The Windows 2000 Resource Kit

Internet Scanner (IS) is a Microsoft Windows 2000 Resource Kit tool for analyzing network servers. With IS, you can scan one server or multiple servers on a TCP/IP network or on the Internet. The results of the scan can show information such as potential security holes in the servers.

This tool spots many holes, which saves you the time and trouble of poking around each server or system on your network to determine whether that server or system is vulnerable. In addition, IS provides a way to automate this task. The automation process is great because you can run IS on a schedule or on demand. This flexibility lets you control how you monitor your servers and systems and at what frequency. The status information and reports that IS generates provide detailed information about the problems it encountered, which gives you a starting point for solving those problems. For example, IS will return a list of any system accounts, such as Guest accounts, that might compromise the system's security. You can then change the account information (such as a password).

Installing IS
The first step in using IS is installing it. You can install the scanner on any server or workstation that you'll use to perform testing.

Like most resource kit tools, resource kit installation doesn't include IS. You must use the IS Setup program to perform the tools installation on the target machine.

To execute Setup, start setup.exe from the \apps\internetscanner directory on the resource kit CD-ROM. Follow the prompts to complete the installation. By default, the system installs IS in the C:\program files\iss\scanner6 directory. This folder contains not only the scanner executable file but also release notes and documentation.

Scanning Your Servers
Choose Start, Programs, ISS, Internet Scanner 6.0, Internet Scanner 6.0 to start IS and bring up the IS GUI. When you start the application, the dialog box that Figure 1 shows appears. From this dialog box, you can start a new scanning session, open an existing session, or generate a report.

To start a new scanning session, select Create a New Session, then click OK to start the New Session Wizard. On the wizard's first page, click Next. The wizard displays the Policy Select dialog box. On this dialog box, you select a scanning policy. The scanning policy controls the extent to which IS will analyze the servers. You can choose from five levels:

  • Level 1 (Inventory)—Inventories the systems on the network
  • Level 2 (Classify)—Classifies the systems on the network
  • Level 3 (Minimum)—Provides susceptibility testing from unsophisticated attackers
  • Level 4 (Medium)—Provides medium susceptibility testing from automated attacks or moderately skilled attackers
  • Level 5 (Maximum)—Provides susceptibility testing from highly skilled attackers and looks for improperly configured servers

For your first scan, select the L1 Inventory option. Click Next to move to the next page. On the Comment dialog box, enter a descriptive comment for the session. Click Finish.

IS now shows a list of the hosts (i.e., servers) it will scan. In my test, I scanned only my local workstation, so an entry for 127.0.0.1 appears for that workstation.

You're now ready to initiate a scan. You can start a scan in several ways. The most obvious way is to select Scan Now from the Scan menu, which starts a scan with the current session parameters and automatically updates the interface with the results. The status window at the bottom of the interface is updated as the scan progresses.

You can also initiate a scan by selecting Console Mode Scan from the Scan menu. This option opens a command prompt window and runs the command in batch mode with the current session settings. As the batch process runs, it displays status information in the command prompt window. When the scan is finished, a dialog box appears asking whether you want to update the interface with the scan results. Click Yes to perform the update. The scan time depends on the number of systems you're scanning and the type of scan you're performing. For example, a level 3 scan is more time-consuming than a level 1 scan.

The IS interface window, which Figure 2 shows, displays the properties of each host that IS has scanned or will scan. The Scan Status column shows whether IS has scanned the host.

Working with Results
When you've completed a scan, you can work with the results. You have two choices for analyzing the data: clicking a host in the interface's left pane and viewing scan details or using reports. Clicking a host in the left pane of the interface displays a series of tabs along the bottom of the Session window. Each tab represents a page with either properties about that host or information detected during the scan.

Here's where using this tool gets interesting. Running the L1 Inventory scan on my local workstation provided interesting results. Clicking the Vulnerabilities tab revealed two SNMP services, which Figure 3, page 16, shows, that could let intruders gain access to my workstation. The Risk column provided a little insight into the extent of the vulnerabilities. Both SNMP service vulnerabilities showed a Low risk setting. When I right-clicked an SNMP service entry in the Risk column, a What's This? button appeared. Clicking the button took me to an explanation screen for the SNMP service's risks, which is nice because it's intuitive to drill down from the Vulnerabilities tab directly into details about the problem.

The second method for analyzing a scan is to use a report. You can create a report by selecting Generate Report from the Reports menu. This option displays a series of Generate Reports dialog boxes. Figure 4, page 16, shows the first of these dialog boxes—Generate Report - Select Reports—with one of the Vulnerability Assessment reports selected. After you've selected the report type, click Next to display the Report Criteria dialog box. Here, you can select the session or sessions on which to report, the level of risk, and the host systems that will appear on the report. After you've selected the criteria, click Next.

The last page of the Generate Reports process is the Summary Page. This page lets you preview, print, or export a report. The Preview option opens a preview window. This window isn't simply a dumb viewer: It has navigation controls like other viewers, but it also has live sections in the report. For example, if you run a Vulnerability Assessment report, you can double-click a vulnerability to open a window containing only that information. When you open a particular item in a report, the Preview window adds buttons to the top of the window that provide one-click access to any drill-down window or the Preview window.

A Powerful Tool
Caveat emptor! Licensing is a consideration with this tool, which Internet Security Systems (ISS) created. From the resource kit, you can use IS on the machine on which you install the tool, but you can't scan any other machines on a network. To scan other systems, you must obtain a license from ISS (http://www.iss.net). You can purchase licenses in packs (such as 10 or 15) or for entire networks. The licensing has two benefits: First, licensing is how ISS makes money from the scanner, and second, the license restricts the systems you can scan with IS. This last reason is important because it prevents someone from getting the tool from the resource kit and scanning your servers. You must license the tool to scan a host. Also, the resource kit version is IS 6.0, while IS 6.1 is the current version. If you license the tool, you can upgrade to IS 6.1.

IS is a powerful tool, and I've only scratched the surface in this column. The Reporting option alone can save you a tremendous amount of time and help you plug holes in your network and server configuration. One other feature of note is X-Press Updates, which lets you automatically or manually receive updates to IS. In the next issue, I'll introduce you to the Performance Counter Check tool.

Tip: You can create new sessions at any time by selecting New Session from the File menu.

Tip: IS is most often used on workstations to monitor servers. If you use IS on a server, the tool can place loads on that server that affect its performance.