (labeled as 2), select the updates to be downloaded and deployed. Right-click on the list to access Select/Unselect all options. [Screenshot 40: Deploy patches] 6. Select the preferred launch deployment option: • To schedule patch/service pack deployment to a later date/time, choose the Deploy on option and specify date/time. • To start the deployment immediately, select Deploy immediately and click Start. 7. Follow o
133. [Screenshot 47: List of software to be deployed] 3. From list of software to be deployed (labeled as 1), click Add and specify the path to the application to be deployed. 4. Specify any additional parameters needed by the application and click OK. [Screenshot 48: Target computers for software deployment] 5. From list of target computers (labeled as 2), click Add to specify the target computers on which the software will be deployed. [Screenshot 49: Launch deployment options] 6. Select the preferred launch deployment option: • To schedule patch/service pack deployment to a later date/time, choose the Deploy on option and specify date/time. • To start the deployment immediately, select Deploy immediately and click Start. 7. Repeat the process described above for every file/software to deploy. 8. Follow on-screen instructions (if applicable) and switch to the Deployment Status tab to view the p
134. [Screenshot 87: Extended bulletin information] 7.6 Configuring TCP port scanning options [Screenshot: GFI LANguard Scanning Profiles Editor, TCP Ports tab with the Enable TCP Port Scanning option]
135. [Screenshot 103: Enumerate Computers tool] The enumerate computers utility identifies domains and workgroups on a network. During execution, this tool will also scan each domain/workgroup discovered so as to enumerate their respective computers. The information enumerated by this tool includes: • the domain or workgroup name • the list of domain/workgroup computers • the operating system installed on the discovered computers • any additional details that might be collected through NetBIOS. Computers can be enumerated using one of the following methods: • From the Active Directory: This method is much faster and will include computers that are currently switched off. • Using the Windows Explorer interface: This method enumerates computers through a real-time network scan and therefore it is slower and will not include computers that are switched off. To enumerate computers: 1. Click on the Utilities tab and select Enumerate Computers in the left pane under Tools. 2. In the Enumerate computers in domain dropdown, select the desired domain. 3. Under Common Tasks in the left pane, click on Edit Enumerate Computers options to change the default options, or the Options button on the right pane. 4. Click on the Retrieve button to start the process. NOTE: For an Active Directory scan, you wi
136. mediation; Automatic Remediation. 5 GFI LANguard dashboard: 5.1 Introduction; 5.2 Viewing the global security threat level; 5.3 Monitoring scheduled activity. 6 Configuring GFI LANguard: 6.1 Introduction; 6.2 Scheduled Scans; 6.3 Computer profiles; 6.4 Applications inventory; 6.5 Application auto uninstall; 6.6 Configuring Microsoft updates; 6.7 Configuring alerting options; 6.8 Database maintenance options; 6.9 Importing and Exporting Settings; 6.10 Program updates. 7 Scanning Profiles: 7.1 Introduction; 7.2 Scanning profile description; 7.3 Creating a new scanning profile; 7.4 Configuring vulnerabilities; 7.5 Configuring patches; 7.6 Configuring TCP port scanning options; 7.7 Configuring UDP port scanning options; 7.8 Configuring system information retrieval options; 7.9 Configuring the attached devices scanning options; 7.10 Scanning for USB devices; 7.11 Configuring applications scanning options; 7.12 Configuring the security scanning options. 8 Utilities: 8.1 Introduction; 8.2 DNS lookup; 8.3 Traceroute; 8.4 Whois; 8.5 Enumerate computers; 8.6 Enumerate users; 8.7 SNMP Auditing; 8.8 SNMP Walk; 8.9 SQL Server Audit. 9 Using GFI LANguard from the command line: 9.1 Introduction; 9.2 Using lnsscmd.exe, the command line scanning tool; 9.3 Using deploycmd.exe, the command line patch deployment tool; 9.4 Using impex.exe, the command line
137. [Screenshot 37: Deploying missing service packs and patches] To deploy missing patches and service packs on specific computers: 1. Launch a scan or load saved scan results from Network Audit > Scan. 2. Once the scan results are loaded, click on the Network Audit > Remediate tab. 3. Click on Go to Deploy Microsoft Patches or Go to Deploy Microsoft Service Packs accordingly. Screenshot 38 Dep
138. n • !!SCRIPT_FINISHED!! Each of these keywords triggers an associated and specific process in the SSH Module. The function of each keyword is described below: • TRUE / FALSE: These strings indicate the result of the executed vulnerability check/script. When the SSH module detects a TRUE, it means that the check was successful; FALSE indicates that the vulnerability check has failed. • AddListItem: This string triggers an internal function that adds results to the vulnerability check report (i.e. scan results). These results are shown in the GFI LANguard management console after completion of a scan. This string is formatted as follows: AddListItem parent node actual string. parent node: Includes the name of the scan results node to which the result will be added. actual string: Includes the value that will be added to the scan results node. NOTE: Each vulnerability check is bound to an associated scan result node. This means that AddListItem results are by default included under an associated/default vulnerability node. In this way, if the parent node parameter is left empty, the function will add the specified string to the default node. • SetDescription: This string triggers an internal function that will overwrite the default description of a vulnerability check with a new descripti
139. n screen instructions if applicable. 4.3.1 Identifying the download queue status [Screenshot 41: Identifying the download queue status] The icons next to each update file as well as the State column show the current download status. These icons indicate the following states: • Downloaded • Currently being downloaded • Not downloaded. 4.3.2 Monitor the patch deployment process [Screenshot: GFI LANguard Remediate tab, patch deployment status]
140. name(s), IP or range of IPs of the target computer(s) on which the patch(es) will be deployed. File: Specify the file that you wish to deploy on the specified target(s). User and Password: (Optional) Specify the alternative credentials that the scanning engine will use to authenticate to a target computer during patch deployment. Alternatively, you can use the UseComputerProfiles switch to use the authentication credentials already configured in the Computer Profiles (Configuration > Computer Profiles node). /warnuser: (Optional) Include this switch if you want to inform the target computer user that a file/patch installation is in progress. Users will be informed through a message dialog that will be shown on screen immediately before the deployment session is started. /useraproval: (Optional) Include this switch to request the user's approval before starting the file/patch installation process. This allows users to postpone the file/patch installation process for later (for example, until an already running process is completed on the target computer). /stopservice: (Optional) Include this switch if you want to stop specific services on the target computer before installing the file/patch. NOTE: You cannot specify the services that will be stopped directly from the command line tool. Services can only be added or removed through the management console. /customshare: (Optional) Specify the target share where you wish to transfer the fi
