Administration and Configuration Manual
Contents
1. [Screenshot: GFI LanGuard Scanning Profiles Editor. TCP Ports tab of the Vulnerability Assessment options with "Enable TCP Port Scanning" selected, showing a list of TCP ports with Description and Notes columns (for example Echo, FTP data, FTP control, Secure Shell (SSH), Telnet, SMTP). Profiles shown include Full Scan (Active) and Full Scan (Slow Networks).]
2. Representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language. The OVAL community has developed three XML schemas to serve as the framework and vocabulary of the OVAL Language. These schemas correspond to the three steps of the assessment process: an OVAL System Characteristics schema for representing system information, an OVAL Definition schema for expressing a specific machine state, and an OVAL Results schema for reporting the results of an assessment. Content written in OVAL Language is located in one of the many repositories found within the community. One such repository, known as the OVAL Repository, is hosted by MITRE Corporation. It is the central meeting place for the OVAL Community to discuss, analyze, store and disseminate OVAL Definitions. Each definition in the OVAL Repository determines whether a specified software vulnerability, configuration issue, program or patch is present on a system. The information security community contributes to the development of OVAL by participating in the creation of the OVAL Language on the OVAL Developers Forum and by writing definitions for the OVAL Repository through the OVAL Community Forum. An OVAL Board consisti
3. Screenshot 37: Vulnerability Trends Over Time for a single computer. Computers by network role: This chart is available only when selecting a domain or a workgroup and displays the number of audited computers grouped by network role. Amongst other roles, this graph identifies the number of servers and workstations per selected domain. Screenshot 38: Computers by network role. Computers by operating system: This chart is available only when selecting a domain or a workgroup and displays the number of audited computers grouped by the installed operating system. Screenshot 39: Computers by operating system. Computer details: This section is available when selecting a single computer and enables you to view the selected computer details. Screenshot 40: Computer Details. Scan activity: This line graph is available onl
4. Use Dashboard and Activity Monitor to view agents activity. Screenshot 3: Manage agents. 3. Select Deploy Agents to select the target scan computers and click Next. There are two methods of selecting target computers, described below. Table 1: Target selection (OPTION: DESCRIPTION). Local Domain: Deploy agents on all reachable computers within the same workgroup/domain where LanGuard is installed. Custom: Deploy agents on specific computers or group of computers. Add new rules to search or specify target scan computers. For more information on how to add new rules, refer to the Custom Agent Deployment section of the manual. 4. (Optional) Select Authenticate using checkbox to specify alternate credentials. 5. (Optional) Click Advanced Settings to configure automated network audit properties. Table 2 below describes these automated network properties. Table 2: Automated network audit properties (TAB NAME: DESCRIPTION). General: Configure the schedule for when GFI LanGuard automatically scans for new machines in the network perimeter where agents are enabled. Audit schedule: Configure how often the agent audits the host computer where the agent is installed. Select the recurrence pattern and the time the audit will start. Auto remediation: Configure GFI LanGuard to automatically download and install missing patches and service packs. Uninstall unauthorized applications on the scanned computers. For more information on how to
5. Screenshot 94: Database maintenance properties, Scanned Computers tab. To delete computers previously scanned: 1. Click Configuration tab > Database Maintenance Options > Manage list of scanned computers. 2. Select the computers to delete and click Delete selected computer(s). Deleting computers from the database is a one-way operation that will also delete all computer related data from the database. Once deleted, this data is no longer available. 6.6.4 Database maintenance: Advanced options. GFI LanGuard enables you to repair and compact the Microsoft Access database backend automatically to improve performance. During compaction, the database files are reorganized and records that have been marked for deletion are removed. In this way you can regain used storage space. During this process, GFI LanGuard also repairs corrupted database backend files. Corruption may occur for various reasons. In most cases, a Microsoft Access database is corrupted when the database is unexpectedly closed before records are saved (for example, due to a power failure, unresponsive operations, forced reboots and so on). [Dialog: Properties, Advanced tab] Please configure the database compaction options. The below option is only available when using Microsoft Access as a database backend. When using SQL Server/MSDE as a database
6. Remote Support via Remote Desktop Connection: Use this option to remotely connect to specific targets for maintenance purposes. Screenshot 77: Remote desktop connection. To disconnect a machine, select Remediation Center > Remote Support via, right-click a machine from the list and select Disconnect. 5.10 Remediation Jobs. The Remediation Jobs section enables you to monitor the remediation actions in progress. To open the Remediation Jobs, click Remediate tab > Remediation Jobs. Select a computer from the left panel to view the progress for that computer. [Screenshot: Remediation Jobs list for the selected computers, with a remediation job details pane showing the message "Failed: PatchAgent is performing another remediation session on the target computer".] Note: Bold remediation jobs indicate that the job was started after the last audit. The vulnerability level will be updated when the next audit is started.
7. Contents (excerpt): 1.3 GFI LanGuard components; 1.4 Vulnerability management strategy; 2 Managing Agents (Introduction; Deploying Agents); Agent-less Auditing (3.2 Performing a manual audit; 3.3 Scheduled scan; 3.4 Setting up scheduled scans; Audit result summary; 3.6 Audit result details); 4 Analyzing Results (Introduction; Vulnerabilities view; Patches view; Ports view; 4.7 Software view; 4.8 Hardware view; 4.9 System information)
8. Screenshot 5: Agent properties. 4. From Agent Status tab, enable/disable agent deployment by clicking Deploy agent or Disallow agent installation. 5. Click Change scan schedule to configure agent scan schedule and, from Scanning profile, select the active scan profile. 6. Enable/disable agent auto remediation. Click Change settings to open Auto remediation settings dialog for that specific agent. [Dialog: Auto remediation settings] Auto Remediation enables LanGuard to automatically download and install missing patches and service packs, and uninstall unauthorized applications on the scanned computers. Options: Automatically download and deploy missing patches; Automatically download and deploy missing service packs; Automatically uninstall unauthorized applications. It is recommended to have System Restore on for the system drive on the target computers. Remediation actions are conducted from the LanGuard console computer, where the patches are downloaded and distributed to remediation targets. There are security updates that are
9. ACTION: DESCRIPTION. Remote Support via Remote Desktop Connection: Connect to a target machine and perform administrative tasks using remote desktop connection. For more information on how to connect remotely to a target machine, refer to Using remote support section in this manual. You can use GFI LanGuard filtering option to locate a machine. For more information, refer to Display results section in this manual. 5.4 Deploy security patches and service packs. To deploy missing security patches and service packs on specific computers: 1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. 2. Select Remediate tab > Remediation Center. 3. From the left panel, select the computer or domain where you want to perform the remediation action. 4. From the right panel, click on Deploy Security Patches or Deploy Service Packs. Screenshot 67: Select the updates to deploy. 5
10. GFI Product Manual: GFI LanGuard Administration and Configuration Manual. GFI, http://www.gfi.com, info@gfi.com. The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. GFI makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical. All product and company names herein may be trademarks of their respective owners. GFI LanGuard 2011 is copyright of GFI SOFTWARE Ltd. 1999-2011 GFI Software Ltd. All rights reserved. Last updated: August 12, 2011. Version LANSS ACM EN 01 00 01. Contents
11. Screenshot 139: Whois tool. 1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. 2. Click Utilities tab and select Whois in the left pane under Tools. 3. In Query (domain/IP/name) dropdown menu, specify the name, IP or domain to reach. 4. (Optional) From Common Tasks in the left pane, click Edit Whois options or Options on the right pane to change the default options. 5. Click Retrieve to start the process. 9.5 Enumerate computers. [Screenshot: Enumerate Computers tool in the Utilities tab, listing the computers found in a domain together with their operating systems.]
12. (Continued from the preceding table.) Data: System devices drivers; Human Interface Devices; Mouse and keyboard; Communication ports (Serial and Parallel); Floppy disk controllers; Hard disk controllers. Ports: TCP 445; DCOM 135; DCOM dynamic. Protocol: File and printer sharing; Remote registry; WMI. 16.5 Software (DATA: DESCRIPTION; PORTS; PROTOCOL). General applications: Enumerates every application installed on the scan target(s); TCP 139, TCP 445; SMB, File and printer sharing, Remote registry. Antispyware applications: Lists antispyware applications; TCP 139, TCP 445; SMB, File and printer sharing, Remote registry. Patch management applications: Lists patch management applications; TCP 139, TCP 445; SMB, File and printer sharing, Remote registry. Web browser applications: Lists web browsers; TCP 139, TCP 445; SMB, File and printer sharing, Remote registry. Firewall applications: Lists firewall applications; TCP 139, TCP 445; SMB, File and printer sharing, Remote registry. Antiphishing applications: Lists antiphishing applications; TCP 139, TCP 445; SMB, File and printer sharing, Remote registry. VPN client applications: Lists VPN client applications; TCP 139, TCP 445; SMB, File and printer sharing, Remote registry. Backup applications: Lists backup applications; TCP 139, TCP 445; SMB, File and printer sharing, Remote registry.
13. Index (excerpt). C: Complete Combination scans; Custom target properties; CVE. D: deploycmd; Discovery schedule; DNS Lookup. E: Email notifications; Enumerate computers; Enumerate users. H: High security vulnerabilities. I: impex; Import and Export configuration. L: Load scan results; Low security vulnerabilities. M: Management console; Manual audit; Microsoft SQL Server; Missing Patches; Missing service packs. N: NetBIOS; Network & Software Audit; Null session. O: OVAL. P: Potential vulnerabilities; Private key file; Program updates; Proxy settings; Python script. R: Remediation center; Remote desktop connection; Remote Support. S: Save scan results; Scheduled audits; Script Debugger; Security sensors; SMTP Server; SNMP audit; SNMP walk; SQL Server audit; SSH Module. T: Traceroute
14. CHAPTER: DESCRIPTION. Introduction: Introduces this manual and GFI LanGuard. Managing Agents: Provides information on how to deploy agents on your network. Agent-less Auditing: Provides information on how to perform a manual and a scheduled scan without using GFI LanGuard agent. This chapter also includes information on how to view audit results. Analyzing Results: Provides information on analyzing audit results using the status dashboard and the security sensors. Fixing Vulnerabilities: Provides information on how to fix vulnerabilities using automatic remediation, remediation centre and remote support. Configuring GFI LanGuard: Provides information on how to customize and configure advanced settings in GFI LanGuard. Reporting: Provides information on how to generate audit result reports and a description of the report contents. Chapter 8, Scanning Profiles: Provides information on the different scanning profiles in GFI LanGuard. Chapter 9, Utilities: Describes each utility in GFI LanGuard and how these can be used on your network. Chapter 10, Using GFI LanGuard from the command line: Describes the command line tools available in GFI LanGuard and how these can be used. Chapter 11, Adding vulnerability checks: Provides information on how to add vulnerability checks using VBscript and Python. Also includes information on GFI LanGuard SSH module. Chapter 12, GFI LanGuard certifications: Provides information
15. Screenshot 136: The DNS Lookup tool. 4. Under Common Tasks in the left pane, click on Edit DNS Lookup options or click Options on the right pane and specify the information described in Table 50 below. Table 50: DNS lookup options (OPTION: DESCRIPTION). Basic Information: Retrieve the host name and the relative IP address. Host Information: Retrieve HINFO details. The host information (known as HINFO) generally includes target computer information such as hardware specifications and OS details. Aliases: Retrieve information on the A Records configured on the target domain. MX Records: Enumerate all the mail servers and the order (i.e. priority) in which they receive and process emails for the target domain. NS Records: Specify the name servers that are authoritative for a particular domain or sub-domain. Some DNS entries do not contain certain information for security reasons. Screenshot 137: The DNS Lookup tool. 5. (Optional) Specify the alternative DNS server that will be queried by the DNS Lookup tool, or leave as default to use the default DNS server. 6. Click R
16. Table 16: Hardware information from an audit; Table 17: Software information from an audit; Table 18: System information from an audit; Table 19: Agent status; Table 20: View by computers information; Table 21: Authentication methods; Table 22: Updates download status; Table 23: Security updates download; Table 24: Automatic remediation actions; Table 25: Automatic remediation stages; Table 26: Before deployment; Table 27: After deployment; Table 28: Advanced deployment options; Table 29: Advanced deployment options; Table 30: Warning messages; Table 31: Remediation actions; Table 32: Options available in Deploy Custom Software; Table 33: Launch deployment options; Table 34: Uninstall options; Table 35: Options to manage scanning profiles; Table 36: Schedule scan properties; Table 37: Manage applicable schedule scans; Table 38: Mail settings parameters; Table 39: Database retention options; Table 40: Proxy settings; Table 41: Override options; Table 42: Available reports; Table 43: Customize report parameters; Table 44: Report placeholders; Table 45: Complete Combination scanning profiles; Table 46: Vulnerability assessment scanning profiles; Table 47: Network and Software audit scanning profiles; Table 48: Vulnerability properties dialog; Table 49: Applications Options; Table 50: DNS lookup options; Table 51: lnsscmd command switches; Table 52: Supported variables in lnsscmd; Table 53: deploycmd command switches; Tabl
17. result, refer to Ports section in this manual. Screenshot 49: Dashboard, Ports. 4.7 Software view. Display more details on the installed applications found during a network audit. When an application is selected from the Application List, the Details section provides more information on the selected application. For a description of terms used in this result, refer to Software section in this manual. [Screenshot: Dashboard Software view, showing the Application Category and Applications List panes.]
18. service packs, USB devices connected and more. The vulnerability check timeouts in this profile are specifically preconfigured to suit the network traffic and transmission delays usually associated with LAN environments. Full Scan (Slow Networks): Use this scanning profile to retrieve system information as well as scan your network for all supported vulnerabilities, including open TCP/UDP ports, missing patches and service packs, USB devices connected and more. The vulnerability check timeouts in this profile are specifically preconfigured to suit the network traffic and transmission delays usually associated with WAN environments. 8.2.2 Vulnerability Assessment. Table 46 below describes in detail the scans involved in the Vulnerability Assessment scanning profile. Table 46: Vulnerability assessment scanning profiles. Profiles listed: Top SANS 20 Vulnerabilities; High Security Vulnerabilities; Last Year's Vulnerabilities; Only Web; Missing Patches; Critical Patches; Last Month's Patches; Only Service Packs. Top SANS 20 Vulnerabilities: Use this scanning profile to enumerate all vulnerabilities reported in the SANS top 20 list. High Security Vulnerabilities: Use this scanning profile to enumerate open TCP/UDP ports and high security vulnerabilities. The list of TCP/UDP ports and high security vulnerabilities that will be enumerated by this profile can be customized through the TCP/UDP Ports tabs and the Vulnerabilit
19. [Screenshot: Applications inventory in the Configuration tab, listing installed applications with Application name, Version, Publisher and Unauthorized on columns.] To validate an application for auto uninstall, click on Auto Uninstall Validation node. Screenshot 82: Configuring Applications inventory.
20. Screenshot 7: Launch manual scan. 2. From the Home page, select Launch a scan. Screenshot 8: Manual scan settings. 3. From the Scan Target drop-down menu, select the target computer or group of computers to scan. Table 5 below describes the available options. Table 5: Target options when auditing (OPTION: DESCRIPTION). Local host: Audit the local host where GFI LanGuard is installed. Domain: primary domain. Audit the entire domain/workgroup of the computer/server where GFI LanGuard is installed. For information on how to define custom target properties, refer to the Custom target properties section in this manual. File: Audit computers specified in a saved text (.txt) file. For information on how to define custom target properties, refer to the Custom target properties section in this manual. 4. From the Profile drop-down menu, select the scan profile that you want GFI LanGuard to action during the scan. 5. From the
21. 5. Click on the Traceroute button to start the tracing process. Traceroute will break down the path taken to a target computer into hops. A hop indicates a stage and represents a computer that was traversed during the process. The information enumerated by this tool includes the IP of traversed computers, the number of times that a computer was traversed and the time taken to reach the respective computer. An icon is also included next to each hop. This icon indicates the state of that particular hop. The icons used in this tool indicate: a successful hop taken within normal parameters; a successful hop, but time required was quite long; a successful hop, but the time required was too long; that the hop was timed out (> 1000ms). 9.4 Whois. Whois looks up information on a particular domain or IP address. [Screenshot: Whois tool in the Utilities tab, with the Query (domain/IP address/name) field and Options.]
22. Contents (excerpt): 9.7 SNMP Auditing; 9.9 SQL Server Audit; 10 Using GFI LanGuard from the command line (10.1 Introduction; 10.2 Using the command line scanning tool lnsscmd.exe; 10.3 Using the command line patch deployment tool deploycmd.exe; 10.4 Using the command line import and export tool impex.exe); 11 Adding vulnerability checks (11.1 Introduction; 11.2 GFI LanGuard VBscript language; 11.3 GFI LanGuard SSH Module; 11.4 Python scripting); 12 GFI LanGuard certifications (12.1 Introduction; 12.2 About OVAL; 12.3 About CVE); 13 Miscellaneous (13.1 Enabling NetBIOS on a network computer); 14 Troubleshooting (14.1 Introduction; 14.2 Common issues; 14.3 The Troubleshooting wizard)
23. Add custom software dialog. This dialog enables you to add an application to the list and, if required, configure parameters. Edit: Select an application and click this button to launch the Add custom software dialog. This dialog enables you to modify the existing installation parameters. Remove: Select an application from the list and click this button to remove the application. Import: Click this button to import the applications parameters from an XML file. Export: Click this button to export the applications parameters to XML file. Screenshot 72: Target computers for software deployment. 4. Select the target computers where to deploy software. Right-click on a target computer to select between Check all/Uncheck all options. Screenshot 73: Launch deployment options. 6. Configure the authentication credentials to use. Select between: Currently logged user; Alternative credentials; A null session. 7. Select the preferred launch deployment option. Table 33 below describes the available options. Table 33: Launch deployment options (OPTION: DESCRIPTION). Deploy on: Sch
24. Screenshot 45: Analyze results by computer. Select this view to group audit results by computer. From the drop-down list, select one of the options described in Table 20 below to view related information. Table 20: View by computers information. OPTION DESCRIP
25. Editorial Board includes representatives from numerous security-related organizations such as security tool vendors, academic institutions and governments, as well as other prominent security experts. The MITRE Corporation maintains CVE and moderates editorial board discussions. 12.3.1 About CVE Compatibility. CVE-compatible means that a tool, Web site, database or service uses CVE names in a way that allows it to cross-link with other repositories that use CVE names. CVE-compatible products and services must meet the four requirements: CVE Searchable: A user must be able to search for vulnerabilities and related information using the CVE name. CVE Output: Information provided must include the related CVE name(s). Mapping: The repository owner must provide a mapping relative to a specific version of CVE, and must make a good faith effort to ensure accuracy of that mapping. Documentation: The organization's standard documentation must include a description of CVE, CVE compatibility, and the details of how its customers can use the CVE-related functionality of its product or service. For an in-depth understanding of CVE compatibility, refer to the complete list of CVE requirements available at http://cve.mitre.org/compatible/requirements.html. 12.3.2 About CVE and CAN. CVE names (also called CVE numbers, CVE IDs and CVEs) are unique, common identifiers for publicly known inf
26. To configure patch auto-deployment: 1. Click on the Configuration tab > Security updates > Patch Auto Deployment. 2. In the right pane, select the patches to auto-deploy. [Screenshot: Patch Auto Deployment. The Patches Auto Deployment option enables you to select which patches are approved for automatic patch deployment. Columns: Approval, Severity, Bulletin ID, Date posted, Title.]
27. 6.8.2 Importing Configurations from file. To import saved configurations: 1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. Screenshot 103: Import and Export Configurations. 2. Click the GFI LanGuard button > File > Import and Export Configurations. 3. Select Import the desired configuration from a file and click Next. 4. Specify the path from where to load configuration and click Next. 5. Wait for the configuration tree to load and select the configurations to import. Click Next to start import. Screenshot 104: Import configurations from a file. 6. Confirm the override dialog box by clicking Yes or No as required. 7. A notify dialog will co
28. LanGuard. For example, the IP of the computer running LanGuard, logon credentials and other related information. Services: Active services can be a potential security weak spot in your network system. Any of these services can be a Trojan, a virus or another type of malware that can seriously affect your system in a dangerous way. Furthermore, unnecessary applications and services that are left running on a system consume valuable system resources. During the scanning process, GFI LanGuard enumerates all services running on a target computer for you to analyze. This way you can identify the services to stop. Further to the freeing up of resources, this exercise automatically hardens your network by reducing the entry points through which an attacker can penetrate into your system. To access the list of services enumerated during a scan, click the Services sub-node. Processes: Click the Processes sub-node to access the list of processes running on the target computer during a scan. Remote time of day: Click the Remote TOD (time of the day) sub-node to view the network time that was read from the target computer during the scan. This time is generally set on network computers by the respective domain controller. 4 Analyzing Results. 4.1 Introduction. The Dashboard section provides you with extensive security information based on data acquired during audits. Amongst others, the Dashboard s
29. Maintenance Options > Manage saved scan results. 2. To delete saved scan results, select the particular result(s) and click Delete Scan(s). 3. To let GFI LanGuard manage database maintenance for you, select Scans generated during the last to delete scan results which are older than a specific number of days, weeks or months, or Scans per scan target per profile in number of to retain only a specific number of recent scan results. 6.6.3 Database maintenance: List of scanned computers. GFI LanGuard maintains a global list of scanned computers for licensing purposes. Any computers in excess of what is specified in the licensing information are not scanned. GFI LanGuard enables systems administrators to delete scanned computers in order to release licenses that were previously utilized.
30. Program updates Screenshot 97 Configuring proxy server settings Screenshot 98 Configure updates at application startup Screenshot 99 The Check for Updates wizard Stage 1 Screenshot 100 The Check for updates Wizar Screenshot 101 Import and Export Configuration Screenshot 102 Export configurations to file Screenshot 103 Import and Export Configurations Screenshot 104 Import configurations from a file Screenshot 105 Import and Export Configurations Screenshot 106 Import setting Screenshot 107 Reporting tab Screenshot 108 Report sample Screenshot 109 Scheduled reports settings Screenshot 110 Customize the report parameters Screenshot 111 Customize the report parameters Screenshot 112 Launch the scanning profiles editor Screenshot 113 The Scanning Profile Editor Screenshot 114 Scanning Profiles properties Vulnerabilities tab options Screenshot 115 Select the vulnerability checks to be run by this scanning profile Screenshot 116 Vulnerability properties dialog General tab Screenshot 117 Vulnerability conditions setup tab Screenshot 118 Check properties wizard Screenshot 119 Edit vulnerability Screenshot 120 Advanced vulnerability scanning dialogs Screenshot 121 Scanning Profiles properties Patches tab options Screenshot 122 Select the missing patches to enumerate Screenshot 123 Searching for bulletin information Screenshot 124 Extended bulletin information Screenshot 125
31. Result Details sections in this manual. 3.2 Performing a manual audit. An effective audit can be done in three steps: Configure scan properties: configure scan targets and any relative properties required to scan the networked computers. Analyze scan results: identify the main network vulnerabilities discovered and the scan targets that require immediate attention. Remediate vulnerabilities: implement patches, service packs or fixes to the scanned targets. 3.2.1 Step 1: Configure target properties. 1. Launch GFI LanGuard from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011.
32. Only limited security applications analysis can be performed remotely. Agent-less scans need to temporarily run a small service on the remote machines to retrieve the relevant information. Enable full security applications audit for agent-less scans. The number of supported security applications is constantly updated. Click here for the latest version of the list. Antivirus Software: Generate high security vulnerabilities when: No antivirus software is detected; Antivirus is not up to date; Antivirus real-time monitoring is turned off; Antivirus is expired; Antivirus has detected malware on the scanned system. Antispyware Software: Generate high security vulnerabilities when: No antispyware software is detected; Antispyware product is not up to date; Antispyware real-time monitoring is turned off; Antispyware product is expired; Antispyware product has detected malware on the scanned system. Firewall Software: Generate high security vulnerabilities when: No firewall is detected; Firewall is disabled. General Options: HTTP/FTP timeout when checking for product updates on remote sites (seconds): 60. Screenshot 133: The Applications configuration page: Advanced Options. GFI LanGuard ships with a default list of anti-virus and anti-spyware applications that can be checked during security scanning. The Advanced Options tab enables you to configur
33. Scanning Profiles properties TCP Ports tab options Screenshot 126 Scanning Profiles properties UDP Ports tab options Screenshot 127 Scanning Profiles properties System Information tab options Screenshot 128 The network devices configuration page Screenshot 129 Advanced network devices configuration dialog Screenshot 130 The Devices configuration page USB Devices tab options Screenshot 131 The applications configuration page Screenshot 132 The Applications tab Installed Applications tab options Screenshot 133 The Applications configuration page Advanced Options Screenshot 134 Security Applications Alert Configuration Screenshot 135 Scanning Profiles properties Scanner Options tab Screenshot 136 The DNS Lookup tool Screenshot 137 The DNS Lookup tool Screenshot 138 Trace route tool Screenshot 139 Whois tool Screenshot 140 Enumerate Computers tool Screenshot 141 The Enumerate Users tool dialog Screenshot 142 SNMP Audit tool Screenshot 143 SNMP Walk Screenshot 144 SQL Server Audit Screenshot 145 The new vulnerability check dialog Screenshot 146 The check triggering conditions dialog Screenshot 147 The check triggering conditions dialog Screenshot 148 Independent checks Python Script Test Screenshot 149 Searching for CVE information Screenshot 150 Local Areas Connection properties WINS tab Screenshot 151 Troubleshooter wizard Information details Screenshot 152 Troubleshoo
34. The vulnerability level; User accounts; Groups; Ports; Shares; Registry entries. Baseline Comparison: Enables you to compare the results of all scan targets to a base computer. From the drop-down list, select the base computers and click Generate. The results are grouped by computer name and, amongst others, include information on: Registry; Installed service packs; Missing patches; Vulnerability level. 7.3 Generating reports. GFI LanGuard enables you to generate one-time reports or scheduled reports. The sections below describe both scenarios. 7.3.1 One-time reporting. To generate a one-time report: 1. Click Reports tab. 2. From the left pane, select if you want to report on the entire network or a specific scan target. 3. From Reports, select the report to generate. 4. Select items to report on. 5. (Optional) If you modified one of the default reports settings, GFI LanGuard enables you to save those settings as a new report. Click Save as new report. 6. Click Generate report.
