3.6 Detailed scan results: Network & Software Audit

Screenshot 18 - The network and software audit node

Expand the Network & Software Audit node to view security vulnerabilities identified on scanned targets. Here, vulnerabilities are grouped by type and severity as follows:

•	System Patching Status

•

Ports

•

Hardware

•

Software

•	System Information

 

Category	Information
	Fast response
	Medium Response
	Slow response

NOTE: The first icon indicates that the scan is queued, while the second icon indicates that the scan is in progress.

3.6.1 System patching status

Expand System Patching Status sub-node to access Information on:

•	Missing Patches – List of missing Microsoft Patches

•	Missing Service Packs – List of missing Microsoft Service Packs

•	Installed Patches – List of installed Microsoft Patches

•	Installed Service Packs – List of installed Microsoft Service Packs.

3.6.2 Ports

Expand the Ports sub-node to view all TCP and UDP ports detected during a scan. When a commonly exploited port is found open, GFI LANguard will mark it in red. Care is to be taken, as even if a port shows up in red, it does not mean that it is 100% a backdoor program. Nowadays with the array of software being released, it is becoming more common that a valid program uses the same ports as some known Trojans.

Further to detecting if, the port is open or not, GFI LANguard uses service fingerprint technology to analyze the service(s) that are running behind the detected open port(s). Through service fingerprinting you can ensure that no hijack operation has taken place on that port. For example, you can verify that behind port 21 of a particular target computer there is an FTP server running and not an HTTP server.

3.6.3 Hardware

Expand the Hardware sub-node to view a hardware audit categorized as follows:

 

Category	Information provided
Network Devices (Physical, Virtual, Wireless, Software enumerated devices)	• MAC address • IP address • Device type • Vendor • Hostname • DHCP Set • DNS Server • Status
USB Devices	• Device name • Description • Manufacturer
Local Drives	• Drive letter • Total disk space • Available disk space
Processors	• Vendor • Processor speed
Motherboard	• Product name • Manufacturer • Version • BIOS name • BIOS vendor • BIOS version • BIOS release date • BIOS Serial Number
Memory details	• Physical memory • Free physical memory • Virtual memory • Free virtual memory
Storage details	• Description • Manufacturer • Interface type • Media type • Partitions • Size • Drive(s)
Display adapters	• Manufacturer • Monitor • Current video mode
Other devices	• HID • System devices • Keyboard • Ports (COM & LPT ports) • Floppy disk controllers • Mouse • Multimedia • Hard disk controllers • Computer • Storage volumes • SCSI and RAID controllers • Storage Volume Snapshots

3.6.4 Software

Expand the Software sub-node to access software audit categories:

 

Category	Information provided
General Applications	• Application name • Version • Publisher
Antivirus Applications	• Application name • Real-time protection • Up-to-date • Last update • Version • Publisher

3.6.5 System Information

Expand the System Information sub-node to access OS information grouped as follows:

Category	Information Provided	Helps to identify
Shares	• Share name • Share remark (extra details on the share) • Folder which is being shared on the target computer • Share permissions and access rights • NTFS permissions and access rights.	Users sharing entire hard-drives, shares that have weak or incorrectly configured access permissions. Startup folders, and similar system files, that are accessible by unauthorized users, or through user accounts, that do not have administrator privileges, but are allowed to execute code on target computers. Unnecessary or unused shares.
Password Policy	• Minimum password length • Maximum password length • Minimum password age • Force logoff • Password history	Incorrectly configured lockout control Password strength enforcement policies
Security Audit Policy	• Audit account logon events • Audit account management • Audit directory service access • Audit logon events • And more…	Security holes or breaches
Registry	• Registered owner • Registered organization • Product name • Current build number	Hardware and software settings such as which drivers and applications will be automatically launched at system startup
NETBIOS Names	• Workstation service • Domain name • Domain controllers • File server service	Rogue computers and Wrong configurations
Computer	• MAC address • Time to live (TIL) • Network role • Domain	Rogue computers and Wrong configurations
Groups	• Account operators • Administrators • Backup operations • Guests	Wrong configurations and security flaws due to rogue or obsolete user groups
Users	• Full name • Privilege • Flags • Login	Rogue, obsolete or default user accounts
Logged On Users	• List of logged on users	Authorized and unauthorized users currently logged on computers
Sessions	• Lists hosts remotely connected to the target computer during scanning,	Authorized and unauthorized remote connections
Services	• List of active services	Rogue or malicious processes; redundant services
Processes	• List of active processes	Rogue or malicious processes
Remote TOD (time of day)	• Time of remote workstation, server or laptop.	Time inconsistencies and regional settings Wrong configurations