141. 10. Click OK button to close the dialog. [Screenshot 118: Configuring GPO password expiry] 11. From the right pane, double-click on the Maximum password age policy. Select the Define this policy setting option and set the Password will expire in value to 42 days. 12. Click on OK to close the properties dialog. [Screenshot 119: Configuring the minimum password age] 13. From the right pane, double-click on the Minimum password age policy. Then select the Define this policy setting option and set the Password can be changed after value to 2. 14. Click on the OK button to close the dialog. [Screenshot 120: Configuring the minimum number of characters in a password] 15. From the right pane, double-click on the Minimum password length policy. Select the Define this policy setting option and set the value o
142. [Screenshot: scan results view with the Full Report filter selected, showing the filter and security scan details summary]
143. [Screenshot 58: List of existing computer profiles] To configure/change the parameters of an existing computer profile: 1. Click Configuration > Computer Profiles. 2. Right-click the computer profile to configure and select Properties. 3. Configure the required parameters and click OK to finalize your configuration. 6.3.4 Enabling/Disabling Profiles: By default, all the newly created computer profiles are disabled. GFI LANguard will therefore not use these profiles during vulnerability scans unless you enable them. To enable or disable profiles: 1. Click Configuration > Computer Profiles and select one or more profiles to be enabled/disabled. 2. Right-click on these profiles and select Enable / Disable accordingly. 6.4 Applications inventory: GFI LANguard applications inventory provides a list of all applicat
144. [Screenshot 78: Select the vulnerability checks to be run by this scanning profile. Dialog note: Adding, editing or removing vulnerabilities from the above list applies the changes to all the profiles where the edited vulnerabilities are selected.] 2. In the right pane, select the vulnerability checks that you wish to execute through this scanning profile. 7.4.3 Customizing the properties of vulnerability checks: All the checks listed in the Vulnerabilities tab have specific properties that determine when the check is triggered and what details will
145. 7.12 Configuring the security scanning options: Use the Scanner Options tab to configure the operational parameters of the security scanning engine. These parameters are configurable on a scan profile by scan profile basis and define how the scanning engine will perform target discovery and OS data querying. Screenshot (GFI LANguard Scanning Profiles Editor, Scanner Options tab) showing these settings: Network Discovery Methods: NetBIOS queries, SNMP queries, Ping sweep, Custom TCP discovery (e.g. 21, 25, 80). Network Discovery Options: Scanning delay (default 100 ms), Network discovery query responses timeout (default 500 ms), Number of retries (default 1), Include non-responsive computers. Network Scanner Options: Scanning threads count. NetBIOS Query Options: Scope ID. SNMP Query Options: Load SNMP enterprise numbers, Community strings (e.g. public, private). Global Port Query Options: TCP port scan query timeout def
146. Screenshot 92: Advanced network devices configuration dialog. From the Network Devices tab you can also specify the type of network devices checked by this scanning profile and reported in the scan results. These include wired network devices, wireless network devices, software enumerated network devices and virtual network devices. To specify which network devices to enumerate in the scan results: 1. From the Network & Security Audit Options tab, click the Devices sub-tab. 2. Click on the Network Devices tab (opens by default). 3. Select the scanning profile that you wish to customize from the left pane under Profiles. 4. Click Advanced at the bottom of the page. 5. Set the required options to Yes and on completion click OK to finalize your settings. 7.10 Scanning for USB devices (screenshot: GFI LANguard Scanning Profiles Editor, Network & Software Audit Options, Devices tab)
147. ny Vulnerability Assessment node to view the security vulnerabilities identified on the target computer, grouped by type and severity as follows: High Security Vulnerabilities; Low Security Vulnerabilities; Potential vulnerabilities; Missing Service Packs; Missing Patches. 3.5.1 High/Med/Low Security vulnerabilities: Click on the High Security Vulnerabilities or Low Security Vulnerabilities sub-nodes for a list of weaknesses discovered while probing a target device. These vulnerabilities are organized into the following groups (group: description). Mail, FTP, RPC, DNS and Miscellaneous: Lists vulnerabilities discovered on FTP servers, DNS servers, and SMTP/POP3/IMAP mail servers. Links to Microsoft Knowledge Base articles or other support documentation are provided. Web: Lists vulnerabilities discovered on web servers (such as misconfiguration issues). Supported web servers include Apache, Netscape and Microsoft I.I.S. Services: Lists vulnerabilities discovered in active services as well as the list of unused accounts that are still active and accessible on scanned targets. Registry: Lists vulnerabilities discovered in the registry settings of a scanned network device. Links to support documentation and short vulnerability descriptions are provided. Software: Lists vulnerabilities found in software installed on the scanned network device(s). Links to
148. o the GFI LANguard scripting documentation located in Start menu > Programs > GFI LANguard 9.0. 11 Miscellaneous. 11.1 Introduction: In this section you will find information on: How to enable NetBIOS on a network computer; Installing the Client for Microsoft Networks component on Windows 2000 or higher; Configuring Password Policy Settings in an Active Directory-Based Domain; Viewing the Password Policy Settings of an Active Directory-Based Domain. 11.2 Enabling NetBIOS on a network computer: 1. Log on to the target computer with administrative rights. 2. Navigate to Control Panel and access Networking options (or Network or Sharing Centre). 3. Right-click on the Local Area Connection icon of the NIC card that you wish to configure and select Properties. 4. Click on Internet Protocol (TCP/IP) and select Properties. 5. Click on the Advanced button. 6. Click on the WINS tab. (Screenshot: Advanced TCP/IP Settings dialog, WINS tab)
149. on This string is formatted as follows: SetDescription New description. !!SCRIPT_FINISHED!!: This string marks the end of every script execution. The SSH module will keep looking for this string until it is found or until a timeout occurs. If a timeout occurs before the !!SCRIPT_FINISHED!! string is generated, the SSH module will classify the respective vulnerability check as failed. NOTE: It is imperative that every custom script outputs the !!SCRIPT_FINISHED!! string at the very end of its checking process. 10.3.2 Adding a vulnerability check that uses a custom shell script: In the following example we will create a vulnerability check (for Linux-based targets) which uses a script written in Bash. The vulnerability check in this example will test for the presence of a dummy file called test.file. Step 1: Create the script. 1. Launch your favorite text file editor. 2. Create a new script using the following code:

    #!/bin/bash
    # Report TRUE: if the dummy file exists, FALSE: otherwise.
    if [ -e test.file ]
    then
        echo "TRUE:"
    else
        echo "FALSE:"
    fi
    # Marks the end of the script for the SSH module.
    echo "!!SCRIPT_FINISHED!!"

