2. Installing GFI LANguard Network Security Scanner
Contents
1. Deploy immediately. Screenshot 128: Monitoring the deployment process. To view the patch deployment activity in progress, click on the Deployment Status tab, located next to the Sort by patches tab at the top of the right pane. Uninstall patches already deployed on targets: To uninstall patches or service packs previously installed on target computers: (1) Perform a scan on the computer(s) from which you need to uninstall (roll back) patches previously deployed. (2) From the scan results, right-click on the listed computers and select Uninstall Microsoft updates > Service packs from or Patches from > This computer, Selected computers or All computers.
2. Screenshot 43: Logged on users node. The logged-on user details enumerated by GFI LANguard N.S.S. include: Logged on username; Logon date and time: the time and date when the user logged on to the target computer; Elapsed time: how long the user has been logged on to this computer; Number of programs running: the number of programs that the interactively logged-on user was running at the time of the scan; Idle time: how long the remote user's connection has been idle (i.e. completely inactive); Open files: how many files are opened by the remote user's connection; Client type: the platform/operating system that the remote user used to connect to the target computer; Transport: the name of the service that was used to initiate the remote connection between the remote computer and the target computer (for example NetBIOS, SMB, Terminal Service, Remote Desktop). Detailed scan results: Analyzing services. Active services can be a potential security weak spot in your network system. Any of these services can be a Trojan, a virus or another type of malware which can seriously affect your system in a dangerous way. Furthermore, unnecessary applications and services that are left running on a system consume valuable system resources. Du
3. Screenshot 49: Computer(s) node. Click on the Computer sub-node to access particular details about the scanned target computer, including: MAC: shows the MAC address of the network card that the target computer is using to connect to the network. Time To Live (TTL): shows the maximum number of network hops allowed before a data packet expires (is discarded). Based on this value you can identify the distance (i.e. the number of router hops) between the computer running GFI LANguard N.S.S. and the target computer that was just scanned. Typical TTL values include 32, 64, 128 and 255. Network Role: denotes whether the scanned target computer is a workstation or a server. Domain: denotes the domain/workgroup details. When scanning targets which are part of a domain, this field shows the list of trusted domain(s). If the scanned target computer is not part of a domain, this field will show the name of the respective workgroup. LAN Manager: shows the type of operating system and LAN Manager in use (for example, Windows 2000 LAN Manager). Language: shows the language setting configured on the scanned target computer (for example, English). Detailed scan results: Analyzing sessions.
4. Configuring the attached devices scanning options; Enabling/disabling checks for installed network devices; Compiling a network device blacklist/whitelist; Configuring advanced network device scanning options; Enabling/disabling checks for attached USB devices; Compiling a USB devices blacklist/whitelist; Configuring applications scanning options; Scanning installed applications; Enabling/disabling checks for installed applications; Compiling an installed applications blacklist/whitelist; Scanning security applications; Enabling/disabling checks for security applications; Customizing the list of security applications for scanning; Configuring security applications advanced options. 10 GFI LANguard N.S.S. updates
5. Screenshot 148: Trace route tool. Click on the Tools button and select the Tools > Traceroute tool to identify the path that GFI LANguard N.S.S. followed to reach a target computer. To use this tool: (1) In the Trace dropdown, specify the name/IP or domain to reach. (2) Click on the Traceroute button to start the tracing process. Traceroute will break down the path taken to a target computer into hops. A hop indicates a stage and represents a computer that was traversed during the process. The information enumerated by this tool includes the IP of traversed computers, the number of times that a computer was traversed and the time taken to reach the respective computer. An icon is also included next to each hop. This icon indicates the state of that particular hop. The icons used in this tool indicate one of the following: a successful hop taken within normal parameters; a successful hop, but the time required was quite long; a successful hop, but the time required was too long; the hop was timed out (> 1000 ms).
6. Web: This group contains the vulnerabilities discovered on web servers (such as misconfiguration issues). Supported web servers include Apache, Netscape and Microsoft I.I.S. The information listed in this section includes: Vulnerability check name (for example, Imported_IIS FrontPage Check); Description: a short description of the respective vulnerability; ID/URL: the ID of the relevant Microsoft Knowledge Base article(s) and the URL to more detailed information on the vulnerability. Services: This group contains vulnerabilities discovered in active services, as well as the list of unused accounts that are still active and accessible on scanned targets. Registry: This group contains vulnerabilities discovered in the registry settings of a scanned network device. The details shown in this category include links to support documentation as well as a short description of the respective vulnerability. Software: This group contains vulnerabilities found in software installed on the scanned network device(s). The details shown in this category include links to supporting documentation as well as a short description of the vulnerability. Rootkit: This group includes details of vulnerabilities discovered
7. Screenshot 19: Specify the scan credentials. (6) Specify the authentication details to be used during this scan. Click on the Scan button to initiate the scanning process. Configuring scan ranges: GFI LANguard N.S.S. enables you to configure ranges, and exclusions to scan ranges, for the IP addresses to scan. These are set up in the computer or range field within the new scan wizard. Scan ranges: Ranges are configured through the use of the character. Through this character users can, for example, key in: 192.168.0.1 165. This will scan all the available addresses from 192.168.0.1 to 192.168.0.165. Scan range exclusions: Scan range exclusions are configured through the use of the and characters. Ex: 192.168.0.1 165; 192.168.0.13. In the example above, all the available computers whose IP address is in the 192.168.0.1 to 192.168.0.165 range will be scanned, except for 192.168.0.13, which will be excluded. Quick start scans
8. Screenshot 13: New scan wizard. On launching GFI LANguard N.S.S. for the first time, you are presented with the new scan wizard. This assists you in performing your first network scans using GFI LANguard N.S.S. For more information on how to start a new scan, please refer to the Performing the first security scans section in the Getting started: Performing an audit chapter of this manual. 4 Getting started: Performing an audit. Introduction: Security scans enable systems administrators to identify and assess possible risks within a network. Through GFI LANguard N.S.S. this is performed automatically, without all the unnecessary repetitive and time-consuming tasks related to performing them manually. In this chapter you will discover how to perform security scans using default and custom settings, how to start scans directly from the toolbar and how to configure scan ranges. To perform a security audit, the scanning engine requires you to specify three primary parameters: (1) Target computer(s) to scan for security issues. (2) Scanning profile to use (specifies the vulnerability checks/tests to be done against the specified targets). (3) Authentication details to be used to log on to the target computer(s). For a thorough security
9. Publisher: shows the manufacturer details. General applications group: The General applications group contains the list of general-purpose applications installed on a scanned target computer. These include all software programs which are not classified as anti-virus or anti-spyware products, such as Adobe Acrobat Reader and GFI LANguard N.S.S. Details enumerated in the General Applications group include: Application name; Version: shows the version number of the application; Publisher: shows the manufacturer details. Detailed scan results: Analyzing network devices. Unmonitored network devices, especially wireless ones, are becoming a main source of information leakage in organizations. Special care must be given to ensure that only authorized wireless devices are connected to your network infrastructure.
10. Use this option to enumerate all the vulnerabilities and missing patches on the entire local domain. This option can be time consuming. Custom scan: Use this option to enumerate system information without including vulnerabilities and missing patches. On choosing this option you will be directed to the new default scan wizard. For more information on how to start a new default scan, please refer to the Performing a security scan using default settings section in this chapter of the manual. Following a network security scan, it is important to identify which areas and systems require immediate attention. For more information, refer to the Getting started: Analyzing the security scan results chapter in this manual. Performing a security scan using default settings: For a default scan you must only specify which target computer(s) you wish to audit, and GFI LANguard N.S.S. will automatically: Authenticate to the targets using the currently logged-on user account credentials (i.e. the credentials under which GFI LANguard N.S.S. is currently running); Use a thorough list of default vulnerability checks that are preconfigured in the Full scanning profile. This is one of the default scanning profiles that ships with GFI LANguard N.S.S. To perform a default scan: (1) Click on the New Scan button.
11. Wireless devices; Virtual devices; Software enumerated devices. Each group includes various details about the device detected, including: MAC Address; IP Address(es); Device Type; Hostname; Domain; DHCP details; WEP (where available); SSID (where available); Gateway; Status. Detailed scan results: Analyzing USB devices.
12. Screenshot 119: Program Updates Properties dialog. (1) Select the Configuration button, right-click and expand the General node. (2) Right-click the Program Updates sub-node and select Properties. This will bring up the Program Updates Properties dialog. (3) Select the updates to be downloaded and specify the location from where the selected program updates will be downloaded. (4) Click OK to finalize your settings. 11 Patch management: Deploying Microsoft Updates. Introduction: Apart from automatically downloading Microsoft patch
13. Screenshot 9: Specify patch languages. (9) Select the patch management languages that will be supported by GFI LANguard N.S.S. and click Next. (10) Specify the installation path for GFI LANguard N.S.S. and click Next. (11) Click Finish to finalize the installation. Upgrading earlier versions of GFI LANguard N.S.S.: You can upgrade earlier versions (5, 6 and 7) of GFI LANguard N.S.S. and retain the current custom scan profiles, scheduled scan details, mailserver settings and the scan results database. To achieve this: (1) Launch GFI LANguard N.S.S. installation.
14. Screenshot 99: List of unauthorized (blacklisted) network devices. Similarly, you can create a separate scanning profile that enumerates only Bluetooth dongles and wireless NIC cards connected to your target computers. However, in this case you must specify Bluetooth and Wireless or WiFi in the unauthorized network and USB lists of your scanning profile. Screenshot 100: Network and USB Devices tabs. All the device scanning configuration options are accessible through the two sub-tabs contained in the devices configuration page. These are the Network Devices tab and the USB Devices tab. Use t
15. Screenshot 68: Configuring Alerting Options. (3) Configure the following parameters: To: email address where email notification will be sent; CC: carbon copy email address details; From: display name that will be shown in email sent to addressee; Server: SMTP server details; Port: SMTP port details; Username: (optional) SMTP login name details; Password: (optional) SMTP password. (4) Click on the Verify settings button to verify email settings. (5) Click OK to finalize your settings. Computer profiles: When working in both large and smaller-sized networks, you will inevitably have to log in with different sets of credentials on different computers. Systems such as Linux-based systems often make use of special authentication methods such as public key authentication. Such authentication methods generally require special custom logon credentials, such as private key files instead of the conventional password strings. Through computer profiles you can specify a different set of logon credentials for every target computer. The scanning engine can then refer to the logon credentials stored in these computer profiles when authenticating to target computers. This way you will not need to specify a default set of logon credentials prior to starting a network scan. It also makes it possible to scan target computers that require
16. GFI LANguard Network Security Scanner 8 Manual. By GFI Software. http://www.gfi.com Email: info@gfi.com. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of GFI SOFTWARE. LANguard is copyright of GFI SOFTWARE. 2000-2008 GFI SOFTWARE. All rights reserved. Version 8.0. Last updated March 27, 2008. Contents: 1 Introduction: Introduction to GFI LANguard Network Security Scanner; How is this manual structured; Key features; GFI LANguard N.S.S. components; License scheme. 2 Installing GFI LANguard Network Security Scanner: Firewall considerations; Installation procedure
17. Screenshot 158: The check triggering conditions dialog. (7) Select the Unix checks > SSH Script test node and click on the Next button to continue setup. (8) Click on the Choose file button and select the custom SSH Script file that will be executed by this check. For this example select myscript.sh. Click on Next to proceed. (9) Select the relative condition setup in the wizard to finalize script selection. Click on Finish to exit the wizard. (10) Click on OK to save the new vulnerability check. Testing the vulnerability check script used in our example: Scan your local host computer using the scanning profile where the new check was added. Testing the vulnerability check script used in our example: (1) Log on to a Linux target computer and create a file called test file. This check will generate a vulnerability alert if a file called test file is found. (2) Launch a scan on the Linux target where you created the file. (3) Check your scan results. The Vulnerabilities node will show the vulnerability warning shown below: File test file exists. Description: The test file test file exists in the current scanned user home directory. Screenshot 159: Testing the vulnerability check
18. Enable auditing on > Selected computers: to configure the audit policy settings of multiple computers. Enable auditing on > All computers: to configure the audit policy settings of all scanned computers. Screenshot 39: The audit policy administration wizard. (2) Select/unselect the check boxes of the auditing policies that you wish to set up on the selected target(s). For example, to log successful events, select the Successful check box of the relevant auditing policy. Click on Next to deploy the audit policy configuration settings on the target computer(s).
19. Screenshot 89: Scanning Profiles properties. Use the Advanced button included in the Vulnerabilities tab to bring up the advanced vulnerabilities scanning options. Screenshot 90: Advanced vulnerability scanning dialogs. Use these options to: Configure extended vulnerability scanning features that check your target computers for weak passwords, anonymous FTP access and unused user accounts; Configure how GFI LANguard N.S.S. will handle newly created vulnerability checks; Configure GFI LANguard N.S.S. to send CGI requests through a specific proxy server. This is mandatory when CGI requests will be sent from a computer that is behind a firewall to a target web serve
20. Screenshot 35: Potential vulnerabilities node. Click on the Potential vulnerabilities sub-node to view scan result items that were classified as possible network weaknesses. These scan result items, although not classified as vulnerabilities, still require your meticulous attention since they can be exploited by malicious users during an attack. For example, during vulnerability scanning GFI LANguard N.S.S. will enumerate all of the modems that are installed and configured on the target computer. If unused, these modems are of no threat to your network; however, if connected to a telephone line, these modems can be used to gain unauthorized and unmonitored access to the Internet. In practice this means that users can bypass corporate perimeter security, including firewalls, anti-virus, website rating and web content blocking, exposing the corporate IT infrastructure to a multitude of threats including hacker attacks. As a result, GFI LANguard N.S.S. considers installed modems as possible threats and enumerates them in the Potential Vulnerability sub-node for your attention and analysis. Detailed scan results: Analyzing shares. In the wild there is malicious software (e.g. worms and viruses such as Klez, Bugbear, Elkern and Lovgate) that can spread
21. Screenshot 82: Scanning Profiles properties: OS Data tab options. To specify which OS Data will be enumerated by a particular scanning profile during vulnerability scanning: (1) Select the Configuration button and expand the Configuration > Scanning Profiles sub-node. (2) Select the scanning profile that you wish to cu
22. Screenshot 5: Specify domain administrator credentials or use local system account. (4) If GFI LANguard N.S.S. is already running on your system, you will be asked to upgrade to a newer version or build. NOTE: For more information, refer to the Upgrading earlier versions of GFI LANguard N.S.S. section within this chapter. (5) Specify the service account under which GFI LANguard N.S.S. will be running and click Next. NOTE 1: GFI LANguard N.S.S. requires administrative privileges to scan network computers. NOTE 2: For more information on how to specify different administrator credentials on a computer-by-computer basis, refer to the Computer Profiles section in this manual.
23. Screenshot 150: Enumerate Computers tool. Click on the Tools button and select the Tools > Enumerate Computers tool to identify domains and workgroups on a network. During execution, this tool will also scan each domain/workgroup discovered so as to enumerate their respective computers.
24. Screenshot 151: The Enumerate Users tool dialog. Click on the Tools button and select the Tools > Enumerate Users tool to scan the Active Directory and retrieve the list of all users and contacts included in this database. To enumerate users and contacts contained in the Active Directory of a domain, select the domain name from the provided list of domains on your network and click on the Retrieve button. You can filter the information to be extracted and display only the users or contacts details. In addition, you can optionally configure this tool to highlight disabled or locked accounts. This is achieved through the configuration options included at the right side of the enumerate users tool. From this tool you can also enable or disable any user account that has been enumerated. This is achieved by right-clicking on the account and selecting Enable/Disable account accordingly. SNMP Auditing
25. Screenshot 26: Results Pane. The information included in the results pane includes:
    - A graphical measurement based on a weighted sum of the vulnerabilities detected in the last scan.
    - Scan details as well as a description of the current network vulnerability level.
    - The top 5 most vulnerable computers.
    - Links to tasks that assist you in fixing vulnerabilities discovered during scans.
    - Links through which you can enable/configure auditing policies.
    Analyzing the target computer scan summary
    Clicking on the target computer node will display a graphical representation of its vulnerability level. This is an automated interpretation of the scan results obtained following the successful scanning of that particular target computer. In addition to the vulnerability level, GFI LANguard N.S.S. 8 also provides guidelines on how to resolve the weaknesses discovered during vulnerability scanning.
26. Screenshot 53: Saved Scan Results dialog.
    3. Select the scan results to load and click OK.
    Loading saved scan results from an XML file
    Loading saved scan results from an XML file is identical to loading results from database.
    1. Click on the Main button.
    2. Right-click on the Security Scanner (default) node and select Load saved scan results from > XML.
    3. Select the XML containing the scan results to load and click OK.
    7 Filtering scan results
    Introduction
    Scan results contain a wide-ranging amount of information. Even though all of this information is important, there are times when you will require only specific information in order to achieve a particular scope, such as, for example, identifying only which patches are missing in your system.
28. Screenshot 25: Scan Results. The information included in the results pane includes:
    1. Scan target node: Displays information related to scan targets in terms of scan range and if scan result was retrieved from database.
    2. Scan computer node: Displays information related to scanned computer. This includes if scan was successful and O/S details.
    3. Scan details node: Displays information related to the scan performed on target computer. This includes number of vulnerabilities found, system patching status, etc.
    4. Scan results node: Displays the results of the scans carried out for specific computers.
    5. Scan results details: Displays the details of the scan results. This includes vulnerability or missing patch name, level of patch/vulnerability, detailed vulnerability/missing patch details, connected device information, etc.
    Analyzing the summary scan results for the scanned network
    Clicking on the scan target node displays a graphical representation of the total network vulnerability level. This is an automated combined interpretation of the scan results obtained following the successful scanning of one or
29. Screenshot 114: Details on the currently installed updates. Select the Configuration button and click on the General > Program Updates node to view the update status of your GFI LANguard N.S.S. The program update details are organized into categories and are shown in the right pane of the GFI LANguard N.S.S. management console. Every category includes the date of the last update performed, the date of the most recent download, as well as the version of the current installed database updates.
30. 18 Miscellaneous
    Introduction
    In this section you will find information on:
    - How to enable NetBIOS on a network computer.
    - Installing the Client for Microsoft Networks component on Windows 2000 or higher.
    - Configuring Password Policy Settings in an Active Directory-Based Domain.
    - Viewing the Password Policy Settings of an Active Directory-Based Domain.
    Enabling NetBIOS on a network computer
    1. Log on to the target computer with administrative rights.
    2. Navigate to the Windows Control Panel (Start > Control Panel) and double-click on the Network Connections icon.
    3. Right-click on the Local Area Connection icon of the NIC card that you wish to configure and select Properties.
    4. Click on Internet Protocol (TCP/IP) and select Properties.
    5. Click on the Advanced button.
    6. Click on the WINS tab.
    Screenshot 161 Local A
31. Screenshot 112: Selecting the security applications to be investigated.
    3. Click on the Security Applications tab and select the security applications that you wish to investigate.
    4. Click OK to finalize your settings.
    Configuring security applications advanced options
    Screenshot 113: Advanced configuration options dialog. Use the Advanced button included in the Security Applications configuration page to configure extended security product checks that generate high security vulnerability alerts when:
    - The anti-virus or anti-spyware product definitions files are out of date.
    - The Realtime Protection feature of a particular anti-virus or anti-spyware application is found disabled.
    - None of the selected anti-virus or anti-spyware software is currently installed on
32. 2. In the General tab, specify the name of the new scan filter.
    Screenshot 57: Filter properties dialog
    3. Click on Add and select the required filter property from the provided list (for example, operating system). This defines what type of information will be extracted from the scan results (i.e. the area of interest of the scan filter).
    4. Click on Next to continue.
    Screenshot 58: Filter condition properties dialog
    5. Select the required filter condition from the Conditions drop-down and specify the filter value. The filter value is the reference string to be used with the specified condition to filter information from scan results.
    6. Click on
34. Screenshot 95: Scanning Profiles properties, Scanner Options tab. Configurable options include timeouts, types of queries to run during target discovery, number of scanning threads count, SNMP scopes for queries and more.
    NOTE: Configure these parameters with extreme care. An incorrect configuration can affect the security scanning performance of GFI LANguard N.S.S.
35. Add to continue.
    NOTE: You can create multiple filter conditions for every scan filter. This allows you to create powerful filters that more accurately isolate the scan results information that you may want to analyze.
    Screenshot 59: The new Scan Filter properties dialog, Report Items tab page
    7. Click on the Report Items tab and select the information categories/sub-nodes that will be displayed in the configuration interface. Click on OK to save and create the new filter. The new filter will be added as a new permanent sub-node under the Security Scanner > Results Filtering node.
    NOTE: To delete or customize a scan filter, right-click on the target filter and select Delete or Properties respectively.
    Example 1: Create a filter which displays all computers that have a particular patch missing
    In this example we will create a filter that lists all Window
36. Screenshot 92: Selecting the missing patches to be enumerated.
    3. Select/unselect which missing patches will be enumerated by this scanning profile.
    Searching for bulletin information
37. Screenshot 120: Deploying missing service packs and patches. To specify on which target computers patches and service packs will be deployed, do as follows:
    To deploy missing updates on one computer
    From the Scanned Computers (middle) pane, right-click on the computer that you wish to update and select Deploy Microsoft updates > Service packs on (or Patches on) > This computer.
    Deploying missing updates on a range of computers
    1. From the Scanned Computers (middle) pane, select the computers to be updated.
    2. Right-click on any of the selected computers and select Deploy Microsoft updates > Service packs on (or Patches on) > Selected computers.
    Deploying missing updates on all computers
    From the Scanned Computers (middle) pane, right-click on
38. Screenshot 157: Adding a new vulnerability check
    1. Click on the Main button, select the Configuration > Scanning Profiles node and select the scanning profile where you wish to add the new vulnerability check.
    2. Click on the Vulnerabilities tab.
    3. From the middle pane, select the category in which the new vulnerability check will be included (for example, DNS Vulnerabilities).
    4. Click on the Add button. This will bring up the Add Vulnerability dialog box.
    5. Go through the General, Description and Reference tabs while specifying the basic details such as the vulnerability name, short description, security level and OVAL ID (if applicable).
    6. Choose the Conditions tab and click on the Add button. This will bring up the check properties wizard.
39. Screenshot 123: A list of patches to be downloaded. To initiate the download of selected patches and service packs, do as follows:
    - To download a specific patch or service pack, right-click on the respective patch file and select Download File.
    - To download all selected patches and service packs, right-click on any patch file and select Download all checked files.
    Identifying the download queue status
    Screenshot 124 Identifying
40. NOTE: Missing patch scanning and network audit operations are not performed through this profile.
    - Last Year's Vulnerabilities: Use this scanning profile to enumerate network vulnerabilities which emerged during the last 12 months. NOTE: Missing patch scanning and network audit operations are not performed by this profile.
    - Only Web: Use this scanning profile to identify web-server specific vulnerabilities. This includes scanning and enumerating open TCP ports which are most commonly used by web servers, such as port 80. NOTE: Only TCP ports commonly used by web servers are scanned by this profile. Network auditing operations, as well as enumeration of vulnerabilities and missing patches, are not performed using this profile.
    - Trojan Ports: Use this scanning profile to enumerate open TCP/UDP ports which are commonly exploited by known Trojans. The list of TCP/UDP ports to be scanned can be customized through the TCP Ports and UDP Ports tabs respectively. NOTE: Only the TCP/UDP ports commonly exploited by known Trojans are scanned by this profile. Network auditing operations, as well as enumeration of other open TCP/UDP ports and missing patches, are not performed by this profile.
    - Only SNMP: Use this scanning profile to perform network discovery and retrieve information regarding hardware devices (routers, switches, printers, etc.) that have SNMP enabled. This enables you to moni
41. In Scan result filter nodes you can define queries for filtering scan results which are generated after each scan from UI and service. In each filter you can specify parameters on what information you want to see. You can create and delete any filter node as well as customize any existing filter to your needs.
    Filtering the results
    The filters apply on the scan currently loaded in Security Scanner. To load an old scan from the database or an XML file: GFI LANguard N.S.S. > Security Scanner > Load saved scan results from > Database/XML.
    Let's say you have an XML scan result file for 1000 computers and you want to see only the results for Windows computers missing the MS03-041 (823182) patch:
    1. Create a new Filter node: GFI LANguard N.S.S. > Security Scanner > Scan Filters > New Scan Filter.
    2. In the properties window of the scan filter, add the following filtering conditions:
        a. Operating system is the operating system you are interested in.
        b. Patch MS03-041 (823182) is not installed.
    3. Confirm the filter properties by selecting OK. The results will be displayed in the filter results area.
    Example 2: You want to list all Sun stations running a
42. Screenshot 146: Status Monitor, Autodownload queue tab. To view the autodownload queue:
    1. Bring up the status monitor by right-clicking on the icon located in your Windows system tray and selecting Status.
    2. Click on the Autodownload queue tab.
    3. If required, trigger any one of the following operations:
        - To pause all downloads that are in progress, click Pause All.
        - To cancel a particular download that is in progress, click Cancel Selected downloads.
        - Change the priority of a download via the Set Priority selection box.
    15 Tools
    Introduction
    In this chapter you will discover how to use the default set of network tools that troubleshoot common network problems and assist you in the administration of your network. Use the Tools button to access the following list of default network tools:
    - DNS Lookup
    - Tracero
43. Screenshot 1: GFI LANguard N.S.S. management console. Launch the GFI LANguard N.S.S. management console from Start > Programs > GFI LANguard Network Security Scanner 8.0 > LANguard Network Security Scanner. Use this console to:
    - Launch network security scans and patch deployment sessions.
    - View saved and real-time security scan results.
    - Configure scan options, scan profiles and report filters.
    - Use specialized network security administration tools.
    GFI LANguard N.S.S. attendant service
    This background service runs all scheduled operations of GFI LANguard N.S.S., including scheduled network security scans and patch deployment operations.
    GFI LANguard N.S.S. pa
44. Screenshot 36: Shares node. Through the details provided in the Shares sub-node you can identify:
    1. Users sharing entire hard drives.
    2. Shares that have weak or incorrectly configured access permissions (e.g. shares that can be accessed without the need for authentication).
    3. Startup folders and similar system files that are accessible by unauthorized users, or through user accounts that don't have administrator privileges but are yet allowed to execute code on target computers.
    4. Unnecessary or unused shares.
    For every open share detected, GFI LANguard N.S.S. collects and enumerates the following information in the scan results:
    - Share name
    - Share remark (extra details on the share)
    - Folder which is being shared on the target computer
    - Share permissions and access rights
    - NTFS permissions and access rights
    Handling administrative shares
    Every Windows computer has administrative shares (C$, D$, E$, etc.) which GFI LANguard N.S.S. will by default enumerate during target computer scanning. As these can become irrelevant to your security audit, you can configure GFI LANguard N.S.S. not to report
45. USB device listed as a High Security Vulnerability. GFI LANguard N.S.S. can be configured to distinguish between authorized and unauthorized USB devices. For more information, refer to the "Compiling a list of unauthorized network devices" section in the Scanning Profiles chapter in this manual.
    Detailed scan results: Analyzing potential vulnerabilities
47. You can post any queries that you may have about GFI LANguard N.S.S. scripting on the GFI LANguard forums at http://forums.gfi.com. Through this forum you will be able to share scripts, problems and ideas with other GFI LANguard N.S.S. users.
    GFI LANguard N.S.S. SSH Module
    GFI LANguard N.S.S. includes an SSH module which handles the execution of vulnerability scripts on Linux/UNIX based systems. The SSH module determines the result of vulnerability checks through the console (text) data produced by an executed script. This means that you can create custom Linux/UNIX vulnerability checks using any scripting method that is supported by the target's Linux/UNIX OS and which outputs results to the console in text.
    Keywords
    The SSH module can run security scanning scripts through its terminal window. When a security scan is launched on Linux/UNIX based target computers, vulnerability checking scripts are copied through an SSH connection to the respective target computer and run locally. The SSH connection is established using the logon credentials (i.e. username and password/SSH Private Key file) specified prior to the start of a security scan. The SSH module can determine the status of a vulnerability check through specific keywords present in the text output of the executed script. These keywords are processed by the module a
48. a vulnerability check condition
    1. Click on the Add button.
    Screenshot 87: Check properties wizard
    2. Select the type of check to be configured and click Next.
    3. Define the object to examine and click Next.
    4. Set attributes/desired parameters and click Finish to finalize your settings.
    Screenshot 88: Edit vulnerability
    5. If more than one condition is set up, define conditional operators and click OK to finalize your configuration settings.
    Vulnerability checks advanced options
49. accounts.
    3. Click on the Retrieve button to start the process.
    16 Using GFI LANguard N.S.S. from the command line
    Introduction
    In this chapter you will discover how to use the two command line tools bundled with GFI LANguard N.S.S.: lnsscmd.exe and deploycmd.exe. These command line tools allow you to launch network vulnerability scans and patch deployment sessions without bringing up the GFI LANguard N.S.S. management console. They are configured through a set of command line switches; the complete list of supported switches, together with a description of the respective function, is provided below.
    Using lnsscmd.exe, the command line scanning tool
    The lnsscmd.exe command line target-scanning tool allows you to run vulnerability checks against network targets directly from the command line or through third-party applications, batch files and scripts. The lnsscmd.exe command line tool supports the following switches:
    lnsscmd <Target> [/profile=profileName] [/report=reportPath] [/output=pathToXmlFile] [/user=username /password=password] [/UseComputerProfiles] [/email=emailAddress] [/DontShowStatus]
    Switches:
    - Target: Specify the IP/range of IPs or host name(s) to be scanned.
    - Profile (Optional): Specify the scanning profile that will be used during a security scan. If this parameter is not specified, the scanning profile that is cur
50. and software settings, such as which drivers and applications will be automatically launched at system startup. The registry's prominent role within a Windows based system makes it a primary target for all hackers and malicious users. Just by gaining access to the registry settings, a crafty hacker could enable malicious software such as Trojans to automatically run at every program start up. This way he would be able to gain backdoor access to a system unnoticed.
51. any of the listed target computers and select Deploy Microsoft updates > Service packs on or Patches on > All computers.
Selecting which patches to deploy
[Screenshot 121: Patch Deployment options page]
After you have specified which target computers will be updated, GFI LANguard N.S.S. will automatically bring up the Patch Deployment options. These options are displayed in the right pane of the management console together with the
52. been disabled, making your network highly vulnerable to hacker and malware attacks. This trial version has expired. To extend your trial period to 30 days, click on Extend evaluation, or click Buy now to acquire unlimited network vulnerability scanning and patch management services.
[Screenshot 11: General licensing node]
When you obtain the 30 day evaluation key or the purchased licensed key, you can enter your license key without re-installing or re-configuring the product. To achieve this:
1. Launch the GFI LANguard N.S.S. management console.
2. Click on Configuration (upper left of the management console).
3. Select General > Licensing.
3 Navigating the management console
Introduction
The GFI LANguard N.S.S. management console offers a standardized common management interface through which you can configure the product as well as run network vulnerability scans, perform patch management tasks and collect system information from a single point of administration.
Navigating the GFI LANguard N.S.S. management console
53. by right-clicking on any of the enumerated computers and selecting Scan in background.
Deploying custom patches
You can use the Enumerate Computers tool to deploy custom patches and third party software on the enumerated computers. To launch a deployment process directly from this tool:
1. Select the computers that require deployment.
2. Right-click on any of the selected computers and select Deploy Custom Patches.
Enabling auditing policies
The Enumerate Computers tool also allows you to configure auditing policies on particular computers. This is done as follows:
1. Select the computers on which you want to enable auditing policies.
2. Right-click on any of the selected computers and select Enable Auditing Policies. This will launch the Auditing Policies configuration Wizard that will guide you through the configuration process.
For more information on how to remotely configure auditing policies on particular targets, refer to the Security Audit Policy settings section in the Getting started: Performing an audit chapter.
Enumerate users
54. check that uses a custom shell script
In GFI LANguard N.S.S. you can add vulnerability checks that use custom shell scripts to check Linux and UNIX based targets. These checks are remotely executed over SSH by the SSH module. Scripts can be written using any scripting language that outputs text results to the console. In the following example we will create a vulnerability check for Linux based targets which uses a script written in Bash. The vulnerability check in this example will test for the presence of a dummy file called test.file.
Step 1: Create the script
1. Launch your favorite text file editor.
2. Create a new script using the following code:
    #!/bin/bash
    # Report TRUE: when the dummy file exists, FALSE: otherwise.
    if [ -e test.file ]
    then
        echo "TRUE:"
    else
        echo "FALSE:"
    fi
    # End-of-script marker that the SSH module waits for.
    echo "!!SCRIPT_FINISHED!!"
3. Save the file in C:\Program Files\GFI\LANguard Network Security Scanner 8.0\Data\Scripts\myscript.sh
Step 2: Add the new vulnerability check
55. [Screenshot 106: List of unauthorized/blacklisted USB devices]
3. Click on the USB Devices sub-tab and do as follows:
- To create a USB device blacklist, specify which devices you want to classify as high security vulnerabilities in the space provided under "Create a high security vulnerability for USB devices whose name contains". For example, if you enter the word iPod, you will be notified through a high security vulnerability alert when a USB device whose name contains the word iPod is detected.
- To create a USB device whitelist, specify which USB devices you want to ignore during network vulnerability scanning in the space provided under "Ignore devices (Do not list/save to db) whose name contains".
NOTE: Include only one USB device name per line.
Configuring applications scanning options
Use the Applications tab to specify which installed applications will be investigated by this scanning profile during a target computer scan.
56. [Screenshot 145: Status Monitor: Scheduled deployments]
To view scheduled deployments in progress:
1. Bring up the status monitor by right-clicking on the icon located in your Windows system tray and select Status.
2. Click on the Scheduled deployments tab.
3. If required, trigger any one of the following operations:
- To cancel any scheduled deployment that is in progress, click Cancel selected deployment.
- To remove any finished deployment details, click Remove finished deployments.
Viewing the autodownload queue
57. details shown in this sub-node include:
- Computer: The IP Address of the host which was remotely connected to the scanned target computer.
- Username: The logged on username.
- Open files: The number of files accessed during the session.
- Connection time: The duration of the connection session, i.e. the time in seconds that the user(s) has been remotely connected to the scanned target computer.
- Idle Time: The total time in seconds during which the connection was inactive.
- Client type: The platform/operating system that the remotely logged on computer (i.e. client computer) is running.
- Transport: The name of the service that was used to initiate the remote connection between the client computer and the target computer (for example NetBios, Smb).
NOTE: The information enumerated in this sub-node also includes the remote connection details of the scanning session just performed by GFI LANguard N.S.S., i.e. the IP of the computer that is running GFI LANguard N.S.S., the logon credentials, etc.
Detailed scan results: Analyzing remote time of day
Click on the Remote TOD (time of the day) sub-node to view the network time that was read from the target computer during the scan. This time is generally set on network computers by the respective domain controller.
Detail
58. devices
- USB devices
- Password policy
- Security audit policy
- Registry
- Open TCP ports
- Open UDP ports
- System patching status
- NETBIOS names
- Computer
- Groups
- Users
- Logged on users
- Sessions
- Services
- Processes
- Local drives
- Remote time of day (TOD)
To view the scan results data retrieved during a security scan, click on the category of interest. The information is shown in the Scan Results (right) pane.
Detailed scan results: Analyzing Vulnerabilities
59. [Screenshot 44: List of running processes enumerated during a target scan]
During security scanning, GFI LANguard N.S.S. harvests various information on active processes, including: Process name, Process ID (PI
60. from the command line prompt, through third party applications, as well as through custom scripts and batch files.
GFI LANguard N.S.S. components
GFI LANguard N.S.S. is built on an architecture that allows for high reliability and scalability that caters for both medium to larger sized networks. GFI LANguard N.S.S. consists of five main components, which are:
- GFI LANguard N.S.S. management console
- GFI LANguard N.S.S. attendant service
- GFI LANguard N.S.S. status monitor
- GFI LANguard N.S.S. patch agent service
- GFI LANguard N.S.S. script debugger
GFI LANguard N.S.S. management console
61. function that will overwrite the default description of a vulnerability check with a new description. This string is formatted as follows: SetDescription New description
- !!SCRIPT_FINISHED!!: This string marks the end of every script execution. The SSH module will keep looking for this string until it is found or until a timeout occurs. If a timeout occurs before the !!SCRIPT_FINISHED!! string is generated, the SSH module will classify the respective vulnerability check as failed.
IMPORTANT NOTE: It is imperative that every custom script outputs the !!SCRIPT_FINISHED!! string at the very end of its checking process.
Adding a vulnerability check that uses a custom VB (.vbs) script
Use the script editor that ships with GFI LANguard N.S.S. to create custom scripts that can be run against your network targets to identify specific vulnerabilities. To create new vulnerability checks that use custom VBScripts, you must do as follows:
- Step 1: Create the script
- Step 2: Add the new vulnerability check
The following are examples of how this is done.
Step 1: Create the script
1. Launch the Script Debugger from Start > Programs > GFI LANguard Network Security Scanner 8.0 > GFI LANguard N.S.S. Script Debugger.
2. Go to File > New.
3. Create a script. For this example use the following dummy script cod
62. [Screenshot 17: Selecting scan range]
4. Select one of the following scan target types and click Next:
- Scan single computer: Select this option to scan a single computer.
- Scan range of Computers: Select this option to scan a specific range of computers.
- Scan list of Computers: Select this option to scan a custom list of computers.
- Scan a Domain: Select this option to scan an entire Windows domain.
[Screenshot 18: New Scan range options dialogs]
5. Specify scan target details (i.e. host name, IP, range of IPs or domain name) and click Next.
NOTE: When configuring IP ranges, GFI LANguard N.S.S. 8.0 also allows you to specify which IPs must be excluded from this range. For more information on this feature, please refer to the Configuring scan ranges section in this document.
63. [Screenshot 73: List of Parameter Files]
During vulnerability scanning, GFI LANguard N.S.S. extracts parameters from a number of text files known as Parameter Files. These parameter files can be modified in order to improve the performance of GFI LANguard N.S.S. 8.
NOTE: Only advanced users should modify these files. If these files are modified in an incorrect way, they will affect the functionality and reliability of the GFI LANguard N.S.S. target discovery process.
The following is a list of the parameter files that can be accessed and modified through the Configuration > Settings > Parameter Files sub-node:
- Enterprise_numbers.txt: This file contains a list of the OIDs (Object Identifiers) and the associated enterprise (vendor/university) relation codes. During target scanning, GFI LANguard N.S.S. will first query the object_ids.txt file for information on the discovered network device. If this information is not available, GFI LANguard N.S.S. will then reference the Enterprise_numbers.txt file and will attempt to identify the product manufacturer through the vendor specific information retrieved from the target device. The vendor information is based o
64. include the download URL and the destination path of the downloaded patch file. To change the deployment and download settings of a missing patch:
1. Right-click on the particular patch file and select Properties. This will bring up the patch file properties dialog.
2. Make the required changes and click OK to finalize your settings.
Deploy downloaded patches on selected targets
[Screenshot 127: Patch deployment options]
After the required patch files have been downloaded, you can proceed with the deployment of these files on the r
65. including missing patches.
[Screenshot 16: Choose the scanning profile]
3. Select the required scanning profile and click Next.
NOTE: For a detailed description of what each individual scanning profile does, please refer to the Scanning profile description section in the Scanning Profiles chapter in this document.
66. maintain your database backend and delete saved scan results that are no longer required. Deletion of non-required saved scan results can be achieved manually as well as automatically through scheduled database maintenance. During scheduled database maintenance, GFI LANguard N.S.S. automatically deletes saved scan results that are older than a specific number of days, weeks or months. You can also configure automated database maintenance to retain only a specific number of recent scan results for every scan target and scan profile.
NOTE: Scan results marked as read only will not be removed by the database results cleanup operations.
[Screenshot 76: Database maintenance proper
67. more network computers. In addition to the network vulnerability level, GFI LANguard N.S.S. 8 also provides guidelines on how to resolve the weaknesses discovered during vulnerability scanning.
The vulnerability level per session is an average of the individual vulnerability levels of the computers that were scanned in this session. Browse through the information retrieved by the security scanner to find out more details. You should address all vulnerabilities as soon as possible. Once vulnerabilities are addressed, scan the targets again to check the updated Vulnerability Level.
Notes: The Vulnerability Level depends on the scanning profile used to perform the scan. Setting bulletins and vulnerabilities to be skipped when scanning may result in reporting a lower Vulnerability Level than it actually is.
68. on various Microsoft products. For a complete list of supported products visit http://kbase.gfi.com/showarticle.asp?id=KBID001820
Details listed under the results tree of the Missing Service Packs category include the:
- Product name and Service Pack Number
- URL: The URL link to support articles related to the missing service pack.
- Release date: The date when the reported service pack was released.
Bulletin information
To access bulletin information, right-click on the respective service pack and select More details > Bulletin Info.
[Screenshot 31: Missing Service pack: Bulletin info dialog]
This will bring up the Bulletin Info dial
69. out and infect entire systems through open shares that are available on network computers.
Handling open shares
GFI LANguard N.S.S. 8 is able to identify open shares present on network computers and enumerate them in the scan results for your attention and analysis. To access the list of open shares discovered on a target computer, click on the Shares sub-node.
70. patching status
Detailed scan results: Analyzing NETBIOS names
Detailed scan results: Analyzing scanned target computer details
Detailed scan results: Analyzing sessions
Detailed scan results: Analyzing remote time of day
Detailed scan results: Analyzing local drives
Displaying and sorting scan categories
6 Saving and loading scan results
    Introduction
    Saving scan results to an external XML file
    Loading saved scan results
        Loading saved scans from database backend
        Loading saved scan results from an XML file
7 Filtering scan results
    Introduction
    Running a filter on a scan
    Creating a custom scan filter
71. Microsoft SQL Server Audit
16 Using GFI LANguard N.S.S. from the command line
    Introduction
    Using lnsscmd.exe, the command line scanning tool
    Using deploycmd.exe, the command line patch deployment tool
17 Adding vulnerability checks via custom conditions or scripts
    Introduction
    GFI LANguard N.S.S. VBscript language
    GFI LANguard N.S.S. SSH Module
    Keywords
    Adding a vulnerability check that uses a custom VB (.vbs) script
        Step 1: Create the script
        Step 2: Add the new vulnerability check
    Adding a vulnerability check that uses a custom shell script
        Step 1: Create the script
        Step 2: Add the new vulnerability check
    Adding a CGI vulnerability check
18 Miscellaneous
72. scan, use the Full Scan option.
About authentication credentials
When performing a security scan, GFI LANguard N.S.S. must authenticate to the target computer(s) in order to execute the vulnerability checks and retrieve system information. To achieve this, GFI LANguard N.S.S. must physically log on to the target computer(s) with administrative rights, i.e. using a local administrator account, domain administrator, enterprise administrator account or any other account that has administrative privileges over the target computer(s). Different systems often require different authentication methods. For example, to scan Linux systems you are often required to provide a private key file instead of the conventional password string.
NOTE 1: For more information about authentication methods, refer to the Computer Profiles section in the Configuring GFI LANguard N.S.S. chapter.
NOTE 2: For more information about Public Key authentication, refer to the About SSH Private Key file authentication section in the Configuring GFI LANguard N.S.S. chapter.
About the scanning process
The target computer scanning process has three distinct stages:
Stage 1: Determine availability of target computer. During this stage, GFI LANguard N.S.S. will determine whether a target computer is available for vulnerability scanning. This is achieved thro
73. script
Adding a CGI vulnerability check
When creating new CGI vulnerability checks, you do not need to create a VB or SSH script. In fact, the scanning functionality of CGI checks is configurable through the options included in the check properties dialog.
74. settings
An important part of any security plan is the ability to monitor and audit events happening on your network. These event logs are frequently referenced in order to identify security holes or breaches. Identifying attempts and preventing them from becoming successful breaches of your system security is critical. In Windows, you can use Group Policies to set up an audit policy that can track user activities or system events in specific logs. In order to help you keep track of your system's auditing policy, GFI LANguard N.S.S. collects the security audit policy settings from scanned target computers and includes them in the scan results. This information is accessed by clicking on the Security Audit Policy sub-node.
NOTE: GFI recommends that you set up the audit policy settings of your network computers as follows:
    Auditing Policy       Success   Failure
    Account management    Yes       Yes
    Object access
    System events         Yes       Yes
Apart from gaining knowledge on the current audit policy settings, you can also use GFI LANguard N.S.S. 8 to access and modify the audit policy settings of your target computers. To achieve this:
1. From the Scanned Computers (middle) pane, right-click on the respective target computer and select:
- Enable auditing on > This computer, to configure the audit policy settings of that particular computer
75. the Configuration button and expand the Configuration > Scanning Profiles sub-node. 2. Select the scanning profile that you wish to customize and, from the right pane, click on the Patches tab. 3. Select the Detect installed and missing service packs/patches option. NOTE: Missing patch scanning parameters are configurable on a scan profile by scan profile basis. Make sure to enable missing patch scanning in all profiles where missing patch scanning is required. Customizing the list of software patches to be scanned: To specify which missing security updates will be enumerated and processed by a scanning profile: 1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node. 2. Select the scanning profile that you wish to customize and, from the right pane, click on the Patches tab.
76. through the OVAL Community Forum. An OVAL Board, consisting of representatives from a broad spectrum of industry, academia and government organizations from around the world, oversees and approves the OVAL Language and monitors the posting of the definitions hosted on the OVAL Web site. This means that the OVAL, which is funded by US-CERT at the U.S. Department of Homeland Security for the benefit of the community, reflects the insights and combined expertise of the broadest possible collection of security and system administration professionals worldwide. GFI LANguard N.S.S. OVAL Support: GFI LANguard N.S.S. supports all checks defined in the XML file issued by OVAL, with the exception of HP-UX checks. GFI LANguard N.S.S. does not support HP-UX based machines, and therefore it is beyond the scope of this product to include these checks within its check definition database. About OVAL Compatibility: OVAL Compatibility is a program established to develop consistency within the security community regarding the use and implementation of OVAL. The main goal of the compatibility program is to create a set of guidelines that will help enforce a standard implementation. An offshoot of this is that users are able to distinguish between, and have confidence in, compatible products, knowing that the implementation of OVAL coincides with the standard set forth. For a product or service to gain official OVAL Compatibility, it must adhere to the Requirem
77. to close the dialog. Screenshot 169: Configuring the minimum number of characters in a password. 15. From the right pane, double-click on the Minimum password length policy. Then select the Define this policy setting option and set the value of the Password must be at least entry field to 8. 16. Click on the OK button to close the dialog. Screenshot 170: Enforcing password complexity. 17. From the right pane, double-click on the Password must meet complexity requirements policy. Then enable the Define this policy setting in the template option and select Enabled. 18. Click on the OK button to close the dialog. 19. At this stage, the password policy settings of the new GPO have been configured. Close all dialogs and exit the Active Directory Users and Computers configuration dialog. Viewing the Password Policy Settings of an Active Directory Based Domain: NOTE: You must be logged on as a member of the Domain Admin group. Use the following procedure to verify that the appropriate password policy settings are applied and effectiv
78. using currently logged on user credentials. You can trigger network vulnerability scans directly from the toolbar without having to perform major configurations, as well as without bringing up the new scan wizard. To achieve this: Screenshot 20: GFI LANguard N.S.S. new scan toolbar. 1. From the credentials drop-down list provided in the toolbar, select the Currently logged on user option. Screenshot 21: GFI LANguard N.S.S. target details toolbar. 2. In the Scan Target drop-down, specify the targets to be scanned using these credentials, for example TMJason 130.12.1.20 130.12.1.30 etc. 3. From the Profile drop-down, select the scanning profile to be used for this network vulnerability scan. 4. Click on Scan to initiate the scanning process. Quick start scans using alternative logon credentials: To run a network security audit using alternative logon credentials
79. Screenshot 54: Scan filter nodes. GFI LANguard N.S.S. 8 provides you with a default set of scan results filters. Using them, you can sift out trivial information and display only the relevant information. In this chapter you will discover how to apply scan result filters and display only the information that you want to analyze. About default scan results filters: The following is a brief description of the scan results filters which are included with GFI LANguard N.S.S. 8: • Full report: Use this scan results filter to display all the information that was collected during a network vulnerability scan, including system information, outdated anti-virus signatures and missing security updates. • Vulnerabilities high security: Use this default scan filter to display only severe vulnerabilities, such as missing critical security patches and service packs. • Vulnerabilities medium security: Use this default scan filter to display only moderate severity vulnerabilities which may need to be addressed by the administrator, such as average threats and medium vulnerability patches. • Vulnerabilities All: Use this default scan filter to display all Critical, High and Medium severity vulnerabilities discovered during a ne
80. Screenshot 149: Whois tool. Click on the Tools button and select the Tools > Whois Client tool to look up information on a particular domain or IP address. Select the Whois Server that will look for your information from the options area on the right of the management console, or leave as default to let the tool automatically select a domain server for you. To look for information on a particular domain or IP address, specify the domain, IP or hostname in the Query drop-down and click on the Retrieve button. Enumerate computers
81. Screenshot 160: Creating a CGI vulnerability check. To create a new CGI vulnerability check: 1. Click on the Configuration button and select the Configuration > Scanning Profiles > Only Web node. 2. Click on the Vulnerabilities tab. 3. From the middle pane, select the Web node. 4. Click on the Add bu
82. 1 Introduction. Introduction to GFI LANguard Network Security Scanner: GFI LANguard Network Security Scanner (N.S.S.) is a security scanning, network auditing and patch deployment tool which enables you to scan and protect your network by: • Identifying system and network weaknesses using a state of the art vulnerability check data
83. Database Maintenance Options; DNS Lookup; Enumerate Computers; Enumerate Users; groups; installation; License; licensing; Logged on Users; Microsoft SQL Server Audit; NetBIOS; network devices; network tools; Open Ports; Operating System; OS data; OVAL; Parameter files; Password Policy; Patch Autodownload; patch deployment; Patch management; Patch rollback; Physical devices; program updates; Registry; Remote Processes; results comparison; results comparison tool; scan categories; scan results; Scanning Profiles; scanning threads; Scheduled Scans; Script Debugger; script editor; Security Audit Policy; services; Shares; SNMP Audit; SNMP Walk; SSH; SSH Private Key
84. More information: The vulnerability level is calculated based on the count and severity of the vulnerabilities and missing patches detected on the system. High vulnerability level means that the system has vulnerabilities or missing patches whose severity is high. Browse through the information retrieved by the security scanner to find out more details. You should address all vulnerabilities as soon as possible. Notes: Once vulnerabilities are addressed, scan the targets again to check the updated Vulnerability Level. The Vulnerability Level depends on the scanning profile used to perform the scan. Setting bulletins and vulnerabilities to be skipped when scanning may result in reporting a lower Vulnerability Level than it actually is. Screenshot 27: Results Pane. The information included in the results pane includes: A graphical measurement based on a weighted sum of the vulnerabilities detected in the last scan. The top 5 issues to address in order to fix the vulnerabilities discovered during the scan for that specific computer. Click on any of the listed issues to access the respective bu
85. Screenshot 108: List of supported anti-virus and anti-spyware applications. By default, GFI LANguard N.S.S. also supports integration with particular security applications. These include variou
86. Bring up the status monitor by right-clicking on the icon located in your Windows system tray and selecting Status. 2. Click on the Active scheduled scans tab. 3. If required, trigger any one of the following operations: • To cancel any scheduled scan that is in progress, click Stop Selected Scans. • To remove any finished scan details, click Remove finished scans. NOTE: From the Active Scheduled Scans tab you can only view and cancel scheduled scans that are in progress. To view or cancel scheduled scans that have not yet started, launch the GFI LANguard N.S.S. management console and go to Configuration > Scheduled Scans. Viewing the progress of scheduled deployments: Scheduled deployments are patch or service pack deployments that have been set up to trigger at a later date/time combination. Through this feature you can set up GFI LANguard N.S.S. to deploy missing patches and service packs during times of the day when users are not using their computers, so that users are not interrupted when computers need to restart to complete an update. Through the Scheduled deployments tab available with the GFI LANguard N.S.S. status monitor, you can monitor these scheduled patch or service pack deployments and cancel deployments or remove finished deployments.
87. Computer Profiles sub-node. 2. Select one or more profiles to be enabled/disabled. 3. Right-click on these profiles and select enable/disable accordingly. Using computer profiles in a scan
88. D, Path, User, PPID, Domain, Command Line, Handle Count, Thread Count, Priority. Detailed scan results: Analyzing installed applications
89. Screenshot 153: SNMP Walk. Use the Tools > SNMP Walk tool to probe your network nodes and retrieve SNMP information, for example OIDs. To start an SNMP scan on a target: 1. Click on the Tools button and select the Tools > SNMP Walk node. 2. Specify the IP address of the computer that you wish to scan for SNMP information. 3. Click on the Retrieve button to start the process. NOTE 1: SNMP activity is often blocked at the router/firewall so that Internet users cannot SNMP scan your network. NOTE 2: It is possible to provide alternative community strings. NOTE 3: The information enumerated through SN
91. IT infrastructure. The Guest account, for example, is just one example of commonly exploited accounts, the reason being that more often than not this account is left configured within a system and, even worse, without changing the default password settings. Malicious users have developed applications which can automatically re-enable the Guest account and grant it administrative rights, empowering users to gain access to sensitive areas of the corporate IT infrastructure. GFI LANguard N.S.S. collects information on all user accounts and user groups currently enabled on scanned targets. This information is organized in the scan results under 2 separate nodes. To access the list of user accounts identified on a target computer, click on the Users sub-node. Use the information enumerated in this sub-node to inspect the access privileges assigned to each user account. To gain access to the list of user groups configured on a target computer, click on the Groups sub-node. NOTE: Users should not use local accounts to log on to a network computer. For better security, users should log on to network computers using a Domain or an Active Directory account. Detailed scan results: Analyzing logged on users. Click on the Logged on Users sub-node to access the list of users that are logged on to the scanned target computer
92. Screenshot 6: Choose database backend. 6. Select the database backend to use when storing network audit results and click Next. NOTE: We recommend the use of Microsoft SQL Server Express or higher. Screenshot 7: Specify SQL Server details. 7. If Microsoft SQL Server is selected, specify SQL server details and au
94. MP can be used by malicious users to attack your system. Unless this service is required, it is highly recommended that SNMP is turned off. Microsoft SQL Server Audit: Click on the Tools button and select the Tools > Microsoft SQL Server Audit tool to perform a security audit on a particular Microsoft SQL server installation. This tool allows you to test the password vulnerability of the sa account (i.e. root administrator) and any other SQL user accounts configured on the SQL Server. During the audit process, this tool will perform dictionary attacks on the SQL server accounts using the credentials specified in the passwords.txt dictionary file. However, you can also direct the SQL Server Audit tool to use other dictionary files. You can also customize your dictionary file by adding new passwords to the default list. To perform an SQL Server Audit: 1. Click on the Tools button and select the Tools > SQL Server Audit node. 2. Specify the IP address of the SQL server that you wish to audit. NOTE: By default, this tool will check the vulnerability of the administrator sa account. If you want to perform dictionary attacks on all the other SQL user accounts, select the Audit all SQL user accounts option and specify the SQL Server logon credentials. These credentials are required to authenticate to the SQL server when retrieving the respective list of user
95. Screenshot 171: Verifying the GPO settings. The password policy configuration settings are displayed in the right pane of the GPO editor. Assuming that you have configured the password policy of your GPO as shown in the above screenshot, you should verify that users cannot specify passwords that are shorter than eight characters. These password policy settings should also prevent users from creating non-complex passwords and should not allow users to change passwords that are not older than two days. 19 Troubleshooting. Introduction: This chapter explains how you should go about resolving issues you have. The main sources of information available to users are: • The manual: most issues can be solved by reading the manual. • The GFI Knowledge Base, accessible from the GFI website. • The GFI support site. • Contacting the GFI support department by email at support@gfi.com. • Contacting the GFI support department us
96. OS family, OS version, Product, Timestamp and Severity. • Conditions: Use this tab to configure the operational parameters of this vulnerability check. These parameters will define whether a vulnerability check is successful or not. For information on how to configure vulnerability check conditions, refer to the Vulnerability check conditions setup section in this chapter. • Description: Use this tab to customize the vulnerability check description. • References: Use this tab to customize references and links which lead to relevant information in the OVAL, CVE, MS Security, Security Focus and SANS TOP 20 reports. 3. Click on OK to save your settings. Vulnerability check conditions setup: The Conditions tab enables you to add or customize conditions which define whether the computer(s) or network(s) being scanned are vulnerable or not. It is therefore of paramount importance that any custom checks defined in this section are set up by qualified personnel that are aware of the ramifications of their actions. Screenshot 86: Vulnerability conditions setup tab. To add
97. Remind me in X Minutes: Select this option to generate a reboot reminder at specific time intervals in minutes. • Restart on date at time: Select this option to automatically reboot the target computer on a specific day and at a time. • Don't bother me again: Select this option to abort remote rebooting. • Shutdown the target computer(s): Select this option to shut down target computers after completion of the deployment process. • Delete copied files on the remote computers after deployment: Select this option to delete the source installation file from target computer(s) on successful deployment. • Computer filters: Click on the Computer filters button to configure particular target filtering conditions, such as deploy only on targets running Windows XP. Configuring advanced deployment options
98. Screenshot 74: The database maintenance properties dialog. GFI LANguard N.S.S. 8 supports both MS Access and MS SQL Server 2000 or higher based database backends. Storing scan results in an MS Access database backend: To store scan results in a Microsoft Access database: 1. Click on the Configuration button and expand the Configuration > Settings sub-node. 2. Right-click the Database Maintenance Options sub-node and select Properties. 3. Select the MS Access option and specify the full path (including the file name) of your Microsoft Access database backend. NOTE 1: If the specified database file does not exist, it will be created for you. NOTE 2: If the specified database file already exists and belongs to a previous version of GFI LANguard N.S.S., you will be asked whether you want to overwrite the existing information. 4. Click OK to finalize your settings. Storing scan results in an MS SQL Server database
99. Screenshot 130: Monitoring the patch rollback process
    12 Patch management: Deploying custom software
    Introduction
    In addition to Microsoft security updates (i.e. patches, etc.), the versatile deployment engine that ships with GFI LANguard N.S.S. 8 also allows you to remotely deploy third-party or custom software network-wide. Software that can be remotely deployed via this engine includes:
    • Security applications such as complete anti-virus/anti-spyware solutions, software firewalls, etc.
    • Third-party software updates and patches such as anti-virus/anti-spyware signature file updates.
    • Custom code such as scripts and batch files.
    • Desktop applications such as MS Office 2007 and more.
    In this chapter you will learn how to:
    • Specify which software must be deployed.
    • Specify on which target computers the software will be deployed.
    • Configure file deployment preferences.
    • Start the deployment process and monitor its progress.
    Enumerating the software to be deployed
100. The information enumerated by this tool includes the domain or workgroup name, the list of domain/workgroup computers, the OS installed on the discovered computers, and any additional details that might be collected through NetBIOS. Computers can be enumerated using one of the following methods:
    • From the Active Directory: This method is much faster and will include computers that are currently switched off.
    • Using the Windows Explorer interface: This method enumerates computers through a real-time network scan and therefore it is slower and will not include computers that are switched off.
    Use the Information Source tab provided in the Enumerate Computers tool to configure your preferred method of computer discovery.
    NOTE: For an Active Directory scan, you will need to run the tool (i.e. GFI LANguard N.S.S.) under an account that has access rights to the Active Directory.
    Starting a security scan
    The Enumerate Computers tool scans your entire network and identifies domains and workgroups as well as their respective computers. After enumerating the computers in a domain or workgroup, you can use this tool to launch a security scan on the listed computers. To start a security scan directly from the Enumerate Computers tool, right-click on any of the enumerated computers and select Scan. You can also launch a security scan and at the same time continue using the Enumerate Computers tool. This is achieved
101. Screenshot 29: The Vulnerabilities node
    Click on the Vulnerabilities sub-node to view the security vulnerabilities identified on the target computer. Discovered vulnerabilities are grouped by type and severity into five main categories:
    • Missing service packs
    • Missing patches
    • High security vulnerabilities
    • Medium security vulnerabilities
    • Low security vulnerabilities
    Vulnerabilities > Missing service packs
    A Service Pack (SP) is a software program that corrects a set of known bugs or adds new features to operating systems and applications. GFI LANguard N.S.S. checks for missing Microsoft software updates by comparing the version of the service packs currently installed on the scanned target(s) with the ones made currently available by the Microsoft Corporation.
    Screenshot 30: Missing Service Packs results tree
    NOTE: GFI LANguard N.S.S. can identify missing patches and service packs
102. Use this scanning profile to enumerate only missing Microsoft patches that were released last month. The list of missing patches that will be enumerated by this profile can be customized through the Patches tab. NOTE: No network audit operations or vulnerability checks other than those related to missing Microsoft patches released last month are performed by this profile.
    • Only Service Packs: Use this scanning profile to enumerate missing Microsoft service packs. The list of service packs that will be enumerated by this profile can be customized through the Patches tab. NOTE: No network audit operations or vulnerability checks other than those related to missing Microsoft service packs are performed by this profile.
    • Port Scanner: Use this scanning profile to enumerate open TCP/UDP ports, including those most commonly exploited by Trojans. The list of ports that will be enumerated by this profile can be customized through the TCP/UDP ports tab. NOTE: No network audit operations or vulnerability checks other than open port scanning are performed by this profile.
    • USB Devices: Use this scanning profile to audit your network and enumerate all USB devices currently connected to your network computers. NOTE 1: No vulnerability checks are performed by this profile. You can customize this profile to enumerate only unauthorized/blacklisted USB devices or vice versa.
    • So
103. Screenshot 107: The applications configuration page
    Through this tab you can also configure GFI LANguard N.S.S. to detect and report unauthorized or hot software installed on scanned targets, and to generate high security vulnerability alerts whenever such software is discovered.
    Scanning installed applications
104. Checking the version of current installed updates
    Downloading Microsoft product updates in different languages
    Starting program updates manually
    Check for software updates at program startup
    Configure which updates to check on program startup
    11 Patch management: Deploying Microsoft Updates
    Introduction
    Selecting target computers for patch deployment
    To deploy missing updates on one computer
    Deploying missing updates on a range of computers
    Deploying missing updates on all computers
    Selecting which patches to deploy
    Sorting the list of pending software updates
    Download patches and service pack files
    Identifying the download queue status
105. Screenshot 91: Scanning Profiles properties, Patches tab options
    Use the Patches tab to specify which security updates will be checked during vulnerability scanning. The patches to be checked are selected from the complete list of supported software updates that is included by default in this tab. This list is automatically updated whenever GFI releases a new missing patch definition file update for GFI LANguard N.S.S.
    Enabling/disabling missing patch detection checks
    To enable missing patch detection checks in a particular scanning profile:
    1. Select
106. This scan profile tells the scan engine to perform a full scan (port detection, vulnerability checks, patch management and network audit operations). This profile configures appropriate timeouts which are tailored for LAN environments.
    Full Scan (Slow Networks): This scan profile tells the scan engine to perform a full scan (port detection, vulnerability checks, patch management and network audit operations). This profile configures appropriate timeouts which are tailored for slower network environments such as WAN.
    Vulnerabilities: This scan profile tells the scan engine to check targets for open vulnerabilities as configured in the Vulnerabilities tab. No patch management or network audit operations will be performed.
    Screenshot 79: The Scanning Profiles node
    Scanning profiles in action
    Example 1: Using the Vulnerabilities & Patches profile to scan your local host
    1. Click on the New Scan button.
    2. Select the Complete/Combination Scans option and click on the Next button to proceed.
    3. Select the Vulnerabilities and Patc
107. al physical network devices connected, USB devices connected, installed applications and more. NOTE: No vulnerability checks or missing patch detection are performed using this scanning profile.
    • Full Scan: Use this scanning profile to retrieve system information as well as scan your network for all supported vulnerabilities, including open TCP/UDP ports, missing patches and service packs, USB devices connected and more. The vulnerability check timeouts in this profile are specifically preconfigured to suit the network traffic and transmission delays usually associated with LAN environments.
    • Full Scan (Slow Networks): Use this scanning profile to retrieve system information as well as scan your network for all supported vulnerabilities, including open TCP/UDP ports, missing patches and service packs, USB devices connected and more. The vulnerability check timeouts in this profile are specifically preconfigured to suit the network traffic and transmission delays usually associated with WAN environments.
    Which scanning profile shall I use?
    Select the scanning profile to be used for network vulnerability scanning based on:
    1. The scope of your vulnerability analysis, i.e. what you want to achieve out of your vulnerability scan. Based on these factors you can determine the type of vulnerability checks to be performed and the information that you want to retrieve from your scan targets.
    2. Time you have at your disposal for target
108. al parameters of the security scanning engine. These parameters are configurable on a scan profile by scan profile basis and define how the scanning engine will perform target discovery and OS Data querying.
109. Screenshot 152: SNMP Audit tool
    Click on the Tools button and select the Tools > SNMP Audit tool to perform SNMP audits on network targets and identify weak community strings. This tool identifies and reports weak SNMP community strings by performing a dictionary attack using the values stored in its default dictionary file (snmp-pass.txt). You can add new community strings to the default dictionary file by using a text editor (for example, notepad.exe). You can also direct the SNMP Audit tool to use other dictionary files. To achieve this, specify the path to the dictionary file that you want to use from the tool options at the right of the management console.
    To perform an SNMP Audit:
    1. Click on the Tools button and select the Tools > SNMP Audit node.
    2. Specify the IP address of the computer that you wish to audit.
    3. Click on the Retrieve button to start the process.
    SNMP Walk
110. Screenshot 131: Selecting the software to deploy
    To specify which software needs to be deployed:
    1. From the left pane of the management console, click on the Main button and expand the Patch Deployment node.
    2. Click the Deploy Custom Software node and, from the Software area in the right pane (see image above), click Add.
    Screenshot 132: Specifying the software to deploy
    3. Specify the complete path to the file/software to be deployed.
    4. Specify any command line parame
111. Screenshot 78: Database Maintenance properties, Advanced tab
    To compact and repair a Microsoft Access based database backend:
    1. Click on the Configuration button and expand the Configuration > Settings sub-node.
    2. Right-click the Database Maintenance Options sub-node and select Properties.
    3. Click the Advanced tab.
    4. To manually launch a repair and compact process on an MS Access database backend, click on the Compact Now button.
    5. To automate the repair and compact process on an MS Access database backend, select one of the following options:
    • One time only: Select this option to schedule a one-time MS Access database repair and compact.
    • Every: Select this option to execute a repair and compact process on a regular schedule. Specify the date, time and frequency in days, weeks or months at which the compact and repair operations will be executed on your database backend.
    9 Scanning Profiles
    Introduction
    A typical IT infrastructure is constantly under attack from various attack vectors. GFI LANguard N.S.S. 8 allows you to scan your IT infrastructure for particular vulnerabilities using pre-configured sets of vulnerability checks known as scanning profiles. A scanning profile allows you to scan your network targets and enume
112. different logon credentials and authentication methods in the same single session. For example, you can run vulnerability checks on Windows targets (which require username/password credential strings) and Linux-based targets (which require username/SSH private key files) in a single scanning session.
    About SSH private key authentication
    GFI LANguard N.S.S. connects to Linux-based target computers through SSH connections. In public key cryptography, two keys (in the form of text files) are used to verify the authenticity of an SSH connection request. These keys are identified as the SSH private key and the SSH public key. The SSH key pair (i.e. public and private keys) is manually generated using a third-party tool such as SSH KeyGen (generally included by default in the Linux SSH package). The SSH private key is the half of the key pair that the scanning engine will use to authenticate to a remote Linux-based target. This means that the SSH private key is used instead of the conventional password string and hence must be stored on the computer which is running GFI LANguard N.S.S. The SSH public key is the part which the remote target computer will use to challenge the authentication of GFI LANguard N.S.S. and is stored on the remote target computer(s).
    Creating a new computer profile
113. as a result of having a rootkit installed on the scanned network device(s). The details shown in this category include links to supporting documentation as well as a short description of the vulnerability.
    Reporting unauthorized devices as high security vulnerabilities
    Screenshot 34: Dangerous
114. atically generate a results comparison report.
    • Analyze the results in the comparison report.
    Configuring what scan results changes will be reported
    The result comparison tool can report various information discovered during the comparison of two saved scan results. To configure what changes will be included in a comparison report:
    1. Select the Main button and click on the Security Scanner > Result comparison node.
    Use the result comparison tool to detect any changes which happened within two separate scans. The data source for the scans can be both saved scan results inside the database or saved scan results in XML f
115. ations are not enumerated by this profile. NOTE 2: This profile will scan for all vulnerabilities. This includes vulnerabilities which have an associated Microsoft patch to them and which are considered to be missing patches.
    • Vulnerabilities: Use this scanning profile to enumerate all network vulnerabilities except missing patches and service packs. This includes open TCP/UDP ports commonly exploited by Trojans. The list of vulnerabilities enumerated by this profile can be customized through the Vulnerabilities tab. NOTE 1: Missing patch scanning and network audit operations are not performed through this profile. NOTE 2: All vulnerabilities (including OVAL vulnerabilities) which have a Microsoft-issued patch associated with them will not be scanned for if this profile is selected. These vulnerabilities are considered to be missing patches and are scanned in profiles that include missing patch detection.
    • SANS Top 20 Vulnerabilities: Use this scanning profile to enumerate all vulnerabilities reported in the SANS top 20 list. NOTE: Missing patch scanning and network audit operations are not performed through this profile.
    • High Security Vulnerabilities: Use this scanning profile to enumerate open TCP/UDP ports and high security vulnerabilities. The list of TCP/UDP ports and high security vulnerabilities that will be enumerated by this profile can be customized through the TCP/UDP Ports tabs and the Vulnerabilities tab respectively.
116. Screenshot 38: Registry node
    GFI LANguard N.S.S. helps you identify foul play in your registry by collecting the registry settings from all scanned computers and making them available for you to analyze from a centralized location. To access the registry settings collected during a scan, click on the Registry sub-node. For example, by examining the values in the Run folder (which is included by default in the scan results) you can identify which programs are set to automatically run at system startup. This way you can identify any type of software that is automatically run without your express instruction.
    Detailed scan results: Analyzing security audit policy
117. base based on OVAL and SANS Top 20 vulnerability database.
    • Auditing of all hardware and software aspects of system installations on your network, allowing you to create a detailed inventory of assets present on your IT infrastructure. This goes as far as enumerating installed applications as well as USB devices connected on your network. Further to this, GFI LANguard N.S.S. also checks whether your anti-virus and anti-spyware protection is enabled by analyzing the configuration settings of such software.
    • Enabling you to automatically download and remotely install service packs and patches for Microsoft operating systems and third-party products.
    How is this manual structured
    This manual is logically structured to assist you in getting GFI LANguard N.S.S. up and running in the shortest time possible.
    • Chapters 1 and 2 provide you with an introduction to GFI LANguard N.S.S. and an overview of how to install GFI LANguard N.S.S. on your system.
    • Chapter 3 shows you how to navigate the management console.
    • Chapters 4 and 5 provide you with Getting started information related to performing audits and analyzing security scan results.
    • Chapter 6 shows you how to save and load scan results of scans previously performed.
    • Chapter 7 demonstrates how to filter results using the results filter tab to display on-screen reports.
    NOTE: At this stage you will have gained enough knowledge to run GFI LANguard N.S.S. on default set
118. bout any planned security scans.
    NOTE 3: Along with the IDS software warnings, kindly note that a lot of the scans will show up in log files across diverse systems. UNIX logs, web servers, etc. will all show the intrusion attempts made by the computer running GFI LANguard N.S.S. If you are not the sole administrator at your site, make sure that the other administrators are aware of the scans you are about to run.
    Performing the first security scans
    Out of the box, GFI LANguard N.S.S. includes default configuration settings that allow you to run immediate scans soon after the installation is complete.
    Screenshot 14: New scan wizard
    To perform the first scans, select one of the following scan options:
    • Local computer scan: Use this option to enumerate all the vulnerabilities and missing patches on the local computer (i.e. the computer on which GFI LANguard N.S.S. is installed). This option is strongly recommended for first-time users.
    • Complete network scan
119. by this scanning profile and reported in the scan results. These include wired network devices, wireless network devices, software-enumerated network devices and virtual network devices.
    To specify which network devices to enumerate in the scan results:
    1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node.
    2. Select the scanning profile that you wish to customize and from the right pane click on the Devices tab.
    3. From the Network Devices tab (which opens by default), click the Advanced button at the bottom of the page.
    4. Set the required options to Yes and on completion click OK to finalize your settings.
    Scanning for USB devices
120. Scan toolbar: Enables you to perform scan-related operations such as launch new vulnerability scans and configure alternate scan credentials.
    Quick Scan toolbar: Allows you to quickly launch a vulnerability scan on a particular IP using a specific profile.
    Tool Buttons: Includes 3 buttons (Main, Configuration and Tools) through which you can switch the options that are accessible through the left pane.
    Left Pane: Allows access to the options available through the Main, Configuration and Tools buttons. These include scan result filters, scheduled scan customization and network administration tools.
    Middle Pane: Shows the vulnerability scan results broken down into specific categories such as vulnerabilities, potential vulnerabilities and system information.
    Right Pane: Shows more detailed information on the scan results as well as a graphical representation of the threat level on a computer by computer basis as well as on a scan by scan basis.
    Scanner Activity Window: Displays the activity of scans that are in progress.
121. canning Profiles sub-node.
    2. Select the scanning profile that you wish to customize and from the right pane click on the Vulnerabilities tab.
    3. Select the Enable Vulnerability Scanning option.
    NOTE: Vulnerability scanning is configurable on a scan profile by scan profile basis. If in a particular profile this option is not selected, no vulnerability tests will be performed in the security audits carried out by this scanning profile.
    Customizing the list of vulnerabilities to be scanned
    To specify which vulnerabilities will be enumerated and processed by a scanning profile during a security audit:
    1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node.
    2. Select the scanning profile to be customized and from the right pane click on the Vulnerabilities tab.
122. 8 Configuring GFI LANguard N.S.S.
    Introduction
    Creating and configuring scheduled scans
    Creating a scheduled scan
    Scheduled scan: Configuring scan targets
    Scheduled scan: Configuring logon credentials
    Scheduled scans: Configuring advanced options
    Scheduled scan: Configuring the scan results saving options
    Scheduled scan: Configuring results notifications
    Configuring alerting options
    Computer profiles
    About SSH private key authentication
    Creating a new computer profile
    Configuring computer profile parameters
    Enabling/Disabling Profiles
    Using computer profiles in a scan
    Configuring Patch Autodownload
    Parameter files
123. ... miscellaneous issues that could not be included in other sections of the manual.
   - Chapter 19 is a troubleshooting guide that assists you in resolving any issues you might encounter during the use of this product.
   - Finds rogue services and open TCP and UDP ports.
   - Detects known CGI, DNS, FTP, Mail, RPC and other vulnerabilities.
   - Detects rogue or backdoor users.
   - Detects open shares and enumerates who has access to these shares, including their respective permissions.
   - Scans for all known vulnerabilities reported in the OVAL, CVE and SANS Top 20 databases.
   - Enumerates:
      - Groups/group members during target computer scanning
      - USB devices attached to target computers
      - Network devices (wired, wireless or virtual)
      - Services and their respective state
      - Remote running processes
      - Installed applications
   - Checks that the signature files of supported installed security applications (anti-virus and anti-spyware) are updated. Where applicable, the security scanner will also examine the running configuration settings of particular security software (for example BitDefender anti-virus) to verify that key features such as real-time scanning are enabled.
   - Scheduling of network security scans and email reporting on completion.
   - Security scanning and OS data collection for Windows operating systems.
   - Security scanning and OS data collection for Linux operating systems through SSH.
124. ... environments where security databases must be intact, it is highly advisable to not delete any data whatsoever. In such scenarios, it is advisable that more licenses are acquired to cater for network growth or expansion.
   Database maintenance: Advanced options
   To improve the performance of your MS Access based database backend, you must regularly repair and compact it, two functions that GFI LANguard N.S.S. allows you to automate. During compaction, the database files are reorganized and records that have been marked for deletion are removed. In this way you can regain precious storage space. During this process, GFI LANguard N.S.S. also repairs corrupted database backend files. Corruption may occur for various reasons. In most cases, a Microsoft Access database is corrupted when the database is unexpectedly closed before records are saved (for example, due to a power failure, hung-up processes, forced reboots, etc.).
   Dialog text (database compaction options): The option below is only available when using Microsoft Access as a database backend. When using SQL Server/MSDE as a database backend, you need to manually set maintenance plans according to your company policies.
125. ... custom vulnerability checks through which you can custom scan network targets for specific vulnerabilities. Launch the GFI LANguard N.S.S. script debugger from Start > Programs > GFI LANguard Network Security Scanner 8.0 > GFI LANguard N.S.S. Script Debugger.
   GFI LANguard N.S.S. status monitor
   Screenshot 3: GFI LANguard N.S.S. status monitor
   Use the GFI LANguard N.S.S. status monitor to:
   - Examine the security threat level of your entire network.
   - Monitor the status of scheduled scans, software updates and patch deployment sessions.
   - Stop scheduled operations that have not yet been executed.
   - Supervise the status of your patch autodownload queue.
126. ... and expand the Configuration > Scanning Profiles sub-node.
   2. Select the scanning profile that you wish to customize and, from the right pane, click on the Applications tab.
   3. Click the Installed Applications tab and select one of the following options:
      - Only applications whose name contains: Select this option to set up a blacklist/whitelist of applications whose name matches specific criteria.
      - All applications except the ones whose name contains: Select this option to set up a blacklist/whitelist of applications whose name does not match specific criteria.
   4. Define the application blacklist/whitelist as follows:
   Screenshot 110: List of unauthorized applications
      - To create an applications blacklist, specify which applications you want to classify as high security vulnerabilities in the space provided under Only applications whose name contains. For example, if you enter the word Kazaa, you will be notified through a high security vulnerability alert when an application whose name contains the word Kazaa is detected.
      - To create an applications whitelist, specify which applications you want to ignore during network vulnerability scanning in the space provided under Ignore (Do not list/save to db) applications whose name contains.
   NOTE: Include only o
127. ... and select the Tools > DNS lookup node.
   2. Specify the hostname to resolve.
   3. Specify the information that you wish to retrieve:
      - Basic Information: Select this option to retrieve the host name and the relative IP address.
      - Host Information: Select this option to retrieve HINFO details. The host information (known as HINFO) generally includes target computer information such as hardware specifications and OS details. NOTE: Most DNS entries do not contain this information for security reasons.
      - Aliases: Select this option to retrieve information on the A Records configured on the target domain.
      - MX Records: Select this option to enumerate all the mail servers and the order (i.e. priority) in which they receive and process emails for the target domain.
      - NS Records: Select this option to specify the name servers that are authoritative for a particular domain or sub-domain.
   4. Specify (if required) the alternative DNS server that will be queried by the DNS Lookup tool, or leave as default to use the default DNS server.
   5. Click on the Retrieve button to start the process.
   Traceroute
128. Screenshot 141: Results Comparison Report (sample entries: users added to or removed from the Users, Remote Desktop Users and Administrators groups; services started; a virtual network device added and removed; an application update uninstalled)
   On completion, the results comparison report is displayed in the right pane of the management console.
   14. GFI LANguard N.S.S. Status Monitor
   Introduction
   GFI LANguard N.S.S. 8 ships with a state-of-the-art status monitor which graphically indicates the status of various operations that might be currently active or scheduled, such as patch d
129. Screenshot 138: Software deployment details
   Once you have configured the required parameters, you can:
   - Initiate the deployment process by clicking on the Start button.
   - Schedule the deployment process. To achieve this, select the Deploy on option, specify the preferred date/time and click Start.
   13. Results comparison
   Introduction
   GFI LANguard N.S.S. ships with a results comparison tool which allows you to compare saved scan results and generate a list of network changes discovered. In this section you will discover how to:
   - Configure what scan results changes will be reported
   - Manually generate a results comparison report
   - Automat
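The kind of change list a results comparison produces can be sketched as follows. This is an added example, not GFI LANguard code: the snapshot layout (`groups`, `services`, `network_devices`, `applications`), the function names, the severity policy and the sample data are all assumptions constructed for illustration.

```python
"""Compare two scan snapshots and list what changed between them.

Added illustration: the snapshot layout is an assumption, not the
product's database or XML schema, and all sample data is constructed.
"""

# Assumed policy: additions to these groups are reported as high severity.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}


def _diff(old, new):
    """Return (added, removed) between two collections, each sorted."""
    old, new = set(old), set(new)
    return sorted(new - old), sorted(old - new)


def compare_scans(old, new):
    """Return a list of (severity, message) tuples for one computer."""
    changes = []

    # Group membership changes.
    old_groups, new_groups = old.get("groups", {}), new.get("groups", {})
    for group in sorted(set(old_groups) | set(new_groups)):
        added, removed = _diff(old_groups.get(group, []), new_groups.get(group, []))
        for user in added:
            severity = "high" if group in PRIVILEGED_GROUPS else "info"
            changes.append((severity, f"User {user} was added to group {group}"))
        for user in removed:
            changes.append(("info", f"User {user} was removed from group {group}"))

    # Service state changes (service name -> "running" or "stopped").
    old_svc, new_svc = old.get("services", {}), new.get("services", {})
    for name in sorted(set(old_svc) | set(new_svc)):
        before, after = old_svc.get(name), new_svc.get(name)
        if before == after:
            continue
        if after == "running":
            changes.append(("medium", f"Service started: {name}"))
        elif after is None:
            changes.append(("info", f"Service removed: {name}"))
        else:
            changes.append(("info", f"Service stopped: {name}"))

    # Network devices, keyed by MAC address so a renamed adapter is not
    # reported as a remove plus an add.
    old_dev, new_dev = old.get("network_devices", {}), new.get("network_devices", {})
    added, removed = _diff(old_dev, new_dev)
    for mac in added:
        changes.append(("medium", f"Network device {new_dev[mac]} (MAC {mac}) was added"))
    for mac in removed:
        changes.append(("info", f"Network device {old_dev[mac]} (MAC {mac}) was removed"))

    # Installed applications and updates.
    added, removed = _diff(old.get("applications", []), new.get("applications", []))
    for app in added:
        changes.append(("info", f"Application {app} has been installed"))
    for app in removed:
        # A removed update can mean a patch was rolled back.
        changes.append(("medium", f"Application {app} has been uninstalled"))

    return changes


def high_severity(changes):
    """Return only the messages an administrator should review first."""
    return [message for severity, message in changes if severity == "high"]


# Constructed sample snapshots of the same computer from two scans.
SCAN_MONDAY = {
    "groups": {"Administrators": ["EXAMPLE\\admin"], "Users": ["EXAMPLE\\alice"]},
    "services": {"Spooler": "running", "ReportSvc": "stopped"},
    "network_devices": {"00-00-5E-00-53-01": "Ethernet adapter"},
    "applications": ["Example Update KB000001", "Example Reader 1.0"],
}
SCAN_FRIDAY = {
    "groups": {
        "Administrators": ["EXAMPLE\\admin", "EXAMPLE\\alice"],
        "Users": [],
    },
    "services": {"Spooler": "running", "ReportSvc": "running"},
    "network_devices": {
        "00-00-5E-00-53-01": "Ethernet adapter",
        "00-00-5E-00-53-02": "Wireless adapter",
    },
    "applications": ["Example Reader 1.0"],
}

if __name__ == "__main__":
    for severity, message in compare_scans(SCAN_MONDAY, SCAN_FRIDAY):
        print(f"[{severity}] {message}")
```

Keying devices by MAC address and treating privileged-group additions as high severity are design choices of this sketch, chosen so that the entries most likely to indicate unauthorized change sort to the top.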
130. Contents (excerpt):
   ... audit policy settings
   Detailed scan results: Analyzing open TCP ports
      Important considerations
      Service fingerprinting
      Dangerous port reporting
   Detailed scan results: Analyzing users and groups
   Detailed scan results: Analyzing logged on users
   Detailed scan results: Analyzing services
   Detailed scan results: Analyzing processes
   Detailed scan results: Analyzing installed applications
      Anti-virus and Anti-spyware applications groups
      General applications group
   Detailed scan results: Analyzing network devices
   Detailed scan results: Analyzing USB devices
   Detailed scan results: Analyzing system hot fixes
131. Screenshot 93: Searching for bulletin information
   To search for a particular bulletin:
   1. Specify the bulletin name (for example MS02-017) or QNumber (for example Q311987) in the search tool entry box included at the bottom of the right pane.
   2. Click on Find to start searching for your entry.
   Screenshot 94: Extended bulletin information
   Configuring the security scanning options
   Use the Scanner Options tab to configure the operation
132. Dialog text: ... during normal scanning times and therefore they are never scanned. This feature ensures that such devices are processed, because the scan will not end until all the machines within the scan target are detected alive and scanned. If non-existent systems are specified in the scan target, the scan will not finish until the user manually stops it from the Status Monitor tool.
   Screenshot 65: Configuring advanced options
   GFI LANguard N.S.S. can automatically keep track of scan targets that were missing (e.g. switched off) during the execution of a vulnerability scan and attempt to re-scan these machines as soon as these are reachable over the network. To achieve this, click on the Advanced tab and select the Wait for offline machines to connect to network option.
   Dialog text (Scheduled Scans Properties, Result Saving tab): Specify where to save scan results to XML or HTML reports. For result comparison operations, GFI LANguard N.S.S. saves all scan results to the database backend. You can configure GFI LANguard N.S.S. to output the scheduled scan results also to XML or HTML report files in a directory on the hard drive. WARNING: Saving scheduled scan results to XML can take several minutes for large scans and can cause performance degradation.
133. ...
      ' Entry point that the vulnerability check calls
      Function Main
          echo "Script has run successfully"
          ' Boolean result returned to the check condition
          Main = true
      End Function
   4. Save the script in C:\Program Files\GFI LANguard Network Security Scanner 8.0\Data\Scripts\myscript.vbs.
   Step 2: Add the new vulnerability check
   1. Open the GFI LANguard N.S.S. management console.
   2. Expand the Configuration > Scanning Profiles node and select the scanning profile where the new vulnerability check will be added.
   3. Click on the Vulnerabilities tab.
   4. From the middle pane, select the category in which the new vulnerability check will be included (for example, DNS Vulnerabilities).
   Screenshot 154: The new vulnerability check dialog
   5. Click on the Add button. This will bring up the Add Vulnerability dialog box.
   6. Go through the General, Description and Reference tabs while specifying the basic details such as the vulnerability name, short description, security level and OVAL ID (if applicable).
   7. Choose the Conditions tab and click on the Add button. This will bring up the check properties wizard.
134. ... NETBIOS names sub-node.
   Detailed scan results: Analyzing scanned target computer details
135. Screenshot 15: Selecting the type of security scan
   2. Select one of the following scanning operations and click Next:
      - Vulnerability Scanning: Use this scanning operation to enumerate all the vulnerabilities present on target computers, including missing patches.
      - Patching status: Use this scanning operation to enumerate only missing patches on target computers.
      - Network and Software Auditing: Use this scanning operation to enumerate system information without including vulnerabilities and missing patches.
      - Complete/Combination scan: Use this scanning operation to retrieve system information and enumerate all vulnerabilities
136. Screenshot 77: Database maintenance properties, Scanned Computers tab
   To delete computers previously scanned:
   1. Click on the Configuration button and expand the Configuration > Settings sub-node.
   2. Right-click the Database Maintenance Options sub-node and select Properties.
   3. Click the Scanned Computers tab.
   4. Select the computers to delete by holding the control key and clicking on the computers.
   5. Click on the Delete selected computer(s) button to delete scanned computer data.
   NOTE 1: Deleting computers from the database is a one-way operation that will also delete all computer-related data from the database. Once deleted, this data is no longer recoverable.
   NOTE 2: While this is a very efficient mechanism for freeing up licenses previously occupied by unused nodes, kindly note that this impacts the long-term security reporting capabilities of GFI LANguard N.S.S. Where long-term security reporting must be ascertained or in
137. - Logon to remote Linux targets through conventional logon credentials strings as well as through Public Key authentication (i.e. using SSH Public/Private Key files).
   - Self-updating: Automatically downloads definition files for the latest vulnerability checks and missing patches information on program startup.
   - Patch management support for Windows 2000/XP/2003/Vista operating systems, Microsoft Office XP or later, Microsoft Exchange 2000/2003 and Microsoft SQL Server 2000 or later.
   - Patch management support for multilingual operating systems that are Unicode compliant.
   - Patch rollback support.
   - Allows you to save security scan results in a Microsoft Access or Microsoft SQL Server database backend and in XML files.
   - Reports to the administrator on completion of a scheduled scan with detailed full scan results and/or detected changes identified between successive scans.
   - Live host detection, operating system identification, SNMP Auditing and Microsoft SQL Auditing.
   - Script debugger that you can use to create and debug custom vulnerability checks. Checks are created using a VBScript-compatible scripting language.
   - Improved multithreading capabilities that allow more than three computers to be scanned at a time.
   - Includes command line tools that allow you to scan and deploy software updates/patches and third party applications without bringing up the GFI LANguard N.S.S. user interface. These command line tools can be used directly
138. Screenshot 45: List of installed applications enumerated during target computer scanning
   Click on the Applications sub-node to access the complete list of applications that are installed on a scanned target computer. Discovered applications are organized into three groups:
   - Anti-virus applications
   - Anti-spyware applications
   - General applications
   Anti-virus and Anti-spyware applications groups
   The anti-virus applications and anti-spyware applications groups contain the list of security applications installed on a scanned target computer. Details enumerated in these groups include:
   - Application name
   - Real time protection: Denotes if real-time protection is enabled or disabled in an anti-virus application.
   - Up to date: Denotes if the anti-virus/anti-spyware signature files of a security application are up to date. This is achieved by checking (where applicable) the signature file status flag of an application.
   - Last update: Shows the date and time of the last anti-virus/anti-spyware signatures update.
   - Version: Shows the version number of the security application.
139. Screenshot 103: List of unauthorized (blacklisted) network devices
   3. Click on the Network Devices tab and do as follows:
      - To create a network device blacklist, specify which devices you want to classify as high security vulnerabilities in the space provided under Create a high security vulnerability for network devices whose name contains. For example, if you enter the word wireless, you will be notified through a high security vulnerability alert when a device whose name contains the word wireless is detected.
      - To create a network device whitelist, specify which devices you want to ignore during network vulnerability scanning in the space provided under Ignore devices (Do not list/save to db) whose name contains.
   NOTE: Include only one network device name per line.
   Configuring advanced network device scanning options
   Screenshot 104: Advanced network devices configuration dialog (options: Enumerate wired network devices, Enumerate wireless network devices, Enumerate software enumerated network devices, Enumerate virtual network devices)
   From the Devices tab you can also specify the type of network devices that will be checked
140. Screenshot 50: Sessions node (fields shown: Computer, Username, Open files, Connection time, Idle time, User flags, Client type, Transport)
   Click on the Sessions sub-node to access the list of hosts that were remotely connected to the target computer during scanning. The
141. ... in the Domain Policy GPO. Verifying the settings and their operation ensures that the correct password policies will be applied to all users in the domain.
   To verify password policy settings for an Active Directory domain:
   1. Navigate to the Control Panel (Start > Settings > Control Panel) and open the Administrative Tools.
   2. Open the Active Directory Users and Computers. Right-click on the root container of the domain and select Properties.
   3. Click on the Group Policy tab. Then select the GPO to be checked (for example, Domain Policy GPO) and click on Edit to open the Group Policy Object Editor.
   4. Expand the Computer Configuration node and navigate to the Windows Settings > Security Settings > Account Policies > Password Policy folder.
142. Screenshot 155: The check triggering conditions dialog (check types listed include Port Open Test, SMTP Banner Test, SSH Banner Test, TCP Banner Test, TELNET Banner Test, Text File Content Test and Script Test; the Script Test check executes a VB script on the target computer and returns a boolean value)
   8. Select the Independent checks > VBScript node and click on the Next button to continue setup.
   9. Click on the Choose file button and select the custom VBScript file that will be executed by this check. For this example, select myscript.vbs. Click on Next to proceed.
   10. Select the relative condition setup in the wizard to finalize script selection. Click on Finish to exit the wizard.
   11. Click on OK to save the new vulnerability check.
   Testing the vulnerability check/script used in the example
   Scan your local host computer using the scanning profile where the new check was added.
   Screenshot 156: High security vulnerabilities
   In the scan results, a vulnerability warning will be shown in the Vulnerabilities > Miscellaneous Alerts node of the scan results.
   Adding a vulnerability
143. ... your settings.
   6. Saving and loading scan results
   Introduction
   Scan results are an invaluable source of information for systems administrators. GFI LANguard N.S.S. results are stored in a MS SQL Server or a MS Access database and are exportable to an XML format. In this chapter you will discover how:
   1. GFI LANguard N.S.S. stores scan results.
   2. To modify scan results storage parameters (e.g. the format in which scan results will be saved).
   3. To reload saved scan results data in the GFI LANguard N.S.S. 8 management console.
   Saving scan results to an external XML file
   Once GFI LANguard N.S.S. completes a security scan, the results are automatically saved to the database backend. Nevertheless, you can also save these results to an external XML file. To achieve this:
   1. Go to File > Save scan results.
   2. Specify the name of the XML file where the results will be stored (for example ScanResult_11052006.xml).
   3. Click on Save.
   Loading saved scan results
   Loading saved scans from database backend
144. Screenshot 52: Reloaded scan results
   GFI LANguard N.S.S. can store scan results in a Microsoft Access or Microsoft SQL Server database backend as well as to an XML file. By default, saved scan results are organized in a database containing the results data of the last 10 scans performed per scanning profile.
   NOTE: You can configure the number of scan results that are stored in a database file. For more information on how to achieve this, please refer to the Manage saved scan results section in the Database Maintenance Options chapter.
   Saved scan results can also be re-loaded from an XML file for further processing and analysis.
   To load saved scan results from the database backend:
   1. Click on the Main button.
   2. Right-click on the Security Scanner (default) node and select Load saved scan results from > Database.
145. ... added as a new permanent sub-node: Security Scanner > Results Filtering > Missing Blaster Patch.
   Example 2: Create a filter that lists all Sun stations with a web server
   To create a filter that lists all Sun workstations that are running a web server on port 80, perform the following steps:
   1. Click on the Main button, right-click on the Security Scanner > Results Filtering node and select New > Filter.
   2. In the filter name field, key in Sun WS web servers on port 80 and click on the Add button.
   3. From the list of filter properties, select operating system and then click on Next.
   4. From the conditions drop-down, select Includes and in the value field type in Sun OS.
   5. Click on the Add button.
   6. From the properties dialog, click on the Add button to add another filter condition.
   7. Select TCP Port and click on Next.
   8. From the conditions drop-down box, select is open and in the value field key in 80.
   9. Click on the Add button to include this condition in the scan filter.
   10. Click on OK to finalize the configuration.
   The new filter will be added as a new permanent node: Security Scanner > Results Filtering > Sun WS web servers on port 80.
   8. Configuring GFI LANguard N.S.S.
   Introduction
   GFI LANguard N.S.S. 8 allows you to run vulnerability scans straight out of the box using
146. Screenshot 80: The Scanning Profile configuration page
   4. Use the tabs presented in the right pane of the management console to configure the operational parameters for this new scanning profile. The tabs displayed at the top of the scanning profile configuration page are listed below:
      - TCP ports tab: Use this tab to confi
147. ed scan results: Analyzing local drives
   Click on the Local Drives sub-node to view the list of physical drives that are accessible on the scanned target computer. The information enumerated in this sub-node includes the drive letter, the total disk space and the available disk space.
   Displaying and sorting scan categories
   GFI LANguard N.S.S. provides you with the ability to hone down and sort available scan categories and scanned computers. This allows you to focus on specific data that might require your attention in more detail, without getting lost in other data that might not be relevant at that point in time.
   [Screenshot 51: Customize view]
   To customize and sort the list of scan results:
   1. Click on the Customize view button.
   2. From the View tab, select which scan categories you want to show or hide. Click Apply to save the settings.
   3. Click on the Sorting tab and set your sorting preferences by selecting the required sorting options. Click OK to finaliz
148. Stopping active downloads
   (Optional) Configure alternative patch file deployment parameters
   Deploy downloaded patches on selected targets
   Monitor the patch deployment process
   Uninstall patches already deployed on targets
   Monitoring the patch uninstall process
   12 Patch management: Deploying custom software
   Introduction
   Enumerating the software to be deployed
   Selecting target computers for file deployment
   Deployment options
   Configuring pre-deployment options
   Configuring post-deployment options
   Configuring advanced deployment options
   Start the deployment process
   13 Results comparison
   Introduction
   Configuring what scan results changes will be repor
149. Upgrading earlier versions of GFI LANguard N.S.S.
   Entering your license key after installation
   3 Navigating the management console
   Introduction
   Navigating the GFI LANguard N.S.S. management console
   4 Getting started: Performing an audit
   Introduction
   Performing the first security scans
   Performing a security scan using default settings
   Configuring scan ranges
   SCLIN E aAa a ee er
   Scan range exclusions
   Quick start scans using currently logged on user credentials
   Quick start scans using alternative logon credentials
   Quick start scans using SSH Private Key
   Quick start scans using a null session
150. eeeeeeesseeeeeeeeeeeeeeaaeeees 96 Enabling disabling TCP UDP Port SCanning cccccssseeeeeeeeeeeeeeeeeaeeseeeeeeas 96 Configuring the list of TCP UDP ports to be SCanned cccccceeeseeeeeeeeeees 96 Customizing the list TCP UDP Ports ccccccccceecceseeseeeeeeeeeeeeeeeeeeeeessaaaaeees 96 Configuring OS data retrieval Options cccccceccssseseeceeeeeeeeeeeeeceeeeeseeeeeeeeeeeeessaaaaeees 97 Configuring vulnerabilities SCANNING OPTiONS cccecccccceeeeeaeeseeeeeeeesaeeeeeeeeeeeessaeaaeees 98 Enabling disabling vulnerability SCANNING c cseecceecseeeeeeeeeeeeeeeeseeseeeeeeeas 98 Customizing the list of vulnerabilities to be scanned ceccceeseeeeeeeeeeeeees 98 Customizing the properties of vulnerability CNECKS cccceseeeeeeeeeeeeeeeeeees 99 Vulnerability Check conditions Setup cccccseeeeeeeecaeeeeeeeeeeeeeeeeesaeseeeeeeaaaees 100 Vulnerability checks advanced OPtiONns ccccecseeeeeeeeeeeeeeeeeeeeaeeeeeseaeaees 102 Configuring patch SCANNING OPTIONS cccccccccecesesseeeeeeeeeeeeeeeeeeeeeeessaaaeeeeeeeessaeaeeess 103 Enabling disabling missing patch detection CNeCKS seseeeeeeeeeeeeeeeeees 103 Customizing the list of software patches to be SCaNnned ccccseeeeeeeeeeees 104 Searching for bulletin information cccccccecccccceeeeeeeseseeeeeeeeseeeseeeeeeessaeeaeess 104 Configuring the Security SCANNING OPTIONS
151. Selecting a database backend
   Storing scan results in an MS Access database backend
   Storing scan results in an MS SQL Server database
   Database maintenance: Managing saved scan results
   Database maintenance: List of scanned computers
   Database maintenance: Advanced options
   9 Scanning Profiles
   Introduction
   FAY 9019 0 AN
   GFI LANguard N.S.S. OVAL support
   About OVAL compatibility
   Submitting OVAL listing error reports
   Scanning profile description
   Which scanning profile shall I use?
   Scanning profiles in action
   Creating a new scanning profile
   Customizing a scanning profile
   Configuring TCP/UDP ports scanning options
152. 5 Getting started: Analyzing the security scan results
   Introduction
   SCARTO 0 Coe
   Analyzing the summary scan results for the scanned network
   Analyzing the target computer scan summary
   What to do after a scan
   Analyzing the detailed scan results
   Detailed scan results: Analyzing vulnerabilities
   Reporting unauthorized devices as high security vulnerabilities
   Detailed scan results: Analyzing potential vulnerabilities
   Detailed scan results: Analyzing shares
   Handling open shares
   Handling administrative shares
   Detailed scan results: Analyzing password policy
   Detailed scan results: Analyzing registry settings
   Detailed scan results: Analyzing security au
153. ents and Recommendations for OVAL Compatibility and complete the formal OVAL Compatibility Process. OVAL Compatibility means that GFI LANguard N.S.S. incorporates OVAL in a pre-defined, standard way and also uses OVAL for communicating details of vulnerabilities, patches, security configuration settings and other machine states.
   Submitting OVAL listing error reports
   Any issues with GFI LANguard N.S.S. or the listing of the OVAL checks included with GFI LANguard N.S.S. should be reported to GFI through its official support lines. Please refer to the troubleshooting section within this document for more information regarding email, phone or web forum support channels. GFI Software Ltd will endeavor to look into any issues reported and, if any inconsistency or error is ascertained, it will issue updates to fix such issues. Vulnerability check updates are usually released on a monthly basis.
   Scanning profile description
   Out of the box, GFI LANguard N.S.S. 8 includes an extensive list of scanning profiles:
   • Vulnerabilities, Patches and Service Packs: Use this scanning profile to enumerate particular network vulnerabilities, such as open TCP/UDP ports commonly exploited by Trojans, as well as missing patches and service packs. The list of vulnerabilities enumerated by this profile can be customized through the Vulnerabilities tab. NOTE 1: Installed USB devices and applic
154. ents on the right side of the window. Click on the OK button to continue.
   6. To finalize the installation, click on the OK button and reboot the computer. After the computer has restarted, Client for Microsoft Windows will be automatically installed.
   Configuring Password Policy Settings in an Active Directory-Based Domain
   NOTE: You must be logged on as a member of the Domain Admin group.
   To implement password policies on network computers belonging to an Active Directory domain:
   1. Navigate to the Control Panel (Start > Settings > Control Panel) and open the Administrative Tools.
   [Screenshot 163: Active Directory Users and Com
155. er GFI LANguard N.S.S. compares the RPC information received to the information listed in this file. In this way it can identify and verify the associated service name identification.
   • Smtp.txt: This file contains a list of SMTP banners together with the associated operating systems. As with FTP and identd files, these banners are used by GFI LANguard N.S.S. to identify the OS that is running on the target computer.
   • Snmp-pass.txt: This file contains a list of popular community strings. GFI LANguard N.S.S. uses these community strings to assert and identify SNMP weaknesses on a target computer. During target probing, the scanning engine will check if any of the community strings listed in this file are being used by the SNMP target server. Should this be the case, these community strings will be reported by the SNMP scanning tool in the scan results.
   • Telnet.txt: This file contains a list of different telnet server banners. GFI LANguard N.S.S. will use these telnet banners to identify which OS is running on a target computer.
   • Www.txt: This file contains a list of different web server banners. GFI LANguard N.S.S. will use these web server banners to identify which OS is running on a target computer.
   • Port_services_fingerprint.xml: This file contains a copy of the data sent while trying to recognize the type of the servers that are listening behind an open port (HTTP, FTP, SMTP, POP3, SSH, TELNET, etc.).
   • Snmpo
156. er the deployment process.
   • Stop services before deployment: Select this option to stop specific services before starting the deployment. To specify the services to be stopped, click on the Services button.
   Configuring post-deployment options
   Configure the After deployment options as follows:
   • Do not reboot/shut down the computer(s): Select this option if you do NOT want to remotely reboot target computers on completion of the deployment process.
   • Reboot the target computers: Select this option to automatically reboot target computers on completion of the deployment process.
   • Let the user decide when to reboot: Select this option to let target computer users interactively decide when to reboot the computers where software patches have been deployed. When this option is enabled, a message will be automatically sent to target computers on completion of the deployment process.
   [Screenshot 136: Post-deployment options dialog: decide when to reboot the target computer]
   From this dialog, users must select one of the following reboot options:
   • Restart Now: Select this option for an immediate restart.
157. [Screenshot: GFI LANguard N.S.S. 8.0 scan results summary] What does this mean? The vulnerability level per session is an average of the individual vulnerability levels of the computers that were scanned in this session. Browse through the information retrieved by the security scanner to find out more details. You should address all vulnerabilities as soon as possible.
158. es (Optional Parameter): Include this switch if you want to delete the source file after it has been successfully installed.
   • timeout (Optional Parameter): Specify the deployment operation timeout. This value defines the time that a deployment process will be allowed to run before the file/patch installation is interrupted.
   • (Optional): Use this switch to show the command line tool's usage instructions.
   Example: How to launch a patch deployment process from the command line tool
   For this example, we will be assuming that a patch deployment session with the following parameters is required:
   1. Deploy a file called patchA001002 XXX
   2. On target computer TMjason
   3. Reboot the target computer after successful deployment of the file.
   The command line tool instruction for this particular patch deployment session is:
   deploycmd TMjason file patchA001002 XXX reboot
   17 Adding vulnerability checks via custom conditions or scripts
   Introduction
   In this section you will learn how to add new custom vulnerability checks, created either through scripts or by configuring a set of custom vulnerabilities. Scripts can be created using any VB script compatible scripting language. By default, GFI LANguard N.S.S. ships w
159. es
   [Screenshot 72: Configuring Patch Autodownload Properties]
   3. In the General tab, which opens by default, select one of the following options:
   • All patches: Select this option to download all available patches.
   • Only needed patches: Select this option to download only the missing patches as determined during vulnerability scanning.
   4. To change the path in which downloaded patches are stored, click on the Patch Repository tab and specify the required details.
   5. To change the timeframe during which patch downloads are performed, click on the Timeframe tab and specify the required details.
   NOTE: GFI LANguard N.S.S. can use patch files downloaded by Microsoft WSUS when deploying missing patches and service packs on target computers. To enable use of Microsoft WSUS downloaded files, select the Use files downloaded by Microsoft WSUS when available option and specify the path from where the Microsoft WSUS downloaded patches will be retrieved.
   6. C
160. es and service packs. GFI LANguard N.S.S. can also deploy downloaded updates network-wide, as well as recall any patches that have already been deployed. Patches are generally recalled due to newly discovered vulnerabilities or problems caused by the installation of these updates, such as conflict issues with present software or hardware. Examples of updates recalled by the manufacturer include patches MS03-045 and MS03-047 for Exchange that were released by Microsoft on October 15, 2006.
   Both patch deployment and patch rollback operations are managed by an agent service which handles all file transfers between GFI LANguard N.S.S. and the remote targets. This service is silently and automatically installed on the remote target computer during the patch deployment process.
   NOTE 1: To successfully deploy missing patches, ensure that GFI LANguard N.S.S. is running under an account that has administrative privileges.
   NOTE 2: Ensure that the NetBIOS service is enabled on the remote computer. For more information on how to enable NetBIOS, refer to the Enabling NetBIOS on a target computer section in the Miscellaneous chapter.
   NOTE 3: A complete list of Microsoft products for which GFI LANguard N.S.S. can download and deploy patches is available on http://kbase.gfi.com/showarticle.asp?id=KBID001820
   In this chapter you will learn how to:
   • Specify target computers for patch deployment
   • Specify which Microsoft patches/updates must be depl
161. [Screenshot 33: High, medium, low security vulnerabilities]
   The High, Medium and Low security vulnerabilities sub-nodes contain information on weaknesses discovered while probing a target device. These vulnerabilities are organized into 10 groups:
   • Mail
   • FTP
   • Web
   • Registry
   • Services
   • RPC
   • DNS
   • Software
   • Rootkit
   • Miscellaneous
   The content of each group is described below.
   Mail, FTP, RPC, DNS and Miscellaneous: These groups contain the vulnerabilities discovered on FTP servers, DNS servers and SMTP/POP3/IMAP mail servers. The information shown in these sections includes links to Microsoft Knowledge Base articles or other support documentation
162. esenting configuration information of systems for testing
   • Analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.)
   • Reporting the results of this assessment
   The repositories are collections of publicly available and open content that utilize the language.
   The OVAL community has developed three XML schemas to serve as the framework and vocabulary of the OVAL Language. These schemas correspond to the three steps of the assessment process:
   • An OVAL System Characteristics schema for representing system information
   • An OVAL Definition schema for expressing a specific machine state
   • An OVAL Results schema for reporting the results of an assessment
   Content written in OVAL Language is located in one of the many repositories found within the community. One such repository, known as the OVAL Repository, is hosted by MITRE Corporation. It is the central meeting place for the OVAL Community to discuss, analyze, store and disseminate OVAL Definitions. Each definition in the OVAL Repository determines whether a specified software vulnerability, configuration issue, program or patch is present on a system.
   The information security community contributes to the development of OVAL by participating in the creation of the OVAL Language on the OVAL Developers Forum and by writing definitions for the OVAL Repository
163. espective targets. To start the deployment process, click on the Start button at the bottom right of the patch deployment page.
   Monitor the patch deployment process
164. esults. Devices which will be marked as dangerous will have a high security vulnerability notification in the scan results. Devices which are on the ignore list will not be listed or saved to the database.
   • Create a high security vulnerability for network devices whose name contains
   • Ignore (Do not list/save to db) devices whose name contains
   [Screenshot 101: Device configuration page: Network Devices tab options]
   Enabling/disabling checks for installed network devices
   To enable network device scanning in a particular scanning profile:
   1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node.
   2. Select the scanning profile that you wish to customize and, from the right pane, click on the Devices tab.
   3. Select the Enable Scanning for installed Network Devices on the target computer(s) option.
   NOTE: Network device scanning is configurable on a scan profile by scan profile basis. Make sure to enable network device scanning in all profiles where this is required.
165. [Screenshot 134: General deployment options]
   Configuring pre-deployment options
   Configure the Before deployment options as follows:
   • Warn users before deployment: Select this option if you want to send a message to the target computer user before deploying an update.
   [Screenshot 135: Deployment Warning: Informs that a deployment process is about to start]
   The message is intended to inform target computer users that a deployment will take place, hence give them time to save their work and close all running programs before the deployment process takes place.
   • Wait for user's approval: Select this option to request an approval from the target computer user before starting the deployment process. Target computer users can opt to put the deployment process on hold in case some other important process (for example, a system backup) is already under way. This way, other processes can be left to finish prior to the deployment, just in case the target computer requires a reboot aft
166. etween the compared scan results.
   Generating a Results Comparison Report
   [Screenshot: Result comparison tool] Use the result comparison tool to detect any changes which happened within two separate scans. The data source for the scans can be both saved scan results inside the database or saved scan results in XML file format. Select the two data sources and click on Compare.
167. even worse, blank passwords (technically referred to as null passwords) are a big vulnerability because they could easily allow malicious users to gain access to your system without any considerable effort. GFI LANguard N.S.S. allows you to specifically verify whether your target computers have null passwords through a null session. During null sessions, the scanning engine will attempt to log on to a target computer with blank credentials. The benefit of such an exercise is that if such a scan is successful, it means your target is accessible without the need of logon credentials.
   To run a null session:
   1. From the credentials drop-down list provided in the toolbar, select the Null Session option.
   2. In the Scan Target drop-down, specify the targets to be scanned during this null session.
   3. From the Profile drop-down, select the scanning profile to be used during this network vulnerability scan.
   4. Click on Scan to initiate the scanning process.
   5 Getting started: Analyzing the security scan results
   Introduction
   The most important thing following a network security scan is identifying which areas and systems require your immediate attention. This is achieved by analyzing and correctly interpreting the information collected and generated during a network security scan. This chapter is entirely focused on this aspect and will guide you t
168. ftware Audit: Use this scanning profile to enumerate all software applications installed on scan targets. This includes security software such as anti-virus and anti-spyware. NOTE 1: No vulnerability checks and missing service pack enumeration are performed using this profile. You can customize this profile to enumerate only unauthorized (blacklisted) software or vice versa.
   • Full TCP & UDP Scan: Use this scanning profile to audit your network and enumerate all open TCP and UDP ports. NOTE: No vulnerability checks are performed by this profile.
   • Ping Them All: Use this scanning profile to audit your network and enumerate all computers that are currently connected and running. NOTE: No vulnerability checks are performed by this profile.
   • Share Finder: Use this scanning profile to audit your network and enumerate all open shares, either hidden or visible. NOTE: No vulnerability checks are performed by this profile.
   • Uptimes: Use this scanning profile to audit your network and identify how long each computer has been running since the last reboot. NOTE: No vulnerability checks are performed by this profile.
   • Disks Space Usage: Use this scanning profile to audit your network and retrieve system information on available storage space.
   • System Information: Use this scanning profile to retrieve system information such as operating system details, wireless virtu
169. [Screenshot 140: Comparing scan results]
   To generate a scan results comparison report:
   1. Select the Main button, click on the Security Scanner > Result comparison node.
   2. Click on the search file buttons to select the scan result files that you wish to compare. NOTE: You can compare results stored in XML files or database files, but you cannot directly compare XML file results to database file results.
   3. Click on Compare to start the results comparison process.
   The Results Comparison Report
170. [Screenshot 129: Uninstalling a patch]
   3. Select the patches or service packs to be uninstalled from selected targets.
   NOTE 1: Some patches or service packs cannot be rolled back, since uninstalling them could impair the functionality of your systems. Patches that cannot be uninstalled will not be displayed for selection.
   NOTE 2: You can sort the list of patches currently on display by clicking on the Sort by computers and Sort by patches tabs accordingly.
   4. Click Start to initiate the uninstall process.
   Monitoring the patch uninstall process
   To view the patch roll back progress, click on the Uninstallation Status tab located next to the Sort by patches tab at the top of the right pane.
171. Screenshot 32: Missing patches detected during target scanning
Missing patches discovered during target scanning are listed and grouped under the Missing Patches category. Details shown in the results tree of this category include:
  • Patch ID and Product name
  • URL: The ID and URL of the respective Microsoft Knowledge Base article
  • Severity: The effect that the patch has on the security level of a network device
  • Date Posted: The release date of the missing patch
To access bulle
172. Screenshot 22: GFI LANguard N.S.S. new scan toolbar, Authentication methods drop-down list
  1. From the credentials drop-down list provided in the toolbar, select the Alternative credentials option.
  2. In the adjacent fields, specify the username and password to be used during this scan.
  3. Configure the rest of the options as described in the "Quick start scans using currently logged on user credentials" section above.
Quick start scans using SSH Private Key
To run a network security audit using SSH Private key credentials, do as follows:
Screenshot 23: GFI LANguard N.S.S. new scan toolbar, Authentication methods drop-down list
  1. From the credentials drop-down list provided in the toolbar, select the SSH Private key option.
  2. In the adjacent fields, specify the username and private key file to be used during this scan.
  3. Configure the rest of the options as described in the "Quick start scans using alternative credentials" section above.
Quick start scans using a null session
One of the most serious threats in a network system is the misconfiguration of passwords. Default passwords or
173. gure TCP port scanning parameters and options (e.g. specify which TCP ports to be scanned).
  • UDP ports tab: Use this tab to configure UDP port scanning parameters and options (e.g. specify which UDP ports to be scanned).
  • OS data tab: Use this tab to specify which operating system data will be extracted from scanned targets (e.g. open shares, user accounts and currently logged on user details).
  • Vulnerabilities tab: Use this tab to specify which vulnerability checks will be run against your target computers (e.g. Web Server vulnerability checks).
  • Patches tab: Use this tab to specify which missing security updates will be scanned for on target computers.
  • Scanner Options tab: Use this tab to configure the operational parameters of the vulnerability scanning engine (e.g. target discovery parameters such as timeout values, query methods).
  • Devices tab: Use this tab to configure the required parameters and enable scanning for installed network and USB devices connected to target computers.
  • Applications tab: Use this tab to configure the required parameters and enable scanning for applications installed on target computers.
Customizing a scanning profile
To customize a scanning profile:
  1. Click on the Configuration button and expand the Configuration > Settings sub-node.
  2. Select the scanning profile to be edited.
  3. From the right pane, use the tabs at the top of the page to access the required co
174. Screenshot 62: List of configured scheduled scans
To create a scheduled scan:
  1. Click on the Configuration button and expand the Configuration > Settings sub-node.
  2. Right-click on the Scheduled Scans sub-node and select New > Scheduled scan. This will bring up the New Scheduled Scan configuration dialog.
Screenshot 63: New Scheduled Scan dialog
  3. In the General tab, which opens by default, specify the target computers (i.e. hostname, IP or IP range).
     NOTE: For more information on how to specify which target computers are to be scanned, refer to the "Scheduled scan: Configuring scan targets" section below.
  4. Select the scanning profile that will be used for this scheduled scan and specify a description of the scheduled scan.
  5. If this scheduled scan is to be run periodically, specify the frequency at which the scan will be launched.
  6. Specify the date and time at which the scheduled scan will start.
  7. If alternative logon credentials are required, click on t
175. he Logon Credentials tab. For instructions on how to achieve this, refer to the "Scheduled scan: Configuring Logon Credentials" section in this chapter.
  8. When scanning targets that are normally offline, such as laptops, click on the Advanced tab. Follow the instructions provided in the "Scheduled scan: Configuring Advanced options" section in this chapter.
  9. Click OK to finalize your settings.
Scheduled scan: Configuring scan targets
When configuring the list of target computers, you can specify:
  • The fully qualified domain name, to scan all machines making part of a specific domain
  • Computer names, to denote scanning of particular machines
  • The URL (ex. computer.corporation.com)
  • The IP addresses (ex. 192.168.100.5) of all machines to be scanned
  • An IP address range (ex. 192.168.100.5 - 192.168.100.50)
  • CIDR subnets (ex. 192.168.100.0/24)
  • The name and full path of the text file which contains target computer details, using the following syntax: file:<filename>
    NOTE: The file must contain one target computer name per line.
Scheduled scan: Configuring logon credentials
As with normal vulnerability scans, scheduled scans will require to logon to target computers with administrator credentials in order to perform a vulnerability scan. By default, scheduled scans will use the credentials of the currently logged on user accou
176. he Network Devices sub-tab to configure the attached network devices scanning options and blacklisted (unauthorized) / whitelisted (safe) devices lists.
  • Use the USB Devices sub-tab to configure the attached USB devices scanning options and unauthorized/safe devices lists.
Scanning for attached network devices
177. hes option from the scanning profile selection box. Click on the Next button to proceed.
  4. Select the Scan single computer option. Click on the Next button to proceed.
  5. Select the Scan this computer option. Click on the Next button to proceed.
  6. Provide the credentials under which the scan will be performed and click on the Scan button to start the scan.
TIP: Take note of the time it takes to complete the scan, as well as the information range it returns.
Example 2: Using the Vulnerabilities profile to scan the local host
  1. Click on the New Scan button.
  2. Select the Vulnerability scanning option and click on the Next button to proceed.
  3. Select the Vulnerabilities option and click on the Next button to proceed.
  4. Select the Scan single computer option. Click on the Next button to proceed.
  5. Select the Scan this computer option. Click on the Next button to proceed.
  6. Provide the credentials under which the scan will be performed and click on the Scan button to start the scan.
Important consideration
As you can see, the time taken to complete a vulnerability scan using the Vulnerabilities scanning profile is less than that of the Vulnerabilities and Patches scanning profile previously performed. This is because the Vulnerabilities scanning profile only performs specific vulnerability checks which analyze and
178. Screenshot 42: Scan Results, dangerous ports are marked in RED
When a commonly exploited port is found open, GFI LANguard N.S.S. will mark it in red. Care is to be taken, as even if a port shows up in red, it does not mean that it is 100% a backdoor program. Nowadays, with the array of software being released, it is becoming more common that a valid program uses the same ports as some known Trojans.
Detailed scan results: Analyzing users and groups
Rogue, obsolete or default user accounts can be exploited by malicious or unauthorized users to gain access to restricted areas of your
179. hrough the steps required to:
  1. Access the vulnerability scan results
  2. Analyze and interpret the scan data results
  3. Identify what to do after a network scan is completed
Scan results
Upon completing a scan, GFI LANguard N.S.S. immediately displays a scan summary.
Screenshot 24: Scan summary
By clicking on Guide me to the next step, you can follow a recommended course of action that will help you to address the vulnerabilities identified by GFI LANguard N.S.S. To view a more detailed list of vulnerabilities, click OK and the scan results window will appear. In the scan results window, you can navigate the scan results by clicking on the nodes displayed in the scanned computers pane (middle pane). This causes the scan results to change dynamically from one computer to the next and from one detailed information disp
180. ids och This file contains a map between SNMP object IDs and their display name, and it is used to browse SNMP info by the SNMP Walk tool.
Database maintenance
GFI LANguard N.S.S. ships with a set of database maintenance options through which you can maintain your scan results database backend in good shape. For example, you can improve product performance and prevent your scan results database backend from getting excessively voluminous by automatically deleting scan results that are older than a specific number of months. If you are using a Microsoft Access database backend, you can also schedule database compaction. Compaction allows you to repair any corrupted data and to delete database records marked for deletion in your database backend, hence ensuring the integrity of your scan results database.
Selecting a database backend
181. Screenshot 66: Scheduled Scans properties dialog
To save scheduled scan results in an XML/HTML file:
  1. Click on the Configuration button and expand the Configuration > Settings sub-node.
  2. Right-click the Scheduled Scans sub-node and select Properties. This will bring up the scheduled scans properties dialog.
  3. Specify file type preferences by selecting:
     • Save scheduled scan results to XML file: Select this option to save scan results to XML file.
     • Generate and save scan result HTML reports to: Select this option to save scan results to HTML file.
  4. Click OK to finalize your settings.
182. Screenshot 139: Results comparison configuration options
  2. From the right pane, click on the Options button and select the information item(s) to be reported from the following:
     • New items: Select this option to include all new security issues that emerged since the previous vulnerability scan.
     • Removed items: Select this option to include result items (for example installed applications and components) and devices (for example Network cards, USB devices, Wireless devices, etc.) that were recorded in the previous (older) scan but which have not been recorded in the latest scan results.
     • Changed items: Select this option to include all result items that have changed, such as a service that was enabled or disabled in between scans.
     • Show vulnerability changes: Select this option to include all vulnerabilities identified during the 2 scans being compared.
     • Show only hot-fix changes: Select this option to include all missing and installed patches identified b
183. ing our live support service at http://support.gfi.com/livesupport.asp
  • Contacting our support department by telephone
Knowledge Base
GFI maintains a Knowledge Base, which includes answers to the most common problems. If you have a problem, please consult the Knowledge Base first. The Knowledge Base always has the most up-to-date listing of support questions and patches. The Knowledge Base can be found on http://kbase.gfi.com
Request support via email
If, after using the Knowledge Base and this manual, you have any problems that you cannot solve, you can contact the GFI support department. The best way to do this is via email, since you can include vital information as an attachment that will enable us to solve the issues you have more quickly. The Troubleshooter, included in the program group, automatically generates a series of files needed for GFI to give you technical support. The files would include the configuration settings, debugging log files and so on. To generate these files, start the troubleshooter wizard and follow the instructions in the application. In addition to collecting all the information, you will be asked a number of questions. Please take your time to answer these questions accurately. Without the proper information it will not be possible to diagnose your problem. Then go to the troubleshooter support folder located under the main program directory, compress the files in ZIP format and send
184. ing the list TCP/UDP ports
  1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node.
  2. Select the scanning profile that you wish to customize and, from the right pane, click on the TCP Ports / UDP Ports tab(s) accordingly.
  3. Customize the list of TCP/UDP Ports as follows:
     • Use the Add button to add new TCP/UDP ports to the list. Specify the port number/range and description. Select the Is a Trojan port option if the new ports are commonly exploited by Trojans.
     • Use the Edit button to modify TCP/UDP port parameters (i.e. port number and description).
     • Use the Remove button to remove TCP/UDP ports from the list. To achieve this, select the port(s) to be removed and click Remove.
NOTE: The list of supported TCP/UDP Ports is common for all profiles. Deleting a port from the list will make it unavailable for all scanning profiles. To exclude particular ports from scanning, follow the procedure described in the "Configuring the list of TCP/UDP ports to be scanned" section in this chapter.
185. Screenshot 4: Launching the GFI LANguard N.S.S. status monitor
The GFI LANguard N.S.S. status monitor is automatically launched in the system tray on computer start-up. To access the status monitor, right-click on the GFI LANguard N.S.S. icon and select Status.
License scheme
The GFI LANguard N.S.S. licensing scheme works on the number of computers and devices that you wish to scan. For example, the 128 IP license allows you to scan up to 128 computers or devices from a single workstation/server on your network. To calculate the GFI LANguard N.S.S. license that you require, you need to add up the:
  • Number of computers on which GFI LANguard N.S.S. will be running
  • Number of computers that will be scanned by GFI LANguard N.S.S.
For example, if you wish to install GFI LANguard N.S.S. on one server from which you will be scanning a network of up to 60 target computers, then you have to purchase a 64 IP license. For more information on GFI LANguard N.S.S. licensing, visit http://www.gfi.com/pricing/pricelist.aspx?product=lanss
2. Installing GFI LANguard Network Security Scanner
System requirements
Install GFI LANguard N.S.S. on a computer that meets the following requirements:
  • Windows 2000 (SP4) / XP (SP2) / 2003 / 2008 / VISTA (SP1) / XP (SP3) operating system
  • Internet Expl
186. is required.
Customizing the list of security applications for scanning
To specify which security applications will be scanned during an audit:
  1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node.
  2. Select the scanning profile that you wish to customize and, from the right pane, click on the Applications tab.
187. ith a script editor that you can use to create your custom scripts. New checks must be included in the list of checks supported by GFI LANguard N.S.S. Use the Vulnerabilities tab to add new checks to the default list of vulnerability checks on a scan profile by scan profile basis.
NOTE: Only expert users should create new vulnerability checks. Scripting errors and wrong configurations in a vulnerability check can result in false positives or provide no vulnerability information at all.
GFI LANguard N.S.S. VBscript language
GFI LANguard N.S.S. supports and runs scripts written in VBscript compatible languages. Use VBscript compatible languages to create custom scripts that can be run against your network targets. Security auditing scripts can be developed using the script editor that ships with GFI LANguard Network Security Scanner. This built-in script editor includes syntax highlighting capabilities as well as debugging features that support you during script development. Open the script editor from Start > Programs > GFI LANguard Network Security Scanner 8.0 > LNSS Script Debugger.
NOTE: For more information on how to develop scripts using the built-in script editor, refer to the Scripting documentation help file included in Start > Programs > GFI LANguard Network Security Scanner 8.0 > GFI LANguard N.S.S. Scripting documentation.
IMPORTANT NOTE: GFI does not support requests related to problems in custom scripts
188. k Import to import the list of target computers from a text file.
Deployment options
General deployment options
The general deployment options allow you to configure the actions and processes that must be triggered prior and post deployment of the selected file. Supported actions include sending a file deployment request to the user that is currently logged on to the target computer and the automated reboot of target computer following a successful deployment operation.
189. lay to the next
190. Screenshot 109: The Applications tab, Installed Applications tab options
Compiling an installed applications blacklist/whitelist
To compile an installed applications blacklist/whitelist:
  1. Select the Configuration button an
191. lick OK to finalize your settings.
Parameter files
192. licy tab and select the new Group Policy Object Link that you have just created (for example, Domain Policy).
  7. Click on Up to move the new GPO to the top of the list and then click on Edit to open the Group Policy Object Editor.
Screenshot 165: The Group Policy Object Editor
  8. Expand the Computer Configuration node and navigate to the Windows Settings > Security Settings > Account Policies > Password Policy folder.
193. list of target computers selected and the English/non-English updates that will be downloaded and deployed on the enumerated targets.
Screenshot 122: Selecting patches to be downloaded and deployed
NOTE: GFI LANguard N.S.S. can be configured to automatically download any missing patches and service packs discovered during a network security scan. For more information, please refer to the "Configuring Patch Autodownload" section in the "Configuring GFI LANguard N.S.S." chapter of this manual.
Sorting the list of pending software updates
The Patch Deployment options page allows you to organize and view the list of service packs and patches to be deployed in two ways:
  • Sort by computers: This view shows the list of missing patches grouped per target computer.
  • Sort by patches: This view shows the list of all missing patches sorted by Update file name.
Switch between these views by clicking on the Sort by computers and Sort by patches tabs accordingly.
Download patches and service pack files
194. ll Scan report and the Results Comparison report.
  • The Full Scan Report includes all the information collected or generated during the execution of a scheduled scan.
  • The Results Comparison report enumerates only the differences identified between the last scheduled scan results and the preceding one.
NOTE: The Results Comparison report will not be emailed to the administrator if no differences exist between the compared scan results or if you are running your very first scheduled scan.
Creating a scheduled scan
195. lletin information More information related to the results pane information displayed. Links to tasks with which you can fix weaknesses and vulnerabilities discovered. Additional options through which you can view and enable policies, as well as send administration messages and shut down computers.
What to do after a scan
The scan results summary of GFI LANguard N.S.S. includes a list of common tasks (recommended actions) which can assist you in resolving network weaknesses commonly discovered during vulnerability scans. Suggested actions include:
• Deploy service packs/patches: Use these options to resolve issues that require the download and deployment of missing Microsoft patches and service packs. Clicking on any of these options will take you to the patch/service pack management options, from where you can download and automatically deploy patches and service packs network-wide. For more information on how to use these options, refer to the Patch management: Deploying Microsoft updates chapter.
• Deployment custom software: Use this option to deploy scripts, files or third-party applications network-wide. For more information on how to achieve this, refer to the Patch management: Deploying custom software chapter.
• Uninstall service packs or patches: Use these options to resolve issues that require uninstall of ser
196. load dictionary file updates, for example weak community strings dictionary file updates, weak passwords dictionary files updates, etc.
• Microsoft Software Updates: Select the Microsoft Software Update files of all languages currently in use on your network. For more information, refer to the Downloading Microsoft updates in different languages section at the beginning of this chapter.
NOTE: Select the "Update ALL files including the ones already updated" option at the bottom of the dialog to update all files including other ones already updated.
7. Click on Start to initiate the update process.
Check for software updates at program startup
By default, GFI LANguard N.S.S. checks for the availability of software updates at every program startup. To disable this feature:
1. Select the Configuration button, right-click and expand the General node.
2. Right-click the Program Updates sub-node and select Properties. This will bring up the Program Updates Properties dialog.
Screenshot 118: The Check for newer builds at startup option
3. Unselect the Check for newer builds at startup option at the bottom of the dialog.
Configure which updates to check on program startup
To configure which updates are checked at program startup
197. Screenshot 41: Open TCP ports node
During vulnerability scanning, GFI LANguard N.S.S. 8 will enumerate all TCP ports found open on a target computer. The list of ports is then accessible through the scan results by clicking on the Open TCP Ports sub-node.
Important considerations
By default, GFI LANguard N.S.S. is configured to use the Full Scan. Via the use of this scanning profile, not all of the 65535 TCP and UDP ports are checked as thi
198. Screenshot 96: The Devices configuration page, Network Devices tab options
Use the Devices tab to enable the scanning and reporting of network and USB devices installed on your target computers.
199. [Screenshot: scan results for a target computer. Missing service packs are reported under the Vulnerabilities > Missing service packs node and missing patches under the Vulnerabilities > Missing patches node; the Installed Service Packs and Installed Patches lists follow. NOTE: Patches which are superseded by later updates are not listed.]
200. Screenshot 47: List of USB devices detected on a scanned target computer
Click on the USB Devices sub-node to access the list of USB devices connected to the target computer(s). Use the information collected in this sub-node to identify unauthorized USB devices that are currently plugged into the scanned target computer(s) and which malicious insiders can use to steal valuable information or upload malicious files that can cripple your entire network. These include portable storage devices such as the Apple iPod or Creative Zen, as well as USB wireless devices and Bluetooth dongles.
201. med through a message dialog that will be shown on screen immediately before the deployment session is started.
• useraproval (Optional): Include this switch to request the user's approval before starting the file/patch installation process. This allows users to postpone the file/patch installation process for later, for example until an already running process is completed on the target computer.
• stopservice (Optional): Include this switch if you want to stop specific services on the target computer before installing the file/patch.
NOTE: You cannot specify the services that will be stopped directly from the command line tool. Services can only be added or removed through the management console. For more information on how to specify services to be stopped, refer to the Deployment options section in the Patch Management: Deploying custom software chapter.
• customshare (Optional): Specify the target share where you wish to transfer the file before it is installed.
• reboot (Optional Parameter): Include this switch if you want to reboot the target computer after file/patch deployment.
• rebootuserdecides (Optional Parameter): Include this switch to allow the current target computer user to decide when to reboot his computer after patch installation.
• shutdown (Optional Parameter): Include this switch if you want to shut down the target computer after the file/patch is installed.
• deletefil
202. ment engine to download and install the missing update files in their respective languages network-wide. Supported languages include: English, German, French, Italian, Spanish, Arabic, Danish, Czech, Finnish, Hebrew, Hungarian, Japanese, Korean, Dutch, Norwegian, Polish, Portuguese, Portuguese Brazilian, Russian, Swedish, Chinese, Chinese Taiwan, Greek and Turkish. Information on how to download and deploy multilingual Microsoft Update Files is provided further on in this chapter.
Starting program updates manually
To manually start GFI LANguard N.S.S. program updates:
1. Select the Configuration button, right-click and expand the General node.
2. Right-click the Program Updates sub-node and select Check for Updates. This will bring up the Check for updates wizard.
Screenshot 116: The Check for Updates wizard, Stage 1
3. Specify the location from where the required
203. n SMI Network Management Private Enterprise Codes, which can be found on http://www.iana.org/assignments/enterprise-numbers
• Ethercodes.txt: This file contains a list of MAC addresses together with their associated vendor(s).
• Ftp.txt: This file contains a list of FTP server banners through which GFI LANguard N.S.S. can identify the OS of a target computer (i.e. GFI LANguard N.S.S. can identify the type of OS running on a target computer by analyzing the installed FTP server).
• Identd.txt: This file contains identd protocol banners through which GFI LANguard N.S.S. can identify the OS running on a target computer (i.e. GFI LANguard N.S.S. can identify an OS through the banner information).
• Object_ids.txt: This file contains the SNMP object_ids as well as the associated vendor(s) and product(s). When a device responds to an SNMP query, GFI LANguard N.S.S. will compare the Object ID information sent by the target computer to the OID information stored in this file.
• Passwords.txt: This file has a list of passwords that, during a scan, are used to perform dictionary attacks on target computers in order to identify weak passwords.
• Rpc.txt: This file contains the list of RPC protocol service numbers together with the associated service name identification. When RPC services are found running on a UNIX/Linux-based target comput
204. nd interpreted as instruction for the GFI LANguard Network Security Scanner. Standard keywords identified by the SSH module include:
• TRUE
• FALSE
• AddListItem
• SetDescription
• !!SCRIPT_FINISHED!!
Each of these keywords triggers an associated and specific process in the SSH Module. The function of each keyword is described below:
• TRUE / FALSE: These strings indicate the result of the executed vulnerability check/script. When the SSH module detects a TRUE, it means that the check was successful; FALSE indicates that the vulnerability check has failed.
• AddListItem: This string triggers an internal function that adds results to the vulnerability check report (i.e. scan results). These results are shown in the GFI LANguard N.S.S. management console after completion of a scan. This string is formatted as follows:
AddListItem parent node actual string
  ◦ parent node: Includes the name of the scan results node to which the result will be added.
  ◦ actual string: Includes the value that will be added to the scan results node.
NOTE: Each vulnerability check is bound to an associated scan result node. This means that AddListItem results are by default included under an associated default vulnerability node. In this way, if the parent node parameter is left empty, the function will add the specified string to the default node.
• SetDescription: This string triggers an internal
205. ne application name per line.
[Screenshot: Applications tab of a scanning profile, Security Applications options, including "Detect and process installed antivirus/antispyware software on target computer(s)"]
206. nfiguration page(s) and make the necessary parameter updates.
NOTE: Changes in scanning profiles will become effective in the next new scan.
[Screenshot: TCP Ports tab of a scanning profile, with the Enable TCP Port Scanning option and the full port list]
207. Screenshot 166: Configure the GPO password history
9. From the right pane, double-click on the Enforce password history policy. Then select the Define this policy setting option and set the Keep password history value to 24.
10. Click on the OK button to close the dialog.
Screenshot 167: Configuring GPO password expiry
11. From the right pane, this time double-click on the Maximum password age policy. Then select the Define this policy setting option and set the Password will expire value to 42 days.
12. Click on OK to close the properties dialog.
Screenshot 168: Configuring the minimum password age
13. From the right pane, double-click on the Minimum password age policy. Then select the Define this policy setting option and set the Password can be changed after value to 2.
14. Click on the OK button
208. ng deploycmd.exe, the command line patch deployment tool
The deploycmd.exe command line patch deployment tool allows you to deploy Microsoft patches and third-party software on remote targets directly from the command line, or through third-party applications, batch files or scripts. The deploycmd.exe command line tool supports the following switches:
deploycmd target file FileName username UserName password Password UseComputerProfiles warnuser useraproval stopservices customshare CustomShareName reboot rebootuserdecides shutdown deletefiles timeout Timeout sec
Switches:
• Target: Specify the name(s), IP or range of IPs of the target computer(s) on which the patch(es) will be deployed.
• File: Specify the file that you wish to deploy on the specified target(s).
• User and Password (Optional): Specify the alternative credentials that the scanning engine will use to authenticate to a target computer during patch deployment. Alternatively, you can use the UseComputerProfiles switch to use the authentication credentials already configured in the Computer Profiles (Configuration > Computer Profiles node).
• warnuser (Optional): Include this switch if you want to inform the target computer user that a file/patch installation is in progress. Users will be infor
209. Screenshot 28: GFI LANguard N.S.S. configuration interface
Analyzing the scan results
Use the information presented in the Scanned computers section (middle pane) to navigate the results of the scanned computers. Security scan results are organized in a number of category sub-nodes. These can be easily used to investigate and identify security issues in the scanned targets. Scan results are organized in the following categories:
• Vulnerabilities
• Potential vulnerabilities
• System Patching Status
• Shares
• Applications
• Network
210. nt. However, if required, you can also specify a different set of logon credentials to be used during a scheduled scan.
Screenshot 64: Configuring logon credentials
To configure logon credentials for a scheduled scan, select one of the following options from the provided drop-down list:
• Alternative Credentials: Select this option to authenticate to target computers using a specific username and password string.
• SSH Private Key: Select this option to authenticate to Linux-based target computers using Private Key authentication. Specify the username and the Private Key file in the provided fields.
Scheduled scans: Configuring advanced options
211. o make a clean install
Screenshot 10: Choose import options
2. When prompted, select the required import options.
3. Continue installation by following the instructions listed in the installation procedure section above.
NOTE: Evaluation versions and older builds of GFI LANguard N.S.S. 8 can be upgraded to the latest build using the same method.
Entering your license key after installation
The unregistered evaluation version of GFI LANguard N.S.S. expires after 10 days and is feature limited. For a list of restrictions that apply to the feature-limited version of GFI LANguard N.S.S., please visit http://kbase.gfi.com/showarticle.asp?id=KBID003081
212. ocally via an interactive logon or remotely via a remote network connection.
[Screenshot: Logged On Users node, listing Locally Logged On Users and Remotely Logged On Users]
213. Screenshot 111: The Applications configuration page, Security Applications tab options
GFI LANguard N.S.S. ships with a default list of anti-virus and anti-spyware applications that can be checked during security scanning.
Enabling/disabling checks for security applications
To enable checks for installed security applications in a particular scanning profile:
1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node.
2. Select the scanning profile that you wish to customize and, from the right pane, click on the Applications tab.
3. Click the Security Applications tab and select the Detect and process installed anti-virus/anti-spyware software on target computers option.
NOTE: Security applications scanning is configurable on a scan profile by scan profile basis. Make sure to enable security applications scanning in all profiles where this
214. og of the respective service pack. The information shown in this bulletin includes:
• The QNumber: This is a unique ID number that is assigned by Microsoft to each software update for identification purposes.
• The release date of the bulletin/service pack.
• A long description of the service pack and its contents.
• The list of OS/Application(s) to which the service pack applies.
• The URL link to more information about the respective service pack.
• The name of the service pack file and the relative file size.
• The URL from where you can manually download this service pack.
Vulnerabilities > Missing patches
A patch is an update that is released by a software company to address a technical/security issue. It is very common for attackers to exploit these known vulnerabilities in order to gain access to a network. Failure to install missing patches on network computers makes you vulnerable to an attack, resulting in either loss of business time and/or data. GFI LANguard N.S.S. scans target computers to ensure that all relevant security updates released by Microsoft are installed.
215. [Screenshot: the Whois tool, showing the query options, the list of whois servers to query and a sample query result]
216. orer 5.1 or higher.
• Client for Microsoft Networks component: included by default in Windows 95 or higher.
NOTE: For more information on how to install the Client for Microsoft Networks component, refer to the Installing the Client for Microsoft Networks component on Windows 2000 or higher section in the Miscellaneous chapter.
• Secure Shell (SSH): included by default in every Linux OS distribution pack.
Firewall considerations
Firewalls installed on either the host or target computer(s) will interfere with the operations of GFI LANguard N.S.S. You must either:
• Disable the firewall software on the host/target computer(s).
Or
• Use the Windows Internet Connection Firewall domain policies to configure the necessary ports and services required by GFI LANguard N.S.S. to operate correctly. For more information on how to configure Active Directory policies to support scanning of/from computers running the Windows Internet Connection Firewall (XP SP2 or 2003 SP1), visit http://kbase.gfi.com/showarticle.asp?id=KBID002177
Installation procedure
To install GFI LANguard N.S.S. 8:
1. Double-click on languardnss8.exe and click Next.
2. Read the licensing agreement carefully. To proceed with the installation, select the Accept the Licensing agreement option and click Next.
3. Specify licensing details and click Next to continue.
NOTE: Default key allows 10 days evaluation.
217. Screenshot 162: Local Area Connection Properties dialog
3. From the General tab, which opens by default, select the checkbox next to Client for Microsoft Networks and click on Install to begin the installation process.
NOTE 1: If the Client for Microsoft Windows checkbox is already selected, then the component is already installed.
NOTE 2: If the network is currently active, you may not see any checkboxes in the window. In this case, click the Properties button one more time to reach the full General tab.
NOTE 3: If the computer runs any older version of Windows, view the Configuration tab and verify if Client for Microsoft Windows is present in the displayed list. If not, install the component by clicking on the Add button.
4. From the new dialog on display, select Client and click on Add to continue.
5. From the list of manufacturers at the right of the active window, choose Microsoft. Then choose Client for Microsoft Windows from the list of Network Cli
218. Screenshot 125: Stopping active downloads
To stop an active patch download, right-click on the particular patch and select Cancel Download.
(Optional) Configure alternative patch file deployment parameters
Screenshot 126: Patch file properties dialog
You can optionally configure alternative patch deployment parameters on a patch by patch basis. Parameters that can be configured
219. ownload queue. Screenshot 142: GFI LANguard N.S.S. Status Monitor icon shown in the Windows system tray. The Status Monitor is automatically loaded in the Windows system tray whenever the GFI LANguard N.S.S. management console is started. NOTE: Bring up the Status Monitor without opening the GFI LANguard N.S.S. management console from Start > Program files > GFI LANguard Network Security Scanner 8.0 > LNSS Status Monitor. In this chapter you will discover how to use the GFI LANguard N.S.S. 8 Status Monitor to view: • The global security threat level • The state of active scheduled scans • Scheduled update deployments • Patch autodownload queue. Screenshot 143: Status Monitor, Global security threat level tab. The global securit
220. Screenshot 137: Advanced deployment options. Use the Advanced tab to configure advanced options, including: • The number of patch deployment threads that will be used • Deployment timeout • Authentication credentials for the deployment agent service. Start the deployment process.
221. oyed • Sort patches and change download priorities • Download patches and service packs • Start the deployment process and monitor its progress • Recall patches that were already deployed on target computers. Selecting target computers for patch deployment: After scanning your network, you can start the deployment of missing patches and service packs on target computers.
222. Screenshot 71: The Use data from computer profiles button. To scan target computers using computer profiles, click on the Use data from computer profiles button included in the GFI LANguard N.S.S. 8 tool bar. Configuring Patch Autodownload: GFI LANguard N.S.S. 8 ships with a patch autodownload feature which allows you to automatically download missing Microsoft patches and service packs in all 38 languages supported by Microsoft products. In addition, you can also schedule patch autodownload by specifying the timeframe within which the download of patches is to be performed. To configure patch autodownload: 1. Click on the Configuration button and expand the Configuration > Settings sub-node. 2. Right-click the Patch Autodownload sub-node and select Properti
223. Screenshot 97: Dangerous network devices are listed as High Security Vulnerabilities. Together with device enumeration, you can further configure GFI LANguard N.S.S. to generate high security vulnerability alerts whenever particular USB and network hardware is detected. This is achieved by compiling a list of unauthorized (blacklisted) network and USB devices that you want to be alerted of. You can also configure GFI LANguard N.S.S. to exclude from the scanning process particular USB devices that you consider as safe, such as USB keyboards. This is achieved by compiling a safe (whitelist) list of USB devices to be ignored during scanning. Screenshot 98: List of authorized network devices. For example, you can create a generic USB device scanning profile that checks and enumerates all USB and network devices found connected to your targets. In this case, you do not need to specify any device in the unauthorized and ignore lists of your scanning profile. Create a high security vulnerability for network devices whose name contains
224. plications (including security software) discovered during target computer scanning. • Non-updated security software: Shows only the installed security applications (i.e. anti-virus/anti-spyware software) that have missing updates and outdated signature definition files. NOTE: You can also create new scan filters or customize the above default scan filters. Running a filter on a scan: To run a scan result filter on security scan results: 1. Launch and complete a security scan of your network, or load the scan results of past scans from your database or XML file.
225. puters configuration dialog. 2. Open the Active Directory Users and Computers. Right-click on the root container of the domain and select Properties. Screenshot 164: Configuring a new Group Policy Object (GPO). 3. In the properties dialog, click on the Group Policy tab. Then click on New to create a new Group Policy Object (GPO) in the root container. 4. Specify the name of the new group policy, for example Domain Policy, and then click on Close. NOTE: Microsoft recommends that you create a new Group Policy Object rather than editing the default policy (called Default Domain Policy). This makes it much easier to recover from serious problems with security settings. If the new security settings create problems, you can temporarily disable the new Group Policy Object until you isolate the settings that caused the problems. 5. Right-click on the root container of your domain and select Properties. This will bring up again the Domain Properties dialog. 6. Click on the Group Po
226. r that is outside the firewall, for example Web servers that are on a DMZ. The firewall will generally block all the CGI requests that are directly sent by GFI LANguard N.S.S. to a target computer that is in front of the firewall. To avoid this, set the Send CGI requests through proxy option to Yes and specify the name/IP address of your proxy server and the communication port which will be used to convey the CGI request to the target.
227. rate only specific information. For example, you may want to create a scanning profile that is set to be used when scanning the computers in your DMZ, as opposed to your internal network. In practice, scanning profiles allow you to focus your vulnerability scanning efforts on a specific area of your IT infrastructure, such as identifying only missing security updates. The benefit is that this way you have less scan results data to analyze; therefore you can tighten the scope of your investigation and quickly locate the information that you require more easily. With multiple scanning profiles, you can perform various network security audits without having to go through a reconfiguration process for every type of security scan required. In this chapter you will discover how to: • Use the default scanning profiles that ship with GFI LANguard N.S.S. • Configure and customize default scanning profiles • Create new customized scanning profiles. About OVAL: Open Vulnerability and Assessment Language (OVAL) is an international information security community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the OVAL community. The language standardizes the three main steps of the assessment process: • Repr
228. reas Connection properties, WINS tab. 7. Select the Default option from the NetBIOS Setting area. NOTE: If static IP is being used or the DHCP server does not provide NetBIOS setting, select the Enable NetBIOS over TCP/IP option instead. 8. Click on OK and exit the Local Area Properties dialog(s). Installing the Client for Microsoft Networks component on Windows 2000 or higher: The Client for Microsoft Networks is an essential networking software component for the Microsoft Windows family of operating systems. A Windows computer must run the Client for Microsoft Networks to remotely access files, printers and other shared network resources. These step-by-step instructions explain how to verify that the client is present and, if not, how to install it. 1. Navigate to the Windows Control Panel (Start > Settings > Control Panel). 2. Right-click on the Local Area Connection item and select Properties. This will bring up the Local Area Connection Properties dialog. NOTE: If the computer runs any older version of Windows, like Windows 95 or Windows 98, locate and right-click on Network Neighborhood, then choose Properties. Alternatively, navigate to Control Panel and open the Network item.
229. rently active in the GFI LANguard N.S.S. will be used. NOTE: In the management console, the default (i.e. currently active) scanning profile is denoted by the word (Active) next to its name. To view which profile is active, expand the Configuration > Scanning Profiles node. • Output (Optional): Specify the full path (including filename) of the XML file where the scan results will be saved. • Report (Optional): Specify the full path (including filename) of the HTML file where the scan results HTML report will be output/saved. • User and Password (Optional): Specify the alternative credentials that the scanning engine will use to authenticate to a target computer during security scanning. Alternatively, you can use the UseComputerProfiles switch to use the authentication credentials already configured in the Computer Profiles (Configuration > Computer Profiles node). • Email (Optional): Specify the email address on which the resulting report(s) will be sent at the end of this scan. Reports will be emailed to destination through the mail server currently configured in the Configuration > Alerting Options node of the management console. • DontShowStatus (Optional): Include this switch if you want to perform silent scanning. In this way, the scan progress details will not be shown. • (Optional) Use this swi
230. report which vulnerabilities are present on the system. Hence, no other patch-related checks are run against the target(s) and no extra data is retrieved from the target computer(s). On the other hand, the Vulnerabilities and patches scanning profile performs vulnerability checks on all vulnerable areas of your network, as well as all checks for all missing patches. Hence, it takes more time to complete the scan. More information is also retrieved from the scanned targets and reported in the scan results. Creating a new scanning profile: To create a new scanning profile: 1. Click on the Configuration button and expand the Configuration > Settings sub-node. 2. Right-click the Scanning Profiles sub-node and select New > Profile. 3. Specify the name of the new profile and click OK.
231. ring the scanning process, GFI LANguard N.S.S. enumerates all services running on a target computer for you to analyze. This way, you can identify which services must be stopped. Further to the freeing up of resources, this exercise automatically hardens your network by reducing the entry points through which an attacker can penetrate into your system. To access the list of services enumerated during a scan, click on the Services sub-node. Detailed scan results: Analyzing Processes. Click on the Processes sub-node to access the list of processes that were running on the target computer during a scan.
232. Screenshot 133: Selecting the target computers. From the Computer(s) to deploy software on area (see image above), specify target computers using one of the following options: • Click Add to input the IP/name of your target computer(s). • Click Select to select target computer(s) from the list of machines currently connected to your domain. • Clic
233. Screenshot 75: Microsoft SQL Server database backend options. To store scan results in a Microsoft SQL Server database: 1. Click on the Configuration button and expand the Configuration > Settings sub-node. 2. Right-click the Database Maintenance Options sub-node and select Properties. 3. Select the MS SQL Server option and choose the SQL Server that will be hosting the database from the provided list of servers discovered on your network. 4. Specify the SQL Server credentials, or select the Use NT authority credentials option to authenticate to the SQL server using Windows account details. 5. Click on OK to finalize your settings. NOTE 1: If the specified server and credentials are correct, GFI LANguard N.S.S. will automatically log on to your SQL Server and create the necessary database tables. If the database tables already exist, it will re-use them. NOTE 2: When using NT authority credentials, make sure that GFI LANguard N.S.S. services are running under an account that has both access and administrative privileges on the SQL Server databases. Database maintenance: Managing saved scan results. Use the Saved Scan Results tab to
234. Screenshot 83: Scanning Profiles properties, Vulnerabilities tab options. The scanning profiles that ship with GFI LANguard N.S.S. 8 are already pre-configured to execute a number of vulnerability checks on selected target. Nevertheless, you can still disable vulnerability scanning as well as customize the list of vulnerability checks to be executed during a scan. Enabling/disabling vulnerability scanning: To enable vulnerability scanning in a particular scanning profile: 1. Select the Configuration button and expand the Configuration > S
235. Screenshot 55: Scan filters, Full report. 2. Expand the Security Scanner > Results Filtering node. 3. Select the scan filter that you want to apply (e.g. Vulnerabilities All). Creating a custom scan filter: To create a custom scan filter: 1. Click on the Main button, right-click the Security Scanner > Results Filtering node and select New > Filter. Screenshot 56: The new Scan filter properties dialog, General tab page.
236. s XP based computers that have the MS03-026 patch (i.e. the Blaster virus patch) missing. 1. Click on the Main button, right-click on the Security Scanner > Results Filtering node and select New > Filter. 2. In the filter name field, type in Missing Blaster Patch and click on the Add button. 3. Select the operating system option and click on Next. Screenshot 60: Filter conditions dialog. 4. From the conditions drop-down box, select Equal to and in the value field type in Windows XP. 5. Click on the Add button to add the condition to the filter. Screenshot 61: The new Scan Filter properties dialog, General tab page. 6. Click on Add to create another filter condition in which you will specify the required patch name, i.e. MS03-026. 7. From the list of filter properties, select Patch and then click on Next. 8. From the conditions drop-down, select is not installed and in the value field type in MS03-026. Click on the Add button to include this condition in the scan filter. 9. Click OK to finalize the configuration and create the filter. The new filter is add
237. s anti-virus and anti-spyware software. During security scanning, GFI LANguard N.S.S. will check if the supported virus scanner(s) or anti-spyware software is correctly configured and that the respective definition files are up to date. Application scanning is configurable on a scan profile by scan profile basis, and all the configuration options are accessible through the two sub-tabs contained in the applications configuration page. These are the Installed Applications sub-tab and the Security Applications sub-tab. Enabling/disabling checks for installed applications: To enable installed applications scanning in a particular scanning profile: 1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node. 2. Select the scanning profile that you wish to customize and from right pane click on the Applications tab. 3. Select the Enable scanning for installed applications on target computers option. NOTE: Installed applications scanning is configurable on a scan profile by scan profile basis. Make sure to enable installed applications scanning in all profiles where this is required.
238. s may take a long time to complete per target computer. When using the Default Scanning Profile, GFI LANguard N.S.S. performs checks on the ports most commonly exploited by hackers, Trojans, viruses, spyware and malware. Use the Full TCP & UDP Port Scan scanning profile to run a full open port check on all targets. For more information on how to run security audits using different scanning profiles, refer to the Scanning profiles in action section in the Scanning Profiles chapter in this manual. For more information on how to customize a scanning profile, refer to the Creating a new scanning profile section in the Scanning Profiles chapter in this manual. Service fingerprinting: Further to detecting if the port is open or not, GFI LANguard N.S.S. uses service fingerprint technology to analyze the service(s) that are running behind the detected open port(s). Through service fingerprinting, you can ensure that no hijack operation has taken place on that port. For example, you can verify that behind port 21 of a particular target computer there is an FTP server running and not an HTTP server. Dangerous port reporting.
239. Screenshot 67: Scheduled Scan properties, Results Notification tab. To specify which reports will be sent via email after the execution of a scheduled scan: 1. Click on the Configuration button and expand the Configuration > Settings sub-node. 2. Right-click the Scheduled Scans sub-node and select Properties. This will bring up the scheduled scans properties dialog. 3. Click on the Results Notifications tab and select the report(s) that will be emailed upon completion of the scheduled scan. 4. Click on OK to save your settings. NOTE: For information on how to configure mail server settings or administrator email address, refer to the alerting options section in this chapter. Configuring alerting options: To configure mail server settings or administrator email address: 1. Click on the Configuration button and expand the Configuration > Settings sub-node. 2. Right-click the Alerting Options sub-node and select Properties. This will bring up the scheduled scans properties dialog.
240. Screenshot 115: Selecting the Microsoft update files. Out of the box, GFI LANguard N.S.S. supports multilingual patch management for all Unicode-compliant languages. Through multilingual patch management, you can download and deploy missing Microsoft product updates discovered during a security scan in a variety of different languages. The security scanning engine identifies missing Microsoft patches and service packs by referencing Microsoft Software Update files. These files contain the latest complete list of product updates currently provided by Microsoft and are available in all languages supported by Microsoft products. Use the GFI LANguard N.S.S. Program Update tool to download the latest Microsoft Software Update files in all languages currently in use on your network. This would allow the security scanning engine to discover and report both English as well as non-English missing patches and service packs. Based on this information, you can then use the patch deploy
241. stomize and from right pane click on the OS Data tab. 3. From the right pane, expand the Windows OS Data group and Linux OS Data group accordingly. 4. Select which Windows/Linux OS information will be retrieved by the security scanner from scanned targets. For example, to enumerate administrative shares in scan results, expand the Enumerate shares option and set the Display admin shares option to Yes. Configuring vulnerabilities scanning options.
242. such administrative shares. For more information on how to achieve this, refer to the Customizing OS Data Retrieval parameters section in the Scanning Profiles chapter. Detailed scan results: Analyzing password policy. Windows 2000/XP/2003 security policies provide a set of rules that can be configured for all user accounts to protect against brute-force password guessing attacks. These include account lockout control and password strength enforcement policies which, if correctly configured, make it very difficult for an attacker to crack user logon credentials. Typical vulnerabilities in an IT infrastructure are the result of incorrectly configured lockout control and password strength enforcement policies. These include default passwords and weak passwords that are made up of few characters or which are identical to the respective username.
243. tch agent service: This background service handles the deployment of patches, service packs and software updates on target computers.

GFI LANguard N.S.S. script debugger

Screenshot 2: GFI LANguard N.S.S. script debugger

This module allows you to write and debug custom scripts using a VBScript-compatible language. Use this module to create scripts for
244. tch to show the command line tool's usage instructions.

NOTE: Always enclose full paths and profile names within double quotes, i.e. "path or profile name", for example "Default", "c:\temp\test.xml".

The command line target scanning tool allows you to pass parameters through specific variables. These variables will be automatically replaced with their respective value during execution. Supported variables include:
• %INSTALLDIR%: During scanning, this variable will be replaced with the path to the GFI LANguard N.S.S. installation directory.
• %TARGET%: During scanning, this variable will be replaced with the name of the target computer.
• %SCANDATE%: During scanning, this variable will be replaced with the date of scan.
• %SCANTIME%: During scanning, this variable will be replaced with the time of scan.

Example: How to launch target computer scanning from the command line tool

For this example we will be assuming that a scan with the following parameters is required:
1. Perform a security scan on a target computer having IP address 130.16.130.7.
2. Output the scan results to c:\out.xml (i.e. XML file).
3. Generate an HTML report and save it in c:\result.htm.
4. Send the HTML report via email to lnss@127.0.0.1.

The command line tool instruction for this particular security scan is:

lnsscmd.exe 130.16.130.1 /Profile="Default" /Output="c:\out.xml" /Report="c:\result.html" /email="lnss@127.0.0.1"

Usi
245. Screenshot 48: The list of missing and installed patches enumerated during target computer scanning

Click on the System patching status node for an overview of the patching status of a target computer.

Detailed scan results: Analyzing NETBIOS names

Each computer on a network has a unique NETBIOS name. The NetBIOS name is a 16-byte address that allows NETBIOS resources to be identified on the network. NETBIOS names are successfully mapped to an IP address using NETBIOS name resolution. During the vulnerability scanning process, GFI LANguard N.S.S. queries the identity and availability of a target network computer using NETBIOS. If available, the target computer will respond to the request by sending the respective NETBIOS name. To access NETBIOS details collected during a scan, click on th
246. ted
Generating a Results Comparison Report
The Results Comparison Report

14 GFI LANguard N.S.S. Status Monitor
Introduction
Viewing the global security threat level
Viewing the progress of scheduled scans
Viewing the progress of scheduled deployments
Viewing the autodownload queue

15 Tools
Introduction
DNS lookup
Traceroute
Whois
Enumerate computers
Starting a security scan
Deploying custom patches
Enabling auditing policies
Enumerate users
SNMP audit
247. ters to pass on during deployment by selecting one of the following options:
• Parameters normally used for Windows patches: Select this option if you want to pass parameters normally supplied during the installation of Windows patches.
• Parameters normally used for Internet Explorer patches: Select this option if you want to pass parameters normally supplied during the installation of Internet Explorer patches.
• Custom: Select this option if you want to include custom parameters. Specify the required parameters in the entry box provided at the bottom of the dialog.
5. Click Add to finalize your settings.

Repeat the process described above for every file/software that you want to deploy. On completion, proceed to configure the list of target computer(s) where the selected files will be deployed. A description on how to achieve this is provided below.

Selecting target computers for file deployment
248. the generated ZIP file to mailto:support@gfi.com. Ensure that you have registered your product on our website first, at http://customers.gfi.com. We will answer your query within 24 hours or less, depending on your time zone.

You can also contact GFI by phone for technical support. Please check our support website for the correct numbers to call, depending on where you are located, and for our opening times. Support website: http://support.gfi.com. Ensure that you have registered your product on our website first, at http://customers.gfi.com.

Web Forum
User-to-user support is available via the web forum. The forum can be found at http://forums.gfi.com.

Build notifications
We strongly suggest that you subscribe to our build notifications list. This way you will be immediately notified about new product builds. To subscribe to our build notifications, go to http://support.gfi.com.
249. the default settings configured prior to shipping. However, if required, you can also customize these settings to suit any particular vulnerability management requirements that your organization might need. You can customize and configure various aspects of GFI LANguard N.S.S., including scan schedules, vulnerability checks, scan filters and scan profiles. In this chapter you will discover how to:
• Create and configure scheduled scans
• Configure email alerts
• Configure computer profiles
• Configure automatic patch downloads
• Configure the database backend settings

Creating and configuring scheduled scans

Network vulnerability scans can be scheduled to be executed automatically on specific date/time periods as well as regularly on a daily/weekly/monthly schedule. By default, scheduled scan results are stored in the Microsoft Access or Microsoft SQL Database backend. However, you can also configure GFI LANguard N.S.S. 8 to:
• Save scan results as XML or HTML files and store them in a specific location to be used further on for report comparison operations.
• Automatically generate a scan results report and send it to the administrator via email.

NOTE: For information on how to configure mail server settings or administrator email address, refer to the alerting options section in this chapter.

GFI LANguard N.S.S. 8 can automatically generate and email two types of reports following the completion of a scheduled scan: the Fu
250. the download queue status. The icons next to each update file show the current download status. These icons indicate the following states:
• Downloaded
• Currently being downloaded
• Not downloaded

Stopping active downloads
251. the scanned target computer.

10 GFI LANguard N.S.S. updates

Introduction

Periodically, GFI releases program updates aimed at enhancing the performance and functionality of the product, such as the addition of new vulnerability checks. Apart from its own program updates, GFI LANguard N.S.S. 8 can also download Microsoft product updates, including missing patches and service packs for operating systems as well as desktop applications such as MS Office XP/2007. In this chapter you will learn how to check, download and update GFI LANguard N.S.S. You will also learn how to configure GFI LANguard N.S.S. so as to enable/disable automatic checking for newer builds at application startup.

Checking the version of currently installed updates
252. thentication method. Click on Next to continue.

NOTE: GFI LANguard N.S.S. services require administrative privileges over the SQL Server database backend.

Screenshot 8: Specify alerting email address and mail server details

8. Specify the SMTP mail server details and email address where administrator notifications will be sent. Click on Next to continue.
253. ties Managed saved scan results tab

To manage saved scan results:
1. Click on the Configuration button and expand the Configuration > Settings sub-node.
2. Right-click the Database Maintenance Options sub-node and select Properties.
3. Click the Saved Scan Results tab.
4. To manually delete saved scan results, select the particular result(s) and click on the Delete Scan(s) button.
5. To let GFI LANguard N.S.S. manage database maintenance for you, select one of the following options:
• Scans which are less than: Select this option to automatically delete scan results which are older than a specific number of days/weeks or months.
• Only last: Select this option to retain only a specific number of recent scan results.

Database maintenance: List of scanned computers

GFI LANguard N.S.S. incorporates a mechanism where a global list of scanned computers is maintained for licensing purposes. This enables GFI LANguard N.S.S. to enforce its licensing details, where a larger range of scanned computers than what is specified in the licensing information will not be scanned. GFI LANguard N.S.S. enables systems administrators to delete previously scanned computers (nodes) so that node licenses taken by computers that are no longer present on the network, or which should no longer be scanned, can be reutilized.
254. tin information, right-click on the respective patch and select More details > Bulletin Info.

Vulnerabilities > High/medium/low security vulnerabilities
255. tings
• Chapter 8 deals with how you can customize GFI LANguard N.S.S. to suit your particular network needs.
• Chapter 9 is exclusively dedicated to scanning profiles and their customization. You will also learn how to create new scanning profiles to scan for specific issues.
Key features
• Chapter 10 deals with GFI LANguard N.S.S. program updates, the configuration of such updates and how to turn them on and off.
• Chapters 11 and 12 enable you to discover how to deploy Microsoft updates, service packs and third-party software. You will also discover how to roll back (uninstall) Microsoft updates.
• Chapter 13 will enable you to learn how to use GFI LANguard N.S.S. to generate a results comparison report between scans held in different periods of time.
• Chapter 14 demonstrates the functionality of the GFI LANguard N.S.S. status monitor and the features that are included within. It assists you in interpreting the various tabs that are included in the status monitor.
• Chapter 15 shows you how to use the various tools that are implemented within GFI LANguard N.S.S. Amongst others, these include DNS Lookup, Traceroute and enumeration of users and computers.
• Chapters 16 and 17 deal with advanced features related to the use of GFI LANguard N.S.S. via command line and how to add custom vulnerabilities using scripts.
• Chapter 18 engages any mis
256. Screenshot 102: Devices configuration page: Unauthorized devices and Ignore devices lists

Compiling a network device blacklist/whitelist

To compile a network device blacklist/whitelist:
1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node.
2. Select the scanning profile that you want to customize and, from the right pane, click on the Devices tab.
Creat
257. tor network-attached devices for conditions that require administrative attention.
NOTE: No network audit operations or vulnerability checks other than those used for SNMP scanning are performed by this profile.
• Protection from Portable Storage: Use this scanning profile to check if GFI EndPointSecurity is installed or if GFI EndPointSecurity's security agent is deployed on scan targets.
NOTE 1: No vulnerability checks, missing patch scans or network audit operations other than those related to GFI EndPointSecurity are performed by this profile.
NOTE 2: You can customize this profile to enumerate only unauthorized (blacklisted) software or vice versa. For more information, refer to the user manual.
• Missing Patches: Use this scanning profile to enumerate missing Microsoft patches. The list of missing patches that will be enumerated by this profile can be customized through the Patches tab.
NOTE: No network audit operations or vulnerability checks other than those related to missing Microsoft patches are performed by this profile.
• Critical Patches: Use this scanning profile to enumerate only missing Microsoft patches that are tagged as critical. The list of critical patches that will be enumerated by this profile can be customized through the Patches tab.
NOTE: No network audit operations or vulnerability checks other than those related to missing critical Microsoft patches are performed by this profile.
• Last Month's Patches
258. tton. This will bring up the Add vulnerability dialog box.
5. Go through the General, Description and Reference tabs while specifying the basic details, such as the vulnerability name, short description, security level and OVAL ID (if applicable).
6. Choose the Conditions tab and click on the Add button. This will bring up the check properties wizard.
7. Select the Independent checks > CGI Abuse test node and click on the Next button to continue setup.
8. Specify:
• HTTP method: Specify the type of HTTP request that the CGI vulnerability check will use when querying information. CGI vulnerability checks support 2 HTTP methods: the GET method and the HEAD method.
• To check for the URL: Specify the name of the CGI script that will be executed during target computer scanning.
• Directories: Specify the directories where the CGI script is located.
Click on the Next button to continue setup.
9. Specify the conditions for the CGI vulnerability check. Click Finish to save the custom condition settings.
10. Click on the OK button to save the new CGI vulnerability check.

NOTE: To automatically include new checks in the next target computer scan, click on the Advanced button and set the New vulnerabilities are enabled by default option to Yes.
259. twork security scan.
• High vulnerability level computers: Use this default scan filter to display computers and vulnerability details for which the vulnerability level is high.
• Missing patches and service packs: Use this default scan filter to display all missing service packs and patch files discovered on the scanned target computer(s).
• Missing critical patches: Use this default scan filter to display all missing patches marked as critical.
• Missing service packs: Use this scan filter to display a list of all computers, and their computer details, which have a missing service pack.
• Important devices (USB): Shows all the USB devices attached to the scanned target computer(s).
• Important devices (wireless): Shows all the wireless network cards (both PCI and USB) attached to the scanned target computer(s).
• Open ports: Shows all open TCP and UDP ports discovered on the scanned target computer(s).
• Open shares: Shows all open shares and the respective access rights.
• Auditing policies: Shows the auditing policy settings of the scanned target computer(s).
• Password policies: Shows the active password policy settings configured on the scanned target computer(s).
• Groups and users: Shows the users and groups detected on the scanned target computer(s).
• Computer properties: Shows the properties of each target computer.
• Installed applications: Shows all the installed ap
260. Screenshot 40: Results dialog in audit policy wizard

3. At this stage a dialog will show whether the deployment of audit policy settings was successful or not. You can choose to re-deploy settings on failed computers by clicking on the Back button. To proceed to the next stage, click Next.
4. Click Finish to finalize your settings and close the Audit Policy Administration Wizard.

Detailed scan results: Analyzing open TCP ports

Open ports represent active services and applications that can be exploited by malicious users to gain access to a computer. It is very important to leave open only the ports that you know are necessary for the central core functions of your network services. All other ports should be closed.
261. ugh connection requests that are sent in the form of NETBIOS queries, SNMP queries and/or ICMP pings.

NOTE: By default, GFI LANguard N.S.S. will NOT scan the devices that fail to respond to the connection requests sent via NETBIOS queries, SNMP queries or ICMP pings.

Stage 2: Establish connection with target device
In the second stage of its target scanning process, GFI LANguard N.S.S. will establish a direct connection with the target computer by remotely logging on to it. This is achieved using the scan credentials configured in step 5 of the new scan wizard.

Stage 3: Execute vulnerability checks
During this final stage, GFI LANguard N.S.S. will execute the vulnerability checks configured within the selected scanning profile. This will result in the identification and reporting of specific weaknesses present on your target computer.

NOTE 1: GFI LANguard N.S.S. ships with a default list of scanning profiles that are preconfigured with vulnerability checks. Nevertheless, you can also customize both the scanning profiles and the vulnerability checks contained within. For more information on how to achieve this, refer to the Scanning Profiles chapter.

NOTE 2: Please note that if any type of Intrusion Detection Software (IDS) is running during scans, GFI LANguard N.S.S. will set off a multitude of IDS warnings and intrusion alerts in these applications. If you are not responsible for the IDS system, make sure to inform the person in charge a
262. update files will be downloaded.
4. To change the default download path, select the Download all update files to this path option and provide the alternate download path.
5. Click on Next to proceed with the update.

Screenshot 117: The Check for updates Wizard: Stage 2

6. Select the updates to be downloaded and click Next. Available updates include:
• GFI LANguard N.S.S. Vulnerabilities Update: Select this option to download new vulnerability checks and fixes.
• GFI LANguard N.S.S. Dictionaries Update: Select this option to down
263. Screenshot 69: Computer profile properties dialog

To create a new computer profile:
1. Click on the Configuration button and expand the Configuration > Settings sub-node.
2. Right-click the Computer Profiles sub-node and select New > Computer(s) Profile. This will bring up the Computer Profile properties dialog.
3. In the General tab, which opens by default, specify the target computer name.
4. Click on the Logon Credentials tab, select the required authentication method and specify the respective logon credentials.
5. Click OK to finalize your settings.

NOTE: In GFI LANguard N.S.S. 8, newly created computer profiles are disabled by default. For information on how to enable newly created computer profiles, refer to the Enabling/Disabling computer profiles section in this chapter.

Configuring comp
264. Screenshot 37: Password policy node

GFI LANguard N.S.S. helps you identify misconfiguration in your password policies by collecting the password policy settings currently configured on target computers and including them as part of the scan results. This way you avoid the need of having to physically check these out on the respective machines. To access the password policy settings collected during a scan, click on the Password Policy sub-node.

Detailed scan results: Analyzing registry settings

The registry is one of the most delicate parts of Windows-based operating systems, since it coordinates the various hardware and software blocks of a system. It is quite obvious that, in order to keep up with its task, the registry must store key information. These include hardware
265. ute
• Whois
• Enumerate Computers
• Enumerate Users
• SNMP Audit
• SNMP Walk
• SQL Server Audit

DNS lookup

Click on the Tools button and select the Tools > DNS Lookup tool to resolve domain names into the corresponding IP address and to retrieve particular information from the target domain (for example, MX record, etc.).

Screenshot 147: The DNS Lookup tool

To resolve a domain/host name:
1. Click on the Tools button an
266. uter profile parameters

Screenshot 70: List of existing computer profiles

To configure/change the parameters of an existing computer profile:
1. Click on the Configuration button and expand the Configuration > Settings > Computer Profiles sub-node.
2. Right-click the computer profile to configure and select Properties.
3. Configure the required parameters and click OK to finalize your settings.

Enabling/Disabling Profiles

By default, all the newly created computer profiles are disabled. In practice, this means that GFI LANguard N.S.S. 8 will not use these profiles during vulnerability scans. To enable or disable profiles:
1. Click on the Configuration button and expand the Configuration > Settings >
267. Screenshot 81: Scanning Profiles properties, TCP Ports tab options. Enabling/disabling TCP/UDP Port scanning: To enable TCP Port Scanning in a particular scanning profile: 1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node. 2. From the right pane, click on the TCP/UDP Ports tab(s) accordingly. 3. Select the Enable TCP Port Scanning and/or Enable UDP Port Scanning option(s) accordingly. NOTE: TCP/UDP Ports scanning parameters are configurable on a scan profile by scan profile basis. Make sure to enable TCP/UDP port scanning in all profiles where TCP/UDP port scanning is required. Configuring the list of TCP/UDP ports to be scanned: To configure which TCP/UDP ports will be processed by a scanning profile during vulnerability scanning: 1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node. 2. Select the scanning profile that you wish to customize and, from the right pane, click on the TCP Ports/UDP Ports tab(s) accordingly. 3. Select the TCP/UDP ports that will be analyzed by this scanning profile. Customiz
268. vice packs or patches previously deployed on network computers. • Enable Auditing Policy: Use this option to resolve vulnerabilities related to the wrong configuration of Microsoft auditing policies. Clicking on this option will launch the GFI LANguard N.S.S. Auditing Policies Administrative Support Wizard, through which you can configure auditing policies on your target computers. Analyzing the detailed scan results
269. vulnerability scanning. Obviously, the more vulnerability checks you run, the longer it will take for the scan process to complete. [Screenshot: Scanning Profiles node. Profiles shown: Vulnerabilities and Patches (Active); Full Scan; Full Scan (Slow Networks); Vulnerabilities; Top SANS 20 Vulnerabilities; High Security Vulnerabilities; Last Year's Vulnerabilities; Only Web; Trojan Ports; Only SNMP.] This scan profile tells the scan engine to check target systems for open vulnerabilities and missing security updates. No network audit operations will be performed. Scanning Profiles: Use this node to configure different profiles which can be used to scan the network. For example, you can create a profile that scans only for missing patches. Alternatively, use a different profile to scan a DMZ as opposed to your internal network. Once you have created a profile, you can make GFI LANguard N.S.S. use this profile by right-clicking on it and selecting Set Active. You can see which profile a scan is using from the text in brackets on the security scanner node. Vulnerabilities and Patches (Active) Protection From Portable Stor
270. Screenshot 46: Network devices enumerated during a security scanning session. As part of the vulnerability scanning process, GFI LANguard N.S.S. enumerates all hardware and software network devices, including physical and wireless ones. To access this information, click on the Network Devices sub-node. The information collected in this sub-node is grouped as follows: • Physical devices (Wired) •
271. Screenshot 84: Select the vulnerability checks to be run by this scanning profile. 3. Select the vulnerability checks that you wish to execute through this scanning profile. Customizing the properties of vulnerability checks: All the checks listed in the Vulnerabilities tab have specific properties that determine when the check is triggered and what details will be enumerated during a scan. Screenshot 85: Vulnerability properties dialog, General tab. To change the properties of a vulnerability check: 1. Right-click on the vulnerability to customize and select Properties. 2. Customize the selected vulnerability check through the following tabs: • General: Use this tab to customize the general details of a vulnerability check, including vulnerability check name, vulnerability type
272. y threat level tab provides you with extensive security information based on data acquired during scans. This enables you to determine at a glance the current network vulnerability level, the top five most vulnerable computers, and the number of computers in the database. It also provides you with a breakdown of the vulnerable computers according to their vulnerability level. NOTE 1: The data displayed in the Global security threat level tab is dynamically worked out by GFI LANguard N.S.S. based on previous scans. To view the global security threat level: 1. Bring up the status monitor by right-clicking on the icon located in your Windows system tray and select Status. 2. Click on the Global security threat level tab. Viewing the progress of scheduled scans: Scheduled scans are scans that have been set up to trigger at a later date and time. Through the Active Scheduled scans tab in GFI LANguard N.S.S.'s Status Monitor, you can monitor these scans and stop current scans in progress or remove finished scan details. Screenshot 144: Status Monitor, Active scheduled scans tab. To view scheduled scans in progress: 1
273. Screenshot 105: Dangerous USB devices are listed as High Security Vulnerabilities. Enabling/disabling checks for attached USB devices: To enable scans for attached USB devices in a particular scanning profile: 1. Select the Configuration button and expand the Configuration > Scanning Profiles sub-node. 2. Select the scanning profile that you wish to customize and, from the right pane, click on the Devices tab. 3. Select the Enable scanning for USB Devices installed on the target computer(s) option. NOTE: USB device scanning is configurable on a scan profile by scan profile basis. Make sure to enable USB device scanning in all profiles where this is required. Compiling a USB devices blacklist/whitelist: To compile a list of unauthorized/dangerous USB devices: 1. Select the Configuration button, expand the Configuration > Scanning Profiles node and select the scanning profile that you wish to customize. 2. From the right pane, click on the Devices tab. Create a high security vulnerability For USB devices whose name