35. Check description: Executes an SSH script on the target computer and returns a boolean value or a string. Screenshot 147: The check triggering conditions dialog. 7. Select Unix checks > SSH Script Test node and click on Next button to continue setup. 8. Click Choose file and select the custom SSH Script file that will execute during this check. For this example, select myscript.sh. Click Next to proceed. 9. Select the relative condition setup in the wizard to finalize script selection. Click Finish to exit wizard. 10. Click OK to save new vulnerability check. Testing the vulnerability check script used in our example: Scan your local host computer using the scanning profile where the new check was added. 1. Log on to a Linux target computer and create a file called test file. This check will generate a vulnerability alert if a file called test file is found. 2. Launch a scan on the Linux target where you created the file. 3. Check your scan results. 11.4 Python scripting. GFI LanGuard also supports a new type of vulnerability checks: Python Script Test. This type of check is available under the Independent Checks type.
36. a backend, you need to manually set maintenance plans according to your company policies. Screenshot 95: Database Maintenance properties: Advanced tab. To compact and repair a Microsoft Access database backend: 1. Click Configuration tab > Database Maintenance Options > Database maintenance plan. 2. To manually launch a repair and compact process on a Microsoft Access database backend, click Compact Now. 3. To automate the repair and compact process on a Microsoft Access database backend, select One time only to schedule a one-time Microsoft Access database repair and compact, or Every to execute a repair and compact process on a regular schedule. Specify the date, time and frequency in days, weeks or months at which the compact and repair operations will be executed on your database backend. 6.6.5 Database maintenance: Retention options. Database retention options enable you to keep your database clean and consistent by configuring GFI LanGuard to automatically delete unwanted scan results and scan history information while retaining important ones. To configure retention settings: 1. Click Configuration tab > Database Maintenance Options > Database backend settings > Retention tab. 2. Configure the options described
37. after that scan. A technical report containing the summary of the information retrieved during the last scan. A technical report containing all the information during the last scan. The report contains full details for the scanned target. A technical report containing all the information related to auto-remediations performed after the last scan. Shows all changes detected during the last scan. Shows all unauthorized applications installed on target machines found during an audit. Amongst others, the report includes information on: Antivirus; Anti-spyware; Applications inventory. REPORT NAME: DESCRIPTION. Unauthorized Applications: Lists all unauthorized applications installed on scan targets. Antivirus Applications: Shows information related to the antivirus installed on scan targets. Scan History: An overview of the network security audits performed over time. Amongst others, the report includes information on: Most scanned computers; Least scanned computers; Auditing status; History listing. Remediation History: Shows information related to remediation actions performed on target computers. Amongst others, the report includes information on: Remediation actions per day; Remediation distribution by category; Remediation list grouped by computers. Network Security History: Shows the changes done on scan targets between audits. Amongst others, the report includes changes related to
38. are configurable on a scan profile by scan profile basis. Make sure to enable security applications scanning in all profiles where this is required. The number of supported security applications is constantly updated. Click the link available in order to get the latest version of the list. Configuring security applications: advanced options. To configure alerting triggers for installed security applications in a particular scanning profile: 1. From Network & Security Audit Options tab, click Applications sub-tab. 2. Click Advanced Options tab. 3. Select the scanning profile that you wish to customize from the left pane under Profiles. 4. Select Enable scanning for installed applications on target computer(s) checkbox. 5. (Agent-less scans) Select Enable full security applications audit for agent-less scans checkbox. Antivirus Software: Generate high security vulnerabilities when: No antivirus software is detected; Antivirus is not up to date: Yes; Antivirus real-time monitoring is turned off; Antivirus is expired: Yes; Antivirus has detected malware on the scanned system: Yes. Antispyware Software: Generate high security vulnerabilities when: No antispyware software is detected: Yes; Antispyware product is not up to date: Yes; Antispyware real-time monitoring is turned off: Yes; Antispyware product is expired: Yes; Antispyware product has detected malware on the scanned system: Yes. Firewall S
39. assigned to you when you first register your license keys in our Customer Area at http://customers.gfi.com. 14.7 Build notifications. We strongly suggest that you subscribe to our build notifications list. This way, you will be immediately notified about new product builds. To subscribe to our build notifications, visit http://www.gfi.com/pages/productmailing.htm. 15 Glossary. TERM: Active Directory; AD; Anti-spyware; Anti-virus; Apache web server; Applications auto-uninstall; Auto-download; Auto-patch management; Auto-remediation; Backdoor program; Batch files; Blacklist; Bluetooth; Bulletin Information; CGI requests; Common Gateway Interface; Common Vulnerabilities and Exposures; CVE; Dashboard; Demilitarized Zone; deploycmd.exe; DMZ; DNS; DNS Lookup tool; Domain Name System. DESCRIPTION: A technology that provides a variety of network services, including LDAP-like directory services. See Active Directory. A software countermeasure that detects spyware installed on a computer without the user's knowledge. A software countermeasure that detects malware installed on a computer without the user's knowledge. An open source HTTP server project developed and maintained by the Apache software foundation. An action that enables the auto-uninstall of applications that support silent uninstall from GFI LanGuard. A GFI LanGuard technology that automat
40. be restarted for the tasks to complete. Screenshot 64: Reboot/shut down options. The table below describes the available options. Table 29: Advanced deployment options. Restart now: Reboots/shuts down the computer immediately after completing an administrative task. Remind me in: Specify a time interval (in minutes) when to remind the end user. Restart on: Specify the date and time when the machine reboots/shuts down. Don't bother me again: The user is not prompted again. 5.2.5 Define auto-remediation messages. GFI LanGuard allows you to specify warning messages for auto-remediation operations. You can customize predefined messages and set the language according to the target computer's language. To specify warning messages: 1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. 2. Click Remediate tab > Remediation Center. Select a remediation action from the right panel and click Options. 3. From Before Deployment tab, select Warn user before deployment (show a message). 4. Click Messages.
41. by performing a dictionary attack using the values stored in its default dictionary. A tool used to probe your network nodes and retrieve SNMP information. A form of malware intended to collect information from a computer without notifying the user. A tool used to test the password vulnerability of the sa account (i.e. root administrator) and any other SQL user accounts configured on the SQL Server. A module used to determine the result of vulnerability checks through the console (text) data produced by an executed script. This means that you can create custom Linux/UNIX vulnerability checks using any scripting method that is supported by the target's Linux/UNIX OS and which outputs results to the console in text. Acronym for Transmitting Control Protocol. This protocol is developed to allow applications to transmit and receive data over the internet using the well-known computer ports. A service that allows connecting to a target computer and managing its installed applications and stored data. A tool used to identify the path that GFI LanGuard followed to reach a target computer. A form of malware that contains a hidden application that will harm a computer. An acronym for User Datagram Protocol, these used to transfer UDP data between devices. In this protocol, received packets are not acknowledged. The Uniform Resource Locator is the address of a web page on the world wide web. A Serial bus standard widely used to conne
42. configure auto-remediation, refer to Automatic Remediation section in this manual. 6. Click Next and Finish to complete agent deployment. Alternate credentials must have administrative permissions on the scan targets. It is recommended to enable System Restore on the target scan computers if Auto-remediation is enabled in GFI LanGuard. 2.2.1 Custom agent deployment. The Custom option in the Deploy Agents wizard enables the creation of rules enabling you to search for specific computers. To launch the Add new rule dialog: Screenshot 4: Deploy agent wizard. 1. Select Custom from the Deploy Agents wizard. 2. Click Add new rule. Table 3 below describes the available options. Table 3: Add new rule. Rule type: Enables you to specify the target computers to scan. Select: Computer name is: manually enter a computer name or import the names from a saved text (.txt) file; Domain name is: select computers from one or more reachable domains; Organization unit is: select computers from one or more reachable organization units. Add: Add specified computer name to list. Remove: Remove selected computer from list.
43. credentials section in this manual. Email (Optional): Specify the email address on which the resulting report(s) will be sent at the end of this scan. Reports will be emailed to destination through the mail server currently configured in the Configuration tab > Alerting Options node of the management console. DontShowStatus (Optional): Include this switch if you want to perform silent scanning. In this way, the scan progress details will not be shown. I (Optional): Use this switch to show the command line tool usage instructions. Always enclose full paths and profile names within double quotes. For example, "path" or "path name" or "C:\temp\test.xml". The command line target scanning tool allows you to pass parameters through specific variables. These variables will be automatically replaced with their respective value during execution. Table 52 below describes the supported variables. Table 52: Supported variables in lnsscmd. SUPPORTED VARIABLE: DESCRIPTION. INSTALLDIR: During scanning, this variable will be replaced with the path to the GFI LanGuard installation directory. TARGET: During scanning, this variable will be replaced with the name of the target computer. SCANDATE: During scanning, this variable will be replaced with the date of scan. SCANTIME: During scanning, this variable will be replaced with the time of scan. For example how to launch t
44. document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. GFI makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.
45. Screenshot 78: Remediation jobs. 5. To stop a deployment action, right-click a remediation job entry and select Cancel selected deployment. 6 Configuring GFI LanGuard. 6.1 Introduction. GFI LanGuard enables you to run vulnerability scans straight out of the box using the default settings configured prior to shipping. If required, you can also customize these settings to suit any particular vulnerability management requirements that your organization might need. You can customize and configure various aspects of GFI LanGuard, including scan schedules, vulnerability checks, scan filters and scan profiles. 6.2 Scheduled Scans. Scheduled scans enable you to automate the process of performing regular scans, auditing and remediation procedures.
46. first deleted. Imports data from XML file to database. When specified, only vulnerabilities newer than the newest vulnerability in the database will be imported. Exports/Imports all scanning profiles. Exports/Imports all vulnerabilities. Exports/Imports all ports. Exports/Imports the specified scanning profile. Exports/Imports all vulnerabilities of the specified category. Exports/Imports the specified vulnerability (VULNCAT must be specified). Exports/Imports all ports of the specified type. Exports/Imports the specified port (PORTTYPE must be specified). If an item already exists in the target XML/database, that item will be skipped. If an item already exists in the target XML/database, that item will be overwritten. If an item already exists in the target XML/database, that item will be renamed to <value>. If PROFILE or VULN was specified port information merged with that item is a port or renamed by prefixing its name with <value> in any other case. Example, to export a specific alert: impex xml regcheck xml vuln Blaster Worm vulncat Registry Vulnerabilities. Example, to import a whole XML file: impex xml regcheck xml im. The Impex executable can be located in the GFI LanGuard installation folder. If the specified <xmlfile>, <dbfile>, <name>, <category> or <value> contain any space character, the whole value must be placed between double quotes. It is
47. free physical/virtual memory available. Storage details: including information regarding the storage of a target machine such as floppy disk drive, CD-ROM and hard drives. Display adapters: including information regarding the display and video devices of a target machine such as the device manufacturer. Other devices: including information of devices that does not fall under the mentioned categories above such as keyboard, ports, mouse and human interface devices. Software: Click Software to view all details involved in the software audit. The software audit amongst others displays information such as application name, publisher, version. Table 17 below describes the hardware information groups. Table 17: Software information from an audit. ICON DESCRIPTION. General Applications: Enumerates installed software on scan targets. Antivirus Applications: Lists installed antivirus engines on scan targets. Instant Messenger Applications: Lists all detected instances of Instant messenger applications on scan targets. Patch Management Applications: Specifies information of installed patches on scan targets. Web Browser Applications: Contains scanned targets that have Internet browsers installed. Firewall Applications: Enumerates information on installed Firewall applications on scan targets. Anti-phishing Applications: Lists information of installed ant
48. htm 4. GFI LanGuard can be set to automatically download missing patches and service packs discovered during a network security scan. For more information, refer to the Configuring Microsoft updates section in this manual. Screenshot 66: Remediation center. Deploy Security Patches: Use this option to deploy missing patches detected on your network. Deploy Service Packs: Deployment of service packs was done or is in progress since last security audit was made. Uninstall Security Patches: Use this option to uninstall patches currently deployed on network. Uninstall Service Packs: Use this option to uninstall service packs currently deployed on network. Deploy Custom Software: Use this option to deploy third party scripts and applications. Uninstall Applications: Uninstall unauthorized applications detected on network. Malware Protection: Use this option to fix problems identified with malware protection software in your network. Remote Support via Remote Desktop Connection: Use this option to remotely connect to specific targets for maintenance purposes. 5. From the left panel, expand and locate a computer or a domain to perform remediation actions. The available remediation actions are described below. Table 31: Remediation actions. ACTION DESCRIPTION Deploy Security Patches Deploy Service Packs Uninstall Softwa
49. local firewall. To scan a machine for viruses and spyware, the target machine must have anti-virus and anti-spyware installed.
    Screenshot 75: Malware protection
    To remediate malware protection vulnerabilities:
    1. Select Remediate tab > Remediation Center and click Malware Protection.
    2. Select the action/computer combination.
    3. Configure the authentication credentials to use; select from: Currently logged user, Alternative credentials, A null session.
    4. Select Deploy immediately to immediately uninstall any applications selected, or provide a date/time combination in the Deploy on field.
    5. Click Remediate Now to uninstall application
50. or manual updates refer to Program updates section in this manual.
    Screenshot 58: Product updates activity
    5 Fixing Vulnerabilities
    5.1 Introduction
    GFI LanGuard enables you to automatically fix some of the issues identified during your network audit using the built-in tools that ship with the product. Available actions include:
    Table 24: Automatic remediation actions
    Auto
51. patch management: Downloads missing updates and deploys them over the network.
    Applications auto uninstall: Auto uninstall of applications that support silent uninstall. The process involves a test phase called validation, during which an application is uninstalled automatically to identify if silent uninstall is supported by target application. If it is, all the other instances on the network are automatically uninstalled during a scan.
    5.2 Automatic Remediation
    Automatic Remediation enables you to automatically download and deploy missing patches as well as uninstall unauthorized applications during scheduled operations. To uninstall software, a 3-stage process is required in order to identify whether the selected application supports silent uninstall.
    Table 25: Automatic remediation stages
    Stage 1: Select the application to auto uninstall.
    Stage 2: Ensure that application supports silent uninstall. Test this by trying to remotely uninstall the application. This is the validation process.
    Stage 3: Set up a scheduled audit that will remove the unauthorized application. This is done automatically (using agents) or manually (agent-less approach).
    Auto-remediation and uninstallation of unauthorized applications only work with scanning profiles that detect missing patches and/or installed applications.
    By default, Microsoft updates are not enabled for automatic deployment. Manually approve each patch as it is teste
52. patches may be recalled due to newly discovered vulnerabilities or problems caused by the installation of these updates, such as conflict issues with present software or hardware. Examples of updates recalled by the manufacturer include patches MS03-045 and MS03-047 for Exchange that were released by Microsoft on October 15, 2006.
    Both patch deployment and patch rollback operations are managed by an agent service that manages all file transfers between GFI LanGuard and remote targets. This service is installed automatically on the remote target computer during the patch deployment process.
    The Remediation Center enables you to fix security issues found during a network scan by deploying or uninstalling applications from target machines. To access the Remediation Center, select Remediate tab > Remediation Center.
    To deploy missing patches on scan targets, ensure that GFI LanGuard is running under an account that has administrative privileges.
    Important notes
    1. Ensure that the NetBIOS service is enabled on the remote target computer. For more information on how to enable NetBIOS, refer to the Enabling NetBIOS on a network computer section in this manual.
    2. A complete list of Microsoft products for which GFI LanGuard can download and deploy patches is available at http://kbase.gfi.com/showarticle.asp?id=KBID001820
    3. Non-Microsoft software update patches supported by GFI LanGuard are available at http://www.gfi.com/lannetscan/3pfullreport
53. scan process to complete
    8.2.5 Creating a new scanning profile
    The Scanning Profiles Editor allows you to create new scanning profiles. To create a new custom scanning profile:
    1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011.
    2. Click the GFI LanGuard button > Configuration tab > Scanning Profile Editor.
    Screenshot 112: Launch the scanning profiles editor
    3. In Scanning Profiles Editor, from Common Tasks, click New scanning profile.
54. some operations performed during the scanning process need to open Internet connections.
    Screenshot 97: Configuring proxy server settings
    3. Select Override automatic proxy detection; configure the options described below.
    Table 40: Proxy settings
    Connect directly to the Internet: A direct internet connection is available.
    Connect via a proxy server: Internet access is through a proxy server. Update the Server name and port number using this format: <server>:<port>
    Proxy server requires authentication: (Optional) Enter username and password if required by the proxy server.
    6.7.2 Configure GFI LanGuard auto updates options
    GFI LanGuard can check for the availability of software updates at every program startup. To disable/enable this feature:
    1. Click on Configuration tab > Program Updates. From Common Tasks select Edit program updates options.
    Screenshot 98: Configure updates at application startup
    2. Select/unselect Check for
55. to the Database maintenance options section in this manual.
    To load saved scan results from the database backend or from XML files:
    1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011.
    2. Click the GFI LanGuard button > File > Load Scan Results from > Database.
    Screenshot 21: Reloaded scan results
    3. Select the saved scan result and click OK.
    The right-pointing arrow indicates that the scan did not complete successfully.
    3.5.3 Save and load scan result in XML format
    Scan results are an invaluable source of information for systems administrators. GFI LanGuard results are stored in a Microsoft SQL Server or a Microsoft Access database. In addition, scan results can also be exported to XML.
    To save scan results to XML file:
    1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011.
    2. Click on Sc
56. Screenshot 59: Application inventory
    2. From the right panel, locate the application to configure as unauthorized and, under Unauthorized on, click the Click to configure link.
57. 0 Display results
    4.11 Configure credentials
    4.12 Monitoring activity
    Fixing Vulnerabilities
    5.1 Introduction
    5.2 Automatic Remediation
    5.3 Remediation center
    5.4 Deploy security patches and service packs
    5.5 Uninstall software patches and service packs
    5.6 Deploy custom software
    5.7 Uninstall custom applications
    5.8 Malware protection actions
    5.9 Using remote support
    5.10 Remediation jobs
    Introduction
    1.1 Introduction to GFI LanGuard
    1.2 About this manual
    6 Configuring GFI LanGuard
    6.1 Introduction
    6.2 Scheduled scans
    6.3 Applications inventory
    6.4 Configuring s
58. Screenshot 121: Scanning Profiles properties, Patches tab options
    Enabling/disabling missing patch detection checks
    To enable missing patch detection checks in a particular scanning profile:
    1. From the Vulnerability Assessment Options tab, click Patches sub-tab.
    2. Select the scanning profile that you wish to customize from the left pane under Profiles.
    3. In the right pane, select Detect installed and missing service packs/patches option.
    Missing patch scanning parameters are configurable on a scan profile by scan profile basis. Make sure to enable missing patch scanning in all profiles where missing patch scanning is required.
    Customizing the list of software pat
59. Screenshot 96: Program updates
    This tool enables GFI LanGuard to detect the latest vulnerabilities and maintain its scanning performance. Configure GFI LanGuard to auto-download updates released by GFI to improve functionalities in GFI LanGuard. These updates also include checking GFI web site for newer builds. Updates can be enabled/disabled by selecting the checkbox in the Auto download column.
    GFI LanGuard can download all Unicode languages. This includes (but is not limited to) English, German, French, Italian, Spanish, Arabic, Danish, Czech, Finnish, Hebrew, Hungarian, Japanese, Korean, Dutch, Norwegian, Polish, Portuguese, Portuguese (Brazilian), Russian, Swedish, Chinese, Chinese (Taiwan), Greek and Turkish.
    6.7.1 Configure GFI LanGuard Proxy settings
    To manually configure proxy server settings for internet updates:
    1. Click on Configuration tab > Program Updates.
    2. From Common Tasks select Edit proxy settings.
    Note: Patch file download, scheduled updates and
60. Screenshot 119: Edit vulnerability
    5. If more than one condition is set up, define conditional operators and click OK to finalize your configuration settings.
    6. (Optional) Click Advanced in the Vulnerabilities tab to launch the advanced vulnerabilities scanning options.
    Screenshot 120: Advanced vulnerability scanning dialogs
    The options in Advanced Vulnerabilities Options are used to:
    Configure extended vulnerability scanning features that check your target computers for weak passwords, anonymous
61. Screenshot 28: The audit policy administration wizard
    2. Select/unselect auditing policies accordingly, and click Next to deploy the audit policy configuration settings on the target computer(s).
    Screenshot 29: Results dialog in audit policy wizard
    3. At this stage, a dialog will show whether the deployment of audit policy settings was successful or not. To proceed to the next stage, click Next. Click Back to re-deploy settings on failed computers.
    4. Click Finish to finalize configuration.
    Groups users
    Rogue, outdated or default user accounts can be exploited by malicious or unauthor
62. 3.5.1 Vulnerability level rating
    The vulnerability level is a rating given by GFI LanGuard to each computer after it is scanned. The rating indicates the vulnerability level of a computer/network, depending on the number and type of vulnerabilities and/or missing patches found.
    Screenshot 20: Vulnerability level meter
    High vulnerability ratings are the result of identified vulnerabilities and/or missing patches that are classified as high risk.
    When a number of computers are scanned in a single audit session, a measurement of the global vulnerability level is based on a weighted sum of the vulnerabilities detected on the computers scanned.
    The vulnerability level is indicated using a color-coded graphical bar. A red colour code indicates a high vulnerability level, while a green colour code indicates a low vulnerability level.
    3.5.2 Loading saved scan results from database
    By default, saved scan results are stored in a database. GFI LanGuard stores the results data of the last 10 scans performed per scanning profile. You can configure the number of scan results that are stored in a database file. For more information refer
63. From Scan Results Overview, expand a computer node to access results retrieved during the scan. Security scan results are organized in two sub-nodes tagged as:
    Vulnerability Assessment
    Network & Software Audit
    While a scan is in progress, each computer node has an icon that categorizes the response time. Table 13 below describes the different icons used by GFI LanGuard to categorize the response time. The first icon indicates that the scan is queued, while the second icon indicates that the scan is in progress.
    Table 13: Response time icons
    Fast response: Less than 25ms
    Medium response: Between 25ms and 100ms
    Slow response: More than 100ms
    3.6.1 Vulnerability assessment
    Screenshot 23: The Vulnerability Assessment node
    Click on any Vulnerability Assessment node to view the security vulnerabilities identified on the target computer, grouped by type and severity as follows:
    High Security Vulnerabilities
    Low Security Vulnerabilities
    Potential v
64. Credentials drop-down menu, select the log on method used by GFI LanGuard to log onto the scan targets. Table 6 below describes the available log on methods.
    Table 6: Logon and audit options
    Currently logged on user: Use the current logged on user credentials when logging on scan targets.
    Alternative credentials: Use custom credentials. Key in the user name and password to use.
    A null session: Log onto scan targets using a null session. The user will log onto the target machine as an anonymous user.
    A private key file: Log onto UNIX machines using SSH. A user name and password is required.
    6. (Optional) Select Use per computer credentials when available to log on to target machines using the credentials specified in the Dashboard. For more information on how to configure computer credentials using the dashboard, refer to Configure credentials section in this manual.
    7. (Optional) Select Remember credentials to use the configured credentials as default when performing an audit.
    8. Click Scan to start auditing the selected targets.
    For more information on Scanning Profiles, refer to the Scanning Profiles section in this manual.
    The credentials provided need to have administrator privileges in order for GFI LanGuard to log on to the target computers and carry out the network audit.
    3.2.2 Step 2: Analyze scan results
    One of the key steps in a network security audit is to analyze scan results and identify the
65. Customize the list of TCP Ports through Add, Edit or Remove.
    The list of supported TCP/UDP Ports is common for all profiles. Deleting a port from the list will make it unavailable for all scanning profiles.
    8.4.2 Configuring UDP port scanning options
66. A standard that promotes open and publicly available security content and standardizes the transfer of this information across the entire spectrum of security tools and services.
    See Open Vulnerability and Assessment Language.
    A background service that handles the deployment of patches, service packs and software updates on target computers.
    A high-level computer programming/scripting language.
    Desktop Protocol: A protocol developed by Microsoft to enable clients to connect with the user interface of a remote computer.
    SANS: An acronym for System Administration, Networking and Security research organization. An institute that shares solutions regarding system and security alerts.
    Scan profiles: A collection of vulnerability checks that determine what vulnerabilities are identified and which information will be retrieved from scanned targets.
    Script Debugger: A GFI LanGuard module that allows you to write and debug custom scripts using a VBScript-compatible language.
    SNMP: Acronym for Simple Network Management Protocol, a technology used to monitor network devices such as routers, hubs and switches.
    SNMP Auditing tool: A tool that reports weak SNMP community strings
    SNMP Walk tool; Spyware; SQL Server Audit tool; SSH Module; TCP ports; Terminal Services; Traceroute tool; Trojans; UDP ports; Uniform Resource Locator; Universal Serial Bus; URL; USB; VBScript; Virus; Web server
67. ETWORK AND SOFTWARE AUDIT SCANNING PROFILES
    Trojan Ports: Use this scanning profile to enumerate open TCP/UDP ports that are commonly exploited by known Trojans. The list of TCP/UDP ports to be scanned can be customized through the TCP Ports and UDP Ports tabs respectively. Only the TCP/UDP ports commonly exploited by known Trojans are scanned by this profile. Network auditing operations, as well as enumeration of other open TCP/UDP ports and missing patches, are not performed by this profile.