3. Save the file in <GFI LANguard 9.0 installation folder path>\Data\Scripts\myscript.sh. Step 2: Add the new vulnerability check. 1. Open the GFI LANguard management console. 2. Click on the Configuration tab, expand the Scanning Profiles and click on the Vulnerability Assessment sub-node. 3. From the middle pane, select the category in which the new vulnerability check will be
150. ormation details page select one of the following options: Automatically detect and fix known issues: use this option to automatically have the troubleshooting wizard detect and fix issues which already have been notified and fixed by GFI support (NOTE: This is the recommended option). Gather only application information and logs: use this option to gather logs to send to GFI support. 4. Click Next to continue. Screenshot 125: Troubleshooter wizard, gathering information about known issues. The checks shown in the screenshot are: connectivity with the update server; whether the latest build is installed; whether the user LNSS_MONITOR_USR exists on this computer; whether the user LNSS_MONITOR_USR has administrator privileges; whether the Attendant Service user has administrator privileges; whether the LNSSCommunicator, RepServer and CRMI COM objects can be instantiated; whether the Attendant Service is installed and running on this computer; and whether the scanning profiles database is available. 4. The troubleshooter wizard will retrieve all the information required to solve
151. osoft Access based database backend, you must regularly repair and compact it, two functions that GFI LANguard allows you to automate. During compaction the database files are reorganized and records that have been marked for deletion are removed. In this way you can regain precious storage space. During this process GFI LANguard also repairs corrupted database backend files. Corruption may occur for various reasons. In most cases a Microsoft Access database is corrupted when the database is unexpectedly closed before records are saved (for example due to a power failure, hung up processes, forced reboots, etc.). Screenshot 71: Database Maintenance properties: Advanced tab. The dialog states that the compaction option is only available when using Microsoft Access as a database backend; when using SQL Server/MSDE as a database backend you need to manually set maintenance plans according to your company policies. To compact and repair a Microsoft Access based database backend: 1. Click on Configuration > Database maintenance plan. 2. To manually launch a repair and compact process on a Microsoft Access database backend, click on the Compact
152. Screenshot 61: Application auto uninstall validation. Application auto uninstall validation enables you to validate the uninstallation procedure for the applications which are to be automatically uninstalled by GFI LANguard. This is a requirement prior to the actual uninstallation process and no applications are uninstalled during scans unless verified. NOTE: For more information on how to mark applications as unauthorized and therefore enable their uninstallation, refer to the Applications inventory section in this manual. 1. Click on Configuration > Applications Inventory > Auto Uninstall Validation. 2. In the right pane
153. Screenshot 88: Scanning Profiles properties: TCP Ports tab options. 7.6.1 Enabling/disabling TCP Port scanning: To enable TCP Port Scanning in a particular scanning profile: 1. From the Network & Security Audit Options tab, click the TCP Ports sub-tab. 2. Select the scanning profile that you wish to customize from the left pane under Profiles. 3. Select the Enable TCP Port Scanning option. 7.6.2 Configuring the list of TCP ports to be scanned: To configure which TCP ports will be processed by a scanning profile during vulnerability scanning, select the required ports: 1. From the Network & Security Audit Options tab, click the TCP Ports sub-tab. 2. Select scanning prof
154. oyment process. Important notes: 1. To successfully deploy missing patches, ensure that GFI LANguard is running under an account that has administrative privileges. 2. Ensure that the NetBIOS service is enabled on the remote target computer. For more information on how to enable NetBIOS, refer to the Enabling NetBIOS on a network computer section in this manual. 3. A complete list of Microsoft products for which GFI LANguard can download and deploy patches is available at http://kbase.gfi.com/showarticle.asp?id=KBID001820 4. GFI LANguard can be set to automatically download missing patches and service packs discovered during a network security scan. For more information refer to the Configuring Microsoft updates section in this manual. 4.3 Deploying missing updates (screenshot: GFI LANguard Remediate tab, Deploy Microsoft Patches page)
155. p a scheduled scan: Scanning mode which allows you to audit target computers at configurable time intervals. For more information on how to set scheduled scans, refer to the Scheduled scans section in this manual. Important notes: 1. If Intrusion Detection Software (IDS) is running during scans, GFI LANguard will set off a multitude of IDS warnings and intrusion alerts in these applications. If you are not responsible for the IDS system, make sure to inform the person in charge about any planned security scans. 2. In most cases, vulnerability scans will generate different event log entries across diverse systems, e.g. UNIX logs and web server logs will all detect GFI LANguard scans as intrusion attempts triggered from the computer running GFI LANguard. 3. To successfully execute a scan, GFI LANguard must remotely log on to target computers with administrator privileges. 4. For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database. 5. When submitting a list of target computers from file, ensure that the file contains only one target computer name per line. 2.3 Quick Scan: During a quick scan, GFI LANguard will analyze target computers and retrieve setup information and missing updates, including: Missing Microsoft Office patches; Missing Microsoft Windows service packs; System information Software including OS details and settings, open ports and open shares
156. Screenshot 89: Scanning Profiles properties: UDP Ports tab options. 7.7.1 Enabling/disabling UDP Port scanning: To enable UDP Port Scanning in a particular scanning profile: 1. From the Network & Security Audit Options tab, click the UDP Ports sub-tab. 2. Select the scanning profile to customize from the left pane under Profiles. 3. Select the Enable UDP Port Scanning option. 7.7.2 Configuring the list of UDP ports to be scanned: To configure which UDP ports will be processed by a scanning profile during vulnerability scanning, select the required ports: 1. From the Network & Security Audit Options tab, click the UDP Ports sub-tab. 2. Select the scanning profile to customize from the left pane under Profiles. 3. Select the UDP ports that will be analyzed by this scanning profile. 7 7
157. ption to scan targets enumerated in a specific text file. Scan a domain or workgroup: select this option to scan all targets connected to a domain/workgroup. Specify the respective target computer(s) details and click Next. Screenshot 8: Scan frequency (New scheduled scan wizard, step 3 of 7: set the triggering time for this scheduled scan job). 5. Specify date/time/frequency of the scheduled scan and click Next. 6. Specify the scan profile to be used in the scan. 7. Click Next. 8. Specify logon credentials and click Next. (Screenshot: New scheduled scan wizard, step 6 of 7: specify auto-remediation options. Auto-remediation options enable LANguard to automatically download and install missing patches and service packs and uninstall unauthorized applications on the scanned computers.)
