When examining the internal security of a network, administrators often ask questions such as:
- Is there an unauthorized PC on the network?
- Do all PCs have the required security patches installed?
- Do any machines have shares with no security set?
I'm going to introduce you to a tool that can assist you in answering these and other security questions and help you lock down your internal network.
New and improved LNSS
The product is GFI’s LANguard Network Security Scanner (LNSS). Version 3.0 was recently released, and you can download it from GFI’s site. If you have a previous version, you’ll definitely want to check out version 3.0. It offers many new features, including the ability to report missing security patches and deploy them remotely. The separate manual, also available for download, is well written and easy to follow.
GFI has taken a different approach to licensing with version 3. Previous versions were freeware that could be licensed to activate additional features. Version 3 installs as a 30-day fully functioning trial, and after 30 days, the advanced features stop working. The software is now licensed by the number of IP addresses you intend to scan.
Installation and setup
LNSS needs to be installed on a Windows NT/2000/XP box. It can be installed on a 9x box, but most of the advanced security scanning won't work. Client for Microsoft Networks must be installed and any personal firewall software disabled. Once installed, LNSS is simple to set up and use.
First, you must tell LNSS what you intend to scan. Select File and New Scan to bring up the dialog box shown in Figure A. You can select a single computer, define a range of IP addresses to scan, make a list of computers, or pick computers by domain. You can add any of these selections to Favorites to be used again.
You should do the first scan with null credentials. This will perform a baseline scan as an anonymous user and give you an idea of what a “normal” user would have access to. To set the scanning credentials, select Scan and then Options from the main menu. Click the Session tab to open the dialog box shown in Figure B and then choose the Null Session option. The other two options allow a scan to be performed as a specific user or as the currently logged on user. After you define the scan, click the Play button to start it.
The LNSS interface is divided into two panes, as shown in Figure C. The left pane displays the nodes discovered, each of which can be expanded to show the information LNSS has gathered. The right pane displays a real-time log of LNSS’ activities. LNSS will scan each IP in the range using NetBIOS queries, SNMP queries, port scans, and ping sweeps and then sort the information into an easy-to-read display. You can further sort the display by IP address, machine name, or OS type. Depending on the number of addresses scanned, LNSS can take some time to complete its job. An indicator in the lower-right corner keeps you informed of the progress.
Analyzing the results
Once the scan is complete, you can efficiently analyze the results. Expand each node and examine the information gathered during the scan. If the scan was performed with null credentials, you can see what a normal user on the network would have access to. Figure C shows information gathered on an HP JetDirect print server.
If you scanned a large list of addresses, it's much easier to examine the results in a report format. Version 3 has added many reporting options, including the ability to customize the report layout and content. It offers a separate report generator tool as well.
To create a report, you must first save the scan. Click on File, choose Save Scan Results, and click the Customize button. The Customize Report dialog box, shown in Figure D, lets you customize the report to include only the information you want to see.
You can add a custom header and footer and select what will appear on the report. Click the Report Items button and choose the items you want to appear on the report (Figure E).
The Customize Report dialog box also provides a drop-down list to select a report template. Report templates provide filtered reports based on preset criteria. When you finish, click Save and name the file, and the report will be saved in XML and HTML file formats. The XML file is used by the report generator tool described later in the article. The HTML file is opened automatically by default.
The report will highlight any known vulnerabilities and provide links to resources about each problem. It will also list any open ports and known problems with the service the port provides. By default, LNSS does not scan all 65,536 ports; it scans only a few dangerous ones. You can manually add ports via the Scanning tab in the Options dialog box.
After you've performed null credential scans, complete a scan with an account that has administrator access. This scan will provide details about the missing security patches, weak passwords on shares, and other known vulnerabilities.
LNSS can also be used to assess external security. Complete a scan of your network from a PC connected to the Internet. Configure the scan to use null credentials and select your public IP range. (Any routers or firewalls encountered along the way will influence the results.) Select the Add Non-Responsive Computers To List To Be Probed check box under General Scan. This will perform port scanning of any IP addresses that don’t respond to any other queries, exposing any open ports that are not blocked by firewalls or routers in the path. Hopefully, the results won't show any vulnerabilities.
Although LNSS works great right out of the box, you’ll want to examine and configure the scanning options. You can save scanning configuration changes as configuration files and later recall them to perform different types of scans. Let's take a look under the hood at how to configure LNSS scanning options.
Click on Scan and then Options to display the scanning option tabs (Figure F). The General settings section sets the time that LNSS waits between sending packets and how long it waits to receive a response.
You can adjust these settings to compensate for the type of network you are scanning (LAN/WAN/MAN). Adjusting these values can increase the time it takes for a scan to complete. The Debug settings control how much information is displayed in the right pane. The SNMP section controls how LNSS does SNMP probing. If your network uses community strings other than public and private, you will need to enter them in this section.
The last section allows any nonresponsive computers to be port scanned. Enable this option if you think there may be computers that are blocking NetBIOS, SNMP, and ICMP packets. This option will greatly increase the scan time because each unresponsive IP address in the range will have a complete port scan performed rather than just continuing to attempt to access the machine.
The Cracking tab configures options used for password cracking of network shares. LNSS uses a list of common passwords to detect weak passwords. (You can view and edit the password file by selecting View from the main menu and then selecting Passwords.txt.) Use the administrator account for cracking, since it can't be locked out for bad password attempts.
The Scanning tab allows precise configuration of how LNSS performs its network scan (Figure G).
The Network Discovery section configures the discovery methods used. The Gather Information section controls the actual operation performed during the scan. Clicking the Configure Operations button displays the currently configured operations and allows additional functions to be performed. Clicking the Configure Ports button displays the currently configured ports and allows additional ports to be added. The bottom section lets you set scanning delay times and enable or disable TCP and UDP scanning.
The Session tab is used to establish the user account that will perform the scanning operations. We discussed its configuration earlier. The Alerts tab (Figure H) defines the security vulnerabilities that LNSS will check for. The registered version of LNSS also allows alerts to be updated via the Internet. Advanced configuration of alerts, including a scripting language to create custom alerts, is included.
Version 3.0 adds the ability to check for missing hot fixes and security patches. LNSS uses an XML file called Mssecure.xml to keep it current on the missing patches. The file can be downloaded automatically from Microsoft’s Web site by flipping a switch. The registered version also allows missing patches to be deployed remotely. The remote deployment feature alone may be well worth the price of the registered version.
LNSS has another, less obvious use: It can be a great tool for documenting your network. You can configure the standard report output to list specific information about your network. By saving reports and comparing results against a previous report, you'll be able to document the differences.
The registered version also includes a report generator, which is a separate tool that queries the XML report files and creates reports. The report generator extends the functionality of the basic report output produced when you save scan results, and it lets you combine multiple queries into a custom report. For example, you might create a listing of all computers that are running Windows NT or 2000 and that are missing a particular service pack or patch.
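The report comparison and the combined query described above can be sketched in a few lines. This is an added example, not GFI's code or the LNSS report generator; the XML element and attribute names, host entries and patch IDs are constructed for illustration and do not reflect the real LNSS report schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample data. Element and attribute names are assumptions for
# this example, not the LNSS report schema; patch IDs are placeholders.
BASELINE = """<scan>
 <host ip="192.168.1.10" name="FILESRV" os="Windows 2000">
  <port>139</port><port>445</port><missing>PATCH-A</missing></host>
 <host ip="192.168.1.20" name="PRINTSRV" os="Windows NT">
  <port>139</port></host>
</scan>"""
LATEST = """<scan>
 <host ip="192.168.1.10" name="FILESRV" os="Windows 2000">
  <port>139</port><port>445</port><port>21</port><missing>PATCH-A</missing></host>
 <host ip="192.168.1.20" name="PRINTSRV" os="Windows NT">
  <port>139</port><missing>PATCH-A</missing></host>
 <host ip="192.168.1.77" name="LAPTOP7" os="Windows XP">
  <port>139</port><missing>PATCH-A</missing></host>
</scan>"""

def load(xml_text):
    """Parse a saved scan into {ip: {"name", "os", "ports", "missing"}}."""
    hosts = {}
    for h in ET.fromstring(xml_text).iter("host"):
        hosts[h.get("ip")] = {
            "name": h.get("name"), "os": h.get("os"),
            "ports": {int(p.text) for p in h.iter("port")},
            "missing": {m.text for m in h.iter("missing")},
        }
    return hosts

def diff_scans(old, new):
    """Hosts that appeared or vanished, and ports opened since the baseline."""
    opened = {ip: sorted(new[ip]["ports"] - old[ip]["ports"])
              for ip in old.keys() & new.keys()
              if new[ip]["ports"] - old[ip]["ports"]}
    return {"new_hosts": sorted(new.keys() - old.keys()),
            "gone_hosts": sorted(old.keys() - new.keys()),
            "opened_ports": opened}

def hosts_missing(scan, patch, os_names):
    """Names of hosts running one of os_names that lack the given patch."""
    return sorted(h["name"] for h in scan.values()
                  if h["os"] in os_names and patch in h["missing"])

if __name__ == "__main__":
    old, new = load(BASELINE), load(LATEST)
    print(diff_scans(old, new))
    print(hosts_missing(new, "PATCH-A", {"Windows NT", "Windows 2000"}))
```

A host that appears only in the later scan is a candidate for the "unauthorized PC" question from the start of the article, and a newly opened port on a known host is worth checking against change records.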
Your money's worth
I think a lot of you will find that LNSS is a valuable tool. Although many of the advanced features are omitted from the free version, it's still useful. After seeing what it can do for you, I think you will find the registered version is worth the price. The pricing is available at the GFI Web site.