Getting started: Performing an audit
Introduction
An audit of network resources enables the administrator to identify and assess possible risks within a network. Doing this manually involves a tiresome series of repetitive and time consuming tasks that must be accurately performed on each and every network computer. GFI LANguard N.S.S. automates the security auditing process and remotely scans computers for known vulnerabilities, common misconfiguration and other potential security issues in a relatively short time. The information collected during the scanning process is then used to assist the tracking and mitigation of security issues that have been identified. Typical information enumerated during the security scanning process includes:
- The service packs level of the computer
- Missing security patches
- Wireless access points
- USB devices
- Open shares
- Open ports
- Services/applications active on the target computer(s)
- Key registry entries
- Weak passwords
- Users and groups.
To perform a security audit the scanning engine requires you to specify three primary parameters:
1. Target computer(s) to scan for security issues.
2. Scanning Profile to use (specifies vulnerability checks/tests to be done against the specified targets).
3. Authentication details to be used to log on to the target computer(s).
About scanning profiles (list of vulnerability checks/tests)
Before starting a scan you must specify which vulnerability checks/tests to be run against the specified target(s).
This is required because GFI LANguard N.S.S. contains a multitude of vulnerability checks that can be run on your network infrastructure. Although much of these vulnerability checks can be run against all network computers, there are some `specialized' checks which are role specific and thus their results depend both on the services that are running on that particular target computer(s) as well as the desired type of security scan you need to perform. For example, CGI vulnerability checks need to be run only when scanning Web servers.
In GFI LANguard N.S.S. the vulnerability checks that will be run against a target in a security scan are specified in templates called `Scanning Profiles'. These scanning profiles hold the `scanning instructions/parameters' that the scanning engine will follow during a security audit i.e. the vulnerability checks that must be executed against the targets as well as the information that is to be retrieved from these targets. For more information on scanning profiles, refer to the `Scanning Profiles' chapter in this manual.
For a well balanced security scan use the `Default Scanning Profile' option.
Logon credentials to access the target computer(s)
During a security scan, for some types of information retrieval/vulnerability tests, GFI LANguard N.S.S. needs to remotely log on to each target computer. By default GFI LANguard N.S.S. uses the security context of the user under which it is running. You can also specify alternative logon credentials to run a scan under a different security context from the currently logged on user.
While the above would fit most network scanning needs you may meet situations when you log on to some target computers with a particular administrative account and onto some other target computers with a totally different administrative account.
To cater for this situation GFI LANguard N.S.S. allows you to configure computer profiles for different targets which are located in your network. Use computer profiles to specify the logon credentials to use when logging in to a target computer even when a security scan is being run under a different security context. For example, you can use computer profiles to make sure that the computer FILESERVER is always scanned with the account COMPANY\fileserveradmin and that the computer WEBSERVER is always scanned with the account COMPANY\webserveradmin.
For more information on computer profiles refer to the `Computer Profiles' section in the `Configuring GFI LANguard N.S.S.' chapter in this manual.
Important considerations
1. Please note that if your company runs any type of Intrusion Detection Software (IDS) during scanning, GFI LANguard N.S.S. will set off a multitude of IDS warnings and intrusion alerts in these applications. If you are not responsible for the IDS system, make sure to inform the person in charge about any planned security scans.
2. Along with the IDS software warnings, be aware that a lot of the scans will show up in log files across the board. UNIX logs, web servers, etc. will all show the intrusion attempts made by the computer running GFI LANguard Network Security Scanner. If you are not the sole administrator at your site make sure that the other administrators are aware of the scans you are about to run.
