Software Review: LANguard N.S.S. 5
LANguard Network Security Scanner (N.S.S.) from GFI provides a full-featured security scanner that can protect your entire network to pinpoint security problems of which you may not be aware. But knowing what's wrong is only half the battle, and LANguard N.S.S. goes a step further with its patch management functionality that helps you to deploy the patches and service packs that will address those problems.
Product: GFI LANguard Network Security Scanner 5
Product Homepage: click here
60-day Trial Version: click here
Installing LANguard N.S.S.
You can install LANguard N.S.S. on Windows 2000, Server 2003 or Windows XP, as long as Internet Explorer 5.1 or above is installed and the client for Microsoft Networks is enabled. We installed it on a Windows XP Pro machine.
You'll need a domain administrator account if you want to schedule scans (otherwise you can run the software using the local system account). You'll also need credentials for your SQL server if you want to use SQL/MSDE for storing the scanner logs (otherwise you can use an Access database; you don't have to have Access installed on the machine to do this). You'll also be asked for an e-mail address and SMTP server so the software can send you e-mail notifications. You'll need to enter the server's IP address and SMTP port and whether or not the SMTP server requires authentication. You can then select the folder to which the program will be installed.
The installation process was quick and straightforward. It took less than three minutes from start to finish.
Running LANguard N.S.S.
When you start the program, it will download and install updates automatically before loading the program components. The interface consists of a left pane called the Tools Explorer and three right panes, showing Scanned Computers, Scan Results and the Scanner Activity Window (see Figure 1).
Running a Scan
To run a scan, you click the New Scan button in the toolbar to open a dialog box. Here you select the type of scan you want to do from the following list:
- Single computer
- Range of computers
- List of computers
If you choose Single Computer, you'll be asked whether to scan the local machine ("This Computer") or another computer. If you select Another Computer, you must enter the name or IP address of the target computer. If you select to scan a range of computers, you must enter an IP address range. If you select to scan a list of computers, you can enter their names or IPs or import the list from a file. You can also select to scan one or more domains (the list of available domains on the network will appear with checkboxes you can check). You can also add computers or domains to your "favorites."
When you've made your target selection and clicked OK, the scanning activity will start appearing in the Scanner Activity Window in real time. It will show what actions are being performed: SMB probing, collecting information about the OS, detecting open TCP ports, detecting installed products and what patches and service packs are missing for each product, and a vulnerability scan analysis that checks for Trojans and vulnerabilities in FTP, DNS, mail, services, RPC, the Registry, information, CGI and miscellaneous vulnerabilities.
Getting the Report
Click Full Report in Under Security Scanner | Scan Filters in the left pane and the right pane will display a nicely formatted HTML report that summarizes the vulnerabilities that were found (see Figure 2).
In the report, you'll be shown the total number of vulnerabilities, with the details under each category. Examples include:
- Details of each missing service pack or security patch, with a hyperlink to the Web site where each can be downloaded.
- Registry settings that should be changed (for example, use NTLM instead of LM authentication, or disable DCOM), with a hyperlink to a Knowledge Base article providing instructions on how to do so.
- Service vulnerabilities (for example, Telnet is installed). Recommendations on alternatives (in this case, use SSH instead if possible) are also provided.
- Potential vulnerabilities, such as user accounts that are not being used and should be removed, or an administrator account that has not been renamed.
The scanner also lists all shares that exist on the target machine(s), network devices, and the computer's or domain's password policy. Audit policy status is shown, and descriptive information collected from the Registry is shown (processor vendor and speed, amount of RAM, display device, registered owner and organization, OEM, product ID, etc. The full reports tells you which ports are open (with descriptions of their common usage as well as the port number), Netbios names used by the computer, domain, etc., the computer's name, MAC address, domain, network role, and all trusted domains. You'll be shown a list of groups (both built-in/default and user-created) and a list of user accounts with information for each showing such details as password characteristics (password cannot be changed, password not required, etc.), password age, number of logons and bad passwords count. Sessions and services (with status shown) are also displayed.
This information can be broken out and displayed category by category (for example, you can get a report of just the missing patches and service packs, or just the open shares) by clicking the appropriate category in the left pane under Scan Filters.