    Port Scanner: Use this scanning profile to enumerate open TCP/UDP ports, including those most commonly exploited by Trojans. The list of ports that will be enumerated by this profile can be customized through the TCP/UDP ports tab.
    Software Audit: Use this scanning profile to enumerate all software applications installed on scan targets. This includes security software such as anti-virus and anti-spyware.
    Full TCP & UDP Scan: Use this scanning profile to audit your network and enumerate all open TCP and UDP ports.
    Only SNMP: Use this scanning profile to perform network discovery and retrieve information regarding hardware devices (routers, switches, printers, etc.) that have SNMP enabled. This enables you to monitor network-attached devices for conditions that require administrative attention.
    Ping Them All: Use this scanning profile to audit your network and enumerate all computers that are currently connected and r
68. From the list of missing patches/service packs, select the updates to deploy. Right-click on the list to access Check/Uncheck all options.
    Screenshot 68: Deploying missing patches on selected computers
    6. From the list of target computers, select the target computers where to deploy patches/service packs. Right-click on list to access Check/Uncheck all options.
    Screenshot 69: Deploy patches
    7. Select the preferred launch deployment option:
       Choose Deploy on to schedule patch/service pack deployment to a later date/time. Specify date and time.
       Choose Deploy immediately to start the deployment immediately. Click Remediate Now.
    8. Configure the authentication credentials to use; select between: Currently logged user, Alternative credentials, A null session.
    9. Follow any on-screen instructions if applicable.
    5.4.1 Patch deployment warning message
    Deploying patches triggers a warning message on the target computer to inform users about the installation process. Depending on the patch deploy
69. To indicate an application as unauthorized:
    1. Click on Configuration tab > Applications inventory sub-node.
    2. From the list of applications detected on the right, double-click the application to set as unauthorized.
    Screenshot 83: Unauthorized application scanning profile
    3. Select the scanning profile for which this application will be set as unauthorized and click Next.
    4. GFI LanGuard can associate partial names with entries already in the list. As a result, the system will prompt you to confirm whether to apply the same changes also to applications that partially have the same name.
    5. Click Finish to finalize settings.
    6.3.1 Adding a new unauthorized application
    To add a new application manually without using the inventory:
    1. Click Configuration tab > Applications in
70. Screenshot 24: Missing Service pack, Bulletin info dialog
    3.6.2 Network & Software Audit
    Screenshot 25
71. LanGuard 2011 > GFI LanGuard 2011
    2. Click Utilities tab and select Enumerate Computers in the left pane under Tools.
    3. In the Enumerate computers in domain dropdown, select the desired domain.
    4. From Common Tasks in the left pane, click Edit Enumerate Computers options, or Options on the right pane.
    5. Select whether to enumerate computers from Active Directory or Windows Explorer.
    6. Click Retrieve to start the process.
    For an Active Directory scan, you will need to run the tool under an account that has access rights to the Active Directory.
    9.5.1 Starting a security scan
    The Enumerate Computers tool scans your entire network and identifies domains and workgroups as well as their respective computers. After enumerating the computers in a domain or workgroup, you can use this tool to launch a security scan on the listed computers. To start a security scan directly from the Enumerate Computers tool, right-click on any of the enumerated computers and select Scan.
    You can also launch a security scan and at the same time continue using the Enumerate Computers tool. This is achieved by right-clicking on any of the enumerated computers and selecting Scan in background.
    9.5.2 Deploying custom patches
    You can use the Enumerate Computers tool to deploy custom patches and third party software on the enumerated computers. To launch a deployment process directly from this tool:
    1. Sele
72. Screenshot 51: Dashboard Hardware
    4.9 System Information
    The System Information tab displays information associated with the operating system of a scan target(s). For a description of terms used in this result, refer to System Information section in this manual.
73. Screenshot 47: Dashboard, Vulnerabilities (Details pane: High Security Vulnerability, All Servers: Adcycle build.cgi; Type: Web; Date: 20 November 2000; Product: Adcycle; Description: build.cgi, if it has execute permission and is in the cgi directory, passwords can be compromised and remote users can delete your data; References: CVE-2000-1161, SecurityFocus 1969). 4.5 Patches view: Display more details on the missing/installed patches and service packs found during a network audit. When a patch/service pack is selected from the List, the Details section provides more information on the selected patch/service pack. From the Details section, click View computers having this patch missing to display a list of computers having the selected patch missing. For a description of terms used in this result, refer to the System Patching Status section in this manual.
74. Only the applications in the list below: Specify names of applications that are authorized for installation. These applications will be ignored during a security scan. All applications except the ones in the list below: Specify the names of the applications that are unauthorized for installation. Applications not in this list will be ignored during a security scan. 6. In the Ignore (Do not list/save to db) applications from the list below options, key in applications by clicking Add. Any application listed is whitelisted. Include only one application name per line. Advanced application scanning options
75. Screenshot 87: Patch auto deployment. Advanced Options: To configure auto-remediation: 1. Click Configuration tab > Security Updates > Patch Auto Deployment and from Common Tasks, click Advanced options. Screenshot 88: Patch Auto Deployment Advanced Options (check boxes in the dialog: Send mail when new patches or service packs are available; Enable patches and service packs auto approval; Automatically approve all Microsoft patches; Automatically approve all Microsoft service packs; Automatically approve all non-Microsoft patches. By enabling patches and service packs auto approval, all missing patches and service packs will automatically be deployed to target computers after scheduled scans.) 2. Select the appropriate check boxes and click OK to save changes. Manage applicable scheduled scans: The Manage applicable scheduled scan option enables you to configure scheduled scans that trigger auto deployment of pa
76. Screenshot 109: Scheduled reports settings. 3. From Schedule report template, select the report template to generate. 4. (Optional) Key in a valid report name and description. 5. Select your scan targets. 6. Configure the frequency of when the report is generated. 7. (Optional) Select Export to file and click Export settings to save the schedule report settings and use them with another report. 8. (Optional) Select Send by email and click Alerting options to send the report by email and configure alerting options. For information about Alerting options, refer to the Configuring alerting options section in this manual. Scheduled reports options: To configure additional scheduled reports settings: 1. Click Scheduled reports options. 2. Click Alerting Options to configure email settings to use to send reports. 3. Click Storage Options to specify the format and the location where generated reports are saved. By default all generated rep
77. Screenshot 86: Manage applicable schedule scans. 2. From the Manage applicable schedule scans dialog, click one of the options described in Table 37 below. Table 37: Manage applicable schedule scans (OPTION: DESCRIPTION). Edit selected scan: Modify the selected schedule scan. For more information on how to edit an existing scheduled scan, refer to the Scheduled Scans section in this manual. Create a new scheduled scan: Add a new scheduled scan using the new scheduled scan wizard. For more information on how to set up a new scheduled scan, refer to the Setting up a scheduled scan section in this manual. View all scheduled scans: Manage scheduled scans. For more information on how to edit an existing scheduled scan, refer to the Scheduled Scans section in this manual. 6.4 Configuring security updates. 6.4.1 Patch Auto-deployment settings: GFI LanGuard ships with a patch auto-deployment feature that enables you to automatically deploy missing patches and service packs in all 38 languages supported by Microsoft products. GFI LanGuard also supports patching of third-party (non-Microsoft) patches. For a complete list of supported third-party applications, visit http://www.gfi.com/lannetscan/3pfullreport.htm
78. Screenshot 148: Independent checks, Python Script Test (check description shown in the dialog: Executes a Python script and returns a boolean value). For more information on Python scripting, refer to the GFI LanGuard scripting documentation located in Start menu > Programs > GFI LanGuard 2011. 12 GFI LanGuard certifications. 12.1 Introduction: GFI LanGuard is OVAL and CVE certified. 12.2 About OVAL: Open Vulnerability and Assessment Language (OVAL) is an international information security community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the OVAL community. The language standardizes the three main steps of the assessment process
79. Solution: GFI LanGuard uses a different approach than other port scanners to detect open ports. To view the status of a port and determine if the port is closed or opened: 1. Click Start > Programs > Accessories > Command Prompt. 2. Key in netstat -an and press Enter. 3. The generated list displays all computer active connections. For more information, refer to http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/netstat.mspx?mfr=true 14.3 The Troubleshooting wizard: The GFI LanGuard troubleshooting wizard is a tool designed to assist you when encountering technical issues related to GFI LanGuard's use. To use the GFI LanGuard troubleshooting wizard: 1. Launch the troubleshooting wizard from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011 Troubleshooter. 2. Click Next in the introduction page. Screenshot 151: Troubleshooter wizard, Information details. 3. In the Information details page, select one of the following options d
80. TION General information: Select this option to display information on the: Domain name, Operating system, Service pack installed, Last scan date and time, Operating system language. NOTE: Server and VM columns enable you to identify if the selected computer is a server or a virtual machine respectively. Agent Details: Select this option to view the agent status. This option enables you to identify if an agent is installed on a computer and, if yes, displays the type of credentials being used by the agent. Vulnerabilities: View the number of vulnerabilities found on a computer, grouped by severity. Severity of a vulnerability can be: High, Medium, Low, Potential. For a full description of each rating, refer to the Vulnerability assessment section in this manual. Patching status: View the number of: Missing patches, Missing service packs, Installed patches, Installed service packs. Open ports: View the number of: Open TCP ports, Open UDP ports, Backdoors. Software: View the number of: Antiphishing engines, Antispyware engines, Antivirus engines, Backup applications, Data loss prevention applications, Device access and disk encryption applications, Firewalls, Installed applications, Instant messengers, Peer-to-peer applications, Unauthorized applications, Virtual machines, VPN clients, Web browsers. Hardware: View informati
81. The network and software audit node: Click Network & Software Audit to view security vulnerabilities identified on scanned targets. Here, vulnerabilities are grouped by type and severity as follows: System Patching Status, Ports, Hardware, Software, System Information. System Patching Status: Click System Patching Status to view all missing and installed patches on a target machine. Table 15: System patching status. Missing Patches: Missing software patches. Installed Service Packs: Installed service packs. Installed Patches: Installed software patches. Screenshot 26: System patches status. Ports: Click Ports to view all open TCP and UDP ports detected during a scan. If a commonly exploited port is discovered to be open, GFI LanGuard marks it in red. Some software products may use the same ports as known Trojans. For additional security, GFI LanGuard identifies these ports as a threat. Apart from detecting
82. U USB devices 1 113 115 130 132 184 Index V VBscript 2 153 155 175 Vulnerability Assessment 1 27 97 114 117 124 153 155 Vulnerability level rating 24 Vulnerability management strategy 4 W Whois 139 142 176 GFI LanGuard USA CANADA AND CENTRAL AND SOUTH AMERICA 15300 Weston Parkway Suite 104 Cary NC 27513 USA Telephone 1 888 243 4329 Fax 1 919 379 3402 ussales gfi com ENGLAND AND IRELAND Magna House 18 32 London Road Staines Middlesex TW18 4BP UK Telephone 44 0 870 770 5370 Fax 44 0 870 770 5377 Sales afi com EUROPE MIDDLE EAST AND AFRICA GFI House San Andrea Street San Gwann SGN 1612 Malta Telephone 356 2205 2000 Fax 356 2138 2419 Sales gfi com AUSTRALIA AND NEW ZEALAND 83 King William Road Unley 5061 South Australia Telephone 61 8 8273 3000 Fax 61 8 8273 3099 Sales gfiap com Disclaimer 2011 GFI Software All rights reserved All product and company names herein may be trademarks of their respective owners The information and content in this document is provided for informational purposes only and is provided as is with no warranty of any kind either express or implied including but not limited to the implied warranties of merchantability fitness for a particular purpose and non infringement GFI Software is not liable for any damages including any consequential damages of any kind that may result from the use of this
83. Screenshot 54: Computer Domain list. 4.11 Configure credentials: Regardless of the network size, systems administrators typically have to use different sets of credentials for different computers. Systems such as Linux-based environments often use special authentication methods such as public key authentication. Such methods generally also require special custom logon credentials, for example private key files instead of the conventional password strings. The GFI LanGuard Dashboard enables you to configure a different set of logon credentials for each computer to scan. The scanning engine will use the specified credentials to authenticate on target computers. 1. From the GFI LanGuard home page, select View Dashboard. 2. From the left panel, right-click a computer or domain and select Properties.
84. Screenshot 153: Troubleshooter fixed known issues. 6. The troubleshooter will fix any known issues that it encounters. Select Yes if your problem was fixed, or No if your problem is not solved to search the GFI Knowledge Base for information. 14.4 Knowledge Base: GFI maintains a Knowledge Base, which includes answers to the most common problems. The Knowledge Base always has the most up-to-date listing of technical support questions and patches. To access the Knowledge Base, visit http://kbase.gfi.com 14.5 Web Forum: User-to-user technical support is available via the web forum. The forum can be found at http://forums.gfi.com 14.6 Request technical support: If you have referred to this manual and our Knowledge Base articles, and you still cannot solve issues with the software, contact the GFI Technical Support team by filling in an online support request form or by phone. Online: Fill out the support request form on http://support.gfi.com/supportrequestform.asp Follow the instructions on the page to submit your support request. Phone: To obtain the correct technical support phone number for your region, visit http://www.gfi.com/company/contact.htm We will answer your query within 24 hours or less, depending on your time zone. Before you contact our Technical Support team, ensure that you have your Customer ID available. Your Customer ID is the online account number that is
85. Screenshot 2: Home page. 2. From the Home menu, select Manage Agents.
86. Screenshot 114: Scanning Profiles properties, Vulnerabilities tab options. Adding, editing or removing vulnerabilities from the list applies the changes to all the profiles where the edited vulnerabilities are selected. 8.3.1 Configure Vulnerabilities: To enable
87. al Select Deploy on, configure the date and time when you want to uninstall the selected application/patch. 6. Configure the authentication credentials to use; select between: Currently logged user, Alternative credentials, A null session. 7. Click Remediate Now to start the uninstall process. 5.6 Deploy custom software: Apart from security updates and patches, GFI LanGuard also enables you to remotely deploy third-party or custom software network-wide. Software that can be remotely deployed includes: Security applications such as anti-virus/anti-spyware solutions and software firewalls; Third-party software updates and patches such as anti-virus/anti-spyware signature file updates; Custom code such as scripts and batch files; Desktop applications such as Microsoft Office 2007 and more. To specify which software to deploy: 1. Click on Remediate tab > Remediation Center. 2. Click Deploy Custom Software. Screenshot 71: List of software to be deployed. 3. Use the options described in Table 32 below to add the applications to deploy. Table 32: Options available in Deploy Custom Software (OPTION: DESCRIPTION). Add: Click this button to launch the
88. all validation in this manual. 5.2.3 Auto-remediation options: To edit the general deployment options after a scan: 1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. 2. Click Remediate tab > Remediation Center. Select a remediation action from the right panel and click Options. Screenshot 61: Before deployment options. 3. Configure Before Deployment options described below. Table 26: Before deployment (OPTION: DESCRIPTION). Warn user before deployment (show message): Displays a message on the target machine to warn the user before deploying software. Wait for user's approval: Waits for user approval before deploying software. Messages: Click Messages to select the end-user's computer language and define the warning message. For more information, refer to the Define auto-remediation messages section in this manual. Administrative shares: Make a copy of the software on the default network shares. Custom shares: Make a copy of the software in a custom share. Key in the folder name in the text box. Remember settings: Saves your configured s
89. an 3. Launch a new scan or load a scan from the database. 4. Click the GFI LanGuard button > File > Save Scan Results. 5. Locate the destination where you want to save the XML and click Save. To load saved scan results from an XML file: 1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. 2. Click the GFI LanGuard button > File > Load Scan Results from > XML File. 3. Locate the scan results to load and click OK. 3.6 Audit result details: On scan completion, the Results section displays a graphical representation of the vulnerability level, including the scan result in more detail. To access the Results section: 1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. 2. Wait for a scan to complete or load a result from the database/file. 3. Click Scan.
90. another email address. From: The sender email address. GFI LanGuard will use this email account to send the required emails. Server: Defines the server through which emails are routed. This can be either an FQDN (Fully Qualified Domain Name) or an IP Address. Port: Defines the IP port through which emails are routed. Default value is 25. SMTP Server requires login: Select this option if the SMTP server requires a username and password to authenticate. 4. Click on the Verify Settings button to verify email settings. 5. Click OK to finalize settings. 6.6 Database maintenance options: GFI LanGuard ships with a set of database maintenance options through which you can maintain your scan results database backend in good shape. For example, you can improve product performance and prevent your scan results database backend from getting excessively large by automatically deleting scan results that are older than a specific number of months. If you are using a Microsoft Access database backend, you can also schedule database compaction. Compaction enables you to repair any corrupted data and to delete database records marked for deletion in your database backend, ensuring the integrity of your scan results database. 6.6.1 Selecting a database backend: GFI LanGuard supports both Microsoft Access and Microsoft SQL Server (2000 or higher) based database backend. Storing scan results in a MS Access database ba
91. applications. Application auto-uninstall validation. Screenshot 85: Application auto uninstall validation (the page reads: Use the validation feature to identify which unauthorized applications can be automatically uninstalled by GFI LanGuard. Select unauthorized applications for validation and click the Validate button. Click the Manage applicable scheduled scans button to set scheduled scans which will automatically uninstall validated applications. To mark applications detected during past scans as unauthorized, click on the Applications Inventory node.) Application auto-uninstall validation enables you to validate the uninstallati
92. arget computer scanning from the command line tool. For this example, we will be assuming that a scan with the following parameters is required: 1. Perform a security scan on a target computer having IP address 130.16.130.1. 2. Output the scan results to c:\out.xml (i.e. XML file). 3. Generate an HTML report and save it in c:\result.html. 4. Send the HTML report via email to lanss@127.0.0.1. The command line tool instruction for this particular security scan is: lnsscmd.exe 130.16.130.1 /Profile="Default" /Output="c:\out.xml" /Report="c:\result.html" /email="lnss@127.0.0.1" 10.3 Using the command line patch deployment tool (deploycmd.exe): The deploycmd.exe command line patch deployment tool allows you to deploy Microsoft patches and third-party software on remote targets directly from the command line, or through third-party applications, batch files or scripts. The deploycmd.exe command line tool supports the following switches: deploycmd <target> </file=FileName> [/username=UserName /password=Password] [/UseComputerProfiles] [/warnuser] [/useraproval] [/stopservices] [/customshare=CustomShareName] [/reboot] [/rebootuserdecides] [/shutdown] [/deletefiles] [/timeout=Timeout(sec)] Table 53: deploycmd command switches. Target: Specify the name(s), IP or range of IPs of the target computer(s) on which the patch(es) will be deployed. File: Specify the file that you wish to deploy on the specified target
93. browse button and locate the text file. Click OK to apply changes. NOTE: When submitting a list of target computers from file, ensure that the file contains only one target computer name per line. Domain name is: Search and add computers that are members of a domain. Select the domains from the list and click OK. IP address is: Search and add computers by IP address. Select This computer to add the local host, or Scan another computer to add a remote computer. Key in the IP address if required and click OK. IP address range is: Search and add computers within an IP range. Select Scan an IP address range and key in the IP range, or select CIDR subnet and key in the range using CIDR notation. NOTE: The Classless Inter-Domain Routing (CIDR) provides an alternative way of specifying an IP address range. The notation is as follows: <Base address>/<IP network prefix>. Example: 192.168.0.0/16. Organization unit is: Search and add computers within an organizational unit. Click Select and from the list select the Organizational units. Click OK. 2. To identify the rule for future use, key in a valid name in Group name and click OK. 3.3 Scheduled scan: A scheduled scan is a network audit that is scheduled to run automatically on a specific date/time and at a specific frequency. Scheduled scans can be set to execute once or periodically. Scheduled scan status is monitored using t
94. Screenshot 113: The Scanning Profile Editor. Adding, editing or removing vulnerabilities from the list applies the changes to all the profiles where the edited vulnerabilities are selected. 4. Specify
95. cal or domain/workgroup groups (ports: TCP 139, TCP 445; protocol: SMB, File and printer sharing, Remote registry). Appendix: Data Processed by GFI LanGuard (columns: DATA, DESCRIPTION, PORTS, PROTOCOL). Users: Lists local or domain/workgroup users (ports: TCP 139, TCP 445; protocol: SMB, File and printer sharing, Remote registry). Logged on users: Lists locally and remotely logged on users (ports: TCP 139, TCP 445; protocol: SMB, File and printer sharing, Remote registry). Sessions: Lists the active sessions at the time of the scan (ports: TCP 139, TCP 445; protocol: SMB, File and printer sharing, Remote registry). Services: Lists every service discovered during a scan (ports: TCP 139, TCP 445; protocol: SMB, File and printer sharing, Remote registry). Processes: Lists every active process discovered during a scan (ports: TCP 139, TCP 445; protocol: SMB, File and printer sharing, Remote registry). Remote TOD (time of day): Lists the current time and uptime of the scanned target(s) (ports: TCP 139, TCP 445; protocol: SMB, File and printer sharing, Remote registry). Index. A: Agent-less audit 4, 11; Attendant service 3, 16; Audit result summary 23; Audit schedule 6; Auto remediation 6, 79. B: Bulletin Info 28, 125
96. Screenshot 22: Detailed view tab. Scan Results Overview: Displays information related to the scanned computer or domain. Scan Results Details: Displays information related to the scan performed on target computer, including vulnerabilities found, system patching status, etc.
97. [Screenshot 9: Scan result details]
3. From the Scan tab, analyze the scan results from the provided views described below.
Table 7: Scan Results
Scan Results Overview: Provides summarized information about the last scan. Information provided includes scanned target names and the number and type of vulnerabilities detected during the scan.
Scan Results Details: This section enables users to select a scan target from the Scan Results Overview section in order to display detailed information about every vulnerability detected on the selected computer.
For more information about scan results, refer to the Audit Result Summary, Audit Result Details and Analyzing Results sections in this manual.
To load saved scan results, go to File > Load Scan Results from > Database / XML file.
3.2.3 Step 3: Remediate vulnerabilities
GFI LanGuard enables you to imm
98. cessing and auditing to be done on target machines; once an audit is finished, the result is sent to GFI LanGuard.
Agents will:
Reduce scanning time
Minimize bandwidth consumption
Provide real-time results
Agents can only be deployed on Microsoft Windows operating systems.
2.2 Deploying agents
To configure agent deployment:
1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011.
[Screenshot: GFI LanGuard 2011 management console welcome screen]
99. ches to be scanned
To specify which missing security updates will be enumerated and processed by a scanning profile:
1. From the Vulnerability Assessment Options tab, click the Patches sub-tab.
2. Select the scanning profile to customize from the left pane under Profiles.
[Screenshot 122: Select the missing patches to enumerate. Columns: Bulletin names, Severity, QNumber, Date posted, Title]
100. ckend
To store scan results in a Microsoft Access database:
1. Click Configuration tab > Database Maintenance Options > Database backend settings.
[Screenshot 91: The database maintenance properties dialog]
2. Select the MS Access option and specify the full path (including the file name) of your Microsoft Access database backend.
The specified database file is created if it does not exist. If the specified database file already exists and belongs to a previous version of GFI LanGuard, you are asked to overwrite the existing information.
3. Click OK to finalize settings.
Storing scan results in an MS SQL Server database
To store scan results in a Microsoft SQL Server database:
1. Click Configuration tab > Database Maintenance Options > Database backend settings.
101. [Screenshot 1: GFI LanGuard script debugger]
Use this module to create scripts for custom vulnerability checks, through which you can custom-scan network targets for specific vulnerabilities. GFI LanGuard script debugger is accessible from Start > Programs > GFI LanGuard 2011 > GFI LanGuard Script Debugger.
1.4 Vulnerability management strategy
GFI recommends you to follow the sequence below for an effective vulnerability management strategy:
1. Configure Agents. For more information, refer to the Managing Agents section in this manual.
2. Analyze. For more information, refer to the Analyzing results section in this manual.
3. Remediate. For more information, refer to the Fixing vulnerabilities section in this manual.
Using agents is highly recommended because they provide real-time result analysis and reduce network bandwidth consumption. Agent-less audit is also available in GFI LanGuard. This enables you to perform audits manually or repeatedly
102. console after completion of a scan. This string is formatted as follows: AddListItem parent node actual string
parent node: Includes the name of the scan results node to which the result will be added.
actual string: Includes the value that will be added to the scan results node.
Each vulnerability check is bound to an associated scan result node. This means that AddListItem results are by default included under an associated default vulnerability node. In this way, if the parent node parameter is left empty, the function will add the specified string to the default node.
SetDescription: This string triggers an internal function that will overwrite the default description of a vulnerability check with a new description. This string is formatted as follows: SetDescription New description
SCRIPT_FINISHED: This string marks the end of every script execution. The SSH module will keep looking for this string until it is found or until a timeout occurs. If a timeout occurs before the SCRIPT_FINISHED string is generated, the SSH module will classify the respective vulnerability check as failed.
It is imperative that every custom script outputs the SCRIPT_FINISHED string at the very end of its checking process.
11.3.2 Adding a vulnerability check that uses a custom shell script
In the following example we wil
103. ct devices to a host computer.
See Uniform Resource Locator.
See Universal Serial Bus.
A Visual Basic Scripting language is a high-level programming language developed by Microsoft.
A form of malware that infects a computer. The aim of a virus is to harm a computer by corrupting files and applications. A virus is a self-replicating program and can copy itself all over the computer system.
A server that provides web pages to client browsers using the HTTP protocol.
White list: A list of USBs or Network devices names that are not considered as dangerous. When a USB/Network device name contains a white-listed entry while scanning a network, GFI LanGuard will ignore the device and consider it as a safe source.
Whois tool: A tool that enables you to look up information on a particular domain or IP address.
Wi-Fi: See Wireless LAN.
Wireless LAN: A technology used commonly in local area networks. Network nodes use data transmitted over radio waves instead of cables to communicate with each other.
