Ensure your NT system's security

New Windows NT security risks surface almost every month: You might wonder how to keep your NT system secure. Internet Security Systems' (ISS's) new comprehensive security assessment tool--Internet Scanner 5.2--can find most known NT security risks.

Installation and Use
I installed Internet Scanner on a Small Business Server (SBS) system running NT 4.0, Service Pack 3 (SP3), and several recent hotfixes. I used the software's detail-oriented installation wizard, which made the process easy. I specified the installation directory, and the software copied the necessary files onto my system. The installation wizard then inspected my TCP/IP Registry settings to ensure maximum performance and automatically adjusted my maximum connection settings and timeout limits. These settings and limits help Internet Scanner balance its load and the load the software places on network systems.

Because of limitations in Microsoft's Winsock implementation (i.e., you can't use raw sockets), you must use a low-level raw packet driver with Internet Scanner. The installation wizard copies the driver onto your system and provides comprehensive instructions for installing the driver. I opened the Network applet in Control Panel, selected the Services tab, and clicked Add, Have Disk. I entered the name of the directory in which I installed Internet Scanner. After the packet driver installed, I rebooted the system.

You must use an encrypted license key with Internet Scanner. I copied my key into the installation directory and fired up the program.

Useful Features
Internet Scanner lets you scan IP addresses for potential security risks. The software generates detailed reports that explain the risks and list ways to correct them. These reports are available in three classifications: executive, line management, and engineering. Executive reports contain graphic displays (as opposed to pure text) and provide security trend analysis, system security condition, and network information. Line management reports are comprehensive technical security summaries designed for engineering managers. Screen 1 shows a report preview, which contains more textual detail than an executive report. People responsible for correcting security risks use this type of report, which describes security risks and offers information about correcting them. You can sort each report by IP and Domain Name System (DNS) addresses, risk rating (low, medium, or high), and vulnerability name (e.g., GetAdmin).

Internet Scanner searches for hundreds of known NT and UNIX risks. You can adjust settings and tailor the software to your needs before you scan your systems. For example, I used the configurable settings to adjust the number of hosts the software scanned at one time, which helped balance network loads and the load on the system performing the scan. I disabled risk checks that might cause a vulnerable NT system to crash and scanned for those risks after hours instead.

Internet Scanner includes three risk-scanning templates--heavy, medium, and light--that conduct security checks at different levels. You can copy these templates and customize them to your needs. You can also use the software's firewall and Web server modules to scan firewalls and Web services for security problems. Internet Scanner can scan multiple subnets and NT systems; thus, the software works well in most network environments, regardless of size.

Performing a Security Scan
To perform a security scan, you must define a range of IP addresses to scan, based on the available network addresses in your license key. After you define the IP address range, Internet Scanner attempts to contact each address to determine which devices are online.

After the software locates an IP address, it displays each system that is listening (i.e., that has its wiring in place and its network software running properly). The software displays these systems in a traditional tree view. The left-hand window lists system names and addresses, and the right-hand window displays general information about each system (e.g., NetBIOS).

After the software determined which NT systems were listening, I scanned each system for risks. To initiate a scan, I highlighted a subnet or system in the left window and clicked Scan.

During the scanning process, you can observe Internet Scanner's progress in the right window. A series of tabs lets you change the display to view system properties, scan status, identified vulnerabilities, NT services, and users.

When the scan completed, I selected the Vulnerabilities tab in the right window. Screen 2 shows the vulnerabilities that Internet Scanner found. The software located 7 potentially serious security risks and 14 medium-level security risks on my SBS system. I used the generated engineering reports to determine the severity of the identified risks, and I used the actions suggested in the report to correct each problem.

The Bottom Line
Internet Scanner is comprehensive software with an up-to-date vulnerability knowledge database. It has a well-designed user interface, complete with drop-down menus and a toolbar. The reports' layout and easy readability impressed me. The only feature this security tool lacks is the ability to take corrective action against risks that don't require hotfixes or updates. For example, if Internet Scanner adjusted my user policies when they didn't comply with my security policy, I'd save time: I wouldn't have to manually correct them using User Manager. If you don't currently use a security assessment tool or you need a new one, try Internet Scanner.

Internet Scanner 5.2
Contact: Internet Security Systems, 678-443-6000
Web: http://www.iss.net
Price: $4995 for a Class C license
System Requirements: Windows NT Workstation 4.0, 64MB of RAM, 20MB of hard disk space