158. Screenshot 76: The Scanning Profile Editor. 2. In the Scanning Profiles Editor, click New scanning profile. 3. Specify the name of the new profile and select Copy all settings from an existing profile to clone settings from an existing profile. 4. Click OK to save settings. The new scanning profile is added under Profiles in the left pane.
159. 4.3.3 Stopping active downloads (screenshot: GFI LANguard Remediate tab, Deploy Microsoft Patches page, listing the options Download file, Cancel download, Download all checked files, Cancel all downloads, Check all, Uncheck all, Refresh states, More details, Open web location and Properties)
160. rd application (languard.exe) or LANguard scanning profiles (scanprofiles.exe) are running. NOTE 3: If the specified <xmlfile>, <dbfile>, <name>, <category> or <value> contain any space character, the whole value must be placed between double quotes. Example: VULN Apache Apache doc directory. NOTE 4: It is recommended that if the vulnerabilities are imported into another installation, the other installation have the same build number as where the vulnerabilities database has been exported. 10 Adding vulnerability checks via custom conditions or scripts. 10.1 Introduction: Scripts that identify custom vulnerabilities can be created using any VBScript compatible scripting language. By default, GFI LANguard ships with a script editor that you can use to create your custom scripts. New checks must be included in the list of checks supported by GFI LANguard. Use the Vulnerability Assessment tab to add new checks to the default list of vulnerability checks on a scan profile by scan profile basis. GFI LANguard also supports Python scripting. For more information on GFI LANguard Python scripting refer to the section in this manual. NOTE: Only expert users should create new vulnerability checks. Scripting errors and wrong configurations in a vulnerability check can result in false positives or provide no vulnerability information at all.
161. results that are stored in a database file. For more information refer to the Database maintenance options section in this manual. To load saved scan results from the database backend or from XML files: 1. Click on Analyze > Scan Results. 2. Under Common Tasks in the left pane, click Load scan results from database. 3.8 Saving scan results: Scan results are an invaluable source of information for systems administrators. GFI LANguard results are stored in a MS SQL Server or an MS Access database. In addition, scan results can also be exported to XML. 3.8.1 Saving scan results to XML file: To save scan results to XML file: 1. Go to Network Audit > Analyze. 2. Launch a new scan or click on load the saved scan result from database to load the results you want to export to XML. 3. Click on Save scan results to XML file and specify the XML file where results will be saved. 4. Click Save to finalize your configuration. 3.8.2 Loading saved scan results from XML: To load saved scan results from an XML file: 1. Click on Analyze > Scan Results. 2. Under Common Tasks in the left pane, click Load saved scan results from XML. 3. Locate the scan results to load and click OK. 3.9 Scan filters: Scan results typically present a substantial amount of information. You might however at times require only specific information to achieve a parti
162. rogress of the installation. Screenshot (GFI LANguard Remediate tab, Deploy Custom Software page, Deployment Status tab for 192.168.131.65) showing these status messages: Connecting to the remote registry; Stopping the Remote Registry service on the remote machine; Remote Registry service stopped; Preparing to copy 1 files; Copying process started; Copying update.exe (1.65 MB); Copying process completed; Batch file copy OK; NT machine: Starting the GFI LANguard Patch agent service on the remote machine; Service is not installed. Installing the service; Copying the files needed; Service installed. Deploying custom software
163. Screenshot 19: The audit policy administration wizard (the policies listed include Audit account management, Audit directory service access, Audit logon events, Audit object access, Audit policy change and Audit privilege use). 2. Select/unselect auditing policies accordingly and click Next to deploy the audit policy configuration settings on the target computer(s). Screenshot 20: Results dialog in audit policy wizard (the dialog advises that before re-attempting to apply the policies you ensure that communication between this computer and the target computer is possible and that you have administrative privileges to access the security policies of these computers). 3. At this stage a dialog will show whether the deployment of audit policy settings was successful or not. You can choose to re-deploy settings on failed computers by clicking on the Back button. To proceed to the next stage click Next. 4. Click Finish to finalize your configuration. Groups/users: Rogue, obsolete or default user accounts can be exploited by malicious or unaut
164. 7.4 Configuring vulnerabilities (screenshot: GFI LANguard Scanning Profiles Editor, Vulnerability Assessment Options, Vulnerabilities tab, with 2557 vulnerabilities listed)
165. Screenshot 72: Program updates. Out of the box, GFI LANguard supports multilingual patch management for all Unicode compliant languages. Through multilingual patch management you can download and deploy missing Microsoft product updates discovered during a security scan in a variety of different languages. The security scanning engine identifies missing Microsoft patches and service packs by referencing the Microsoft Software Update files. These files contain the latest complete list of product updates currently provided by Microsoft and are available in all languages supported by Microsoft products. Use the GFI LANguard Program Update tool in th
166. scheduled scan that will have the option to automatically deploy all approved missing Microsoft updates. Within the scheduled scan, define what computers will be scanned for missing Microsoft updates and the frequency. Step 3: Review scheduled scan status. Select Dashboard > Scheduled Operations to review the status of scheduled scans and auto-remediation operations. 4.7.2 Automatically uninstall unauthorized applications: To automatically uninstall unauthorized applications, follow the instructions below before setting up a scan with auto-remediation options. Step 1: Define unauthorized applications list. 1. From the Configuration tab select the Applications inventory sub-node. 2. In the right pane, click the application to unauthorize under the heading unauthorized on column. 3. Select a scanning profile to mark the application as unauthorized for that profile. Click Next to continue. 4. Review the currently affected applications screen and click Finish to finalize settings. Refer to the Applications inventory section in this manual for further information on defining unauthorized applications. Step 2: Validate the applications to remotely uninstall. 1. From the Configuration tab select the Applications inventory > Auto Uninstall Validation sub-node. 2. In the right pane select an application to validate, click Validate button. 3. In the Application auto uninstall validation wizard, click Next in the Welcome screen and select the
