
Analyzing the scan results

Screenshot 14 - GFI LANguard N.S.S. configuration interface: Analyzing the scan results

Use the information presented in the 'Scanned computers' section (middle pane) to navigate the results of the scanned computers. Security scan results are organized in a number of category sub-nodes. These can be easily used to investigate and identify security issues in the scanned targets.

Scan results are organized in the following categories:

  • Vulnerabilities
  • Potential vulnerabilities
  • Shares
  • Applications
  • Network devices
  • USB devices
  • Password policy
  • Security audit policy
  • Registry
  • Open TCP ports
  • System patching status
  • NETBIOS names
  • Computer
  • Groups
  • Users
  • Logged on users
  • Sessions
  • Services
  • Processes
  • Remote time of day (TOD)
  • Local drives.

To view the scan results data retrieved during a security scan, click on the category of interest. The information is shown in the 'Scan Results' (right) pane.

Vulnerabilities

Screenshot 15 - The Vulnerabilities node

Click on the Vulnerabilities sub-node to view the security vulnerabilities identified on the target computer. Detected vulnerabilities are grouped by type and severity into five main categories:

  • Missing service packs
  • Missing patches
  • High security vulnerabilities
  • Medium security vulnerabilities
  • Low security vulnerabilities.

Vulnerabilities > Missing service packs

A service pack (SP) is a cumulative update that bundles previously released fixes for known bugs and, in some cases, adds new features to an operating system or application.

GFI LANguard N.S.S. checks for missing service packs by comparing the service pack level installed on the scanned target(s) with the latest level currently released by Microsoft for each product.

Screenshot 16 - Missing Service Packs results tree

NOTE: GFI LANguard N.S.S. is capable of checking for missing software updates and service packs on various Microsoft products. For a complete list of supported products go to http://kbase.gfi.com/showarticle.asp?id=KBID002573.

Details shown in the results tree of this category include the:

  • `Product name' and `Service Pack Number'.
  • `URL:' - The URL link to a Knowledge Base article or other support documentation related to the detected missing service pack.
  • `Release date:' - The date when the reported service pack was released.

To access more detailed information on a missing service pack, right-click on the particular service pack and select More details ....

Screenshot 17 - Missing Service pack: Bulletin info dialog

This will bring up the `Bulletin Info' dialog of the respective service pack. The information shown in this bulletin includes:

  • The Q number (Microsoft Knowledge Base article number). This is the unique ID that Microsoft assigns to each software update for identification purposes.
  • The release date of the bulletin/service pack.
  • A long description of the service pack and its contents.
  • The list of OS/Application(s) to which the service pack applies.
  • The URL link to more information about the respective service pack.
  • The name of the service pack file and the relative file size.
  • The URL from where you can manually download this service pack.

Vulnerabilities > Missing patches

A patch is an update released by a software company to address a technical or security issue. Attackers very commonly exploit such known vulnerabilities to gain access to a network, and leaving target systems unpatched exposes them to attacks that cost business time and/or data.

GFI LANguard N.S.S. scans target computers to ensure that all relevant security updates released by Microsoft are installed.

Screenshot 18 - Missing patches detected during target scanning

Missing patches discovered during target scanning are listed and grouped under the `Missing Patches' category.

Details shown in results tree of this category include the:

  • `Patch ID' and `Product name'.
  • `Bugtraq ID/URL:' - The Bugtraq ID of the vulnerability (where one exists) and the URL of the related Microsoft Knowledge Base article or security bulletin.
  • `Severity:' - The severity rating of the security issue that the patch addresses.
  • `Date Posted:' - The release date of the missing patch.

To access more detailed information, right-click on a particular patch and select More details....This will bring up the `Bulletin Info' dialog containing addition details on the respective software patch.

NOTE: GFI LANguard N.S.S. is capable of checking for missing software updates and service packs on various Microsoft products. For a complete list of supported products go to http://kbase.gfi.com/showarticle.asp?id=KBID002573.

Vulnerabilities > High, medium, low security vulnerabilities

Screenshot 19 - High, medium, low security vulnerabilities

The `High', `Medium' and `Low security vulnerabilities' sub-nodes contain information on weaknesses discovered while probing a target device. These vulnerabilities are organized into 8 groups:

  • CGI abuses.
  • FTP vulnerabilities.
  • DNS vulnerabilities.
  • Mail vulnerabilities.
  • RPC vulnerabilities.
  • Service vulnerabilities.
  • Registry vulnerabilities.
  • Misc/Linux/UNIX vulnerabilities.

The content of each group is described below:

CGI abuses

This group contains details of the security vulnerabilities (such as misconfiguration issues) discovered on scanned web servers. Supported web servers include Apache, Netscape, and Microsoft IIS. The information listed in this section includes:

  • `Vulnerability check name' (for example, Imported_IIS: FrontPage Check)
  • `Description:' - A short description of the respective vulnerability.
  • `Bugtraq ID/URL:' - The Bugtraq ID of the vulnerability (where one exists) and the URL to more detailed information, such as a Microsoft Knowledge Base article.

FTP, DNS, Mail, RPC and Misc/Linux/UNIX vulnerabilities

These groups list the security weaknesses discovered while scanning particular services, such as FTP servers, DNS servers, and SMTP/POP3/IMAP mail servers. Each entry includes a short description and links to Microsoft Knowledge Base articles or other vendor documentation related to the vulnerability.

Service vulnerabilities

This group lists security vulnerabilities associated with services running on the scanned network device(s). It also enumerates unused accounts that are still active and accessible on the scanned target computers.

Registry vulnerabilities

This group includes details of the vulnerabilities discovered in the registry settings of a scanned network device. The details shown in this category include links to support documentation as well as a short description of the respective vulnerability.

Potential vulnerabilities

Screenshot 20 - Potential vulnerabilities node

Click on the Potential vulnerabilities sub-node to view scan result items which were classified as possible network weaknesses. Although not classified as vulnerabilities, these items require close attention since a malicious user can still make use of them during an attack.

For example, during a security scan GFI LANguard N.S.S. will enumerate all of the modems which are installed and configured on the target computer. If these modems are not used or connected to a telephone line, they are of no threat to your network (i.e. no vulnerability). On the other hand, if the modems are used and connected they can be used by your network users to gain unauthorized and unmonitored access to the Internet.

This would further allow them to both bypass your firewall and any other Internet security settings implemented (for example, virus scanning, site rating and content blocking) as well as generate high telephone bills for the company. In addition to the above, hackers might detect such connections and exploit them to gain uncontrolled access to your network system through this unmonitored route. As a result, GFI LANguard N.S.S. considers installed modems as potential threats and enumerates them in a dedicated category (i.e. the `Potential Vulnerability' sub-node) for your attention and analysis.

Open shares

Click on the Shares sub-node to view all shares on a target computer.

Screenshot 21 - Shares node

In the wild, there are various worms and viruses (for example, Klez, Bugbear, Elkern and Lovgate) which spread out using open shares detected on the computers of a network.

GFI LANguard N.S.S. enumerates the properties of all shares discovered on your network. Use this data to ensure that:

1. No user is sharing whole drives with other users.

2. Anonymous/unauthenticated access to shares is not allowed and that appropriate access permissions are set up.

3. Startup folders or similar system files are not shared as these could allow less privileged users to execute code on target computers.

4. No user has unnecessary or unused shares.

For every open share detected the following information is retrieved from the target computer:

  • Share name
  • Directory which is being shared on the target computer
  • Share permissions and access rights
  • NTFS permissions and access rights.

NOTE: Every Windows computer has administrative shares (C$, D$, E$ etc.) which GFI LANguard N.S.S. will by default enumerate during target computer scanning. As these can become irrelevant to your security audit you can configure GFI LANguard N.S.S. not to report such administrative shares. For more information on how to achieve this refer to the `Customizing OS Data Retrieval parameters' section in the 'Scanning Profiles' chapter in this manual.
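The four checks listed above can be applied mechanically to what the Shares node reports. The following Python is an added example and is not part of this manual or of GFI LANguard N.S.S.: it runs the checks over constructed share records (share name, shared path, share-level ACL, NTFS ACL) shaped like the fields listed above. The record layout, the rule names, and the assumption that a principal must appear on both the share ACL and the NTFS ACL to have effective access (group nesting is not expanded) are the example's own.

```python
"""Share-hygiene checks over records shaped like the Shares node output.

Added example; the record layout and rule names are assumptions, not the
scanner's own data format.
"""
import re

WHOLE_DRIVE = re.compile(r"^[A-Za-z]:\\?$")
# Per-user and All Users Startup folders; anything placed there runs at logon.
STARTUP_DIR = re.compile(r"\\Start ?Menu\\Programs\\Startup\\?$", re.IGNORECASE)
# Default administrative shares: C$, D$, ..., ADMIN$, IPC$, PRINT$.
ADMIN_SHARE = re.compile(r"^(?:[A-Za-z]\$|ADMIN\$|IPC\$|PRINT\$)$", re.IGNORECASE)
# Principals whose grants amount to anonymous or unauthenticated access.
WEAK_PRINCIPALS = {"everyone", "anonymous logon", "guest", "guests"}
RANK = {"Read": 1, "Change": 2, "Full": 3}

# Constructed sample records, not scanner output.
SAMPLE_SHARES = [
    {"name": "C$", "path": "C:\\",
     "share_perms": {"Administrators": "Full"}, "ntfs_perms": {"Administrators": "Full"}},
    {"name": "Public", "path": "C:\\Public",
     "share_perms": {"Everyone": "Change"}, "ntfs_perms": {"Everyone": "Full"}},
    {"name": "Drive_D", "path": "D:\\",
     "share_perms": {"Everyone": "Read"}, "ntfs_perms": {"Everyone": "Read"}},
    {"name": "Startup",
     "path": "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup",
     "share_perms": {"Users": "Change"}, "ntfs_perms": {"Users": "Change"}},
    {"name": "Finance", "path": "C:\\Finance",
     "share_perms": {"Finance": "Change"}, "ntfs_perms": {"Finance": "Change"}},
]


def effective_right(share, principal):
    """Access through a share is the more restrictive of the share ACL and the
    NTFS ACL. Assumption: the principal must be named on both ACLs; group
    membership (e.g. Everyone reaching a folder via Users) is not expanded."""
    s = share["share_perms"].get(principal)
    n = share["ntfs_perms"].get(principal)
    if s is None or n is None:
        return None
    return s if RANK[s] <= RANK[n] else n


def audit_share(share, report_admin_shares=False):
    """Return (rule, message) findings for one share record."""
    name, path = share["name"], share["path"]
    if ADMIN_SHARE.match(name):
        # Default administrative shares are reported only when asked for.
        return [("admin-share", f"{name} is a default administrative share")] if report_admin_shares else []
    findings = []
    if WHOLE_DRIVE.match(path):
        findings.append(("whole-drive", f"{name} exposes the whole of {path}"))
    if STARTUP_DIR.search(path):
        findings.append(("startup-folder", f"{name} shares a Startup folder"))
    for principal in share["share_perms"]:
        if principal.lower() not in WEAK_PRINCIPALS:
            continue
        right = effective_right(share, principal)
        if right is None:
            continue  # granted on the share but blocked by NTFS
        rule = "anonymous-write" if RANK[right] >= RANK["Change"] else "anonymous-read"
        findings.append((rule, f"{name}: {principal} has effective {right} access"))
    return findings


def audit_shares(shares, report_admin_shares=False):
    """Map share name -> findings for a whole target."""
    return {s["name"]: audit_share(s, report_admin_shares) for s in shares}


if __name__ == "__main__":
    for share, found in audit_shares(SAMPLE_SHARES).items():
        for rule, msg in found:
            print(f"{share:10} {rule:16} {msg}")
```

The fourth check in the list (unnecessary or unused shares) needs knowledge of what each share is for and is left to the reviewer; the script only surfaces the shares that are mechanically suspect.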

Password policy settings

Screenshot 22 - Password policy node

Click on the Password Policy sub-node to view the password policy settings of the scanned target computer(s).

Windows 2000/XP/2003 security policies provide a set of rules that apply to all user accounts and protect against brute-force password guessing. Such policies include account lockout policies as well as password strength enforcement policies. They are essential to a secure network because they make it much harder for an attacker to find a weak link in your user base. Typical weaknesses in an IT infrastructure include short passwords, blank or default passwords, and passwords identical to the respective username.

Use the password policy settings which GFI LANguard N.S.S. retrieves from scanned target computers to identify configuration vulnerabilities on your network.

Registry settings

Click on the Registry sub-node to view important registry key values configured on your target computer.

Screenshot 23 - Registry node

By examining the values in the Run node (the CurrentVersion\Run key), you can check which programs are configured to launch automatically at startup or logon.

This information allows you to identify Trojans, authorized or unauthorized applications as well as valid applications which can provide remote access into your network. Any type of software which is run without your express instruction from the start menu should be noted and checked for validity.

Failure to do so may provide an entry opportunity into your system.
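A scripted review of the Run key values shows what to look for when validating startup entries. The following Python is an added example, not part of this manual or of GFI LANguard N.S.S. It parses a regedit-style export (a constructed sample with two legitimate entries beside three that should be questioned) of the CurrentVersion\Run and RunOnce keys and applies heuristics that are the example's own: an executable in a user-writable location, a system-process name outside System32, a loader such as rundll32 pointed at a user-writable DLL, an unquoted path containing spaces, and a bare name resolved through the search path.

```python
"""Review of Run/RunOnce autostart values from a regedit (.reg) export.

Added example: the heuristics and the sample export are the example's own;
they are neither the scanner's checks nor real scan output.
"""
import re

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
QUOTED_DATA = re.compile(r'^"((?:[^"\\]|\\.)*)"$')
# Key suffixes that hold autostart command lines (HKLM, HKCU and Wow6432Node variants).
AUTORUN_KEYS = ("\\Microsoft\\Windows\\CurrentVersion\\Run",
                "\\Microsoft\\Windows\\CurrentVersion\\RunOnce")
# Shortest prefix ending in an executable extension, for unquoted command lines.
EXE_PREFIX = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)
USER_WRITABLE = re.compile(
    r"\\(?:Temp|Local Settings|Application Data|AppData|Documents and Settings|Users|ProgramData|Downloads)\\",
    re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample export (regedit writes UTF-16; decode to text before parsing).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"svchost"="C:\\Documents and Settings\\bob\\Local Settings\\Temp\\svchost.exe"
"Updater"="rundll32.exe C:\\WINDOWS\\Temp\\upd.dll,Start"
"Backup Agent"="C:\\Program Files\\Acme Backup\\agent.exe /tray"
"OptionalComponents"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Acme]
"DisplayName"="Acme Backup"
'''


def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_autoruns(text):
    """Yield (key, value_name, command_line) for string values under Run/RunOnce."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or not key.endswith(AUTORUN_KEYS):
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        data = QUOTED_DATA.match(m.group(2))
        if data:  # dword:, hex: and similar carry no command line
            yield key, unescape(m.group(1)), unescape(data.group(1))


def executable_of(command):
    """Return (executable path, unquoted_with_spaces) for a command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]), False
    m = EXE_PREFIX.match(command)
    exe = m.group(1) if m else command.split(" ", 1)[0]
    # An unquoted path with spaces makes CreateProcess try C:\Program.exe,
    # then C:\Program Files\Acme.exe, before the intended binary.
    return exe, " " in exe


def assess(command):
    """Heuristic review flags for one autostart command line."""
    exe, unquoted_spaces = executable_of(command)
    base = exe.rsplit("\\", 1)[-1].lower()
    flags = []
    if unquoted_spaces:
        flags.append("unquoted-path-with-spaces")
    if not re.match(r"^[A-Za-z]:\\", exe):
        flags.append("relative-path")  # resolved through the search path at logon
    if USER_WRITABLE.search(exe):
        flags.append("user-writable-location")
    if base in SYSTEM_NAMES and "\\system32\\" not in exe.lower():
        flags.append("system-name-outside-system32")
    if base in LOADERS and USER_WRITABLE.search(command):
        flags.append("loader-runs-user-writable-payload")
    return flags


def audit_autoruns(text):
    """One dict per autostart value: key, name, command and review findings."""
    return [{"key": k, "name": n, "command": c, "findings": assess(c)}
            for k, n, c in parse_autoruns(text)]


if __name__ == "__main__":
    for entry in audit_autoruns(SAMPLE_REG):
        status = ", ".join(entry["findings"]) or "ok"
        print(f"{entry['name']:14} {status:62} {entry['command']}")
```

Entries with no findings still deserve a look (a signed binary in Program Files can be a legitimate remote-access tool), but the flagged ones are where an investigation starts.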

Security audit policy settings

Click on the Security Audit Policy sub-node to view the security audit policy settings configured on a scanned target computer.

An important part of any security plan is the ability to monitor and audit events on your network. Event logs are frequently consulted to identify security holes or breaches, and detecting attempts before they become successful breaches of your systems is critical. In Windows, you can use Group Policy to set up an audit policy that records user activities or system events in specific logs.

Whilst scanning, GFI LANguard N.S.S. extracts the currently configured security audit policy settings from the target computer(s). Use this information to identify whether auditing policies are properly set up on your network computers.

GFI recommends that you set up the audit policy settings of your network computers as follows. Note that `Object access' only records accesses to files, registry keys and other objects that carry an audit entry (SACL), so enabling it is a prerequisite for file and registry access auditing rather than a complete audit in itself:

Auditing policy            Success   Failure
-------------------------  --------  --------
Account logon events       Yes       Yes
Account management         Yes       Yes
Directory service access   Yes       Yes
Logon events               Yes       Yes
Object access              Yes       Yes
Policy change              Yes       Yes
Privilege use              No        No
Process tracking           No        No
System events              Yes       Yes

You can also remotely configure the audit policy settings of target computers directly from the GFI LANguard N.S.S configuration interface. This is done as follows:

1. From the `Scanned Computers' (middle) pane, right-click on the respective target computer and select Enable auditing on > This computer. This will launch the `Audit Policy Administration Wizard'. Click on Next to proceed with the configuration.

NOTE 1: To remotely configure auditing policies on a particular selection of target computers, right-click on any target computer (which is listed in the middle pane) and select Enable auditing on > Selected computers.

NOTE 2: To remotely configure auditing policies on all target computers listed in the `Scanned Computers' (middle) pane, right-click on any target computer and select Enable auditing on > All computers.

Screenshot 24 - The Audit Policy Administration wizard

2. Select/unselect the check boxes of the auditing policies that you wish to set up on the selected target computer(s). For example, to log successful events, select the `Successful' check box of the relevant auditing policy. Click on Next to initiate the audit policy configuration process on the remote target computer(s).

Screenshot 25 - Results dialog in audit policy wizard

3. A dialog will now show the audit policy configuration results. Click on Next to proceed to the last stage of the configuration process.

4. Click on Finish to close the `Audit Policy Administration Wizard'.

Open ports

Click on the Open Ports sub-node to view a list of ports which are detected as being open for listening on a scanned target computer.

Screenshot 26 - Open TCP ports node

Open ports represent active services and applications, which malicious users can exploit to gain access to a computer. It is very important to leave open only the ports that you know are necessary for the core functions of your network services; all other ports should be closed.

By default GFI LANguard N.S.S. is configured to use the 'Default Scanning Profile'. With this profile, not all 65,535 TCP and 65,535 UDP ports are checked, as that can take a long time per target computer. Instead, the 'Default Scanning Profile' checks the ports most commonly exploited by hackers, Trojans, viruses, spyware and malware. Use the 'Full TCP & UDP Port Scan' scanning profile to run a full open port check on all targets.

For more information on how to run security audits using different scanning profiles refer to the `Scanning profiles in action' section in the `Scanning Profiles' chapter in this manual.

For more information on how to customize a scanning profile refer to the `Creating a new scanning profile' section in the `Scanning Profiles' chapter in this manual.

Service fingerprinting

Further to detecting if the port is open or not, GFI LANguard N.S.S. uses service fingerprint technology to analyze the service(s) which are running behind the detected open port(s). Through service fingerprinting you can ensure that no hijack operation has taken place on that port. For example, you can verify that behind port 21 of a particular target computer there is an FTP server running and not an HTTP server.

Dangerous port reporting

Screenshot 27 - Scan Results: Dangerous ports are marked in RED

When a commonly exploited port is found open, GFI LANguard N.S.S. marks it in red. A port shown in red is not necessarily a backdoor: with the range of software now being released it is increasingly common for a legitimate program to use the same port as a known Trojan, so confirm what is actually listening (see service fingerprinting above) before acting.
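The service fingerprinting and dangerous port checks above come down to the same question: does the protocol answering on a port match what that port is assigned for? The following Python is an added example, not part of this manual or of GFI LANguard N.S.S. and not its fingerprint database. It classifies a service by its greeting banner (or its reply to a minimal HTTP request) and compares the result with the IANA assignment for well-known ports; the banner patterns, the small port table and the constructed observations are the example's own.

```python
"""Banner-based service fingerprinting and port/service mismatch checks.

Added example. The banner patterns and the well-known-port table are the
example's own; they are not the scanner's fingerprint database.
"""
import re
import socket

# Service expected behind a well-known port (IANA assignments).
EXPECTED = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
            110: "pop3", 143: "imap"}

# (service, pattern) pairs tried in order against the first bytes a service
# sends, or against its reply to a harmless HTTP request line.
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d+-")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("ftp",  re.compile(rb"^220[ -].*(?:ftp|filezilla|vsftpd|proftpd)", re.I)),
    ("smtp", re.compile(rb"^220[ -].*(?:smtp|esmtp|mail)", re.I)),
    ("pop3", re.compile(rb"^\+OK")),
    ("imap", re.compile(rb"^\* OK")),
]

# Constructed observations (port, bytes received); not real scan data.
SAMPLE_OBSERVATIONS = [
    (21, b"220 ProFTPD 1.3.1 Server ready.\r\n"),
    (21, b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"),   # a web server answering on the FTP port
    (25, b"220 mail.example.test ESMTP Sendmail ready\r\n"),
    (80, b"HTTP/1.0 400 Bad Request\r\n"),
    (110, b"+OK POP3 server ready\r\n"),
    (8080, b"HTTP/1.1 200 OK\r\n"),
    (12345, b"\x00\x01\x7fgarbage"),
]


def classify_banner(banner):
    """Name the protocol a banner belongs to, or 'unknown'."""
    for service, pattern in SIGNATURES:
        if pattern.search(banner):
            return service
    if banner.startswith(b"220"):
        return "ftp-or-smtp"  # both protocols greet with reply code 220
    return "unknown"


def check_port(port, banner):
    """Return (observed, expected, verdict). 'hijacked': a well-known port is
    answered by a protocol other than its assignment. 'unverified': no
    expectation for the port, or no recognisable banner."""
    observed = classify_banner(banner)
    expected = EXPECTED.get(port)
    if expected is None or observed == "unknown":
        return observed, expected, "unverified"
    if observed == expected or (observed == "ftp-or-smtp" and expected in ("ftp", "smtp")):
        return observed, expected, "consistent"
    return observed, expected, "hijacked"


def audit_observations(observations):
    """[(port, observed, expected, verdict)] for a list of (port, banner)."""
    return [(port, *check_port(port, banner)) for port, banner in observations]


def grab_banner(host, port, timeout=3.0):
    """Live probe (not exercised offline): connect, wait for a greeting, and if
    the service stays silent (HTTP does), send a minimal request and read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = b""
        if not data:
            sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""
    return data


if __name__ == "__main__":
    for port, observed, expected, verdict in audit_observations(SAMPLE_OBSERVATIONS):
        print(f"{port:6} observed={observed:12} expected={str(expected):8} {verdict}")
```

A 'hijacked' verdict is the case the text warns about (an HTTP server answering on port 21); an 'unverified' result on a port the scanner marks in red is the one to chase by hand, because neither the port table nor the banner tells you what is listening.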

Users and groups

Click on the Users sub-node to view all local user accounts on target computer(s). Click on the Groups sub-node to view all local groups on the scanned target computer(s).

Use this information to identify rogue or unused users and groups that can allow access to unauthorized visitors! These include the `Guest' account and other unused or obsolete user accounts and groups. Some backdoor programs re-enable the `Guest' account and grant it administrative rights. Use the details enumerated in the Users sub-node of the scan results to inspect the access privileges assigned to each user account.

NOTE: Users should not use local accounts to log on to a network computer. For better security, users should log on to network computers using a `Domain' or an `Active Directory' account.

Logged on users

Click on the Logged on Users sub-node to access the list of users that are logged on to the scanned target computer locally (via an interactive logon) or remotely (via a remote network connection).

Screenshot 28 - Logged on users node

For every logged on user that is detected, the following information is retrieved (depending on applicability).

  • Logged on username.
  • `Time and Date of the Logon' - The time and date when the user logged on to the target computer.
  • `Time elapsed since their logon' - How long the user has been logged on to this computer.
  • `Number of programs running' - The number of programs that the interactively logged on user was running at the time of the scan.
  • `Idle time' - How long the remote user's connection has been idle (i.e. completely inactive).
  • `Client type' - The platform/operating system that the remote user used to connect to the target computer.
  • `Transport' - The name of the service that was used to initiate the remote connection between the remote computer and the target computer (for example, NetBios.Smb, Terminal Service, Remote Desktop).

Running services

Click on the Services sub-node to access the list of services that were running on the target computer(s) during the security scan. Use this information to identify unknown/unrequired running services on your network computer(s).

NOTE: Each running service is a potential weak spot in your network. For this reason, we recommend that you stop or disable all unnecessary applications and services running on your network computers. This hardens your network by reducing the entry points through which an attacker can penetrate your systems.

Remote running processes

Click on the Remote Processes sub-node to access the list of processes that were running on the target computer during a scan.

Screenshot 29 - List of running processes enumerated during a target scan

During security scanning, GFI LANguard N.S.S. harvests various information on the processes which are running on scanned target computers. Details enumerated during security scanning include:

  • Process name
  • Process ID
  • Path
  • User
  • PPID
  • Domain
  • Command Line
  • Handle Count
  • Thread Count
  • Priority.
Installed applications

Screenshot 30 - List of installed applications enumerated during target computer scanning

Click on the Applications sub-node to access the complete list of applications that are installed on a scanned target computer. Discovered applications are organized into three groups:

  • Anti-virus applications
  • Anti-spyware applications
  • General applications.

The anti-virus applications and anti-spyware applications groups contain the list of security applications installed on a scanned target computer. Details enumerated in these groups include:

  • Application name.
  • `Real time protection:' - Denotes if real time protection is enabled or disabled in an anti-virus application.
  • `Up to date:' - Denotes if the anti-virus/anti-spyware signature files of a security application are up to date. This is achieved by checking (where applicable) the signature file status flag of an application.
  • `Last update:' - Shows the date and time of the last anti-virus/anti-spyware signatures update.
  • `Version:' - Shows the version number of the security application.
  • `Publisher:' - Shows the manufacturer details.

The General applications group contains the list of general purpose applications installed on a scanned target computer. These include all software programs which are not classified as anti-virus or anti-spyware products such as Adobe Acrobat Reader and GFI LANguard Network Security Scanner.

Details enumerated in the General Applications group include:

  • Application name.
  • `Version:' - Shows the version number of the application.
  • `Publisher:' - Shows the manufacturer details.

Network devices

Click on the Network Devices sub-node to access the list of network devices/components (for example, wired and wireless network cards) which are installed on a scanned target computer. Use this information to analyze and identify unauthorized devices connected to your network.

Unmonitored network devices, especially wireless ones, are becoming a major source of information leakage in organizations. Take special care to ensure that only authorized wireless devices are connected to your network infrastructure.

Screenshot 31 - Network devices enumerated during a security scanning session

GFI LANguard N.S.S. identifies all devices on your network including physical and wireless ones. The information enumerated in the Network Devices sub-node is organized in four main groups:

  • Physical devices (Wired)
  • Wireless devices
  • Virtual devices
  • Software enumerated devices.

Each group includes various details about the device detected including:

  • MAC Address
  • Assigned IP Address(es)
  • Hostname
  • Domain
  • DHCP details
  • WEP (where available)
  • SSID (where available)
  • Gateway
  • Status.

USB devices

Screenshot 32 - List of USB devices detected on a scanned target computer

Click on the USB Devices sub-node to access the list of USB devices connected to the target computer(s). Use the information collected in this sub-node to identify unauthorized USB devices currently plugged into the scanned target computer(s). These unauthorized devices may include portable storage devices such as the Apple iPod, or Creative Zen as well as USB wireless devices and Bluetooth dongles.

Reporting unauthorized devices as high security vulnerabilities

Screenshot 33 - Dangerous USB device listed as a High Security Vulnerability

GFI LANguard N.S.S. can be configured to distinguish between authorized and unauthorized USB devices. For more information, refer to the `Compiling a list of unauthorized network devices' section in the 'Scanning Profiles' chapter in this manual.

System hot fixes patching status

Screenshot 34 - The list of missing and installed patches enumerated during target computer scanning

Click on the System patching status node for an overview of the patching status of a target computer.

NETBIOS names

Click on the NETBIOS names sub-node to access the list of NetBIOS names enumerated during target computer scanning.

Each computer on a network has a unique NetBIOS name. A NetBIOS name is 16 bytes long: up to 15 characters (padded with spaces) followed by a one-byte suffix that identifies the service or resource being registered (for example 0x00 for the Workstation service and 0x20 for the File Server service). NetBIOS names are mapped to IP addresses through NetBIOS name resolution (broadcast, WINS or the LMHOSTS file).

During the target probing process, GFI LANguard N.S.S. queries the identity and availability of a target network computer using NetBIOS. If available, the target computer will respond to the request by sending the respective NetBIOS name.
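The query described above is the NetBIOS node status request that nbtstat -A sends to UDP port 137. The following Python is an added example, not part of this manual or of GFI LANguard N.S.S.: it implements the RFC 1001/1002 first-level name encoding, builds the 50-byte wildcard query, and parses a node status response into the name table (name, suffix, unique/group) plus the adapter MAC address. The sample response is constructed in the block itself so the parser can be exercised offline; the live query function is included but is not exercised offline.

```python
"""NetBIOS name encoding and a node status (NBSTAT) exchange, as used by nbtstat -A.

Added example: the wire format follows RFC 1001/1002; the sample response is
constructed here, not captured from a scan.
"""
import socket
import struct

# 16th-byte suffix -> service the name record announces (common values).
SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger Service",
            0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
            0x1D: "Master Browser", 0x1E: "Browser Service Elections",
            0x20: "File Server Service"}
NBSTAT, CLASS_IN = 0x0021, 0x0001


def encode_name(name, suffix=0x00):
    """First-level encoding: 15 chars padded with spaces plus the suffix byte,
    each byte split into two nibbles and each nibble added to 'A'. The
    wildcard '*' is padded with NULs, giving the familiar CKAAAA... query."""
    if name == "*":
        raw = b"*" + bytes(15)
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_name(encoded):
    """Inverse of encode_name: (name, suffix)."""
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def build_node_status_query(txid=0x1234):
    """50-byte NBNS NODE STATUS REQUEST for the wildcard name."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags: plain query
    qname = b"\x20" + encode_name("*").encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, CLASS_IN)


def build_node_status_response(txid, names, mac):
    """NODE STATUS RESPONSE, used here only to construct the offline sample.
    names is [(name, suffix, is_group)]; the statistics block after the MAC
    address is zero-filled (assumption: not parsed)."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response + authoritative
    rr_name = b"\x20" + encode_name("*").encode("ascii") + b"\x00"
    rdata = bytes([len(names)])
    for name, suffix, is_group in names:
        flags = 0x0400 | (0x8000 if is_group else 0)  # ACT bit, G bit
        rdata += name.upper().ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += bytes.fromhex(mac.replace(":", "")) + bytes(40)
    return header + rr_name + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata)) + rdata


def parse_node_status_response(data):
    """Return ([(name, suffix, is_group)], mac) from a NODE STATUS RESPONSE."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an NBNS response carrying an answer")
    off = 12
    off += 1 + data[off] + 1  # length byte, encoded name, terminator
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("not a node status response")
    count = data[off]
    off += 1
    names = []
    for _ in range(count):
        raw, suffix = data[off:off + 15], data[off + 15]
        name_flags = struct.unpack(">H", data[off + 16:off + 18])[0]
        names.append((raw.decode("ascii", "replace").rstrip(), suffix, bool(name_flags & 0x8000)))
        off += 18
    mac = ":".join(f"{b:02X}" for b in data[off:off + 6])
    return names, mac


def describe(names):
    """nbtstat-style lines for a parsed name table."""
    return [f"{n:<15}<{s:02X}> {'GROUP' if g else 'UNIQUE':<6} {SUFFIXES.get(s, 'unknown')}"
            for n, s, g in names]


def node_status(host, timeout=2.0):
    """Live query of UDP/137 (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_query(), (host, 137))
        data, _ = sock.recvfrom(1024)
    return parse_node_status_response(data)


# Constructed sample: a domain controller DC01 in domain CORP.
SAMPLE_NAMES = [("DC01", 0x00, False), ("DC01", 0x20, False),
                ("CORP", 0x00, True), ("CORP", 0x1C, True), ("CORP", 0x1B, False)]
SAMPLE_RESPONSE = build_node_status_response(0x1234, SAMPLE_NAMES, "00:0C:29:AB:CD:EF")

if __name__ == "__main__":
    table, mac = parse_node_status_response(SAMPLE_RESPONSE)
    print("\n".join(describe(table)), "\nMAC", mac)
```

The suffix is what makes the name table useful in a scan: a CORP<1C> group entry identifies a domain controller, <20> says the file server service is registered, and the MAC address comes back even when ICMP is blocked.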

Scanned target computer details

Screenshot 35 - Computer's node

Click on the Computer sub-node to access particular details about the scanned target computer. The details enumerated in this node include:

  • `MAC:' - Shows the MAC address of the network card which the target computer is using to connect to the network.
  • `Time To Live (TTL):' - Shows the TTL value observed in packets received from the target. Each router decrements the TTL by one, so the difference between the sending stack's initial value (commonly 32, 64, 128 or 255) and the observed value is the number of router hops between the computer running GFI LANguard N.S.S. and the target computer that was just scanned.
  • `Network Role:' - Denotes whether the scanned target computer is a Workstation or a Server.
  • `Domain:' - Denotes the domain/workgroup details. When scanning targets which are part of a domain, this field shows the list of trusted domain(s). If the scanned target computer is not part of a domain, this field will show the name of the respective Workgroup.
  • `LAN Manager:' - Shows the type of operating system and LAN Manager in use (for example, Windows 2000 LAN Manager).
  • `Language:' - Shows the language setting configured on the scanned target computer (for example, English).

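Turning the reported TTL into a hop count means guessing which initial value the target's stack started from. The following Python is an added example, not part of this manual or of GFI LANguard N.S.S.; the table of initial TTLs lists common stack defaults and is an assumption about the target, and the hop limit used to reject implausible explanations is the example's own. It shows the ambiguity the text glosses over: a low observed TTL can be a nearby Windows 9x host or a distant Linux host.

```python
"""Hop-distance and OS-family estimate from an observed TTL.

Added example. The initial-TTL table lists common stack defaults and is an
assumption about the target, not something the scanner reports.
"""

# Default initial TTLs of common IP stacks, ascending.
INITIAL_TTLS = (
    (32, "Windows 95/98/ME"),
    (64, "Linux, BSD, macOS"),
    (128, "Windows NT/2000/XP/2003 and later"),
    (255, "Solaris, AIX, Cisco IOS and many appliances"),
)


def candidates(observed_ttl, max_hops=30):
    """All (initial_ttl, hops, family) explanations of an observed TTL whose
    implied path length is plausible (<= max_hops), nearest first."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    out = [(init, init - observed_ttl, fam)
           for init, fam in INITIAL_TTLS if 0 <= init - observed_ttl <= max_hops]
    return sorted(out, key=lambda c: c[1])


def estimate(observed_ttl, max_hops=30):
    """Nearest plausible explanation, or None when no common default is
    within max_hops of the observed value."""
    found = candidates(observed_ttl, max_hops)
    return found[0] if found else None


def ambiguous(observed_ttl, max_hops=30):
    """True when more than one stack default could explain the observation."""
    return len(candidates(observed_ttl, max_hops)) > 1


if __name__ == "__main__":
    for ttl in (118, 60, 250, 30, 33):
        print(ttl, estimate(ttl), "ambiguous" if ambiguous(ttl, max_hops=40) else "")
```

With the default 30-hop limit a TTL of 30 is read as a Windows 9x host two hops away; raise the limit to 40 and a Linux host 34 hops away becomes a second, equally valid reading. Compare the guess with the LAN Manager field before relying on it.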
Active sessions

Screenshot 36 - Session's node

Click on the Sessions sub-node to access the list of hosts that were remotely connected to the target computer during scanning. The details shown in this sub-node include:

  • `Computer:' - The IP Address of the host which was remotely connected to the scanned target computer.
  • `Username:' - The logged on username.
  • `Open files:' - The number of files accessed during the session.
  • `Connection time:' - The duration of the connection session i.e. the time (in seconds) that the user(s) has been remotely connected to the scanned target computer.
  • `Idle Time:' - The total time (in seconds) during which the connection was inactive.
  • `Client type' - The platform/operating system that the remotely logged on computer (i.e. client computer) is running.
  • `Transport' - The name of the service that was used to initiate the remote connection between the client computer and the target computer (for example, NetBios.Smb).

NOTE: The information enumerated in this sub-node also includes the remote connection details of the scanning session just performed by GFI LANguard N.S.S. i.e. the IP of the computer that is running GFI LANguard N.S.S., the logon credentials, etc.

Remote time of day

Click on the Remote TOD (time of day) sub-node to view the time read from the target computer during the scan. On domain members this time is normally synchronized from the domain controller by the Windows Time service, so a large offset can indicate a machine that is not synchronizing with the domain (Kerberos tolerates only a five-minute clock skew by default).

Local drives

Click on the Local Drives sub-node to view the list of physical drives that are accessible on the scanned target computer. The information enumerated in this sub-node includes the drive letter, the total disk space and the available disk space.


© 2008 GFI Software. All rights reserved.