GFI Product Manual Administrator Guide
The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources.
Contents 1 Introduction 1.1 How GFI LanGuard works 1.2 How GFI LanGuard Agents work 1.3 How GFI LanGuard Relay Agents work 1.4 GFI LanGuard Components 1.5 About this guide 1.5.1 Terms and conventions used in this manual 2 Installing GFI LanGuard 2.1 Deployment scenarios 2.1.1 Deploying GFI LanGuard in mixed mode 2.1.2 Deploying GFI LanGuard using Relay Agents 2.1.3 Deploying GFI LanGuard in Agent-less mode 2.2 System requirements 2.2.1 Hardware requirements 2.2.2 Software requirements 2.2.
5 Scanning Your Network 5.1 About Scanning Profiles 5.2 Available Scanning Profiles 5.2.1 Complete/Combination Scans 5.2.2 Vulnerability Assessment 5.2.3 Network & Software Audit 5.3 Manual scans 5.4 Enabling security audit policies 5.5 Scheduled scans 5.5.1 Creating a scheduled scan 5.5.2 Editing scheduled scan settings 5.5.3 Configuring scheduled scan properties 5.6 Agent scheduled scans 5.6.1 Starting an Agent scan manually 6 Dashboard 6.1 Achieving results from the dashboard 6.2 Using the Dashboard 6.
7.3 Saving and loading XML results 8 Remediate Vulnerabilities 8.1 Automatic Remediation 8.1.1 Auto-remediation notes 8.1.2 Configuring missing updates auto-deployment 8.1.3 Configuring unauthorized applications auto-uninstall 8.1.4 Configuring auto-remediation options 8.1.5 Configuring end-user reboot and shut down options 8.1.6 Configuring auto-remediation messages 8.1.7 Configuring Agent auto-remediation 8.2 Manual Remediation 8.2.1 Manual remediation notes 8.2.2 Using the Remediation Center 8.2.
11.2 Configuring Database Maintenance Options 11.2.1 Using Access™ as a database backend 11.2.2 Using SQL Server® as a database backend 11.2.3 Managing saved scan results 11.2.4 List scanned computers 11.2.5 Configure advanced database maintenance options 11.2.6 Configure database retention options 11.3 Configuring Program Updates 11.3.1 Configuring proxy settings 11.3.2 Configuring auto-update options 11.3.3 Installing program updates manually 12 Scanning Profile Editor 12.
14.1 Creating custom scripts using VBscript 14.1.1 Adding a vulnerability check that uses a custom VBScript (.vbs) 14.2 Creating custom scripts using Python Scripting 14.3 SSH Module 14.3.1 Keywords 14.3.2 Adding a vulnerability check that uses a custom shell script 15 Miscellaneous 15.1 Configuring NetBIOS 15.2 Uninstalling GFI LanGuard 16 Troubleshooting and support 16.1 Resolving common issues 16.2 Using the Troubleshooter Wizard 16.3 GFI SkyNet 16.4 Web Forum 16.
1 Introduction
GFI LanGuard is a patch management and network auditing solution that enables you to manage and maintain end-point protection across devices within your LAN. It acts as a virtual security consultant that offers Patch Management, Vulnerability Assessment and Network Auditing support for Windows® and Mac computers. GFI LanGuard achieves LAN protection through: Identification of system and network weaknesses via a comprehensive vulnerability checks database.
Upon installation, GFI LanGuard operates in two stages: First it determines the machines that are reachable. It also tries to collect information sets from the target machines as part of its Network Discovery operations, using a subset of the SMB, NetBIOS and ICMP protocols. Supported targets include the localhost, IP, computer name, computers list, IP range, whole domain/workgroup and/or organizational unit.
Table 1: GFI LanGuard Components
GFI LanGuard Server: Also known as the Management Console. Enables you to manage agents, perform scans, analyze results, remediate vulnerability issues and generate reports.
GFI LanGuard Agents: Enable data processing and auditing on target machines; once an audit is finished, the result is sent to GFI LanGuard.
GFI LanGuard Update System: Enables you to configure GFI LanGuard to auto-download updates released by GFI to improve functionality.
2 Installing GFI LanGuard
This chapter guides you in selecting the most appropriate deployment solution that caters to your requirements, as well as providing information about how to successfully deploy a fully functional instance of GFI LanGuard. Topics in this chapter:
2.1 Deployment scenarios
2.2 System requirements
2.3 Importing and Exporting Settings
2.4 Upgrading from previous versions
2.5 New installation
2.6 Post install actions
The following screenshot shows how GFI LanGuard can be deployed using agents on a Local Area Network (LAN): Figure 2: Agent/Mixed Mode 2.1.2 Deploying GFI LanGuard using Relay Agents Relay agents are used to reduce the load from the GFI LanGuard server. Computers configured as relay agents will download patches and definitions directly from the GFI LanGuard server and will forward them to client computers.
In a network, computers can be grouped and each group can be assigned to a relay agent as shown below. Figure 3: Relay Agent Mode Note For more information, refer to Configuring Relay Agents (page 53). 2.1.3 Deploying GFI LanGuard in Agent-less mode Agent-less auditing is started from the GFI LanGuard management console. GFI LanGuard creates a remote session with the specified scan targets and audits them over the network.
Note Scans in Agent-less mode use the resources of the machine where GFI LanGuard is installed and utilize more network bandwidth, since auditing is done remotely. When you have a large network of scan targets, this mode can drastically decrease GFI LanGuard's performance and affect network speed. In larger networks, deploy Agents/Relay Agents to balance the load appropriately.
2.2 System requirements Computers that are going to run GFI LanGuard Server/Agent/Relay Agent must meet the system requirements described below to ensure maximum and optimized performance. If you are looking for a patch management solution for 2,000 or more computers, we recommend that you contact us for pricing, as well as suggestions regarding the proper deployment and management procedure for such a solution.
Has the required disk space to allow caching. Computers configured as Relay Agents must meet the following hardware requirements:
Table 5: Hardware requirements - GFI LanGuard Relay Agent
Component | 1 to 100 Clients | 100 to 500 Clients | 500 to 1,000 Clients
Processor | 2 GHz Dual Core | 2 GHz Dual Core | 2.8 GHz Dual Core
Physical Storage | 5 GB | 10 GB | 10 GB
RAM | 2 GB | 2 GB | 4 GB
Network bandwidth | 100 Mbps | 100 Mbps | 1 Gbps
Supported database backends
The database backend is the location where GFI LanGuard stores scan and network information from network security audits and remediation operations. The database backend can be any of the following:
Microsoft® Access
SQL Server® 2000 or later
MSDE/SQL Server Express® edition
3. From the right pane, click Agents Settings.
4. From the Agents Settings dialog, specify the communication port in the TCP port text box.
5. Click OK.
GFI LanGuard Agent and Agent-less computers
GFI LanGuard communicates with managed computers (Agents and Agent-less) using the ports and protocols below. The firewall on managed computers needs to be configured to allow inbound requests on these ports:
Table 8: Ports and Protocols
TCP Port | Protocol | Description
22 | SSH | Auditing Linux systems.
Note For more information, refer to:
Supported Third-Party applications: http://go.gfi.com/?pageid=LAN_PatchMng
Supported application bulletins: http://go.gfi.com/?pageid=3p_fullreport
Supported Microsoft applications: http://go.gfi.com/?pageid=ms_app_fullreport
Supported Microsoft bulletins: http://go.gfi.com/?pageid-ms_fullreport
2.2.5 Supported antivirus/anti-spyware applications
GFI LanGuard detects outdated definition files for a number of Anti-virus and Anti-spyware software.
Screenshot 1: Export configurations to file
5. Wait for the configuration tree to load and select the configurations to export. Click Next to start the export.
6. A notify dialog will confirm that exporting is completed.
7. Click OK to finish.
2.3.2 Importing configurations from a file
To import saved configurations:
1. Launch GFI LanGuard.
2. Click the GFI LanGuard button > File > Import and Export Configurations…
3. Select Import the desired configuration from a file and click Next.
4.
Screenshot 2: Import configurations from a file
6. Confirm the override dialog box by clicking Yes or No as required.
7. A notify dialog will confirm that importing is completed.
8. Click OK to finish.
2.3.3 Importing configurations from another instance of GFI LanGuard
1. Launch GFI LanGuard.
2. Click the GFI LanGuard button > File > Import and Export Configurations… to launch the Import and Export Configurations wizard.
3. Select Import the configuration from another instance and click Next.
4.
Screenshot 3: Import setting
5. Select which settings you want to import and click Next.
6. While importing, GFI LanGuard will ask you whether you want to override or keep your settings. Select one of the following options:
Table 9: Override options
Yes: Override the current setting with the imported setting.
No: Keep the current setting and ignore the imported setting.
Auto Rename: Rename the imported settings and keep the current settings.
7. Click OK when the import is ready.
Note License keys of earlier versions of GFI LanGuard are not compatible and must be upgraded to run GFI LanGuard. To upgrade to a newer version: 1. Logon using administrator credentials on the machine where you wish to install GFI LanGuard. 2. Launch GFI LanGuard installation. Screenshot 4: Pre–requisite check dialog 3. The pre–requisite check dialog shows an overview of the status of the components required by GFI LanGuard to operate. Click Install to start the installation. 4.
Screenshot 5: Import and Export settings from a previous instance 5. Once GFI LanGuard is installed, it detects the previous installation and automatically launches the Import and Export Configuration Wizard. This enables you to export various configurations from the previous version and import them into the new one. 6. Select the configurations to import and click Next to finalize the import process. 2.5 New installation 1.
Screenshot 6: End-user license agreement 5. Read the licensing agreement carefully. To proceed with the installation, select I accept the terms in the License Agreement and click Next. Screenshot 7: Specify user details and license key 6. Specify user details and enter license key. Click Next.
Screenshot 8: Attendant service credentials 7. Key in the administrator credentials and password. This will be used by the service under which scheduled operations will operate. Click Next to continue setup. 8. Click Install to install GFI LanGuard in the default location or click Browse to change path. 9. Click Finish to finalize installation. When launched for the first time, GFI LanGuard automatically enables auditing on the local computer and scans the local computer for vulnerabilities.
2.6 Post install actions GFI LanGuard can be installed on a machine with an older version of GFI LanGuard without uninstalling it. This enables you to retain configuration settings and reuse them in the new version. To import the settings from the earlier version: 1. Launch the GFI LanGuard management console from Start > Programs > GFI LanGuard 2012 > GFI LanGuard 2012. 2. Click the GFI LanGuard button > File > Import and Export Configurations… to launch the Import and Export Configurations wizard.
Table 10: Import override options
Yes: Override the current setting with the imported setting.
No: Keep the current setting and ignore the imported setting.
Auto Rename: Rename the imported settings and keep the current settings.
8. Click OK when complete.
2.7 Testing the installation
Once GFI LanGuard is installed, test your installation by running a local scan to ensure it installed successfully.
1. Launch GFI LanGuard.
Screenshot 10: Launch a scan
2.
3. From Scan Target drop–down menu, select localhost. 4. From Profile drop–down menu, select Full Scan. 5. Click Scan to start the scan on the local computer. 6. The scan progress is displayed in the Scan tab. Screenshot 12: Scan results summary 7. On completion, the Progress section will display an overview of the scan result. 8. Use the Scan Results Details and Scan Results Overview to analyze the scan result. For more information, refer to Interpreting manual scan results (page 104).
3 Achieving Results
This chapter provides you with step by step instructions about how to strengthen your network's security and integrity using GFI LanGuard. This chapter helps you achieve positive patch management, vulnerability management and legal compliance results, while ensuring that your network is protected using the most up-to-date vulnerability detection methods and techniques. Topics in this chapter:
3.1 Effective Vulnerability Assessment
3.2 Effective Patch Management
4. Investigate and remediate other security issues.
Deploying Custom Software
Malware Protection Actions
Uninstalling Custom Applications
Using Remote Support
5. Check network security status. Use the Dashboard to monitor and view the status of your network. To learn more about the Dashboard, refer to Using the Dashboard.
3.2 Effective Patch Management
GFI LanGuard enables you to manage patch deployment on your network.
3.3 Using GFI LanGuard for asset tracking
Unmanaged or forgotten devices are a security risk. Perform the following steps to track unmanaged and forgotten devices:
1. Automatically discover new devices in your network. GFI LanGuard automatically detects new computers on your network:
Enumerate Computers
Network discovery
2. Deploy agents on newly discovered computers:
Deploying Agents
Deploy Agents Manually
Agent Properties
Agents Settings
3.
3.4 Up to date network and software analysis
Network analysis enables you to learn more about what is happening in your network because it detects the configurations and applications that pose a security risk on your network. Such issues can be identified using the following functions:
GFI LanGuard views and tools
Software View - Get a detailed view of all the applications installed in the network.
Hardware View - Check the hardware inventory of the network.
3.5 Compliance with PCI DSS
Be fully compliant with PCI DSS, the strict security standards drawn up by the world's major credit card companies. In providing complete vulnerability management coupled with extensive reporting, GFI LanGuard is an essential solution to assist with your PCI compliance program. To learn more about how to be compliant with PCI DSS, use the following links:
Registration form for PCI DSS Compliance and GFI Software Products. http://go.gfi.
4 Managing Agents
GFI LanGuard can be configured to deploy agents automatically on newly discovered machines, or manually on selected computers. Agents enable faster audits and drastically reduce network bandwidth utilization. When using Agents, audits are performed using the scan target's own resources. Once an audit is finished, the results are transferred to GFI LanGuard in an XML file. Topics in this chapter:
4.1 Deploying Agents
4.2 Deploy Agents manually
4.3 Agent properties
Screenshot 13: Manage agents
3. From Common Tasks, click Deploy Agents to select the target scan computers and click Next. Select one of the options described below:
Table 11: Target selection
Local Domain: Deploy agents on all reachable computers within the same workgroup / domain where GFI LanGuard is installed. No further configuration is required in the Define target step.
Custom: Deploy agents on specific computers or groups of computers.
7. (Optional) Click Advanced Settings, and configure the settings in the following tabs:
Table 13: Deploy Agents: Advanced Settings
General: Configure the schedule for when GFI LanGuard automatically scans for new machines in the network perimeter where agents are enabled.
Audit Schedule: Configure how often the agent audits the host computer (where the agent is installed). Select the recurrence pattern, the time the audit will start and the scan profile to use.
Add computers from a text file: Import a computer list from a text file. Click Browse and locate the text file containing the list of computers.
Add computers manually: Manually create a list of computers. Use the Add and Remove buttons to add and remove computers from the list. Use the Import and Export buttons to import and export the list from/to a text file.
Click Next.
Screenshot 15: Add more computers - Assign attributes to new computers
4.
Note If the selected computers have different login credentials from the GFI LanGuard machine, GFI LanGuard launches a dialog that enables you to specify valid credentials.
6. Once the computers are added to the list, click Close.
7. From the computer tree, right-click the newly added computer on which you want to deploy the agent and, from Agent Status, click Deploy Agent.
8. Configure the Agent properties. For more information, refer to Agent properties (page 47).
Screenshot 16: Agent Properties - General tab
3. (Optional) From General tab, specify the name, type and authentication method for the selected agent.
Screenshot 17: Agent Properties - Agent Status tab 4. From Agent Status tab, enable/disable agent deployment by clicking Deploy agent or Disallow agent installation. 5. Click Change scan schedule… to configure the selected agent's scan schedule. 6. From Scanning profile drop-down menu, select the active scan profile. 7. From Auto remediation settings, click Change settings… to enable/disable agent auto– remediation. For more information, refer to Configuring auto-remediation options (page 125).
Screenshot 18: Agent Properties - Attributes tab 8. Click Attributes tab to manage the attributes assigned to the selected computer. Use the Add, Edit and Remove buttons to manage attributes.
Screenshot 19: Agent Properties - Relays tab
9. Click Relays tab to configure agent relays. Relays enable computers other than the one hosting GFI LanGuard to act as GFI LanGuard server. This helps you load-balance traffic directed to that machine and optimize network scanning performance.
10. Configure the options described below:
Table 16: Agent relay options
Set as relay: Set the selected computer as a relay agent.
Address where to server: The address used by client computers to connect to the relay agent (by default the DNS host name is used).
12. Click OK twice.
4.4 Agents settings
To configure additional agents' settings:
1. From Configuration tab, select Agents Management.
2. Click Agents Settings.
Screenshot 20: Agent Settings - General tab
3.
Screenshot 21: Agent Settings - Advanced tab
4. (Optional) Click Advanced tab and select Create temporary custom share. When this option is enabled and administrative shares are disabled on agent machines, GFI LanGuard creates a temporary shared folder for transferring information.
5. Click OK to save and close the dialog.
WARNING Communication on TCP port 1070 must be enabled in Windows Firewall for GFI LanGuard Agents to send data to GFI LanGuard.
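The two firewall requirements above (inbound TCP 1070 on the GFI LanGuard server for agent uploads, and, from Table 8, inbound TCP 22 on Linux targets audited over SSH) are usually what breaks a fresh deployment. The PowerShell below is an added example, not code from the GFI LanGuard manual or from GFI: it opens the agent port on the server, scopes the rule to an internal range, and probes the port from a managed computer. The host name languard-srv, the 10.0.0.0/8 range and linux-target are placeholders; the port must match whatever you set in Agents Settings.

```powershell
# Added example (not from the GFI LanGuard manual). Run elevated on Windows 8 /
# Server 2012 or later (NetSecurity module). Host names and address range are
# placeholders for your environment.
param(
    [string]$ServerName = 'languard-srv',   # hypothetical GFI LanGuard server
    [int]$AgentPort     = 1070,             # must equal the Agents Settings TCP port
    [string]$ManagedNet = '10.0.0.0/8'      # placeholder: your managed subnets
)

# --- On the GFI LanGuard server: allow inbound agent traffic, scoped to the LAN ---
$ruleName = "GFI LanGuard Agents (TCP $AgentPort)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $AgentPort `
        -Action Allow -Profile Domain `
        -Description 'Agents upload audit results to the GFI LanGuard server' | Out-Null
}
# Never leave the rule open to 'Any' remote address; restrict it to managed ranges.
Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $ManagedNet

# Display the effective rule and its port filter so the change can be reviewed
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# --- On a managed computer: confirm the agent can reach the server port ---
$probe = Test-NetConnection -ComputerName $ServerName -Port $AgentPort -WarningAction SilentlyContinue
if ($probe.TcpTestSucceeded) {
    "OK: $ServerName accepts TCP $AgentPort"
} else {
    "FAIL: TCP $AgentPort to $ServerName is blocked or not listening (check the firewall rule and the Agents Settings port)"
}

# --- Linux targets audited over SSH (Table 8) need inbound TCP 22; probe from the server ---
$ssh = Test-NetConnection -ComputerName 'linux-target' -Port 22 -WarningAction SilentlyContinue
"SSH reachable from server: $($ssh.TcpTestSucceeded)"
```

Scoping the rule to the Domain profile and to the managed address range keeps the agent upload port from being exposed when the server is ever connected to a public or guest network; if you changed the port in Agents Settings, rerun the script with that value rather than editing the rule by hand.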
Reduced bandwidth consumption in local or geographically distributed networks. If a Relay Agent is configured on each site, a patch is only downloaded once and distributed to client computers Reduced performance load from the GFI LanGuard server component and distributed amongst relay agents Using multiple Relay Agents, increases the number of devices that can be protected simultaneously.
Screenshot 22: Agent Properties dialog 4. From the Relays tab, click Set as relay...
Screenshot 23: Set computer as relay wizard 5. Carefully read the warning about resource requirements for the computer running a Relay Agent. Click Next.
Screenshot 24: Choose caching directory for the new Relay Agent 6. Choose the caching location for the Relay Agent. The caching directory is used by the relay to store audit and remediation information when auditing remote computers. By default, the RelayCache folder is created in C:\ProgramData\GFI\LanGuard 11\RelayCache. Click Next. Note Use the %AgentData% placeholder to quickly refer to the Agent's data folder.
Screenshot 25: Settings summary step 7. Click Finish. Note After you click Finish, the selected Agent is configured as a Relay Agent. You can monitor this process from Dashboard > Overview > Agent status. 4.5.2 Configuring Relay Agent advanced options To configure Relay Agent advanced options: 1. Open GFI LanGuard. 2. Click Configuration tab > Agents Management. 3. Right-click on the Agent you want to configure and select Properties. This opens the Agent's Properties dialog.
Screenshot 26: Relay Agent properties - Advanced settings
4. Click Relays tab > Advanced settings...
Screenshot 27: Relay Agent advanced settings dialog
5.
Table 19: Relay Agent - Advanced options
Caching directory: Location where the relay agent caches information when auditing remote computers.
Address: Displays the computer name that is running the relay agent. Click Default to restore the field to its original value.
TCP port: Communication port used by the relay agent to communicate with the GFI LanGuard server.
Screenshot 28: Connecting to a Relay Agent
5. From the Assign a relay agent area, select Use relay agent and choose the relay from the drop-down menu.
6. Click OK.
4.6 Managing Agent groups
The computer tree enables you to configure agent properties for groups of computers. To configure computer group properties:
1. From the computer tree, right-click a group of computers and click Properties.
2. (Optional) From General tab, specify name, type and authentication method for the selected group.
3.
4. Select Network Discovery and configure the following options:
Table 21: Agent group network discovery
Check automatically for new machines in this group: GFI LanGuard will search for new machines automatically.
Change schedule: Change the schedule on which GFI LanGuard searches for new computers.
Run now: Run network discovery immediately.
Scan OU recursively: Recursively loop through all organizational units and enroll their computers.
5.
Screenshot 30: Agent Relays
7. Configure the options described below:
Table 22: Agent relay options
Connect directly to GFI LanGuard server: The selected computer will download product updates and patches from the GFI LanGuard server.
Use relay agent: The selected computer will use a relay agent to download product updates and patches. Select the relay agent to use from the drop-down list.
Note Some options are disabled because they are applicable only to single computers.
8.
5 Scanning Your Network
This chapter provides you with information about the different scanning profiles that ship with GFI LanGuard, as well as how to trigger immediate or scheduled manual scans. Select the most suitable scanning profile and scanning mode (such as Agent-less versus Agent-based scans), depending on the availability and location of your scan targets. Topics in this chapter:
5.1 About Scanning Profiles
5.2 Available Scanning Profiles
5.3 Manual scans
5.2.1 Complete/Combination Scans
Table 23: Complete/Combination scanning profiles
Full Vulnerability Assessment: Use this scanning profile to enumerate particular network vulnerabilities such as open TCP/UDP ports commonly exploited by Trojans, as well as missing patches and service packs. The list of vulnerabilities enumerated by this profile can be customized through the Vulnerabilities tab. Installed USB devices and applications are not enumerated by this profile.
5.2.3 Network & Software Audit
Table 25: Network & Software Audit profiles
Trojan Ports: Use this scanning profile to enumerate open TCP/UDP ports that are commonly exploited by known Trojans. The list of TCP/UDP ports to be scanned can be customized through the TCP Ports and UDP Ports tabs respectively. Only the TCP/UDP ports commonly exploited by known Trojans are scanned by this profile.
Table 26: Target options when auditing
Localhost: Audit the local host where GFI LanGuard is installed.
Domain: primary domain: Audit the entire domain / workgroup of the computer / server where GFI LanGuard is installed.
Note Optionally, from the computer tree, right-click a computer/computer group and select Scan > Custom Scan.
4. Click the browse button (...) to define custom rules for adding scan targets.
Screenshot 32: Custom target properties
5.
Screenshot 33: Add new rule...
6. From the Add new rule dialog, select the Rule type described below to add computers:
Table 27: Custom target properties
Computer name is: Search and add computers by name. Key in a valid computer name and click Add for each computer. Click OK to apply changes.
Computers file list is: Search and add computers from a text file. Click the browse button and locate the text file. Click OK to apply changes.
7. Once the rules are added, click OK to close the Add new rule dialog. Click OK to close the Custom target properties dialog and return to the scan settings. 8. From the Profile drop–down menu, select the scan profile that you want GFI LanGuard to action during the scan. For more information, refer to Available Scanning Profiles (page 64). 9. From the Credentials drop–down menu, select the log–on method used by GFI LanGuard to log onto the scan targets.
1. After scanning a remote computer, from the Scan Results Overview panel, right–click on the respective target computer and select Enable auditing on > This computer/Selected computers/All computers. Screenshot 34: The audit policy administration wizard 2. Select/unselect auditing policies accordingly, and click Next to deploy the audit policy configuration settings, on the target computer(s). 3. At this stage, a dialog will show whether the deployment of audit policy settings was successful or not.
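The wizard reports whether the audit policy settings were deployed, but the setting that matters is what is actually in effect on the target. The PowerShell below is an added example, not code from the GFI LanGuard manual or from GFI: it reads the effective policy with auditpol.exe (shipped with Windows) and flags required subcategories that are still set to No Auditing. The list of required subcategories is an assumption chosen for illustration; adjust it to the policies you selected in the wizard.

```powershell
# Added example (not from the GFI LanGuard manual). Run elevated on the target
# after the audit policy administration wizard has deployed its settings.
# $RequiredSubcategories is an assumed baseline; use the policies you enabled.
$RequiredSubcategories = @(
    'Logon', 'Logoff', 'Credential Validation',
    'Audit Policy Change', 'User Account Management', 'File System'
)

# /r emits CSV with columns including Subcategory and Inclusion Setting
$rows = auditpol /get /category:* /r | ConvertFrom-Csv

# Normalise to subcategory name, effective setting and a boolean "is audited"
$effective = foreach ($r in $rows) {
    [pscustomobject]@{
        Subcategory = $r.Subcategory
        Setting     = $r.'Inclusion Setting'          # e.g. 'Success and Failure'
        Audited     = $r.'Inclusion Setting' -ne 'No Auditing'
    }
}

$effective | Sort-Object Subcategory | Format-Table -AutoSize

# Anything required but missing or unaudited means the deployment did not take
$missing = foreach ($name in $RequiredSubcategories) {
    $entry = $effective | Where-Object { $_.Subcategory -eq $name }
    if (-not $entry -or -not $entry.Audited) { $name }
}

if ($missing) {
    Write-Warning ('Audit policy not in effect for: ' + ($missing -join ', '))
} else {
    'All required audit subcategories are enabled.'
}
```

If the wizard reported success but a subcategory still shows No Auditing, a Group Policy object is usually overriding the local setting; check the effective GPO with gpresult before rerunning the wizard.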
Creating a scheduled scan Editing scheduled scan settings Configuring scheduled scan properties 5.5.1 Creating a scheduled scan 1. Launch GFI LanGuard. 2. Click Configuration tab > Scheduled Scans. 3. From Common Tasks, select New scheduled scan. Screenshot 35: New Scheduled Scan dialog 4. Select one of the options described below and click Next. Table 30: New scheduled scan type Option Description Scan a single computer Scan local host or one specific computer.
Screenshot 36: Scheduled scan frequency 6. Specify date/time/frequency of the new scheduled scan and click Next.
Screenshot 37: Select scanning profile 7. From the Scan job operation drop-down menu, select the scanning profile to be used during the scan and click Next. For more information, refer to Available Scanning Profiles (page 64).
Screenshot 38: Remote logon credentials 8. (Optional) Specify Remote logon credentials and click Next. Remote logon credentials can be either one of the following: Table 31: Remote logon credentials Option Description GFI LanGuard 11 Attendant Service account Performs the scan using the credentials specified while installing GFI LanGuard 2011. Alternative credentials Specify alternate credentials to connect to the scan computers. Note Ensure the supplied credentials have administrative privileges.
Screenshot 39: Scheduled scan reporting options 9. From the Power saving options, configure the following options: Table 32: Power saving options Option Description Wait for offline machines to connect to network Shut down computers after the job has finished Attempt to wake up offline computers GFI LanGuard attempts to power on offline machines using Wake-on-LAN. For more information, refer to Configuring Wake-on-LAN on scan targets (page 130).
Screenshot 40: Scheduled scan auto-remediation options
10. From the auto-remediation dialog, select the required options and click Next. The table below describes the available options:
Table 33: Auto-remediation options
Download and deploy missing updates: Automatically download and deploy missing patches on target machines.
Download and deploy missing service packs and update rollups: Automatically download and deploy missing service packs on target machines.
Screenshot 41: Scheduled scan reporting options
11. (Optional) Configure Reporting options as described below:
Table 34: Reporting options
Email the scan report: Send a report by email at the end of each scheduled scan.
Save the scan report to disk: Save a report to disk at the end of each scheduled scan.
Comparison data and auto remediation details: Include details of auto remediation actions performed and a result comparison with previous security scans.
Screenshot 42: Scheduled scan reporting options
12. Review the scan settings summary and click Finish.
Note: By default, all new scheduled scans are disabled. To enable, select Configuration tab > Scheduled Scans and click on the button.
Note: Confirm that the new scheduled scans are successfully set by clicking on Activity Monitor tab > Security Scans. New scheduled scans are listed in the queue.
5.5.2 Editing scheduled scan settings
Scan schedules can be reviewed, edited, or deleted from Configuration tab > Scheduled Scans node. All scans are listed in the review page together with the relevant information. Use the scheduled scan toolbar to perform the actions described below:
Table 35: Options to manage scanning profiles
Add new scan: Display the New scheduled scan wizard and create a new scheduled scan.
Delete: Use this button to delete the selected scheduled scan.
Screenshot 43: Scheduled Scan properties
Table 36: Schedule scan properties
General: Make changes to the scan target setting, type of scanning profile and scan frequency.
Logon Credentials: Specify the logon credentials used when scanning the specified target.
Power Saving: Configure power saving options. This dialog enables you to configure the scan to wait for offline machines to connect to the network, attempt to wake up offline machines and shut down machines when the scan is completed.
4. Click Agent Status tab > Change scan schedule....
Screenshot 44: Agent Activity Recurrence
5. Select Enable Schedule and configure the recurrence pattern.
6. Click OK.
Note: Additional properties can be configured from the Properties dialog. For more information, refer to Agent properties (page 47).
5.6.1 Starting an Agent scan manually
To start an on-demand scan on an agent computer:
1. Launch GFI LanGuard.
2. Click View Dashboard and select the computer(s) you want to start scanning.
3. From the Agent Status section, click Scan Now.
Note: Scan Now is only visible when the Agent Status is Agent Installed.
6 Dashboard
The Dashboard section provides extensive security information based on data acquired during audits. Amongst others, the Dashboard enables you to determine the current network vulnerability level, the most vulnerable computers, and the number of computers in the database.
Topics in this chapter:
6.1 Achieving results from the dashboard 83
6.2 Using the Dashboard 84
6.3 Using the Computer Tree 84
6.4 Using Attributes 88
6.5 Dashboard actions 90
6.
6.2 Using the Dashboard
This section provides the required information on how to use the GFI LanGuard Dashboard. To display the Dashboard:
1. Launch GFI LanGuard and click Dashboard tab.
Screenshot 45: View Dashboard
2. From the computers list, select a computer or computer group. The dashboard information updates according to your selection.
6.
6.3.1 Simple filtering
To filter for a specific computer or group:
1. From the left pane, click Filter.
2. Configure the criteria and click Turn ON filters.
Screenshot 46: Simple filtering
6.3.2 Advanced filtering
To filter for a specific computer or group using advanced filtering:
1. From the left pane, click Filter and Advanced filtering...
2. From the Advanced Filtering dialog, click Add.
Screenshot 47: Add Filter Properties
3. Select the filter property to restrict and click Next.
4. Select the condition and key in the condition value. Click Add.
5. Repeat steps 2 to 4 for each condition. Click OK.
6.3.3 Grouping
To group machines by specific attributes:
1. From the left panel, click Group.
2. Select one of the following attributes:
Domain and Organizational Unit
Operating System
Network Role
Relays Distribution
Attributes.
Note: If Attributes is selected, select the attribute from the drop-down list. For more information, refer to Using Attributes (page 88).
3. If Attributes is selected, select the attribute from the drop-down list.
4. Click Apply grouping.
6.3.4 Searching
The Search tab within the Computers tree enables you to search and display results for a specific computer or group. To display results for a specific computer:
1. From the Computers tree, select Search.
6.4 Using Attributes
Attributes enable you to group and configure single or multiple computers in one go. Attributes also enable you to remediate vulnerabilities or deploy software on specific computers based on the assigned attribute. The following sections contain information about:
Assigning attributes to a computer
Assigning attributes to a group
Configuring attributes
6.4.1 Assigning attributes to a computer
To assign attributes to a single computer:
1. Click Dashboard tab.
2.
6.4.2 Assigning attributes to a group
GFI LanGuard enables you to assign attributes to specific groups, domains, organizational units and networks. Once attributes are assigned, each member of the selected group inherits the attribute settings. To assign attributes to a group:
1. Click Dashboard tab.
2. From the computers list, right-click a network and select Assign attributes.
3. From the Add more computers wizard, select the network and click Next.
Screenshot 50: Assigning attributes: Multiple computers
4.
Screenshot 51: New attribute dialog
3. From the Name drop-down menu, select an attribute or key in a name to create a new one.
4. Specify a value for the attribute in the Value field. Click OK.
5. Repeat steps 2 to 4 until you add all the required attributes.
6. Click OK to save your settings.
6.5 Dashboard actions
The Actions section enables you to manage and remediate vulnerabilities and missing patches found in your network. To access the Actions section:
1. Select Dashboard tab.
2.
Ignore: Launch the Rule-Ignore Patch dialog. This enables you to ignore missing patches or vulnerabilities so that they are not reported as issues in the future. Configure for which machines this rule applies and the time span for which the issue is ignored.
Change Severity: Launch the Rule-Change Severity dialog. This enables you to change the severity level of a vulnerability. Configure for which machines this rule applies and the severity level.
6.7.1 Overview
Screenshot 53: Dashboard Overview
The Dashboard Overview is a graphical representation of the security level/vulnerability level of a single computer, domain or entire network. When a computer or domain is selected, the results related to the selected computer/domain are automatically updated in the dashboard.
Agent Status: When selecting a domain or workgroup, a chart showing the overall agent status of all computers within the domain/workgroup is displayed. This enables you to determine the number of agents installed or pending installation on the selected domain/workgroup. When selecting a single computer, this section displays an icon representing the agent status. The icons are described below:
Not installed - Agent is not installed on the target machine.
Security Sensors: This section enables you to identify issues at a glance. Click a sensor to navigate to and display issues and vulnerabilities for a specific computer or group. Sensors enable you to identify:
Missing Software Updates
Missing service packs
Vulnerabilities
Firewall Issues
Unauthorized Applications
Audit Status
Credentials setup
Malware Protection Issues
Agent Health Issues.
6.7.2 Computers view
Screenshot 54: Analyze results by computer
Select this view to group audit results by computer. From the drop-down list, select one of the options described below:
Table 40: View by computers information
Agent Details: Select this option to view the agent status. This option enables you to identify if an agent is installed on a computer and, if so, displays the type of credentials being used by the agent.
Open ports: View the number of:
Open TCP ports
Open UDP ports
Backdoors.
Software: View the number of:
Antiphishing engines
Antispyware engines
Antivirus engines
Backup applications
Data loss prevention applications
Device access and disk encryption applications
Firewalls
Installed applications
Instant messengers
Peer to peer applications
Unauthorized applications
Virtual machines
VPN clients
Web browsers.
6.7.3 History view
Select this view to group audit results by date for a specific computer. To configure the history starting date or history period, click the link provided.
6.7.4 Vulnerabilities View
Displays more details on the vulnerabilities found on a network and the number of affected computers. When a vulnerability is selected from the Vulnerability List, the Details section provides more information on the selected vulnerability. From the Details section, click Affected computers or Unaffected computers to display a list of affected and unaffected computers.
6.7.5 Patches View
Displays more details on the missing/installed patches and service packs found during a network audit. When a patch/service pack is selected from the list, the Details section provides more information on the selected patch/service pack. From the Details section, click Missing on to display a list of computers on which the selected patch is missing.
Screenshot 57: Patches view in Dashboard
Note: Drag and drop a column header in the designated area to group data by criteria.
6.7.6 Ports View
Displays more details on the open ports found during a network audit. When a port is selected from the Port List, the Details section provides more information on the selected port. From the Details section, click View computers having this port open to display a list of computers having the selected port open.
Screenshot 58: Ports view in Dashboard
Note: Drag and drop a column header in the designated area to group data by criteria.
6.7.7 Software View
Displays more details on the installed applications found during a network audit. When an application is selected from the Application List, the Details section provides more information on the selected application.
Screenshot 59: Software view in Dashboard
Note: Drag and drop a column header in the designated area to group data by criteria.
Note: Agent-less scans require a service to be run temporarily on the remote machine.
6.7.8 Hardware View
Displays more information on the hardware found during a network audit. Select hardware from the list to display more details.
Screenshot 60: Hardware view in Dashboard
Note: Drag and drop a column header in the designated area to group data by criteria.
6.7.9 System Information View
The System Information tab displays information associated with the operating system of the scan target(s).
Screenshot 61: System Information view in Dashboard
Note: Drag and drop a column header in the designated area to group data by criteria.
7 Interpreting Results
On completion of a network security scan, it is important to identify the areas that require immediate attention. Use the information provided in this chapter to determine the correct analysis and interpretation approach to get the most out of your scan results and apply the appropriate fixes.
Topics in this chapter:
7.1 Interpreting manual scan results 104
7.2 Loading results from the database 113
7.3 Saving and loading XML results 114
7.
Screenshot 62: Results overview
From Scan Results Overview, expand a computer node to access results retrieved during the scan. Security scan results are organized in two sub-nodes tagged as:
Vulnerability Assessment
Network & Software Audit
While a scan is in progress, each computer node has an icon that categorizes the response time. The table below describes the different icons used by GFI LanGuard to categorize the response time.
7.1.2 Vulnerability Level Rating
The GFI LanGuard vulnerability level is a rating assigned to each scanned computer. The rating can be viewed from:
Scan Results Details - This section in the Scan tab provides a vulnerability level meter assigned to the computers/groups that have been scanned.
Dashboard - The Dashboard section provides information for specific computers or selected groups of computers, from the computer tree.
Score classification
After categorizing detected vulnerabilities and generating a score for each category, the overall vulnerability level is generated. The vulnerability level is the severity rating with the highest score. Vulnerability level scores:
A score of >= 8 results in a High vulnerability rating.
A score of <= 7 and >= 5 results in a Medium vulnerability rating.
A score of <= 4 and >= 1 results in a Low vulnerability rating.
7.1.3 Vulnerability Assessment
Screenshot 65: The Vulnerability Assessment node
Click on any Vulnerability Assessment node to view the security vulnerabilities identified on the target computer, grouped by type and severity.
High Security Vulnerabilities
Click on the High Security Vulnerabilities or Low Security Vulnerabilities sub-nodes for a list of weaknesses discovered while auditing a target device.
Missing Service Packs
Click the Missing Service Packs and Update Rollups or Missing Security Updates sub-nodes to check for any missing software updates or patches. For a full list of missing service packs and missing patches that can be identified by GFI LanGuard, refer to http://go.gfi.com/?pageid=ms_app_fullreport
Bulletin information
To access bulletin information, right-click on the respective service pack and select More details > Bulletin Info.
Screenshot 66: Bulletin info dialog
7.1.
Click Network & Software Audit to view security vulnerabilities identified on scanned targets. In this section, vulnerabilities are grouped by type and severity.
System Patching Status
Click System Patching Status to view all missing and installed patches on a target machine. Available links are:
Missing Service Packs and Update Rollups
Missing Security Updates
Missing Non-Security Updates
Installed Service Packs and Update Rollups
Installed Security Updates
Installed Non-Security Updates.
Apart from detecting open ports, GFI LanGuard uses service fingerprint technology to analyze the service(s) running behind the detected open port(s). With service fingerprinting, GFI LanGuard can detect if malicious software is using the detected open port.
Screenshot 69: All UDP and TCP ports found during a scan
Hardware
Click Hardware to view all details discovered by the hardware audit.
Table 45: Software information from an audit
General Applications: Enumerates installed software on scan targets.
Antivirus Applications: Lists installed antivirus engines on scan targets.
Instant Messenger Applications: Lists all detected instances of instant messenger applications on scan targets.
Patch Management Applications: Lists all the installed patch management applications detected on your scan targets during a scan.
Category: Registry Information
Items: Registered owner, Registered organization, Product name, Current build number
Identify: Hardware and software settings such as which drivers and applications will be automatically launched at system startup.
Category: NETBIOS Names
Items: Workstation service, Domain name, Domain controllers, File server service
Identify: Rogue computers, wrong configurations.
Category: Groups
Items: Account operators, Administrators, Backup operators, Guest
Identify: Wrong configurations, security flaws due to rogue or obsolete user groups.
Screenshot 70: Reloaded scan results
3. Select the saved scan result and click OK.
4. Analyze loaded results. For more information on how to interpret results, refer to the following sections:
Vulnerability Assessment
Network and Software Audit.
7.3 Saving and loading XML results
Scan results are an invaluable source of information for systems administrators. GFI LanGuard results are stored in a SQL Server® or an Access™ database. In addition, scan results can also be exported to XML.
2. Locate the scan results to load and click OK.
3. Analyze loaded results.
8 Remediate Vulnerabilities
GFI LanGuard enables you to manually or automatically fix vulnerabilities on network computers. Use the information in this chapter to learn how to configure and manage remediation operations to maintain a high level of security amongst your scan targets.
Topics in this chapter:
8.1 Automatic Remediation 116
8.2 Manual Remediation 138
8.
Table 47: Automatic remediation stages
Stage 1: Select the application to auto-uninstall.
Stage 2: Ensure that the application supports silent uninstall. Test this by trying to remotely uninstall the application. This is the validation process.
Stage 3: Set up a scheduled audit that will remove the unauthorized application. This is done automatically (using agents) or manually (agent-less approach).
Screenshot 71: Patch auto-deployment
Note: Key in a search criterion and click Find to search for a specific application.
Configuring Patch Auto-Deployment advanced options
To configure auto-remediation:
1. Click Configuration tab > Software Updates > Patch Auto-Deployment and, from Common Tasks, click Advanced options.
Screenshot 72: Patch Auto-Deployment Advanced Options
2. Configure the following options:
Table 48: Patch Auto-Deployment Advanced Options
Send an email when new patches or service packs are available: Send an email when new patches are identified.
Enable automatic approval for: Selected updates are automatically downloaded and installed on target computers. Select from the following:
Security updates
Non-security updates
Service packs and update rollups.
Configuring Patch Auto-download settings
GFI LanGuard ships with a patch auto-download feature that enables the automatic download of missing patches and service packs in all 38 languages supported by Microsoft® products. In addition, you can also schedule patch auto-download by specifying the timeframe within which the download of patches is performed. To configure patch auto-download:
1. Click Configuration tab > Software Updates > Patch Auto-Download.
2. From the right pane, click the link.
Screenshot 74: Patch Repository settings
4. To change the location where the downloaded patches are stored, click the Patch Repository tab and specify the required details.
5. Select Use files downloaded by WSUS when available, if you are using an existing setup of WSUS.
6. To change the timeframe during which patch downloads are performed, click the Timeframe tab and specify the required details.
7. Click Apply and OK.
8.1.
Validating unauthorized applications for auto-uninstall
Managing applicable scheduled scans
Setting an application as unauthorized
1. Click on Configuration tab > Applications inventory sub-node.
2. From the list of applications detected on the right, double-click the application to set as unauthorized.
Screenshot 75: Unauthorized application
3. Select the scanning profile for which this application will be set as unauthorized and click Next.
4.
Screenshot 76: Applications inventory wizard
4. Specify the application name. Optionally provide the version number and publisher name. Click Next.
5. Select the scanning profiles that will detect unauthorized applications (Example: Full Scan) and click Next.
6. Specify whether the changes made will affect applications that have a partial/full name match. Click Next to continue.
7. Review the information and click Finish.
Screenshot 77: Application auto-uninstall validation
2. From the right pane, select an application to validate and click Validate.
3. In the Application auto-uninstall validation wizard, click Next.
4. Select the computer on which to test the application auto-uninstall and click Next.
5. Provide the authentication details for the validation operation and click Next.
6. Review the Auto-uninstall validation wizard information and click Start.
8.1.4 Configuring auto-remediation options
To edit the general deployment options:
1. Launch GFI LanGuard.
2. From the computer tree, right-click a computer/computer group and select Properties.
Screenshot 78: Computer properties
3. Select the Agent Status tab and, from Auto remediation settings, click Change settings...
Screenshot 79: General auto-remediation settings
4. Select the action to take after receiving scan results from the agent. Click Configure auto-remediation options...
Screenshot 80: Before deployment options
5. Configure the Before Deployment options described below:
Table 50: Before deployment
Wake up offline computers: Start computers if they are turned off. For more information, refer to Configuring Wake-on-LAN on scan targets (page 130).
Warn user before deployment (show message): Displays a message on the target machine to warn the user before deploying software.
Screenshot 81: After deployment options
6. Click the After Deployment tab. Configure the After Deployment options described below:
Table 51: After deployment
Do not reboot/shut down the computer: Select this option to leave the scan target(s) turned on after remediating vulnerabilities.
Reboot the target computers: Reboots the computers after remediating vulnerabilities.
Shut down the target computers: The target machine will shut down after deploying software.
Delete copied files from remote computers after deployment: Deletes the downloaded patches / service packs after they are deployed.
Remember settings: Saves your configured settings and uses them during the next remediation job.
Screenshot 82: Advanced deployment options
7. (Optional) Select the Advanced tab.
Configuring Wake-on-LAN on scan targets
Wake-on-LAN enables GFI LanGuard to wake machines from the following states:
Powered off
Sleep
Hibernated.
The motherboard and the network interface card of the computer running GFI LanGuard must support Wake-on-LAN. To configure Wake-on-LAN on Windows® 7:
1. Click Start, right-click Computer and select Manage.
2. From the left panel, expand System Tools and click Device Manager.
Screenshot 83: Device Manager
3.
Screenshot 84: Power Management
4. From the Power Management tab, select the following options:
Allow this device to wake up the computer
Only allow a magic packet to wake the computer
Note: The Magic Packet is the wake-up signal that is sent by GFI LanGuard to the scan target's network card.
5. Click OK.
Once the Network Interface Card is configured, run a FULL scan on the client machine. This enables GFI LanGuard to gather the required information from the client machine.
8.1.5 Configuring end-user reboot and shut down options
When configuring After Deployment settings in Auto-remediation options, you can configure GFI LanGuard to notify the user and let them decide when to reboot or shut down the computer after completing an administrative task.
Screenshot 86: Remediation Center - Deploy Software Updates
4. Click Remediate.
Screenshot 87: Deployment options dialog
5. Click Advanced options.
Screenshot 88: Before Deployment Message options
6. From the Remediation options dialog, click Before Deployment tab > Messages....
Screenshot 89: Customizing warning messages
7. Customize any of the following options:
Table 54: Warning messages
Language: Select the message language.
When not waiting for user approval: Use or customize the pre-defined message that launches on the end user's computer when GFI LanGuard is not waiting for approval.
When waiting for user approval: Use or customize the pre-defined message that launches on the end user's computer when GFI LanGuard is waiting for approval.
8.
Screenshot 90: Agent auto-remediation
5. Select Download and deploy missing updates to enable automatic remediation for missing patches.
6. Select Download and deploy missing service packs and update rollups to enable automatic remediation for missing service packs.
7. Select Uninstall unauthorized applications to enable automatic remediation for unauthorized applications.
8. (Optional) Click Configure auto-remediation options… to further customize remediation options.
8.2 Manual Remediation
Apart from automatically downloading patches and service packs, GFI LanGuard can also deploy these updates network-wide as well as recall any patches that were deployed. Both patch deployment and patch rollback operations are managed by an agent service that handles all file transfers between GFI LanGuard and remote targets. This service is installed automatically on the remote target computer during the patch deployment process.
Screenshot 91: Remediation center
From the left panel, expand and locate a computer or a domain on which to perform remediation actions. The available remediation actions are described below:
Table 55: Remediation actions
Deploy Software Updates: Deploy missing patches discovered when auditing target computers. For more information, refer to Deploying Software Updates (page 139).
Uninstall Software Updates: Uninstall service packs from target computers.
This feature enables you to specifically select the items you want to deploy and provides you with a detailed description for each.
Note: To view additional information about an update, right-click the update and select More details > Bulletin info...
To manually deploy software updates:
1. Launch GFI LanGuard.
2. Click Remediate tab and expand Deploy Software Updates.
Screenshot 92: Deploying software updates
3. From the computer tree, select the computer/group on which to deploy software updates.
4.
Screenshot 93: Deploy software updates options
6. The Deploy software updates dialog enables you to edit deployment options before starting the deployment operation. Review the options described below:
Table 56: Deploy software updates options
Deploy immediately: Selected by default. Leave selected to deploy missing updates immediately.
Deploy on: Specify a date and time when to deploy missing updates.
Credentials: Provides you with the credentials settings for updates.
8.2.4 Uninstalling Software Updates
The Uninstall Software Updates feature enables you to manually remove:
Installed Service Packs and Update Rollups
Installed Security Updates
Installed Non-Security Updates.
To manually uninstall software updates:
1. Launch GFI LanGuard.
2. Click Remediate tab and expand Uninstall Software Updates.
Screenshot 94: Uninstalling software updates
3. From the computer tree, select the computer/group from which to uninstall software updates.
4.
Screenshot 95: Uninstall software updates options
6. The Uninstall software updates dialog enables you to edit uninstall options before starting the uninstall operation. Review the options described below:
Table 57: Uninstall software updates options
Uninstall immediately: Selected by default. Leave selected if you want to uninstall updates immediately.
Uninstall on: Specify a date and time for when updates are uninstalled.
8.2.5 Deploying Custom Software
Apart from security updates and patches, GFI LanGuard also enables you to remotely deploy third party or custom software network-wide. Software that can be remotely deployed includes:
Security applications such as anti-virus/anti-spyware solutions and software firewalls
Third party software updates and patches such as anti-virus/anti-spyware signature file updates
Custom code such as scripts and batch files
Desktop applications such as Microsoft® Office 2007 and more.
Remove: Select an application from the list and click this button to remove the application.
Import: Click this button to import the application parameters from an XML file.
Export: Click this button to export the application parameters to an XML file.
4. Click Deploy and configure the options described below:
Table 59: Deployment options
Deploy immediately: Deploy the selected applications immediately.
Screenshot 97: Uninstall applications
2. Expand the application to display the list of computers and select the computers from which the application will be uninstalled.
Note: The list of applications displayed relies on the unauthorized applications set up for the scanning profile in use. For more information, refer to Configuring unauthorized applications auto-uninstall (page 121).
3. Repeat step 2 for all applications that will be uninstalled and click Uninstall.
Uninstall on: Uninstall the selected applications on a specific date and time. Configure when to uninstall the applications.
Credentials: Select the authentication method to use or specify a username and password. Select Use per computer credentials when available to use the credentials specified in the computer properties. For more information, refer to Agent properties (page 47).
Before deployment options: Configure the actions to perform before deploying the selected applications.
Screenshot 98: Malware protection
To remediate malware protection vulnerabilities:
1. Select Remediate tab > Remediation Center and click Malware Protection.
2. Locate and expand the malware vulnerability and select the computers to remediate.
Note: Key in a criterion and click Find to search for a vulnerability. Click Clear to clear previous search results.
3.
After deployment options: Configure the actions to perform after deploying the selected applications. For more information, refer to Configuring auto-remediation options (page 125).
Advanced options: Configure other options related to reboot/shut down and deleting copied files from remote computers. For more information, refer to Configuring auto-remediation options (page 125).
4. Click OK.
5. To view the action progress, click Remediation Jobs from the right panel.
8.2.
Note: To disconnect a machine, select Remediation Center > Remote Support via…, right-click a machine from the list and select Disconnect.
Note: To disable remote connection, right-click a machine and select Disable Remote Connection.
9 Activity Monitoring
Monitoring enables you to learn more about how GFI LanGuard is performing in your infrastructure. The Activity Monitor tab in GFI LanGuard enables you to monitor active security scans, remediation jobs and download operations of missing updates and security definitions.
Topics in this chapter:
9.1 Monitoring Security Scans 151
9.2 Monitoring Software Updates Download 153
9.3 Monitoring Remediation Operations 155
9.4 Monitoring Product Updates 158
9.
Note: To stop a scan, right-click the security scan and select Stop selected scans.
Note: Drag and drop a column header in the designated area to group data by criteria.
9.1.1 Filter Security Scans
The Security Scan section enables you to configure what type of scans to monitor. To configure what type of scans are displayed:
1. Launch GFI LanGuard.
2. Click Activity Monitor tab and, from Common Tasks, click Filter security scans.
Screenshot 101: Filter security scan dialog
3.
Only last X scans: Displays only the last X scans.
Only scans performed in the last X days: Displays only the scans performed in the last X days.
Interactive scans: Displays only manual scans. For more information, refer to Manual scans (page 66).
Scheduled scans: Displays only scheduled scans. For more information, refer to Scheduled scans (page 70).
Agent scans: Displays only scans performed on agent computers.
Failed: An error occurred while downloading the update. Refer to the Error column for more details regarding the error encountered.
Pending: Update is queued for download.
Cancelled: User cancelled the update download.
Right-click an entry and select one of the options described below:
Table 64: Security updates download
Configure Patch Auto-Download: Enables or disables auto-patch download and is used to configure where the patches are stored.
Error Message / Cause / Solution
Error message: The repository folder is not accessible. See Configuration - Patch Auto-download.
Cause: The repository folder is the location where updates are downloaded to. GFI LanGuard enables you to specify alternate repositories other than the default location. This error is generally caused after specifying an invalid or inaccessible repository path (for example, the given path refers to a location on a shut-down computer).
Solution: 1.
Screenshot 103: Monitoring jobs from the Remediation jobs sub-tab
3. From the computer tree, select Entire Network to view all the running as well as completed operations. Select specific computers/groups to view remediation job history and/or remediation progress for the selected item(s).

Note: Right-click a remediation job and select Cancel selected deployment to stop the operation.
9.3.2 Remediation Operations view

The Remediation Operations screen enables you to monitor as well as cancel all the scheduled remediation features within GFI LanGuard. To view remediation job activity:
1. Launch GFI LanGuard.
2. Click Activity Monitor > Remediation Operations.
Screenshot 104: Monitoring jobs from the Remediation Operations view
3. Use the view to monitor the status and history of all the running and completed remediation jobs.
Note: The Remediation job details section provides granular progress details indicating the total number of files that have to be downloaded, the download progress for each file and the current operation being executed as part of the remediation job.

9.4 Monitoring Product Updates

The Product Updates Activity screen enables you to view a history of the product updates performed by GFI LanGuard. For more information, refer to Configuring Program Updates (page 184).
10 Reporting

GFI LanGuard includes a reporting module which enables you to generate text and graphical reports based on information obtained from network security scans. This chapter provides an overview of the available reports as well as how to create your own reports for a tailored solution. Through the Reports tab, you can generate technical activity reports for IT staff and also executive reports that normally contain less technical detail and focus more on overall statistics.
Table 66: Available General Reports
Report Title - Description
Network Security Overview - An executive summary report showing: network vulnerability level; most vulnerable computers; Agent status; audit status; vulnerability trends over time; information on operating systems; servers and workstations.
Computer Security Overview - An executive summary report showing: computer vulnerability level; Agent status; audit status; vulnerability trends over time; computer summary and details.
Report Title - Description
Full Audit - A technical report showing information retrieved during an audit. Amongst others, the report contains information on: vulnerabilities; open ports; hardware and software.
Computer Summary - A summary of scan target information, including: operating system information; Agent status; vulnerability severity.
Hardware Audit - Illustrates information related to the hardware found during an audit.
Report Title - Description
Scan History - An overview of the network security audits performed over time. Amongst others, the report includes information on: most scanned computers; least scanned computers; auditing status; history listing.
Remediation History - Shows information related to remediation actions performed on target computers. Amongst others, the report includes information on: remediation actions per day; remediation distribution by category; remediation list grouped by computers.
Report Suite Title - Description
HIPAA Compliance Reports - The Health Insurance Portability and Accountability Act (HIPAA) is a requirement of all healthcare providers that regulates the exchange of private patient data. This helps prevent unlawful disclosure or release of medical information. To help you follow HIPAA regulations, GFI LanGuard provides a suite of HIPAA compliance reports, including: HIPAA 164.308(a)(1)(ii)(A) - Missing Security Updates by Host; HIPAA 164.
Report Suite Title - Description
ISO/IEC 27001 & 27002 Compliance Reports - The Information technology - Security techniques - Information security management systems (ISO/IEC) standard formally specifies a management system that is intended to bring information security under explicit management control. GFI LanGuard offers an extensive list of ISO/IEC compliance reports, including: ISO/IEC 27001 A.10.4 - Antivirus Applications; ISO/IEC 27001 A.10.7.2 - Disk Encryption Applications; ISO/IEC 27001 A.10.6.
10.2 Generating reports

GFI LanGuard ships with an extensive list of default reports. These can be used as they are, or modified to provide information precisely to your requirements.

Note: For more information, refer to Customizing default reports (page 170).

To generate a report:
1. Click Reports tab.
2. From the computer tree, select the computer/group you want to report on.
Note: Select Entire Network to report on all the computers listed under the computer tree.
3.
Screenshot 107: Report sample - Part 2
Screenshot 108: Report sample - Part 3
10.3 Scheduling Reports

To automate reporting tasks, GFI LanGuard enables you to generate and optionally send reports based on a schedule. You can configure schedules for existing or custom reports. This section contains information about:
Creating new scheduled reports
Configuring scheduled reports options
Managing scheduled reports

10.3.1 Creating new scheduled reports

To create a new scheduled report:
1. Click Reports tab.
2. From Actions, select New scheduled report.
Option - Description
Click Add IP to open the Add IP address range dialog. From the Add IP address range dialog, key in an IP range or subnet and click OK.
Select the Domain/Workgroup/IP range you want to remove and click Remove Domain/IP.
5. From the Filter drop-down menu, select a filter that you want to apply to the new scheduled report. This enables you to generate reports based on data pertaining to scan targets included in the filter.
Note: Only custom filters can be applied to scheduled reports.
7. From Alerting & Saving Settings, configure the following options:
Table 71: Alerting & Saving Settings
Option - Description
Export to file - Select to save the report in a folder.
Export Settings - Click Export Settings and, from the Scheduled Reports Storage Options dialog, specify the folder where the report is saved and the format the report is saved in.
Send by email - Select to send the report by email. The report is sent to the recipients configured in Alerting Options.
Screenshot 111: Edit scheduled reports options
3. Double-click a report from the right pane to edit scheduled report settings.
Screenshot 112: Monitor scheduled reports activity
4. Monitor scheduled reports activity from the Scheduled Reports Activity Logs section at the bottom of the right pane.

10.4 Customizing default reports

GFI LanGuard enables you to create new reports based on the settings of an existing report.
Note: Not all reports are editable.
Screenshot 113: Edit report settings from the report sample preview
3. From the right pane, click Customize report to show advanced report options.
Screenshot 114: Configuring report items
4. Click Report Items tab and select the related items that you want to include in the report.
Screenshot 115: Configuring report filtering options
5. Click Filters tab and configure the available filters that relate to the report.
Screenshot 116: Configure report grouping and sorting options
6. Click Grouping & Sorting tab and configure:
First category grouping - report information is grouped by the selected field
Second category grouping - grouped information is sub-grouped by the selected field
Additional ordering - order report information according to the selected field.
7.
2. Resize image to: Width = 624, Height = 25.
3. Rename the image to headerlogo.png.
4. Copy/paste the image in \Graphics\Logo.

Customizing Report Footer Logo
1. Create/select your image.
2. Resize image to: Width = 109, Height = 41.
3. Rename the image to footerlogo.png.
4. Copy/paste the image in \Graphics\Logo.
10.4.
Placeholder - Description
%AUTOREMED_MISSINGSPS% - Used in the report if the Auto-remediate Missing Service Packs option is enabled for the scheduled scan. Note: This placeholder is used only for post-scheduled scan reports.
%AUTOREMED_UNINSTAPPS% - Used in the report if the Auto-remediate Uninstall Applications option is enabled for the scheduled scan. Note: This placeholder is used only in post-scheduled scan reports.
10.
Screenshot 117: Customize the report parameters
3. (Optional) Click Advanced search to configure filters that narrow your search results to something more specific.
4. Analyze the search results from the results section at the bottom. The result contains links that enable you to navigate between computers, software products and vulnerabilities. For example, you can click a missing service pack link to open the missing patches for a specific computer.
Screenshot 118: Navigate using report links
11 Customizing GFI LanGuard

GFI LanGuard enables you to run vulnerability scans straight out of the box, using the default settings configured prior to shipping. If required, you can also customize these settings to suit any particular vulnerability management requirements that your organization might have. You can customize and configure various aspects of GFI LanGuard, including scan schedules, vulnerability checks, scan filters and scan profiles.

Topics in this chapter:
11.
Table 73: Mail settings parameters
Option - Description
To - The recipient email address. Emails sent by GFI LanGuard are received by this email address.
CC - Key in another email address in this field if you need to send a copy to another email address.
From - The sender email address. GFI LanGuard uses this email account to send the required emails.
Server - Defines the server through which emails are routed. This can be either an FQDN (Fully Qualified Domain Name) or an IP address.
Screenshot 120: The database maintenance properties dialog
2. Select the MS Access option and specify the full path (including the file name) of your Access™ database backend.
Note: The specified database file is created if it does not exist.
Note: If the specified database file already exists and belongs to a previous version of GFI LanGuard, you are asked to overwrite the existing information.
3. Click OK.
11.2.
Screenshot 121: SQL Server® database backend options
2. Select the MS SQL Server option and choose the SQL Server that will host the database from the provided list of servers discovered on your network.
3. Specify the SQL Server credentials or select the Use NT authority credentials option to authenticate to the SQL Server using Windows account details.
4. Click OK to finalize your settings.
6. If the current Access™ database contains data, click OK to transfer all scan data to the SQL Server® database.

11.2.3 Managing saved scan results

Use the Saved Scan Results tab to maintain your database backend and delete saved scan results that are no longer required. Deletion of non-required saved scan results can be done manually as well as automatically through scheduled database maintenance.
11.2.4 List scanned computers

GFI LanGuard maintains a global list of scanned computers for licensing purposes. Any computers in excess of what is specified in the licensing information are not scanned. GFI LanGuard enables systems administrators to delete scanned computers in order to release licenses that were previously utilized. To delete computers previously scanned:
1. Click Configuration tab > Database Maintenance Options > Manage list of scanned computers.
2.
Screenshot 123: Database Maintenance properties: Advanced tab
To compact and repair an Access™ database backend:
1. Click Configuration tab > Database Maintenance Options > Database maintenance plan.
2. To manually launch a repair and compact process on an Access™ database backend, click Compact Now.
3.
Table 75: Database retention options
Option - Description
Keep scans generated during the last - Keep scan results generated during the specified number of days/weeks/months.
Keep scans per scan target per profile, number of - Specify the number of scan results to keep, for every scan target by every scan profile.
Never delete history - Select this option if you want to keep all scan history.
Keep history for the last - Keep scan history for the specified number of days/weeks/months.
3. Click OK.
11.
Screenshot 124: Configuring proxy server settings
3. Select Override automatic proxy detection and configure the options described below:
Table 76: Proxy settings
Option - Description
Connect directly to the Internet - A direct Internet connection is available.
Connect via a proxy server - Internet access is through a proxy server.
Screenshot 125: Configure updates at application startup
2. Select/unselect Check for updates at application startup to enable/disable automatic update checks at application startup.
3. Select/unselect Enable scheduled updates to configure the frequency of update checks.
4. Specify whether GFI LanGuard downloads updates from the GFI website or from an alternative location.
5. Click OK.

11.3.3 Installing program updates manually

To start GFI LanGuard program updates manually:
1.
Screenshot 126: Check for Updates wizard
3. Specify the location from where the required update files will be downloaded.
4. (Optional) To change the default download path, select Download all update files… to this path and provide an alternate download path to store all GFI LanGuard updates.
5. Click Next to proceed with the update.
6. Select the updates and click Next.
7. Click Start to start the update process.
12 Scanning Profile Editor

The scanning profiles that ship with GFI LanGuard are already pre-configured to run a number of vulnerability checks on selected targets. You can however disable vulnerability scanning as well as customize the list of vulnerability checks executed during a scan. Scans can be modified through the Scanning Profile Editor.

Topics in this chapter:
12.1 Create a new Scanning Profile 188
12.2 Configuring Vulnerabilities 189
12.3 Configuring Patches 199
12.
Screenshot 127: The Scanning Profile Editor
4. Specify the name of the new profile and optionally select Copy all settings from an existing profile to clone settings from an existing profile.
5. Click OK to save settings. The new scanning profile is added under Profiles in the left pane.
12.
Screenshot 128: Enabling vulnerability scanning for the selected scanning profile
3. From the Vulnerability Assessment Options tab, click Vulnerabilities sub-tab.
4. Select the scanning profile to customize from the left pane under Profiles.
5. In the right pane, select Enable Vulnerability Scanning.
Note: Vulnerability scanning is configured on a scan profile by scan profile basis.
Screenshot 129: Select the vulnerability checks to be run by this scanning profile
2. In the right pane, select the vulnerability checks to execute through this scanning profile.

12.2.3 Customizing vulnerability check properties

All the checks listed in the Vulnerabilities tab have specific properties that determine when the check is triggered and what details are enumerated during a scan.
Screenshot 130: Vulnerability properties dialog: General tab
To change the properties of a vulnerability check:
1. Right-click the vulnerability to customize and select Properties.
2. Customize the selected vulnerability check from the tabs described below:
Table 77: Vulnerability properties dialog
Tab - Description
General - Use this tab to customize the general details of a vulnerability check, including vulnerability check name, vulnerability type, OS family, OS version, Product, Timestamp and Severity.
Screenshot 131: Vulnerability conditions setup tab
To add a vulnerability check condition:
1. From Vulnerability Assessment Options tab > Vulnerabilities sub-tab, right-click a vulnerability from the list of vulnerabilities and select Properties.
2. From the Edit vulnerability dialog, click Conditions tab > Add.
Screenshot 132: Check properties wizard - Select check type
3. Select the type of check to be configured and click Next.
Screenshot 133: Check properties wizard - Define the object to examine
4. Define the object to examine and click Next.
Screenshot 134: Check properties wizard - Set required conditions
5. Specify the required conditions and click Finish to finalize your settings.
Screenshot 135: Check properties wizard - Defining conditional operators
6. If more than one condition is set up, define the conditional operators and click OK to finalize your configuration settings.
Screenshot 136: Advanced vulnerability options
7. (Optional) Click Advanced in the Vulnerabilities tab to launch the advanced vulnerability scanning options.
Screenshot 137: Advanced vulnerability scanning dialogs
The options in Advanced Vulnerabilities Options are used to:
Configure extended vulnerability scanning features that check your target computers for weak passwords, anonymous FTP access and unused user accounts.
Configure how GFI LanGuard handles newly created vulnerability checks.
Configure GFI LanGuard to send CGI requests through a specific proxy server.
Searching for Bulletin Information

12.3.1 Enabling/disabling missing patch detection checks

Screenshot 138: Scanning Profiles properties: Patches tab options
To enable missing patch detection checks in a particular scanning profile:
1. Launch GFI LanGuard.
2. Click the GFI LanGuard button and select Configuration > Scanning Profile Editor. Alternatively, press CTRL + P to launch the Scanning Profiles Editor.
3. From the Vulnerability Assessment Options tab, click Patches sub-tab.
4.
2. Select the scanning profile to customize from the left pane under Profiles.
Screenshot 139: Select the missing patches to enumerate
3. In the right pane, select/unselect which missing patches are enumerated by this scanning profile.

12.3.3 Searching for Bulletin Information

Screenshot 140: Searching for bulletin information
To search for a particular bulletin:
1.
Screenshot 141: Extended bulletin information

12.4 Configuring Network & Software Audit options

The scanning profiles that ship with GFI LanGuard are already pre-configured to run a number of network and software audit checks on selected targets. You can however disable scanning as well as customize the list of network and software audits executed during a scan.
12.4.1 Configuring TCP/UDP port scanning options

Screenshot 142: Scanning Profiles properties: TCP Ports tab options
Table 78: TCP Port scanning options
Option - Description
Enabling/disabling TCP Port scanning - To enable TCP Port Scanning in a particular scanning profile:
1. From the Network & Security Audit Options tab, click TCP Ports sub-tab.
2. Select the scanning profile that you wish to customize from the left pane under Profiles.
3. Select the Enable TCP Port Scanning option.
12.4.2 Configuring System Information options

Screenshot 143: Scanning Profiles properties: System Information tab options
To specify what System Information is enumerated by a particular scanning profile:
1. From the Network & Security Audit Options tab, click System Information sub-tab.
2. Select the scanning profile that you wish to customize from the left pane under Profiles.
3. From the right pane, expand the Windows System Information group or Linux System Information group accordingly.
4.
Screenshot 144: The network devices configuration page
GFI LanGuard can also exclude from the scanning process specific USB devices that you consider safe, such as a USB mouse or keyboard. This is achieved through a safe/white list of USB devices to be ignored during scanning. Similarly, you can create a separate scanning profile that enumerates only Bluetooth dongles and wireless NIC cards connected to your target computers.
Table 79: Device scanning options
Option - Description
Enabling/disabling checks for all installed network devices - To enable network device (including USB device) scanning in a particular scanning profile:
1. From the Network & Security Audit Options tab, click Devices sub-tab.
2. Click Network Devices tab.
3. Select the scanning profile to customize from the left pane under Profiles.
4. From the right pane, select Enable scanning for hardware devices on target computer(s).
12.4.4 Configuring Applications scanning options

The Applications tab enables you to specify which applications will trigger an alert during a scan.
Screenshot 145: The applications configuration page
Through this tab, you can also configure GFI LanGuard to detect and report unauthorized software installed on scanned targets and to generate high security vulnerability alerts whenever such software is detected.
Option - Description
Compiling installed applications blacklist/white-list - To compile the installed applications blacklist/white-list:
1. From the Network & Security Audit Options tab, click Applications sub-tab.
2. Select Unauthorized Applications sub-tab.
3. Select the scanning profile to customize from the left pane under Profiles.
4. From the right pane, select the Enable scanning for installed applications on target computer(s) checkbox.
5. Specify the applications that are authorized for installation.
Option - Description
Enabling/disabling checks for security applications - To enable checks for installed security applications in a particular scanning profile:
1. From the Network & Security Audit Options tab, click the Applications sub-tab.
2. Click the Advanced Options tab.
3. Select the scanning profile that you wish to customize from the left pane under Profiles.
4. Select the Enable scanning for installed applications on target computer(s) checkbox.
5.
Screenshot 146: Scanning Profiles properties: Scanner Options tab
Configurable options include timeouts, types of queries to run during target discovery, number of scanning threads, SNMP scopes for queries and more.

Important: Configure these parameters with extreme care! An incorrect configuration can affect the security scanning performance of GFI LanGuard.

To configure scanner options:
1.
Parameter - Description
Ping sweep - Enable/disable the use of ping sweeps to discover network devices.
Custom TCP discovery - Discover online machines by querying for the specified open TCP ports.
Network Discovery Options:
Scanning delay - Key in the time interval (in milliseconds) between one scan and another.
Network discovery query responses timeout - Amount of time in milliseconds the security scanner waits before timing out when performing a machine discovery query (NetBIOS/SNMP/Ping).
13 Utilities

GFI LanGuard provides a set of network utilities that enable you to monitor network activity, gather network information and audit network devices.

Topics in this chapter:
13.1 DNS Lookup 212
13.2 Traceroute 215
13.3 Whois 216
13.4 Enumerate Computers 217
13.5 Enumerate Users 219
13.6 SNMP Auditing 220
13.7 SNMP Walk 221
13.8 SQL Server® Audit 222
13.9 Command Line Tools 223
13.
Screenshot 147: DNS Lookup tool
4. Under Common Tasks in the left pane, click Edit DNS Lookup options or click Options on the right pane and specify the information described below:
Table 82: DNS lookup options
Option - Description
Basic Information - Retrieve the host name and the relative IP address.
Host Information - Retrieve HINFO details. The host information (known as HINFO) generally includes target computer information such as hardware specifications and OS details.
Screenshot 148: DNS Lookup tool options
5. (Optional) Specify the alternative DNS server that the DNS Lookup tool will query, or leave the default to use the default DNS server.
6. Click Retrieve to start the process.
13.2 Traceroute

Traceroute identifies the path that GFI LanGuard followed to reach a target computer.
Screenshot 149: Traceroute tool
To use the Traceroute tool:
1. Launch GFI LanGuard.
2. Click Utilities tab and select Traceroute in the left pane under Tools.
3. In Trace (domain/IP/name), specify the name/IP or domain to reach.
4. (Optional) Under Common Tasks in the left pane, click Edit Traceroute options or click Options on the right pane to change the default options.
5.
Icon - Description
Indicates a successful hop, but the time required was too long.
Indicates that the hop timed out (> 1000 ms).

13.3 Whois

Whois looks up information on a particular domain or IP address.
Screenshot 150: Whois tool
1. Launch GFI LanGuard.
2. Click Utilities tab and select Whois in the left pane under Tools.
3. In the Query (domain/IP/name) menu, specify the name/IP or domain to reach.
4.
13.4 Enumerate Computers

Screenshot 151: Enumerate Computers tool
The Enumerate Computers utility identifies domains and workgroups on a network. During execution, this tool also scans each domain/workgroup discovered so as to enumerate their respective computers. The information enumerated by this tool includes:
The domain or workgroup name
The list of domain/workgroup computers
The operating system installed on the discovered computers
Any additional details that might be collected through NetBIOS.
4. From Common Tasks in the left pane, click Edit Enumerate Computers options or Options on the right pane.
5. Select whether to enumerate computers from Active Directory® or Windows Explorer.
6. Click Retrieve to start the process.
Note: For an Active Directory® scan, you need to run the tool under an account that has access rights to Active Directory®.
13.4.
13.5 Enumerate Users

Screenshot 152: The Enumerate Users tool dialog
To scan Active Directory® and retrieve the list of all users and contacts included in this database:
1. Launch GFI LanGuard.
2. Click Utilities tab and select Enumerate Users in the left pane under Tools.
3. In the Enumerate users in domain menu, select the desired domain.
4.
13.6 SNMP Auditing

Screenshot 153: SNMP Audit tool
This tool identifies and reports weak SNMP community strings by performing a dictionary attack using the values stored in its default dictionary file (snmp-pass.txt). You can add new community strings to the default dictionary file by using a text editor (for example, notepad.exe). You can also direct the SNMP Audit tool to use other dictionary files.
13.7 SNMP Walk

Screenshot 154: SNMP Walk tool
To probe your network nodes and retrieve SNMP information (for example, OIDs):
1. Launch GFI LanGuard.
2. Click Utilities tab and select SNMP Walk in the left pane under Tools.
3. In the IP address menu, specify the IP address of the computer that you wish to scan for SNMP information.
4. From Common Tasks in the left pane, click Edit SNMP Walk options or Options on the right pane to edit the default options, such as providing alternative community strings.
5.
13.8 SQL Server® Audit

This tool enables you to test the password vulnerability of the 'sa' account (i.e. root administrator) and any other SQL user accounts configured on the SQL Server®. During the audit process, this tool performs dictionary attacks on the SQL Server® accounts using the credentials specified in the 'passwords.txt' dictionary file. However, you can also direct the SQL Server® Audit tool to use other dictionary files.
13.9 Command Line Tools

The command line tools enable you to launch network vulnerability scans and patch deployment sessions, as well as import and export profiles and vulnerabilities, without loading the GFI LanGuard management console. Use the information in this section to learn how to run patch management functions using the following CMD tools:
Lnsscmd.exe
Deploycmd.exe
Impex.exe

13.9.1 Using Lnsscmd.exe

The 'lnsscmd.
Switch - Description
/Shutdown - (Optional) Shuts down computers after the scan.
/ShutdownIntervalStart - (Optional) Dependent on /Shutdown. The start time of the interval when shutdown is allowed. Use hh:mm:ss format.
/ShutdownIntervalEnd - (Optional) Dependent on /Shutdown. The end time of the interval when shutdown is allowed. Use hh:mm:ss format.
/? - (Optional) Use this switch to show the command line tool usage instructions.
Note: Always enclose full paths and profile names within double quotes.

"hh:mm:ss")] [/RebootInInterval] [/ShutDownInInterval] [/RebootIntervalStart=Time(formatted as "hh:mm:ss")] [/RebootIntervalEnd=Time(formatted as "hh:mm:ss")] [/?]

deploycmd command switches
Table 87: deploycmd command switches
Switch - Description
Target - Specify the name(s), IP or range of IPs of the target computer(s) on which the patch(es) will be deployed.
/File - Specify the file that you wish to deploy on the specified target(s).

Switch - Description
/ShutdownIntervalStart - (Optional) Dependent on /Shutdown. The start time of the interval when shutdown is allowed. Use hh:mm:ss format.
/ShutdownIntervalEnd - (Optional) Dependent on /Shutdown. The end time of the interval when shutdown is allowed. Use hh:mm:ss format.
/ShutDownInInterval - (Optional) Shut down the computer after deployment if deployment completes in the specified time interval. Otherwise wait to specify the interval manually.

Switch - Description
/VULNCAT: - Exports/imports all vulnerabilities of the specified category.
/VULN: - Exports/imports the specified vulnerability (/VULNCAT must be specified).
/PORTTYPE: - Exports/imports all ports of the specified type.
/PORT: - Exports/imports the specified port (/PORTTYPE must be specified).
14 Script Debugger

Scripts that identify custom vulnerabilities can be created using any VBScript-compatible scripting language. By default, GFI LanGuard ships with a script editor that you can use to create your custom scripts. New checks must be included in the list of checks supported by GFI LanGuard. Use the Vulnerability Assessment tab to add new checks to the default list of vulnerability checks on a scan profile by scan profile basis. GFI LanGuard also supports Python scripting.
Step 1: Create the script
1. Launch the Script Debugger from Start > Programs > GFI LanGuard > LanGuard Script Debugger.
2. Go to File > New.
3. Create a script. For this example, use the following sample script code:

    ' Main is the entry point GFI LanGuard calls for a VBScript check;
    ' echo writes to the script output and the return value of Main is
    ' the result of the check.
    Function Main
        echo "Script has run successfully"
        Main = true
    End Function

4. Save the script in \Data\Scripts\myscript.vbs.

Step 2: Add new vulnerability checks
1. Launch GFI LanGuard.
2.
Screenshot 156: Add vulnerability dialog
4. Go through the General, Description and References tabs, specifying the basic details such as the vulnerability name, short description, security level and OVAL ID (if applicable).
5. Click the Conditions tab and click the Add button. This brings up the check properties wizard.
Screenshot 157: Adding vulnerability checks - Select type of check
6. Select Independent checks > VBScript node and click Next.
Screenshot 158: Adding vulnerability checks - Select VB Script file
7. Click Choose file and select the custom VBScript file that will be executed by this check. Click Next.
Screenshot 159: Adding vulnerability checks - Define conditions
8. Select the relative condition setup in the wizard to finalize script selection. Click Finish to exit the wizard.
9. Click OK to save the new vulnerability check.

Step 3: Test the vulnerability check/script
Scan your local host computer using the scanning profile where the new check was added. In Scan tab > Results, a vulnerability warning is shown in the Vulnerability Assessment node of the scan results.
14.
2. Click the GFI LanGuard button and select Configuration > Scanning Profile Editor. Alternatively, press CTRL + P to launch the Scanning Profiles Editor.
3. In the new window, add a new vulnerability by clicking Add under the list of vulnerability checks.
Screenshot 160: Add vulnerability dialog
4. Go through the General, Description and References tabs, specifying the basic details such as the vulnerability name, short description, security level and OVAL ID (if applicable).
5.
Screenshot 161: Adding vulnerability checks - Select type of check
6. Select Independent checks > Independent Python Script Test node and click Next.
Screenshot 162: Adding vulnerability checks - Select Python Script file
7. Click Choose file and select the custom Python script file that will be executed by this check. Click Next.
Screenshot 163: Adding vulnerability checks - Defining conditions
8. Select the relative condition setup in the wizard to finalize script selection. Click Finish to exit the wizard.
9. Click OK to save the new vulnerability check.

14.3 SSH Module

GFI LanGuard includes an SSH module which handles the execution of vulnerability scripts on Linux/UNIX based systems. The SSH module determines the result of vulnerability checks through the console (text) data produced by an executed script.
Table 89: Vulnerability keywords
Keyword: TRUE: / FALSE:
Description: These strings indicate the result of the executed vulnerability check/script. When the SSH module detects a TRUE: it means that the check was successful; FALSE: indicates that the vulnerability check has failed.
Keyword: AddListItem
Description: This string triggers an internal function that adds results to the vulnerability check report (i.e. scan results). These results are shown in the GFI LanGuard management console after completion of a scan.
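The following is an added example of an SSH check script in the style section 14.3 and Table 89 describe; it is not code from the GFI manual or from the product. It assumes a marker-file location (the manual's test step creates a file called test.file) and an AddListItem argument syntax, neither of which the page specifies. A second helper reads the script's console output the way the table says the SSH module does, so the keyword handling can be exercised offline on constructed output.

```shell
#!/bin/sh
# Added example (not from the GFI manual): an SSH check script that reports its
# verdict with the TRUE:/FALSE: keywords from Table 89, plus a small reader that
# interprets such console output the way the manual says the SSH module does.
# Assumptions: the marker-file path and the AddListItem(...) argument syntax are
# not given on the page and are chosen here for illustration only.

# Verdict for one path: prints an AddListItem line and TRUE: when the marker file
# exists (the check "succeeded"), FALSE: otherwise.
check_marker_file() {
    if [ -f "$1" ]; then
        # Assumed AddListItem syntax: one quoted string that lands in the scan results.
        echo "AddListItem(\"marker file present: $1\")"
        echo "TRUE:"
    else
        echo "FALSE:"
    fi
}

# Read captured script output as the SSH module is described to: the first
# TRUE:/FALSE: keyword decides the result. Prints triggered, not-triggered or unknown.
interpret_output() {
    keyword=$(printf '%s\n' "$1" | grep -E '^(TRUE|FALSE):' | head -n 1)
    case "$keyword" in
        TRUE:)  echo "triggered" ;;
        FALSE:) echo "not-triggered" ;;
        *)      echo "unknown" ;;
    esac
}

# Count the AddListItem lines the script contributed to the report.
count_list_items() {
    printf '%s\n' "$1" | grep -c '^AddListItem(' || true
}

# Stand-alone demonstration on constructed input: a temporary directory holding
# one test.file, as in the manual's test step, and one path that does not exist.
demo() {
    dir=$(mktemp -d)
    : > "$dir/test.file"
    present=$(check_marker_file "$dir/test.file")
    absent=$(check_marker_file "$dir/missing.file")
    echo "present -> $(interpret_output "$present") ($(count_list_items "$present") list item(s))"
    echo "absent  -> $(interpret_output "$absent")"
    rm -rf "$dir"
}
demo
```

On a Linux target the script body (without the demo) is what you would select in the SSH Script Test wizard; the interpreter functions exist only to show, offline, that the verdict is carried by the keyword in the console text rather than by the script's exit status.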
Step 2: Add the new vulnerability check
1. Launch GFI LanGuard.
2. Click the GFI LanGuard button and select Configuration > Scanning Profile Editor. Alternatively, press CTRL + P to launch the Scanning Profiles Editor.
3. From the middle pane, select the category in which the new vulnerability check will be included (for example, High Security Vulnerabilities…).
4. In the new window, add a new vulnerability by clicking Add in the middle pane.
Screenshot 164: Add vulnerability dialog
5.
Screenshot 165: Adding vulnerability checks - Select type of check
7. Select the Unix checks > SSH Script Test node and click Next to continue the setup.
Screenshot 166: Adding vulnerability checks - Select SSH file
8. Click Choose file and select the custom SSH script file that will execute during this check. Click Next to proceed.
Screenshot 167: Adding vulnerability checks - Define conditions
9. Select the condition setup that applies to the script to finalize the script selection. Click Finish to exit the wizard.
10. Click OK to save the new vulnerability check.
Step 3: Test the vulnerability check/script used in the example
Scan your local host computer using the scanning profile to which the new check was added.
1. Log on to a Linux target computer and create a file called 'test.file'.
15 Miscellaneous
This chapter contains information about configuring NetBIOS on your computers and how to uninstall GFI LanGuard.
Topics in this chapter:
15.1 Configuring NetBIOS 243
15.2 Uninstalling GFI LanGuard 244
15.1 Configuring NetBIOS
To check if your scan targets are using NetBIOS:
1. Navigate to Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings.
Note: In Windows® XP, click Control Panel > Network Connections.
2.
Screenshot 168: Local Area Connection properties: WINS tab
5. In the NetBIOS setting area, ensure that Default or Enable NetBIOS over TCP/IP is selected.
6. Click OK and exit the Local Area Connection Properties dialog(s).
Note: If a static IP is being used, or the DHCP server does not provide a NetBIOS setting, select the Enable NetBIOS over TCP/IP option.
15.2 Uninstalling GFI LanGuard
To uninstall GFI LanGuard:
1. Click Start > Control Panel > Add or Remove Programs.
2.
16 Troubleshooting and support
This chapter explains how to resolve issues encountered while using GFI LanGuard. These issues can be resolved using the contents of this Administrator Guide. If any issues remain unresolved after reviewing the manual, check if your problem is listed below. Refer to the following sections for information about resolving common issues and contacting our support team.
Topics in this chapter:
16.1 Resolving common issues 245
16.2 Using the Troubleshooter Wizard 247
16.
Issue Encountered: When trying to access the Change database tab while configuring an SQL database, a Failed to connect to database error is encountered.
Description: This issue may occur when the following two conditions are met:
    GFI LanGuard is installed on Windows 2000 SP4 with MDAC 2.5 SP 3.
    The database backend is SQL Server® and the database instance name differs from the SQL Server® machine name.
Solution: Install Microsoft® Data Access Components (MDAC 2.
Issue Encountered: A firewall installed on the GFI LanGuard machine is blocking the connection with target computers.
Description: Scanning might slow down or be blocked if a firewall is installed on the GFI LanGuard machine.
Solution: Configure the firewall to allow the following components in outbound connections:
    <..\Program Files\GFI\LanGuard>\*.exe
    <..\Program Files\GFI\LanGuard Agent>\*.exe
Note: For more information, refer to http://go.gfi.
Screenshot 169: Troubleshooter wizard – Information details
3. In the Information details page, select one of the following options:
Table 91: Information gathering options
Option: Automatically detect and fix known issues (Recommended)
Description: Configure GFI LanGuard to automatically detect and fix issues.
Option: Gather only application information and logs
Description: Gather logs to send to GFI support.
4. Click Next to continue.
Screenshot 170: Troubleshooter wizard – Gathering information about known issues
5. The troubleshooter wizard retrieves all the information required to solve common issues. Click Next to continue.
6. The troubleshooter fixes any known issues that it encounters. Select Yes if your problem was fixed, or No if your problem is not solved, to search the GFI Knowledge Base for information.
16.
Note: Before contacting Technical Support, have your Customer ID available. Your Customer ID is the online account number that is assigned to you when first registering your license keys in the GFI Customer Area at: http://customers.gfi.com. We will answer your query within 24 hours or less, depending on your time zone.
Documentation
If this manual does not satisfy your expectations, or if you think that this documentation can be improved in any way, let us know via email at documentation@gfi.com.
17 Appendix 1 - Data Processed
When auditing networks, GFI LanGuard enumerates and processes the following information. This information is collected from scan targets using the ports and protocols described in the following sections.
Topics in this chapter:
17.1 System Patching Status 251
17.2 Ports 252
17.3 Hardware 252
17.4 Software 254
17.5 System Information 256
17.1 System Patching Status
Data: Missing Service Packs and Update Rollups
Description: Discovers missing service packs.
Data: Installed Service Packs and Update Rollups
Description: Lists installed Microsoft® and non-Microsoft® patches.
Ports: TCP 139, TCP 445, DCOM 135, DCOM dynamic
Protocol: SMB, File and printer sharing, Remote registry, Windows update agent
Data: Installed Security Updates
Description: Lists installed Microsoft® and non-Microsoft® service packs.
Ports: TCP 139, TCP 445, DCOM 135, DCOM dynamic
Protocol: SMB, File and printer sharing, Remote registry, Windows update agent
Data: Local drives
Description: Lists drives discovered on scanned target(s). Local drives include: Hard disks, CD/DVD drives, Floppy drives.
Ports: TCP 139, TCP 445, DCOM 135, DCOM dynamic
Protocol: SMB, File and printer sharing, Remote registry, WMI
Data: Processors
Description: Lists processors discovered during a scan.
Ports: TCP 139, TCP 445, DCOM 135, DCOM dynamic
Protocol: SMB, File and printer sharing, Remote registry, WMI
Data: Motherboards
Description: Lists motherboards discovered during a scan.
Data: USB Devices
Description: Lists all the detected USB devices that are attached to the network/scan targets.
Ports: TCP 139, TCP 445, DCOM 135, DCOM dynamic
Protocol: SMB, File and printer sharing, Remote registry, WMI
Data: Other devices
Description: Lists generic devices discovered during a scan, including: System devices/drivers, Human Interface Devices (HID), Mouse and keyboard.
Ports: TCP 139, TCP 445, DCOM 135, DCOM dynamic
Protocol: SMB, File and printer sharing
Data: Backup applications
Description: Lists backup applications.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: Data Loss Prevention
Description: Lists Data Loss Prevention applications.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: Device Access Control
Description: Lists Device Access Control applications.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: Disk Encryption
Description: Lists Disk Encryption applications.
Data: Peer To Peer
Description: Lists Peer to Peer (P2P) applications.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: URL Filtering
Description: Lists web filtering applications.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: Virtual Machine Software
Description: Lists virtualization software detected on your network.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: Virtual Private Network (VPN) Client applications
Description: Lists VPN client applications.
Data: Password policy
Description: Lists password policy configuration.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: Security audit policy
Description: Security audit policy configuration.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: Registry
Description: Lists selected information from the system registry. Amongst others, enumerated information includes: Registry owner, Current build number.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: Logged on users
Description: Lists locally and remotely logged on users.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: Sessions
Description: Lists the active sessions at the time of the scan.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: Services
Description: Lists every service discovered during a scan.
Ports: TCP 139, TCP 445
Protocol: SMB, File and printer sharing, Remote registry
Data: Processes
Description: Lists every active process discovered during a scan.
18 Appendix 2 - Certifications
GFI LanGuard is OVAL and CVE certified. The following sections describe each certification and explain how they are used in GFI LanGuard.
Topics in this chapter:
18.1 Open Vulnerability and Assessment Language (OVAL) 259
18.2 Common Vulnerabilities and Exposures (CVE) 260
18.
GFI LanGuard does not support HP-UX based machines and therefore it is beyond the scope of this product to include these checks within its check definition database.
18.1.2 About OVAL Compatibility
OVAL Compatibility is a program established to develop consistency within the security community regarding the use and implementation of OVAL. The main goal of the compatibility program is to create a set of guidelines that will help enforce a standard implementation.
Note: For an in-depth understanding of CVE compatibility, refer to the complete list of CVE requirements available at http://go.gfi.com/?pageid=LAN_CVE_Requirements
18.2.2 About CVE and CAN
CVE names (also called "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities. CVE names have "entry" or "candidate" status.
19 Glossary
A
Access™: A Microsoft® desktop relational database management system included in the Microsoft® Office package. Access™ is normally used for small databases.
Active Directory™ (AD): A technology that provides a variety of network services, including LDAP-like directory services.
Anti-spyware: A software countermeasure that detects spyware installed on a computer without the user's knowledge.
Blacklist: A list of USB or network device names that are considered dangerous. When a USB\Network device name contains a blacklisted entry while scanning a network, GFI LanGuard reports the device as a security threat (High security vulnerability).
Bluetooth: An open wireless communication and interfacing protocol that enables the exchange of data between devices.
Bulletin Information: Contains a collection of information about a patch or a Microsoft® update.
DNS Lookup tool: A utility that converts domain names into the corresponding IP address and retrieves particular information from the target domain.
Domain Name System: A database used by TCP/IP networks that enables the translation of hostnames into IP numbers and provides other domain related information.
E
Enumerate computers tool: A utility that identifies domains and workgroups on a network.
messages indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP can also be used to relay query messages.
impex.exe: A command line tool used to import and export profiles and vulnerabilities from GFI LanGuard.
Internet Control Message Protocol (ICMP): The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite.
Microsoft® Windows service packs: A collection of updates and fixes provided by Microsoft® to improve an application or an operating system.
Microsoft® WSUS: An acronym for Microsoft® Windows Server Update Services. This service enables administrators to manage the distribution of Microsoft® updates to network computers.
N
NETBIOS: An acronym for Network Basic Input/Output. This system provides services that allow applications on different computers within a network to communicate with each other.
Scan profiles: A collection of vulnerability checks that determine what vulnerabilities are identified and which information is retrieved from scanned targets.
Script Debugger: A GFI LanGuard module that allows you to write and debug custom scripts using a VBScript-compatible language.
Simple Network Management Protocol (SNMP): Simple Network Management Protocol is a technology used to monitor network devices such as routers, hubs and switches.
Terminal Services: A service that allows connecting to a target computer and managing its installed applications and stored data.
Traceroute tool: A tool used to identify the path that GFI LanGuard followed to reach a target computer.
Trojans: A form of malware that contains a hidden application that will harm a computer.
U
UDP ports: An acronym for User Datagram Protocol; these ports are used to transfer UDP data between devices. In this protocol, received packets are not acknowledged.
Wi-Fi/Wireless LAN: A technology commonly used in local area networks. Network nodes use data transmitted over radio waves instead of cables to communicate with each other.
X
XML: An open text standard used to define data formats. GFI LanGuard uses this standard to import or export saved scan results and configuration.
20 Index
A
Activity 70, 81, 93, 151, 157-159, 170, 211, 221
Advanced 24, 45, 51, 53-54, 84, 117, 129, 132, 134, 141, 143, 145, 147, 149, 171, 175, 178, 198, 206, 243
Agent 23, 38, 47, 61, 80, 82, 93, 95, 101, 125, 136, 138, 153, 160, 209, 247, 251, 255
Computer Tree 47, 54, 61, 67, 80, 84, 88, 106, 125, 140, 142, 144, 156, 165, 167, 174
Conditions 163, 189, 230, 234, 239, 245
Custom 18, 39, 41, 44, 46, 53, 64, 67, 127, 139, 144-145, 167, 188, 211, 218, 228, 233, 237
Custom target properties 67
Agent-based
Hardware Audit 66, 161
Header 172
Human Interface Devices (HID) 254
Network Security History 162
Network Security Overview 160
I
IIS 108
Notifications 18, 178
O
impex.
Scan Based – Full Audit 161
Scan History 162
Scanning Profile Editor 188-189, 200, 210, 229, 234, 239
Scanning Profiles 18, 27, 64, 70, 116-117, 123, 188-189, 200, 202, 210, 223, 229, 234, 239
Upgrading 30
USB 204, 254
Users 87, 96, 108, 164, 219, 225, 228, 257, 260
Scheduled Scans 38, 70, 80, 93, 122, 153
Utilities 212, 215-217, 219-222
Script Debugger 228
V
Security audit policy 69, 257
Security Scanning Options 209
Security Scans 18, 70, 83, 151, 159, 163
VBscript 228
VPN client applications 256
USA, CANADA AND CENTRAL AND SOUTH AMERICA
15300 Weston Parkway, Suite 104, Cary, NC 27513, USA
Telephone: +1 (888) 243-4329
Fax: +1 (919) 379-3402
ussales@gfi.com
UK AND REPUBLIC OF IRELAND
Magna House, 18-32 London Road, Staines-upon-Thames, Middlesex, TW18 4BP, UK
Telephone: +44 (0) 870 770 5370
Fax: +44 (0) 870 770 5377
sales@gfi.com
EUROPE, MIDDLE EAST AND AFRICA
GFI House, San Andrea Street, San Gwann, SGN 1612, Malta
Telephone: +356 2205 2000
Fax: +356 2138 2419
sales@gfi.