XML: See Extensible Markup Language.
16 Appendix: Data Processed by GFI LanGuard
16.1 Introduction
When auditing networks, GFI LanGuard enumerates the information described below from the specified scan target(s).
16.2 System Patching Status
Missing service packs: Discovers missing Microsoft and non-Microsoft service packs. Ports: TCP 139, TCP 445. Protocol: SMB, File and printer
104. ct the computers that require deployment.
2. Right-click on any of the selected computers and select Deploy Custom Patches.
9.5.3 Enabling auditing policies
The Enumerate Computers tool also allows you to configure auditing policies on particular computers. This is done as follows:
1. Select the computers on which you want to enable auditing policies.
2. Right-click on any of the selected computers and select Enable Auditing Policies. This will launch the Auditing Policies configuration Wizard that will guide you through the configuration process.
9.6 Enumerate users
[Screenshot 141: The Enumerate Users tool dialog]
To scan the Active Directory and retrieve the list of all users and contacts included in this database:
1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011.
2. Click Utiliti
105. curity Updates Downloads
The Security Updates Downloads screen enables you to monitor, pause, cancel or change the priority of all the scheduled patch downloads.
[Screenshot 57: Security updates download]
The icon in the first column indicates the download status. Table 22 below describes the different statuses.
Table 22: Updates download status
Downloaded: Update downloaded
106. d or set all Microsoft updates as approved.
Always test patches in a test environment before deployment.
5.2.1 Automatically deploy missing updates
To deploy missing patches automatically, follow the instructions below before configuring a scan with auto-remediation options.
Approve the patches to deploy automatically:
1. From the Configuration tab, navigate to Security Updates > Patch Auto Deployment.
2. Select the patches to approve for auto deployment.
Optionally, set the automatic patch approval options by selecting the To automatically approve patches and/or service packs click here option. For more information, refer to the Auto deployment settings section in this manual.
5.2.2 Automatically uninstall unauthorized applications
To uninstall unauthorized applications automatically, follow the instructions below before setting up a scan with auto-remediation options.
To define the unauthorized applications list:
1. From the Configuration tab, select the Applications inventory sub-node.
[Screenshot: Applications Inventory]
107. [Screenshot 146: The check triggering conditions dialog]
7. Select Independent checks > VBScript node and click Next button to continue setup.
8. Click Choose file and select the custom VBScript file that will be executed by this check. For this example, select myscript.vbs. Click Next to proceed.
9. Select the relative condition setup in the wizard to finalize script selection. Click Finish to exit wizard.
10. Click OK to save new vulnerability check.
Testing the vulnerability check script used in example
Scan your local host computer using the scanning profile where the new check was added. In Scan tab > Results, a vulnerability warning will be shown in the Vulnerability Assessment node of the scan results.
11.3 GFI LanGuard SSH Module
GFI LanGuard includes an SSH module which handles the execution of vulnerability scripts on Linux/UNIX-based systems. The SSH module determines the result of vulnerability checks through the console (text) data produced by an executed script. This means that you can create custom Linux/UNIX vulnerability c
108. dialog(s). If static IP is being used or the DHCP server does not provide NetBIOS setting, select the Enable NetBIOS over TCP/IP option.
14 Troubleshooting
14.1 Introduction
The troubleshooting chapter explains how you should go about resolving any software issues that you might encounter. It explains the use of the GFI LanGuard troubleshooting wizard. The main sources of information available to users are:
The manual: most issues can be solved by reading this manual
The GFI Knowledge Base: http://kbase.gfi.com
The GFI technical support site: http://support.gfi.com
The GFI Web forum: http://forums.gfi.com
Contacting the GFI technical support team by email at support@gfi.com
Contacting the GFI technical support team using our live support service at http://support.gfi.com/livesupport.asp
Contacting our technical support team by telephone
14.2 Common Issues
Table 55: GFI LanGuard common issues
Issue encountered: When trying to access the Change database tab while configuring an SQL database, a Failed to connect to database error is encountered.
Description: This issue may occur when the following two conditions are met: GFI LanGuard is installed on Windows 2000 SP4 with MDAC 2.5 SP 3, and the database backend is Microsoft SQL having the database instance name different from the SQL machine name.
Solution: In
109. downloaded patches are stored, click the Patch Repository tab and specify the required details.
5. To change the timeframe during which patch downloads are performed, click on the Timeframe tab and specify the required details.
GFI LanGuard can use patch files downloaded by Microsoft WSUS when deploying missing patches and service packs on target computers. To use Microsoft WSUS downloaded files, select Use files downloaded by Microsoft WSUS when available and specify the Microsoft WSUS downloaded patches location.
6. Click OK to finalize settings.
6.5 Configuring alerting options
To configure alerting options:
1. Click Configuration tab > Alerting options.
2. Click the link in the right pane.
[Screenshot 90: Configuring Alerting Options]
3. Key in the parameters described in Table 38 below.
Table 38: Mail settings parameters
To: The recipient email address. Emails sent by GFI LanGuard are received by this email address.
CC: Key in another email address in this field if you need to send a copy to
110. [Screenshot residue: Title column of the missing patches list]
3. In the right pane, select/unselect which missing patches are enumerated by this scanning profile.
Searching for bulletin information
[Screenshot 123: Searching for bulletin information]
To search fo
111. e 54: impex command switches; Table 55: GFI LanGuard common issues; Table 56: Information gathering options.
List of screenshots
Screenshot 1: GFI LanGuard script debugger; Screenshot 2: Home page; Screenshot 3: Manage agents; Screenshot 4: Deploy agent wizard; Screenshot 5: Agent properties; Screenshot 6: Agent auto remediation; Screenshot 7: Launch manual scan; Screenshot 8: Manual scan settings; Screenshot 9: Scan result details; Screenshot 10: Custom target properties; Screenshot 11: New Scheduled Scan dialog; Screenshot 12: Scheduled scan frequency; Screenshot 13: Select scanning profile; Screenshot 14: Remote logon credentials; Screenshot 15: Scheduled scan auto remediation options; Screenshot 16: Scheduled scan reporting options; Screenshot 17: Review scheduled scan job; Screenshot 18: Scheduled scan status; Screenshot 19: Scan summary; Screenshot 20: Vulnerability level meter; Screenshot 21: Reloaded scan results; Screenshot 22: Detailed view tab; Screenshot 23: The Vulnerability Assessment node; Screenshot 24: Missing Service pack: Bulletin info dialog; Screenshot 25: The network and software audit node; Screenshot 26: System patches status; Screenshot 27: All UDP and TCP ports found during a scan; Screenshot 28: The audit policy administration wizard; Screenshot 29: Results dialog in audit policy wizard; Screenshot 30: View Dashboard; Screenshot 31: Network Security Level; Screenshot 32: Computer Vulnerab
112. [Screenshot 130: The Devices configuration page, USB Devices tab options]
To compile a list of unauthorized/unsafe USB devices:
1. From the Network & Security Audit Options tab, click the Devices sub-tab.
2. Click USB Devices tab.
3. Select the scanning profile that you wish to customize from the left pane under Profiles.
4. In the right pane, specify which devices you want to classify as high security vulnerabilities in the space provided under Create high security vulnerability for USB devices which name contains. For example, if you enter the word iPod, you will be notified through a high security vulnerability alert when a USB device whose name contains the word iPod is detected.
To create a USB device white list, specify which USB devices you want to ignore during network vulnerability scanning in the space provided under Ignore (Do not list/save to db) devices which name contains.
Only include one USB device name per line.
8.4.5 Configuring applications scanning options
The Applications tab enables you to specify which applications will trigger an alert during a scan.
[Screenshot residue: GFI LanGuard Scanning Profiles Editor]
113. [Screenshot 14: Remote logon credentials]
8. (Optional) Specify Remote logon credentials and click Next. Remote logon credentials can be either one of the following:
Table 10: Remote logon credentials
GFI LanGuard 10 Attendant Service account: Performs the scan using the credentials specified while installing GFI LanGuard 2011.
Alternative credentials: Specify alternate credentials to connect to the scan computers. NOTE: Ensure the supplied credentials have administrative privileges.
SSH Private Key: Key in a username and select the key file used to log on to UNIX/Linux-based systems.
Use per computer credentials when available: Use predefined credentials for the scan being configured. For more information, refer to the Configure credentials section in this manual.
[Screenshot residue: New scheduled scan, Step 6 of 8: Specify auto-remediation options]
114. e the options described below:
Table 28: Advanced deployment options
Number of deployment threads: Key in the number of threads to use when deploying software. The number of threads determines the number of simultaneous deployment
Deploy patches under the following administrative account: Select this option to use a custom administrative account to log and deploy patches on target machines. Key in a valid username and password. The account selected must have Log on as service privilege on the target computers. For more information on how to configure an account with log on as service privilege, refer to http://technet.microsoft.com/en-us/library/cc739424(WS.10).aspx
Deploy patches with their original names: Deploy patches on target machines using the original patches name. If this option is not selected, GFI LanGuard will give a unique name for each patch.
6. Click OK to apply changes.
5.2.4 End user reboot and shut down options
When configuring After Deployment settings in Auto-remediation options, you can configure GFI LanGuard to notify and let the user decide when to reboot or shut down the computer after completing an administrative task. The below dialog opens on the user's computer and enables him/her to select one of the following options:
[Dialog text: Administrative tasks have been performed by GFI LanGuard. Your computer needs to
115. e when GFI LanGuard will generate high security vulnerability alerts if it detects certain configurations of a security application. Alerts are generated when:
No anti-virus, anti-spyware or firewall is detected
A fake anti-virus or anti-spyware is detected
Anti-virus or anti-spyware definitions are not up to date
Anti-virus or anti-spyware real-time monitoring is turned off
Anti-virus or anti-spyware product is expired
Anti-virus or anti-spyware product detects malware on the scanned computer(s)
Firewall is disabled
HTTP/FTP timeout when checking for product updates on remote sites: This option generates an alert if the number of seconds defined for timeout is exceeded.
Enabling/disabling checks for security applications
To enable checks for installed security applications in a particular scanning profile:
1. From the Network & Security Audit Options tab, click on the Applications sub-tab.
2. Click on the Advanced Options tab.
3. Select the scanning profile that you wish to customize from the left pane under Profiles.
4. Select Enable scanning for installed applications on target computer(s) checkbox.
5. (Agent-less scans) Select Enable full security applications audit for agent-less scans checkbox.
Agent-less scans temporarily run a small service on the remote computers in order to retrieve the relevant information.
Security applications scanning
116. ection enables you to determine the current network vulnerability level, the top most vulnerable computers and the number of computers in the database.
To display the Dashboard section:
1. Launch GFI LanGuard management console and, from the Home page, select View Dashboard.
[Screenshot residue: Dashboard overview]
117. ecurity updates
6.5 Configuring alerting options
6.6 Database maintenance options
6.7 [title illegible]
6.8 Importing and Exporting Settings
7 Reporting
7.1 Introduction
7.2 [title illegible]
7.3 [title illegible]
7.4 [title illegible]
7.5 [title illegible]
8 Scanning Profiles
8.1 Introduction
8.2 Scanning profile description
8.3 Configure Vulnerabilities Assessment options
8.4 Configure Network & Software Audit options
8.5 Configuring the security scanning options
9 Utilities
9.1 Introduction
9.2 DNS lookup
9.3 Traceroute
9.4 Whois
9.5 Enumerate computers
9.6 Enumerate users
118. [Screenshot 108: Report sample]
7.3.2 Scheduled reports
GFI LanGuard enables you to automate reporting functions by scheduling reports. To schedule reports:
1. Click Reports tab.
2. From Actions, select New scheduled report.
[Screenshot residue: Add New Scheduled Report dialog]
119. ediately remediate the detected vulnerabilities through the Remediate tab. For more information on remediating vulnerabilities, refer to the Fixing Vulnerabilities section in this manual.
3.2.4 Custom target properties
Target rules are custom rules used by GFI LanGuard to find a target computer or a domain. Click Scan tab > define button to launch the Custom target properties dialog.
[Screenshot 10: Custom target properties]
To create a new target rule:
1. Click Add new rule and configure search criteria. Table 8 below describes the available rule types.
Table 8: Custom target properties
Computer name is: Search and add computers by name. Key in a valid computer name and click Add for each computer. Click OK to apply changes.
Computers file list is: Search and add computers from a text file. Click the
120. edule patch/service pack deployment to a later date/time.
Remediate now: Start deployment immediately.
8. To view the deployment progress, click Remediation Jobs from the right panel. For more information, refer to the Remediation Jobs section in this manual.
5.7 Uninstall custom applications
Using this feature you can control the installed applications on which computers and uninstall any unauthorized applications present on network computers.
To uninstall applications:
1. Select Remediate tab > Remediation Center and click Uninstall Applications.
[Screenshot residue: Remediation Center, Uninstall Applications]
121. [Screenshot 55: Configuring computer credentials] 3. From the Credentials section, select the Authenticate using checkbox to configure the authentication method. Table 21 below describes the available authentication methods. Table 21: Authentication methods (columns: OPTION, DESCRIPTION). Currently logged on user: Uses the currently logged on user credentials when logging on to target machines. Alternative credentials: Uses custom credentials. Key in the user name and password to use. A null session: Logs in to target machines using a null session. The user will log into the target machine as an anonymous user. A private key file: Uses SSH private key authentication (Linux based systems). A username and a key file are required. 4. Click OK. 4.12 Monitoring activity: Scheduled Activity is all the GFI LanGuard operations that have been set up to trigger at a later date and time. To view current activity: 1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. 2. Click Activity Monitor tab. [Screenshot: Activity Monitor]
122. [Screenshot 79: Scheduled scans] 6.2.1 Reviewing, editing or deleting scan schedules: Scan schedules can be reviewed, edited or deleted from Configuration tab > Scheduled Scans node. [Screenshot 80: Scheduled scan toolbar] All scans are listed in the review page together with the relevant information. Use the scheduled scan toolbar to perform the actions described in Table 35 below. Table 35: Options to manage scanning profiles. Add new scan: Display the New scheduled scan wizard and create a new scheduled scan. Delete: Use this button to delete the selected scheduled scan. Pro
123. [Screenshot 127: Scanning Profiles properties, System Information tab options] To specify what System Information is enumerated by a particular scanning profile: 1. From the Network & Security Audit Options tab, click System Information sub-tab. 2. Select the scanning profile that you wish to customize from the left pane under Profiles. 3. From the right pane, expand the Windows System Information group or Linux System Information group accordingly. 4. Select which Windows/Linux OS information is retrieved by the security scanner from scanned targets. For example, to enumerate administrative shares in scan results, expand the Enumerate shares option and set the Display admin shares option to Yes. 8.4.4 Configuring Devices scanning options: Use the Devices tab to enumerate network devices. Together with device enumeration, you can further configure GFI LanGuard to generate high security vulnerability alerts whenever a USB or Network device is detected. This is achieved by compiling a list of unauthorized (blacklisted) Network and USB devices that you want to be alerted about. [Screenshot: GFI LanGuard Scanning Profiles Editor]
124. ers, Enumerate Users, SNMP Audit, SNMP Walk, SQL Server Audit. 9.2 DNS lookup: DNS lookup resolves domain names into the corresponding IP address and retrieves particular information from the target domain (for example, MX record, etc.). To resolve a domain/host name: 1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. 2. Click Utilities tab and select DNS Lookup in the left pane under Tools. 3. Specify the hostname to resolve in the Hostname/IP to resolve textbox. [Screenshot: DNS Lookup tool]
125. ervice; Domain name; Domain controllers; File server service; MAC address; Time to live (TTL); Network role; Domain. Users sharing entire hard drives; shares that have weak or incorrectly configured access permissions; Startup folders and similar system files that are accessible by unauthorized users, or through user accounts that do not have administrator privileges but are allowed to execute code on target computers; Unnecessary or unused shares; Incorrectly configured lockout control; Password strength enforcement policies; Security holes or breaches; Hardware and software settings, such as which drivers and applications will be automatically launched at system startup; Rogue computers; Wrong configurations; Rogue computers; Wrong configurations. (columns: CATEGORY, INFORMATION PROVIDED, HELPS TO IDENTIFY) Groups; Users; Logged On Users; Services; Processes; Remote TOD (time of day). Security audit policy; Account operators; Administrators; Backup operations; Guest; Full name; Privilege; Flags; Login; List of logged on users; Lists hosts remotely connected to the target computer during scanning; List of active services; List of active processes; Time of remote workstation, server or laptop W
126. [Screenshot 48: Dashboard Patches] 4.6 Ports view: Display more details on the open ports found during a network audit. When a port is selected from the Port List, the Details section provides more information on the selected port. From the Details section, click View computers having this port open to display a list of computers having the selected port open. For a description of terms used in this
127. [Screenshot 52: Dashboard System information] 4.10 Display results: GFI LanGuard includes a filtering option that allows you to quickly find a computer or domain and immediately display the results. To display the result for a particular domain or computer: 1. Click Dashboard tab. 2. From the left panel, select the filtering criteria. Select between the pre-defined criteria or click Advanced filtering to add additional criteria. [Screenshot 53: Dashboard filtering criteria] 3. From the left panel, select the computer/domain. The dashboard automatically updates the results on selection. [Screenshot: computer and domain tree]
128. es tab and select Enumerate Users in the left pane under Tools. 3. In the Enumerate users in domain dropdown menu, select the desired domain. 4. From Common Tasks in the left pane, click Edit Enumerate Users options or Options on the right pane to filter the information to extract and display only the users or contacts details. In addition, you can optionally configure this tool to highlight disabled or locked accounts. 5. Click Retrieve to start the process. This tool can enable or disable enumerated user accounts. Right-click on the account and select Enable/Disable account accordingly. 9.7 SNMP Auditing: [Screenshot 142: SNMP Audit tool] This tool identifies and reports weak SNMP community strings by performing a dictionary attack using the values stored in its default dictionary file snm
129. escribed below. Table 56: Information gathering options (columns: OPTION, DESCRIPTION). Automatically detect and fix known issues (Recommended): Configure GFI LanGuard to automatically detect and fix issues. Gather only application information and logs: Gather logs to send to GFI support. 4. Click Next to continue. [Screenshot 152: Troubleshooter wizard, Gathering information about known issues] 5. The troubleshooter wizard will retrieve all the information required to solve common issues. Click Next to continue. [Screenshot: Troubleshooter wizard, Known Issues]
130. etrieve to start the process. 9.3 Traceroute: Traceroute identifies the path that GFI LanGuard followed to reach a target computer. [Screenshot 138: Trace route tool] To use the traceroute tool: 1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. 2. Click Utilities tab and select Traceroute in the left pane under Tools. 3. In the Trace domain/IP/name dropdown, specify the name/IP or domain to reach. 4. (Optional) Under Common Tasks in the left pane, click on Edit Traceroute options or click Options on the right pane to change the default options
131. ettings and uses them during the next remediation job. [Screenshot 62: After deployment options] 4. Click After Deployment tab. Configure After Deployment options described below. Table 27: After deployment (columns: OPTION, DESCRIPTION). Do not reboot/shutdown the computer: Select this option to leave scan target(s) turned on after remediating vulnerabilities. Reboot the target computers: Reboots the computers after remediating vulnerabilities. Shut down the target computers: Target machine will shut down after deploying software. Immediately after deployment: Reboots/shuts down computers immediately after remediating vulnerabilities. At the next occurrence of: Specify the time when the computers reboot/shut down. When between: This option enables you to specify two time values. If the remediation job is completed between the specified times, the computer(s) will reboot/shut down immediately. Otherwise, the reboot/shut down operation i
132. g: Total physical memory, Free physical memory, Total virtual memory, Free virtual memory. Lists every storage device discovered during a scan. Storage devices include: Hard disks, Virtual hard disks, Removable disks, Floppy drives, CD/DVD drives. Lists video cards discovered during a scan. PORTS: TCP 139, TCP 445, DCOM 135, DCOM dynamic (repeated for each row). PROTOCOL: SMB File and printer sharing, Remote registry, WMI (repeated for each row). (columns: DATA, DESCRIPTION, PORTS, PROTOCOL) Other devices: Lists generic devices discovered. PORTS: TCP 139. PROTOCOL: SMB
133. ght pane to create a network device blacklist, specify which devices you want to classify as high security vulnerabilities in the space provided under Create a high security vulnerability for network devices which name contains. For example, if you enter the word wireless, you will be notified through a high security vulnerability alert when a device whose name contains the word wireless is detected. To create a network device white list, specify which devices you want to ignore during network vulnerability scanning in the space provided under Ignore (Do not list/save to db) devices which name contains. Note: Only include one network device name per line. Configuring advanced network device scanning options: [Screenshot 129: Advanced network devices configuration dialog] From the Network Devices tab, you can also specify the type of network devices checked by this scanning profile and reported in the scan results. These include wired network devices, wireless network devices, software enumerated network devices and virtual network devices. To specify which network device
134. gned for performance, reliability and scalability, which caters for medium to large networks. GFI LanGuard consists of the following components. GFI LanGuard management console: The management console enables you to configure and use GFI LanGuard 2011. It also enables you to analyze audit results. GFI LanGuard attendant service: GFI LanGuard attendant is the background service that manages all scheduled operations, including scheduled network security scans, patch deployment and remediation operations. GFI LanGuard agent deployment: GFI LanGuard provides you with the facility to use agents. These enable real time result analysis and reduce network bandwidth consumption. Depending on how you configure GFI LanGuard, agents are deployed automatically on newly discovered machines or on manually selected computers. For more information on GFI LanGuard Agents, refer to the Managing Agents chapter in this manual. GFI LanGuard patch agent service: GFI LanGuard patch agent is the background service that handles the deployment of patches, service packs and software updates on target computers. GFI LanGuard Script Debugger: The GFI LanGuard Script Debugger is the module that allows you to write and debug custom scripts using a VBScript compatible language. [Screenshot: GFI LanGuard Script Debugger]
135. he Activity Monitor tab > Security Scans. Scheduled scans also enable: Automatic download and deployment of missing updates detected during a scheduled audit; Email notifications on network threats detection; Consecutive scan comparison reports generation and email distribution; Automatic uninstallation of unauthorized applications. 3.3.1 When to use scheduled Scans: GFI recommends scheduled scans: When GFI LanGuard Agent is not deployed on the target computer; To automatically perform periodical/regular network vulnerability scans using same scanning profiles and parameters; To automatically trigger scans after office hours and generate alerts and auto distribution of scan results via email; To automatically trigger auto remediation options (Example: Auto download and deploy missing updates). For more information on auto remediation and deployment options, refer to 4 Automatic Remediation section in this chapter. Ensure that the GFI LanGuard Attendant service is running, otherwise scheduled operations will fail to start. To view GFI LanGuard Attendant service, click Start > Run, key in services.msc and press Enter. Locate GFI LanGuard Attendant Service and ensure that Status is Started. 3.4 Setting up scheduled scans: 1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. 2. Click Configu
136. hecks using any scripting method that is supported by the target operating system. 11.3.1 Keywords: The SSH module can run security scanning scripts through its terminal window. When a security scan is launched on Linux/UNIX based target computers, vulnerability checking scripts are copied through an SSH connection to the respective target computer and run locally. The SSH connection is established using the logon credentials (i.e. username and password/SSH Private Key file) specified prior to the start of a security scan. The SSH module can determine the status of a vulnerability check through specific keywords present in the text output of the executed script. These keywords are processed by the module and interpreted as instructions for GFI LanGuard. Standard keywords identified by the SSH module include: TRUE / FALSE, AddListItem, SetDescription, ISCRIPT_FINISHED. Each of these keywords triggers an associated and specific process in the SSH Module. The function of each keyword is described below. TRUE / FALSE: These strings indicate the result of the executed vulnerability check script. When the SSH module detects a TRUE, it means that the check was successful; FALSE indicates that the vulnerability check has failed. AddListItem: This string triggers an internal function that adds results to the vulnerability check report (i.e. scan results). These results are shown in the GFI LanGuard 2011 management
137. highly recommended not to use the Impex tool if GFI LanGuard application (LanGuard.exe) or LanGuard scanning profiles (scanprofiles.exe) are running. For example: VULN Apache Apache doc directory. It is recommended that if the vulnerabilities are imported into another installation, that installation will have the same build number as the one the database has been exported from. 11 Adding vulnerability checks. 11.1 Introduction: Scripts that identify custom vulnerabilities can be created using any VBScript compatible scripting language. By default, GFI LanGuard ships with a script editor that you can use to create your custom scripts. New checks must be included in the list of checks supported by GFI LanGuard. Use the Vulnerability Assessment tab to add new checks to the default list of vulnerability checks on a scan profile by scan profile basis. GFI LanGuard also supports Python scripting. For more information on GFI LanGuard Python scripting, refer to this section in this manual. Only expert users should create new vulnerability checks. Scripting errors and wrong configurations in a vulnerability check can result in false positives or provide no vulnerability information at all. 11.2 GFI LanGuard VBscript language: GFI LanGuard supports and runs scripts written in VBscript compatible languages. Use VBscript compatible languages to create custom scripts that can be
138. i phishing engines on scan targets. VPN Client Applications: Includes information on installed Virtual Private Network clients on scan targets. Peer To Peer Applications: Shows installed Peer To Peer applications on scan targets. Click System Information to view all details related to the operating system installed on a target machine. Table 18 below describes the system information groups. Table 18: System information from an audit (columns: CATEGORY, INFORMATION PROVIDED, HELPS TO IDENTIFY). Shares; Password Policy; Security Audit Policy; Registry; NETBIOS Names; Computer. Share name; Share remark (extra details on the share); Folder which is being shared on the target computer; Share permissions and access rights; NTFS permissions and access rights; Minimum password length; Maximum password length; Minimum password expiry date; Force logoff; Password history; Audit account logon events; Audit account management; Audit directory service access; Audit logon events; And more; Registered owner; Registered organization; Product name; Current build number; Workstation s