167. Screenshot 68: Microsoft SQL Server database backend options. 2. Select the MS SQL Server option and choose the SQL Server that will be hosting the database from the provided list of servers discovered on your network. 3. Specify the SQL Server credentials or select the Use NT authority credentials option to authenticate to the SQL server using Windows account details. 4. Click on OK to finalize your settings. NOTE 1: If the specified server and credentials are correct, GFI LANguard will automatically log on to your SQL Server and create the necessary database tables. If the database tables already exist, it will re-use them. NOTE 2: When using NT authority credentials, make sure that GFI LANguard services are running under an account that has both access and administrative privileges on the SQL Server databases. 6.8.4 Database maintenance: Managing saved scan results: Use the Saved Scan Results tab to maintain your
168. sed on OVAL, CVE and SANS Top 20 vulnerability assessment guidelines. Auditing of all hardware and software assets of your network, enabling you to create a detailed inventory of assets. This goes as far as enumerating installed applications as well as USB devices connected on your network. Enabling automatic download and remote installation of service packs and patches for Microsoft operating systems and third party products as well as automatic uninstallation of unauthorized software. 1.2 GFI LANguard components: GFI LANguard is built on an architecture that allows for high reliability and scalability, which caters for both medium to larger sized networks. GFI LANguard consists of the following components. GFI LANguard management console: The management console is the GUI through which all GFI LANguard administration and functionality is accessed, including: Triggering of network security scans, patch deployment and vulnerability remediation sessions; Viewing of saved and real time security scan results; Configuration of scan options, scan profiles and report filters; Use of specialized network security administration tools. GFI LANguard attendant service: GFI LANguard attendant is the background service that manages all scheduled operations including scheduled network security scans, patch deployment and remediation operations. GFI LANguard patch agent service: GFI LANguard patch agent is the background service tha
169. select an application to validate click Validate button 3 In the Application auto uninstall validation wizard click Next in the Welcome screen and select the computer on which to test the application auto uninstall Click Next to continue 4 Provide the authentication details for the validation operation and click Next to continue 5 Review the Auto uninstall validation wizard information and click Start to validate application auto uninstall 6 5 2 Managing scheduled scans The Manage applicable scheduled scans button enables you to review or edit scheduled scans which will perform the validated applications auto install To manage a scheduled scan 1 From the Auto Uninstall validation pane click Manage applicable scheduled scans button 70 e Configuring GFI LANguard GFI LANguard 9 user manual Manage applicable schedule scans Manage applicable schedule scans pi This is a list of all scheduled scans that may uninstall at least an application validated for auto uninstallor AS create a new scheduled scan Applicable scheduled scans Scan target Profile Will uninstall Scan description Glick on Ceste a new scheduled scan io congue an gopfcable scheduled scan Edit selected scan Create a new scheduled scan View all scheduled scans How can a scheduled scan appear in this list aa Screenshot 62 Manage applicable schedule scans 2 From the Manage applicable schedule scans dialog perform
170. ser LON format Note: Only select this option if you want to run the installation packages on the target computers under an account other than the Local System account. If you need to select this option, make sure that the specified account has the Log on as service privilege on the target computers. Deploy patches with their original names. Remember settings. Screenshot 36: Advanced deployment options
5. Click Advanced tab to configure advanced deployment options, including:
• the number of patch deployment threads that will be used
• deployment timeout
• authentication credentials for the deployment agent service
4.2 Patch management
Apart from automatically downloading Microsoft patches and service packs, GFI LANguard can also deploy these updates network wide, as well as recall any patches that have already been deployed. Patches are generally recalled due to newly discovered vulnerabilities or problems caused by the installation of these updates, such as conflict issues with present software or hardware. Examples of updates recalled by the manufacturer include patches MS03-045 and MS03-047 for Exchange, which were released by Microsoft on October 15 2006. Both patch deployment and patch rollback operations are managed by an agent service which handles all file transfers between GFI LANguard and the remote targets. This service is installed automatically on the remote target computer during patch depl
171. sing NOTE GFI LANguard can identify missing service packs and patches on various Microsoft products For a complete list of supported products visit http kbase gfi com showarticle asp id KBID002573 Bulletin information To access bulletin information right click on the respective service pack and select More details gt Bulletin Info 20 e Step 2 Analyzing the security scan results GFI LANguard 9 user manual Bulletin Info Bulletin Bulletin ID Title Description Applies To URL File File Name File Size File URL MS09 007 ONumber 9960225 Date 2009 03 10 Severity Important Security Update for Windows Vista KB960225 A security issue has been identified that could allow an attacker to misrepresent a system action or behavior without the knowledge of the user You can help protect your system by installing this update from Microsoft After you install this update you may have to restart your system This update is provided to you and licensed under the Windows Vista License Terms Windows Vista Screenshot 17 Missing Service pack Bulletin info dialog 3 6 Detailed scan results Network amp Software Audit Scan Results Overview i Scan target localhost a W 197 168 3 85 ESM_DEMO Windows Vista Service Pack 1 a _ Vulnerability Assessment T Network amp Software Audit an ce W System Patching Status a Ports W Hardware q Software Qi System Information
172. swords anonymous FTP access and unused user accounts e Configure how GFI LANguard will handle newly created vulnerability checks e Configure GFI LANguard to send CGI requests through a specific proxy server This is mandatory when CGI requests will be sent from a computer that is behind a firewall to a target web server that is outside the firewall for example Web servers that are on a DMZ The firewall will generally block all the CGI requests that are directly sent by GFI LANguard to a target computer that is in front of the firewall To avoid this set the Send CGI requests through proxy option to Yes and specify the name IP address of your proxy server and the communication port which will be used to convey the CGI request to the target GFI LANguard 9 user manual Scanning Profiles e 99 7 5 Configuring patches GFILANguard Scanning Profiles Editor fs fom Px File Scanning Profiles Profile categories Vulnerability Assessment Options 4j Network amp Software Audit Options Scanner 0 _ B ee anemer LA Vulnerabilities 3 Patches Network amp Software Audit Choose scan profile conditions Profiles v Detect installed and missing service packs patches A Full Vulnerability Assessment Patch language filter English 7 a Full Scan NOTE Configure supported languages in LANguard gt Configuration gt Program Updates amp Full Scan Slow Networks Bulletins to be checked for