Security audit policy

An important part of any security plan is the ability to monitor and audit events happening on your network. These event logs are frequently referenced in order to identify security holes or breaches. Identifying attempts and preventing them from becoming successful breaches of your system security is critical. In Windows, you can use ‘Group Policies’ to set up an audit policy that can track user activities or system events in specific logs.

In order to help you keep track of your system’s auditing policy GFI LANguard collects the security audit policy settings from scanned target computers and includes in the scan results. This information is accessed by click on the Security Audit Policy sub-node.

Apart from gaining knowledge on the current audit policy settings, you can also use GFI LANguard to access and modify the audit policy settings of your target computers. To achieve this:

1. From the Scanned Computers (middle) pane, right-click on the respective target computer and select Enable auditing on ► This computer/Selected computers/All computers.

Screenshot 19 - The audit policy administration wizard

2. Select/unselect auditing policies accordingly, and click Next to deploy the audit policy configuration settings, on the target computer(s).

Screenshot 20 - Results dialog in audit policy wizard

3. At this stage, a dialog will show whether the deployment of audit policy settings was successful or not. You can choose to re-deploy settings on failed computers by clicking on the Back button. To proceed to the next stage click Next.

4. Click Finish to finalize your configuration.

Groups/users

Rogue, obsolete or default user accounts can be exploited by malicious or unauthorized users to gain access to restricted areas of your IT infrastructure. The ‘Guest’ account for example is just one example of commonly exploited accounts – reason being that more often than not, this account is left configured within a system and even worse without changing the default password settings. Malicious users have developed applications, which can automatically re-enable the ‘Guest’ account and grant it administrative rights; Empowering users to gain access to sensitive areas of the corporate IT infrastructure.

GFI LANguard collects information on all user accounts and user groups currently enabled on scanned targets. This information is organized in the scan results under two separated nodes. To access the list of user accounts identified during on a target computer, click on the Users sub-node. Use the information enumerated in this sub-node to inspect the access privileges assigned to each user account. To gain access to the list of user-groups configured on a target computer, click on the Groups sub-node.

NOTE: Users should not use local accounts to log on to a network computer. For better security, users should log on to network computers using a ‘Domain’ or an ‘Active Directory’ account.

Sessions

Click on the Sessions sub-node to access the list of hosts that were remotely connected to the target computer during scanning.

NOTE: The information enumerated in this sub-node also includes the remote connection details of the scanning session just performed by GFI LANguard i.e. the IP of the computer that is running GFI LANguard, the logon credentials, etc.

Services

Active services can be a potential security weak spot in your network system. Any of these services can be a Trojan, a viruses or another type of malware, which can seriously affect your system in a dangerous way. Furthermore, unnecessary applications and services that are left running on a system consume valuable system resources.

During the scanning process, GFI LANguard enumerates all services running on a target computer for you to analyze. This way you can identify which services must be stopped. Further to the freeing up of resources, this exercise automatically hardens your network by reducing the entry points through which an attacker can penetrate into your system. To access the list of services enumerated during a scan, click on the Services sub-node.

Processes

Click on the Processes sub-node to access the list of processes that were running on the target computer during a scan.

Remote time of day

Click on the Remote TOD (time of the day) sub-node to view the network time that was read from the target computer during the scan. This time is generally set on network computers by the respective domain controller.