139. ically downloads missing patches and service packs in all 38 languages. A GFI LanGuard technology that automatically downloads missing Microsoft updates and deploys them over the network. A GFI LanGuard technology that automatically downloads and deploys missing patches. If an application is blacklisted in GFI LanGuard, auto remediation will uninstall the application from the target computer during scheduled operations. An alternative method used to access a computer or computer data over a network. A text file containing a collection of instructions to be carried out by an operating system or an application. A list of USB or Network device names that are considered dangerous. When a USB/Network device name contains a blacklisted entry while scanning a network, GFI LanGuard will report the device as a security threat (High security vulnerability). An open wireless communication and interfacing protocol that enables exchange of data between devices. Contains a collection of information about a patch or a Microsoft update. Used in GFI LanGuard to provide more information on an installed patch or update. Information includes Bulletin id, title, description, URL and file size. See Common Gateway Interface. A communication script used by web servers to transfer data to a client internet browser. A list of standardized names for vulnerabilities and other information security exposures. The aim of CVE is to standardize the names for a
140. [Screenshot 15: Scheduled scan auto remediation options] 9. From the auto remediation dialog, select the required options and click Next. Table 11 below describes the list of available options. Table 11: Auto remediation options (columns: OPTION, DESCRIPTION). Automatically download and deploy missing patches: Automatically download and deploy missing patches on target machines. Automatically download and deploy missing service packs: Automatically download and deploy missing service packs on target machines. Automatically uninstall unauthorized applications: If this option is selected, all applications validated as unauthorized will be uninstalled from the scanned computer (unauthorized applications are defined in Application Inventory). For more details, see Application auto uninstall. Configure auto remediation: Automatically remove unauthorized applications from target machines. Unauthorized applications are defined in the Application Inventory. For more details, see Application auto uninstall. View applications which this scan will uninstall: Click the link to launch the Applications which will be uninstalled dialog. This will list all the applications that will be uninstalled when the scheduled scan is fin
141. ies tab respectively. Use this scanning profile to enumerate network vulnerabilities that emerged during the last 12 months. Use this scanning profile to identify web server specific vulnerabilities. This includes scanning and enumerating open TCP ports that are most commonly used by web servers, such as port 80. Only TCP ports commonly used by web servers are scanned by this profile. Network auditing operations, as well as enumeration of vulnerabilities and missing patches, are not performed using this profile. Use this scanning profile to enumerate missing patches. The list of missing patches that will be enumerated by this profile can be customized through the Patches tab. Use this scanning profile to enumerate only missing patches that are tagged as critical. The list of critical patches that will be enumerated by this profile can be customized through the Patches tab. Use this scanning profile to enumerate only missing patches that were released last month. The list of missing patches that will be enumerated by this profile can be customized through the Patches tab. Use this scanning profile to enumerate missing service packs. The list of service packs that will be enumerated by this profile can be customized through the Patches tab. 8.2.3 Network & Software Audit: Table 47 below describes in detail the scans involved in the Network and Software audit scanning profile. Table 47: Network and Software audit scanning profiles. N
142. if Auto remediate Missing Patches option is enabled for the scheduled scan. NOTE: this placeholder is used only for post scheduled scan reports. Used in the report if Auto remediate Missing Service Packs option is enabled for the scheduled scan. NOTE: this placeholder is used only for post scheduled scan reports. Used in the report if Auto remediate Uninstall Applications option is enabled for the scheduled scan. NOTE: this placeholder is used only in post scheduled scan reports. 7.5 Full text searching: The full text search feature returns results in a structured and configurable manner. Any returned results offer clickable links for further details. To use the full text search feature: 1. Click Reports tab and Search sub-tab. 2. Enter your search item and click Search. [Screenshot: Reports tab, Search sub-tab with advanced search options]
143. [Screenshot 144: SQL Server Audit] 3. In the Audit MS SQL Server dropdown menu, specify the IP address of the SQL Server that you wish to audit. 4. From Common Tasks in the left pane, click Edit SQL Server Audit options or Options button on the right pane to edit the default options, such as performing dictionary attacks on all the other SQL user accounts. 5. Click Audit to start the process. 10 Using GFI LanGuard from the command line. 10.1 Introduction: In this chapter you will discover how to use the three command line tools bundled with GFI LanGuard: lnsscmd.exe, deploycmd.exe and impex.exe. These command line tools allow you to launch network vulnerability scans and patch deployment sessions, as well as importing and exporting profiles and vulnerabilities, without loading up the GFI LanGuard management console. The tools are configured through a set of command line switches; the complete list of supported switches, together with a description of the respective function, is provided below. 10.2 Using the command line scanning tool lnsscmd.exe: The lnsscmd.exe command line target scanning tool allows you to run vulnerability checks against network targets directly from the command line, or through third party applications, batch files and scripts. The Ins
144. ile before it is installed. reboot (Optional Parameter): Include this switch if you want to reboot the target computer after file/patch deployment. rebootuserdecides (Optional Parameter): Include this switch to allow the current target computer user to decide when to reboot his computer after patch installation. shutdown (Optional Parameter): Include this switch if you want to shutdown the target computer after the file/patch is installed. deletefiles (Optional Parameter): Include this switch if you want to delete the source file after it has been successfully installed. timeout (Optional Parameter): Specify the deployment operation timeout. This value defines the time that a deployment process will be allowed to run before the file/patch installation is interrupted. Optional: Use this switch to show the command line tool's usage instructions. Example: how to launch a patch deployment process from the command line tool. For this example, we will be assuming that a patch deployment session with the following parameters is required: 1. Deploy a file called patchA001002 XXxX. 2. On target computer TMJohnDoe. 3. Reboot the target computer after successful deployment of the file. The command line tool instruction for this particular patch deployment session is: deploycmd TMJohnDoe file patchA001002 XXX reboot. 10.4 Using the command line import and export tool impex.exe: The Impex tool is a command l
145. ility Distribution Screenshot 33 Most Vulnerable Computers Screenshot 34 Agent Status when selecting a domain workgroup Screenshot 35 Audit status chart Screenshot 36 Vulnerability Trends Over Time for a domain workgroup Screenshot 37 Vulnerability Trends Over Time for a single computer Screenshot 38 Computers by network role Screenshot 39 Computers by operating system Screenshot 40 Computer Details Screenshot 41 Scan activity Screenshot 42 Remediation activity Screenshot 43 Top 5 issues to address Screenshot 44 Result statistics Screenshot 45 Analyze results by computer Screenshot 46 Dashboard History Screenshot 47 Dashboard Vulnerabilities Screenshot 48 Dashboard Patches Screenshot 49 Dashboard Ports Screenshot 50 Dashboard Software Screenshot 51 Dashboard Hardware Screenshot 52 Dashboard System information Screenshot 53 Dashboard filtering criteria Screenshot 54 Computer Domain list Screenshot 55 Configuring computer credentials Screenshot 56 Action Center Scheduled Activity Screenshot 57 Security updates download Screenshot 58 Product updates activity Screenshot 59 Application inventory Screenshot 60 Mark application as unauthorized Screenshot 61 Before deployment options Screenshot 62 After deployment options Screenshot 63 Advanced deployment options Screenshot 64 Reboot shut down options Screenshot 65 Warning messages Screenshot 66 Remediat
146. ility will be triggered when the below conditions are met AND El Not maj A f Independent HTTP Banner Test Fle Attribute Banner Operator pattern match e Value Server AbyssiO 1 00 1 0 S 0 E Windows Group Test Object 22552 Attribute Group Operator exists Value Description tetrieves and examines the HTTP banner From the target computer add Edt Delete clear C Gane Gd Screenshot 117 Vulnerability conditions setup tab To add a vulnerability check condition 1 Click Add 120 Scanning Profiles GFI LanGuard Check properties Step 1 of 3 Select the type of check Specify what do you want to check From the list below Check type Independent Checks F Independent CGI Abuse Test F Independent DNS Banner Test F Independent Family Test J Independent File MDS Test 2 Independent FTP Banner Test F Independent HTTP Banner Test F Independent POPS Banner Test oe J Independent Port Open Test ot Independent Python Script Test 2 Independent SMTP Banner Test J Independent 55H Banner Test F Independent TCP Banner Test Check description Executes a Python script and returns a boolean value Screenshot 118 Check properties wizard 2 Select the type of check to be configured and click Next 3 Define the object to examine and click Next 4 Set attributes desired parameters and click Finish to finalize your settings GFI LanGuard Scanning Profiles 1
147. in Table 39 below Table 39 Database retention options Keep scans generated during the Keep scan results generated during the specified number of last days weeks months Keep scans per scan target per Specify the number of scan results to keep for every scan target by profile number of every scan profile Never delete history Select this option if you want to keep all scan history Keep history for the last Keep scan history for the specified number of days weeks months 3 Click OK to finalize settings 6 7 Program updates GFI LanGuard 2011 Co E eE Dlie Dashboard Scan Remediate Activity Monitor Reports Configuration Utilities Discuss this version Configurations gt z Program Updates pe E Agents Management Program updates enable GFI LanGuard to detect the latest vulnerabilities and maintain outstanding scanning performance A Inventory L Auto Uninstall Validation Auto download Type of update Last Update Check Last Download Last Update Version i Security Updates Check for newer builds Never 20110802 A Patch Auto Deployment Patch Management Definitions 05 08 2011 14 50 26 05 08 2011 14 51 34 4 i kel Patch Auto Download Microsoft Patch Detection Data 05 08 2011 14 50 26 03 08 2011 21 18 49 1 Alerting Options Patch Management Prerequisites 05 08 2011 14 50 26 03 08 2011 21 12 06 1 iE Database Maintenance Options GFI LANguard Vulnerabilities Update 05 08 2011 14 50 26 03 08 20
148. ine tool that can be used to Import and Export profiles and vulnerabilities from GFI LanGuard Network Security Scanner The parameters supported by this tool are the following impex H XML xmlfile DB dbfile EX MERGE IM ONLYNEWER PROFILES VULNS PORTS PROFILE name VULNCAT cat VULN name PORTTYPE type PORT number SKIP OVERWRITE RENAME value Table 54 impex command switches H running without Displays help information parameters XML lt xmlfile gt This parameter specifies the name of the imported or exported XML file lt xmlfile gt needs to be replaced with the name of the file the profile is being exported to NOTE This parameter is mandatory to import or export alerts GFI LanGuard Using GFI LanGuard from the command line 151 OPTION DESCRIPTION DB lt dbfile gt EX MERGE IM ONLYNEWER PROFILES VULNS PORTS PROFILE lt name gt VULNCAT lt category gt VULN lt name gt PORTTYPE lt type gt PORT lt number gt SKIP OVERWRITE RENAME lt value gt Where lt dbfile gt is the database file to be used during the import export operation If this is not specified the default operationsprofiles mdb file will be used Exports data from database to XML file Default option If this is specified when the target XML for export already exists the file will be opened and data will be merged otherwise the XML file is
149. Select: Select where to deploy agents from a list of reachable computers.
   Import: Specify the location of a saved text (.txt) file with the list of computer names where to deploy agents.
   Export: Export the defined list of computers and save it for future use.
   Only include a single computer name per line in the import file.
   3. Click OK once the rule is defined to save and continue with the Deploy Agents wizard.
   2.3 Configuring Agents
   2.3.1 Agents settings
   To configure additional agents settings:
   1. From the Configuration tab, select Agents Management.
   2. Click Agents Settings.
   3. (Optional) Table 4 below describes the available agent settings.
   Table 4: Agents settings
   Auto uninstall: Set the number of days after which GFI LanGuard Agents automatically uninstall themselves if the host computer is unresponsive for the set period of days.
   Agents report using: Specify the communication ports used by GFI LanGuard and GFI LanGuard Agents.
   4. Click OK to save and close the dialog.
   Communication on TCP port 135 and 1070 must be enabled in Windows firewall for GFI LanGuard Agents to send data to GFI LanGuard.
   2.3.2 Customizing agents
   Agents can be modified through the Properties dialog. To access agent properties:
   1. Click Configuration tab > Agents Management.
   2. From the right pane, right-click an agent and select Properties.
   3. (Optional) From the General tab, specify the authentication method
150. ion center Screenshot 67 Select the updates to deploy Screenshot 68 Deploying missing patches on selected computers Screenshot 69 Deploy patches Screenshot 70 Uninstall security patches Screenshot 71 List of software to be deployed Screenshot 72 Target computers for software deployment Screenshot 73 Launch deployment options Screenshot 74 Uninstall applications Screenshot 75 Malware protection Screenshot 76 Remote desktop connection Screenshot 77 Remote desktop connection Screenshot 78 Remediation jobs Screenshot 79 Scheduled scans Screenshot 80 Scheduled scan toolbar Screenshot 81 Scheduled Scan properties Screenshot 82 Configuring Applications inventory Screenshot 83 Unauthorized application scanning profile Screenshot 84 Applications inventory wizard Screenshot 85 Application auto uninstall validation Screenshot 86 Manage applicable schedule scans Screenshot 87 Patch auto deployment Screenshot 88 Patch Auto Deployment Advanced Options Screenshot 89 Configuring Patch Auto download Properties Screenshot 90 Configuring Alerting Options Screenshot 91 The database maintenance properties dialog Screenshot 92 Microsoft SQL Server database backend options Screenshot 93 Database maintenance properties Managed saved scan results tab Screenshot 94 Database maintenance properties Scanned Computers tab Screenshot 95 Database Maintenance properties Advanced tab Screenshot 96
151. To probe your network nodes and retrieve SNMP information (for example, OIDs):
   1. Launch the GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011.
   2. Click the Utilities tab and select SNMP Walk in the left pane under Tools.
   3. In the IP address dropdown menu, specify the IP address of the computer that you wish to scan for SNMP information.
   4. From Common Tasks in the left pane, click Edit SNMP Walk options (or Options on the right pane) to edit the default options, such as providing alternative community strings.
   5. Click Retrieve to start the process.
   SNMP activity is normally blocked at the router/firewall so that Internet users cannot SNMP scan your network. Malicious users can use information enumerated through SNMP scanning to hack your network systems. Unless this service is required, it is highly recommended to disable it.
   9.9 SQL Server Audit
   This too
152. ished 20 Agent less Auditing GFI LanGuard New scheduled scan Step 7 of 8 Configure reporting options Choose which reporting options you would like to enable for this scheduled scan Reporting options Description oe mn You may enable emailing and or saving of the a scan reports and choose the data to include in E Save the scan report to disk the report C ProgramData GFI LanGuard 10 Reports Choose scan report content Comparison data and auto remediation details E Full scan results data a g Configure alerting options Alerting options are not configured Scans for large networks will generate a large report ej Tell me more Screenshot 16 Scheduled scan reporting options 10 Optional Configure Reporting options as described below Table 12 Reporting options OPTION DESCRIPTION Email the scan report Send a report by email at the end of each scheduled scan Save the scan report to disk Save a report to disk at the end of each scheduled scan Comparison data and auto remediation Include details of auto remediation actions performed and details result comparison with previous security scans NOTE Comparison is done between scans with same scan target s and scanning profile Full scan results data Include full scan result details Configure alerting options Optional Click Configure alerting options to specify sender recipient details For information on configuring alerting op
153. ited with symbol for example TITLE NAME You can edit the HTML format edit HTML style move and delete placeholders to further customize the e mail body of generated reports The default template location is C ProgramData GFl LanGuard 10 Templates template_mailbody xml GFI LanGuard Reporting 109 Take into consideration that GFI LanGuard can only manage known placeholders listed below with their predefined role Placeholders are usable in all scheduled report types Table 44 below describes the customizable placeholders Table 44 Report placeholders PLACEHOLDER DESCRIPTION TITLE Email title for the generated report NAME Scheduled report name DESCRIPTION Scheduled report description TARGET Targets computers domains represented in the LAST_RUN NEXT_RUN PROFILE DURATION ITEMS_COUNT AUTOREMED_MISSINGPATCHES AUTOREMED_MISSINGSPS AUTOREMED_UNINSTAPPS scheduled report Last run date and time of the scheduled report Next run date and time of the scheduled report Note this placeholder is used only for daily digest reports Scanning profile used whilst running the scheduled scan Note this placeholder is used only for post scheduled scan reports Scheduled scan duration NOTE this placeholder is used only for post schedules scan reports Collected items count NOTE this placeholder is used only for post scheduled scan reports Used in the report
154. ized users to gain access to restricted areas of your IT infrastructure. The Guest account, for example, is just one commonly exploited account; more often than not, this account is left configured within a system and, even worse, without changing the default password settings. Malicious users have developed applications that can automatically re-enable the Guest account and grant it administrative rights. This empowers users to gain access to sensitive areas of the corporate IT infrastructure.
   GFI LanGuard collects information on all user accounts and user groups currently enabled on scanned targets. This information is organized in the scan results under two separate nodes. To access the list of user accounts identified on a target computer, click the Users sub-node. Use the information enumerated in this sub-node to inspect the access privileges assigned to each user account. To gain access to the list of user groups configured on a target computer, click the Groups sub-node.
   Users should not use local accounts to log on to a network computer. For better security, users should log on to network computers using a Domain or an Active Directory account.
   Sessions
   Click the Sessions sub-node to access the list of hosts that were remotely connected to the target computer during scanning. The information included in this sub-node also includes the remote connection details of the scanning sessions just performed by GFI
155. l allows you to test the password vulnerability of the sa account (i.e. root administrator) and any other SQL user accounts configured on the SQL Server. During the audit process, this tool will perform dictionary attacks on the SQL server accounts using the credentials specified in the passwords.txt dictionary file. However, you can also direct the SQL Server Audit tool to use other dictionary files. You can also customize your dictionary file by adding new passwords to the default list.
   To perform a security audit on a particular Microsoft SQL server installation:
   1. Launch the GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011.
   2. Click the Utilities tab and select SQL Server Audit in the left pane under Tools.
156. l create a vulnerability check for Linux based targets which uses a script written in Bash. The vulnerability check in this example will test for the presence of a dummy file called test.file.
   Step 1: Create the script
   1. Launch your favorite text file editor.
   2. Create a new script using the following code:
      #!/bin/bash
      # Report TRUE if the dummy file exists in the working directory, FALSE otherwise
      if [ -e test.file ]
      then
        echo "TRUE:"
      else
        echo "FALSE:"
      fi
      # End-of-script marker
      echo "!!SCRIPT_FINISHED!!"
   3. Save the file in <GFI LanGuard 2011 installation folder path>\Data\Scripts\myscript.sh
   Step 2: Add the new vulnerability check
   1. Open the GFI LanGuard 2011 management console.
   2. Click the Configuration tab, expand Scanning Profiles and click the Vulnerability Assessment sub-node.
   3. From the middle pane, select the category in which the new vulnerability check will be included, for example High Security Vulnerabilities.
   4. In the new window, add a new vulnerability by clicking Add in the middle pane.
   5. Go through the General, Description and Reference tabs while specifying the basic details such as the vulnerability name, short description, security level and OVAL ID (if applicable).
   6. Choose the Conditions tab and click the Add button. This will bring up the check properties wizard.
157. ll publicly known vulnerabilities and security exposures See Common Vulnerabilities and Exposures A graphical representation that indicates the status of various operations that might be currently active or that are scheduled A section of a network that is not part of the internal network and is not directly part of the Internet Its purpose typically is to act as a gateway between internal networks and the internet A GFI LanGuard command line tool used to deploy Microsoft patches and third party software on target computers See Demilitarized Zone See Domain Name System A utility that converts domain names into the corresponding IP address and retrieves particular information from the target domain A database used by TCP IP networks that enables the translation of hostnames into IP numbers and to provide other domain related information Glossary 173 TERM Enumerate computers tool Enumerate users tools Extensible Markup Language File Transfer Protocol FTP GFI EndPointSecurity GFI LanGuard ReportPack GPO Group Policy Object ICMP pings IDS impex exe Internet Control Message Protocol Internet Information Services Linux Insscmd exe Local Host Mail server Malware Microsoft Access database Microsoft IIS Microsoft SQL Server Microsoft Windows service packs Microsoft WSUS MS Access MS SQL NETBIOS Netscape 174 Glossary DESCRIPTION A utility that identifies d
158. lnerability check 1 Right click on the vulnerability to customize select Properties 2 Customize the selected vulnerability check from the tabs described in Table 48 below Table 48 Vulnerability properties dialog TAB NAME DESCRIPTION General Use this tab to customize the general details of a vulnerability check including vulnerability check name vulnerability type OS family OS version Product Timestamp and Severity Conditions Use this tab to configure the operational parameters of this vulnerability check These parameters will define whether a vulnerability check is successful or not For information on how to configure vulnerability check conditions refer to the Vulnerability check conditions setup section in this manual Description Use this tab to customize the vulnerability check description References Use this tab to customize references and links that lead to relevant information in the OVAL CVE MS Security Security Focus and SANS TOP 20 reports 3 Click on OK to save your settings GFI LanGuard Scanning Profiles 119 Vulnerability check conditions setup The Conditions tab enables you to add or customize conditions which define whether the computer or network being scanned is vulnerable or not It is therefore of paramount importance that any custom checks defined in this section are set up by qualified personnel that are aware of the ramifications of their actions Edit vulnerability This vulnerab
159. me Version Publisher T Ares TH MSN T uTorrent Add Edit l Remove Ignore Do not list save to db applications in the list below Application name Version Publisher LanGuard Scripting Screenshot 132 The Applications tab Installed Applications tab options To enable installed applications scanning in a particular scanning profile 1 From the Network amp Security Audit Options tab click on the Applications sub tab 2 Click on the Unauthorized Applications sub tab 3 Select the scanning profile that you wish to customize from the left pane under Profiles 4 Select the Enable scanning for installed applications on target computer s checkbox B Installed applications scanning are configurable on a scan profile by scan profile basis Make sure to enable installed applications scanning in all profiles where this is required Compiling installed applications blacklist white list To compile installed applications blacklist white list 1 From the Network amp Security Audit Options tab click Applications sub tab 2 Select Unauthorized Applications sub tab 3 Select the scanning profile to customize from the left pane under Profiles 4 From the right pane select Enable scanning for installed applications on target computer s checkbox 5 Specify the applications that are authorized for installation Table 49 below describes the available options Table 49 Applications Options DESCRIPTION
160. ment configuration one of two messages is shown These messages are fully customizable enabling you to display any information suitable to your requirements For information refer to Auto remediation options section in this manual 5 5 Uninstall software patches and service packs To roll back deployed patches and service packs 1 Select Remediate tab gt Remediation Center 2 From the left panel select the computer or domain where you want to perform the remediation action 3 From the right panel select Uninstall Security Patches or Uninstall Service Packs 68 Fixing Vulnerabilities GFI LanGuard Remediation Center Remediation Jobs Uninstall Security Patches Use this option to uninstall patches currently deployed on network ey T SR patches to uninstall Par Bulletin leans Date posted Y Title Applies to Not Available Critical 2011 03 23 Update for Windows 7 KB2524375 Windows Count 1 ve Specify os where to uninstall each patch wl Pe Computer name A Language Operating system Windows 7 Count 1 eo Launch deployment Deploy on 09 08 2011 at 01 52 26 Authenticate using Usemame Password Currently logged on user a Use per computer credentials when available Screenshot 70 Uninstall security patches 4 Select the patches or service packs to uninstall from selected targets 5 Option
161. most vulnerable areas that require immediate attention The Scan Results Overview and Scan Results Details sections provide this information To analyze scan results 1 Launch GFI LanGuard from Start gt Programs gt GFI LanGuard 2011 GFI LanGuard 2011 2 Launch a scan or load a scan from a saved file GFI LanGuard Agent less Auditing 13 GFI LanGuard 2011 aliis lend Dashboard Scan Remediate Activity Monitor Reports Configuration Utilities Launch a New Scan Scan Target Profile file customgroup_2011 8 4 18 29 59 txt ama Full Scan Credentials Username Password Currently logged on user v sa v Use per computer credentials when available Remember credentials Scan Results Overview Scan Results Details Ef Saved Scan Result file customgroup_2011_8_4_18_29_59 txt Scan completed H gt Saved Scan Result file customgroup_2011 a G 192 168 3 28 W703 Windows 7 Gold a Summary of scan results generated during this network audit 4 Vulnerability Assessment amp High Security Vulnerabilities 8 amp Medium Security Vulnerabilities 17 iy Low Security Vulnerabilities 11 W Missing Service Packs 2 The average vulnerability level for this scanning session is High W Missing Patches 42 aa Wee 4 Network amp Software Audit 192 168 3 35 W701 Windows 7 oj Vulnerability Assessment iy Network amp Software Audit Audit operations pro
162. my Software Development Ltd Unauthorized applications are dassified in scan results as High Security Vulnerability To mark this application as unauthorized select the scanning profiles which will dassify this software as High Security Vulnerability Scanning profiles W Full Scan Full Scan Slow Networks Fa Software Audit E System Information 9 Tell me more Screenshot 60 Mark application as unauthorized 3 Select the scanning profile that will classify the application as High Security Vulnerability and click Next 4 Review the currently affected applications screen and click Finish to finalize settings Refer to the Applications inventory section in this manual for more information on defining unauthorized applications Validate applications to uninstall remotely 1 From the Configuration tab select Applications inventory gt Auto Uninstall Validation sub node 2 In the right pane select an application to validate and click Validate 3 In the Application auto uninstall validation wizard click Next and select the computer where to test the application auto uninstall Click Next 4 Provide the authentication details for the validation operation and click Next 5 Review the Auto uninstall validation wizard information and click Start to validate application auto uninstall For more information on auto uninstall validation refer to Application auto uninst
163. nfirm that exporting is completed 8 Click OK to finish GFI LanGuard Configuring GFI LanGuard 99 6 8 3 Import settings from another instance of GFI LanGuard 1 Launch the latest GFI LanGuard management console from Start gt Programs gt GFI LanGuard 2011 gt GFI LanGuard 2011 2 Click the GFI LanGuard button gt File gt Import and Export Configurations to launch the Import and Export Configurations wizard Dashboard Scan Remediate Import and Export Configurations Tools New Configuration Load Scan Results from Help Save Scan Results ie Auto Uninstall Va Exit c S Cerimbhe ladata Screenshot 105 Import and Export Configurations 3 Select Import the configuration from another instance and click Next 4 Click Browse to select the GFI LanGuard installation folder The default location is lt Local Disk gt Program Files GFI LanGuard lt Version gt Click Next Import and Export Configurations Wizard Welcome to the Import and Export Configurations Wizard Use this wizard to import or export GFI LanGuard configurations E What do you want to do Export the desired configurations to a file Export GFI LanGuard configuration to a file cfa Import the desired configurations from a file Import GFI LanGuard configurations from a file cfg Import the configurations from another instance Import GFI LanGuard configurations from another installation Screenshot 106 Impo
164. ng of representatives from a broad spectrum of industry, academia and government organizations from around the world oversees and approves the OVAL Language and monitors the posting of the definitions hosted on the OVAL Web site. This means that OVAL, which is funded by US-CERT at the U.S. Department of Homeland Security for the benefit of the community, reflects the insights and combined expertise of the broadest possible collection of security and system administration professionals worldwide.