173. t computer following deployment operation To edit the general deployment options 1 Under Common Tasks in the left pane click Deployment options GFI LANguard 9 user manual Step 3 Fixing vulnerabilities e 43 Deployment Options eral Advanced Before deployment Warn user send a message Wait for user s approwal Stop services before deployment ee eee a VICES i Copy software to deploy to target computer via Administrative shares C Custom share After deployment Do not reboot shut down the computer s Reboot the target computer s et the user decide when to reboot gt S Fa Shut down the target computer s Delete copied files from remote computers after deployment Computer filters Remember settings Screenshot 35 General deployment options 2 Configure the Before deployment options 3 Configure the Copy software to deploy to target computer via option by selecting between administrative or a custom shares 4 Configure the After deployment options 44 e Step 3 Fixing vulnerabilities GFI LANguard 9 user manual Deployment Options General Advanced Number of deployment threads 5 max 10 WARNING Deploying with more than 5 threads may render the UI unresponsive until the deployment operation is complete Deployment timeout seconds 600 B L Deploy patches under the following administrative account domarnuger or u
174. t handles the deployment of patches service packs and software updates on target computers GFI LANguard Script Debugger GFI LANguard 9 user manual Introduction e 1 The GFI LANguard Script Debugger is the module that allows you to write and debug custom scripts using a VBScript compatible language C ScriptDbg anon_ftp_upload oe C fa File Edit View Debug Watches Options Window Help Using Currently logged on user Username Password isik SES Ftp Anonymous Upload Function main Dim strRequest As String Dim strResponse As String Dim socketObject As Object Dim result As Boolean result false ip getparameter Computer IP port 21 Chr i3 chr 10 rem _ip Socket setTimeout 5000 5000 Set SocketoObject Socket OpenTcP ip port If Not SocketObject is Nothing Then strResponse Ssocketobject recv 1024 If Len strResponse gt 0 Then If Instr 1 strResponse 220 gt 0 Then socketoObject send user anonymous cr strResponse socketObject recv 1024 If Len strResponse gt 0 Then If Instr 1 strResponse 331 gt 0 Then socketObject send pass Inss qfi c strResponse socketobject recv 1o0 If Len strResponse gt 0 Then If In5tr 1 strResponse 2 i j Ln 17 Col 38 NUM Screenshot 1 GFI LANguard script debugger Use this module to create scripts for custom vulnerability checks through which you can custom scan network targets for specific vulnerabilities GFI LANguard script
175. t panel select Security Scans, Patch Downloads, Remediation Options or Updates History, and trigger any of the operations from the left panel as required. The Scheduled activity options are described below.
Scheduled Security Scans: The scheduled security scans screen enables monitoring of all the scheduled security scans which are currently in progress or which have been successfully or unsuccessfully completed. A scheduled scan can be stopped by right-clicking the security scan and selecting the Stop selected scan(s) option. For more information on how to set up a new scheduled scan, refer to the Setting up a scheduled scan section in this manual.
Microsoft Updates Downloads: The Microsoft Updates Downloads screen enables you to monitor, pause, cancel or change the priority of all the scheduled patch downloads. For more information on how to configure scheduled patch downloads, refer to the Auto download settings section in this manual.
Remediation Operations: The remediation operations screen enables you to monitor as well as cancel all the scheduled remediation features within GFI LANguard. For more information on how to set up scheduled remediation operations, refer to the Automatic Remediation section in this manual.
Product Updates Activity: The Product updates activity screen enables you to monitor or edit GFI LANguard scheduled or manual updates. For more information on how to set up scheduled
176. t setting, type of scanning profile to use, description and scan frequency.
• Logon Credentials tab: Use this tab to specify logon credentials to be used when scanning the specified target.
• Advanced tab: Use this tab to specify whether GFI LANguard should wait for offline computers to connect to the network. This enables GFI LANguard to postpone the scan on these machines and keep track of targets pending a scan, e.g. laptops or other mobile devices which are not connected to the network. As soon as these devices are connected back to the network, scanning will take place.
• Auto Remediation tab: Use this tab to configure the remediation options applicable to the scan being configured. This includes downloading and installing missing patches and service packs, and unauthorized software un-installation.
6.3 Computer profiles
When working in both large and smaller sized networks, you will inevitably have to log in with different sets of credentials on different computers. Systems such as Linux based systems often make use of special authentication methods such as public key authentication. Such authentication methods generally require special custom logon credentials, such as private key files, instead of the conventional password strings. Through computer profiles you can specify a different set of logon credentials for every target computer. The scanning engine can then re
177. t you might encounter. It explains the use of the GFI LANguard troubleshooting wizard. The main sources of information available to users are:
• The manual: most issues can be solved by reading this manual.
• The GFI Knowledge Base: http://kbase.gfi.com
• The GFI technical support site: http://support.gfi.com
• The GFI Web forum: http://forums.gfi.com
• Contacting the GFI technical support team by email at support@gfi.com
• Contacting the GFI technical support team using our live support service at http://support.gfi.com/livesupport.asp
• Contacting our technical support team by telephone
13.2 The Troubleshooting wizard
The GFI LANguard troubleshooting wizard is a tool designed to assist you when encountering technical issues related to GFI LANguard's use. To use the GFI LANguard troubleshooting wizard:
1. Launch the troubleshooting wizard from the Start > Programs > GFI LANguard 9.0 > GFI LANguard Troubleshooter.
2. Click Next in the introduction page.
[Screenshot 124: Troubleshooter wizard, Information details. Options shown: Automatically detect and fix known issues (Recommended); Gather only application information and logs. Note: Use this option when the problem is already located and only support files are needed.]