The product includes a number of security tools that can be accessed under the appropriately named "Tools" node in the left pane. You can use these tools to deploy Microsoft patches or deploy custom software. There are also tools to perform common TCP/IP diagnostics and information-gathering, including DNS Lookup, Traceroute, and Whois. There are tools to enumerate computers or users, SNMP and SQL Server Audit tools, and SNMP Walk.
Configuration of the software is made easy by the configuration utilities found in the Configuration node of the left console pane. These include the following:
- Scanning Profiles: this tool lets you set up different profiles you can use for scanning in a granular way. You might create a profile to scan only for particular vulnerabilities, or to scan only a specific part of the network.
- Scheduled Scans: this tool lets you automate the scanning process. You can launch a scan at a specified date and time, or after a particular time interval, on a specified target.
- Alerting Options: this tool is used to set up information for notifications (e-mail address and SMTP server information).
- Parameter Files: You can customize the parameter files that N.S.S. uses. These are text files that can be edited and saved, and they include mapping lists and server banners.
- Database Maintenance Options: You use this tool to change the type of database to be used for storing scan information (MSDE, Access or SQL).
In the General node in the left pane, there are a number of helpful features that make it easier to check the GFI Web site for program updates, get information about the version of N.S.S. you're running, enter a license key to prevent expiration of the evaluation software, get technical support, submit questions and go directly to GFI's Web pages.
The first and perhaps most dramatic change in version 5 is the new, super-intuitive user interface. I was impressed with its ease of use, and I had someone try it who had never used a security scanner before; my "guinea pig" had no problem running scans and getting reports without ever looking at the Help or instructions. However, there is a useful manual in PDF format in case you do run across something that you can't figure out on your own.
Patch and Software Deployment
Patch deployment is a lot easier because of the new interface, and the patch management node is very flexible, allowing you to select specific patches for specific computers. Being able to deploy custom software, such as virus updates, is also handy.
Of course, Microsoft already has various mechanisms for deploying software automatically, from SUS for updates to SMS to Group Policy Software Installation. However, the N.S.S. interface makes deployment simple. You merely select the location of the software to be deployed and the computers on which you want to install the software (or configure filters that will allow you to deploy the software based on which computers have specified operating systems or applications installed). You can select to deploy the software immediately or set a date and time for it to be deployed. You can choose whether the computers should be rebooted after the software is installed, whether to send a warning message to the user before deploying the software, whether to stop services first and whether to delete copied files from the target computer after deployment (See Figure 3).
It just takes one click to filter scan results by category; for example, to show all the computers that are missing Windows XP Service Pack 1. In addition to the built-in filters, you can make your own custom filters. You can specify the items that should be shown in the report and you can apply filters to previous scans as well as to the current scan.
Expanded Vulnerabilities Database
A security scanner is only as good as its vulnerability database. It is this database that the scanned computers are compared to, in order to determine their weak points. The database used by N.S.S. 5 has been updated and expanded to include SANS vulnerability issues. Even better, updates are downloaded automatically when you start the program or you can check for updates manually from the Help menu.
Better *NIX Support
Another addition to version 5 is an extensive set of vulnerability checks for Linux and UNIX machines, so you can find the weaknesses in all of the computers on your network, regardless of operating system.
Improved Scheduling Ability
Now you can provide different credentials for different scheduled scans, and you can perform multiple scheduled scans with multiple profiles.
There are many other subtle and not-so-subtle improvements, including the ability to export scan results to an XML file, a new VB-script compatible script engine, a new script debugging and editing tool, a better SQL audit tool, and improvements to the DNS lookup, Whois and SNMP tools. The "Enumerate computers" functionality has been improved to let you filter computers based on OS and services, and an "Enumerate users" functionality has been added to allow you to display Active Directory user accounts with account details.
Hackers spend their time discovering and exploiting vulnerabilities in other people's networks. Security scanners give administrators a way to stay one step ahead by discovering and correcting those vulnerabilities before they can be exploited. There are a lot of security scanners on the market. GFI's LANguard N.S.S. has been hailed by many network administrators as one of the best. We were impressed with some of the improvements and additions in version 5, especially its easy to use interface. You can take it for a test drive at no cost; just click here and download the evaluation version. If you decide to keep it, just enter the license key - no need to uninstall and reinstall.
WindowSecurity.com Rating 4.5/5
For more information about GFI LANguard Network Security Scanner, click here.