Ability to patch Windows NT/2000/XP machines that are missing hotfixes*
Once GFI LANguard N.S.S. has found a machine that lacks security patches, it can push those security patches to the remote machine, either installing them immediately or scheduling a time for them to install - all without user intervention!

Fast TCP & UDP port scanning & identification
GFI LANguard N.S.S. includes a fast TCP/IP and UDP port-scanning engine, allowing you to scan your network for unnecessary open ports. GFI LANguard N.S.S. identifies well-known services (such as www/FTP/telnet/SMTP...) and also supports "banner grabbing". Banner grabbing means that the product queries the port for an application name. View screenshot

GFI LANguard N.S.S. "alerts" pinpoint security issues & recommend action
After GFI LANguard N.S.S. has completed a scan of a computer, it generates an "Alerts" node which details key security issues and recommends a course of action. Wherever possible, GFI LANguard N.S.S. includes more information about the security issue or a web link to more information, for example a BugTraq ID or a Microsoft Knowledgebase article ID. View screenshot

Automatically detect NEW security holes with scheduled scan results comparisons*
GFI LANguard N.S.S. is able to compare scan results and identify new security holes appearing on your network. Use the scheduled scan feature to schedule daily or weekly network scans, which can then be automatically compared to previous scan results. This allows you to quickly identify changes such as newly created shares, installed services, added users or added ports. You can configure GFI LANguard N.S.S. to automatically email you the changes. View screenshot

Finds all shares on your network
GFI LANguard N.S.S. enumerates all shares on your network, including administrative shares (C$, D$, ADMIN$) and printer shares. Using this feature you can:

• Check whether a user is sharing his/her whole drive with other users;
• Prevent anonymous/unauthenticated access to shares;
• Ensure that startup folders or similar system files are not shared as this could allow less privileged users to execute code on target machines.

Find unused local users & groups
GFI LANguard N.S.S. also enumerates all local users and groups, and marks user accounts not being used, allowing you to remove the accounts you do not need. It is important to disable all unused accounts and ensure that the used accounts (administrator) have a strong password.

Vulnerabilities database includes Microsoft & UNIX/CGI issues
GFI LANguard N.S.S. automatically updates its security vulnerabilities database by downloading the continuously updated security bulletins XML file from the Microsoft site. This XML file contains the list of security vulnerabilities in Windows platforms and applications. In addition to this, the GFI LANguard N.S.S. security vulnerabilities database is also updated with issues reported to BugTraq. GFI LANguard N.S.S. also audits UNIX issues and cgi vulnerabilities.

Query generator for scan reports*
Because scan reports can include a lot of data, GFI LANguard N.S.S. includes a query generator that allows you to filter the XML scan reports for specific data. For example, you can query a scan result for all machines with shares, or for all machines running FTP servers.

LANguard Scripting (LANS)*
GFI LANguard N.S.S. includes a script creator for writing complex security checks. It includes a script editor with syntax highlighting capabilities and a debugger. Use GFI LANguard N.S.S. to create custom security checks for your network.

Identifies all installed NT/2000/XP services
Disable all services that you do not need! All services running on the scanned machines are listed. Each service can be a potential security risk, so closing/switching off what you do not need automatically reduces the security risk. View screenshot

Check if auditing is enabled & enable network wide
GFI LANguard N.S.S. will also check if each NT/2000/XP machine has security auditing enabled. If not, GFI LANguard N.S.S. will alert you and allow you to remotely enable auditing. Security event auditing is highly recommended - it enables you to detect intruders in real time. GFI LANguard N.S.S.'s companion product GFI LANguard Security Event Log Monitor automates network-wide, real time analysis of security events.

Check password policy
GFI LANguard N.S.S. can automatically check password policy for all machines on the network. Ensure that the password policy is secure, for example, by enabling a maximum password age, password lockout and password history.

Check for programs that run automatically
GFI LANguard N.S.S. can find programs that are automatically launched on a user's workstation. Review these entries carefully for possible Trojans.

HTML/XML reports
GFI LANguard N.S.S. outputs results of scans to a graphical HTML report, so that you can print the report and review it easily.

Other features:

• Scans large networks by sending UDP query status to every IP
• Lists NETBIOS name table for each responding computer
• Provides NETBIOS hostname, currently logged username & MAC address
• Provides a list of shares, users (detailed info), services, sessions, remote TOD (time of day) & registry information from remote computer (NT/2000)
• Tests password strength on Windows 9x/NT/2000 systems using a dictionary of commonly used passwords
• SNMP device detection, SNMP Walk for inspecting network devices like routers, network printers...
• Support for sending spoofed messages (social engineering)
• DNS lookup (www.somehost.com - > xxx.xxx.xxx.xxx); resolve hostnames (reverse DNS)
• Trace route support for network mapping
• Configuration manager so you can easily save particular scans

* These features are part of the registered/purchased version only.