   12.2.1 GFI LanGuard OVAL Support
   GFI LanGuard supports all checks defined in the XML file issued by OVAL, with the exception of HP-UX checks. GFI LanGuard does not support HP-UX based machines, and therefore it is beyond the scope of this product to include these checks within its check definition database.
   12.2.2 About OVAL Compatibility
   OVAL Compatibility is a program established to develop consistency within the security community regarding the use and implementation of OVAL. The main goal of the compatibility program is to create a set of guidelines that will help enforce a standard implementation. An offshoot of this is that users are able to distinguish between, and have confidence in, compatible products, knowing that the implementation of OVAL coincides with the standard set forth. For a product or service to gain official OVAL Compatibility, it must adhere to the Requirements and Recommendati
165. nitiated by Scomputemame Susemame Your computer may need to restart for the tasks to complete When waiting for user approval Waming GFI LanGuard is pefoming administrative tasks initiated by Scomputemame Susemame Your computer may need to restart for the tasks to complete Please save your work and select OK to continue Screenshot 65 Warning messages 5 Specify the options described below Table 30 Warning messages DESCRIPTION Language Select the language the message language When not waiting for user Use or customize the pre defined message that launches on the end approval user s computer when GFI LanGuard is not waiting for approval When waiting for user approval Use or customize the pre defined message that launches on the end user s computer when GFI LanGuard is waiting for approval 5 2 6 Agent auto remediation In an agent based environment automatic remediation options can be set per every deployed agent This enables you to configure every agent with specific auto remediation options to suit your requirements For information about configuring agent auto remediation refer to Customizing agents section in this manual 64 Fixing Vulnerabilities GFI LanGuard 5 3 Remediation center Apart from automatically downloading patches and service packs GFI LanGuard can also deploy these updates network wide as well as recall any patches that were deployed z While an infrequent occurrence
166. not approved for auto deployment Screenshot 6 Agent auto remediation 7 Select Automatically download and deploy missing patches to enable automatic remediation for missing patches 8 Select Automatically download and deploy missing service packs to enable automatic remediation for missing service packs 9 Select Automatically uninstall unauthorized applications to enable automatic remediation for unauthorized applications 10 Optional Click Configure auto remediation options to further customize remediation options For information about auto remediation options refer to Auto remediation _f options section in this manual For information about unauthorized applications refer to Automatically uninstall 4 unauthorized applications section in this manual 10 Managing Agents GFI LanGuard 3 Agent less Auditing 3 1 Introduction Agent less auditing is the process of performing audits on target computers without using agents Two types of audits can be done using this approach Manual audits Perform audits on target computer s once Scheduled audits Perform audits on a target computer s repeatedly ona schedule On completion of an agent less audit GFI LanGuard enables you to analyze the audit results This section provides information on how to configure manual audits scheduled audits and analyze the results For more information on how to analyze results refer to Audit Result Summary and Audit
167. nshot 46 Dashboard History GFI LanGuard Analyzing Results 45 4 4 Vulnerabilities view Display more details on the vulnerabilities found on a network and the number of affected computers When a vulnerability is selected from the Vulnerability List the Details section provides more information on the selected vulnerability From the Details section click View affected computers or View unaffected computers to display a list of affected and unaffected computers For a description of terms used in this result refer to Vulnerability assessment WORKGROUP 28 computers Search Entire Network E lt 7 aa a FS i BD A A Ea A iS j S ervi j ee a System Overview Computers History Vulnerabiliti Patches Ports Software Hardware Information Vulnerability Types Vulnerability List f Y High Security Vulnerabilities 5 eee epee pepe Drag a column neader here to group by that column y Medium Security Vulnerabilities 18 i SES TRIESLA dl Low Security Vulnerabilities 11 Vulnerability name Froduct No of computers Potential Vulnerabilities 4 W Missing Patches 50 ft Missing Service Packs 2 i Firewall Vulnerabilities 1 All Servers Adcyde build cgi Adcyde All Servers Brian Stanback bsgue All Servers Brian Stanback bslist cgi All Servers DCShop vulnerability DCShop All Servers Free On ine Dictionary Leif M Wright ad cai OVAL 12219 Untrusted search p Microsoft
168. ntial vulnerabilities
   Select the Potential vulnerabilities sub-node to view scan result items classified as possible network weaknesses. Although not classified as vulnerabilities, these scan result entries still require particular attention, since malicious users can exploit them during malicious activity. For example, during vulnerability scanning GFI LanGuard enumerates all modems installed and configured on target computers. If unused, modems are of no threat to your network. If connected to a telephone line, however, these modems can be used to gain unauthorized and unmonitored access to the Internet. Users can potentially bypass corporate perimeter security, including firewalls, anti-virus, website rating and web content blocking. This exposes the corporate IT infrastructure to a wide range of threats, including hacker attacks. GFI LanGuard considers installed modems as possible threats and enumerates them in the Potential Vulnerabilities sub-node.
   Missing Service Packs/Patches
   Click the Missing Service Packs or Missing Patches sub-node to check any missing software updates or patches. GFI LanGuard can identify missing service packs and patches on various products. For a complete list of supported products visit http://kbase.gfi.com/showarticle.asp?id=KBID002573
   Bulletin information
   To access bulletin information, right-click on the respective service pack and select More details > Bulletin Info.
169. [Screenshot 30: View Dashboard] 2. From the Dashboard tab, select one of the options described in the following sections. 4.1.1 Overview: The Dashboard Overview is a graphical representation of the security level/vulnerability level of a single computer, domain or entire network. When a computer or domain is selected, the results related to the selected computer/domain are automatically updated in the dashboard. Below is a description of each section found in the dashboard. Network security level: [Screenshot 31: Network Security Level] This rating indicates the vulnerability level of a computer/network, depending on the number and type of vulnerabilities and/or missing patches found. A high vulnerability level is a result of vulnerabilities and/or missing patches whose average severity is categorized as high. Computer vulnerability distributi
170. [Screenshot 134: Security Applications Alert Configuration, showing the triggers "No firewall is detected" and "Firewall is disabled" set to Yes and an HTTP/FTP timeout of 60 seconds when checking for product updates on remote sites] 6. From the bottom right pane, select the trigger you want to configure and choose between Yes or No from the drop-down menu next to the respective alert trigger. Security applications scanning is configurable on a scan-profile-by-scan-profile basis. Make sure to enable security applications scanning in all profiles where this is required. 8.5 Configuring the security scanning options: Use the Scanner Options tab to configure the operational parameters of the security scanning engine. These parameters are configurable on a scan-profile-by-scan-profile basis and define how the scanning engine will perform target discovery and OS data querying. [Screenshot: Scanning Profiles editor, Scanner Options tab]
171. [Screenshot: Scanning Profiles editor with "Detect installed and missing service packs/patches" enabled, listing the bulletins to be checked for the Full Vulnerability Assessment profile by bulletin name, severity, QNumber, date posted and title]
172. og key in a valid report name and an optional description. 5. Click OK. The new report is created in the report node selected in step 1. 7.4.1 Customizing report logos: GFI LanGuard enables you to use your company/custom logo in the built-in reports included in the product. Any inserted logos are placed in the header or footer of the report, depending on the name. Customize report header logo: 1. Create/select your image. 2. Resize image to Width 624, Height 25. 3. Rename the image to headerlogo.png. 4. Copy/paste image in Computer > Local Disk C > ProgramData > GFI > LanGuard 10 > Graphics > Logo. For OS versions prior to Windows Vista, paste image in My Computer > C > Documents and Settings > All Users > Application Data > GFI > LanGuard 10 > Graphics > Logo. Customize report footer logo: 1. Create/select your image. 2. Resize image to Width 109, Height 41. 3. Rename the image to footerlogo.png. 4. Copy/paste image in Computer > Local Disk C > ProgramData > GFI > LanGuard 10 > Graphics > Logo. For OS versions prior to Windows Vista, paste image in My Computer > C > Documents and Settings > All Users > Application Data > GFI > LanGuard 10 > Graphics > Logo. 7.4.2 Customize email report format: For each scheduled email report type there is a predefined HTML format file that includes placeholders delim
173. omains and workgroups on a network. A tool that enables the scanning of the Active Directory and the retrieval of the list of all users and contacts included in this database. An open text standard used to define data formats. GFI LanGuard uses this standard to import or export scanned saved results and configuration. A protocol used to transfer files between computers. See File Transfer Protocol. A security solution developed by GFI that helps organizations to maintain data integrity by preventing unauthorized access and transfers from removable devices. A reporting application developed by GFI to generate graphical reports based on results generated by GFI LanGuard. See Group Policy Object. An Active Directory centralized management and configuration system that controls what users can and cannot do on a computer network. See Internet Control Message Protocol. See Intrusion Detection Software. A command-line tool used to import and export profiles and vulnerabilities from GFI LanGuard. A protocol used by network devices to send network-related errors. A set of Internet-based services created by Microsoft Corporation for internet servers. An open source operating system that is part of the Unix operating systems family. A GFI LanGuard command-line tool that allows running vulnerability checks against network targets. In networking, the local host is the computer you are currently using. One can reference to the local host b
174. on [Screenshot 32: Computer Vulnerability Distribution] This chart is available only when selecting a domain or a workgroup, and displays the distribution of vulnerabilities on your network. This chart enables you to determine how many computers have high, medium and low vulnerability rating. Most vulnerable computers: [Screenshot 33: Most Vulnerable Computers] This list is available only when selecting a domain or a workgroup, and shows the most vulnerable computers discovered during the scan. The icon color on the left indicates the vulnerability level. Agent status: When selecting a domain or workgroup, a chart showing the overall agent status of all computers within the domain/workgroup is displayed. This enables you to determine the number of agents installed or pending installation on the selected domain/workgroup. [Screenshot 34: Agent Status when selecting a domain/workgroup] When selecting a single computer, this section displays an icon representing the agent status. The icons are described in Table 19 below. Table 19: Agent status (columns: Icon, Status name, Description). Not installed: Agent is not in
175. [Screenshot 43: Top 5 issues to address] Results statistics: This section is available only when selecting a single computer and displays an overview of the audit result. Amongst others, the result enables you to identify the number of missing patches, number of installed applications, open ports and running services. [Screenshot 44: Result statistics] 4.2 Computers view: [Screenshot: Computers view for WORKGROUP, listing each computer with its domain, OS, service pack, last discovery, last audit, credentials and agent status]
176. on GFI LanGuard certifications. These include OVAL and CVE. Chapter 13, Miscellaneous: Provides information on how to enable NetBIOS on network computers. Chapter 14, Troubleshooting: Provides all the necessary information on how to deal with common problems encountered while using GFI LanGuard. Glossary: Defines technical terms used within GFI LanGuard. Appendix, Data processed by GFI LanGuard: Provides information on the data processed by GFI LanGuard, including ports and protocols used. 1.2.1 Terms and conventions used in this manual: The following table contains a description of the common terms and conventions used in this manual. TERM / DESCRIPTION: Additional information and references essential for the operation of GFI LanGuard. > Important notifications and cautions regarding potential issues that are commonly encountered. Step-by-step navigation instructions to access a function. Bold text: Indicates a control within the user interface, such as nodes, menus and buttons. <Italic text>: Replace text within angle brackets, such as file paths and custom parameters. Indented code: The indented text indicates that the text is a programming code. In some programming languages indentation is important. For any technical terms and their definitions as used in this manual, refer to the Glossary chapter. 1.3 GFI LanGuard components: GFI LanGuard's architecture is desi
177. on a schedule. For more information on Agent-less auditing, refer to Agent-less auditing section in this manual. Important notes: 1. In most cases, vulnerability scans generate different event log entries across diverse systems. Example: UNIX logs and web server logs will all detect GFI LanGuard scans as intrusion attempts triggered from the computer running GFI LanGuard. 2. For large network environments, a Microsoft SQL Server/MSDE database backend is recommended instead of the Microsoft Access database. For more information on how to configure the database backend, refer to Selecting a database backend section in this manual. 3. When submitting a list of target computers from file, ensure that the file contains only one target computer name per line. If Intrusion Detection Software (IDS) is running during an audit, GFI LanGuard will set off a multitude of IDS warnings and intrusion alerts in these applications. If you are not responsible for the IDS system, make sure to inform the person in charge about any planned security audits. To perform an audit, GFI LanGuard must remotely logon to target computers with administrator privileges. Agent deployment can only be done on Microsoft Windows operating systems. 2 Managing Agents. 2.1 Introduction: GFI LanGuard can be configured to deploy live agents automatically on newly discovered machines or on manually selected computers. Agents enable data pro
178. on on: Number of disk drives, Free disk space, Memory size, Number of processors, Other hardware. System information: View information on: The number of shared folders, Number of groups, Number of users, Logged users, Audit policy status. 4.3 History view: Select this view to group audit results by date for a specific computer. To configure the history starting date or history period, click the link provided. [Screenshot: History view for WORKGROUP, showing application version changes and automatic remediation details per computer] Scree
179. on procedure for the applications which are to be automatically uninstalled by GFI LanGuard. This is a requirement prior to the actual uninstallation process, and no applications are uninstalled during scans unless verified. For more information on how to mark applications as unauthorized and therefore enable their uninstallation, refer to Applications inventory section in this manual. 1. Click Configuration tab > Applications Inventory > Auto-Uninstall Validation. 2. From the right pane, select an application to validate and click Validate. 3. In the Application auto-uninstall validation wizard, click Next. 4. Select the computer where to test the application auto-uninstall and click Next. 5. Provide the authentication details for the validation operation and click Next. 6. Review the Auto-uninstall validation wizard information and click Start. Managing scheduled scans: The Manage applicable scheduled scans button enables you to review or edit scheduled scans which will perform the validated applications auto install. To manage a scheduled scan: 1. From the Auto-Uninstall validation pane, click Manage applicable scheduled scans. [Screenshot: Manage applicable scheduled scans dialog, listing all scheduled scans that may uninstall at least one application validated for auto-uninstall] 2
180. ons for OVAL Compatibility and complete the formal OVAL Compatibility Process. OVAL Compatibility means that GFI LanGuard incorporates OVAL in a pre-defined, standard way and uses OVAL for communicating details of vulnerabilities, patches, security configuration settings and other machine states. 12.2.3 Submitting OVAL listing error reports: Any issues with GFI LanGuard or the listing of the OVAL checks included with GFI LanGuard should be reported to GFI through its official support lines. Refer to the Troubleshooting section within this manual for more information regarding email, phone or web forum support channels. GFI Software Ltd will endeavor to look into any issues reported and, if any inconsistency or error is ascertained, it will issue updates to fix such issues. Vulnerability check updates are usually released on a monthly basis. 12.3 About CVE: CVE (Common Vulnerabilities and Exposures) is a list of standardized names for vulnerabilities and other information security exposures. Its aim is to standardize the names for all publicly known vulnerabilities and security exposures. CVE is a dictionary whose aim is to facilitate data distribution across separate vulnerability databases and security tools. CVE makes searching for information in other databases easier and should not be considered as a vulnerability database by itself. CVE is maintained through a community-wide collaborative effort known as the CVE Editorial Board. The
181. [Screenshot 115: Select the vulnerability checks to be run by this scanning profile. The dialog lists vulnerability checks by name with their CVE IDs and notes that adding, editing or removing vulnerabilities from the list applies the changes to all the profiles where the edited vulnerabilities are selected] 2. In the right pane, select the vulnerability checks to execute through this scanning profile. Customizing the properties of vulnerability checks: All the checks listed in the Vulnerabilities tab have specific properties that determine when the check is triggered and what details will be enumerated during a scan. [Screenshot 116: Vulnerability properties dialog, General tab] To change the properties of a vu
182. open ports GFI LanGuard uses service fingerprint technology to analyze the service(s) that are running behind the detected open port(s). With service fingerprint, GFI LanGuard can detect if malicious software is using the detected open port. [Screenshot 27: All UDP and TCP ports found during a scan, with the Open TCP Ports and Open UDP Ports categories] Hardware: Click Hardware to view all details discovered by the hardware audit. The hardware audit, amongst others, displays information such as MAC addresses, IP addresses, device type, device vendor, etc. Table 16 below describes the hardware information groups. Table 16: Hardware information from an audit. Network Devices: including information of all physical, virtual and software enumerated devices. Local Drives: including information on local drives such as available disk space and file system type. Processors: including information regarding the processor of a target machine such as vendor name and processor speed. Motherboard: including information regarding the motherboard of a target machine such as product name, manufacturer, version and serial number. Memory details: including information regarding the memory allocation of a target machine such as
183. [Screenshot 74: Uninstall applications] 2. Select the applications to uninstall and the computers to uninstall from. The list of applications displayed relies on the unauthorized applications set up for the scanning profile in use. For more information on how to set up and validate applications to uninstall, refer to the Applications inventory and Application auto-uninstall validation sections in this manual. 3. Configure the authentication credentials to use. Select from: Currently logged user, Alternative credentials, A null session. 4. Select the preferred uninstall option described in Table 34 below. Table 34: Uninstall options. Uninstall on: Schedule patch/service pack uninstallation to a later date/time. Uninstall immediately: Uninstall the selected applications immediately. 5. Click Uninstall Now to uninstall applications based on your configuration. 6. To view the uninstallation progress, click Remediation Jobs from the right panel. For more information on Remediation Jobs, refer to Remediation Jobs section in this manual. 5.8 Malware protection actions: Use the Malware Protection section to remediate vulnerabilities related to malware protection identified on target computers. Amongst others, this section enables you to scan target machines for spyware, viruses and enable
184. ormation security vulnerabilities. CVE names have entry or candidate status. Entry status indicates that the CVE name has been accepted to the CVE List, while candidate status (also called candidates, candidate numbers or CANs) indicates that the name is under review for inclusion in the list. Each CVE name includes the following: CVE identifier number (i.e. CVE-1999-0067); indication of entry or candidate status; brief description of the security vulnerability or exposure; any pertinent references (i.e. vulnerability reports and advisories or OVAL ID). For an in-depth understanding of CVE names and CANs, refer to http://cve.mitre.org/cve/identifiers/index.html. 12.3.3 Searching for CVE entries in GFI LanGuard: CVE entries can be searched from the Scanning profiles node within the Configuration tab. [Screenshot 149: Searching for CVE information] To search for a particular CVE bulletin: 1. Specify the bulletin name (for example CVE-2005-2126) in the search tool entry box included at the bottom of the right pane. 2. Click on Find to start searching for your entry. 12.3.4 Obtaining CVE names: CVE entry names can be obtained through the GFI LanGuard user interface from within the Scanning profiles node within the Configuration tab. By default, the CVE ID is displayed for all the vulnerabili
185. orts are stored as PDF in C:\ProgramData\GFI\LanGuard 10\Reports. For information about Alerting options, refer to Configuring alerting options section in this manual. 7.4 Custom reports: GFI LanGuard enables you to create new reports based on an existing report. 1. From the Reports tab, select the existing report. 2. From the report sample in the right panel, click Customize report. [Screenshot 110: Customize the report parameters] 3. Configure the parameters described in Table 43 below. Table 43: Customize report parameters. Report Items: Select the report items that will be included in the report. Check/Uncheck the report items. Filters: Filter the report results. Select the criteria and key in a value to be used as a filter. Grouping & Sorting: Use this tab to configure sorting or grouping of report results. Select the group and the sorting order (Ascending or Descending). 4. Click Save as new report and in the Add report dial
186. owarticle.asp?id=KBID003125. Description: Updates will not work if the GFI LanGuard machine does not have a direct connection to the internet. Solution: To solve this issue, do one of the following: configure the GFI LanGuard machine to have direct internet access; or install another instance of GFI LanGuard on a machine with internet access and configure GFI LanGuard to check for updates from the new installation. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID002062. Description: Scanning might slow down or be blocked if a firewall is installed on the GFI LanGuard machine. Solution: Configure the firewall to allow the following components in outbound connections: <Program Files\GFI\LanGuard>\LanGuard.exe, <Program Files\GFI\LanGuard>\lnsscomm.exe, <Program Files\GFI\LanGuard>\lnssatt.exe, <Program Files\GFI\LanGuard>\update.exe. Description: GFI LanGuard uses the Windows mechanism to retrieve the machines within a workgroup. In this mechanism, a Master Browser computer will create and store a list of all computers. In some cases the Master Browser role can fail, resulting in GFI LanGuard not retrieving computers information. To solve this issue refer to http://kbase.gfi.com/showarticle.asp?id=KBID003483. Issue encountered: GFI LanGuard found open ports that another port scanner found closed. Description
187. p pass txt. You can add new community strings to the default dictionary file by using a text editor (for example notepad.exe). You can also direct the SNMP Audit tool to use other dictionary files. To achieve this, specify the path to the dictionary file that you want to use from the tool options at the right of the management console. To perform SNMP audits on network targets and identify weak community strings: 1. Launch the GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011. 2. Click the Utilities tab and select SNMP Audit in the left pane under Tools. 3. In the IP of computer running SNMP dropdown, specify the IP to reach. 4. From Common Tasks in the left pane, click on Edit SNMP Audit options, or Options on the right pane, to edit the default options. 5. Click Retrieve to start the process. 9.8 SNMP Walk: [Screenshot 143: SNMP Walk]
188. parameters on how the scanner is to discover machines and output debug information. [Screenshot 135: Scanning Profiles properties, Scanner Options tab. Options shown: Network Discovery Methods (NetBIOS queries, SNMP queries, Ping sweep, Custom TCP discovery, e.g. 21, 25, 80); Network Discovery Options (Scanning delay, default 100 ms; Network discovery query responses timeout, default 500 ms; Number of retries, default 1; Include non-responsive computers: No); Network Scanner Options (Scanning threads count: 3); NetBIOS Query Options (Scope ID); SNMP Query Options (Load SNMP enterprise numbers; Community strings, e.g. public, private); Global Port Query Options (TCP port scan query timeout, default 1500 ms; UDP port scan query timeout, default 600 ms); WMI Options (WMI timeout, default 20000 ms); SSH Options (SSH timeout, default 15000 ms); Scanner activity window (Type of scanner activity output, Display received packets, Display sent packets); OS Information Retrieval Options (Create custom share if administrative shares are disabled: Yes; Start remote registry)] Configurable options include timeouts, types of queries to run during target discovery, number of scanning threads count, SNMP scopes for queries, and more. 9 Utilities. 9.1 Introduction: Use the Utilities tab to access the following list of default network tools: DNS Lookup, Traceroute, Whois, Enumerate Comput
189. perties: Review and edit the properties of the selected scan. Enable/Disable: Toggle the status of the selected scan between enabled and disabled. This enables you to activate/suspend a scanning schedule without deleting the scheduled scan. Scan now: Trigger the selected scheduled scan. This button overrides the scheduled scan date/time settings and executes an immediate scan. 6.2.2 Scheduled scan properties: The scheduled scan properties page enables you to configure all the parameters of the scheduled scans. To use the scheduled scan properties tab: 1. Go to Configuration tab > Scheduled Scans. 2. Select the scheduled scan and click the Scheduled Scan Properties. [Screenshot 81: Scheduled Scan properties] 3. Modify the options described below. Table 36: Schedule scan properties (Tab name: Description). General: Make changes to scan target setting, type of scanning profile and scan frequency. Logon Credentials: Use this tab to specify logon credentials used when scanning the specified target. Auto remediation: Use this tab to configure the remediation options applicable to the scan being config
190. [Screenshot 128: The network devices configuration page] GFI LanGuard can also exclude from the scanning process specific USB devices that you consider safe. Such devices can be a USB mouse or keyboard. This is achieved through a safe/white list of USB devices to be ignored during scanning. Similarly, you can create a separate scanning profile that enumerates only Bluetooth dongles and wireless NIC cards connected to your target computers. In this case, however, you must specify Bluetooth and Wireless or WiFi in the unauthorized network and USB li
191. ppendix Data Processed by GFI LanGuard. 16.6 System Information (columns: Data, Description, Ports, Protocol). Shares: Lists all shares discovered during a scan. Share information includes: Share name, Share remark, Share path, Share permissions. (Ports: TCP 139, TCP 445; Protocol: SMB, File and printer sharing, Remote registry.) Password policy: Lists password policy [illegible]. (Ports: TCP 139, TCP 445; Protocol: SMB, File and printer sharing, Remote registry.) Security audit: Security audit policy configuration [illegible]. (Ports: TCP 139, TCP 445; Protocol: SMB, File and printer sharing, Remote registry.) Registry: Lists selected information from the system registry. Amongst others, enumerated information includes: Registry owner, Current build number, Current type, Current version, Vendor identifier, Software type. (Ports: TCP 139, TCP 445; Protocol: SMB, File and printer sharing, Remote registry.) NetBIOS names: Lists NetBIOS names of the scanned target(s). This node includes: Workstation service, Domain name, File server services, Browser service elections. (Ports: TCP 139, TCP 445; Protocol: SMB, File and printer sharing, Remote registry.) Computer: Lists computer identifiers [illegible]: MAC address, Time to live, Network role, OS Serial number, Language, Machine type (physical or virtual). (Ports: TCP 139, TCP 445; Protocol: SMB, File and printer sharing, Remote registry.) Groups: Lists lo
192. r a particular bulletin: 1. From Vulnerability Assessment Options > Vulnerabilities > Find bulletin, specify the bulletin name (for example MS02-017) or QNumber (for example Q311987) in the search tool entry box included at the bottom of the right pane. 2. Click Find to search for your entry. [Screenshot 124: Extended bulletin information] 8.4 Configure Network & Software Audit options: The scanning profiles that ship with GFI LanGuard are already pre-configured to run a number of network and software audit checks on selected target. You can however disable scanning as well as customize the list of network and software audits executed during a scan. 8.4.1 Configuring TCP port scanning options
193. ration tab > Scheduled Scans.