3. In the Inf
178. ters in text file 5 Scan a domain or workgroup yi Current configuration settings lt i Fake as Cancel Screenshot 5 Target computer categories 5 Select one of the following options and click Next e Scan a single computer Select this option to scan local host or one specific computer e Scan a range of computers Select this option to scan a number of computers defined through an IP range For more information refer to http kbase gfi com showarticle asp id KBID002749 e Scan a list of computers Select this option to import list of targets from file or to select targets from network list e Scan computers in text file Select this option to scan targets enumerated in a specific text file e Scan a domain or workgroup Select this option to scan all targets connected to a domain workgroup Specify the respective target computer s details and click Next O gt GFI LANguard 9 user manual Step 1 Performing an audit e 9 Custom scan wizard m Sm Step 5 of S Remote logon credentials Specify credentials to use to log on to remote targets aN Credentials Description Currently logged on user Perform the scan in the security context of the currently logged on user Alternative credentials a NULL session O SSH Private Key FE Use data from computer profiles Tell me more x Current configuration settings Radke san Cancel Screenshot 6 Specify the scan job creden
179. tials
7. Specify the authentication details to use during this scan.
8. Click Scan to start the audit process.
2.6 Setting up a scheduled scan
A scheduled scan is a network audit which is scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically. Scheduled scan status can be monitored via Dashboard > Scheduled Operations tab. Scheduled scans can also be configured to:
• Automatically download and deploy missing Microsoft updates detected during the scheduled audit
• Trigger email notifications on detection of network threats
• Generate consecutive scan comparison reports and distribute these automatically via email
• Automatically uninstall unauthorized applications
When to use Scheduled Scans
It is recommended to use scheduled scans:
• To automatically perform periodical/regular network vulnerability scans using same scanning profiles and parameters
• To automatically trigger scans after office hours and generate alerts and auto-distribution of scan results via email
• To automatically trigger auto-remediation options (e.g. auto download and deploy missing updates)
NOTE: For more information on auto-remediation options refer to the Automatic remediation
NOTE: To enable routine scanning of network targets as part of an established network auditing program such as auditing for l
180. tion on a particular domain or IP address GFI LANguard a fon x File Tools Configure Help Discuss this version Network Audit Dashboard Configuration Utilities General Tools Query domain IP address name hd Retrieve Options a DNS Lookup Traceroute Whois Enumerate Computers tm Enumerate Users ae SNMP Audit a SNMP Walk m SQL Server Audit Credentials Authenticate using Currently logged on user Remember credentials v Use computer profiles Edit Common Tasks Edit whois options Help Whois Screenshot 102 Whois tool 1 Click on the Utilities tab and select Whois in the left pane under Tools 2 In the Query domain IP name dropdown specify the name IP or domain to reach 3 Under Common Tasks in the left pane click on Edit Whois options or Options button on the right pane to change the default options 4 Click on the Retrieve button to start the process GFI LANguard 9 user manual 8 5 Enumerate computers GFI LANguard 9 user manual F GF LANguard adba File Tools Configure Help Discuss this version Network Audit Dashboard Configuration Utilities General A Tools Enumerate computers in domain x DNS Lookup Traceroute Name Operating System Whois Enumerate Computers m Enumerate Users a SNMP Audit a SNMP Walk wm SQL Server Audit Credentials Authenticate using Currently logged on user v Reme
181. tions
1. From the main menu click on File > Import and Export Configurations.
2. Select Import the desired configuration from a file and click Next.
3. Specify the path from where to load configuration and click Next.
4. Wait for the configuration tree to load and select the configurations to import. Click Next to start import.
5. Confirm the override dialog box by clicking Yes or No as required.
6. A notify dialog will confirm that exporting is completed.
7. Click OK to finish.
NOTE: To import configurations from an existing installation of GFI LANguard, select Importing Configurations from another instance.
6.10 Program updates
[Screenshot: Configuration tab, Program Updates]
182. to Open remote de Screenshot 15 Detailed scan results Information in result pane oO Scan target node Displays information related to scan targets in terms of scan range and whether scan result was retrieved from database 2 Scan computer node Displays information related to the scanned computer Indicates if scan was successful and shows OS details 18 e Step 2 Analyzing the security scan results GFI LANguard 9 user manual Scan details node Displays information related to the scan performed on target computer including vulnerabilities found system patching status etc Scan results details Displays the details of the scan results This includes vulnerability or missing patch name level of patch vulnerability detailed vulnerability missing patch details connected device information etc Expand the Scanned computers node to access the results retrieved during the scan Security scan results are organized in 2 sub nodes tagged as e Vulnerability Assessment e Network amp Software Audit 3 5 Detailed scan results Vulnerability assessment Scan Results Overview jj Scan target 192 168 3 85 192 168 3 86 a J 192 168 3 85 ESM_DEMO Win W oy Vulnerability Assessment d High Security Vulnerabilities 1 ib Low Security Vulnerabilities 5 iy Potential Vulnerabilities 1 W Missing Service Packs 10 W Missing Patches 26 Screenshot 16 The Vulnerability Assessment node Click on a
183. uditing Policies configuration Wizard that will guide you through the configuration process 120 e Utilities GFI LANguard 9 user manual 8 6 Enumerate users F GF LANguard cbas File Tools Configure Help Discuss this version Network Audit Dashboard Configuration Utilities General A O Tools Enumerate users in domain v Options z DNS Lookup a Traceroute User name Full name Description z Whois x Enumerate Computers SNMP Walk mw SQL Server Audit Credentials Authenticate using Currently logged on user Remember credentials vJ Use computer profiles Edit Common Tasks Edit enumerate users options Help Enumerate users Screenshot 104 The Enumerate Users tool dialog To scan the Active Directory and retrieve the list of all users and contacts included in this database 1 Click on the Utilities tab and select Enumerate Users in the left pane under Tools 2 In the Enumerate users in domain dropdown select the desired domain 3 Under Common Tasks in the left pane click on Edit Enumerate Users options or Options button on the right pane to filter the information to be extracted and display only the users or contacts details In addition you can optionally configure this tool to highlight disabled or locked accounts 4 Click on the Retrieve button to start the process From this tool you can also enable or disable any user account that has been enumerated T
