LANguard NSS Whitepaper
Using GFI LANguard Network Security Scanner to secure your internal network

This document demonstrates how to use GFI LANguard Network Security Scanner (N.S.S.) to secure your internal network. It explains how administrators can use the product to identify security issues.

Introduction to GFI LANguard Network Security Scanner

GFI LANguard Network Security Scanner (N.S.S.) is a tool that allows network administrators to quickly and easily perform a network security audit. GFI LANguard N.S.S. combines the functions of a port scanner and a security scanner. It also creates reports that can be used to fix security issues on a network.

Unlike other security scanners, GFI LANguard N.S.S. does not create a "barrage" of information that is virtually impossible to follow up on. Rather, it helps highlight the most important information. It also provides hyperlinks to security sites to find out more about these vulnerabilities.

GFI LANguard N.S.S. is freeware for non-commercial use.
 

Importance of internal network security

Internal network security is, more often than not, underestimated by administrators. Very often, such security does not even exist, allowing one user to easily access another user’s machine using well-known exploits, trust relationships and default settings. Most of these attacks require little or no skill, putting the integrity of a network at stake.

Most employees do not need and should not have access to each other’s machines, administrative functions, network devices and so on. However, because of the amount of flexibility needed for normal operation, internal networks cannot afford maximum security. On the other hand, with no security at all, internal users can be a major threat to many corporate internal networks.

A user within the company already has access to many internal resources and does not need to bypass firewalls or other security mechanisms which prevent non-trusted sources, such as Internet users, from accessing the internal network. Such internal users, equipped with hacking skills, can successfully penetrate and achieve remote administrative network rights while ensuring that their abuse is hard to identify or even detect.

In fact, 80% of network attacks originate from inside the firewall (ComputerWorld, January 2002).

Poor network security also means that, should an external hacker break into a computer on your network, he/she can then access the rest of the internal network more easily. This would enable a sophisticated attacker to read and possibly leak confidential emails and documents; trash computers, leading to loss of information; and more. Not to mention that they could then use your network and network resources to start attacking other sites, which, when discovered, will lead back to you and your company, not the hacker.

Most attacks exploit known vulnerabilities that administrators could easily fix, and therefore stop, if they knew about the vulnerability in the first place. The function of GFI LANguard N.S.S. is to assist administrators in the identification of these vulnerabilities.

Introduction to security audits

An audit of network resources enables the administrator to identify possible risks within a network. Doing this manually requires a lot of time, because of the repetitive tasks and procedures which have to be applied to each machine on the network.

A tool such as GFI LANguard N.S.S. will help identify common vulnerabilities within your network in a very short time. Using intelligent scanning, GFI LANguard N.S.S. minimizes the time it takes to gather information on machines within the scanning perimeter. Such information normally includes usernames and groups, which may include rogue objects to allow backdoor access, enumeration of network shares and similar objects found on a Windows NT or 2000 domain. Apart from this, GFI LANguard N.S.S. also identifies specific vulnerabilities such as configuration problems in FTP servers, exploits in Microsoft IIS and Apache Web Servers or problems in NT security policy configuration, plus a number of other potential issues.

Performing a scan

The first step in beginning an audit of a network is to perform a scan of current network machines and devices.

To begin a new network scan:

  1. Click on File > New.
     
  2. Select Scan a range of computers.
     
  3. Input the starting and ending range of the network to be scanned.
     
  4. Select Finish.
     
  5. Select the Play button [Start Scanning] from the main GFI LANguard N.S.S. window.

GFI LANguard will now do a scan of the entire range entered. It will first detect which hosts/computers are on, and only scan those. This is done using NETBIOS probes, ICMP ping and SNMP queries.

If a device does not respond to any of these probes, GFI LANguard N.S.S. will assume, for now, that the device either does not exist at that IP address or that it is currently turned off. If you want GFI LANguard to scan all devices, even those that do not respond to these queries, you can configure it to do so.

Scans can also be done in the following manner:

  • Scan one Computer
     
  • Scan List of Computers
     
  • Scan Computers that are part of a Network Domain.

Best usage policy

To get the most out of GFI LANguard N.S.S. you will want to perform a number of scans.

The first scan to perform, from within your network, is that of a NULL User. By doing this you will see what anyone - using GFI LANguard N.S.S. or another such tool - can detect and learn about your network if they are already inside. The NULL User scan uses an anonymous connection that Windows supports, and with it gathers a ton of information.

The next scan to perform is that of an Administrator on your Domain, Workgroup, or Active Directory Tree. By comparing these two scans you will be able to see the difference between an authenticated user and an anonymous user within the Intranet.

The last scan you will want to perform is that of a NULL User again, but this time, from outside your Intranet. By using an outside dialup or high speed Internet connection to perform this scan, you will be able to determine what any user on the Internet - who scans you with a tool such as GFI LANguard N.S.S. - can gather from your network. Hopefully, in most cases, they cannot gather any information at all because of a corporate firewall.

Analyzing the scan results

After a scan, nodes will appear under each machine that GFI LANguard N.S.S. finds. The left pane will list all the machines and network devices. Expanding one of these will list a series of nodes with the information found for that machine or network device.

GFI LANguard N.S.S. will find any network device that is currently turned on when doing a network probe. The type of device and what type of queries it responds to will determine how well GFI LANguard N.S.S. can identify it and what information it can retrieve.

Depending on the device found, different information is available. However, for explanation purposes we will assume that the network device found is a Windows machine for most of the information to come.

Network device IP and name
First to appear is the IP address of the device we are working on. Next to that is the NetBIOS name or DNS name, depending on the type of device. Finally, GFI LANguard N.S.S. reports what OS is running on the device and, if it is NT/2000/XP, which Service Pack is installed on the machine.

NetBIOS names
The first node under the device lists NetBIOS information, such as services, current user logged on, etc.

Trusted domains
If the computer is part of a Domain, it will show one or more trusted Domains. Ensure that the trust relationships are set up correctly and this machine actually should trust all Domains listed.

Shares
Open shares, if not secured, are a threat to network integrity. Administrators should make sure that:

  • No user is sharing his/her whole drive with other users.
  • Anonymous/unauthenticated access to shares is not allowed. GFI LANguard N.S.S. has an option to check for these non-passworded shares and will let you know when it finds them.
  • Startup folders or similar system files are not shared. This could allow less privileged users to execute code on target machines.

The above points are important for all machines, but especially for machines that are critical to system integrity, such as the Primary Domain Controller (PDC). Imagine an administrator sharing the startup folder (or a folder containing the startup folder) on the PDC to all users. Given the right permissions, users can then easily copy executables into the startup folder, which will be executed upon the next interactive logon by the administrator.

Note: If you are running the scan logged in as an administrator, you will also see the administrative shares, for example "C$ - default share". These shares will not be available to normal users.

Due to the way Klez and other new viruses are starting to spread - through the use of open shares - all unneeded shares should be turned off and all needed shares should have a password on them.

Users & groups
The next 2 nodes show the local groups and the local users available on the computer. Check this area to ensure that there are no extra user accounts, and verify that the Guest account is disabled. Rogue users and groups can allow users backdoor access!
Some backdoor programs re-enable the Guest account and grant it Administrative rights, so expand the users node to see the activity of all the accounts and the rights they have.

Ideally the user should not be using a local account to logon, but should be logging into a Domain or an Active Directory account.

The last main thing to check is to ensure that account passwords are not too old.

Services & processes
All running services on the machine are listed. Verify that each running service is actually needed, and disable all services that are not required. Be aware that each service can potentially be a security risk and a hole into the system. Closing or switching off services that are not needed automatically reduces the security risks on that machine.

General information
The network devices, drives and remote time of day nodes show general information about the computer.

Note: For more information on these see the “Additional Results” in the next section.

Password policy
This node is an important one, allowing you to check that the password policy is secure. For example, enable a maximum password age and password history. Minimum password length should be something practical, such as 8 characters. If you have Windows 2000, you can enable a secure network-wide password policy using GPO (Group Policy Objects) in Active Directory.

Registry
This node gives vital information about the remote registry. It provides information on anything that is set up to automatically start with the interactive login on the machine.

Auditing
If the target machine runs Windows NT/2000/XP, GFI LANguard N.S.S. will check if auditing is turned on. It is recommended to activate auditing on Windows machines. This is an important security feature of Windows that is disabled by default. Turning on auditing will allow you to detect security breaches and check how they occurred.

Installed hot fixes
The hot fixes node shows what hot fixes are installed. Ensure that your machines have the latest hot fixes and service packs installed.

Unfortunately, in the Windows world there seems to be no greater security risk than not being up-to-date on the latest hot fixes and service packs, so make sure you always have the latest patches installed.

Open ports
The open ports node lists all open ports found on the machine (this is called a port scan). GFI LANguard N.S.S. does a selective port scan. It does not scan all 65535 TCP and 65535 UDP ports, just the ports it is asked to.

Each open port represents a service/application; if one of these services can be “exploited”, the hacker could gain access to that machine. Therefore, it is important to close any port that is not needed.

Note: On Windows Networks, ports 135, 139 & 445 are likely to be open. Hopefully, your Internet firewall is blocking these ports from the outside world.

Alerts node
The alerts node displays known security issues and informs you how to fix them. These threats can include HTTP issues, NETBIOS alerts, configuration problems and so on.

Currently GFI LANguard N.S.S. detects approximately 300 unique alerts. GFI LANguard N.S.S. provides an inbuilt script editor to let you build your own alerts. This allows you to create very simple or very complex alerts.

Alerts are broken down into the following sections:

  • Missing patches show up on Windows NT/2000/XP machines if there are any missing Hot Fixes or Service Packs. GFI LANguard N.S.S. provides a link to the Microsoft page where you can download that individual patch.
     
  • CGI abuses describe issues related to Apache, Netscape, IIS and other web servers.
     
  • FTP alerts, DNS alerts, mail alerts, RPC alerts, and miscellaneous alerts provide links to BugTraq or other security sites so that you can look up more information about the problem GFI LANguard N.S.S. found.
     
  • Service alerts can cover a number of things, from actual services running on the device in question to accounts listed on a machine that have never been used.
     
  • Registry alerts cover information pulled from a Windows machine when GFI LANguard N.S.S. does its initial scan. They provide a link to Microsoft’s site or other security-related sites to explain why these registry settings should be changed.
     
  • Information alerts are added to the database and concern issues important enough to be brought to the administrator’s attention, but not always damaging to leave open.
     

MS hot fixes and service packs

The deployment of patches is a powerful tool that allows you to keep your Windows NT, 2000 and XP machines up-to-date with the latest security patches. It consists of two functions:

  • Detection of hot fixes, patches, and service packs that are on a machine
  • Pushing of hot fixes and patches that the machine is missing

For either of these to work, you must have administrative rights on the machine you are scanning. If you do not have the correct rights, you will not be able to make a remote connection to the registry, you will not be able to scan for file information and you will not be able to install the patches.

GFI LANguard N.S.S. currently provides scanning, identification and patching of missing hot fixes and service packs* on 21 different products. (*Version 3.0 of GFI LANguard N.S.S. detects the fact that a machine is missing the latest service pack, but it does not push service packs, only hot fixes. The ability to push service packs is planned for a future release.)
 

Installing hot fixes on machines

Once you have a list of Hot Fixes that are missing, you will want to patch these machines. Patching a machine is as simple as right-clicking on a machine that is missing some hot fixes and telling it to "Deploy patches to this machine".

If you have previously used the utility, then the hot fixes will already be on your machine and ready to push to the client machine. If you have not downloaded the patch yet, GFI LANguard N.S.S. prompts you to download the patch and provides a link to the Microsoft website and page that will allow you to download it.

Generation of reports

One of the most important things after a successful scan is the ability to provide the information discovered in an easy-to-use format. GFI LANguard N.S.S. provides many predefined reports to do just that.

  • Default Template - This is the default report format if you do not try any of the customization options. It includes all information generated by GFI LANguard N.S.S. in an easy-to-read format.
  • High Security Alerts - This report includes:
    • All open ports
    • Missing service packs
    • High security alerts
  • Security Alerts - This report includes:
    • All open ports
    • All missing hot fixes
    • Medium security alerts
  • Missing Hot Fixes - This report includes:
    • Missing service packs
    • Missing hot fixes/patches
  • Open Ports - This report includes:
    • All open ports (TCP and UDP)
  • Open TCP Ports - This report includes:
    • All open TCP ports
  • SNMP Information - This report includes:
    • SNMP information (system id)
  • List of Computers - This report includes:
    • Detailed information for every computer (columnar)
  • Custom Reports - If the predefined reports above are not enough for you, through the use of XSL files you can create your own custom reports with a little XSL programming.
     

Rounding off the audit
After you have audited your network, you should:

  • Patch/fix all security issues found
     
  • Delete unused user accounts*
     
  • Ensure strong passwords
     
  • Disable unnecessary services
     
  • Update your systems to the latest Service Pack and Hot Fixes
     
  • Closely review the LANguard alerts

This will prevent some of the most popular attacks. After fixing such problems, re-scan the network and compare the difference.

*GFI LANguard N.S.S. will check to see if the account has been used to locally logon to that machine; if the machine in question is a PDC, accounts listed on the box could very well be in use - the fact that they show as never having been used only means, on a PDC or BDC, that they have not been used to log in locally. Verify all accounts before deleting them.
 

Report comparison

By performing audits regularly and comparing results from previous scans you will get an idea of what security holes continually pop up or are reopened by users. This creates a more secure network.

GFI LANguard N.S.S. helps you do this by allowing you to compare results between scans. It reports the differences and enables you to take action.

You can compare results manually or through scheduled scans. GFI LANguard N.S.S. provides you with the ability to perform a comparison at any time, but it also provides you with the ability to schedule a scan to run, compare that to the previous scan and issue an email report of any differences it finds.
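An added illustration, not part of the whitepaper or GFI's own code, of the scan comparison described here and of the NULL-user versus administrator comparison under "Best usage policy": it diffs two constructed scan results node by node, lists the regressions an administrator should act on, and renders the email body. All hosts, shares, users and ports are constructed sample values, and the hot fix id is a placeholder.

```python
"""Scan-to-scan comparison, modelled on the whitepaper's scheduled
"compare to the previous scan and email the differences" feature.
Constructed example, not GFI code. A scan result is represented as
{host: {node: set(items)}} using the result nodes the paper describes."""
from typing import Dict, List, Set, Tuple

NODES = ("open_ports", "shares", "users", "missing_hotfixes", "services")
Scan = Dict[str, Dict[str, Set[str]]]
Diff = Dict[str, Dict[str, Dict[str, Set[str]]]]

def compare_scans(previous: Scan, current: Scan) -> Diff:
    """Per host and node: what appeared since the previous scan ("added") and
    what disappeared ("removed"). A host seen in only one scan is reported whole."""
    report: Diff = {}
    for host in sorted(set(previous) | set(current)):
        old, new = previous.get(host, {}), current.get(host, {})
        host_diff = {}
        for node in NODES:
            before, after = old.get(node, set()), new.get(node, set())
            if before != after:
                host_diff[node] = {"added": after - before, "removed": before - after}
        if host_diff:
            report[host] = host_diff
    return report

def regressions(report: Diff) -> List[Tuple[str, str, str]]:
    """Items to act on: anything newly exposed (a port, share, user or service
    that appeared) or a hot fix missing again, e.g. after a reinstall.
    Removed items are improvements and are not listed."""
    out = []
    for host, nodes in report.items():
        for node, change in nodes.items():
            for item in sorted(change["added"]):
                out.append((host, node, item))
    return out

def format_email(report: Diff) -> str:
    """Plain-text body for the emailed difference report."""
    if not report:
        return "No differences since the previous scan."
    lines = []
    for host, nodes in report.items():
        lines.append(f"Host {host}:")
        for node, change in nodes.items():
            lines.extend(f"  + {node}: {i}" for i in sorted(change["added"]))
            lines.extend(f"  - {node}: {i}" for i in sorted(change["removed"]))
    return "\n".join(lines)

# Constructed sample data: last week's and this week's scan of two hosts.
# "QXXXXXX" is a placeholder hot fix id, not a real one.
PREVIOUS: Scan = {
    "192.0.2.10": {"open_ports": {"135/tcp", "139/tcp", "445/tcp"},
                   "shares": {"C$", "ADMIN$"}, "users": {"Administrator", "Guest", "jsmith"},
                   "missing_hotfixes": {"QXXXXXX"}, "services": {"Server", "Workstation"}},
    "192.0.2.11": {"open_ports": {"135/tcp", "139/tcp", "445/tcp", "21/tcp"},
                   "shares": {"C$", "ADMIN$", "Public"}, "users": {"Administrator", "Guest"},
                   "missing_hotfixes": set(), "services": {"Server", "Workstation", "FTP Publishing"}},
}
CURRENT: Scan = {
    "192.0.2.10": {"open_ports": {"135/tcp", "139/tcp", "445/tcp", "3389/tcp"},  # new port
                   "shares": {"C$", "ADMIN$", "C"},  # a whole drive is now shared
                   "users": {"Administrator", "Guest", "jsmith", "backup2"},  # new account
                   "missing_hotfixes": set(),  # patched since last week
                   "services": {"Server", "Workstation", "Terminal Services"}},
    "192.0.2.11": {"open_ports": {"135/tcp", "139/tcp", "445/tcp"}, "shares": {"C$", "ADMIN$"},
                   "users": {"Administrator", "Guest"}, "missing_hotfixes": set(),
                   "services": {"Server", "Workstation"}},
}

if __name__ == "__main__":
    print(format_email(compare_scans(PREVIOUS, CURRENT)))
```

Feeding a NULL-user scan as `previous` and an administrator scan as `current` turns the "added" side into the list of items that require authentication to see; everything absent from that list is disclosed to anonymous users.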
 

Comparison of GFI LANGUARD N.S.S. to other tools

Part of the problem with trying to compare GFI LANguard N.S.S. to other security or patching programs is that most other programs do only one specific task. They either just do a security scan or they just have the ability to detect missing hot fixes and service packs. So in most cases it is like trying to compare apples to oranges. They are similar in one aspect, but totally different in another. But we will give it a try!

The leading network security scanner out there is probably Eeye's Retina Security Scanner.
 

Eeye's Retina 4.8 compared with GFI LANguard N.S.S. 3.0

Pricing - Eeye's Retina 4.8:

  16 IP Pack $995
  256 IP Pack $6,520
  *Pricing information taken from Eeye's homepage, according to other articles; price may vary.

Pricing - GFI LANguard N.S.S. 3.0:

  50 IPs $249
  250 IPs $450
  Unlimited IPs cost only $695

Reporting - Eeye's Retina 4.8:

Retina has some advantages on reporting and some disadvantages. It generates nice graphs that let you look at how many of certain types of vulnerabilities there are. But the ability to totally create your own reports or change the overall format of the report is not available.

Reporting - GFI LANguard N.S.S. 3.0:

GFI LANguard N.S.S. provides the ability to customize the report in almost any way you want, at least any way that is possible through the use of XSL. This can be both an advantage and a disadvantage. If you know XSL you can now create reports in whatever format you wish; if you do not know XSL, you must use the predefined reports.

Alerts/audits - Eeye's Retina 4.8:

Hands down, Retina's database of alerts and audits is larger than that of GFI LANguard N.S.S. One problem with Retina's alerts is that there is only the ability to turn them on or off, not the ability to change them. It also does not allow, or at least did not appear to allow, the creation of new alerts.

Alerts/audits - GFI LANguard N.S.S. 3.0:

The alerts for GFI LANguard N.S.S. are being updated little by little all the time. GFI LANguard N.S.S. also provides users with the ability to modify and/or create their own alerts. To this end, a scripting language has been added to GFI LANguard N.S.S. to help in the creation of scripts and alerts.

Retina is a very strong product for security scanning, but only for security scanning. It does not check for hot fixes or provide the ability to patch Windows machines that are missing hot fixes.

Unlike Retina, GFI LANguard N.S.S. does not provide the ability to push certain registry fixes to users, but GFI LANguard N.S.S. gives the user more control over the way reports and alerts are generated and viewed. It also provides service pack and hot fix checking for Windows machines.

So for an all-in-one scanner, GFI LANguard N.S.S. provides you with a very good security scanner and the ability to patch Windows machines for a fraction of the price of Retina.

The leading hot fix checker and pushing utility out there is probably Shavlik's HFNetCheck Pro.
 

Shavlik's HFNetCheck Pro 3.8 compared with GFI LANguard N.S.S. 3.0

Supports - Shavlik's HFNetCheck Pro 3.8:
  • Exchange 5.5, 2000 (new)
  • SQL Server 7.0, 2000
  • Windows Media Player (new)
  • Windows NT, Windows 2000, Windows XP
  • Windows NT4 Terminal Server (new)
  • Internet Information Server (IIS) 4 and 5
  • Internet Explorer (IE) 5.01 and up
  • Service packs for all supported products

  *Information gathered from Shavlik's site and article from InfoWorld at: http://www.infoworld.com/articles/hn/xml/02/07/24/020724hnpatch.xm

Supports - GFI LANguard N.S.S. 3.0:
  • SQL Server 7.0, 2000
  • Windows NT, Windows 2000, Windows XP
  • Internet Information Server (IIS) 3, 4, 5
  • Internet Explorer 4 and up
  • Detection of missing service packs for all supported products

  **In version 3.0, GFI LANguard N.S.S. detects the fact that a machine is missing the latest service pack, but it does not push service packs, only hot fixes. The ability to push service packs is planned for a future release.

Pricing - Shavlik's HFNetCheck Pro 3.8:

  Starting at $850 (according to homepage)
  Starting at $1,123 for 50 PCs (according to review by InfoWorld)

Pricing - GFI LANguard N.S.S. 3.0:

  Starting at $249 for 50 IPs
  Unlimited IPs cost only $695

HFNetCheck has one main advantage over GFI LANguard N.S.S., and that is the ability to push SPs. GFI LANguard N.S.S. has plans to push SPs in the near future. The other small advantage HFNetCheck has is that it currently detects more applications than GFI LANguard N.S.S., but again, GFI LANguard N.S.S. has plans to improve and extend its support there also.

Conclusion
Ultimately there are products out there that cover everything that GFI LANguard N.S.S. has the ability to do, but most of these products are anywhere from 3 to 10 times more expensive than GFI LANguard N.S.S., not to mention that they are specialized and only do part of what GFI LANguard N.S.S. can do. For an all round security, hot fix, and OS detection scanner, GFI LANguard N.S.S. provides the most value for money.
 

About GFI
GFI (www.gfi.com) is a leading provider of Windows-based messaging, content security and network security software. Key products include the GFI FAXmaker fax connector for Exchange and fax server for networks; GFI MailSecurity email content/exploit checking and anti-virus software; and the GFI LANguard family of network security products. Clients include Microsoft, Telstra, Time Warner Cable, Shell Oil Lubricants, NASA, DHL, Caterpillar, BMW, the US IRS, and the USAF. GFI has six offices in the US, UK, Germany, France, Australia and Malta, and has a worldwide network of distributors. GFI is a Microsoft Gold Certified Partner and has won the Microsoft Fusion 2000 (GEM) Packaged Application Partner of the Year award.

All product and company names herein may be trademarks of their respective owners.
 


© 2002 GFI Software Ltd. All rights reserved. The information contained in this document represents the current view of GFI on the issues discussed as of the date of publication. Because GFI must respond to changing market conditions, it should not be interpreted to be a commitment on the part of GFI, and GFI cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. GFI MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. GFI FAXmaker, GFI MailEssentials, GFI MailSecurity and GFI LANguard and the GFI FAXmaker, GFI MailEssentials, GFI MailSecurity and GFI LANguard logos and the GFI logo are either registered trademarks or trademarks of GFI Software Ltd. in the United States and/or other countries. Microsoft, Exchange Server, VS API, Word, and Windows NT/2000/XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product or company names mentioned herein may be the trademarks of their respective owners. GFI. http://www.gfi.com info@gfi.com 1-888-2GFIFAX / +44 (0) 870 770 5370.