3. From Common Tasks, select New scheduled scan.

Screenshot 11: New Scheduled Scan dialog

4. Select one of the options described in Table 9 below and click Next.

Table 9: New scheduled scan type

OPTION | DESCRIPTION
Scan a single computer | Scan local host or one specific computer.
Scan a range of computers | Scan a number of computers defined through an IP range. For more information refer to http://kbase.gfi.com/showarticle.asp?id=KBID002749
Scan a list of computers | Manually create a list of targets, import targets from file or select targets from network list.
Scan computers in text file | Scan targets enumerated in a specific text file.
Scan a domain or workgroup | Scan all targets connected to a domain/workgroup.

5. Depending on the option selected in the previous step, specify the respective target computer(s) details and click Next.
194. rations from file

To export the configurations:

1. Launch GFI LanGuard management console from Start > Programs > GFI LanGuard 2011 > GFI LanGuard 2011.
2. Click the GFI LanGuard button > File > Import and Export Configurations.

Screenshot 101: Import and Export Configuration

3. Select Export the desired configuration to a file and click Next.
4. Specify the path where to save the exported configuration and click Next.

Screenshot 102: Export configurations to file

5. Wait for the configuration tree to load and select the configurations to export. Click Next to start export.
6. A notify dialog will confirm that exporting is completed.
7. Click OK to finish.
195.
Deploy missing patches discovered when auditing target computers. For more information on how to deploy patches, refer to Deploy security patches and service packs section in this manual.

Deploy missing service packs found when auditing target computers. For more information on how to deploy service packs, refer to Deploy security patches and service packs section in this manual.

re Patches | Uninstall software patches from target computers. For more information on how to uninstall software patches, refer to Uninstall software patches and service packs section in this manual.
Uninstall Service Packs | Uninstall service packs from target computers. For more information on how to uninstall service packs, refer to Uninstall software patches and service packs section in this manual.
Deploy Custom Software | Deploy custom applications and scripts on target computers. For more information on how to deploy custom software, refer to Deploy custom software section in this manual.
Uninstall Applications | Uninstall applications from target computers. For more information on how to manually uninstall applications from target computers, refer to Uninstall custom applications section in this manual.
Malware Protection | Perform Malware protection actions on target computers. For more information on how to perform Malware protection actions, refer to Malware protection actions section in this manual.
196. reenshot 18 Scheduled scan status

For more information on Scheduled Scans, refer to the Scheduled Scans section in this manual.

3.5 Audit result summary

On completion of a network security scan, it is important to identify the areas that require immediate attention. The correct analysis and interpretation of information collected enables you to achieve this goal.

To view the progress and results of an audit:

1. Wait for a scan to complete or load a result from the database file. For more information on how to load results from the database, refer to Loading saved scan results from database section in this manual.
2. Click Scan.

Screenshot 19: Scan summary
197. rong configurations
- Security flaws due to rogue or obsolete user groups
- Rogue, obsolete or default user accounts
- Authorized and unauthorized users currently logged on computers
- Authorized and unauthorized remote connections
- Rogue or malicious processes, redundant services
- Rogue or malicious processes
- Time inconsistencies and regional settings
- Wrong configurations

An important part of any security plan is the ability to monitor and audit events on your network. These event logs are frequently referenced to identify security holes or breaches. Identifying attempts and preventing them from becoming successful breaches of your system security is critical. In Windows, you can use Group Policies to set up an audit policy that can track user activities or system events in specific logs.

To keep track of your system auditing policy, GFI LanGuard collects the security audit policy settings from target computers and includes them in the scan result. To access more information on the result, click on Security Audit Policy sub-node.

Apart from gaining knowledge on the current audit policy settings, you can also use GFI LanGuard to access and modify the audit policy settings of your target computers. To achieve this:

1. From the Scan Results Overview panel, right-click on the respective target computer and select Enable auditing on > This computer/Selected computers/All computers.
198. rt setting

5. Select which settings you want to import and click Next.
6. While importing, GFI LanGuard will ask you whether you want to override or keep your settings. Select an option from Table 41 below.

Table 41: Override options

Yes | Override the current setting with the imported setting.
No | Keep the current setting and ignore the imported setting.
Auto Rename | Rename the imported settings and keep the current settings.

7. Click OK when the import is ready.

7 Reporting

7.1 Introduction

The Reporting tab enables you to generate technical (IT-level) and management (non-IT-level) reports based on network security audits carried out by GFI LanGuard. This chapter describes how to manage the reports in GFI LanGuard.

Network Security Overview: An executive summary report showing network vulnerability level, most vulnerable computers, agent status and audit status, vulnerability trends over time, information on operating systems, servers and workstations. Vulnerabili
199. run against your network targets.

Security auditing scripts can be developed using the script editor that ships with GFI LanGuard. This built-in script editor includes syntax highlighting capabilities as well as debugging features that support you during script development. Open the script editor from Start > Programs > GFI LanGuard 2011 > LanGuard Script Debugger.

For more information on how to develop scripts using the built-in script editor, refer to the Scripting documentation help file included in Start > Programs > GFI LanGuard 2011 > LanGuard Scripting documentation.

GFI does not support requests related to problems in custom scripts. You can post any queries that you may have about GFI LanGuard forums at http://forums.gfi.com. Through this forum you are able to share scripts, problems and ideas with other GFI LanGuard users.

11.2.1 Adding a vulnerability check that uses a custom VB (.vbs) script

To create new vulnerability checks that use custom VBscripts:

Step 1: Create the script
Step 2: Add the new vulnerability check

The following are examples of how this is done.

Step 1: Create the script

1. Launch the Script Debugger from Start > Programs > GFI LanGuard 2011 > LanGuard Script Debugger.
2. Go on File > New.
3. Create a script. For this example, use the following sample script code:

Function Main echo Script has run successf
200. s

SWITCH | DESCRIPTION
User and Password | (Optional) Specify the alternative credentials that the scanning engine will use to authenticate to a target computer during patch deployment. Alternatively, you can use the UseComputerProfiles switch to use the authentication credentials already configured in the Dashboard. For more information on how to configure computer credentials using the dashboard, refer to Configure credentials section in this manual.
warnuser | (Optional) Include this switch if you want to inform the target computer user that a file/patch installation is in progress. Users will be informed through a message dialog that will be shown on screen immediately before the deployment session is started.
useraproval | (Optional) Include this switch to request the user's approval before starting the file/patch installation process. This allows users to postpone the file/patch installation process for later (for example, until an already running process is completed on the target computer).
stopservice | (Optional) Include this switch if you want to stop specific services on the target computer before installing the file/patch. NOTE: You cannot specify the services that will be stopped directly from the command line tool. Services can only be added or removed through the management console.
customshare | (Optional) Specify the target share where you wish to transfer the f
201. s

Use the Saved Scan Results tab to maintain your database backend and delete saved scan results that are no longer required. Deletion of non-required saved scan results can be achieved manually as well as automatically through scheduled database maintenance.

During scheduled database maintenance, GFI LanGuard automatically deletes saved scan results that are older than a specific number of days/weeks or months. You can also configure automated database maintenance to retain only a specific number of recent scan results for every scan target and scan profile.

Screenshot 93: Database maintenance properties: Managed saved scan results tab

To manage saved scan results:

1. Click on the Configuration tab > Database
202. Screenshot 126: Scanning Profiles properties: UDP Ports tab options

Enabling/disabling UDP Port scanning

To enable UDP Port Scanning in a particular scanning profile:

1. From the Network & Security Audit Options tab, click UDP Ports sub-tab.
2. Select scanning profile to customize from the left pane under Profiles.
3. Select Enable UDP Port Scanning option.

Configuring the list of UDP ports to be scanned

To configure the UDP ports to process, select the required ports:

1. From the Network & Security Audit Options tab, click UDP Ports sub-tab.
2. Select the scanning profile to customize from the left pane under Profiles.
3. Select the UDP ports that will be analyzed by this scanning profile.

Customizing the UDP ports list

1. From the Network & Security Audit Options tab, click UDP Ports sub-tab.
2. Select the scanning profile to customize from the left pane under Profiles.
3. Customize the list of UDP Ports through Add, Edit or Remove.

The list of supported UDP ports is common for all profiles. Deleting a port from the list will make i
203. s FTP access and unused user accounts.

Configure how GFI LanGuard handles newly created vulnerability checks.

Configure GFI LanGuard to send CGI requests through a specific proxy server. This is mandatory when CGI requests will be sent from a computer that is behind a firewall to a target web server that is outside the firewall. For example, Web servers on a DMZ. The firewall will generally block all the CGI requests that are directly sent by GFI LanGuard to a target computer that is in front of the firewall. To avoid this, set the Send CGI requests through proxy option to Yes and specify the name/IP address of your proxy server and the communication port which will be used to convey the CGI request to the target.

8.3.2 Configuring patches

The Patches tab specifies the security updates checked during vulnerability scanning. The patches checked are selected from the complete list of supported software updates, by default included in this tab. This list is automatically updated whenever GFI releases a new GFI LanGuard missing patch definition file.
204. Screenshot 140: Enumerate Computers tool

The enumerate computers utility identifies domains and workgroups on a network. During execution, this tool will also scan each domain/workgroup discovered so to enumerate their respective computers. The information enumerated by this tool includes:

- The domain or workgroup name
- The list of domain/workgroup computers
- The operating system installed on the discovered computers
- Any additional details that might be collected through NetBIOS

Computers are enumerated using one of the following methods:

- From Active Directory: This method is much faster and will include computers that are currently switched off.
- From Windows Explorer: This method enumerates computers through a real-time network scan and therefore it is slower and will not include computers that are switched off.

To enumerate computers:

1. Launch GFI LanGuard management console from Start > Programs > GFI
205. s based on your configuration.

6. To view the action progress, click Remediation Jobs from the right panel. For more information on Remediation Jobs, refer to Remediation Jobs section in this manual.

5.9 Using remote support

Through Remote Support, you can control remote computers using Terminal Services and Remote Desktop Protocol. Remote Support enables you to install missing patches, service packs and custom software through a remote connection.

Screenshot 76: Remote desktop connection

To connect remotely to a target machine:

1. Click Remediate tab and from the left panel, select a computer or domain/workgroup.
2. Expand Remote Support via Remote Desktop Connection from the right panel.
3. Depending on your selection, the list contains the available computers that allow remote desktop connection.
4. Double-click a machine from the list to connect.
206. s postponed until the next entrance into the specified time interval.

OPTION | DESCRIPTION
Let the user decide | Click Preview to view a screenshot of the dialog in the user manual. This dialog opens on the end user's computer after remediating vulnerabilities. For more information, refer to End user reboot and shut down options section in this manual.
Show notification before shut down for | Shows a custom message on the end user's computer for a specified number of minutes before reboot/shut down.
Delete copied files from remote computers after deployment | Deletes the downloaded patches/service packs after they are deployed.
Remember settings | Saves your configured settings and uses them during the next remediation job.

Screenshot 63: Advanced deployment options

4. (Optional) Select Advanced tab. Configur
207. s to enumerate in the scan results:

1. From the Network & Security Audit Options tab, click Devices sub-tab.
2. Click on the Network Devices tab (opens by default).
3. Select the scanning profile that you wish to customize from the left pane under Profiles.
4. Click Advanced at the bottom of the page.
5. Set the required options to Yes. Click OK to finalize your settings.

Scanning for USB devices
208. scmd.exe command line tool supports the following switches:

lnsscmd <Target> [/profile=profileName] [/report=reportPath] [/output=pathToxmlFile] [/user=username /password=password] [/UseComputerProfiles] [/email=emailAddress] [/DontShowStatus]

Table 51: lnsscmd command switches

SWITCH | DESCRIPTION
Target | Specify the IP/range of IPs or host name(s) to be scanned.
Profile | (Optional) Specify the scanning profile that will be used during a security scan. If this parameter is not specified, the scanning profile that is currently active in the GFI LanGuard will be used. NOTE: In the management console, the default (i.e. currently active) scanning profile is denoted by the word (Active) next to its name. To view which profile is active, expand the Configuration tab > Scanning Profiles node.
Output | (Optional) Specify the full path (including filename) of the XML file where the scan results will be saved.
Report | (Optional) Specify the full path (including filename) of the HTML file where the scan results HTML report will be output/saved.
User and Password | (Optional) Specify the alternative credentials that the scanning engine will use to authenticate to a target computer during security scanning. Alternatively, you can use the UseComputerProfiles switch to use the authentication credentials already configured in the dashboard. For more information on how to configure computer credentials using the dashboard, refer to Configure
209. Screenshot 50: Dashboard Software

4.8 Hardware view

Display more information on the hardware found during a network audit. Select hardware from the List to display more details. For a description of terms used in this result, refer to Hardware section in this manual.
210.
14.4 Knowledge Base
14.5 Web Forum
14.6 Request technical support
14.7 Build notifications
15 Glossary
16 Appendix: Data Processed by GFI LanGuard
16.1 Introduction
16.2 System Patching Status
16.3 Ports
16.4 Hardware
16.5 Software
16.6 System Information
Index

List of tables
Table 1: Target selection
Table 2: Automated network audit properties
Table 3: Add new rule
Table 4: Agents settings
Table 5: Target options when auditing
Table 6: Logon and audit options
Table 7: Scan Results
Table 8: Custom target properties
Table 9: New scheduled scan type
Table 10: Remote logon credentials
Table 11: Auto remediation options
Table 12: Reporting options
Table 13: Response time icons
Table 14: GFI LanGuard Vulnerability groups
Table 15: System patching status
211. stall Microsoft Data Access Components (MDAC) 2.6 or later on the GFI LanGuard machine and try again. MDAC can be downloaded from http www microsoft com downloads details aspx FamilylD 6c050f e3 c 95 4b d b037 185d0506396c amp displaylang en

Issues encountered:
- Incomplete results and errors when scanning remote machines
- GFI LanGuard program updates not working
- Firewall installed on GFI LanGuard is blocking connection with target computers
- GFI LanGuard is failing to retrieve workgroup computers when using Enumerate Computers

Incomplete results and errors when scanning remote machines

Description: Errors similar to the following may be encountered:
- Failed to open test key to remote registry. The scan will not continue.
- Access Denied
- Could not connect to remote SMB server

These errors may be encountered because:
- The remote machine has an account similar to the one used by GFI LanGuard to log in as an administrator.
- The user account used by GFI LanGuard does not have administrative privileges.

Solution: To solve this issue, do one of the following:
- Log on the GFI LanGuard machine and configure GFI LanGuard to use an alternate domain administrator account.
- Delete the local user account on the remote machine.
- Launch GFI LanGuard executable with Run As using a Domain Administrator account.

For more information refer to http kbase gfi com sh
212. stalled on the target machine.

Pending installation | Installation is pending. A status can be pending when the machine is offline or the agent is being installed.
Pending uninstall | Uninstallation is pending. A status can be pending when the machine is offline or the agent is being uninstalled.
Installed | Agent is installed on the target machine.

Audit status

This chart is available only when selecting a domain or workgroup, and enables you to identify how many audits have been performed on your network, grouped by time.

Screenshot 35: Audit status chart

Vulnerability trends over time

When a domain or workgroup is selected, this section displays a line graph showing the change of vulnerability level over time, grouped by computer count.

Screenshot 36: Vulnerability Trends Over Time for a domain/workgroup

When a single computer is selected, this section displays a graph showing the change of vulnerability level over time for the selected computer.
213. Screenshot 111: Customize the report parameters

3. (Optional) Click Advanced search to configure filters to narrow your search results to something more specific.
4. Analyze the search results from the results section at the bottom.

8 Scanning Profiles

8.1 Introduction

GFI LanGuard enables you to scan your IT infrastructure for particular vulnerabilities using pre-configured sets of checks known as scanning profiles. Scanning profiles enable you to scan your network targets and enumerate only specific information. For example, you may want to use a scanning profile that is set to be used when scanning the computers in your DMZ as opposed to your internal network.

In practice, scanning profiles enable you to focus your vulnerability scanning efforts on a specific area of your IT infrastructure, such as identifying only missing security upda
214. sts of your scanning profile.

All the device scanning configuration options are accessible through the two sub-tabs contained in the devices configuration page. These are the Network Devices tab and the USB Devices tab.

- Use the Network Devices sub-tab to configure the attached network devices scanning options and blacklisted (unauthorized)/white-listed (safe) devices lists.
- Use the USB Devices sub-tab to configure the attached USB devices scanning options and unauthorized/safe devices lists.

Enabling/disabling checks for all installed network devices

To enable network device (including USB device) scanning in a particular scanning profile:

1. From the Network & Security Audit Options tab, click Devices sub-tab.
2. Click Network Devices tab.
3. Select the scanning profile to customize from the left pane under Profiles.
4. From the right pane, select Enable scanning for hardware devices on target computer(s).