184. ured email reports ani will mot be sent N ed Tell me more Screenshot 10 Review scheduled scan job 13 Optional Click on Configuring alerting options and specify sender recipient details GFI LANguard 9 user manual Step 1 Performing an audit e 13 Scheduled Scans Reporting options _ Specify where to save scan results to XML or HTML reports For result comparison operations GFI LANguard saves all scan results to the database backend You can configure GFI LANguard to output the scheduled scan results also to XML or HTML report files in a directory on the hard drive Save as XML files WARNING Saving scheduled scan results to XML can take several minutes for large scans and can cause performance degradation E Save scheduled scan results to XML file o qitete Wennrte Wie Ta ik epar tc Piht ee save as HIML reports Generate and save scan result html reports to DK etancel Apap Screenshot 11 Scheduled Scans Reporting options 14 Optional Click on Configure scheduled scan reporting options to configure scheduled scans reporting a Specify whether scan results are saved as HTML or XML b Click on Results Notification tab and select o Full Scan to include all data collected during the scheduled scan o Results Comparison to create a report which lists only the differences if any identified between the last scheduled scan results and the preced
185. uses service fingerprint technology to analyze the service s that are running behind the detected open port s Through service fingerprinting you can ensure that no hijack operation has taken place on that port For example you can verify that behind port 21 of a particular target computer there is an FTP server running and not an HTTP server 3 6 3 Hardware Expand the Hardware sub node to view a hardware audit categorized as follows Category Information provided Network Devices e MAC address Physical Virtual Wireless e IP address Software enumerated devices e Device type e Vendor e Hostname e DHCP Set e DNS Server e Status USB Devices e Device name e Description e Manufacturer gt Local Drives e Drive letter e Total disk space e Available disk space i Processors e Vendor e Processor speed GFI LANguard 9 user manual i Motherboard y Memory details Storage details fy Display adapters gt Other devices 3 6 4 1 Software Product name Manufacturer Version BIOS name BIOS vendor BIOS version BIOS release date BIOS Serial Number Physical memory Free physical memory Virtual memory Free virtual memory Description Manufacturer Interface type Media type Partitions Size Drive s Manufacturer Monitor Current video mode HID System devices Keyboard Ports COM amp LPT ports Floppy disk controllers Mouse Multimedia Hard disk controllers Computer Stor
186. uter during security scanning Alternatively you can use the UseComputerProfiles switch to use the authentication credentials already configured in the Computer Profiles Configuration gt Computer Profiles node Email Optional Specify the email address on which the resulting report s will be sent at the end of this scan Reports will be emailed to destination through the mail server currently configured in the Configuration gt Alerting Options node of the management console DontShowStatus Optional Include this switch if you want to perform silent scanning In this way the scan progress details will not be shown Optional Use this switch to show the command line tool usage instructions NOTE Always enclose full paths and profile names within double quotes i e path or profile name for example Default c temp test xml The command line target scanning tool allows you to pass parameters through specific variables These variables will be automatically replaced with their respective value during execution Supported variables include Supported Description VEUETI INSTALLDIR During scanning this variable will be replaced with the path to the GFI LANguard installation directory TARGET During scanning this variable will be replaced with the name of the target computer SCANDATE During scanning this variable will be replaced with the date of scan SCANTIME During scanning this variab
187. wireless virtual physical network devices connected USB devices connected installed applications and more GFI LANguard 9 user manual Hardware Audit Use this scanning profile to audit your network and enumerate all hardware devices currently connected to your network computers 7 2 4 Which scanning profile shall use Select the scanning profile based on the 1 The scope of your vulnerability analysis i e what you want to achieve out of your vulnerability scan Based on these factors you can determine the type of vulnerability checks to be performed and the information that you want to retrieve from your scan targets 2 Time you have at your disposal for target vulnerability scanning The more vulnerability checks you run the longer it will take the scan process to complete GFI LANguard 9 user manual Scanning Profiles e 91 7 3 Creating a new scanning profile To create a new scanning profile 1 Click Configuration tab gt Scanning Profiles and go to Scanning profiles management B GFI LANguard Scanning Profiles Editor g g File Scanning Profiles Profile categories Vulnerability Assessment Options jj Network amp Softw YC ete Combination Scans A oe eer LA Vulnerabilities C Patches BF Network amp Software Audit Choose scan profile conditions Profiles Enable vulnerability scanning A Full Vulnerability Assessment Group by Type w Name N Full scan cl E A Vulnerabilities i Abyss Web serve
188. y node. This enables you to keep track of which updates were completed successfully or not.
7 Scanning Profiles
7.1 Introduction
GFI LANguard enables you to scan your IT infrastructure for particular vulnerabilities using pre-configured sets of checks known as scanning profiles. Scanning profiles enable you to scan your network targets and enumerate only specific information. For example, you may want to use a scanning profile that is set to be used when scanning the computers in your DMZ as opposed to your internal network. In practice, scanning profiles allow you to focus your vulnerability scanning efforts on a specific area of your IT infrastructure, such as identifying only missing security updates. The benefit is that you have less scan result data to analyze, which tightens the scope of your investigation and lets you locate the information that you require more quickly and easily. With multiple scanning profiles you can perform various network security audits without having to go through a reconfiguration process for every type of security scan required.
7.2 Scanning profile description
Out of the box, GFI LANguard includes an extensive list of scanning profiles, as described below.
7.2.1 Complete/Combination scans
Complete/Combination scanning profiles: Full Use this scanning profile to enumerate particular network Vulnerability vulnerabilities such as open TCP
189. y not installed on this computer Download and Install ReportPack Screenshot 33 GFI LANguard ReportPack not installed 3 If the GFI LANguard ReportPack is not installed you will be prompted to auto download and install the reporting package Click on the Download and Install ReportPack button to proceed Fie Took Configure Help Network Audit Dashboard Configuration Scan Analyze b Remediate Analyze D Scan Resuts Rests Fteng E Resuts Companson gt a Exeaive Reports TE Operating System and Service Pack Distribution m b Common Tasks Save mpot Print repot A P wee T zT is n aza Discuss this version Utilities General Network Vulnerability Summary Report m domain Pnmary domain 14 Nov 2008 18 42 Scan reference Scan cate amp time Hosts Severity Level Distribution Top 10 Vulnerable Hosts by Severity IP Address Host Name Severity low High Med Low 192 183 327 RICHARD 7 3 9 192 168 34 ANDREMUSCAT PC 20 2 5 192 168 3 26 SBORG 0 0 7 192 168 0 15 TREEBEARD 0 0 2 z 192 168 3 36 JASON 1 0 2 192 168 3 30 TMJASON_XP 1 0 1 Ta Vala i 192 168 3 141 MIROS 0 0 1 Severity Count High E B Medium 5 4 Low L 25 i 21 Hosts Vulnerability Level Distribution lak ai Vulnerability Level Host Count Hgh 2 Medium 0 gt Screenshot 34 GFI LANguard with installed ReportPack 4 From the left pane select the reports you run GFI L