Network device scanning is configurable on a scan profile by scan profile basis. Make sure to enable network device scanning in all profiles where this is required.

Compiling a network device blacklist/white-list

To compile a network device blacklist/white-list for a scanning profile:

1. From the Network & Security Audit Options tab, click Devices sub-tab.
2. Click Network Devices tab.
3. Select the scanning profile to customize from the left pane under Profiles.
4. In the ri
215. successfully

Downloading | Update is being downloaded.
Failed | An error occurred while downloading the update.
Pending | Update is queued for download.
Cancelled | User canceled update download.

Right-click an entry and select one of the options described in Table 23 below.

Table 23: Security updates download

OPTION | DESCRIPTION
Configure Patch Auto-Download | Enables or disables auto-patch download and used to configure where the patches are stored. For more information, refer to Patch Auto-download settings section in this manual.
Edit proxy settings | Configure the proxy settings used by GFI LanGuard to connect to the Internet. For more information, refer to Configure GFI LanGuard Proxy settings section in this manual.
Change download priority | Change the download priority. Select between High, normal or low priority.
Cancel selected downloads | Stop and remove the selected download.
Pause all downloads | Temporarily pause all downloads.

Remediation Operations

The remediation operations screen enables you to monitor as well as cancel all the scheduled remediation features within GFI LanGuard. For more information on how to fix vulnerabilities, refer to Fixing vulnerabilities section in this manual.

Product Updates Activity

The Product updates activity screen enables you to monitor or edit GFI LanGuard scheduled or manual updates. For more information on how to set up scheduled
216. t 104 Reporting

An executive summary report showing:
- Computer vulnerability level
- Agent status
- Audit status
- Vulnerability trends over time
- Computer summary and details

Shows statistical information related to the vulnerabilities detected on target computers. Vulnerabilities can be grouped by:
- Computer name
- Vulnerability severity
- Timestamp
- Category

Lists statistical information related to missing security updates found on scanned computers.

A technical report showing information retrieved during an audit. Amongst others, the report contains information on:
- Vulnerabilities
- Open ports
- Hardware and software

A summary of scan target information, including:
- Operating system information
- Agent status
- Vulnerabilities severity

Amongst other computer related details, this report includes information on:
- The network role of a scan target
- The domain name that the scan target is a member of
- Registry
- Shares
- Users and groups

Illustrates information related to the hardware found during an audit.

Lists all the shared folders found during an audit. The results are grouped by computer name.

Lists all the open ports found during an audit. The results are grouped by port type (TCP and UDP).

A technical report showing information retrieved during a specified scan. The report contains full details of the scanned computers and also auto remediations performed
217. t DCOM 135 sharing DCOM dynamic Remote registry Windows update agent. Missing patches: Discovers missing Microsoft and non-Microsoft patches. Ports: TCP 139, TCP 445, DCOM 135, DCOM dynamic. Protocol: SMB, File and printer sharing, Remote registry, Windows update agent. Installed service packs: Lists installed Microsoft and non-Microsoft service packs. Ports: TCP 139, TCP 445, DCOM 135, DCOM dynamic. Protocol: SMB, File and printer sharing, Remote registry, Windows update agent. Installed patches: Lists installed Microsoft and non-Microsoft patches. Ports: TCP 139, TCP 445, DCOM 135, DCOM dynamic. Protocol: SMB, File and printer sharing, Remote registry, Windows update agent. 16.3 Ports. Open TCP ports: Checks for open TCP ports. Ports: All enabled ports in the scan profile. Protocol: Windows sockets. Open UDP ports: Checks for open UDP ports. Ports: All enabled ports in the scan profile. Protocol: Windows sockets. 16.4 Hardware (Data: Description; Ports; Protocol). Network devices: Lists physical and virtual network adapters. Local drives: Lists drives discovered on scanned target(s). Local drives include: hard disks, CD/DVD drives, floppy drives. Processors: Lists processors discovered during a scan. Motherboards: Lists motherboards discovered during a scan. Memory details: Returns memory information of scanned target s includin
218. [Screenshot 92: Microsoft SQL Server database backend options] 2. Select the MS SQL Server option and choose the SQL Server that will be hosting the database from the provided list of servers discovered on your network. 3. Specify the SQL Server credentials or select the Use NT authority credentials option to authenticate to the SQL server using Windows account details. 4. Click OK to finalize your settings. If the specified server and credentials are correct, GFI LanGuard will automatically log on to your SQL Server and create the necessary database tables. If the database tables already exist, it will re-use them. When using NT authority credentials, make sure that GFI LanGuard services are running under an account that has both access and administrative privileges on the SQL Server databases. 6.6.2 Managing saved scan result
219. t unavailable for all scanning profiles. 8.4.3 Configuring System Information options. [Screenshot: Scanning Profiles Editor, Network & Software Audit Options, System Information tab, showing the following settings.] Windows System Information: Retrieve basic OS information by SMB: Yes; Request server information: Yes; Identify PDC (Primary Domain Controller): No; Identify BDC (Backup Domain Controller): No; Enumerate trusted domains: No; Enumerate shares: No; Display admin shares: Yes; Display hidden shares: Yes; Enumerate local users: No; Enumerate groups: No; Enumerate logged on users: No; Enumerate users logged on locally: Yes; Enumerate users logged on remotely: Yes; Enumerate disk drives: No; Request remote time of day: No; Request information from remote registry: Yes; Enumerate services: No; Enumerate sessions: No; Read password policies: No; Enumerate remote processes: No; Security audit policy: No; Identify virtualization technology: No. Linux System Information: Retrieve basic OS information: Yes; Enumerate local users: No; Enum
220. [Screenshot 125: Scanning Profiles properties: TCP Ports tab options. The dialog notes: If you add, edit or remove a port, the changes will be applied to all the profiles.] Enabling/disabling TCP Port scanning. To enable TCP Port Scanning in a particular scanning profile: 1. From the Network & Security Audit Options tab, click the TCP Ports sub-tab. 2. Select the scanning profile that you wish to customize from the left pane under Profiles. 3. Select the Enable TCP Port Scanning option. Configuring the list of TCP ports to be scanned. To configure which TCP ports will be processed by a scanning profile: 1. From the Network & Security Audit Options tab, click the TCP Ports sub-tab. 2. Select the scanning profile to customize from the left pane under Profiles. 3. Select the TCP ports to analyze with this scanning profile. Customizing the list of TCP ports: 1. From the Network & Security Audit Options tab, click the TCP Ports sub-tab. 2. Select the scanning profile that you wish to customize from the left pane under Profiles. 3
221. tches and service packs. For more information on how to use the Manage applicable scheduled scan feature, refer to the Managing scheduled scans section in this manual. 6.4.2 Patch Auto download settings. GFI LanGuard ships with a patch auto download feature that enables the automatic download of missing patches and service packs in all 38 languages supported by Microsoft products. In addition, you can also schedule patch auto download by specifying the timeframe within which the download of patches is performed. To configure patch auto download: 1. Click Configuration tab > Security updates > Patch Auto Download. 2. From the right pane, click the link. [Screenshot 89: Configuring Patch Auto download Properties. The dialog has General, Patch Repository and Timeframe tabs.] 3. In the General tab, select between All patches or Only needed patches. Selecting All patches downloads all patches issued by Microsoft regardless of whether these are required for deployment. The Only needed patches option downloads only patches required for deployment. 4. To change the location where the
222. ter wizard: Gathering information about known issues. Screenshot 153: Troubleshooter fixed known issues. 1 Introduction. 1.1 Introduction to GFI LanGuard. GFI LanGuard is a security scanning, network auditing and remediation solution that enables you to scan and protect your network through: Identification of system and network weaknesses via a comprehensive vulnerability check database. This includes tests based on OVAL, CVE and SANS Top 20 vulnerability assessment guidelines. Auditing of all hardware and software assets on your network, enabling you to create a detailed inventory of assets. This goes as far as enumerating installed applications as well as devices connected on your network. Automatic download and remote installation of service packs and patches for Microsoft operating systems and third party products, as well as automatic un-installation of unauthorized software. 1.2 About this manual. This manual is a comprehensive guide aimed at assisting you in configuring and using GFI LanGuard. It builds on the instructions in the GFI LanGuard Getting Started Guide and describes the use and configuration required to achieve the best possible results. The GFI LanGuard Getting Started Guide is available from http://www.gfi.com/lannetscan/manual. This manual contains the following chapters: Chapter 1, Chapter 2, Chapter 3, Chapter 4, Chapter 5, Chapter 6, Chapter 7 (Chapter: Description)
223. tes. The benefit is that you have less scan results data to analyze, tightening up the scope of your investigation so that you can locate the information you require more quickly and easily. Through multiple scanning profiles, you can perform various network security audits without having to go through a reconfiguration process for every type of security scan required. 8.2 Scanning profile description. Out of the box, GFI LanGuard includes an extensive list of scanning profiles as described below. 8.2.1 Complete Combination scans. Table 45 below describes in detail the scans involved in the Complete Combination scanning profile. Table 45: Complete Combination scanning profiles. Full Vulnerability Assessment: Use this scanning profile to enumerate particular network vulnerabilities such as open TCP/UDP ports commonly exploited by Trojans, as well as missing patches and service packs. The list of vulnerabilities enumerated by this profile can be customized through the Vulnerabilities tab. Installed USB devices and applications are not enumerated by this profile. This profile will scan for all vulnerabilities. This includes vulnerabilities which have an associated Microsoft patch and which are considered missing patches. Full Scan (Active): Use this scanning profile to retrieve system information as well as scan your network for all supported vulnerabilities, including open TCP/UDP ports, missing patches and
224. the name of the new profile and optionally select Copy all settings from an existing profile to clone settings from an existing profile. 5. Click OK to save settings. The new scanning profile is added under Profiles in the left pane. 8.3 Configure Vulnerabilities Assessment options. The scanning profiles that ship with GFI LanGuard are already pre-configured to run a number of vulnerability checks on selected targets. You can, however, disable vulnerability scanning as well as customize the list of vulnerability checks executed during a scan. [Screenshot: GFI LanGuard Scanning Profiles Editor, Vulnerability Assessment Options, Vulnerabilities tab, showing the Enable vulnerability scanning option and the list of vulnerability checks]
225. this scheduled scan job. Dialog: Triggering time. Set the triggering time for this scheduled scan job: one time only, or a recurrence pattern (every 1 days, every weekday). Option: Wait for offline machines to connect to the network. If nonexistent systems are specified in the scan target, the scan will not finish until the user manually stops it from Activity Monitor > Security Scans. Screenshot 12: Scheduled scan frequency. 6. Specify date/time/frequency of scheduled scan and click Next. Dialog: Select scan profile. Select parameters to use for scan job. Profiles listed: Full TCP & UDP Scan, Only SNMP, Ping Them All, Share Finder, Uptimes, Disks Space Usage, System Information, Hardware Audit, Network Discovery. Screenshot 13: Select scanning profile. 7. Specify the scanning profile and click Next. Dialog: Remote logon credentials. Specify credentials to use to log on to remote targets. Credentials: GFI LanGuard 10 Attendant Service account; Use data from computer profiles; Alternative credentials (User name, Password); SSH Private Key Us
226. ties that have a CVE ID. 12.3.5 Importing and exporting CVE Data. CVE data can be exported through the impex command line tool. For more information on the impex command line tool, refer to the Using impex.exe, the command line import and export tool section within this manual. 13 Miscellaneous. 13.1 Enabling NetBIOS on a network computer. 1. In Microsoft Windows 7 and Microsoft Windows Vista, navigate to Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings. In Microsoft Windows XP, click Control Panel, Network Connections. 2. Right-click on Local Area Connection and select Properties. 3. Click Internet Protocol (TCP/IP) and select Properties. 4. Click Advanced > WINS. [Screenshot 150: Local Areas Connection properties: WINS tab. NetBIOS setting options: Default (use NetBIOS setting from the DHCP server; if static IP address is used or the DHCP server does not provide NetBIOS setting, enable NetBIOS over TCP/IP), Enable NetBIOS over TCP/IP, Disable NetBIOS over TCP/IP.] 5. Select the Default option from the NetBIOS Setting area. 6. Click OK and exit the Local Area Properties
227. tions refer to the Configuring alerting options section in this manual. [Dialog: Review scheduled scan job. Please review the settings for this scheduled scan job. Scheduled scan summary: Target: localhost. Triggering time: Occurs every day at 01:36:05. Scanning profile: Full Scan. Credentials: GFI LanGuard 10 Attendant Service account. Auto remediation: Automatically download and deploy missing patches and service packs and uninstall unauthorized applications. Warning: Alerting options are not configured, email reports will not be sent.] Screenshot 17: Review scheduled scan job. 13. Click OK and Finish. By default, all new scheduled scans are disabled. To enable, select Configuration tab > Scheduled Scans and click on the button. Confirm that the new scheduled scans are successfully set by clicking on Activity Monitor tab > Security Scans. New scheduled scans are listed in the queue. [Screenshot: Security Scans queue, showing target, profile, start time, status and remaining time for each scan]
228. [Screenshot 56: Action Center: Scheduled Activity, showing the security scans queue with target, profile, start time and status for each scan] 3. From the left pane, select one of the following views: Security Scans, Security Updates Downloads, Remediation Operations, Product Updates Activity. This section describes each option in more detail. Security Scans: The Security Scans section enables monitoring of all the security scans that are currently in progress. To stop a scan, right-click the security scan and select the Stop selected scans option. For more information on how to set up a new scheduled scan, refer to the Setting up a scheduled scan section in this manual. Se
229. [Screenshot 131: The applications configuration page. The Unauthorized Applications sub-tab lets you specify which installed applications are authorized, unauthorized, and which you do not need to be notified about: either only the applications in the list, or all applications except the ones in the list. Note from the dialog: When an application is not authorized, a high security vulnerability warning will be generated.] Through this tab you can also configure GFI LanGuard to detect and report unauthorized software installed on scanned targets and to generate high security vulnerability alerts whenever such software is detected. Scanning installed applications. By default, GFI LanGuard also supports integration with particular security applications. These include various anti-virus and anti-spyware software. During security scanning, GFI LanGuard checks the correct config
230. [Screenshot 107: Reporting tab] 7.2 Available reports. Table 42 below describes the available reports in GFI LanGuard. Table 42: Available reports (Report name: Description). Network Security Overview: An executive summary report showing: network vulnerability level, most vulnerable computers, agent status, audit status, vulnerability trends over time, information on operating systems, servers and workstations. Report names: Computer Security Overview, Vulnerability Status, Missing Security Updates, Full Audit, Computer Summary, Computers Detailed, Hardware Audit, Open Shares, Open Ports, Scan Based Full Audit, Last Scan Summary, Last Scan Details, Last Auto remediation, Last Scan Security Changes, Software Audi
231. ully Main true End Function 4. Save the script in <LanGuard installation folder path>\Data\Scripts\myscript.vbs. Step 2: Add the new vulnerability check. 1. Open the GFI LanGuard management console. 2. Click Configuration tab and select Scanning Profiles. 3. Click the Vulnerability Assessment sub-node and, from the middle pane, select the category in which the new vulnerability check will be included, for example High Security Vulnerabilities. [Screenshot 145: The new vulnerability check dialog] 4. In the new window, add a new vulnerability by clicking Add in the middle pane. 5. Go through the General, Description and References tabs while specifying the basic details such as the vulnerability name, short description, security level and OVAL ID (if applicable). 6. Click the Conditions tab and click on the Add button. This will bring up the check properties wizard. [Dialog: Check properties, Step 1 of 3: Select the type of check. Specify what you want to check from the list of check types.]
232. ulnerabilities, Missing Service Packs, Missing Patches. High/Med/Low Security vulnerabilities. Click on the High Security Vulnerabilities or Low Security Vulnerabilities sub-nodes for a list of weaknesses discovered while auditing a target device. Table 14 below describes these groups. Table 14: GFI LanGuard Vulnerability groups (Group: Description). Mail, FTP, RPC, DNS and Miscellaneous: Shows vulnerabilities discovered on FTP servers, DNS servers, and SMTP/POP3/IMAP mail servers. Links to Microsoft Knowledge Base articles or other support documentation are provided. Web: Lists discovered vulnerabilities on web servers (such as wrong configuration issues). Supported web servers include Apache, Netscape, and Microsoft IIS. Services: Lists vulnerabilities discovered in active services, as well as the list of unused accounts that are still active and accessible on scanned targets. Registry: Registry settings of a scanned network device are listed. Links to support documentation and short vulnerability descriptions are provided. Software: Enumerates software installed on the scanned network device(s). Links to supporting documentation and short vulnerability descriptions are provided. Rootkit: Enumerates discovered vulnerabilities because of having a rootkit installed on the scanned network device(s). Links to supporting documentation and short vulnerability descriptions are provided. Pote
233. unning GFI LanGuard. Network and Software Audit scanning profiles. Share Finder: Use this scanning profile to audit your network and enumerate all open shares, either hidden or visible. No vulnerability checks are performed by this profile. Uptimes: Use this scanning profile to audit your network and identify how long each computer has been running since the last reboot. Disks Space Usage: Use this scanning profile to audit your network and retrieve system information on available storage space. System Information: Use this scanning profile to retrieve system information such as operating system details, wireless/virtual/physical network devices connected, USB devices connected, installed applications and more. Hardware Audit: Use this scanning profile to audit your network and enumerate all hardware devices currently connected to your network computers. Network Discovery: Use this scanning profile to enumerate any IP enabled device connected to your network. 8.2.4 Which scanning profile shall I use? Select the scanning profile based on: The scope of your vulnerability analysis, that is, what you want to achieve out of your vulnerability scan. Based on these factors, you can determine the type of vulnerability checks to be performed and the information that you want to retrieve from your scan targets. The time you have at your disposal for target vulnerability scanning. The more vulnerability checks you run, the longer it will take the
234. updated that you can also update by checking Update ALL files or packages without update. [Dialog package list: Patch Management Definitions, Microsoft Patch Detection Data, Patch Management Prerequisites, GFI LANguard Vulnerabilities Update. Option: Update ALL files including the ones already updated.] Screenshot 100: The Check for updates Wizard. 5. Select the updates and click Next. 6. Click Start to start the update process. 6.7.4 Product Updates Activity. GFI LanGuard maintains a comprehensive log of all updates activity. This information can be reviewed by clicking Activity Monitor tab > Product Updates Activity node. This enables you to keep track of which updates were successful or not. 6.8 Importing and Exporting Settings. GFI LanGuard allows configurations import and export through Import and Export Configurations in the File menu. Configurations that can be imported/exported include: Scanning Profiles, Vulnerability Assessment, Ports (TCP/UDP), Results Filtering Reports, Auto-Remediate Settings (Auto-Uninstall and Patch settings), Options (Database Backend, Alerting, Schedule scan and Internal Settings). 6.8.1 Exporting Configu
235. updates at application startup to enable/disable auto update checks at application startup. 3. Select/unselect enable scheduled updates to configure the frequency of update checks. 4. Specify whether GFI LanGuard downloads updates from the GFI website or from an alternative location. 5. Click OK to finalize settings. 6.7.3 Starting program updates manually. To start GFI LanGuard program updates manually: 1. Click on Configuration tab > Program Updates. 2. From Common Tasks, click Check for updates. [Dialog: Update GFI LanGuard 2011. Choose which action to do in the next step. You can choose to update the application files or to download all the update files to a specific path used further as an alternative update location. Options: Update application files from the following location (GFI web site or alternative location); Download all update files from GFI web site to this path.] Screenshot 99: The Check for Updates wizard: Stage 1. 2. Specify the location from where the required update files will be downloaded. 3. (Optional) Change the default download path: select Download all update files to this path to provide an alternate download path to store all GFI LanGuard updates. 4. Click Next to proceed with the update. Dialog: Update GFI LanGuard 2011. Choose which packages to update. Disabled items represents packages already
236. uration of virus scanner(s) or anti-spyware software and that the respective definition files are up to date. Application scanning is configurable on a scan profile by scan profile basis, and all the configuration options are accessible through the two sub-tabs contained in the Applications tab. These are the Unauthorized Applications sub-tab and the Advanced Options sub-tab. Enabling/disabling checks for installed applications. [Screenshot: Scanning Profiles Editor, Network & Software Audit Options, Applications tab, showing the Enable scanning for installed applications on target computer(s) option and the Unauthorized Applications and Advanced Options sub-tabs. Note from the dialog: When an application is not authorized, a high security vulnerability warning will be generated.]
237. ured. This includes downloading and installing missing patches and service packs and unauthorized software un-installation. Reporting: Configure reporting options used for the selected scheduled scan. Advanced: Use this tab to specify whether GFI LanGuard should wait for offline computers to connect to the network. This enables GFI LanGuard to postpone the scan on these machines and keep track of targets pending a scan, for example laptops or other mobile devices that are not connected to the network. As soon as these are connected, scanning will start. 4. Click OK to finalize your configuration. 6.3 Applications inventory. GFI LanGuard applications inventory provides a list of all applications detected during past scans. The list is used to specify unauthorized applications. You can also manually add applications to the list. You can do this by specifying the entire name as well as a partial name (specify generic names or part of an application name). GFI LanGuard automatically scans the list of applications and detects partial names. [Screenshot: Configuration tab, Applications Inventory: Use this list of applications detected during past scans to add unauthorized applications to scan profiles]
238. ventory sub-node. 2. From Common Tasks, click Add a new application. 3. In the welcome screen, click Next. [Dialog: Add unauthorized application wizard, Step 1 of 4: Specify application details. Specify a generic application name and optional details such as publisher and version. Specify a complete or partial application name by which this application can be identified. Note: Partial application names are accepted. Optionally you can provide the following details: Version Number, Publisher.] Screenshot 84: Applications inventory wizard. 4. Specify application name. Optionally provide the version number and publisher name. Click Next. 5. Select the scanning profiles that will detect unauthorized applications (example: Full Scan) and click Next. 6. Specify whether changes made will affect applications which have a partial/full name match. Click Next to continue. 7. Review the Add application wizard information and click Finish to finalize configuration. 6.3.2 Application auto uninstall. Application auto-uninstall entails that applications marked as unauthorized for specific scanning profiles are first validated for a successful uninstall on a test machine. Subsequently, a scheduled scan based on the scanning profile for which the application is marked as unauthorized is configured to auto uninstall
239. vulnerability scanning: 1. From the Vulnerability Assessment Options tab, click the Vulnerabilities sub-tab. 2. Select the scanning profile to customize from the left pane under Profiles. 3. In the right pane, select the Enable Vulnerability Scanning option. Vulnerability scanning is configured on a scan profile by scan profile basis. If in a particular profile this option is not selected, no vulnerability tests will be performed in the security audits carried out by this scanning profile. Customizing the list of vulnerabilities to be scanned. To specify which vulnerabilities will be enumerated and processed by a scanning profile during a security audit: 1. From the Vulnerability Assessment Options tab, select the scanning profile to customize from the left pane under Profiles. [Screenshot: Vulnerability Assessment Options, Vulnerabilities tab, grouped by type: DNS, FTP, Mail, Registry, Rootkit, RPC, Services, Software, Web, Potential Vulnerabilities]
240. y using the reserved IP address 127.0.0.1. In this manual, the Local host is the machine where GFI LanGuard is installed. The server that manages and stores client's emails. Composed from malicious and software, malware is a general term used for all software developed to harm and damage a computer system. Viruses, worms and Trojans are all types of malware. A Microsoft desktop relational database management system included in the Microsoft Office package. Microsoft Access is normally used for small databases. See Internet Information Services. A Microsoft relational database management system. Microsoft included extra functionality to the SQL Server (transaction control, exception handling and security) so that Microsoft SQL Server can support large organizations. A collection of updates and fixes provided by Microsoft to improve an application or an operating system. An acronym for Microsoft Windows Server Update Services. This service enables administrators to manage the distribution of Microsoft updates to network computers. See Microsoft Access database. See Microsoft SQL Server. An acronym for Network Basic Input/output. This system provides services to allow applications on different computers within a network to communicate with each other. A web browser originally developed by Netscape Communications Corporation. Terms: Open Vulnerability and Assessment Language (OVAL), Patch agent, Python scripting, Remote
241. y when selecting a single computer and enables you to view the number of scans/audits performed on the selected computer. In addition, it enables you to verify if scheduled scans are being performed. [Screenshot 41: Scan activity] Remediation Activity: This line graph is available only when selecting a single computer and enables you to view the number of remediation activities performed on the selected computer. In addition, this graph enables you to verify that auto-remediation is performed. [Screenshot 42: Remediation activity] Top 5 Issues to Address: This section is available only when selecting a single computer and displays the top five issues to address for the selected computer. [Screenshot: Top 5 Issues to Address]